Paulo Lício De Geus

Paulo Lício De Geus
University of Campinas | UNICAMP · Institute of Computing

Doctor

About

139
Publications
39,018
Reads
How we measure 'reads'
A 'read' is counted each time someone views a publication summary (such as the title, abstract, and list of authors), clicks on a figure, or views or downloads the full-text. Learn more
839
Citations
Additional affiliations
August 1984 - present
University of Campinas
Position
  • Professor (Associate)
August 1984 - present
University of Campinas
Position
  • Professor (Associate)

Publications

Publications (139)
Article
AntiViruses (AVs) are the main defense line against attacks for most users and much research has been done about them, especially proposing new detection procedures that work in academic prototypes. However, as most current and commercial AVs are closed-source solutions, in practice, little is known about their real internals: information such as w...
Article
Full-text available
Malware analysis is an essential task to understand infection campaigns, the behavior of malicious codes, and possible ways to mitigate threats. Malware analysis also allows better assessment of attackers’ capabilities, techniques, and processes. Although a substantial amount of previous work provided a comprehensive analysis of the international m...
Article
Full-text available
Resumo. Enquanto o bloqueio de exemplares de malware em nível de endpoint é essencial para o tratamento de ameaças recém-criadas, o controle de ameaças em larga escala só é possível através do bloqueio dos serviços de rede utiliza-dos por estas. Este estudo se propõe a investigar como este tipo de bloqueio ocorre na prática, visando identificar os...
Conference Paper
This work did ample research on techniques used by advanced threats that aim to evade detection systems, elevate privileges and manipulate objects in a modern OS kernel, using the Windows 10 kernel as a test bench. Given state-of-the-art attacks in kernelspace, this work's main goal is to design a secure mechanism to protect the OS kernel against a...
Conference Paper
Enquanto o bloqueio de exemplares de malware em nível de endpoint é essencial para o tratamento de ameaças recém-criadas, o controle de ameaças em larga escala só é possível através do bloqueio dos serviços de rede utilizados por estas. Este estudo se propõe a investigar como este tipo de bloqueio ocorre na prática, visando identificar os problemas...
Chapter
Full-text available
The security of application installers is often overlooked, but the security risks associated to these pieces of code are not negligible. Online public repositories have been one of the most popular ways for end users to obtain software, but there is a lack of systematic security evaluation of popular public repositories. In this paper, we bridge t...
Article
Full-text available
Kernel monitoring is often a hard task, requiring external debuggers and/or modules to be successfully performed. These requirements make analysis procedures more complicated because multiple machines, although virtualized ones, are required. This requirements also make analysis procedures more expensive. In this paper, we present the Lightweight K...
Article
Full-text available
Security evaluation is an essential task to identify the level of protection accomplished in running systems or to aid in choosing better solutions for each specific scenario. Although antiviruses (AVs) are one of the main defensive solutions for most end-users and corporations, AV’s evaluations are conducted by few organizations and often limited...
Article
Full-text available
Malware are persistent threats to any networked systems. Recent years increase in multi-core, distributed systems created new opportunities for malware authors to exploit such capabilities. In particular, the distributed execution of a malware in multiple cores may be used to evade currently widespread single-core-based detectors (e.g., antiviruses...
Conference Paper
Full-text available
Malware are persistent threats to computer systems and analysis procedures allow developing countermeasures to them. However, as samples are spreading on growing rates, malware clustering techniques are required to keep analysis procedures scalable. Current clustering approaches use Call Graphs (CGs) to identify polymorphic samples, but they consid...
Chapter
Full-text available
Malicious software have been evolving to look even more indubious to the targeted system. Moreover, they have been relying on obfuscation and anti-analysis techniques to avoid their behavior being discovered during their execution, thus making forensic procedures harder to be conducted on a proper manner. Reverse engineering is an useful procedure...
Conference Paper
Full-text available
Today's world is supported by connected, electronic systems, thus ensuring their secure operation is essential to our daily lives. A major threat to system's security is malware infections, which cause financial and image losses to corporate and end-users, thus motivating the development of malware detectors. In this scenario, Machine Learning (ML)...
Conference Paper
Full-text available
Although malware is a threat for most systems, the main line of defense against them (AntiViruses, or AVs) are performance-intensive applications that cause slow down due to the need of constant target-system monitoring. An effective alternative for accelerating AVs operation is to move them from software to hardware, thus eliminating their imposed...
Conference Paper
Full-text available
Malware infections are constant threats to multiple computing platforms and binary classification leveraging machine learning (ML) techniques has been demonstrated to be a promising approach for fighting these infections. Currently, most ML solutions focus only on the Windows platform. To bridge this development gap, we present Forseti, a solution...
Conference Paper
Full-text available
A engenharia reversa de binários é uma tarefa essencial no campo da segurança, tanto para a validação de aplicações legítimas quanto para a análise de códigos maliciosos. Ainda que o GDB seja uma solução poderosa para a análise de aplicações benignas, este apresenta limitações para lidar com aplicações maliciosas especialmente desenvolvidas para im...
Article
Full-text available
Linux applications are finding their role on important computer systems. At the same time these systems grow, they become target for malware. Therefore, understanding the security impacts of malware infections on them is essential to allow system hardening and countermeasures development. In this project, we developed tools and systems for evaluati...
Article
Full-text available
Malware overview reports are valuable information to understand threats behavior and develop proper countermeasures. Currently, most of these studies are focused on either fine-grained, individual sample analysis or coarse-grained landscapes. On the one hand, only the first allows professionals to handle specific security breaches. On the other han...
Conference Paper
Full-text available
Linux applications are finding their role on important computer systems. At the same time their use grow, they become target for malware. Therefore, understanding the security impacts of malware infections on them is essential to allow system hardening and countermeasures development. In this paper, we evaluate malicious ELF binaries to present a l...
Conference Paper
Full-text available
Programming is an error-prone task, which may result in application misbehavior. From the safety point of view, crashes are undesirable as they affect user experience, whereas from the security point of view, vulnerability exploitation can lead to security violations. Although fuzzing and other testing techniques help to minimize undesirable events...
Chapter
Full-text available
Binary analysis is a key step for security procedures, such as systems inspection and validation. Modern architectures are powered by many resources and features which end up in more efficient-and also more complex-applications and codes. These resources and features include virtual machine support, BIOS and chipset code execution, isolated enclave...
Conference Paper
Full-text available
Malware overview reports are valuable information to understand threats behavior and develop proper countermeasures. Currently, most of these studies are focused on either fine-grained, individual sample analysis or coarse-grained landscapes. On the one hand, only the first allows professionals to handle specific security breaches. On the other han...
Article
Full-text available
Malicious software, a threat users face on a daily basis, have evolved from simple bankers based on social engineering to advanced persistent threats. Recent research and discoveries reveal that malware developers have been using a wide range of anti-analysis and evasion techniques, in-memory attacks, and system subversion, including BIOS and hyper...
Conference Paper
Full-text available
Malicious software (malware) are persistent threats to modern computer systems and the development of countermeasures to them becomes harder each day due to the emergence of anti-analysis and anti-forensics techniques, able to evade software-based monitoring solutions. In this scenario, hardware-assisted solutions are effective alternatives, but st...
Article
Full-text available
In order to thwart dynamic analysis and bypass protection mechanisms, malware have been using several file formats and evasive techniques. While publicly available dynamic malware analysis systems are one of the main sources of information for researchers, security analysts and incident response professionals, they are unable to cope with all types...
Article
Malware and code-reuse attacks are the most significant threats to current systems operation. Solutions developed to countermeasure them have their weaknesses exploited by attackers through sandbox evasion and antidebug crafting. To address such weaknesses, we propose a framework that relies on the modern processors’ branch monitor feature to allow...
Conference Paper
Full-text available
Malicious software (malware) has been extensively used for illegal activity and new malware variants are discovered at an alarmingly high rate. The ability to group malware variants into families with similar characteristics makes possible to create mitigation strategies that work for a whole class of programs. In this paper, we present a malware f...
Conference Paper
Full-text available
Despite the numerous advantages offered by cloud computing services, security aspects constitute a critical issue when considering to adopt this kind of service. Novel intrusion detection methods have been proposed in order to mitigate attacks toward the several layers from cloud architectures. In this paper, we present an intrusion detection syste...
Conference Paper
Full-text available
Malicious programs are persistent threats to computer systems, and their damages extend from financial losses to critical infrastructure attacks. Malware analysis aims to provide useful information to be used for forensic procedures and countermeasures development. To thwart that, attackers make use of anti-analysis techniques that prevent or diffi...
Conference Paper
This paper presents the current status of our research on the robustness of CoAP server-side implementations. We discuss the importance of the CoAP protocol as an enabler of the Internet of Things (IoT) vision, and also the current state of CoAP implementations available out there. Then, we proceed to test those implementations using fuzzing techni...
Conference Paper
Full-text available
A análise dinâmica é uma das principais técnicas utilizadas para caracterização de malware, identificação de suas funcionalidades e desenvolvimento de contra-medidas. Portanto, desenvolvedores de malware buscam continuamente por formas de impedir a execução de seus códigos nesses ambientes, dificultando a detecção. Além disso, avanços nos sistemas...
Conference Paper
Full-text available
A injeção de código foi um dos principais ataques contra sistemas computacionais. A adoção das páginas não-executáveis com apoio de hardware (NX/XD) e prevenção de execução de dados (DEP) eliminou o problema na prática. Entretanto, os atacantes passaram a desviar o fluxo de controle legítimo, encadeando blocos de código (gadgets) via instruções de...
Conference Paper
Full-text available
Debuggers são ferramentas importantes no desenvolvimento de software, pois auxiliam na inspeção de código e, com isso, sua validação. Em segurança de sistemas, debuggers podem ser usados em análise de malware e engenharia reversa, permitindo a investigação de vários caminhos de execução de aplicações. Entretanto, programas legítimos (para proteção...
Article
Malicious programs have been the main actors in complex, sophisticated attacks against nations, governments, diplomatic agencies, private institutions and people. Knowledge about malicious program behavior forms the basis for constructing more secure information systems. In this article, we introduce MBO, a Malicious Behavior Ontology that represen...
Conference Paper
Full-text available
urrent static analysis techniques for Android applications operate at the Java level - that is, they analyze either the Java source code or the Dalvik bytecode. However, Android allows developers to write code in C or C++ that is cross-compiled to multiple binary architectures. Furthermore, the Java-written components and the native code components...
Conference Paper
Full-text available
Malware is one of the main attack vectors to compromise computer systems. To be ahead of security mechanisms, malware authors diversify their creations by inserting evasive functions, applying obfuscation techniques, and modularizing them into distributed components. In addition, distinct trends can be observed in different countries, according to...
Conference Paper
Full-text available
Cloud Computing has introduced a variety of models of service delivery and deployment for public clouds, hybrid and private, that changed enterprise computing. Several providers provide these services, and each uses different models and pricing solutions. One of the most complex tasks for IT governance team is to calculate the total cost of an IT s...
Article
Full-text available
Malicious code attacks pose a serious threat to the security of information systems, as malware evolved from innocuous conceptual software to advanced and destructive cyber weapons. However, there is still the lack of a comprehensive and useful taxonomy to classify malware according to their behavior, since commonly used names are obsolete and unab...
Article
Full-text available
The lack of novel security controls for the cloud might arise from the fact that Cloud Computing is the convergence of many different technological areas, including Utility Computer, Computational Grid, Autonomous Computing, Virtualization and Service Oriented Architectures. These underlying areas have been independently addressed by existing gener...
Conference Paper
A Web Service is a software system designed to support interoperable machine-to-machine interaction over a network, it also provides a standard means of interoperating between different software applications. However, Web Services have raised new challenges on information security, this technology is susceptible to XML Injection attacks, which woul...
Conference Paper
Full-text available
Malware are persistent threats to systems security that are constantly evolving to prevent detection and dynamic analysis techniques. Currently, there is no known dynamic analysis system (publicly available or described in the literature) that supports 64-bits malware (PE+ format). It is difficult to monitor malware for Windows NT 6.x due to new se...
Conference Paper
The ubiquity of Internet-connected devices motivates attackers to create malicious programs (malware) to exploit users and their systems. Malware detection requires a deep understanding of their possible behaviors, one that is detailed enough to tell apart suspicious programs from benign, legitimate ones. A step to effectively address the malware p...
Article
Full-text available
The constant evolution of mobile devices’ resources and features turned ordinary phones into powerful and portable computers, leading their users to perform payments, store sensitive information and even to access other accounts on remote machines. This scenario has contributed to the rapid rise of new malware samples targeting mobile platforms. Gi...
Conference Paper
An important aspect to security management is the continuous monitoring of the environment where we want to ensure security. However, there are still very few results in the field of security monitoring in cloud computing, which happens mainly because of the environment characteristics like virtualization, multilayer and multitenancy service. Aimin...
Conference Paper
Dispositivos móveis dependem de "lojas" para intermediar a obtenção de suas aplicações. Dispositivos Android contam com a loja oficial, Google Play, ou com lojas alternativas, as quais podem não restringir ou avaliar adequadamente as aplicações disponibilizadas. O controle menos rigoroso somado ao crescimento na quantidade de malware voltado para d...
Conference Paper
O aumento na quantidade de dispositivos móveis vendidos levou ao surgimento de inúmeros exemplares de malware para estas plataformas. Essa situação é especialmente grave no caso do sistema Android, cujas lojas (oficial e alternativas) servem como ponto de infecção para muitos usuários. Com isso, faz-se necessário o desenvolvimento de técnicas para...
Conference Paper
Full-text available
"Bankers" are special types of malware whose targets are Internet banking users, mainly to obtain their credentials. Banker infections cause losses of billions of dollars worldwide. Thus, better understanding and detection of bankers is required. Due to their interactive nature, obtaining bankers' behaviors can be a difficult task for current dynam...
Conference Paper
Full-text available
Desirable requirements of cloud computing are to avoid wasting underused resources and increasing response time due to shortage of resources. We notice that recent literature in the field prioritizes the administration of resource provisioning and the allocation algorithms for an energy-efficient management of cloud computing environments. Security...
Conference Paper
Full-text available
Malicious code (malware) is used to steal sensitive data, to attack corporate networks, and to deliver spam. To silently compromise systems and maintain their access, malware developers usually apply obfuscation techniques that result in a massive amount of malware variants and that can render static analysis approaches ineffective. To address the...
Conference Paper
Full-text available
Malicious programs pose a major threat to Internet-connected systems, increasing the importance of studying their behavior in order to fight against them. In this paper, we propose definitions to the different types of behavior that a program can present during its execution. Based on those definitions, we define suspicious behavior as the group of...
Conference Paper
Full-text available
Malicious software attacks can disrupt information systems, violating security principles of availability, confidentiality and integrity. Attackers use malware to gain control, steal data, keep access and cover traces left on the compromised systems. The dynamic analysis of malware is useful to obtain an execution trace that can be used to assess t...
Conference Paper
A security analyst plays a key role in tackling unusual incidents, which is an extenuating task to be properly done, a single service can generate a massive amount of log data in a single day. The analysis of such data is a challenge. Among several available techniques, parallel coordinates have been widely used for visualization of high-dimensiona...
Conference Paper
Full-text available
Malicious programs (malware) cause serious security issues to home users and even to highly secured enterprise systems. The main infection vector currently used by attackers is the Internet. To improve the detection rate and to develop protection mechanisms, it is very important to analyze and study these threats. To this end, several systems were...
Article
Full-text available
Malicious code (malware) that spreads through the Internet-such as viruses, worms and trojans-is a major threat to information security nowadays and a profitable business for criminals. There are several approaches to analyze malware by monitoring its actions while it is running in a controlled environment, which helps to identify malicious behavio...
Article
Full-text available
Security administrators face the challenge of designing, deploying and maintaining a variety of configuration files related to security systems, especially in large-scale networks. These files have heterogeneous syntaxes and follow differing semantic concepts. Nevertheless, they are interdependent due to security services having to cooperate and th...