Critical infrastructures security: improving defense against novel malware and Advanced Persistent Threats [Doctoral thesis]

Protection of Critical Infrastructures (CIs) is vital for the survival of society. Any reduction or interruption of their functionality can cause heavy damage to people. Stuxnet and WannaCry are clear proof that the world has changed and that attackers now target CIs mainly through cyberspace. The rapid evolution of adversaries' skills causes an overwhelming increase in the difficulty of defense. Huge numbers of malware samples are released every day, and malware analysts cannot be fast enough to analyze all of them and react in time. Moreover, classical security software, such as anti-virus, cannot help, because of the extensive knowledge required to recognize threats. In this thesis, we present our ideas to reduce the problem and consequently improve Critical Infrastructure security. We observe that the main attack vector is malware; therefore we propose a semi-automatic architecture for malware analysis, which can help human analysts by giving them useful information and heavily reducing their workload by prioritizing the cutting-edge and most dangerous malware. Moreover, we focus on malware belonging to new malware families or developed by Advanced Persistent Threats (APTs), which pose a serious risk to CIs and hence deserve deeper inspection. We have therefore developed tools, to be integrated into our architecture, that are able to group malware into families and to recognize malware developed by APTs. We implement the first task through clustering and online clustering. This module can greatly reduce the number of malware samples to be analyzed: malware labeled as belonging to known families does not need additional investigation, since its behavior has already been studied, and for new groups it is possible to study only a small number of representatives, further reducing the workload. We fulfill the second task through a Triage approach. This task is fundamental to detect very dangerous malware. Since APTs are the most threatening adversaries of CIs, detecting their activities as soon as possible is the only way to diminish the damage and possibly stop the attack.

Rights: info:eu-repo/semantics/openAccess
Related to: info:eu-repo/semantics/altIdentifier/hdl/11573/1362189
BALDONI, Roberto
QUERZONI, Leonardo
External examiners: A. Merlo, C. A. Visaggio
Field: ING-INF/05 - Information Processing Systems

Doctoral thesis. | Language: English. | Country: | BID: TD20019166