{"id":1743,"date":"2024-05-17T12:20:01","date_gmt":"2024-05-17T10:20:01","guid":{"rendered":"https:\/\/pepr-defmal.loria.fr\/?page_id=1743"},"modified":"2026-04-16T10:57:55","modified_gmt":"2026-04-16T08:57:55","slug":"webinaires","status":"publish","type":"page","link":"https:\/\/pepr-defmal.loria.fr\/en\/webinaires\/","title":{"rendered":"DefMal Webinar"},"content":{"rendered":"

Would you like to receive webinar invitations? Contact us by email at: maira.nassau@loria.fr<\/a><\/p>\n\n\n\n

We are pleased to invite you to the next DefMal webinar by\u00a0
Marcus BOTACIN ( Texas A&M University<\/a> )<\/strong>
on October 15th at 2 p.m.<\/strong>
\u00a0<\/p>\n\n\n\n

Towards Fully Automated Malware Analysis<\/strong> <\/p>\n\n\n\n

This talk discusses the ideas developed in Botacin’s lab toward the goal of creating an end-to-end, fully automated malware detection solution. Let’s together discuss solutions for each step of a malware detection pipeline, including: (1) How to efficiently build ML detectors in the presence of evolving attacks via concept drift detection and distributed learning; (2) How to test detectors’ robustness with automated adversarial attack generation; (3) How to enhance model’s robustness via adversarial retraining based on the augmentation of the training set with synthetic samples generated by GPT models; (4) How to derive rules from ML models for efficient matching at the endpoint with hardware support; and (5) How to advance threat intelligence in analysis platforms with LLMs.

<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Marcus Botacin is an assistant professor in the computer science and engineering department at Texas A&M University. He holds a Ph.D. in computer Science (Federal University of Paran\u00e1, Brazil, 2021), a master\u2019s in computer science (University of Campinas, Brazil, 2017) and a bachelor\u2019s in computer engineering (University of Campinas, Brazil, 2015). Botacin\u2019s main research interests are malware analysis and reverse engineering. Botacin\u2019s research has been published in the major scientific venues (e.g., ACM Transactions and USENIX Security). Botacin has spoken of academic, industry and hacking conferences (e.g., USENIX Enigma and HackInTheBox). <\/p>\n\n\n\n

\n\n\n\n

We are pleased to invite you to the next DefMal webinar by  Giada Stivala<\/strong> (CISPA) on 17th September at 2 p.m<\/strong>. <\/p>\n\n\n\n

Giada Stivala is a senior PhD student in \nthe group of Giancarlo Pellegrino at CISPA, focusing on web security, \nlarge-scale measurements, phishing, and cybercrime. Her recent works \npresent Clickbait PDFs, an attack vector for malicious links, and \ninvestigate the web infrastructure behind clickbait PDF campaigns. \nPreviously, she studied malicious link distribution on social \nplatforms, focusing on trustworthiness (or deception) of link \npreviews in social media posts. <\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Deceptive Link Distribution and the Tactics Behind Malicious Web Campaigns. <\/strong><\/p>\n\n\n\n

Our browsers, whether on mobile or \ndesktop, are gateways to a vast universe of information. Accessing \nonline content, like reading a blog post linked on social media or \nsearching for a document, is part of our daily routine. However, \nseemingly legitimate social media posts can lead to malicious websites,\n and search engine results can be manipulated to rank harmful content \nhigher than legitimate sources.
In this talk, I explore two emerging\n methods of malicious link distribution. The first involves the \nprogrammatic manipulation of social media link previews. Attackers can \ncreate deceptive previews not only by controlling the linked page but \nalso by exploiting flaws in the preview creation process. While some \nplatforms make it easy to craft deceptive previews, they can also \neasily block link distribution via blocklisting.The second distribution\n method involves embedding malicious links within PDF files known as \n\u201cClickbait PDFs.\u201d These files don\u2019t contain malware but use misleading \nvisuals to trick users into clicking, directing them to harmful \nwebsites. Attackers poisoned search results to reach victims, uploading\n hundreds of thousands of clickbait PDF files for months. Our studies \nshow that SEO-driven Clickbait PDF campaigns have distinct patterns \ncompared to traditional file-based Web attacks, and that fighting their\n distribution is complex.<\/p>\n\n\n\n

\n\n\n\n
We are pleased to invite you to the next DefMal webinar by 
Davide Balzarotti <\/strong>(EURECOM) on 10th July at 11 a.m<\/strong>.

Davide\n Balzarotti is a full Professor and the head of the Digital Security \nDepartment at EURECOM. He received his Ph.D. from Politecnico di Milano\n in 2006 and his research interests include most aspects of software \nand system security and in particular the areas of binary and malware \nanalysis, fuzzing and vulnerability discovery, computer forensics, and \nweb security. Davide authored more than 100 publications in leading \nconferences and journals. He has been the Program Chair Usenix Security\n 2024, ACSAC 2017, RAID 2012, and Eurosec 2014. Davide received in an \nERC Consolidator and an ERC PoC Grants for his research in the analysis\n of compromised systems. Davide is also member of the \u00ab Order of the \nOverflow \u00bb team, which organized the DEF CON CTF competition between \n2018 and 2021. <\/td><\/tr><\/tbody><\/table>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
Malware Research: History, Milestones, and Open Questions<\/strong>  
Abstract<\/strong>\n Researchers have worked on the analysis, detection, and classification\n of malicious software since the first early viruses in the 1980s. \nAfter more than 40 years of academic research and thousands of papers \npublished on this topic, what have we learned about malware? Which \nproblems and questions have attracted the interest of researchers? And \nfor which of those did we find some answers so far? In this talk, I \nwill go through some of these past achievements (shamelessly using some\n of my research as an example) and discuss past findings as well as \nopen questions for the future.<\/td><\/tr><\/tbody><\/table>\n\n\n\n
\n\n\n\n


We are pleased to invite you to the next DefMal webinar by 
Leo COSSERON<\/strong> on 18th June at 2 p.m<\/strong>. <\/p>\n\n\n\n

L\u00e9o COSSERON<\/strong>
L\u00e9o Cosseron est doctorant en 2\u00e8me \nann\u00e9e dans l\u2019\u00e9quipe MAGELLAN \u00e0 l\u2019IRISA (Rennes), et titulaire d\u2019un M2 en\n informatique de l\u2019ENS Rennes (2022). Ses centres d\u2019int\u00e9r\u00eats en \nrecherche sont la virtualisation mat\u00e9rielle, la simulation r\u00e9seau et la \n s\u00e9curit\u00e9 des syst\u00e8mes. Pendant sa th\u00e8se, L\u00e9o cherche \u00e0 synchroniser \npr\u00e9cis\u00e9ment un simulateur r\u00e9seau avec une sandbox d\u2019analyse de malware, \n dans le but de cr\u00e9er un environnement r\u00e9seau factice qui soit \nindistinguable d\u2019un r\u00e9seau r\u00e9el, afin de contrer des malware \u00e9vasifs \nbas\u00e9s sur le fingerprinting des performances du r\u00e9seau. <\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Simuler l\u2019environnement r\u00e9seau de sandboxes pour cacher les pauses d\u2019introspection de machines virtuelles<\/strong>
\n   Les sandboxes d\u2019analyse de logiciels malveillants utilisent \nl\u2019introspection de machines virtuelles (VMI) pour analyser ces \nprogrammes. La VMI est un ensemble de techniques pour observer \nl\u2019ex\u00e9cution dans une machine virtuelle (VM) en restant isol\u00e9 de la VM. \nCertains logiciels malveillants dits \u00e9vasifs d\u00e9tectent les pauses \nd\u2019ex\u00e9cution de la VM caus\u00e9es par la VMI et \u00e9vitent alors d\u2019activer leur\n comportement malveillant. Ce probl\u00e8me tend \u00e0 dispara\u00eetre puisque les \nconcepteurs de sandboxes manipulent l\u2019horloge des VMs pour cacher ces \npauses. En revanche le r\u00e9seau factice cr\u00e9\u00e9 par une sandbox offre de \nnouvelles opportunit\u00e9s aux logiciels malveillants \u00e9vasifs. En effet les\n pauses VMI ont un impact mesurable sur les performances r\u00e9seau.
\nLes logiciels malveillants peuvent ainsi d\u00e9tecter les \u00e9carts de \nperformance entre le r\u00e9seau observ\u00e9 et celui du syst\u00e8me cibl\u00e9. Pour \nr\u00e9soudre ce probl\u00e8me, l\u2019approche TANSIV consiste \u00e0 construire le r\u00e9seau \n de la sandbox au-dessus d\u2019un simulateur r\u00e9seau \u00e0 \u00e9v\u00e9nements discrets. \nLe simulateur d\u00e9finit la r\u00e9f\u00e9rence de temps et TANSIV coordonne \nl\u2019\u00e9coulement du temps, en synchronisant les horloges virtuelles avec \nl\u2019horloge du simulateur. Les paquets \u00e9mis par les VMs sont intercept\u00e9s \net transmis \u00e0 la VM destinataire \u00e0 l\u2019heure virtuelle calcul\u00e9e par le \nsimulateur. Les VMs sont r\u00e9guli\u00e8rement interrompues \u00e0 des heures \nvirtuelles calcul\u00e9es avec le simulateur afin de les resynchroniser, et \nde faire avancer l\u2019horloge du simulateur en fonction des \u00e9v\u00e9nements \nr\u00e9seau. Dans le cas de la virtualisation mat\u00e9rielle, en plus de \nmanipuler les horloges virtuelles pour masquer les pauses VMI, TANSIV \ncache les pauses de synchronisation avec le simulateur r\u00e9seau [1]. \nTANSIV est portable entre hyperviseurs et supporte QEMU, en modes \n\u00e9mulation et KVM, ainsi que Xen. Pour \u00e9valuer exp\u00e9rimentalement TANSIV, \n nous avons mesur\u00e9 le RTT entre deux VMs, en utilisant sur une VM un \nscript VMI suffisamment agressif pour d\u00e9clencher une pause VMI entre \nchaque envoi de paquet. Nos r\u00e9sultats montrent que la distribution des \nRTT est coh\u00e9rente en utilisant TANSIV, que ce soit avec ou sans VMI, \nalors que ne pas masquer les pauses VMI ou utiliser un r\u00e9seau sans \nsynchronisation r\u00e9sulte en une distribution incoh\u00e9rente des RTTs.

[1]\n L\u00e9o Cosseron, Louis Rilling, Matthieu Simonin, Martin Quinson. \nSimulating the Network Environment of Sandboxes to Hide Virtual Machine\n Introspection Pauses. EuroSec 2024 \u2013 17th European Workshop on Systems\n Security, Apr 2024, Ath\u00e8ne, Greece. pp.1-7, \u27e810.1145\/3642974.3652280\u27e9.\n \u27e8hal-04537165\u27e9<\/em><\/p>\n\n\n\n

\n\n\n\n

16 th April, 2 p.m by
Aurore FASS<\/strong>
Aurore \nFass is a Tenure-Track Faculty at CISPA Helmholtz Center for \nInformation Security. She got her Ph.D. from CISPA & Saarland \nUniversity in 2021. From 2021 to 2023, she was a Visiting Assistant \nProfessor of Computer Science at Stanford University.
Aurore\u2019s \nresearch broadly focuses on Web Security & Privacy and Web \nMeasurements. Specifically, she designs practical approaches to protect \n the security and privacy of Web users. She builds systems to \nproactively detect malicious JavaScript code and suspicious browser \nextensions. Aurore co-chaired the MADWeb 2024 & 2023 workshop, \nco-located with NDSS, and she is ACM CCS 2024 workshop co-chair. In \naddition, she has served on the program committees of the leading \nsecurity conferences and has received Distinguished Reviewer Awards at \nACM CCS 2023 & 2022, ACSAC 2023, and TheWebConf 2022.<\/em> <\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

\u00abStudying JavaScript Security Through Static Analysis: Detection of Malicious and Vulnerable Code\u00bb<\/strong>\n JavaScript is a browser scripting language that was designed to create\n sophisticated and interactive web pages. However, JavaScript also \nprovides an entry point for an attacker to exploit bugs and \nvulnerabilities in web pages and browser extensions. In practice, an \nattacker can leverage both malicious and vulnerable JavaScript code to \ncompromise the security and privacy of Web users.
In this talk, I will approach these issues by proposing several systems to statically analyze real-world JavaScript code.
\n First, I will focus on _malicious JavaScript_. I will briefly introduce\n static detectors, which leverage machine learning techniques to detect\n malicious JavaScript samples. Then, I will evaluate the robustness of \n such static detectors in an adversarial setting. In particular, I will \n introduce HideNoSeek, our generic camouflage attack that consists of \nrewriting malicious JavaScript samples so that they have the same \nsyntactic structure as existing benign scripts.
Finally, I will \nfocus on _vulnerable JavaScript_ code from browser extensions. I will \npresent DoubleX, our open-source static analyzer that detects \nvulnerable data flows in browser extensions with high precision (89%) \nand recall (93%).
Through this talk, I aim to raise awareness about \nthe risks posed by malicious and vulnerable JavaScript code, and to \ndiscuss strategies for mitigating such threats. <\/p>\n\n\n\n

\n\n\n\n

19 th Mars, 2 p.m by Luca Demetrio
<\/strong>Luca Demetrio is Assistant Professor at the University of Genoa, and he received his Ph.D. in 2021.
His\n research focuses on assessing the security of machine learning threat\n detectors, with a strong focus on Windows malware. He is first author\n on several paper on the topic, and he is maintainer of SecML Malware (https:\/\/github.com\/pralab\/secml_malware<\/a>)\n which automates the generation of adversarial EXEmples. He has been \n awarded with an honourable mention by the \u201cGruppo 2003\u201d for your \nresearchers in 2023 for his contribution on the topic, and he is \nreviewer for top-tier conferences like USENIX and ICLR.Also, he took \npart to industrial conferences like TROOPERS, and, together with other \n people, he will also deliver a training to BlackHat 2024 covering \nmachine learning for malware detection and pentesting techniques with \nEXEmples. <\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Title: \u00ab Pentesting Windows malware detectors with Adversarial EXEmples ? \u00bb<\/strong>
\n   Machine learning for malware detection has received a great boost in\n popularity, given its inhuman performances with extremely-low numbers \nof false alarms, compared to static signature which are unable to cope \nwith all the possible variants. However, recent research shows that \nthese techniques are not bullet-proof since they are vulnerable to \nAdversarial EXEmples, carefully-crafted malware samples optimised to \nbypass detection. These are implemented through manipulations that \npreserve the original functionality, and their generation can be easily\n automated and targeted against both machine learning models and \ncommercially-available antivirus programs.Hence, in this talk, we will \nprovide insights on how to properly formulate these novel threats, and \nhow they can be used to test malware detectors. Thanks to cutting-edge \nadvancements, we will also share details on possible defenses and \nmitigations against Adversarial EXEmples, and we will close by \nhighlighting limitations and possible future directions to improve this\n novel research field. <\/p>\n\n\n\n

\n\n\n\n

February 20th at 2 p.m by
Simone AONZO<\/strong><\/p>\n\n\n\n

Simone Aonzo is an Assistant Professor at EURECOM (France), where \nhe teaches and conducts research in the Digital Security Department. \nHe has extensive experience and knowledge in malware analysis (covering\n both Windows and Android platforms), reverse engineering, phishing, \nand mobile security. He is also interested in the human factors of \nsecurity processes and has recently started publishing papers on this \ntopic. He is passionate about finding and solving real-world security \nchallenges and educating the next generation of security \nprofessionals. <\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Title: \u00ab Do Androids Dream of Electric Phishing? \u00bb<\/strong>
\n   In this seminar, I will present two novel and practical phishing \nattacks on Android that exploit some convenience features. In the first\n attack, I will abuse features unique to Android, namely the Autofill \nFramework and Instant Apps, to show how an attacker can trick password \nmanagers into autofilling credentials for malicious websites. In the \nsecond attack, I demonstrate a state inference-based phishing attack \nthat uses the inotify APIs, in this case a feature of the Linux kernel \non which Android is based, to monitor file system events and detect \nwhen the victim launches a target application.
Several \nvulnerabilities and their fixes were reported to both Google and major \npassword manager developers, but even now these issues have not been \nfully resolved, proving once again that while secure solutions exist in\n theory, they are difficult to implem<\/p>\n\n\n\n

\n\n\n\n

Tuesday 16\/01 at 2pm by Gregoire Menguy, CEA List. <\/strong><\/p>\n\n\n\n

Black-box Code Analysis for Reverse Engineering Through Constraint Acquisition and Program Synthesis<\/strong>
Software\n always becomes larger and more complex, making crucial tasks like code \ntesting, verification, or code understanding highly difficult for \nhumans. Hence the need for methods to reason about code automatically. \nThese are usually white-box, and use the code syntax to deduce its \nproperties. While they have proven very powerful, they also show \nlimitations: they need the source code, the code size and the data \nstructures\u2019 complexity degrade their efficiency, they are highly \nimpacted by syntactic code complexity amplified by optimizations or \nobfuscations. We explore how black-box code analysis can infer valuable \nproperties for reverse engineering through data-driven learning. First, \nwe consider the function contracts inference problem, which aims to \ninfer over which inputs a code function can be executed to get good \nbehaviors only. We extend the constraint acquisition learning framework,\n notably solving one of its major flaws: the dependency on a human user.\n It leads to PreCA, the first black-box approach enjoying clear \ntheoretical guarantees. It makes PreCA especially suitable for \ndevelopment uses. Second, we consider the deobfuscation problem, which \naims to simplify obfuscated code. Our proposal, Xyntia, synthesizes code\n block semantics through S-metaheuristics to offer an understandable \nversion of the code. Xyntia significantly improves the state-of-the-art \nin terms of robustness and speed. In addition, we propose the two first \nprotections efficient against black-box deobfuscation.\n\n<\/p>","protected":false},"excerpt":{"rendered":"

Would you like to receive webinar invitations? Contact us by email at: maira.nassau@loria.fr We are pleased to invite you to the next DefMal webinar by\u00a0 Marcus BOTACIN ( Texas A&M University ) on October 15th at 2 p.m. \u00a0 Towards Fully Automated Malware Analysis This talk discusses the ideas developed\u2026<\/p>\n

en savoir+<\/span><\/i><\/a> <\/p>\n","protected":false},"author":1990,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-1743","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/pepr-defmal.loria.fr\/en\/wp-json\/wp\/v2\/pages\/1743","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pepr-defmal.loria.fr\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/pepr-defmal.loria.fr\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/pepr-defmal.loria.fr\/en\/wp-json\/wp\/v2\/users\/1990"}],"replies":[{"embeddable":true,"href":"https:\/\/pepr-defmal.loria.fr\/en\/wp-json\/wp\/v2\/comments?post=1743"}],"version-history":[{"count":25,"href":"https:\/\/pepr-defmal.loria.fr\/en\/wp-json\/wp\/v2\/pages\/1743\/revisions"}],"predecessor-version":[{"id":2211,"href":"https:\/\/pepr-defmal.loria.fr\/en\/wp-json\/wp\/v2\/pages\/1743\/revisions\/2211"}],"wp:attachment":[{"href":"https:\/\/pepr-defmal.loria.fr\/en\/wp-json\/wp\/v2\/media?parent=1743"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}