{"id":1743,"date":"2024-05-17T12:20:01","date_gmt":"2024-05-17T10:20:01","guid":{"rendered":"https:\/\/pepr-defmal.loria.fr\/?page_id=1743"},"modified":"2026-01-20T11:32:13","modified_gmt":"2026-01-20T10:32:13","slug":"webinaires","status":"publish","type":"page","link":"https:\/\/pepr-defmal.loria.fr\/fr\/webinaires\/","title":{"rendered":"DefMal Webinar"},"content":{"rendered":"

Would you like to receive the invitation link for the webinars? Contact us: maira.nassau@loria.fr<\/a> <\/p>\n\n\n\n

We are pleased to invite you to the next DefMal webinar by 

Gabriel SAUGER <\/strong>(Universit\u00e9 de Lorraine)
on January 29 at 2 p.m.<\/strong><\/p>\n\n\n\n

Adversarial Attacks Against Machine-Learning-Based Binary Code Analysis<\/strong><\/p>\n\n\n\n

My research investigates the security and robustness of machine-learning models used for Binary Code Similarity Detection (BCSD), revealing their vulnerability to targeted adversarial manipulation. To demonstrate these weaknesses, we developed Kelpie, a novel framework that generates semantically valid binary perturbations by combining control-flow graph mimicry with instruction-distribution alignment. Operating in a realistic zero-query, black-box setting, Kelpie successfully deceives eight state-of-the-art classifiers into misidentifying malicious payloads or vulnerable code as benign targets. Ultimately, this work challenges the foundational assumptions of current binary analysis models and provides a framework for building more resilient, semantics-aware security systems.<\/p>\n\n\n\n

\n

Speaker Bio:<\/strong> Gabriel Sauger is a PhD candidate at LORIA (University of Lorraine) in the CARBONE team. He is an engineer trained at \u00c9cole des Mines de Nancy, and his research interests lie in the intersection of machine learning and low-level program analysis. This has led him to focus on the Binary Code Similarity Detection task, which he approached from the adversarial attack point of view.<\/p>\n<\/div>

\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n

Roy RICALDI<\/strong>\u00a0(Eindhoven University of Technology)
on December 18 at 2 p.m.<\/strong><\/p>\n\n\n\n

Hunting CTI on Telegram: Towards Effective Cybercriminal Community Discovery<\/strong><\/p>\n\n\n\n

Telegram has become a central coordination and vast distribution hub for cybercriminal activity, offering anonymity, scalability, and low entry barriers that make it both attractive to offenders and difficult for analysts to monitor. As a result, Cyber Threat Intelligence (CTI) teams require updated methods to track these illicit communities, but little is known about how different discovery strategies perform or what their outcomes reveal about the broader ecosystem. We present TeleHUNT, a modular, language-model\u2013driven tool for cybercriminal community discovery on Telegram. We employ TeleHUNT to classify discovered communities into six market segments (cyberattacks, digital piracy, infrastructure, fraud tools, personal data, and tutorials) and evaluate the efficiency, accessibility, and saturation produced by different tool configurations, and reframe discovery performance into insights about the ecosystem. Using both open web and dark web seeds to snowball on, we collected 6,022 communities, 172,385,463 messages, and 2,392,741 unique users. After testing 28 configurations, we found that link-based strategies maximized coverage but suffered high noise, while forward-based methods achieved near-perfect precision with limited reach. Saturation modeling shows highly interconnected growth in market segments dedicated to fraud tools and cyberattacks, with other segments plateauing quickly. Further, while open web seeds yield more communities, combining both open and dark web seeding is best for maximum coverage. With these insights, TeleHUNT enables effective CTI collection and structural analysis of Telegram\u2019s cybercrime economy.<\/p>\n\n\n\n

\n

Speaker Bio:<\/strong> Roy Ricaldi is a PhD candidate in Cybercrime at Eindhoven University of Technology, where his research advances cybersecurity through threat analysis and the study of evolving cybercriminal ecosystems. His work examines the organization, capabilities, and behaviors of offenders across illicit online economies, identifying how threats emerge and propagate. His recent publications include studies on trust signals to support trade in Telegram\u2019s cybercrime economy, migratory decisions within underground networks, and attacker actions on honeypot platforms.\u00a0By combining artificial intelligence, quantitative monitoring tools, and qualitative methods, he develops frameworks to enhance threat intelligence and strengthen defenses against emerging cyber risks<\/p>\n<\/div>

\"\"<\/figure><\/div>\n\n\n\n

.<\/p>\n\n\n\n

\n\n\n\n

We are pleased to invite you to the next DefMal webinar by 
Lesly-Ann Daniel<\/strong> (EURECOM)
on October 21 at 2 p.m.<\/strong><\/p>\n\n\n\n

Microarchitectural attacks and provable defenses.<\/strong><\/p>\n\n\n\n

Modern processors rely on microarchitectural optimizations, such as caches and speculative execution, for performance, but these same features open the door to powerful attacks on cryptographic systems. The standard defense, constant-time programming, is widely used in cryptographic libraries, yet it falls short against threats like Spectre. In this talk, we will see how to enforce constant-time in software, how to extend it to defend against Spectre, and how hardware support can strengthen protection against microarchitectural attacks.<\/p>\n\n\n\n

\n

Speaker Bio:<\/strong> Lesly-Ann Daniel is an Assistant Professor at Eurecom in the Digital Security group since 2025. She is interested in the application of formal methods for securing the hardware software boundary. She has worked on program analysis, secure compilation, hardware security extensions, in the context of microarchitectural security and trusted execution environments. Before joining Eurecom, Lesly-Ann was a postdoctoral researcher in the DistriNet research group at KU Leuven (Belgium), where she worked on hardware-software co-designs. She obtained her PhD on Symbolic Binary-Level Code Analysis for Security in 2021, working at CEA List under the supervision of S\u00e9bastien Bardin and Tamara Rezk.<\/p>\n<\/div>

\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n

We are pleased to invite you to the next DefMal webinar by 
Pierre-Fran\u00e7ois GIMENEZ<\/strong> (INRIA – PIRAT team)
on April 15 at 2 p.m.<\/strong> <\/p>\n\n\n\n

Towards more realistic honeypots with synthetic network traffic injection <\/strong><\/p>\n\n\n\n

Honeypots and honeynets need to be realistic to attract and convince attackers to reveal their techniques. Several work on realistic file systems, but realistic local network communication is still an open question. In this work, we propose to generate synthetic network traffic using generative machine learning techniques and inject it into the network. This presentation entails some recent, ongoing work on this subject. <\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

Pierre-Fran\u00e7ois Gimenez <\/strong>is a research scientist at Inria. He is a member of the IRISA laboratory in the Protection of Information and Resistance to ATtacks (PIRAT) team, where he works on network intrusion detection and synthetic network data generation. Applications include monitoring embedded systems, radio communication, IT network communications, and computer systems. He holds a Ph.D. Degree in artificial intelligence from IRIT, France. He is leading the associate team SecGen between Inria and CISPA focused on generating synthetic security data for intrusion detection system assessment and is a member of French national projects on supervision (Superviz), malware analysis (DefMal), and vulnerability search (REV). radio communication, IT network communications, and computer systems. He holds a Ph.D. Degree in artificial intelligence from IRIT, France. He is leading the associate team SecGen between Inria and CISPA focused on generating synthetic security data for intrusion detection system assessment and is a member of French national projects on supervision (Superviz), malware analysis (DefMal), and vulnerability search (REV). <\/p>\n\n\n\n

\n\n\n\n

We are pleased to invite you to the next DefMal webinar by 
Van Anh Nguyen<\/strong> (Yokohama National University)
on March 20 at 3 p.m.
*In person, salle A015 – LORIA\/Nancy<\/strong>
<\/p>\n\n\n\n

Cross-environment Dynamic Symbolic Execution: Risks of
Android Applications with Native Code<\/strong> Modern applications often run across multiple environments. A high-level language can invoke native extensions, typically written in C\/C++, resulting in more efficient applications and increased productivity since legacy code can be reused. However, the use of native code introduces safety concerns that can lead to security breaches, potentially violating security protocols.
This research presents a novel tool, HybridSE, to analyze Android apps with native code. We believe that HybridSE is the first cross-environmental DSE tool that handles real-world Android apps. HybridSE distinguishes itself by integrating the strengths of established Dynamic Symbolic Execution (DSE) tools\u2014SPF (SymbolicPathfinder) and CORANA\/API, which are originally designed for Java and ARM architectures, respectively. Enhanced with a specialized taint analysis module, HybridSE effectively addresses data leaks in real- world applications and malware.

<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

Van Anh Nguyen <\/strong>is an assistant professor at Yokohama National University, with a research interest in the symbolic and dynamic analysis of malware in Windows and Android environments. She obtained her bachelor\u2019s degree from Vietnam National University in Hanoi in 2019 and completed her Master\u2019s and PhD at the Japan Advanced Institute of Science and Technology (JAIST) in 2024, under the guidance of Professor Mizuhito Ogawa. After earning her PhD, she joined Yokohama National University to continue her research in cybersecurity at the YNU Security Lab.
https:\/\/sec.ynu.codes\/iot\/about<\/a><\/p>\n\n\n\n

\n\n\n\n

We are pleased to invite you to the next DefMal webinar by\u00a0

Roxane COHEN <\/strong>and Robin DAVID <\/strong>(University Paris-Dauphine, Quarkslab)
on February 18th at 2 p.m.<\/strong><\/p>\n\n\n\n

Tackling obfuscated code through variant analysis and Graph Neural Networks.<\/strong>\n\nExisting deobfuscation techniques \nusually target specific obfuscation passes and assume a prior knowledge \nof obfuscated location within a program. Also, some approaches tend to \nbe computationally costly. Conversely, few research consider bypassing \nobfuscation through correlation of various variants of the same \nobfuscated program or a clear program and a later obfuscated variant. \nBoth scenarios are common both in IP protection but also malware \nanalysis. We formalize an attacker model targeting obfuscation by \nexploiting knowledge transfer between binaries through a dedicated \nbinary diffing algorithm leveraging both intra-procedural structure \n(CFG) and inter-procedural structure (call-graph) combined through \nmessage passing. The associated tool QBinDiff exhibits better results \nthan state-of-the-art differs.
\nIn a case where an adversary cannot find multiple variants of the same \nprogram, applying deobfuscation may be necessary and consequently \nlocating it. The latter, requires characterizing an obfuscation from \ngenuine code. We analyze both the binary classification problem namely \ndetermining if a function is obfuscated but also the multi-class problem\n namely determining the pass that is applied. Our baseline results \nreaches 0.95 of f1-score at the function level for binary. We show early\n results for the multi-class problem using various base representation \nand various algorithms including RandomForest, GradientBoosting and \nvarious GNNs.\n \n\n<\/p>\n\n\n\n

Roxane Cohen<\/strong> is currently doing her PhD at University Paris-Dauphine in collaboration with Quarkslab. Supervised by Fabrice Rossi, Robin \nDavid and Florian Yger, her main research subject is focused on graph \nrepresentation learning linked with reverse-engineering problems, such \nas obfuscation detection and binary diffing and similarity.<\/p>\n\n\n\n

\n

Robin David<\/strong> is Security Researcher focused on reverse engineering and software testing (fuzzing and symbolic execution). He peformed his Phd at the Atomic Energy Comission (CEA) in France under the supervision of Jean-Yves Marion at Loria. He attacked obfuscation using formal methods and symbolic execution. He is now full-time security researcher at Quarkslab where he is leading the automated analysis team and various research topics.<\/p>\n<\/div>

\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n

We are pleased to invite you to the next DefMal webinar by Martin MOCKO (<\/strong> Brno University of Technology )on December 17th at 10 a.m.<\/strong>
<\/p>\n\n\n\n

Malware clustering<\/strong> <\/p>\n\n\n\n

In this presentation, I explore problems I have identified for the task of malware clustering. I focus on improving the understanding of clustering performance and usability in malware analysis. Using public benchmark datasets, I ensure experiment comparability and investigate scenarios where the number of clusters exceeds the reported number of malware families. Various clustering algorithms and dimensionality reduction techniques were tested to assess their impact on clustering outcomes. This work aims to offer practical insights for enhancing malware clustering approaches in research and operational settings.   <\/p>\n\n\n\n

\n

Speaker Bio:<\/strong> Martin is a PhD student and research assistant at the Kempelen Institute of Intelligent Technologies, doing his PhD at the Brno University of Technology. His PhD thesis focuses on clustering of Windows executable files and creating useful representations using machine learning models. During his short research internship stay at Inria\/CentraleSupelec, he collaborates with multiple members of the PIRAT team and teams up with Vincent Raulin and Alexandre Sanchez to create a malware benchmark dataset based on dynamic features and tries to improve the state-of-the-art in malware clustering by utilizing self-supervised learning models. <\/p>\n<\/div>

\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n

Nous avons le plaisir de vous inviter \u00e0 assister au prochain webinaire DefMal, anim\u00e9 par Daniel VENTRE <\/strong>(CESDIP – UMR 8183 ) le 19 Novembre \u00e0 14h<\/strong><\/p>\n\n\n\n

Les APTs sous l’angle des SHS <\/strong> <\/p>\n\n\n\n

Quelles questions th\u00e9oriques soul\u00e8vent les APTs du point de vue des recherches en science politique, relations internationales, \u00e9tudes strat\u00e9giques? Sur le plan empirique, de quelles donn\u00e9es le chercheur en SHS peut-il disposer? Que peut-il en faire, comment les interpr\u00e8te-t-il? L’objectif de cette courte pr\u00e9sentation sera d’essayer d’ouvrir un dialogue avec la recherche en informatique, afin d’envisager des possibilit\u00e9s d’\u00e9changes plus approfondis et de collaboration pluridisciplinaire.   <\/p>\n\n\n\n

\n

Daniel Ventre est docteur en science politique, ing\u00e9nieur de recherche CNRS, chercheur au CESDIP (UMR 8183), directeur adjoint de la f\u00e9d\u00e9ration SIHS (sciences informatiques, humaines et sociales) du CNRS, directeur de la s\u00e9rie Cybers\u00e9curit\u00e9 aux \u00e9ditions ISTE (Londres). Ses travaux portent sur les politiques et doctrines de cybers\u00e9curit\u00e9 et cyberd\u00e9fense. Il est l’auteur d’une vingtaine d’ouvrages sur ces sujets. <\/p>\n<\/div>

\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n

We are pleased to invite you to the next DefMal webinar by  Marcus BOTACIN ( Texas A&M University<\/a> )<\/strong> on October 15th at 2 p.m.<\/strong>
<\/p>\n\n\n\n

Towards Fully Automated Malware Analysis<\/strong> <\/p>\n\n\n\n

This talk discusses the ideas developed in Botacin’s lab toward the goal of creating an end-to-end, fully automated malware detection solution. Let’s together discuss solutions for each step of a malware detection pipeline, including: (1) How to efficiently build ML detectors in the presence of evolving attacks via concept drift detection and distributed learning; (2) How to test detectors’ robustness with automated adversarial attack generation; (3) How to enhance model’s robustness via adversarial retraining based on the augmentation of the training set with synthetic samples generated by GPT models; (4) How to derive rules from ML models for efficient matching at the endpoint with hardware support; and (5) How to advance threat intelligence in analysis platforms with LLMs. <\/p>\n\n\n\n

\n

Marcus Botacin is an assistant professor in the computer science and engineering department at Texas A&M University. He holds a Ph.D. in computer Science (Federal University of Paran\u00e1, Brazil, 2021), a master\u2019s in computer science (University of Campinas, Brazil, 2017) and a bachelor\u2019s in computer engineering (University of Campinas, Brazil, 2015). Botacin\u2019s main research interests are malware analysis and reverse engineering. Botacin\u2019s research has been published in the major scientific venues (e.g., ACM Transactions and USENIX Security). Botacin has spoken of academic, industry and hacking conferences (e.g., USENIX Enigma and HackInTheBox). <\/p>\n<\/div>

\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n

We are pleased to invite you to the next DefMal webinar by  Giada Stivala<\/strong> (CISPA) on 17th September at 2 p.m<\/strong>. <\/p>\n\n\n\n

Deceptive Link Distribution and the Tactics Behind Malicious Web Campaigns. <\/strong><\/p>\n\n\n\n

Our browsers, whether on mobile or desktop, are gateways to a vast universe of information. Accessing online content, like reading a blog post linked on social media or searching for a document, is part of our daily routine. However, seemingly legitimate social media posts can lead to malicious websites, and search engine results can be manipulated to rank harmful content higher than legitimate sources.
In this talk, I explore two emerging methods of malicious link distribution. The first involves the programmatic manipulation of social media link previews. Attackers can create deceptive previews not only by controlling the linked page but also by exploiting flaws in the preview creation process. While some platforms make it easy to craft deceptive previews, they can also easily block link distribution via blocklisting.The second distribution method involves embedding malicious links within PDF files known as \u201cClickbait PDFs.\u201d These files don\u2019t contain malware but use misleading visuals to trick users into clicking, directing them to harmful websites. Attackers poisoned search results to reach victims, uploading hundreds of thousands of clickbait PDF files for months. Our studies show that SEO-driven Clickbait PDF campaigns have distinct patterns compared to traditional file-based Web attacks, and that fighting their distribution is complex.<\/p>\n\n\n\n

\n

Giada Stivala is a senior PhD student in the group of Giancarlo Pellegrino at CISPA, focusing on web security, large-scale measurements, phishing, and cybercrime. Her recent works present Clickbait PDFs, an attack vector for malicious links, and investigate the web infrastructure behind clickbait PDF campaigns. Previously, she studied malicious link distribution on social platforms, focusing on trustworthiness (or deception) of link previews in social media posts.<\/p>\n<\/div>

\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n

We are pleased to invite you to the next DefMal webinar by\u00a0
Davide Balzarotti <\/strong>(EURECOM) on 10th July at 11 a.m<\/strong>. <\/p>\n\n\n\n

Malware Research: History, Milestones, and Open Questions<\/strong> \u00a0
Abstract<\/strong> Researchers have worked on the analysis, detection, and classification of malicious software since the first early viruses in the 1980s. After more than 40 years of academic research and thousands of papers published on this topic, what have we learned about malware? Which problems and questions have attracted the interest of researchers? And for which of those did we find some answers so far? In this talk, I will go through some of these past achievements (shamelessly using some of my research as an example) and discuss past findings as well as open questions for the future.<\/p>\n\n\n\n

\n

Davide Balzarotti is a full Professor and the head of the Digital Security Department at EURECOM. He received his Ph.D. from Politecnico di Milano in 2006 and his research interests include most aspects of software and system security and in particular the areas of binary and malware analysis, fuzzing and vulnerability discovery, computer forensics, and web security. Davide authored more than 100 publications in leading conferences and journals. He has been the Program Chair Usenix Security 2024, ACSAC 2017, RAID 2012, and Eurosec 2014. Davide received in an ERC Consolidator and an ERC PoC Grants for his research in the analysis of compromised systems. Davide is also member of the \u00ab\u00a0Order of the Overflow\u00a0\u00bb team, which organized the DEF CON CTF competition between 2018 and 2021.<\/p>\n<\/div>

\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n


We are pleased to invite you to the next DefMal webinar by 
Leo COSSERON<\/strong> on 18th June at 2 p.m<\/strong>. <\/p>\n\n\n\n

Simuler l’environnement r\u00e9seau de sandboxes pour cacher les pauses d’introspection de machines virtuelles<\/strong>
\u00a0 Les sandboxes d\u2019analyse de logiciels malveillants utilisent l\u2019introspection de machines virtuelles (VMI) pour analyser ces programmes. La VMI est un ensemble de techniques pour observer l\u2019ex\u00e9cution dans une machine virtuelle (VM) en restant isol\u00e9 de la VM. Certains logiciels malveillants dits \u00e9vasifs d\u00e9tectent les pauses d\u2019ex\u00e9cution de la VM caus\u00e9es par la VMI et \u00e9vitent alors d\u2019activer leur comportement malveillant. Ce probl\u00e8me tend \u00e0 dispara\u00eetre puisque les concepteurs de sandboxes manipulent l\u2019horloge des VMs pour cacher ces pauses. En revanche le r\u00e9seau factice cr\u00e9\u00e9 par une sandbox offre de nouvelles opportunit\u00e9s aux logiciels malveillants \u00e9vasifs. En effet les pauses VMI ont un impact mesurable sur les performances r\u00e9seau.
Les logiciels malveillants peuvent ainsi d\u00e9tecter les \u00e9carts de performance entre le r\u00e9seau observ\u00e9 et celui du syst\u00e8me cibl\u00e9. Pour r\u00e9soudre ce probl\u00e8me, l\u2019approche TANSIV consiste \u00e0 construire le r\u00e9seau de la sandbox au-dessus d\u2019un simulateur r\u00e9seau \u00e0 \u00e9v\u00e9nements discrets. Le simulateur d\u00e9finit la r\u00e9f\u00e9rence de temps et TANSIV coordonne l\u2019\u00e9coulement du temps, en synchronisant les horloges virtuelles avec l\u2019horloge du simulateur. Les paquets \u00e9mis par les VMs sont intercept\u00e9s et transmis \u00e0 la VM destinataire \u00e0 l\u2019heure virtuelle calcul\u00e9e par le simulateur. Les VMs sont r\u00e9guli\u00e8rement interrompues \u00e0 des heures virtuelles calcul\u00e9es avec le simulateur afin de les resynchroniser, et de faire avancer l\u2019horloge du simulateur en fonction des \u00e9v\u00e9nements r\u00e9seau. Dans le cas de la virtualisation mat\u00e9rielle, en plus de manipuler les horloges virtuelles pour masquer les pauses VMI, TANSIV cache les pauses de synchronisation avec le simulateur r\u00e9seau [1]. TANSIV est portable entre hyperviseurs et supporte QEMU, en modes \u00e9mulation et KVM, ainsi que Xen. Pour \u00e9valuer exp\u00e9rimentalement TANSIV, nous avons mesur\u00e9 le RTT entre deux VMs, en utilisant sur une VM un script VMI suffisamment agressif pour d\u00e9clencher une pause VMI entre chaque envoi de paquet. Nos r\u00e9sultats montrent que la distribution des RTT est coh\u00e9rente en utilisant TANSIV, que ce soit avec ou sans VMI, alors que ne pas masquer les pauses VMI ou utiliser un r\u00e9seau sans synchronisation r\u00e9sulte en une distribution incoh\u00e9rente des RTTs.

[1] L\u00e9o Cosseron, Louis Rilling, Matthieu Simonin, Martin Quinson. Simulating the Network Environment of Sandboxes to Hide Virtual Machine Introspection Pauses. EuroSec 2024 – 17th European Workshop on Systems Security, Apr 2024, Ath\u00e8ne, Greece. pp.1-7, \u27e810.1145\/3642974.3652280\u27e9. \u27e8hal-04537165\u27e9<\/em><\/p>\n\n\n\n

\n

L\u00e9o Cosseron est doctorant en 2\u00e8me ann\u00e9e dans l’\u00e9quipe MAGELLAN \u00e0 l’IRISA (Rennes), et titulaire d’un M2 en informatique de l’ENS Rennes (2022). Ses centres d’int\u00e9r\u00eats en recherche sont la virtualisation mat\u00e9rielle, la simulation r\u00e9seau et la s\u00e9curit\u00e9 des syst\u00e8mes. Pendant sa th\u00e8se, L\u00e9o cherche \u00e0 synchroniser pr\u00e9cis\u00e9ment un simulateur r\u00e9seau avec une sandbox d’analyse de malware, dans le but de cr\u00e9er un environnement r\u00e9seau factice qui soit indistinguable d’un r\u00e9seau r\u00e9el, afin de contrer des malware \u00e9vasifs bas\u00e9s sur le fingerprinting des performances du r\u00e9seau.<\/p>\n<\/div>

\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n

16 th April, 2 p.m by
Aurore FASS<\/strong><\/p>\n\n\n\n

\u00abStudying JavaScript Security Through Static Analysis: Detection of Malicious and Vulnerable Code\u00bb<\/strong> JavaScript is a browser scripting language that was designed to create sophisticated and interactive web pages. However, JavaScript also provides an entry point for an attacker to exploit bugs and vulnerabilities in web pages and browser extensions. In practice, an attacker can leverage both malicious and vulnerable JavaScript code to compromise the security and privacy of Web users.
In this talk, I will approach these issues by proposing several systems to statically analyze real-world JavaScript code.
First, I will focus on _malicious JavaScript_. I will briefly introduce static detectors, which leverage machine learning techniques to detect malicious JavaScript samples. Then, I will evaluate the robustness of such static detectors in an adversarial setting. In particular, I will introduce HideNoSeek, our generic camouflage attack that consists of rewriting malicious JavaScript samples so that they have the same syntactic structure as existing benign scripts.
Finally, I will focus on _vulnerable JavaScript_ code from browser extensions. I will present DoubleX, our open-source static analyzer that detects vulnerable data flows in browser extensions with high precision (89%) and recall (93%). Through this talk, I aim to raise awareness about the risks posed by malicious and vulnerable JavaScript code, and to discuss strategies for mitigating such threats.<\/p>\n\n\n\n

\n

Aurore Fass is a Tenure-Track Faculty at CISPA Helmholtz Center for Information Security. She got her Ph.D. from CISPA & Saarland University in 2021. From 2021 to 2023, she was a Visiting Assistant Professor of Computer Science at Stanford University.
Aurore’s research broadly focuses on Web Security & Privacy and Web Measurements. Specifically, she designs practical approaches to protect the security and privacy of Web users. She builds systems to proactively detect malicious JavaScript code and suspicious browser extensions. Aurore co-chaired the MADWeb 2024 & 2023 workshop, co-located with NDSS, and she is ACM CCS 2024 workshop co-chair. In addition, she has served on the program committees of the leading security conferences and has received Distinguished Reviewer Awards at ACM CCS 2023 & 2022, ACSAC 2023, and TheWebConf 2022.<\/em><\/p>\n<\/div>

\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n

19 th Mars, 2 p.m by Luca Demetrio<\/strong><\/p>\n\n\n\n

Title: \u00ab Pentesting Windows malware detectors with Adversarial EXEmples ? \u00bb<\/strong>
\u00a0 Machine learning for malware detection has received a great boost in popularity, given its inhuman performances with extremely-low numbers of false alarms, compared to static signature which are unable to cope with all the possible variants. However, recent research shows that these techniques are not bullet-proof since they are vulnerable to Adversarial EXEmples, carefully-crafted malware samples optimised to bypass detection. These are implemented through manipulations that preserve the original functionality, and their generation can be easily automated and targeted against both machine learning models and commercially-available antivirus programs.Hence, in this talk, we will provide insights on how to properly formulate these novel threats, and how they can be used to test malware detectors. Thanks to cutting-edge advancements, we will also share details on possible defenses and mitigations against Adversarial EXEmples, and we will close by highlighting limitations and possible future directions to improve this novel research field.
<\/strong><\/p>\n\n\n\n

\n

Speaker Bio: <\/strong>Luca Demetrio is Assistant Professor at the University of Genoa, and he received his Ph.D. in 2021. His research focuses on assessing the security of machine learning threat detectors, with a strong focus on Windows malware. He is first author on several paper on the topic, and he is maintainer of SecML Malware (https:\/\/github.com\/pralab\/secml_malware<\/a>) which automates the generation of adversarial EXEmples. He has been awarded with an honourable mention by the \u201cGruppo 2003\u201d for your researchers in 2023 for his contribution on the topic, and he is reviewer for top-tier conferences like USENIX and ICLR.Also, he took part to industrial conferences like TROOPERS, and, together with other people, he will also deliver a training to BlackHat 2024 covering machine learning for malware detection and pentesting techniques with EXEmples.<\/p>\n<\/div>

\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n

February 20th at 2 p.m by
Simone AONZO<\/strong><\/p>\n\n\n\n

Title: \u00ab Do Androids Dream of Electric Phishing? \u00bb<\/strong>
\u00a0 In this seminar, I will present two novel and practical phishing attacks on Android that exploit some convenience features. In the first attack, I will abuse features unique to Android, namely the Autofill Framework and Instant Apps, to show how an attacker can trick password managers into autofilling credentials for malicious websites. In the second attack, I demonstrate a state inference-based phishing attack that uses the inotify APIs, in this case a feature of the Linux kernel on which Android is based, to monitor file system events and detect when the victim launches a target application.
Several vulnerabilities and their fixes were reported to both Google and major password manager developers, but even now these issues have not been fully resolved, proving once again that while secure solutions exist in theory, they are difficult to implem<\/p>\n\n\n\n

\n

Speaker Bio: <\/strong>Simone Aonzo is an Assistant Professor at EURECOM (France), where he teaches and conducts research in the Digital Security Department. He has extensive experience and knowledge in malware analysis (covering both Windows and Android platforms), reverse engineering, phishing, and mobile security. He is also interested in the human factors of security processes and has recently started publishing papers on this topic. He is passionate about finding and solving real-world security challenges and educating the next generation of security professionals. <\/p>\n<\/div>

\"\"<\/figure><\/div>\n\n\n\n
\n\n\n\n

Tuesday 16\/01 at 2pm by Gregoire Menguy, CEA List. <\/strong><\/p>\n\n\n\n

Black-box Code Analysis for Reverse Engineering Through Constraint Acquisition and Program Synthesis<\/strong>
Software\n always becomes larger and more complex, making crucial tasks like code \ntesting, verification, or code understanding highly difficult for \nhumans. Hence the need for methods to reason about code automatically. \nThese are usually white-box, and use the code syntax to deduce its \nproperties. While they have proven very powerful, they also show \nlimitations: they need the source code, the code size and the data \nstructures’ complexity degrade their efficiency, they are highly \nimpacted by syntactic code complexity amplified by optimizations or \nobfuscations. We explore how black-box code analysis can infer valuable \nproperties for reverse engineering through data-driven learning. First, \nwe consider the function contracts inference problem, which aims to \ninfer over which inputs a code function can be executed to get good \nbehaviors only. We extend the constraint acquisition learning framework,\n notably solving one of its major flaws: the dependency on a human user.\n It leads to PreCA, the first black-box approach enjoying clear \ntheoretical guarantees. It makes PreCA especially suitable for \ndevelopment uses. Second, we consider the deobfuscation problem, which \naims to simplify obfuscated code. Our proposal, Xyntia, synthesizes code\n block semantics through S-metaheuristics to offer an understandable \nversion of the code. Xyntia significantly improves the state-of-the-art \nin terms of robustness and speed. In addition, we propose the two first \nprotections efficient against black-box deobfuscation.\n\n<\/p>\n\n\n\n

<\/p>\n\n\n\n

<\/p>\n\n\n\n

Speaker Bio:<\/strong><\/p>\n\n\n\n

<\/p>","protected":false},"excerpt":{"rendered":"

Would you like to receive the invitation link for the webinars? Contact us: maira.nassau@loria.fr We are pleased to invite you to the next DefMal webinar by  Gabriel SAUGER (Universit\u00e9 de Lorraine)on January 29 at 2 p.m. Adversarial Attacks Against Machine-Learning-Based Binary Code Analysis My research investigates the security and robustness of\u2026<\/p>\n

en savoir+<\/span><\/i><\/a> <\/p>\n","protected":false},"author":1990,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-1743","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/pepr-defmal.loria.fr\/fr\/wp-json\/wp\/v2\/pages\/1743","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pepr-defmal.loria.fr\/fr\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/pepr-defmal.loria.fr\/fr\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/pepr-defmal.loria.fr\/fr\/wp-json\/wp\/v2\/users\/1990"}],"replies":[{"embeddable":true,"href":"https:\/\/pepr-defmal.loria.fr\/fr\/wp-json\/wp\/v2\/comments?post=1743"}],"version-history":[{"count":24,"href":"https:\/\/pepr-defmal.loria.fr\/fr\/wp-json\/wp\/v2\/pages\/1743\/revisions"}],"predecessor-version":[{"id":2200,"href":"https:\/\/pepr-defmal.loria.fr\/fr\/wp-json\/wp\/v2\/pages\/1743\/revisions\/2200"}],"wp:attachment":[{"href":"https:\/\/pepr-defmal.loria.fr\/fr\/wp-json\/wp\/v2\/media?parent=1743"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}