Towards a Reliable and Automated Analysis of Compromised Systems

Periodic Reporting for period 2 - BITCRUMBS (Towards a Reliable and Automated Analysis of Compromised Systems)

Reporting period: 2019-10-01 to 2021-03-31

Despite the incredible effort and the enormous investments to increase
security and fight cybercrime, the number of security incidents is rapidly
increasing every year. In fact, the security community is struggling to
cope with the multiplication and growing complexity of attacks and
malicious software. Security companies routinely collect over a million
new malicious samples per day, and this is only the tip of the iceberg:
state-sponsored espionage, insider threats, and widespread software
vulnerabilities make it extremely difficult to protect against cyber attacks.
It is no longer a matter of “if” a system will be compromised, but only a
matter of “when”. Even worse, new smart objects are now
connected to the Internet as part of the ongoing Internet-of-Things (IoT)
revolution, and it is time to accept the fact that it is already
too late to secure this first generation of devices. Since both prevention
and detection techniques regularly fail to protect computer systems and
online services, the ability to respond quickly to security incidents is
becoming of paramount importance in order to promptly analyze the aftermath of
computer attacks and mitigate their damage.

Unfortunately, the field of information technology is rapidly evolving, and
these changes will have a dramatic impact on the way we will be able to
handle computer incidents in the next decade. In particular, the fragile
(and often difficult to quantify) reliability of current techniques, the
increasing diversity of devices and data sources, and the scarce
availability of the information required for the analysis are three of the
main problems that affect this important field - and that the BITCRUMBS
project wants to tackle.

Most of the activity in the first part of the project has focused on
two aspects. First, on improving the analysis of malicious files
(including, among others, the first platform to analyze Linux malware and
the first large-scale study on IoT malware) and on the effectiveness of
machine learning in malware classification and packing detection. Second,
on the analysis of memory forensics techniques, including the first
empirical study of the effect of time on memory acquisition and the
proposal of a new framework to design forensics techniques in a principled

The objective of BITCRUMBS is to rethink the Incident Response field from
its foundations by proposing a more scientific and comprehensive approach
to the analysis of compromised systems. The BITCRUMBS project will make
progress towards this goal in three steps: (1) by introducing a new
systematic approach to precisely measure the effectiveness and accuracy of
IR techniques and their resilience to evasion and forgery; (2) by designing
and implementing new automated techniques to cope with advanced threats and
the analysis of IoT devices; and (3) by proposing a novel
forensics-by-design development methodology and a set of guidelines for the
design of future systems and software.
IoT Malware Genealogy