PhD Oral Exam - ElMouatez Billah Karbab, Information and Systems Engineering

When studying for a doctoral degree (PhD), candidates submit a thesis that provides a critical review of the current state of knowledge of the thesis subject as well as the student’s own contributions to the subject. The distinguishing criterion of doctoral graduate research is a significant and original contribution to knowledge.

Once accepted, the candidate presents the thesis orally. This oral exam is open to the public.

Abstract

Malicious software (Malware) proliferation reaches hundreds of thousands daily. Manual analyses of such large volume of malware is a daunting and time-consuming process. The diversity of targeted systems in terms of architectures and platforms compounds the malware detection challenges. In this thesis, we develop a malware fingerprinting framework to cover different aspects of accurate Android malware detection. In this context, we give special attention to the cross-application of the elaborated malware fingerprinting techniques with an emphasis on Android malware. In addition, the elaborated techniques are applicable to other malware types and platforms such as ransomware. The goal of our malware fingerprinting framework is to achieve accurate Android malware detection in which we focus on (i) the scalability over a large malware corpus and (ii) the robustness to common obfuscation techniques. First, we present a survey on state-of-the-art Android malware detection systems. We conduct an in-depth comparative study of the surveyed solutions. Besides, we introduce a granular taxonomy to classify the bodywork of Android malware detection. Second, we propose an approximate fingerprinting technique for Android packaging that captures the underlying static structure of the Android apps. We propose a malware clustering framework on top of this fingerprinting technique to perform an unsupervised malware detection and grouping by building an efficient and scalable similarity network of malicious apps. Third, we propose an approximate fingerprinting technique for Android malware’s behaviors generated using dynamic analyses. Based on this fingerprinting technique, we propose a portable malware detection and family threat attribution framework along with supervised machine learning techniques. Fourth, we design an automatic framework to produce intelligence about the underlying malicious cyber-infrastructures of Android malware. We leverage graph analysis techniques to generate actionable, relevant, and granular intelligence to identify the threat effects induced by the malicious Internet activity of Android malware apps. Fifth, we elaborate a robust, adaptive, and scalable framework for android malware detection and family clustering using advanced natural language processing and machine learning techniques. We detect Android malware samples using an ensemble of Convolutional Neural Network (CNN) models on top of embedding features. Afterward, we cluster the detected malware into groups of the same family using sample digests generated using deep neural auto-encoder. Sixth, we leverage the elaborated techniques to develop a novel framework for cross-platform ransomware fingerprinting.