Mark Vella - Computer Science Dept.
CyberForensics
Cyber security threats nowadays affect critical business processes and personal privacy/safety alike. The increasing trend of having everything connected to the Internet, from business information systems to industrial automation/control systems and home appliances, from personal cloud storage and messaging applications to banking and shopping accounts, is straining state-of-the-art information security mechanisms. The mushrooming of Computer Security Incident Response Teams (CSIRTs) is a direct result of this situation.
In the case of digital investigations not involving cyber attacks, audit logs and disk forensics are the holy grail. On the contrary, cyber attacks nowadays make use of exploits and malware that may never touch the disk, or that do so but still manage to erase every trace of evidence. This is where memory forensics becomes paramount. The approach follows the adage "malware can hide but it must run", meaning that memory forensics revolves around investigating the unavoidable in-memory artefacts produced by successful security breaches. Once malware is hunted down in memory, say by identifying a backdoor residing inside the address space of a legitimate process, it must be forensically followed up in order to conduct successful recovery and attribution. This task comprises the use of malware sandboxes complemented by static/dynamic analysis of compiled code in order to reverse engineer its behaviour. Actionable information produced at this stage is then used to improve state-of-the-art security countermeasures.
Ongoing research leverages the core idea that in-memory artefacts cannot be avoided by cyber attacks in order to provide more effective digital investigation tools for incident responders during the collection, analysis and recovery stages. Current exploration is specifically focused on studying in-memory artefact-centric solutions for the following:
Research Projects
Expertise from the CyberForensics initiative is currently contributing towards the following funded projects:
Digital Evidence Targeting covErt Cyberattacks through Timely Information Forensics (Grant Agreement Number: REP-2022-007)
H2020-SU-SEC-2018: 832735
Secure Communication in the Quantum Era (SPS Project Number: G5448)
Publications
Abela, R., Colombo, C., Malo, P., Sýs, P., Fabšič, T., Gallo, O., ... & Vella, M. 2021. Secure Implementation of a Quantum-Future GAKE Protocol. In International Workshop on Security and Trust Management (pp. 103-121). Springer, Cham.
Abela, R., Vella, M., 2017. Casting exploit analysis as a Weird Machine reconstruction problem. In: WorldCIS 2017, Infonomics Society, pp. 47-54.
Aquilina, S. J., Casino, F., Vella, M., Ellul, J., & Patsakis, C. 2021. EtherClue: Digital investigation of attacks on Ethereum smart contracts. Blockchain: Research and Applications, 2(4), 100028.
Bellizzi, J., Vella, M., 2015. WeXpose: Towards on-line dynamic analysis of web attack payloads using just-in-time binary modification. In: 2015 12th International Joint Conference on e-Business and Telecommunications (ICETE). Vol. 4. IEEE, pp. 5–15.
Bellizzi, J., Vella, M., Colombo, C., Hernandez-Castro, J., 2020. Real-time triggering of Android memory dumps for stealthy attack investigation. In: Nordic Conference on Secure IT Systems (NordSec) 2020. Springer, Cham.
Bellizzi, J., Vella, M., Colombo, C., Hernandez-Castro, J., 2021. Responding to Living-Off-the-Land Tactics using Just-In-Time Memory Forensics (JIT-MF) for Android. In: Proceedings of the 18th International Conference on Security and Cryptography, SECRYPT 2021, pp. 356-369.
Bellizzi, J., Vella, M., Colombo, C., & Hernandez-Castro, J., 2022. Responding to Targeted Stealthy Attacks on Android Using Timely-Captured Memory Dumps. IEEE Access, 10, 35172-35218.
Bellizzi, J., Vella, M., Colombo, C., & Hernandez-Castro, J., 2023. Using Infrastructure-Based Agents to Enhance Forensic Logging of Third-Party Applications. In Proceedings of the 9th International Conference on Information Systems Security and Privacy - ICISSP, SciTePress, pages 389-401.
Birmingham, B., Farrugia, R. A., & Vella, M., 2017. Using thumbnail affinity for fragmentation point detection of JPEG files. In Smart Technologies, IEEE EUROCON 2017-17th International Conference on (pp. 3-8). IEEE.
Buttigieg, J., Vella, M., Colombo, C., 2015. BYOD for Android - Just add Java. In: Trust and Trustworthy Computing: 8th International Conference, TRUST 2015, Heraklion, Greece, August 24-26, 2015, Proceedings. Vol. 9229. Springer, p. 315.
Curmi, A., Colombo, C., & Vella, M. 2022. Runtime verification for trustworthy secure shell deployment. In Proceedings of the 5th ACM International Workshop on Verification and mOnitoring at Runtime EXecution (pp. 30-34).
Curmi, A., Colombo, C., & Vella, M., 2022. RV-TEE-Based Trustworthy Secure Shell Deployment: An Empirical Evaluation. J. Object Technol., 21(2), 2-1.
Colombo, C., Vella, M., 2020. Towards a Comprehensive Solution for Secure Cryptographic Protocol Execution based on Runtime Verification. In: ICISSP 2020, pp. 765-774.
Galea, J., Vella, M., 2015. Script fuzzing with an attacker's mind-set. In: Trust and Trustworthy Computing: 8th International Conference, TRUST 2015, Heraklion, Greece, August 24-26, 2015, Proceedings. Vol. 9229. Springer, p. 317.
Galea, J., Vella, M., 2015. SUDUTA: Script UAF detection using taint analysis. In: International Workshop on Security and Trust Management. Springer, pp. 136–151.
Galea, J., Vella, M., 2015. Using dynamic binary analysis for tracking pointer data. In: CSAW 2014 CS2014-02.
Gatt, J., Vella, M., Micallef, M., 2013. Towards a tunable, sandbox-independent approach for exploring hidden behavior in malware. In: CSAW 2013 CS2013-02.
Gatt, J., Vella, M., Micallef, M., 2014. Challenges faced when Forcing Malware Execution down Hidden Paths. In: CSAW 2014 CS2014-02.
Leguesse, Y., Vella, M., Ellul, J., 2017. AndroNeo: Hardening Android malware sandboxes by predicting evasion heuristics. In IFIP International Conference on Information Security Theory and Practice (pp. 140-152). Springer, Cham.
Leguesse, Y., Vella, M., Colombo, C., Hernandez-Castro, J., 2020. Reducing the Forensic Footprint with Android Accessibility Attacks. In International Workshop on Security and Trust Management (pp. 22-38). Springer, Cham.
Leguesse, Y., Colombo, C., Vella, M., & Hernandez-Castro, J. 2021. PoPL: Proof-of-Presence and Locality, or How to Secure Financial Transactions on Your Smartphone. IEEE Access, 9, 168600-168612.
Muscat, M., Vella, M., 2018. Enhancing Virtual Machine Introspection-Based Memory Analysis with Event Triggers. In 2018 IEEE International Conference on Cloud Computing Technology and Science (CloudCom) (pp. 133-136). IEEE.
Vella, M., 2012. Novel attack resilience by fusing events related to objectives. In: CSAW 2012 CS2012-03.
Vella, M., 2014. Cloud and mobile security assurance: A memory forensics approach. In: CSAW 2014 CS2014-02.
Vella, M., Cilia, R., 2017. Memory forensics of insecure Android inter-app communications. In: 2017 3rd International Conference on Information Systems Security and Privacy (ICISSP). SciTePress, pp. 481–486.
Vella, M., Colombo, C., 2020. SpotCheck: On-Device Anomaly Detection for Android. In: 13th International Conference on Security of Information and Networks (SINCONF 2020). ACM DL.
Vella, M., & Colombo, C., 2022. D-Cloud-Collector: Admissible Forensic Evidence from Mobile Cloud Storage. In IFIP International Conference on ICT Systems Security and Privacy Protection (pp. 161-178). Springer, Cham.
Vella, M., Colombo, C., Abela, R., & Špaček, P. 2021. RV-TEE: secure cryptographic protocol execution based on runtime verification. Journal of Computer Virology and Hacking Techniques, 17(3), 229-248.
Vella, M., Roper, M., Terzis, S., 2010. Danger theory and intrusion detection: Possibilities and limitations of the analogy. In: Artificial Immune Systems. Springer, pp. 276–289.
Vella, M., Rudramurthy, V., 2018. Volatile memory-centric investigation of SMS-hijacked phones: a Pushbullet case study. In: FedCSIS 2018, pp. 607-616.
Vella, M., Terzis, S., 2013. Detecting web server take-over attacks through objective verification actions. In: CSAW 2013 CS2013-02.
Vella, M., Terzis, S., Roper, M., 2012. Distress detection. In: Research in Attacks, Intrusions, and Defenses. Springer, pp. 384–385.