Full Program »

M2. Program Analysis and Machine Learning to Improve Security and Privacy

Today's software systems are large and complex.  This dramatically complicates security analysis and auditing because existing tools that perform program analysis and auditing do not easily scale to large and complex programs, and if they do so, it is at the expense of accuracy and precision.  Even though automated security analysis technologies have become a necessity, the traditional dichotomy between scalability and precision has led most security tool developers to make their analyses too conservative (with too many false positives) and/or unsound (with false negatives).  Security analyses that report overly conservative cannot be effectively used in production environments, whereas unsound analyses do not lend themselves to be used for program security certification.  In the last few years, security researchers have studied how to bypass the traditional scalability/precision dichotomy by combining Program Analysis with Machine Learning.  One approach is to inject statistical learning techniques into the program analysis algorithms in order to guide the analysis towards the production of accurate results.  An orthogonal approach consists of executing a conservative security analysis and to then apply Machine Learning to the results of the analysis in order to eliminate as many false positives as possible, possibly without eliminating the analysis' true positives.  This approach has been shown to be very promising, to the point that numerous industrial security analysis providers have started to adopt it, with excellent results.

The course Program Analysis and Machine Learning to Improve Security and Privacy introduces the state of the art in the area of Program Security Analysis, and then show how Machine Learning can be integrated into Program Analysis either for producing better results right away, or for cleansing existing results.

Prerequisites: None.

Outline:

1. Introduction:

a. Static and Dynamic Program Analysis

b. Machine Learning

c. Methodologies and Analyses

d. Data Privacy

2. Introduction to Machine Learning for Computer Security:

a. Overview of Adversarial Machine Learning

b. Patterns Recognition Under Attack

c. Attack Detection in Networks and Applications

d. Security Evaluation of Patterns Classifiers

e. Vulnerabilities Exploitation

f. Machine Learning and Offensive Security

g. Machine Learning in Digital Forensics

3. Advances in Privacy Preserving Machine Learning:

a. Challenges with Real Data / Applications

b. Anonymization Restrictions

c. Sensitive Method Restrictions

4. Current and Future Analyses for Security and Privacy:

a. Static Analysis Restrictions

b. Improving the Usability of Static Security Analysis by Using Machine Learning

c. Encrypted Statistical Machine Learning: New Privacy Preserving Methodologies

d. Using Machine Learning for Network Intrusion Detection

e. Automatic Analysis of Malware Behavior Using Machine Learning

 

About the Instructor:

Dr. Paolina Centonze, PhD, is a Professor in the Computer Science Department at Iona College., New Rochelle, New York.  Her areas of research include Language-based Security and Mobile Computing.   At Iona College, she has been responsible for extending the Computer Science curricula into the field of Cyber Security.   Dr. Centonze is also actively collaborating with researchers at IBM's Thomas J. Watson Research Center, Yorktown Heights, New York in the area of Program Analysis applied to Mobile Security.  In the course of her career, Dr. Centonze has published extensively at numerous conferences worldwide, such as the ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA), the European Conference on Object Oriented Programming (ECOOP), the Annual Computer Security Application Conference (ACSAC), the IEEE International Conference on Mobile Data Management (MDM), the IEEE/ACM IEEE/ACM International Conference on Mobile Software Engineering and Systems (MOBILESoft), and the ACM International Workshop on Mobile Development Lifecycle (MobileDeLi).  Dr. Centonze has been a tutorial instructor at ACSAC for two consecutive years (2014 and 2015).  She is also the author of a book chapter in the area of cloud and mobile security, which will appear in 2017 in a book published by John Wiley & Sons.  She is the inventor of 10 patents granted by the United States Patent and Trademark Office.

Dr. Centonze received her Ph.D. in Mathematics and M.S. degree in Computer Science from New York University (NYU) Tandon School of Engineering, Brooklyn, New York, and her B.S. degree in Computer Science from St. John's University, Queens, New York.  Dr. Centonze's home page is at http://www.iona.edu/Academics/School-of-Arts-Science/Departments/Computer-Science/Faculty-Staff/Paolina-Centonze.aspx