Marcus Botacin
@marcusbotacin.bsky.social
CS Assistant Professor at Texas A&M University, USA
CS PhD @ SECRET UFPR , Brazil
CE/CS Master @ UNICAMP, Brazil
#Malware Research; #Reverse Engineering #Antivirus #Forensics #Debugging
@MarcusBotacin@infosec.exchange
Website: marcusbotacin.github.io
CS PhD @ SECRET UFPR , Brazil
CE/CS Master @ UNICAMP, Brazil
#Malware Research; #Reverse Engineering #Antivirus #Forensics #Debugging
@MarcusBotacin@infosec.exchange
Website: marcusbotacin.github.io
And there are pretty significant cases of dataset imbalances in popular malware dataset, such as in DREBIN. See the results for more than 5K runs with different configurations:
July 11, 2025 at 2:32 PM
And there are pretty significant cases of dataset imbalances in popular malware dataset, such as in DREBIN. See the results for more than 5K runs with different configurations:
This includes false positives (on the drift detection report). We are able to pinpoint, for instance, when a FP occurs because the model did not learn enough due to class imbalance.
July 11, 2025 at 2:32 PM
This includes false positives (on the drift detection report). We are able to pinpoint, for instance, when a FP occurs because the model did not learn enough due to class imbalance.
The result is that this approach can explain what is happening at every drift point.
July 11, 2025 at 2:32 PM
The result is that this approach can explain what is happening at every drift point.
We created an entire taxonomy about when drift happens and when not, for the most formal ones.
July 11, 2025 at 2:32 PM
We created an entire taxonomy about when drift happens and when not, for the most formal ones.
We also identified that concept drift is directional, i.e., only expansions towards the border cause true drift in the main classifier. Therefore, by measuring directionality we can predict if a concept expansion will cause a drift in the future and even anticipate to it (early retrain).
July 11, 2025 at 2:32 PM
We also identified that concept drift is directional, i.e., only expansions towards the border cause true drift in the main classifier. Therefore, by measuring directionality we can predict if a concept expansion will cause a drift in the future and even anticipate to it (early retrain).
We detect these cases via an architecture of external meta-models to be applied to any internal ML model. They measure the concepts and the main model measures the boundaries. True drift represent changes in both meta models and boundaries, and false ones affect only the boundary.
July 11, 2025 at 2:32 PM
We detect these cases via an architecture of external meta-models to be applied to any internal ML model. They measure the concepts and the main model measures the boundaries. True drift represent changes in both meta models and boundaries, and false ones affect only the boundary.
Our insight is that there is a difference between the concept (circles) and the decision boundary (lines) of a classifier. Sometimes samples cross the boundary because concept expansion (true drift), but sometimes because the line is misplaced (false positive drift). We want to detect these cases.
July 11, 2025 at 2:32 PM
Our insight is that there is a difference between the concept (circles) and the decision boundary (lines) of a classifier. Sometimes samples cross the boundary because concept expansion (true drift), but sometimes because the line is misplaced (false positive drift). We want to detect these cases.
But don't worry. The students were able to patch many of those vulnerabilities and to verify many other patches, such as those escapes:
May 2, 2025 at 12:11 AM
But don't worry. The students were able to patch many of those vulnerabilities and to verify many other patches, such as those escapes:
In a more sophisticated attack, one team was able to abuse an intent to move the window to the foreground while screenshoting it via accessibility services.
May 2, 2025 at 12:11 AM
In a more sophisticated attack, one team was able to abuse an intent to move the window to the foreground while screenshoting it via accessibility services.
The previous attack was ran against a mobile app. What happen when the app is protected by a password? Well, students could bruteforce it.
May 2, 2025 at 12:11 AM
The previous attack was ran against a mobile app. What happen when the app is protected by a password? Well, students could bruteforce it.
In the worst case, one could remotely trigger user deletion by manipulation the client-side requests.
May 2, 2025 at 12:11 AM
In the worst case, one could remotely trigger user deletion by manipulation the client-side requests.
So why not setting it to the maximum value possible?
May 2, 2025 at 12:11 AM
So why not setting it to the maximum value possible?
Another classical attack: MITM. One team identified an application (game) whose credits were set at the user side and not validated.
May 2, 2025 at 12:11 AM
Another classical attack: MITM. One team identified an application (game) whose credits were set at the user side and not validated.
OK, sometimes the students exaggerate on how much payload they add to the requests...
May 2, 2025 at 12:11 AM
OK, sometimes the students exaggerate on how much payload they add to the requests...
Or to steal cookies. That moment when your students come to you with a panel of stolen session cookies...
May 2, 2025 at 12:11 AM
Or to steal cookies. That moment when your students come to you with a panel of stolen session cookies...
In a more ellaborated attack, one could use XSS to turn an input form into a complete keylogger.
May 2, 2025 at 12:11 AM
In a more ellaborated attack, one could use XSS to turn an input form into a complete keylogger.
More than one team found XSS cases, in diverse websites.
May 2, 2025 at 12:11 AM
More than one team found XSS cases, in diverse websites.
Another classical problem identified by the teams were XSS, that can be still widely found online.
May 2, 2025 at 12:11 AM
Another classical problem identified by the teams were XSS, that can be still widely found online.
And then the access is greanted, thus leaking data of a variety of users.
May 2, 2025 at 12:11 AM
And then the access is greanted, thus leaking data of a variety of users.
In those applications, one can modify the request parameters to bypass authentication schemes.
May 2, 2025 at 12:11 AM
In those applications, one can modify the request parameters to bypass authentication schemes.
Other classical problems include pure client-side configurations, whose change is not validated by the server, allowing easy manipulation.
May 2, 2025 at 12:11 AM
Other classical problems include pure client-side configurations, whose change is not validated by the server, allowing easy manipulation.
This allowed them to find classical security issues, such as directory traversals leading to the access of supposedly private data.
May 2, 2025 at 12:11 AM
This allowed them to find classical security issues, such as directory traversals leading to the access of supposedly private data.
The students become pretty good at Google Dorks, such that they found many interesting things.
May 2, 2025 at 12:11 AM
The students become pretty good at Google Dorks, such that they found many interesting things.
Proud advisor moment! Congrats Nhat Nguyen for successfully defending his MSc thesis! Nhat is my first advised student to graduate! Thx Dr. Peeples and Dr. Hamilton for participating in the committee. Wait for some cool papers to come on automatic YARA rule generation!
March 11, 2025 at 4:59 PM
Proud advisor moment! Congrats Nhat Nguyen for successfully defending his MSc thesis! Nhat is my first advised student to graduate! Thx Dr. Peeples and Dr. Hamilton for participating in the committee. Wait for some cool papers to come on automatic YARA rule generation!