MALWARE ANALYSIS AND INCIDENT FORENSICS

Course objectives

Today's cyber security scenario shows a relentless growth of malicious software used to perpetrate cyber attacks. This course aims to provide students with the knowledge, methods and basic tools to analyze, identify, categorize and understand the behavior of different classes of malicious software. The course will adopt a practical approach, with frequent application of the learned methods to real-world cases.

Expected learning results

Students will be able to analyze, both manually and through the use of automated tools, malicious software of different nature to identify all its salient features. They will be able to extract these characteristics and relate them with existing knowledge bases. Finally, students will be able to contextualize these activities as part of an overall process of threat intelligence and incident management caused by such malicious software.

Channel 1

Lecturer: LEONARDO QUERZONI

Course program
- Introduction to cybersecurity (5 hrs.)
- Threat models and attack kill chain (5 hrs.)
- Malware evolution (5 hrs.)
- The internal structure of a malware (5 hrs.)
- Basic malware analysis (5 hrs.)
- Reverse engineering (10 hrs.)
- Static analysis (10 hrs.)
- Dynamic analysis (10 hrs.)
- Packing and injection techniques (10 hrs.)
- Obfuscation and evasion techniques (5 hrs.)
- Threat intelligence (15 hrs.)
- Digital forensics (5 hrs.)
Prerequisites
Fundamental knowledge:
- C programming
- Develop/compile/link software cycle
- Computer architectures

Useful knowledge:
- ASM x86
Books
- Lecturer's slides
- M. Sikorski and A. Honig; Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. No Starch Press.
Frequency
Following the lectures is highly recommended, but not compulsory.
Exam mode
The exam consists of a practical test, in which the student has to analyze a synthetic malware sample, and a questionnaire with true/false questions about other topics from the syllabus. The evaluation is based on the practical test, but students need to correctly answer at least 6 out of 10 questions from the questionnaire to pass the exam.
Lesson mode
Face-to-face lectures, exercises, hands-on.
Lecturer: DANIELE CONO D'ELIA

Course program
- Introduction to cybersecurity (5 hrs.)
- Threat models and attack kill chain (5 hrs.)
- Malware evolution (5 hrs.)
- The internal structure of a malware (5 hrs.)
- Basic malware analysis (5 hrs.)
- Reverse engineering (10 hrs.)
- Static analysis (10 hrs.)
- Dynamic analysis (10 hrs.)
- Packing and injection techniques (15 hrs.)
- Threat intelligence (15 hrs.)
- Digital forensics (5 hrs.)
Prerequisites
Fundamental knowledge:
- C programming
- Develop/compile/link software cycle
- Computer architectures

Useful knowledge:
- ASM x86
Books
- Lecturer's slides
- M. Sikorski and A. Honig; Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. No Starch Press.
Teaching mode
Face-to-face lectures, exercises, hands-on.
Frequency
In person; videos of the lectures are also available.
Exam mode
The exam consists of a practical test, in which the student has to dissect a synthetic malware sample, and a questionnaire with multiple-choice questions about other topics from the syllabus.
Bibliography
We will be providing additional resources on the course web page.

Further references:
- B. Dang, A. Gazet, E. Bachaalany; Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation. Wiley.
- Monnappa K A; Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware. Packt.
Lesson mode
Face-to-face lectures, exercises, hands-on.
  • Lesson code: 1055681
  • Academic year: 2024/2025
  • Course: Cybersecurity
  • Curriculum: Single curriculum
  • Year: 2nd year
  • Semester: 1st semester
  • SSD: ING-INF/05
  • CFU: 3
  • Subject area: Ambito Scientifico