5,209 research outputs found

    A Multi-view Context-aware Approach to Android Malware Detection and Malicious Code Localization

    Existing Android malware detection approaches use a variety of features such as security sensitive APIs, system calls, control-flow structures and information flows in conjunction with Machine Learning classifiers to achieve accurate detection. Each of these feature sets provides a unique semantic perspective (or view) of apps' behaviours with inherent strengths and limitations. Meaning, some views are more amenable to detect certain attacks but may not be suitable to characterise several other attacks. Most of the existing malware detection approaches use only one (or a selected few) of the aforementioned feature sets, which prevents them from detecting a vast majority of attacks. Addressing this limitation, we propose MKLDroid, a unified framework that systematically integrates multiple views of apps for performing comprehensive malware detection and malicious code localisation. The rationale is that, while a malware app can disguise itself in some views, disguising in every view while maintaining malicious intent will be much harder. MKLDroid uses a graph kernel to capture structural and contextual information from apps' dependency graphs and identify malice code patterns in each view. Subsequently, it employs Multiple Kernel Learning (MKL) to find a weighted combination of the views which yields the best detection accuracy. Besides multi-view learning, MKLDroid's unique and salient trait is its ability to locate fine-grained malice code portions in dependency graphs (e.g., methods/classes). Through our large-scale experiments on several datasets (incl. wild apps), we demonstrate that MKLDroid outperforms three state-of-the-art techniques consistently, in terms of accuracy while maintaining comparable efficiency. In our malicious code localisation experiments on a dataset of repackaged malware, MKLDroid was able to identify all the malice classes with 94% average recall.

    Watch and Learn: Semi-Supervised Learning of Object Detectors from Videos

    We present a semi-supervised approach that localizes multiple unknown object instances in long videos. We start with a handful of labeled boxes and iteratively learn and label hundreds of thousands of object instances. We propose criteria for reliable object detection and tracking for constraining the semi-supervised learning process and minimizing semantic drift. Our approach does not assume exhaustive labeling of each object instance in any single frame, or any explicit annotation of negative data. Working in such a generic setting allows us to tackle multiple object instances in video, many of which are static. In contrast, existing approaches either do not consider multiple object instances per video, or rely heavily on the motion of the objects present. The experiments demonstrate the effectiveness of our approach by evaluating the automatically labeled data on a variety of metrics like quality, coverage (recall), diversity, and relevance to training an object detector. Comment: To appear in CVPR 201

    False memory and aging: an event-related potential study

    The DRM paradigm is used to examine false memory: when a list of highly associated words (e.g. SEWING, THREAD, THIMBLE) is studied, a nonpresented but associated false target (e.g. NEEDLE) is often confidently (but incorrectly) identified as having been studied. An ERP study was conducted with a sample of young and older adults to examine age differences in false memory and neurological distinctions between true and false recognition. DRM words were presented in a lateralized fashion, with the prediction that a contralateral sensory signature would be present for true but not false memories. ERP data was largely inconclusive, but does suggest that processing during the DRM paradigm may largely be carried out in the left hemisphere. Paul Verhaeghen - Faculty Mentor ; Audrey Duarte - Committee Member/Second Reade

    Dynamic Analysis of Executables to Detect and Characterize Malware

    It is needed to ensure the integrity of systems that process sensitive information and control many aspects of everyday life. We examine the use of machine learning algorithms to detect malware using the system calls generated by executables, alleviating attempts at obfuscation as the behavior is monitored rather than the bytes of an executable. We examine several machine learning techniques for detecting malware including random forests, deep learning techniques, and liquid state machines. The experiments examine the effects of concept drift on each algorithm to understand how well the algorithms generalize to novel malware samples by testing them on data that was collected after the training data. The results suggest that each of the examined machine learning algorithms is a viable solution to detect malware, achieving between 90% and 95% class-averaged accuracy (CAA). In real-world scenarios, the performance evaluation on an operational network may not match the performance achieved in training. Namely, the CAA may be about the same, but the values for precision and recall over the malware can change significantly. We structure experiments to highlight these caveats and offer insights into expected performance in operational environments. In addition, we use the induced models to gain a better understanding about what differentiates the malware samples from the goodware, which can further be used as a forensics tool to understand what the malware (or goodware) was doing to provide directions for investigation and remediation. Comment: 9 pages, 6 Tables, 4 Figure

    ATTACK2VEC: Leveraging Temporal Word Embeddings to Understand the Evolution of Cyberattacks

    Despite the fact that cyberattacks are constantly growing in complexity, the research community still lacks effective tools to easily monitor and understand them. In particular, there is a need for techniques that are able to not only track how prominently certain malicious actions, such as the exploitation of specific vulnerabilities, are exploited in the wild, but also (and more importantly) how these malicious actions factor in as attack steps in more complex cyberattacks. In this paper we present ATTACK2VEC, a system that uses temporal word embeddings to model how attack steps are exploited in the wild, and track how they evolve. We test ATTACK2VEC on a dataset of billions of security events collected from the customers of a commercial Intrusion Prevention System over a period of two years, and show that our approach is effective in monitoring the emergence of new attack strategies in the wild and in flagging which attack steps are often used together by attackers (e.g., vulnerabilities that are frequently exploited together). ATTACK2VEC provides a useful tool for researchers and practitioners to better understand cyberattacks and their evolution, and use this knowledge to improve situational awareness and develop proactive defenses

    We are archivists, but are we OK?

    Purpose – The purpose of this paper is to show that the digital environment of the early twenty-first century is forcing the information sciences to revisit practices and precepts built around paper and physical objects over centuries. The training of archivists, records managers, librarians and museum curators has had to accommodate this new reality. Often the response has been to superimpose a digital overlay on existing curricula. A few have taken a radical approach by scrutinising the fundamentals of the professions and the ontologies of the materials they handle. Design/methodology/approach – The article explores a wide range of the issues exposed by this critique through critical analysis of ideas and published literature. Findings – The authors challenge archive and records management educators to align their curricula with contemporary need and to recognise that partnership with other professionals, particularly in the area of technology, is essential. Practical implications – The present generation owe it to future generations of archivists and records managers to ensure that the education that they get to prepare them for professional life is forward-looking in the same way. Originality/value – This paper aims to raise awareness of the educational needs of twenty-first century archives and records professionals

    The oculomotor resonance effect in spatial-numerical mapping.

    We investigated automatic Spatial-Numerical Association of Response Codes (SNARC) effect in auditory number processing. Two experiments continually measured spatial characteristics of ocular drift at central fixation during and after auditory number presentation. Consistent with the notion of a spatially oriented mental number line, we found spontaneous magnitude-dependent gaze adjustments, both with and without a concurrent saccadic task. This fixation adjustment (1) had a small-number/left-lateralized bias and (2) it was biphasic as it emerged for a short time around the point of lexical access and it received later robust representation around following number onset. This pattern suggests a two-step mechanism of sensorimotor mapping between numbers and space - a first-pass bottom-up activation followed by a top-down and more robust horizontal SNARC. Our results inform theories of number processing as well as simulation-based approaches to cognition by identifying the characteristics of an oculomotor resonance phenomenon