157 research outputs found

    Bayesian Active Malware Analysis

    We propose a novel technique for Active Malware Analysis (AMA) formalized as a Bayesian game between an analyzer agent and a malware agent, focusing on the decision making strategy for the analyzer. In our model, the analyzer performs an action on the system to trigger the malware into showing a malicious behavior, i.e., by activating its payload. The formalization is built upon the link between malware families and the notion of types in Bayesian games. A key point is the design of the utility function, which reflects the amount of uncertainty on the type of the adversary after the execution of an analyzer action. This allows us to devise an algorithm to play the game with the aim of minimizing the entropy of the analyzer's belief at every stage of the game in a myopic fashion. Empirical evaluation indicates that our approach results in a significant improvement both in terms of learning speed and classification score when compared to other state-of-the-art AMA techniques

    Agent Behavioral Analysis Based on Absorbing Markov Chains

    We propose a novel technique to identify known behaviors of intelligent agents acting within uncertain environments. We employ Markov chains to represent the observed behavioral models of the agents and we formulate the problem as a classification task. In particular, we propose to use the long-term transition probability values of moving between states of the Markov chain as features. Additionally, we transform our models into absorbing Markov chains, enabling the use of standard techniques to compute such features. The empirical evaluation considers two scenarios: the identification of given strategies in classical games, and the detection of malicious behaviors in malware analysis. Results show that our approach can provide informative features to successfully identify known behavioral patterns. In more detail, we show that focusing on the long-term transition probability enables to diminish the error introduced by noisy states and transitions that may be present in an observed behavioral model. We pose particular attention to the case of noise that may be intentionally introduced by a target agent to deceive an observer agent

    Velocity-space sensitivity of the time-of-flight neutron spectrometer at JET

    The velocity-space sensitivities of fast-ion diagnostics are often described by so-called weight functions. Recently, we formulated weight functions showing the velocity-space sensitivity of the often dominant beam-target part of neutron energy spectra. These weight functions for neutron emission spectrometry (NES) are independent of the particular NES diagnostic. Here we apply these NES weight functions to the time-of-flight spectrometer TOFOR at JET. By taking the instrumental response function of TOFOR into account, we calculate time-of-flight NES weight functions that enable us to directly determine the velocity-space sensitivity of a given part of a measured time-of-flight spectrum from TOFOR

    Effect of the relative shift between the electron density and temperature pedestal position on the pedestal stability in JET-ILW and comparison with JET-C

    The electron temperature and density pedestals tend to vary in their relative radial positions, as observed in DIII-D (Beurskens et al 2011 Phys. Plasmas 18 056120) and ASDEX Upgrade (Dunne et al 2017 Plasma Phys. Control. Fusion 59 14017). This so-called relative shift has an impact on the pedestal magnetohydrodynamic (MHD) stability and hence on the pedestal height (Osborne et al 2015 Nucl. Fusion 55 063018). The present work studies the effect of the relative shift on pedestal stability of JET ITER-like wall (JET-ILW) baseline low triangularity (δ) unseeded plasmas, and similar JET-C discharges. As shown in this paper, the increase of the pedestal relative shift is correlated with the reduction of the normalized pressure gradient, therefore playing a strong role in pedestal stability. Furthermore, JET-ILW tends to have a larger relative shift compared to JET carbon wall (JET-C), suggesting a possible role of the plasma facing materials in affecting the density profile location. Experimental results are then compared with stability analysis performed in terms of the peeling-ballooning model and with pedestal predictive model EUROPED (Saarelma et al 2017 Plasma Phys. Control. Fusion). Stability analysis is consistent with the experimental findings, showing an improvement of the pedestal stability, when the relative shift is reduced. This has been ascribed mainly to the increase of the edge bootstrap current, and to minor effects related to the increase of the pedestal pressure gradient and narrowing of the pedestal pressure width. Pedestal predictive model EUROPED shows a qualitative agreement with experiment, especially for low values of the relative shift

    Relationship of edge localized mode burst times with divertor flux loop signal phase in JET

    A phase relationship is identified between sequential edge localized modes (ELMs) occurrence times in a set of H-mode tokamak plasmas to the voltage measured in full flux azimuthal loops in the divertor region. We focus on plasmas in the Joint European Torus where a steady H-mode is sustained over several seconds, during which ELMs are observed in the Be II emission at the divertor. The ELMs analysed arise from intrinsic ELMing, in that there is no deliberate intent to control the ELMing process by external means. We use ELM timings derived from the Be II signal to perform direct time domain analysis of the full flux loop VLD2 and VLD3 signals, which provide a high cadence global measurement proportional to the voltage induced by changes in poloidal magnetic flux. Specifically, we examine how the time interval between pairs of successive ELMs is linked to the time-evolving phase of the full flux loop signals. Each ELM produces a clear early pulse in the full flux loop signals, whose peak time is used to condition our analysis. The arrival time of the following ELM, relative to this pulse, is found to fall into one of two categories: (i) prompt ELMs, which are directly paced by the initial response seen in the flux loop signals; and (ii) all other ELMs, which occur after the initial response of the full flux loop signals has decayed in amplitude. The times at which ELMs in category (ii) occur, relative to the first ELM of the pair, are clustered at times when the instantaneous phase of the full flux loop signal is close to its value at the time of the first ELM

    SECUR-AMA: Active Malware Analysis Based on Monte Carlo Tree Search for Android Systems

    We propose SECUR-AMA, an Active Malware Analysis (AMA) framework for Android. (AMA) is a technique that aims at acquiring knowledge about target applications by executing actions on the system that trigger responses from the targets. The main strength of this approach is the capability of extracting behaviors that would otherwise remain invisible. A key difference from other analysis techniques is that the triggering actions are not selected randomly or sequentially, but following strategies that aim at maximizing the information acquired about the behavior of the target application. Specifically, we design SECUR-AMA as a framework implementing a stochastic game between two agents: an analyzer and a target application. The strategy of the analyzer consists in a reinforcement learning algorithm based on Monte Carlo Tree Search (MCTS) to efficiently search the state and action spaces taking into account previous interactions in order to obtain more information on the target. The target model instead is created online while playing the game, using the information acquired so far by the analyzer and using it to guide the remainder of the analysis in an iterative process. We conduct an extensive evaluation of SECUR-AMA analyzing about 1200 real Android malware divided into 24 families (classes) from a publicly available dataset, and we compare our approach with multiple state-of-the-art techniques of different types, including passive and active approaches. Results show that SECUR-AMA creates more informative models that allow to reach better classification results for most of the malware families in our dataset

    Investigation on an Anomalous Behavior of the Polarimetric Measurements at JET

    The far-infrared polarimeter at JET is affected by an anomaly that makes difficult the interpretation of both Faraday and Cotton–Mouton effect measurements. The anomaly is clearly displayed during calibration operations in the absence of plasma: As the polarization of the probing beam is rotated, the phase shift of the polarimetric signal with respect to the interferometric signal is not constant, as expected, and changes significantly. It affects all the polarimetric measurement channels and has so far been removed by an empirical preprocessing of the raw data. It can be ascribed to a nonideal behavior of some optical components. Looking for a possible explanation of the anomaly, in this paper, we analyze the optical setup of the JET polari–interferometer according to the laws of classical polarization optics. At first, the optical characteristics of the recombination plates are analyzed in detail. Although they produce ellipticity in the transmitted and reflected beams, the results show that the recombination plates should not be responsible of the anomaly of the polarimeter. Then, the dielectric waveguides used to transfer the recombined beams from the torus hall to the detectors are, for the first time, considered as a possible origin of the anomaly. The anomalous behavior is expected to be mainly originated by reflections on metal mirrors, which may produce rotations of the polarization of the beams. A calculation has been performed in order to analyze the effects of a rotation of the polarization of the recombined beam on the detector signals. As a result, a rotation of the polarization along the line could explain the anomaly. We also suggest some simple and feasible tests, which are useful to give an experimental support to this conclusion, and discuss possible modifications of the optical setup to remove or greatly reduce the anomaly in future measurements

    Stacking of predictors for the automatic classification of disruption types to optimise the control logic

    Nowadays, disruption predictors, based on machine learning techniques, can perform well but they typically do not provide any information about the type of disruption and cannot predict the time remaining before the current quench. On the other hand, the automatic identification of the disruption type is a crucial aspect required to optimize the remedial actions and a prerequisite to forecasting the time left for intervening. In this work, a stack of machine learning tools is applied to the task of automatic classification of the disruption types. The strategy is implemented from scratch and completely adaptive; the predictors start operating after the first disruption and update their own models, following the evolution of the experimental program, without any human intervention. Moreover, they are designed to implement a form of transfer learning, in the sense that they identify autonomously the most important disruption classes, generating new ones when necessary. The results obtained are very encouraging in terms of both prediction performance and classification accuracy. On the other hand, regarding the narrowing of the warning times, some progress has been achieved, but new techniques will have to be devised to obtain fully satisfactory properties

    Ultrafast mapping of relaxation dynamics of ethylene cation

    The complex ultrafast molecular relaxation dynamics of ethylene, initiated by tunable vacuum-ultraviolet ~10-fs pulses, was measured. Exploiting state selectivity, an unprecedented time-energy mapping of the process was demonstrated on a few-femtosecond temporal scale

    Bayesian active malware analysis

    Summarization: We propose a novel technique for Active Malware Analysis (AMA) formalized as a Bayesian game between an analyzer agent and a malware agent, focusing on the decision making strategy for the analyzer. In our model, the analyzer performs an action on the system to trigger the malware into showing a malicious behavior, i.e., by activating its payload. The formalization is built upon the link between malware families and the notion of types in Bayesian games. A key point is the design of the utility function, which reflects the amount of uncertainty on the type of the adversary after the execution of an analyzer action. This allows us to devise an algorithm to play the game with the aim of minimizing the entropy of the analyzer’s belief at every stage of the game in a myopic fashion. Empirical evaluation indicates that our approach results in a significant improvement both in terms of learning speed and classification score when compared to other state-of-the-art AMA techniques. Presented on