230 research outputs found

    Efficient and Explainable Detection of Mobile Malware Using Machine Learning Methods

    In recent years, mobile devices shipped with Google’s Android operating system have become ubiquitous. Due to their popularity and the high concentration of sensitive user data on these devices, however, they have also become a profitable target of malware authors. As a result, thousands of new malware instances targeting Android are found almost every day. Unfortunately, common signature-based methods often fail to detect these applications, as these methods cannot keep pace with the rapid development of new malware. Consequently, there is an urgent need for new malware detection methods to tackle this growing threat. In this thesis, we address the problem by combining concepts of static analysis and machine learning, such that mobile malware can be detected directly on the mobile device with low run-time overhead. To this end, we first discuss our analysis results of a sophisticated malware that uses an ultrasonic side channel to spy on unwitting smartphone users. Based on the insights we gain throughout this thesis, we gradually develop a method that allows detecting Android malware in general. The resulting method performs a broad static analysis, gathering a large number of features associated with an application. These features are embedded in a joint vector space, where typical patterns indicative of malware can be automatically identified and used for explaining the decisions of our method. In addition to an evaluation of its overall detection and run-time performance, we also examine the interpretability of the underlying detection model and strengthen the classifier against realistic evasion attacks. In a large set of experiments, we show that the method clearly outperforms several related approaches, including popular anti-virus scanners. In most experiments, our approach detects more than 90% of all malicious samples in the dataset at a low false positive rate of only 1%. Furthermore, even on older devices, it offers a good run-time performance, and can output a decision along with a proper explanation within a few seconds, despite the use of machine learning techniques directly on the mobile device. Overall, we find that the application of machine learning techniques is a promising research direction to improve the security of mobile devices. While these techniques alone cannot defeat the threat of mobile malware, they at least raise the bar for malicious actors significantly, especially if combined with existing techniques.

    The spread of smartphones, especially those running the Android operating system, has increased sharply in recent years. Because of their high popularity, however, these devices have also become a lucrative target for malware developers, which is why new malicious programs for Android are now found daily. Although various solutions exist that are meant to identify malware on mobile devices as well, in practice they often do not provide sufficient protection. This is mainly because these approaches are mostly signature-based and can therefore reliably identify malicious programs only once corresponding detection signatures are available. However, it is becoming increasingly difficult for antivirus vendors to provide the signatures needed for detection in time. Therefore, new methods need to be developed to better counter the growing threat of mobile malware. This dissertation presents and thoroughly examines a method that combines techniques of static code analysis with machine learning methods in order to enable reliable detection of mobile malware directly on the mobile device. To this end, the method first analyzes mobile applications statically and extracts specific features that allow an application to be mapped into a high-dimensional vector space. In this vector space, machine learning methods are then able to automatically find patterns for detecting malware. The patterns found can serve not only for detection but also for explaining a decision that has been made. As part of an extensive evaluation, not only the detection performance and run time of the presented method are examined, but the learned detection model is also analyzed in detail. The robustness of the model against targeted attacks is also examined and improved. In a series of experiments, it can be shown that the proposed method achieves better results than comparable methods, even including some popular antivirus programs. In most experiments, the method can reliably detect malware and achieves detection rates of over 90% at a low false positive rate of 1%.

    Evaluating Explanation Methods for Deep Learning in Security

    Deep learning is increasingly used as a building block of security systems. Unfortunately, neural networks are hard to interpret and typically opaque to the practitioner. The machine learning community has started to address this problem by developing methods for explaining the predictions of neural networks. While several of these approaches have been successfully applied in the area of computer vision, their application in security has received little attention so far. It is an open question which explanation methods are appropriate for computer security and what requirements they need to satisfy. In this paper, we introduce criteria for comparing and evaluating explanation methods in the context of computer security. These cover general properties, such as the accuracy of explanations, as well as security-focused aspects, such as the completeness, efficiency, and robustness. Based on our criteria, we investigate six popular explanation methods and assess their utility in security systems for malware detection and vulnerability discovery. We observe significant differences between the methods and build on these to derive general recommendations for selecting and applying explanation methods in computer security. Comment: IEEE European Symposium on Security and Privacy, 202

    Evolutionarily Conserved Histone Methylation Dynamics during Seed Life-Cycle Transitions

    Plants have a remarkable ability to react to seasonal changes by synchronizing life-cycle transitions with environmental conditions. We addressed the question of how transcriptional re-programming occurs in response to an environmental cue that triggers the major life cycle transition from seed dormancy to germination and seedling growth. We elucidated an important mechanistic aspect of this process by following the chromatin dynamics of key regulatory genes with a focus on the two antagonistic marks, H3K4me3 and H3K27me3. Histone methylation patterns of major dormancy regulators changed during the transition to germination and seedling growth. We observed a switch from H3K4me3 and high transcription levels to silencing by the repressive H3K27me3 mark when dormancy was broken through exposure to moist chilling, underscoring that a functional PRC2 complex is necessary for this transition. Moreover, this reciprocal regulation by H3K4me3 and H3K27me3 is evolutionarily conserved from gymnosperms to angiosperms

    Role of a Fur homolog in iron metabolism in Nitrosomonas europaea

    Background: In response to environmental iron concentrations, many bacteria coordinately regulate transcription of genes involved in iron acquisition via the ferric uptake regulation (Fur) system. The genome of Nitrosomonas europaea, an ammonia-oxidizing bacterium, carries three genes (NE0616, NE0730 and NE1722) encoding proteins belonging to Fur family. Results: Of the three N. europaea fur homologs, only the Fur homolog encoded by gene NE0616 complemented the Escherichia coli H1780 fur mutant. A N. europaea fur:kanP mutant strain was created by insertion of kanamycin-resistance cassette in the promoter region of NE0616 fur homolog. The total cellular iron contents of the fur:kanP mutant strain increased by 1.5-fold compared to wild type when grown in Fe-replete media. Relative to the wild type, the fur:kanP mutant exhibited increased sensitivity to iron at or above 500 μM concentrations. Unlike the wild type, the fur:kanP mutant was capable of utilizing iron-bound ferrioxamine without any lag phase and showed over expression of several outer membrane TonB-dependent receptor proteins irrespective of Fe availability. Conclusions: Our studies have clearly indicated a role in Fe regulation by the Fur protein encoded by N. europaea NE0616 gene. Additional studies are required to fully delineate role of this fur homolog.

    The Wolf effect and the Redshift of Quasars

    We consider a simple model, based on currently accepted models for active galactic nuclei, for a quasi-stellar object (QSO or "quasar") and examine the influence that correlation-induced spectral changes ("The Wolf Effect") may have upon the redshifts of the optical emission lines. Comment: 13 pages, 3 figures. To be published in J. European Optical Soc. A: Pure and Applied Optic

    DNA methylation dynamics during early plant life.


    Dos and Don'ts of Machine Learning in Computer Security

    With the growing processing power of computing systems and the increasing availability of massive datasets, machine learning algorithms have led to major breakthroughs in many different areas. This development has influenced computer security, spawning a series of work on learning-based security systems, such as for malware detection, vulnerability discovery, and binary code analysis. Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance and render learning-based systems potentially unsuitable for security tasks and practical deployment. In this paper, we look at this problem with critical eyes. First, we identify common pitfalls in the design, implementation, and evaluation of learning-based security systems. We conduct a study of 30 papers from top-tier security conferences within the past 10 years, confirming that these pitfalls are widespread in the current security literature. In an empirical analysis, we further demonstrate how individual pitfalls can lead to unrealistic performance and interpretations, obstructing the understanding of the security problem at hand. As a remedy, we propose actionable recommendations to support researchers in avoiding or mitigating the pitfalls where possible. Furthermore, we identify open problems when applying machine learning in security and provide directions for further research. Comment: to appear at USENIX Security Symposium 202