Publication


Featured research published by Faraz Ahmed.


security and artificial intelligence | 2009

Using spatio-temporal information in API calls with machine learning algorithms for malware detection

Faraz Ahmed; Haider Hameed; M. Zubair Shafiq; Muddassar Farooq

Run-time monitoring of program execution behavior is widely used to discriminate between benign and malicious processes running on an end-host. Towards this end, most of the existing run-time intrusion or malware detection techniques utilize information available in Windows Application Programming Interface (API) call arguments or sequences. In comparison, the key novelty of our proposed tool is the use of statistical features which are extracted from both spatial (arguments) and temporal (sequences) information available in Windows API calls. We provide this composite feature set as an input to standard machine learning algorithms to raise the final alarm. The results of our experiments show that the concurrent analysis of spatio-temporal features improves the detection accuracy of all classifiers. We also perform the scalability analysis to identify a minimal subset of API categories to be monitored whilst maintaining high detection accuracy.


Computer Communications | 2013

A Generic Statistical Approach for Spam Detection in Online Social Networks

Faraz Ahmed; Muhammad Abulaish

In this paper, we present a generic statistical approach to identify spam profiles on Online Social Networks (OSNs). Our study is based on real datasets containing both normal and spam profiles crawled from Facebook and Twitter networks. We have identified a set of 14 generic statistical features to identify spam profiles. The identified features are common to both Facebook and Twitter networks. For classification task, we have used three different classification algorithms – naïve Bayes, Jrip, and J48, and evaluated them on both individual and combined datasets to establish the discriminative property of the identified features. The results obtained on a combined dataset has detection rate (DR) as 0.957 and false positive rate (FPR) as 0.048, whereas on Facebook dataset the DR and FPR values are 0.964 and 0.089, respectively, and that on Twitter dataset the DR and FPR values are 0.976 and 0.075, respectively. We have also analyzed the contribution of each individual feature towards the detection accuracy of spam profiles. Thereafter, we have considered 7 most discriminative features and proposed a clustering-based approach to identify spam campaigns on Facebook and Twitter networks.


trust security and privacy in computing and communications | 2012

An MCL-Based Approach for Spam Profile Detection in Online Social Networks

Faraz Ahmed; Muhammad Abulaish

Over the past few years, Online Social Networks (OSNs) have emerged as cheap and popular communication and information sharing media. Huge amount of information is being shared through popular OSN sites. This aspect of sharing information to a large number of individuals with ease has attracted social spammers to exploit the network of trust for spreading spam messages to promote personal blogs, advertisements, phishing, scam and so on. In this paper, we present a Markov Clustering (MCL) based approach for the detection of spam profiles on OSNs. Our study is based on a real dataset of Facebook profiles, which includes both benign and spam profiles. We model social network using a weighted graph in which profiles are represented as nodes and their interactions as edges. The weight of an edge, connecting a pair of user profiles, is calculated as a function of their real social interactions in terms of active friends, page likes and shared URLs within the network. MCL is applied on the weighted graph to generate different clusters containing different categories of profiles. Majority voting is applied to handle the cases in which a cluster contains both spam and normal profiles. Our experimental results show that majority voting not only reduces the number of clusters to a minimum, but also increases the performance values in terms of FP and FB measures from FP=0.85 and FB=0.75 to FP=0.88 and FB=0.79, respectively.


international conference on communications | 2010

Towards a Theory of Generalizing System Call Representation for In-Execution Malware Detection

Bilal Mehdi; Faraz Ahmed; Syed Ali Khayyam; Muddassar Farooq

The major contribution of this paper is two-fold: (1) we present our novel variable-length system call representation scheme compared to existing fixed-length sequence schemes, and (2) using this representation, we present our in-execution malware detector that can not only identify zero-day malware without any a priori knowledge but can also detect a malicious process while it is executing. Our representation scheme - a more generalized version of n-gram - can be visualized in a k-dimensional hyperspace in which processes move depending upon their sequence of system calls. The process marks its impact in space by generating hyper-grams that are later used to evaluate an unknown process according to their profile. The proposed technique is evaluated on a real world dataset extracted from a Linux System. The results of our analysis show that our in-execution malware detector with hyper-gram representation achieves low processing overheads and improved detection accuracies as compared to conventional n-grams.


measurement and modeling of computer systems | 2015

Detecting and Localizing End-to-End Performance Degradation for Cellular Data Services

Faraz Ahmed; Jeffrey Erman; Zihui Ge; Alex X. Liu; Jia Wang; He Yan

Providing high end-to-end (E2E) performance is critical for cellular service providers to best serve their customers. Detecting and localizing E2E performance degradation is crucial for cellular service providers, content providers, device manufacturers, and application developers to jointly troubleshoot root causes. To the best of our knowledge, detection and localization of E2E performance degradation at cellular service providers has not been previously studied. In this paper, we propose a holistic approach to detecting and localizing E2E performance degradation at cellular service providers across the four dimensions of user locations, content providers, device types, and application types. First, we use training data to build models that can capture the normal performance of every E2E-instance, which means flows corresponding to a specific location, content provider, device type, and application type. Second, we use our models to detect performance degradation for each E2E-instance on an hourly basis. Third, after each E2E-instance has been labeled as non-degrading or degrading, we use association rule mining techniques to localize the source of performance degradation. Our system detected performance degradation instances over a period of one week. In 80% of the detected degraded instances, content providers, device types, and application types were the only factors of performance degradation.


international conference on information systems security | 2011

A data mining framework for securing 3G core network from GTP fuzzing attacks

Faraz Ahmed; M. Zubair Rafique; Muhammad Abulaish

Since the emergence of 3G cellular IP networks, internet usage via 3G data services has become ubiquitous. Therefore such network is an important target for imposters who can disrupt the internet services by attacking the network core, thereby causing significant revenue losses to mobile operators. GPRS Tunneling Protocol (GTP) is the primary protocol used between the 3G core network nodes. In this paper, we present the design of a multi-layer framework to detect fuzzing attacks targeted to GTP control (GTP-C) packets. The framework analyzes each type of GTP-C packet separately for feature extraction, by implementing a Markov state space model at the Gn interface of the 3G core network. The multi-layered architecture utilizes standard data mining algorithms for classification. Our analysis is based on real world network traffic collected at the Gn interface. The analysis results show that for only 5% fuzzing introduced in a packet with average size of 85 bytes, the framework detects fuzzing in GTP-C packets with 99.9% detection accuracy and 0.01% false alarm rate.


IEEE ACM Transactions on Networking | 2018

Noise Tolerant Localization for Sensor Networks

Fu Xiao; Lei Chen; Chaoheng Sha; Lijuan Sun; Ruchuan Wang; Alex X. Liu; Faraz Ahmed

Most range-based localization approaches for wireless sensor networks (WSNs) rely on accurate and sufficient range measurements, yet noise and data missing are inevitable in distance ranging. Existing localization approaches often suffer from unsatisfied accuracy in the co-existence of incomplete and corrupted range measurements. In this paper, we propose LoMaC, a noise-tolerant localization scheme, to address this problem. Specifically, we first employ Frobenius-norm and $L_{1}$-norm to formulate the reconstruction of noisy and missing Euclidean distance matrix (EDM) as a norm-regularized matrix completion (NRMC) problem. Second, we design an efficient algorithm based on alternating direction method of multiplier to solve the NRMC problem. Third, based on the completed EDM, we further employ a multi-dimension scaling method to localize unknown nodes. Meanwhile, to accelerate our algorithm, we also adopt some acceleration techniques to reduce the computation cost. Finally, extensive experimental results show that our algorithm not only achieves significantly better localization performance than prior algorithms but also provides an accurate position prediction of outlier, which is useful for malfunction diagnosis in WSNs.


international conference on distributed computing systems | 2016

The Internet is for Porn: Measurement and Analysis of Online Adult Traffic

Faraz Ahmed; M. Zubair Shafiq; Alex X. Liu

Adult (or pornographic) websites attract a large number of visitors and account for a substantial fraction of the global Internet traffic. However, little is known about the makeup and characteristics of online adult traffic. In this paper, we present the first large-scale measurement study of online adult traffic using HTTP logs collected from a major commercial content delivery network. Our data set contains approximately 323 terabytes worth of traffic from 80 million users, and includes traffic from several dozen major adult websites and their users in four different continents. We analyze several characteristics of online adult traffic including content and traffic composition, device type composition, temporal dynamics, content popularity, content injection, and user engagement. Our analysis reveals several unique characteristics of online adult traffic. We also analyze implications of our findings on adult content delivery. Our findings suggest several content delivery and cache performance optimizations for adult traffic, e.g., modifications to website design, content delivery, cache placement strategies, and cache storage configurations.


asia-pacific web conference | 2013

Identification of Sybil Communities Generating Context-Aware Spam on Online Social Networks

Faraz Ahmed; Muhammad Abulaish


parallel problem solving from nature | 2010

Using computational intelligence to identify performance bottlenecks in a computer system

Faraz Ahmed; Farrukh Shahzad; Muddassar Farooq

Collaboration

Top Co-Authors

Alex X. Liu
Michigan State University

Muddassar Farooq
National University of Computer and Emerging Sciences

M. Zubair Rafique
Katholieke Universiteit Leuven

Haider Hameed
National University of Computer and Emerging Sciences