Javier Nieves
University of Deusto
Publication
Featured research published by Javier Nieves.
international conference on engineering secure software and systems | 2010
Igor Santos; Felix Brezo; Javier Nieves; Yoseba K. Penya; Borja Sanz; Carlos Laorden; Pablo García Bringas
Malware is every malicious code that has the potential to harm any computer or network. The amount of malware is increasing faster every year and poses a serious security threat. Hence, malware detection has become a critical topic in computer security. Currently, signature-based detection is the most extended method within commercial antivirus. Although this method is still used on most popular commercial computer antivirus software, it can only achieve detection once the virus has already caused damage and it is registered. Therefore, it fails to detect new variations of known malware. In this paper, we propose a new method to detect variants of known malware families. This method is based on the frequency of appearance of opcode sequences. Furthermore, we describe a method to mine the relevance of each opcode and, thereby, weigh each opcode sequence frequency. We show that this method provides an effective way to detect variants of known malware families.
CISIS/ICEUTE/SOCO Special Sessions | 2013
Igor Santos; Jaime Devesa; Felix Brezo; Javier Nieves; Pablo García Bringas
Malware is any computer software potentially harmful to both computers and networks. The amount of malware is growing every year and poses a serious global security threat. Signature-based detection is the most extended method in commercial antivirus software, however, it consistently fails to detect new malware. Supervised machine learning has been adopted to solve this issue. There are two types of features that supervised malware detectors use: (i) static features and (ii) dynamic features. Static features are extracted without executing the sample whereas dynamic ones require an execution. Both approaches have their advantages and disadvantages. In this paper, we propose for the first time, OPEM, a hybrid unknown malware detector which combines the frequency of occurrence of operational codes (statically obtained) with the information of the execution trace of an executable (dynamically obtained). We show that this hybrid approach enhances the performance of both approaches when run separately.
distributed computing and artificial intelligence | 2011
Igor Santos; Javier Nieves; Pablo García Bringas
Malware is any kind of computer software potentially harmful to both computers and networks. The amount of malware is increasing every year and poses a serious global security threat. Signature-based detection is the most widely used commercial antivirus method, however, it consistently fails to detect new malware. Supervised machine-learning models have been used to solve this issue, but the usefulness of supervised learning is far from perfect because it requires a significant amount of malicious code and benign software to be identified and labelled beforehand. In this paper, we propose a new method of malware protection that adopts a semi-supervised learning approach to detect unknown malware. This method is designed to build a machine-learning classifier using a set of labelled (malware and legitimate software) and unlabelled instances. We performed an empirical validation demonstrating that the labelling efforts are lower than when supervised learning is used, while maintaining high accuracy rates.
Cybernetics and Systems | 2013
Borja Sanz; Igor Santos; Carlos Laorden; Xabier Ugarte-Pedrero; Javier Nieves; Pablo García Bringas; Gonzalo Álvarez Marañón
The use of mobile phones has increased because they offer nearly the same functionality as a personal computer. In addition, the number of applications available for Android-based mobile devices has increased. Google offers programmers the opportunity to upload and sell applications in the Android Market, but malware writers upload their malicious code there. In light of this background, we present here manifest analysis for malware detection in Android (MAMA), a new method that extracts several features from the Android manifest of the applications to build machine learning classifiers and detect malware.
international conference on industrial informatics | 2009
Javier Nieves; Igor Santos; Yoseba K. Penya; Sendoa Rojas; Mikel Salazar; Pablo García Bringas
Mechanical properties are the attributes of a metal to withstand several forces and tensions. Specifically, ultimate tensile strength is the force a material can resist until it breaks. The only way to examine this mechanical property is the employment of destructive inspections that render the casting invalid with the subsequent cost increment. In a previous work we showed that modelling the foundry process as a probabilistic constellation of interrelated variables allows Bayesian networks to infer causal relationships. In other words, they may guess the value of a variable (for instance, the value of ultimate tensile strength). Against this background, we present here the first ultimate tensile strength prediction system that, upon the basis of a Bayesian network, is able to foresee the values of this property in order to correct it before the casting is made. Further, we have tested the accuracy and error rate of the system with data of a real foundry.
distributed computing and artificial intelligence | 2009
Igor Santos; Javier Nieves; Yoseba K. Penya; Pablo García Bringas
Microshrinkages are known as probably the most difficult defects to avoid in high-precision foundry. The presence of this failure renders the casting invalid, with the subsequent cost increment. Modelling the foundry process as an expert knowledge cloud allows properly-trained machine learning algorithms to foresee the value of a certain variable, in this case the probability that a microshrinkage appears within a casting. Extending previous research that presented outstanding results with a Bayesian-network-based approach, we have adapted and tested an artificial neural network and the K-nearest neighbour algorithm for the same objective. Finally, we compare the obtained results and show that Bayesian networks are more suitable than the rest of the counterparts for the prediction of microshrinkages.
Information Sciences | 2014
Carlos Laorden; Xabier Ugarte-Pedrero; Igor Santos; Borja Sanz; Javier Nieves; Pablo García Bringas
Spam has become an important problem for computer security because it is a channel for spreading threats, including computer viruses, worms and phishing. Currently, more than 85% of received emails are spam. Historical approaches to combating these messages, including simple techniques such as sender blacklisting or using email signatures, are no longer completely reliable on their own. Many solutions utilise machine-learning approaches trained with statistical representations of the terms that usually appear in the emails. Nevertheless, these methods require a time-consuming training step with labelled data. Dealing with the limited availability of labelled training instances slows down the progress of filtering systems and offers advantages to spammers. In this paper, we present a study of the effectiveness of anomaly detection applied to spam filtering, which reduces the necessity of labelling spam messages and only employs the representation of one class of emails (i.e., legitimate or spam). This study includes a presentation of the first anomaly-based spam filtering system, an enhancement of this system that applies a data reduction algorithm to the labelled dataset to reduce processing time while maintaining detection rates and an analysis of the suitability of choosing legitimate emails or spam as a representation of normality.
international conference on social computing | 2010
Jose Maria Gomez-Hidalgo; Jose Miguel Martin-Abreu; Javier Nieves; Igor Santos; Felix Brezo; Pablo García Bringas
The rise of the social web has brought a series of privacy concerns and threats. In particular, data leakage is a risk that affects the privacy of not only companies but individuals. Although there are tools that can prevent data losses, they require a prior step that involves the sensitive data to be properly identified. In this paper, we propose a new automatic approach that applies Named Entity Recognition (NER) to prevent data leaks. We conduct an empirical study with real-world data and show that this NER-based approach can enhance the prevention of data losses. In addition, we present and detail the implementation of a prototype built with these techniques and show how it can be used by both particulars and companies in order to handle data losses.
soco-cisis-iceute | 2014
Borja Sanz; Igor Santos; Xabier Ugarte-Pedrero; Carlos Laorden; Javier Nieves; Pablo García Bringas
The usage of mobile phones has increased in our lives because they offer nearly the same functionality as a personal computer. Specifically, Android is one of the most widespread mobile operating systems. Indeed, its app store is one of the most visited and the number of applications available for this platform has also increased. However, as it happens with any popular service, it is prone to misuse, and the number of malware samples has increased dramatically in the last months. Thus, we propose a new method based on anomaly detection that extracts the strings contained in application files in order to detect malware.
database and expert systems applications | 2010
Javier Nieves; Igor Santos; Yoseba K. Penya; Felix Brezo; Pablo García Bringas
Mechanical properties are the attributes that measure the faculty of a metal to withstand several loads and tensions. Specifically, ultimate tensile strength is the force a material can resist until it breaks and, thus, it is one of the variables to control in the foundry process. The only way to examine this feature is the use of destructive inspections that render the casting invalid with the subsequent cost increment. Nevertheless, the foundry process can be modelled as an expert knowledge cloud upon which we may apply several machine learning techniques that allow foreseeing the probability for a certain value of a variable to happen. In this paper, we extend previous research on foundry production control by adapting and testing support vector machines and decision trees for the prediction beforehand of the mechanical properties of castings. Finally, we compare the obtained results and show that decision trees are more suitable than the rest of the counterparts for the prediction of ultimate tensile strength.