Jianyun Xu

Static analyzer of vicious executables (SAVE)

Software security assurance and malware (Trojans, worms, and viruses, etc.) detection are important topics of information security. Software obfuscation, a general technique that is useful for protecting software from reverse engineering, can also be used by hackers to circumvent the malware detection tools. Current static malware detection techniques have serious limitations, and sandbox testing also fails to provide a complete solution due to time constraints. In this paper, we present a robust signature-based malware detection technique, with emphasis on detecting obfuscated (or polymorphic) malware and mutated (or metamorphic) malware. The hypothesis is that all versions of the same malware share a common core signature that is a combination of several features of the code. After a particular malware has been first identified, it can be analyzed to extract the signature, which provides a basis for detecting variants and mutants of the same malware in the future. Encouraging experimental results on a large set of recent malware are presented.

Feature mining and pattern classification for steganalysis of LSB matching steganography in grayscale images

In this paper, we present a scheme based on feature mining and pattern classification to detect LSB matching steganography in grayscale images, which is a very challenging problem in steganalysis. Five types of features are proposed. In comparison with other well-known feature sets, the set of proposed features performs the best. We compare different learning classifiers and deal with the issue of feature selection that is rarely mentioned in steganalysis. In our experiments, the combination of a dynamic evolving neural fuzzy inference system (DENFIS) with a feature selection of support vector machine recursive feature elimination (SVMRFE) achieves the best detection performance. Results also show that image complexity is an important reference to evaluation of steganalysis performance.

Image complexity and feature mining for steganalysis of least significant bit matching steganography

The information-hiding ratio is a well-known metric for evaluating steganalysis performance. In this paper, we introduce a new metric of image complexity to enhance the evaluation of steganalysis performance. In addition, we also present a scheme of steganalysis of least significant bit (LSB) matching steganography, based on feature mining and pattern recognition techniques. Compared to other well-known methods of steganalysis of LSB matching steganography, our method performs the best. Results also indicate that the significance of features and the detection performance depend not only on the information-hiding ratio, but also on the image complexity.

Polymorphic malicious executable scanner by API sequence analysis

The proliferation of malware (viruses, Trojans, and other malicious code) in recent years has presented a serious threat to enterprises, organizations, and individuals. Polymorphic (or variant versions of) computer viruses are more complex and difficult than their original versions to detect, often requiring antivirus companies to spend much time to create the routines needed to catch them. In this paper, we propose a new approach for detecting polymorphic malware in the Windows platform. Our approach rests on an analysis based on the Windows API calling sequence that reflects the behavior of a piece of particular code. The analysis is carried out directly on the PE (portable executable) code. It is achieved in two major steps: construct the API calling sequences for both the known virus and the suspicious code, and perform a similarity measurement between the two sequences after a sequence realignment operation is done. Favorable experimental results are obtained and presented.

Image Complexity and Feature Extraction for Steganalysis of LSB Matching Steganography

In this paper, we present a scheme for steganalysis of LSB matching steganography based on feature extraction and pattern recognition techniques. Shape parameter of generalized Gaussian distribution (GGD) in the wavelet domain is introduced to measure image complexity. Several statistical pattern recognition algorithms are applied to train and classify the feature sets. Comparison of our method and others indicates our method is highly competitive. It is highly efficient for color image steganalysis. It is also efficient for grayscale steganalysis in the low image complexity domain

JPEG compression immune steganography using wavelet transform

Steganography is art of hiding a secret media in another media. One of the major challenges in steganography is robustness, since the stego-signal need to survive multiple kinds of data processing. Low pass filtering, for example JPEG compression, is known as a common attack against stego-signal in image based steganography. We present a new method of image steganography that is extremely robust against JPEG compression while allowing error free information extracting. The method is based on 2D lossless wavelet transform and convolution error correction coding. Experimental results show that hidden information can be retrieved with zero bit error rates even when the stego-image experienced maximum JPEG compression.

Tree Based Behavior Monitoring for Adaptive Fraud Detection

The general basis for anomaly detection and fraud detection is pattern recognition. An effective online fraud detection system should be able to discover both known and new attacks as early as possible. The detection process should be self-adjustable to allow the system to deal with the constantly changing nature of online attacks. In this paper, we present an anomaly detection technique based on behavior mining and monitoring that work at both the individual and system level. Frequent pattern tree is utilized to profile the normal behavior adaptively. A novel tree-based pattern matching algorithm is designed to discover individual level anomalies. An algorithm for computing tree similarity is proposed to solve the system level problems. Empirical evaluations of our technique on both synthetic and real-world data show that we can accurately differentiate anomalous behaviors from the profiled normal behavior

Microarray Gene Expression Classification Based on Supervised Learning and Similarity Measures

Microarray gene expression data has high dimension and small samples, the gene selection is very important to the classification accuracy. In this paper, we present a scheme of recursive feature addition for microarray gene expression classification based on supervised learning and the similarity measure between chosen genes and candidates. In comparison with the well-known gene selection methods of T-TEST and SVM-RFE using different classifiers, our method, on the average, performs the best regarding the classification accuracy under different feature dimensions, the mean test accuracy and the highest test accuracy under the highest train accuracy, and the highest test accuracy in the experiments.