Publication


Featured research published by Kuo-Ping Wu.


information security | 2012

DroidMat: Android Malware Detection through Manifest and API Calls Tracing

Dong-Jie Wu; Ching-Hao Mao; Te-En Wei; Hahn-Ming Lee; Kuo-Ping Wu

Recently, the threat of Android malware has been spreading rapidly, especially repackaged Android malware. Although understanding Android malware using dynamic analysis can provide a comprehensive view, it is still subject to high cost in environment deployment and manual effort in investigation. In this study, we propose a static feature-based mechanism to provide a static analyst paradigm for detecting Android malware. The mechanism considers static information including permissions, deployment of components, Intent message passing and API calls for characterizing an Android application's behavior. In order to recognize different intentions of Android malware, different kinds of clustering algorithms can be applied to enhance the malware modeling capability. Besides, we leverage the proposed mechanism and develop a system called DroidMat. First, DroidMat extracts the information (e.g., requested permissions, Intent message passing, etc.) from each application's manifest file, and regards components (Activity, Service, Receiver) as entry points, drilling down to trace API calls related to permissions. Next, it applies the K-means algorithm, which enhances the malware modeling capability. The number of clusters is decided by the Singular Value Decomposition (SVD) method on the low-rank approximation. Finally, it uses the kNN algorithm to classify the application as benign or malicious. The experimental result shows that the recall rate of our approach is better than that of a well-known tool, Androguard, published at Black Hat 2011, which focuses on Android malware analysis. In addition, DroidMat is efficient, since it takes only half the time Androguard takes to predict 1738 apps as benign apps or Android malware.


information security | 2013

Suspicious URL Filtering Based on Logistic Regression with Multi-view Analysis

Ke-Wei Su; Kuo-Ping Wu; Hahn-Ming Lee; Te-En Wei

Current malicious URL detection techniques based on whole-URL information have difficulty detecting obfuscated malicious URLs. The most precise way to identify a malicious URL is to verify the corresponding web page contents. However, this is very costly in time, traffic and computing resources. Therefore, a filtering process that detects the more suspicious URLs, which should be further verified, is required in practice. In this work, we propose a suspicious URL filtering approach based on multi-view analysis in order to reduce the impact of URL obfuscation techniques. URLs are composed of several portions, and each portion has a specific use. The proposed method intends to learn the characteristics of multiple portions (multi-view) of URLs in order to give the suspicion level of each portion. By adjusting the suspicion threshold of each portion, the proposed system selects the most suspicious URLs. This work uses a real dataset from T. Co. to evaluate the proposed system. The requests from T. Co. are: (1) the detection rate should be less than 25%, (2) the missing rate should be lower than 25%, and (3) the processing of one hour of data should finish within an hour. The experimental results show that our approach is effective, is capable of reserving more malicious URLs in the selected suspicious ones, and satisfies the requests given by a practical environment, such as T. Co.'s daily work.


computer software and applications conference | 2012

Real-Time Fast-Flux Identification via Localized Spatial Geolocation Detection

Horng-Tzer Wang; Ching-Hao Mao; Kuo-Ping Wu; Hahn-Ming Lee

Fast-flux service networks (FFSNs), broadly used by botnets, are an evasive technique for conducting malicious behavior via rapid activities. FFSN detection easily fails in the case of poor performance and causes a high incidence of false positives due to the similarity of an FFSN to a content distribution network (CDN), a normal behavior for load balance. In this study, we propose a localized spatial geolocation detection (LSGD) system for identifying FFSNs in real time. We believe that the grid distribution of LSGD possesses a precise spatial locating capability for profiling the spatial relations between IP address resolutions. Furthermore, autonomous system numbers (ASNs) are used for enhancing localized geographic characteristics. The proposed system, incorporating LSGD, ASNs, and the domain name system (DNS), can respond well to identify potential FFSNs. The results of our experiment show that the proposed LSGD system has a better detection capability than state-of-the-art spatial or temporal detection approaches, with a lower false positive rate in real-time detection than the approach based on a spatial snapshot alone.


Security and Communication Networks | 2015

JSOD: JavaScript obfuscation detector

Ismail Adel AL-Taharwa; Hahn-Ming Lee; Albert B. Jeng; Kuo-Ping Wu; Cheng-Seen Ho; Shyi-Ming Chen

JavaScript obfuscation is a deliberate act of making a script difficult to understand by concealing its purpose. The prevalent use of obfuscation techniques to hide malicious code and to preserve copyrights of benign scripts has resulted in (i) missed detection of malicious scripts that are obfuscated and (ii) false alarms raised by benign scripts that are obfuscated. Automatic detection of obfuscated JavaScript is generally undertaken by tackling the problem from the readability perspective. Recently, a Microsoft research team analyzed different levels of context-based features to distinguish obfuscated malicious scripts from obfuscated benign ones. In this work, we raise the issue of existing readable versions of obfuscated scripts. Further, we discuss the challenges posed by readably obfuscated scripts against both JavaScript malware detectors and obfuscated script detectors. Therefore, we propose the JavaScript Obfuscation Detector (JSOD), a completely static solution to detect obfuscated scripts, including readable patterns. To evaluate JSOD, we compare it to the state-of-the-art approaches for detecting obfuscated malicious and obfuscated benign scripts, namely, Zozzle and Nofus. Our experimental results demonstrate the importance of detecting readably obfuscated scripts and their sophisticated variations. Furthermore, they also show the superiority of the JSOD approach over all relevant solutions.


Journal of Information Science and Engineering | 2014

Stock Trend Prediction by Using K-Means and AprioriAll Algorithm for Sequential Chart Pattern Mining

Kuo-Ping Wu; Yung-Piao Wu; Hahn-Ming Lee

In this paper we present a model to predict the stock trend based on a combination of sequential chart patterns, K-means and the AprioriAll algorithm. The stock price sequence is truncated into charts by a sliding window, then the charts are clustered by the K-means algorithm to form chart patterns. Therefore, the chart sequences are converted to chart pattern sequences, and frequent patterns in the sequences can be extracted by the AprioriAll algorithm. The existence of frequent patterns implies that some specific market behaviors often appear together, thus the corresponding trend can be predicted. Experimental results show that the proposed system can produce a better index return with fewer trades. Its annualized return is also better than that of award-winning mutual funds. Therefore, the proposed method makes profits on the real market, even in long-term usage.


international conference on technologies and applications of artificial intelligence | 2012

Stock Trend Prediction by Sequential Chart Pattern via K-Means and AprioriAll Algorithm

Yung-Piao Wu; Kuo-Ping Wu; Hahn-Ming Lee

In this paper we present a model to predict the stock trend based on a combination of sequential chart patterns, K-Means and the AprioriAll algorithm. The stock price sequence is truncated into charts by a sliding window. Then the charts are clustered by the K-Means algorithm to form chart patterns. Therefore, the charts form chart pattern sequences, and frequent patterns in the sequences can be extracted by the AprioriAll algorithm. The existence of frequent patterns implies that some specific market behaviors often appear together, thus the corresponding trend can be predicted. Experimental results show that the proposed system can produce a better index return with fewer trades. Its annualized return is also better than that of award-winning mutual funds. Therefore, the proposed method makes profits on the real market, even in long-term usage.


international conference on technologies and applications of artificial intelligence | 2011

System Failure Forewarning Based on Workload Density Cluster Analysis

Te-Chang Cheng; Kuo-Ping Wu; Hahn-Ming Lee

Each computer system contains design objectives for long-term usage, so the operator must conduct a continuous and accurate assessment of system performance in order to detect the potential factors that will degrade system performance. Condition indicators are the basic components of diagnosis. It is important to select feature vectors that meet the criteria in order to provide true accuracy and powerful diagnostic routines. Our goal is to indicate the actual system status according to the workload, and to use clustering techniques to analyze the workload distribution density to build diagnostic templates. Such templates can be used for system failure forewarning. In the proposed system, we present an approach based on workload density cluster analysis to automatically monitor the health of software systems and provide system failure forewarning. Our approach consists of tracking the workload density of metric clusters. We employ the statistical template model to automatically identify significant changes in cluster movement, therefore enabling robust fault detection. We observed two circumstances from the experimental results. First, under most normal statuses, the lowest accuracy value is approximately our theoretical minimum threshold of 84%. Such a result implies a close correlation between our measured and the real system status. Second, the command data used by the system could predict 90% of events announced, which reveals the prediction effectiveness of the proposed system. Although it is infeasible for the system to process the largest possible fault events in the deployment of resources, we could apply statistics to characterize the anomalous behaviors in order to understand the nature of emergencies and to test system service under such scenarios.


trust security and privacy in computing and communications | 2012

RedJsod: A Readable JavaScript Obfuscation Detector Using Semantic-based Analysis

Ismail Adel AL-Taharwa; Hahn-Ming Lee; Albert B. Jeng; Kuo-Ping Wu; Ching-Hao Mao; Te-En Wei; Shyi-Ming Chen

JavaScript allows Web developers to hide the intention behind their code inside different-looking scripts known as obfuscated code. Automatic detection of obfuscated code is generally tackled from the readability perspective. However, recent obfuscation exhibits patterns that modify both syntactic and semantic characteristics while preserving the readability characteristic. There are two problems in dealing with readable obfuscation: (1) it is difficult to locate, since it does not manipulate suspicious strings; (2) it is a common and essential practice adopted in both benign code and malicious code. In this work, we first investigate why and how readable obfuscation can hinder detection of maliciousness and prevent the static analysis of suspicious scripts. Next, we propose a readable JavaScript obfuscation detector (RedJsod) system to deal with this type of threat. RedJsod is a well-defined detector based on a variable length context-based feature extraction (VCLFE) scheme that takes advantage of the abstract syntax tree (AST) representation of a given piece of JavaScript code to infer run-time behaviors statically. We applied RedJsod to three datasets collected from real-world Web pages to evaluate its effectiveness. Also, we tested RedJsod on well-known readable obfuscation samples cited in related works as a proof-of-concept illustration. Our experimental results indicated that RedJsod achieved very high detection rates (greater than 97%) in terms of accuracy and eliminated false negatives completely, while at the same time yielding very few false positives.


international conference on information intelligence systems and applications | 2016

A responsive probing approach to detect dynamic intrusion in a MANET

Han-Chao Lee; Shin-Ming Cheng; Kuo-Ping Wu; Hahn-Ming Lee

Mobile Ad hoc NETwork (MANET) is regarded as one of the most appropriate technologies to connect IoT (Internet-of-Things). However, intrusion detection for black hole or flooding attacks in MANET is very complicated due to a lack of trusted centralized authority and dynamic topology. This paper proposes an efficient and effective mechanism, Responsive Probing Mechanism (RPM), to periodically inject probe packets into normal data stream transmission for the dynamic detection of misbehavior intrusion. Moreover, an indicator based on the quality of probe packets transmission is introduced to quantify the degree of misbehavior intrusion. The simulation results show that the proposed RPM outperforms the existing solutions in terms of fast, effective detection and lower calculation cost.


International Conference on Security-Enriched Urban Computing and Smart Grid | 2011

VoIPS: VoIP Secure Encryption VoIP Solution

Chiung-Yi Wu; Kuo-Ping Wu; Jason Shih; Hahn-Ming Lee

VoIP technology allows voice messages to be transmitted through the network, but it also encounters information security threats such as packet sniffing and authentication. In this research we propose an integrated algorithm, VoIPS (VoIP Secure). It conducts a secured VoIP communication which affords confidentiality and message authentication. Furthermore, the side effect on performance is trivial, and it is able to eliminate the risk of the well-known replay attack used on VoIP systems. According to our simulation experiments, the proposed system can be used to construct a secure VoIP communication system. A hardware prototype was created to verify that the proposed system is practically feasible.

Collaboration

Top Co-Authors

Hahn-Ming Lee, National Taiwan University of Science and Technology
Albert B. Jeng, National Taiwan University of Science and Technology
Ching-Hao Mao, National Taiwan University of Science and Technology
Shyi-Ming Chen, National Taiwan University of Science and Technology
Te-En Wei, National Taiwan University of Science and Technology
Cheng-Seen Ho, National Taiwan University of Science and Technology
Yung-Piao Wu, National Taiwan University of Science and Technology
Chiung-Yi Wu, National Taiwan University of Science and Technology