Minhui Xue

StormDroid: A Streaminglized Machine Learning-Based System for Detecting Android Malware

Mobile devices are especially vulnerable nowadays to malware attacks, thanks to the current trend of increased app downloads. Despite the significant security and privacy concerns it received, effective malware detection (MD) remains a significant challenge. This paper tackles this challenge by introducing a streaminglized machine learning-based MD framework, StormDroid: (i) The core of StormDroid is based on machine learning, enhanced with a novel combination of contributed features that we observed over a fairly large collection of data set; and (ii) we streaminglize the whole MD process to support large-scale analysis, yielding an efficient and scalable MD technique that observes app behaviors statically and dynamically. Evaluated on roughly 8,000 applications, our combination of contributed features improves MD accuracy by almost 10% compared with state-of-the-art antivirus systems; in parallel our streaminglized process, StormDroid, further improves efficiency rate by approximately three times than a single thread.

Data-Driven Privacy Analytics: A WeChat Case Study in Location-Based Social Networks

Location-based Social Network (LBSN) services enable people to discover users nearby and establish the communication with them. WeChat as both LBSN and Online Social Network (OSN) application does not impose a real-name policy for usernames, leaving the users to choose how they want to be identified by nearby people. In this paper, we show the feasibility to stalk WeChat users in any city from any place in the world and in parallel examine the anonymity of those users. Based on previous studies, we develop an automated attacking methodology by using fake GPS location, smart phone emulation, task automation, and optical character recognition (OCR). We then study the prevalence and behavior of Anonymous and Identifiable WeChat users and correlate their anonymity with their behavior, especially for those who repeatedly query the People Nearby service, a feature that triggers WeChat to discover nearby people. By monitoring Wall Street for 7 days, we gather location information relevant to 3,215 distinct users and finally find that Anonymous users are largely less inhibited to be dynamic participants, as they query more and are more willing to move around in public. To the best of our knowledge, this is the first work that quantifies the relationship between user mobility and user anonymity. We expect our study to motivate better privacy design in WeChat.

I know where you are: Thwarting privacy protection in location-based social discovery services

Location-based Social Discovery (LBSD) services enable users to discover their geographic neighborhoods to make new friends. Original LBSD services were designed to provide the exact distances to nearby users. It has been shown that it is easy to pinpoint any target users location by using trilateration based on the exact distances from three fake GPS locations to the target user. To thwart the trilateration attack, contemporary LBSD services then began to report distances of nearby users in concentric bands, e.g., bands of 100 meters. In this paper, we investigate the user location privacy leakage problem in LBSD services reporting distances in discrete bands. Using number theory, we analytically show that by strategically placing multiple virtual probes with contrived fake GPS locations, one can nevertheless pinpoint user locations in band-based LBSD. Our methodology guarantees to pinpoint any reported user within an area bounded by one square meter, even for LBSD services using large bands (such as 100m as used by WeChat). To the best of our knowledge, this is the first work that explicitly exploits and quantifies user location privacy leakage in band-based LBSD services. Our study is expected to draw more public attention to this serious privacy issue and hopefully motivate better privacy-preserving LBSD designs.

You Can Yak but You Can't Hide: Localizing Anonymous Social Network Users

The recent growth of anonymous social network services -- such as 4chan, Whisper, and Yik Yak -- has brought online anonymity into the spotlight. For these services to function properly, the integrity of user anonymity must be preserved. If an attacker can determine the physical location from where an anonymous message was sent, then the attacker can potentially use side information (for example, knowledge of who lives at the location) to de-anonymize the sender of the message. In this paper, we investigate whether the popular anonymous social media application Yik Yak is susceptible to localization attacks, thereby putting user anonymity at risk. The problem is challenging because Yik Yak application does not provide information about distances between user and message origins or any other message location information. We provide a comprehensive data collection and supervised machine learning methodology that does not require any reverse engineering of the Yik Yak protocol, is fully automated, and can be remotely run from anywhere. We show that we can accurately predict the locations of messages up to a small average error of 106 meters. We also devise an experiment where each message emanates from one of nine dorm colleges on the University of California Santa Cruz campus. We are able to determine the correct dorm college that generated each message 100\% of the time.

Characterizing user behaviors in location-based find-and-flirt services: Anonymity and demographics: A WeChat Case Study

WeChat, both a location-based social network (LBSN) and an online social network (OSN), is an immensely popular application in China. In this paper we specifically focus on a popular WeChat sub-service, namely, the People Nearby service, which is exemplary of a find-and-flirt service, similar to those on Momo and Tinder. Specifically, the People Nearby service reads in the current geographic location of the device to locate a list of other people using WeChat who are in the same vicinity. The user can then request to establish a WeChat friendship relation with any of the users on the list. In this paper, we explore: (i) if one gender tends to use the People Nearby service more than another; (ii) if users of People Nearby are more anonymous than ordinary WeChat users; (iii) if ordinary WeChat users are more anonymous than Twitter users. We also take an in-depth examination of the user anonymity and demographics in a combined fashion and examine: (iv) if ordinary WeChat females are more anonymous than ordinary males; (v) if People Nearby females are more anonymous than People Nearby males. By answering these questions, we will gain significant insights into modern online dating and friendship creation, insights that should be able to inform sociologists as well as designers of future find-and-flirt services.

Thwarting location privacy protection in location-based social discovery services

Location-based social discovery (LBSD) services enable users to discover their geographic neighborhoods to make new friends. Original LBSD services were designed to provide the exact distances to nearby users. It has been shown that it is easy to pinpoint any target users location by using trilateration based on the exact distances from three fake Global Positioning System locations to the target user. To defend against the trilateration attack, contemporary LBSD services then began to report distances of nearby users in concentric bands, for example, bands of 100 meters, rather than exact distances. In this paper, we investigate the user location privacy leakage problem in LBSD services reporting distances in discrete bands. Using number theory, we analytically show that by strategically placing multiple virtual probes with fake Global Positioning System locations, one can nevertheless localize user locations in band-based LBSD. Our methodology is guaranteed to localize any reported user within a circle of radius no greater than one meter, even for LBSD services using large bands (such as 100 m as used by WeChat). Eventually, countermeasures are proposed to reduce location privacy leakage to the very minimum. To the best of our knowledge, this is the first work that explicitly exploits and quantifies user location privacy leakage in band-based LBSD services. We expect our study to draw more public attention to this serious privacy issue and expectantly motivate better privacy preserving LBSD designs. Copyright

Automated poisoning attacks and defenses in malware detection systems: An adversarial machine learning approach

The evolution of mobile malware poses a serious threat to smartphone security. Today, sophisticated attackers can adapt by maximally sabotaging machine-learning classifiers via polluting training data, rendering most recent machine learning-based malware detection tools (such as Drebin, DroidAPIMiner, and MaMaDroid) ineffective. In this paper, we explore the feasibility of constructing crafted malware samples; examine how machine-learning classifiers can be misled under three different threat models; then conclude that injecting carefully crafted data into training data can significantly reduce detection accuracy. To tackle the problem, we propose KuafuDet, a two-phase learning enhancing approach that learns mobile malware by adversarial detection. KuafuDet includes an offline training phase that selects and extracts features from the training set, and an online detection phase that utilizes the classifier trained by the first phase. To further address the adversarial environment, these two phases are intertwined through a self-adaptive learning scheme, wherein an automated camouflage detector is introduced to filter the suspicious false negatives and feed them back into the training phase. We finally show that KuafuDet can significantly reduce false negatives and boost the detection accuracy by at least 15%. Experiments on more than 250,000 mobile applications demonstrate that KuafuDet is scalable and can be highly effective as a standalone system.

The Right to be Forgotten in the Media: A Data-Driven Study

Abstract Due to the recent “Right to be Forgotten” (RTBF) ruling, for queries about an individual, Google and other search engines now delist links to web pages that contain “inadequate, irrelevant or no longer relevant, or excessive” information about that individual. In this paper we take a data-driven approach to study the RTBF in the traditional media outlets, its consequences, and its susceptibility to inference attacks. First, we do a content analysis on 283 known delisted UK media pages, using both manual investigation and Latent Dirichlet Allocation (LDA). We find that the strongest topic themes are violent crime, road accidents, drugs, murder, prostitution, financial misconduct, and sexual assault. Informed by this content analysis, we then show how a third party can discover delisted URLs along with the requesters’ names, thereby putting the efficacy of the RTBF for delisted media links in question. As a proof of concept, we perform an experiment that discovers two previously-unknown delisted URLs and their corresponding requesters. We also determine 80 requesters for the 283 known delisted media pages, and examine whether they suffer from the “Streisand effect,” a phenomenon whereby an attempt to hide a piece of information has the unintended consequence of publicizing the information more widely. To measure the presence (or lack of presence) of a Streisand effect, we develop novel metrics and methodology based on Google Trends and Twitter data. Finally, we carry out a demographic analysis of the 80 known requesters. We hope the results and observations in this paper can inform lawmakers as they refine RTBF laws in the future.

POSTER: Accuracy vs. Time Cost: Detecting Android Malware through Pareto Ensemble Pruning

This paper proposes Begonia, a malware detection system through Pareto ensemble pruning. We convert the malware detection problem into the bi-objective Pareto optimization, aiming to trade off the classification accuracy and the size of classifiers as two objectives. We automatically generate several groups of base classifiers using SVM and generate solutions through bi-objective Pareto optimization. We then select the ensembles with highest accuracy of each group to form the final solutions, among which we hit the optimal solution where the combined loss function is minimal considering the trade-off between accuracy and time cost. We expect users to provide different trade-off levels to their different requirements to select the best solution. Experimental results show that Begonia can achieve higher accuracy with relatively lower overhead compared to the ensemble containing all the classifiers and can make a good trade-off to different requirements.

Towards adversarial detection of mobile malware: poster

Android malware has been found on various third-party online markets, which poses drastic threats to mobile users in terms of security and privacy. Machine learning is one of the promising approaches to discriminate the malicious applications from the benign ones. Despite its higher malware detection capability, a significant challenge remains: in adversarial environment, an attacker can adapt by maximally sabotaging classifiers by polluting training data. This paper proposes KuafuDet, a two-phase learning enhancing approach that adversarially detects the Android malware. Experiments on more than 50,000 Android applications demonstrate the effectiveness and scalability of our approach.