Robiah Yusof

Analysis of Features Selection and Machine Learning Classifier in Android Malware Detection

The proliferation of Android-based mobile devices and mobile applications in the market has triggered the malware author to make the mobile devices as the next profitable target. With user are now able to use mobile devices for various purposes such as web browsing, ubiquitous services, online banking, social networking, MMS and etc, more credential information is expose to exploitation. Applying a similar security solution that work in Desktop environment to mobile devices may not be proper as mobile devices have a limited storage, memory, CPU and power consumption. Hence, there is a need to develop a mobile malware detection that can provide an effective solution to defence the mobile user from any malicious threat and at the same time address the limitation of mobile devices environment. Prior to this matter, this research focused on evaluating the best features selection to be used in the best machine-learning classifiers. To find the best combination of both features selection and classifier, five sets of different feature selection are applies to five different machine learning classifiers. The classifier outcome is evaluated using the True Positive Rate (TPR), False Positive Rate (FPR), and Accuracy. The best combination of both features selection and classifier can be used to reduce features selection and at the same time able to classify the infected android application accurately.

Traceability in digital forensic investigation process

Digital forensic is part of forensic science that implicitly covers crime that is related to computer technology. In a cyber crime, digital evidence investigation requires a special procedures and techniques in order to be used and be accepted in court of law. Generally, the goals of these special processes are to identify the origin of the incident reported as well as maintaining the chain of custody so that the legal process can take its option. Subsequently, the traceability process has become a key or an important element of the digital investigation process, as it is capable to map the events of an incident from difference sources in obtaining evidence of an incident to be used for other auxiliary investigation aspects. Hence, this paper introduces a trace map model to illustrate the relationship in the digital forensic investigation process by adapting and integrating the traceability features. The objective of this integration is to provide the capability of trace and map the evidence to the sources and shows the link between the evidence, the entities and the sources involved in the process, particularly in the collection phase of digital forensic investigation framework. Additionally, the proposed model is expected to help the forensic investigator in obtaining accurate and complete evidence that can be further used in a court of law.

Enhanced Alert Correlation Framework for Heterogeneous Log

Management of intrusion alarms particularly in identifying malware attack is becoming more demanding due to large amount of alert produced by low-level detectors. Alert correlation can provide high-level view of intrusion alerts but incapable of handling large amount of alarm. This paper proposes an enhanced Alert Correlation Framework for sensors and heterogeneous log. It can reduce the large amount of false alarm and identify the perspective of the attack. This framework is mainly focusing on the alert correlation module which consists of Alarm Thread Reconstruction, Log Thread Reconstruction, Attack Session Reconstruction, Alarm Merging and Attack Pattern Identification module. It is evaluated using metric for effectiveness that shows high correlation rate, reduction rate, identification rate and low misclassification rate. Meanwhile in statistical validation it has highly significance result with p < 0.05. This enhanced Alert Correlation Framework can be extended into research areas in alert correlation and computer forensic investigation.

Profiling mobile malware behaviour through hybrid malware analysis approach

Nowadays, the usage of mobile device among the community worldwide has been tremendously increased. With this proliferation of mobile devices, more users are able to access the internet for variety of online application and services. As the use of mobile devices and applications grows, the rate of vulnerabilities exploitation and sophistication of attack towards the mobile user are increasing as well. To date, Googles Android Operating System (OS) are among the widely used OS for the mobile devices, the openness design and ease of use have made them popular among developer and user. Despite the advantages the android-based mobile devices have, it also invited the malware author to exploit the mobile application on the market. Prior to this matter, this research focused on investigating the behaviour of mobile malware through hybrid approach. The hybrid approach correlates and reconstructs the result from the static and dynamic malware analysis in producing a trace of malicious event. Based on the finding, this research proposed a general mobile malware behaviour model that can contribute in identifying the key features in detecting mobile malware on an Android Platform device.

Preliminary study of host and network-based analysis on P2P Botnet detection

Botnet is a network of compromised computer that running malicious software remotely controlled by an attacker known as Botmaster. The threat of Botnet threaten is widely dangerous and it is crucially to overcome this crisis. Some new bots use P2P protocols to construct command and control system are known as peer-to-peer (P2P) Botnet. More severe when P2P Botnet incorporated the centralized and distributed communication which make it more robust and complicated for detection. Hence, the analysis is necessary to be conducted especially in the combination of host-based and network-based in order to detect bots accurately. This paper provides the details analysis on host-based analysis and network-based analysis to detect P2P bots that will reveal their unique characteristic and behaviors. The result of experimental testbed on datasets show that it is possible to detect effectively P2P Botnet in standalone host and network packets payload. Thus, this analysis can be used for early warning of P2P Botnet activities in the host-and network-level as prevention mechanism.

Host Based Detection Approach Using Time Based Module for Fast Attack Detection Behavior

Intrusion Detection System (IDS) is an important component in a network security infrastructure. IDS need to be accurate and reliable in order to detect the intrusive behaviour of a packet that travelling through the network. With the current technological advancement attack on network infrastructure has evolve to a new level and to make IDS sensitive enough to detect the new attack, the detection framework need to be frequently updated. Both the fast attack and slow attack mechanism has become the subset of phases inside the anatomy of attack. Each of the attack mechanism has their own criteria and fast attack is the important type of attack that need to be considered as any late detection of the fast attack can cause a major bad impact to the organization. Therefore, there is a need to identify a suitable technique to detect the fast attack and based on this, this paper introduce a static threshold using statistical and observation technique for detecting the fast attack intrusion that is within one second time interval. The Threshold selected was based on the real network traffic dataset and verified using classification table on real network traffic.

Preliminary Findings: Revising Developer Guideline Using Word Frequency for Identifying Apps Miscategorization

Number of application in Google Play Store is increasing at a rapid rate. It is currently holding more than 3 million apps. With a large number of application files and information, locating the right apps into the right category can be quite challenging. We observed more than one thousand apps to prove that there are miscategorizations of apps in Android official marketplace. We revise the subject inside the guideline provided by developer console and kept the sub-category remain. In order to have more specific subjects for each sub-category, we revise the standard guideline by their description using word frequency. Top five ranked in terms of weighting without duplication from existing guideline was chosen as new subject in particular sub-categories. Furthermore, we remove redundant subject across sub-category. Finally, we calculate the miscategorization apps based on new guideline. The result shows that “Lifestyle” sub-category contributes to large number of misplaced apps. The result shows only 61% apps are correctly inserted into their category for all 1105 collected data. Having fine category will be a feeder to the further research related to malware detection.

Cyber Threat Intelligence – Issue and Challenges

Received Jan 15, 2018 Revised Mar 14, 2018 Accepted Mar 30, 2018 Blood veins detection process can be cumbersome for nurses and medical practioners when it comes to special overweight type of patients. This simple routine procedure can lead the process into an extreme calamity for these patients. In this paper, we emphasized on a process for the detection of the vein in real time using the consecrations of Matlab to prevent or at least reduce the number of inescapable calamity for patients during the infusion of a needle by phlebotomy or doctor in everyday lives. Hemoglobin of the blood tissues engrossed the Near Infrared (NIR) illuminated light and Night vision camera is used to capture the scene and enhance the vein pattern clearly using Contrast Limited Adaptive Histogram Equalization (CLAHE) method. This simple approach can successfully also lead to localizing bleeding spots, clots from stroke ... etc among other things.

Discovering Cyber Terrorism Using Trace Pattern

Nowadays, as the Internet user increased, the number of cyber threats is also increased. Internet has provided a medium for criminal to do the crime and become the target for cyber terrorist to spread their negative propaganda, and promote extreme activities. One of the crimes is cyber terrorism. Cyber terrorism became more sophisticated and it difficult to discover its activities. Hence, this paper proposes tracing technique for discovering cyber terrorism based on trace pattern. Trace pattern will represent the behavior and activities of cyber terrorism. Cyber terrorists website is used as the datasets. Using tracing technique, cyber terrorists activities are identified by extraction and classifying the traces to the keyword that is usually used by the terrorist. Then, the traces will be linked with the cyber terrorism components in order to identify the relationship between them. Using trace pattern, the verification process will be conducted to verify the traces in order to identify the cyber terrorism activities and potential terrorist. This trace pattern can be used in facilitating the forensic investigation process in discovering cyber terrorism activities.

An empirical investigation of RSSI-based distance estimation for wireless indoor positioning system

RSSI-based distance estimation techniques for wireless indoor positioning system require extensive offline calibration to construct propagation model in order to describe the relationship between received signal strength and distance. This paper investigates the accuracy of the well-known propagation models against the measured data at indoor building. From the results, the dual slope model exhibits the best propagation model and it is chosen as the reference for further investigation. The accuracy of dual slope model in distance estimation suffers from the degradation due to the presence of Non Line of Sight NLOS condition between mobile station and access point. Therefore, to further improve the accuracy, this paper studies the effect of breakpoint distance and evaluates two simple techniques, running variance and kurtosis index, to identify the NLOS condition. Once the NLOS condition is identified, the best dual slope model can be selected for accurate distance estimation.