Simin Nadjm-Tehrani

Crowdroid: behavior-based malware detection system for Android

The sharp increase in the number of smartphones on the market, with the Android platform posed to becoming a market leader makes the need for malware analysis on this platform an urgent issue. In this paper we capitalize on earlier approaches for dynamic analysis of application behavior as a means for detecting malware in the Android platform. The detector is embedded in a overall framework for collection of traces from an unlimited number of real users based on crowdsourcing. Our framework has been demonstrated by analyzing the data collected in the central server using two types of data sets: those from artificial malware created for test purposes, and those from real malware found in the wild. The method is shown to be an effective means of isolating the malware and alerting the users of a downloaded malware. This shows the potential for avoiding the spreading of a detected malware to a larger community.

Geographical Routing With Location Service in Intermittently Connected MANETs

Combining mobile platforms such as manned or unmanned vehicles and peer-assisted wireless communication is an enabler for a vast number of applications. A key enabler for the applications is the routing protocol that directs the packets in the network. Routing packets in fully connected mobile ad hoc networks (MANETs) has been studied to a great extent, but the assumption on full connectivity is generally not valid in a real system. This case means that a practical routing protocol must handle intermittent connectivity and the absence of end-to-end connections. In this paper, we propose a geographical routing algorithm called location-aware routing for delay-tolerant networks (LAROD), enhanced with a location service, location dissemination service (LoDiS), which together are shown to suit an intermittently connected MANET (IC-MANET). Because location dissemination takes time in IC-MANETs, LAROD is designed to route packets with only partial knowledge of geographic position. To achieve low overhead, LAROD uses a beaconless strategy combined with a position-based resolution of bids when forwarding packets. LoDiS maintains a local database of node locations, which is updated using broadcast gossip combined with routing overhearing. The algorithms are evaluated under a realistic application, i.e., unmanned aerial vehicles deployed in a reconnaissance scenario, using the low-level packet simulator ns-2. The novelty of this paper is the illustration of sound design choices in a realistic application, with holistic choices in routing, location management, and the mobility model. This holistic approach justifies that the choice of maintaining a local database of node locations is both essential and feasible. The LAROD-LoDiS scheme is compared with a leading delay-tolerant routing algorithm (spray and wait) and is shown to have a competitive edge, both in terms of delivery ratio and overhead. For spray and wait, this case involved a new packet-level implementation in ns-2 as opposed to the original connection-level custom simulator.

Opportunistic DTN routing with window-aware adaptive replication

This paper presents ORWAR, a resource-efficient protocol for opportunistic routing in delay-tolerant networks. Our approach exploits the context of mobile nodes (speed, direction of movement and radio range) to estimate the size of a contact window. This knowledge is exploited to make better forwarding decisions and to minimize the probability of partially transmitted messages. As well as optimizing the use of bandwidth during overloads it helps to reduce energy consumption since partially transmitted messages are useless and waste transmission power. Another feature of the algorithm is the use of a differentiation mechanism based on message utility. This allows allocating more resources for high utility messages. More precisely, messages are replicated in the order of highest utility first, and removed from the buffers in the reverse order. To illustrate the benefit of such a scheme the global accumulated utility is used as a system-wide performance metric. Simulations illustrate the benefit of our model and show that ORWAR provides lower overhead and higher delivery rate, as well as higher accumulated utility compared to a number of well-known algorithms (including Maxprop and SprayAndWait).

ADWICE – anomaly detection with real-time incremental clustering

Anomaly detection, detection of deviations from what is considered normal, is an important complement to misuse detection based on attack signatures. Anomaly detection in real-time places hard requirements on the algorithms used, making many proposed data mining techniques less suitable. ADWICE (Anomaly Detection With fast Incremental Clustering) uses the first phase of the existing BIRCH clustering framework to implement fast, scalable and adaptive anomaly detection. We extend the original clustering algorithm and apply the resulting detection mechanism for analysis of data from IP networks. The performance is demonstrated on the KDD data set as well as on data from a test network at a telecom company. Our experiments show a good detection quality (95 %) and acceptable false positives rate (2.8 %) considering the online, real-time characteristics of the algorithm. The number of alarms is then further reduced by application of the aggregation techniques implemented in the Safeguard architecture.

Scale-up and performance studies of three agent platforms

With maturing technology agents are now a viable choice for distributed computing, also for systems with requirements on dependability and scalability. Agent platforms provide common services to applications developed as agents. Given the abundance of available platforms it is not easy to select an agent platform given a set of applications requirements. Evaluations of relevant properties of agent platforms are therefore needed, but unfortunately few up-to-date evaluations exist. In this paper we introduce and evaluate the three recent agent platforms JADE, Tryllian and SAP. Focus of the evaluation is the important properties of performance, security and scalability. We conclude that all platforms perform very well, but that platform architecture heavily influences the performance.

Time-aware utility-based resource allocation in wireless networks

This paper presents a time-aware admission control and resource allocation scheme in wireless networks in the context of a future generation cellular network. The quality levels (and their respective utility) of different connections are specified using discrete resource-utility (R-U) functions. The scheme uses these R-U functions for allocating and reallocating bandwidth to connections, aiming to maximize the accumulated utility of the system. However, different applications react differently to resource reallocations. Therefore, at each allocation time point, the following factors are taken into account: the age of the connection, a disconnection (drop) penalty, and the sensitiveness to reallocation frequency. The evaluation of our approach shows a superior performance compared to a recent adaptive bandwidth allocation scheme (RBBS). In addition, we have studied the overhead that performing a reallocation imposes on the infrastructure. To minimize this overhead, we present an algorithm that efficiently reduces the number of reallocations while remaining within a given utility bound.

Adaptive real-time anomaly detection with incremental clustering

Anomaly detection in information (IP) networks, detection of deviations from what is considered normal, is an important complement to misuse detection based on known attack descriptions. Performing anomaly detection in real-time places hard requirements on the algorithms used. First, to deal with the massive data volumes one needs to have efficient data structures and indexing mechanisms. Secondly, the dynamic nature of todays information networks makes the characterisation of normal requests and services difficult. What is considered as normal during some time interval may be classified as abnormal in a new context, and vice versa. These factors make many proposed data mining techniques less suitable for real-time intrusion detection. In this paper we present ADWICE, Anomaly Detection With fast Incremental Clustering, and propose a new grid index that is shown to improve detection performance while preserving efficiency in search. Moreover, we propose two mechanisms for adaptive evolution of the normality model: incremental extension with new elements of normal behaviour, and a new feature that enables forgetting of outdated elements of normal behaviour. These address the needs of a dynamic network environment such as a telecom management network. We evaluate the technique for network-based intrusion detection, using the KDD data set as well as on data from a telecom IP test network. The experiments show good detection quality and act as proof of concept for adaptation of normality.

Emerging Information Infrastructures: Cooperation in Disasters

Disasters are characterised by their devastating effect on human lives and the societys ability to function. Unfortunately, rescue operations and the possibility to re-establish a working society after such events is often hampered by the lack of functioning communication infrastructures. This paper describes the challenges ahead in creating new communication networks to support post-disaster operations, and sets them in the context of the current issues in protection of critical infrastructures. The analysis reveals that while there are some common concerns there are also fundamental differences. The paper serves as an overview of some promising research directions and pointers to existing works in these areas.

Price/utility-based optimized resource allocation in wireless ad hoc networks

This paper proposes a scheme for bandwidth allocation in wireless ad hoc networks. The Quality of Service (QoS) levels for each end-to-end flow are expressed using resource-utility functions, and o ...

Real-time hierarchical control

A framework for developing hierarchical control systems consisting of layers that group transformation types, the tools to help implement the layers and validate timing properties, and the mechanisms for communicating among layers is discussed. The layered framework supports the design and implementation of control systems with both continuous and discrete components, and is suitable for integrating symbolic and numeric computations in a range of applications. Two applications of the framework-an elevator control system and driver support system-are described.<<ETX>>