Contextual Identification of Windows Malware through Semantic Interpretation of API Call Sequence

2020 ◽  
Vol 10 (21) ◽  
pp. 7673
Author(s):  
Eslam Amer ◽  
Shaker El-Sappagh ◽  
Jong Wan Hu

The proper interpretation of a malware API call sequence plays a crucial role in identifying its malicious intent. Moreover, there is a need to characterize smart malware mimicry activities that resemble goodware programs; such malware poses further challenges in recognizing its malicious activities. In this paper, we propose standard and straightforward contextual behavioral models that characterize Windows malware and goodware. We relied on word embedding to capture the contextual association that may occur between API functions in malware sequences. Our empirical results proved that there is a considerable distinction between malware and goodware call sequences. Based on that distinction, we propose a new malware detection method that relies on a Markov chain. We also propose a heuristic method that identifies malware's mimicry activities by tracking the likelihood behavior of a given API call sequence. Experimental results showed that our proposed model outperforms other peer models that rely on API call sequences. Our model returns an average malware detection accuracy of 0.990, with a false positive rate of 0.010. Regarding malware mimicry, our model shows a noteworthy average accuracy of 0.993 in detecting false positives.

2021 ◽  
Vol 2021 ◽  
pp. 1-7
Author(s):  
Jie Zhao

With the continuous development of multimedia social networks, online public opinion information is becoming more and more prevalent. The rule extraction matrix algorithm can effectively improve the probability that information data will be tested. Anomaly detection of network information data is realized through probability calculation, and the prior probability is calculated in order to detect abnormally high network data. Practical results show that the rule extraction matrix algorithm can effectively control the false positive rate of the sample data, improves detection accuracy, and has efficient detection performance.


Author(s):  
Velliangiri S

Multimedia digital data include medical records and financial documents, whose security is not guaranteed. Concern for the security of multimedia digital data has been a widespread issue in the field of cybernetics. With increasing malware in video payloads, the proposed study aims to reduce the embedding of malware in video payloads using a Pseudo Arbitrary Permutation based Cellular Automata Encryption (PAP-CAE) system. This method reduces malware attacks and the distortion rate by permuting the secret keys with a pseudo-arbitrary permutation. Before PAP-CAE is applied, a 2D wavelet transform is applied to the multimedia files, which compresses the complex files into different scales and positions so that they can be transmitted over a network at reduced size. The reverse process of decryption and decompression retrieves the original files. The proposed method is evaluated against existing methods to test its efficacy in terms of detection accuracy, malware detection time and false positive rate. The results show that the proposed method is effective in detecting malware in multimedia video files.


Electronics ◽  
2019 ◽  
Vol 8 (11) ◽  
pp. 1210 ◽  
Author(s):  
Khraisat ◽  
Gondal ◽  
Vamplew ◽  
Kamruzzaman ◽  
Alazab

The Internet of Things (IoT) has been rapidly evolving, making a greater impact on everything from everyday life to large industrial systems. Unfortunately, this has attracted the attention of cybercriminals, who have made IoT a target of malicious activities, opening the door to possible attacks on end nodes. Due to the large number and diverse types of IoT devices, protecting the IoT infrastructure with a traditional intrusion detection system is a challenging task. To protect IoT devices, a novel ensemble Hybrid Intrusion Detection System (HIDS) is proposed that combines a C5 classifier and a One-Class Support Vector Machine classifier. HIDS combines the advantages of a Signature Intrusion Detection System (SIDS) and an Anomaly-based Intrusion Detection System (AIDS). The aim of this framework is to detect both well-known intrusions and zero-day attacks with high detection accuracy and low false-alarm rates. The proposed HIDS is evaluated using the Bot-IoT dataset, which includes legitimate IoT network traffic and several types of attacks. Experiments show that the proposed hybrid IDS provides a higher detection rate and a lower false positive rate than the SIDS and AIDS techniques.


2017 ◽  
Vol 7 (2) ◽  
pp. 16-41 ◽  
Author(s):  
Naghmeh Moradpoor Sheykhkanloo

A Structured Query Language injection (SQLi) attack is a code injection technique in which hackers inject SQL commands into a database via a vulnerable web application. Injected SQL commands can modify the back-end SQL database and thus compromise the security of the web application. In previous publications, the author proposed a Neural Network (NN)-based model for detecting and classifying SQLi attacks. The proposed model was built from three elements: 1) a Uniform Resource Locator (URL) generator, 2) a URL classifier, and 3) a NN model. The proposed model successfully 1) detected each generated URL as either benign or malicious, and 2) identified the type of SQLi attack for each malicious URL. The published results proved the effectiveness of the proposal. In this paper, the author re-evaluates the performance of the proposal through two scenarios using controversial data sets. The results of the experiments are presented to demonstrate the effectiveness of the proposed model in terms of accuracy, true-positive rate and false-positive rate.


2014 ◽  
Vol 644-650 ◽  
pp. 2572-2576
Author(s):  
Qing Liu ◽  
Yun Kai Zhang ◽  
Qing Ru Li

A support vector machine (SVM) model combining Laplacian Eigenmaps (LE) with Cross Validation (CV) is proposed for intrusion detection. In the proposed model, a classifier is adopted to estimate whether an action is an attack or not. Maximum Likelihood Estimation (MLE) is used to estimate the intrinsic dimension, and LE is used as a preprocessor for the SVM to reduce the dimensionality of the feature vectors, which shortens training time. To improve the performance of the SVM, CV is used to optimize the SVM parameters for the RBF kernel function. Compared with other detection algorithms, the experimental results show that the proposed model has the following advantages: shorter training time, a higher accuracy rate and a lower false positive rate.


2018 ◽  
Author(s):  
Rejeesh Rayaroth ◽  
Sivaradje Gopalakrishnan

A water distribution system delivers water to customers with better quality and pressure, supplying water from its source to the point of use. Due to leakage, an insufficient amount of water is delivered to the consumer. Many researchers have introduced techniques for detecting water leakage in distribution systems, but water leakage detection accuracy was not improved and time consumption was not reduced. To improve water leakage detection performance, the Enhanced BrownBoost Classifier based Glowworm Swarm Optimization (EBBC-GWO) method is introduced. The EBBC-GWO method introduces two models, namely the Enhanced BrownBoost Classifier model and the Glowworm Swarm Optimization model. The Enhanced BrownBoost Classifier model uses the k-Nearest Neighbor (k-NN) classifier as its weak classifier. It classifies the training samples by the neighbors' majority vote to assign each object to a class. The BrownBoost classifier combines all k-NN classifiers to construct a strong classifier. In this way, data are classified as normal or abnormal with higher accuracy. After classification, an optimization process is executed in which every solution corresponds to a glowworm (i.e., an abnormal pressure data node) in the search space. Every glowworm has an objective function for addressing the optimization problem. Each glowworm probabilistically chooses a neighbor with a higher luciferin value and moves toward it. The glowworm updates its location toward that glowworm in the dynamic decision space, and the optimal one is selected for water leakage detection. In this way, water leakage detection accuracy is improved with a lower false positive rate. Experimental evaluation of the proposed EBBC-GWO method is carried out with respect to the number of pressure data and sensor placement nodes. The results demonstrate that the EBBC-GWO method performs better in terms of classification accuracy, false positive rate, classification time and water leakage detection accuracy. The simulation results show that the EBBC-GWO method increases water leakage detection accuracy and reduces classification time compared to state-of-the-art works.


2020 ◽  
Vol 2020 ◽  
pp. 1-17
Author(s):  
Ömer Aslan ◽  
Refik Samet ◽  
Ömer Özgür Tanrıöver

In recent years, malware has evolved by using different obfuscation techniques; due to this evolution, malware detection has become problematic. Signature-based and traditional behavior-based malware detectors cannot effectively detect this new generation of malware. This paper proposes a subtractive center behavior model (SCBM) to create a malware dataset that captures semantically related behaviors from sample programs. In the proposed model, the system paths where malware behaviors are performed, as well as the malware behaviors themselves, are taken into consideration. In this way, malicious behavior patterns are differentiated from benign behavior patterns. Features that do not exceed the specified score are removed from the dataset. The datasets created using the proposed model contain far fewer features than the datasets created by n-gram and other models used in other studies. The proposed model can handle both known and unknown malware, and its detection rate and accuracy are higher than those of the known models. To show the effectiveness of the proposed model, two datasets, with score and without score, are created using SCBM. In total, 6700 malware samples and 3000 benign samples are tested. The results are compared with those derived from n-gram and models from other studies in the literature. The test results show that, by combining the proposed model with an appropriate machine learning algorithm, the detection rate, false positive rate, and accuracy are measured as 99.9%, 0.2%, and 99.8%, respectively.


Author(s):  
Zi Yang ◽  
Mingli Chen ◽  
Mahdieh Kazemimoghadam ◽  
Lin Ma ◽  
Strahinja Stojadinovic ◽  
...  

Stereotactic radiosurgery (SRS) is now the standard of care for patients with brain metastases (BMs). The SRS treatment planning process requires precise target delineation, which in the clinical workflow for patients with multiple (>4) BMs (mBMs) can become a pronounced time bottleneck. Our group has developed an automated BMs segmentation platform to assist in this process. The accuracy of the auto-segmentation, however, is influenced by the presence of false-positive segmentations, mainly caused by the contrast injected during MRI acquisition. To address this problem and further improve segmentation performance, a deep-learning and radiomics ensemble classifier was developed to reduce the false-positive rate in segmentations. The proposed model consists of a Siamese network and a radiomics-based support vector machine (SVM) classifier. The 2D-based Siamese network contains a pair of parallel feature extractors with shared weights followed by a single classifier; this architecture is designed to identify the inter-class difference. The SVM model, on the other hand, takes the radiomic features extracted from 3D segmentation volumes as input for twofold classification, as either a false-positive segmentation or a true BM. Lastly, the outputs from both models form an ensemble that generates the final label. The performance of the proposed model on the segmented mBMs testing dataset reached an accuracy (ACC), sensitivity (SEN), specificity (SPE) and area under the curve (AUC) of 0.91, 0.96, 0.90 and 0.93, respectively. After integrating the proposed model into the original segmentation platform, the average segmentation false negative rate (FNR) and false positive over the union (FPoU) were 0.13 and 0.09, respectively, which preserved the initial FNR (0.07) and significantly improved the FPoU (0.55). The proposed method effectively reduced the false-positive rate in the raw BMs segmentations, indicating that integrating the proposed ensemble classifier into the BMs segmentation platform provides a beneficial tool for mBMs SRS management.


2015 ◽  
Vol 2015 ◽  
pp. 1-11 ◽  
Author(s):  
Jian Kang ◽  
Mei Yang ◽  
Junyao Zhang

We propose using multiple observed features of network traffic to identify new highly distributed low-rate quality of service (QoS) violations so that detection accuracy may be further improved. For the multiple observed features, we choose the F feature in the TCP packet header as a microscopic feature and the P feature and D feature of network traffic as macroscopic features. Based on these features, we establish a multistream fused hidden Markov model (MF-HMM) to detect stealthy low-rate denial of service (LDoS) attacks hidden in legitimate network background traffic. In addition, the threshold value is dynamically adjusted using the Kaufman algorithm. Our experiments show that the additive effect of combining multiple features effectively reduces the false-positive rate. The average detection rate of MF-HMM is a significant 23.39% and 44.64% improvement over the typical power spectrum density (PSD) algorithm and the nonparametric cumulative sum (CUSUM) algorithm, respectively.


2021 ◽  
Vol 1 (1) ◽  
Author(s):  
Chin-Fu Liu ◽  
Johnny Hsu ◽  
Xin Xu ◽  
Sandhya Ramachandran ◽  
Victor Wang ◽  
...  

Background: Accessible tools to efficiently detect and segment diffusion abnormalities in acute strokes are highly anticipated by the clinical and research communities. Methods: We developed a tool with deep learning networks trained and tested on a large dataset of 2,348 clinical diffusion-weighted MRIs of patients with acute and sub-acute ischemic strokes, and further tested for generalization on 280 MRIs of an external dataset (STIR). Results: Our proposed model outperforms generic networks and DeepMedic, particularly on small lesions, with a lower false positive rate, balanced precision and sensitivity, and robustness to data perturbations (e.g., artefacts, low resolution, technical heterogeneity). The agreement with human delineation rivals the inter-evaluator agreement; the automated quantification of lesion volume and contrast has virtually total agreement with human quantification. Conclusion: Our tool is fast, public, accessible to non-experts and has minimal computational requirements, detecting and segmenting lesions via a single command line. Therefore, it fulfills the conditions for performing large-scale, reliable and reproducible clinical and translational research.
