Visible to the public International Conferences: Workshop on Security and Privacy Analytics (IWSPA) ’15, San Antonio, Texas

SoS Newsletter- Advanced Book Block

SoS Logo

International Conferences: Workshop on Security and Privacy Analytics (IWSPA) ’15, San Antonio, Texas


The 2015 ACM International Workshop on Security and Privacy Analytics -- IWSPA'15 was held in conjunction with CODASPY in San Antonio, Texas on March 02 - 04, 2015.  According to the organizers, techniques from data analytics fields are being applied to security challenges and some interesting questions arise: which techniques from these fields are more appropriate for the security domain and which among those are essential knowledge for security practitioners and students. Applications of such techniques also have interesting implications on privacy. The mission of the workshop is to: create a forum for interaction between data analytics and security experts and to examine the questions mentioned above. The conference web page is available at:  


George Cybenko; “Deep Learning of Behaviors for Security;” IWSPA '15 Proceedings of the 2015 ACM International Workshop on International Workshop on Security and Privacy Analytics, March 2015, Pages 1-1. Doi: 10.1145/2713579.2713592
Abstract: Deep learning has generated much research and commercialization interest recently. In a way, it is the third incarnation of neural networks as pattern classifiers, using insightful algorithms and architectures that act as unsupervised auto-encoders which learn hierarchies of features in a dataset. After a short review of that work, we will discuss computational approaches for deep learning of behaviors as opposed to just static patterns. Our approach is based on structured non-negative matrix factorizations of matrices that encode observation frequencies of behaviors. Example security applications and covert channel detection and coding will be presented.
Keywords: behaviors, machines learning, security (ID#: 15-5560)


Nasir Memon; “Photo Forensics: There is More to a Picture Than Meets the Eye; “ IWSPA '15 Proceedings of the 2015 ACM International Workshop on International Workshop on Security and Privacy Analytics, March 2015, Pages 35-35. Doi: 10.1145/2713579.2713594
Abstract: Given an image or a video clip can you tell which camera it was taken from? Can you tell if it was manipulated? Given a camera or even a picture, can you find from the Internet all other pictures taken from the same camera? Forensics professionals all over the world are increasingly encountering such questions. Given the ease by which digital images can be created, altered, and manipulated with no obvious traces, digital image forensics has emerged as a research field with important implications for ensuring digital image credibility. This talk will provide an overview of recent developments in the field, focusing on three problems and list challenges and problems that still need to be addressed. First, collecting image evidence and reconstructing them from fragments, with or without missing pieces. This involves sophisticated file carving technology. Second, attributing the image to a source, be it a camera, a scanner, or a graphically generated picture. The process entails associating the image with a class of sources with common characteristics (device model) or matching the image to an individual source device, for example a specific camera. Third, attesting to the integrity of image data. This involves image forgery detection to determine whether an image has undergone modification or processing after being initially captured.
Keywords: digital forensics, image forensics (ID#: 15-5561)


Hassan Alizadeh, Samaeh Khoshrou, André Zúquete; “Application-Specific Traffic Anomaly Detection Using Universal Background Model;” IWSPA '15 Proceedings of the 2015 ACM International Workshop on International Workshop on Security and Privacy Analytics, March 2015, Pages 11-17. Doi: 10.1145/2713579.2713586
Abstract: This paper presents an application-specific intrusion detection framework in order to address the problem of detecting intrusions in individual applications when their traffic exhibits anomalies. The system is based on the assumption that authorized traffic analyzers have access to a trustworthy binding between network traffic and the source application responsible for it. Given traffic flows generated by individual genuine application, we exploit the GMM-UBM (Gaussian Mixture Model-Universal Background Model) method to build models for genuine applications, and thereby form our detection system. The system was evaluated on a public dataset collected from a real network. Favorable results indicate the success of the framework.
Keywords: gaussian mixture models, intrusion detection, malware, network anomaly, traffic flows, universal background model, web applications (ID#: 15-5562)


Shobhit Shakya, Jian Zhang; “Towards Better Semi-Supervised Classification of Malicious Software;” IWSPA '15 Proceedings of the 2015 ACM International Workshop on International Workshop on Security and Privacy Analytics, March 2015, Pages 27-33. Doi: 10.1145/2713579.2713587
Abstract: Due to the large number of malicious software (malware) and the large variety among them, automated detection and analysis using machine learning techniques have become more and more important for network and computer security. An often encountered scenario in these security applications is that training examples are scarce but unlabeled data are abundant. Semi-supervised learning where both labeled and unlabeled data are used to learn a good model quickly is a natural choice under such condition. We investigate semi-supervised classification for malware categorization. We observed that malware data have specific characteristics and that they are noisy. Off-the-shelf semi-supervised learning may not work well in this case. We proposed a semi supervised approach that addresses the problems with malware data and can provide better classification. We conducted a set of experiments to test and compare our method to others. The experimental results show that semi-supervised classification is a promising direction for malware classification. Our method achieved more than 90% accuracy when there were only a few number of training examples. The results also indicates that modifications are needed to make semi-supervised learning work with malware data. Otherwise, semi-supervised classification may perform worse than classifiers trained on only the labeled data.
Keywords: graph spectral, graph-based semi-supervised learning, machine learning, malware classification (ID#: 15-5563)


Kyle Caudle, Christer Karlsson, Larry D. Pyeatt; “Using Density Estimation to Detect Computer Intrusions;” IWSPA '15 Proceedings of the 2015 ACM International Workshop on International Workshop on Security and Privacy Analytics, March 2015, Pages 43-48. Doi: 10.1145/2713579.2713584
Abstract: Density estimation can be used to make sense of data collected by large scale systems. An estimate of the underlying probability density function can be used to characterize normal network operating conditions. In this paper, we present a recursive method for constructing and updating an estimate of the non-stationary high dimensional probability density function using parallel programming. Once we have characterized standard operating conditions we perform real time checks for changes. We demonstrate the effectiveness of the approach via the use of simulated data as well as data from Internet header packets.
Keywords: data streams, density estimation, parallel programming, wavelets (ID#: 15-5564)


Alaa Darabseh, Akbar Siami Namin; “Keystroke Active Authentications Based on Most Frequently Used Words;” IWSPA '15 Proceedings of the 2015 ACM International Workshop on International Workshop on Security and Privacy Analytics, March 2015, Pages 49-54. Doi: 10.1145/2713579.2713589
Abstract: The aim of this research is to advance the user active authentication technology using keystroke dynamics. Through this research, we assess the performance and influence of various keystroke features on keystroke dynamics authentication systems. In particular, we investigate the performance of keystroke features on a subset of most frequently used English words. The performance of four features including key duration, flight time latency, diagraph time latency, and word total time duration are analyzed. Experiments are performed to measure the performance of each feature individually and the results from the different subsets of these features. The results of the experiments are evaluated using 28 users. The experimental results show that diagraph time offers the best performance result among all four keystroke features, followed by flight time. Furthermore, the paper introduces new feature which can be effectively used in the keystroke dynamics domain.
Keywords: authentication, biometrics, keystroke dynamics, keystroke feature, security (ID#: 15-5565)


Zhentan Feng, Shuguang Xiong, Deqiang Cao, Xiaolu Deng, Xin Wang, Yang Yang, Xiaobo Zhou, Yan Huang, Guangzhu Wu; “HRS: A Hybrid Framework for Malware Detection ;” IWSPA '15 Proceedings of the 2015 ACM International Workshop on International Workshop on Security and Privacy Analytics, March 2015, Pages 19-26. Doi: 10.1145/2713579.2713585
Abstract: Traditional signature-based detection methods fail to detect unknown malwares, while data mining methods for detection are proved useful to new malwares but suffer for high false positive rate. In this paper, we provide a novel hybrid framework called HRS based on the analysis for 50 millions of malware samples across 20,000 malware classes from our antivirus platform. The distribution of the samples are elaborated and a hybrid framework HRS is proposed, which consists of Hash-based, Rule-based and SVM-based models trained from different classes of malwares according to the distribution. Rule-based model is the core component of the hybrid framework. It is convenient to control false positives by adjusting the factor of a boolean expression in rule-based method, while it still has the ability to detect the unknown malwares. The SVM-based method is enhanced by examining the critical sections of the malwares, which can significantly shorten the scanning and training time. Rigorous experiments have been performed to evaluate the HRS approach based on the massive dataset and the results demonstrate that HRS achieves a true positive rate of 99.84% with an error rate of 0.17%. The HRS method has already been deployed into our security platform.
Keywords: antivirus engine, data mining, machine learning, malware class distribution, malware detection (ID#: 15-5566)


Hao Zhang, Maoyuan Sun, Danfeng (Daphne) Yao, Chris North; “Visualizing Traffic Causality for Analyzing Network Anomalies;”  IWSPA '15 Proceedings of the 2015 ACM International Workshop on International Workshop on Security and Privacy Analytics, March 2015, Pages 37-42. Doi: 10.1145/2713579.2713583
Abstract: Monitoring network traffic and detecting anomalies are essential tasks that are carried out routinely by security analysts. The sheer volume of network requests often makes it difficult to detect attacks and pinpoint their causes. We design and develop a tool to visually represent the causal relations for network requests. The traffic causality information enables one to reason about the legitimacy and normalcy of observed network events. Our tool with a special visual locality property supports different levels of visual-based querying and reasoning required for the sensemaking process on complex network data. Leveraging the domain knowledge, security analysts can use our tool to identify abnormal network activities and patterns due to attacks or stealthy malware. We conduct a user study that confirms our tool can enhance the readability and perceptibility of the dependency for host-based network traffic.
Keywords: anomaly detection, information visualization, network traffic analysis, usable security, visual locality (ID#: 15-5567)


Yang Liu, Jing Zhang, Armin Sarabi, Mingyan Liu, Manish Karir, Michael Bailey; “Predicting Cyber Security Incidents Using Feature-Based Characterization of Network-Level Malicious Activities ;”  IWSPA '15 Proceedings of the 2015 ACM International Workshop on International Workshop on Security and Privacy Analytics, March 2015, Pages 3-9. Doi: 10.1145/2713579.2713582
Abstract: This study offers a first step toward understanding the extent to which we may be able to predict cyber security incidents (which can be of one of many types) by applying machine learning techniques and using externally observed malicious activities associated with network entities, including spamming, phishing, and scanning, each of which may or may not have direct bearing on a specific attack mechanism or incident type. Our hypothesis is that when viewed collectively, malicious activities originating from a network are indicative of the general cleanness of a network and how well it is run, and that furthermore, collectively they exhibit fairly stable and thus predictive behavior over time. To test this hypothesis, we utilize two datasets in this study: (1) a collection of commonly used IP address-based/host reputation blacklists (RBLs) collected over more than a year, and (2) a set of security incident reports collected over roughly the same period. Specifically, we first aggregate the RBL data at a prefix level and then introduce a set of features that capture the dynamics of this aggregated temporal process. A comparison between the distribution of these feature values taken from the incident dataset and from the general population of prefixes shows distinct differences, suggesting their value in distinguishing between the two while also highlighting the importance of capturing dynamic behavior (second order statistics) in the malicious activities. These features are then used to train a support vector machine (SVM) for prediction. Our preliminary results show that we can achieve reasonably good prediction performance over a forecasting window of a few months.
Keywords: network reputation, network security, prediction, temporal pattern, time-series data (ID#: 15-5568)


Wenyaw Chan, George Cybenko, Murat Kantarcioglu, Ernst Leiss, Thamar Solorio, Bhavani Thuraisingham, Rakesh Verma; “Panel: Essential Data Analytics Knowledge for Cyber-security Professionals and Students;” IWSPA '15 Proceedings of the 2015 ACM International Workshop on International Workshop on Security and Privacy Analytics, March 2015, Pages 55-57. Doi: 10.1145/2713579.2713590
Abstract: Increasingly, techniques from data analytics fields of statistics, machine learning, data mining, and natural language processing are being employed for challenges in cyber-security and privacy. This panel examines which techniques from these fields are essential for current and future cyber-security practitioners and what are the related considerations involved in successfully solving security and privacy challenges of the future.
Keywords: curriculum, data analytics, privacy, security (ID#: 15-5569)


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.