Biblio

Power grids are the most extensive man-made systems that are difficult to control and monitor. With the development of conventional power grids and moving toward smart grids, power systems have undergone vast changes since they use the Internet to transmit information and control commands to different parts of the power system. Due to the use of the Internet as a basic infrastructure for smart grids, attackers can sabotage the communication networks and alter the measurements. Due to the complexity of the smart grids, it is difficult for the network operator to detect such cyber-attacks. The attackers can implement the attack in a manner that conventional Bad Data detection (BDD) systems cannot detect since it may not violate the physical laws of the power system. This paper uses the cross wavelet transform (XWT) to detect stealth false data injections attacks (FDIAs) against state estimation (SE) systems. XWT can capture the coherency between measurements of adjacent buses and represent it in time and frequency space. Then, we train a machine learning classification algorithm to distinguish attacked measurements from normal measurements by applying a feature extraction technique.

Android Operating System becomes a major target for malicious attacks. Static analysis approach is widely used to detect malicious applications. Most of existing studies on static analysis frameworks are limited to certain features. This paper presents an Android Static Analysis Framework (ASAF) which models the overall static analysis phases and approaches for Android applications. ASAF can be implemented for different purposes including Android malicious apps detection. The proposed framework utilizes a parsing tool, Android Static Parse (ASParse) which is also introduced in this paper. Through the extendibility of the ASParse tool, future research studies can easily extend the parsed features and the parsed files to perform parsing based on their specific requirements and goals. Moreover, a case study is conducted to illustrate the implementation of the proposed ASAF.

Due to the advantages and limitations of the two kinds of vulnerability mining methods of static and dynamic analysis of android applications, the paper proposes a method of Android application vulnerability mining based on dynamic and static combination. Firstly, the static analysis method is used to obtain the basic vulnerability analysis results of the application, and then the input test case of dynamic analysis is constructed on this basis. The fuzzy input test is carried out in the real machine environment, and the application security vulnerability is verified with the taint analysis technology, and finally the application vulnerability report is obtained. Experimental results show that compared with static analysis results, the method can significantly improve the accuracy of vulnerability mining.

As a modern power transmission network, smart grid connects abundant terminal devices and plays an important role in our daily life. However, along with its growth are the security threats. Different from the separated environment previously, an adversary nowadays can destroy the power system by attacking its terminal devices. As a result, it's critical to ensure the security and safety of terminal devices. To achieve it, detecting the pre-existing vulnerabilities in the terminal program and enhancing its security, are of great importance and necessity. In this paper, we introduce Cker, a novel vulnerability detection tool for smart grid devices, which generates an program model based on device sources and sets rules to perform model checking. We utilize the static analysis to extract necessary information and build corresponding program models. By further checking the model with pre-defined vulnerability patterns, we achieve security detection and error reporting. The evaluation results demonstrate that our method can effectively detect vulnerabilities in smart devices with an acceptable accuracy and false positive rate. In addition, as Cker is realized by pure python, it can be easily scaled to other platforms.

Recent projects regarding the exploration of the functions of microbiomes within communities brought about a plethora of new data. That specific field of study is called Metagenomics and one of its more advancing approach is the application of network analysis. The paper introduces NAMData which is a web-application tool for the network analysis of microbiome data. The system handles the compositionality and sparsity nature of microbiome data by applying taxa filtration, normalization, and zero treatment. Furthermore, compositionally aware correlation estimators were used to compute for the correlation between taxa and the system divides the network into the positive and negative correlation network. NAMData aims to capitalize on the unique network features namely network visualization, centrality scores, and community detection. The system enables researchers to include network analysis in their analysis pipelines even without any knowledge of programming. Biological concepts can be integrated with the network findings gathered from the system to either support existing facts or form new insights.

With the rapid increase of practical problem complexity and code scale, the threat of software security is increasingly serious. Consequently, it is crucial to pay attention to the analysis of software source code vulnerability in the development stage and take efficient measures to detect the vulnerability as soon as possible. Machine learning techniques have made remarkable achievements in various fields. However, the application of machine learning in the domain of vulnerability static analysis is still in its infancy and the characteristics and performance of diverse methods are quite different. In this survey, we focus on a source code-oriented static vulnerability analysis method using machine learning techniques. We review the studies on source code vulnerability analysis based on machine learning in the past decade. We systematically summarize the development trends and different technical characteristics in this field from the perspectives of the intermediate representation of source code and vulnerability prediction model and put forward several feasible research directions in the future according to the limitations of the current approaches.

Data on software vulnerabilities, products and exploits is typically collected from multiple non-structured sources. Valuable information, e.g., on which products are affected by which exploits, is conveyed by matching data from those sources, i.e., through their relations. In this paper, we leverage this simple albeit unexplored observation to introduce a statistical relational learning (SRL) approach for the analysis of vulnerabilities, products and exploits. In particular, we focus on the problem of determining the existence of an exploit for a given product, given information about the relations between products and vulnerabilities, and vulnerabilities and exploits, focusing on Industrial Control Systems (ICS), the National Vulnerability Database and ExploitDB. Using RDN-Boost, we were able to reach an AUC ROC of 0.83 and an AUC PR of 0.69 for the problem at hand. To reach that performance, we indicate that it is instrumental to include textual features, e.g., extracted from the description of vulnerabilities, as well as structured information, e.g., about product categories. In addition, using interpretable relational regression trees we report simple rules that shed insight on factors impacting the weaponization of ICS products.

Existing group shilling attack detection methods mainly depend on human feature engineering to extract group attack behavior features, which requires a high knowledge cost. To address this problem, we propose a group shilling attack detection method based on maximum density subtensor mining. First, the rating time series of each item is divided into time windows and the item tensor groups are generated by establishing the user-rating-time window data models of three-dimensional tensor. Second, the M-Zoom model is applied to mine the maximum dense subtensor of each item, and the subtensor groups with high consistency of behaviors are selected as candidate groups. Finally, a dual-input convolutional neural network model is designed to automatically extract features for the classification of real users and group attack users. The experimental results on the Amazon and Netflix datasets show the effectiveness of the proposed method.

Aiming at group shilling attacks in recommender systems, a shilling group detection approach based on triangle dense subgraph mining is proposed. First, the user relation graph is built by mining the relations among users in the rating dataset. Second, the improved triangle dense subgraph mining method and the personalizing PageRank seed expansion algorithm are used to divide candidate shilling groups. Finally, the suspicious degrees of candidate groups are calculated using several group detection indicators and the attack groups are obtained. Experiments indicate that our method has better detection performance on the Amazon and Yelp datasets than the baselines.

Symbiotic radio (SR) has recently emerged as a promising technology to boost spectrum efficiency of wireless communications by allowing reflective communications underlying the active RF communications. In this paper, we leverage SR to boost physical layer security by using an array of passive reflecting elements constituting the intelligent reflecting surface (IRS), which is reconfigurable to induce diverse RF radiation patterns. In particular, by switching the IRS's phase shifting matrices, we can proactively create dynamic channel conditions, which can be exploited by the transceivers to extract common channel features and thus used to generate secret keys for encrypted data transmissions. As such, we firstly present the design principles for IRS-assisted key generation and verify a performance improvement in terms of the secret key generation rate (KGR). Our analysis reveals that the IRS's random phase shifting may result in a non-uniform channel distribution that limits the KGR. Therefore, to maximize the KGR, we propose both a heuristic scheme and deep reinforcement learning (DRL) to control the switching of the IRS's phase shifting matrices. Simulation results show that the DRL approach for IRS-assisted key generation can significantly improve the KGR.

In the era of rapid technological growth, malicious traffic has drawn increased attention. Most well-known offensive security assessment todays are heavily focused on pre-compromise. The amount of anomalous data in today's context is massive. Analyzing the data using primitive methods would be highly challenging. Solution to it is: If we can detect adversary behaviors in the early stage of compromise, one can prevent and safeguard themselves from various attacks including ransomwares and Zero-day attacks. Integration of new technologies Artificial Intelligence & Machine Learning with manual Anomaly Detection can provide automated machine-based detection which in return can provide the fast, error free, simplify & scalable Threat Detection & Response System. Endpoint Detection & Response (EDR) tools provide a unified view of complex intrusions using known adversarial behaviors to identify intrusion events. We have used the EMBER dataset, which is a labelled benchmark dataset. It is used to train machine learning models to detect malicious portable executable files. This dataset consists of features derived from 1.1 million binary files: 900,000 training samples among which 300,000 were malicious, 300,000 were benevolent, 300,000 un-labelled, and 200,000 evaluation samples among which 100K were malicious, 100K were benign. We have also included open-source code for extracting features from additional binaries, enabling the addition of additional sample features to the dataset.

Threats, posed by ransomware, are rapidly increasing, and its cost on both national and global scales is becoming significantly high as evidenced by the recent events. Ransomware carries out an irreversible process, where it encrypts victims' digital assets to seek financial compensations. Adversaries utilize different means to gain initial access to the target machines, such as phishing emails, vulnerable public-facing software, Remote Desktop Protocol (RDP), brute-force attacks, and stolen accounts. To combat these threats of ransomware, this paper aims to help researchers gain a better understanding of ransomware application profiles through static analysis, where we identify a list of suspicious indicators and similarities among 727 active ran-somware samples. We start with generating portable executable (PE) metadata for all the studied samples. With our domain knowledge and exploratory data analysis tasks, we introduce some of the suspicious indicators of the structure of ransomware files. We reduce the dimensionality of the generated dataset by using the Principal Component Analysis (PCA) technique and discover clusters by applying the KMeans algorithm. This motivates us to utilize the one-class classification algorithms on the generated dataset. As a result, the algorithms learn the common data boundary in the structure of our studied ransomware samples, and thereby, we achieve the data-driven similarities. We use the findings to evaluate the trained classifiers with the test samples and observe that the Local Outlier Factor (LoF) performs better on all the selected feature spaces compared to the One-Class SVM and the Isolation Forest algorithms.

The number of prominent ransomware attacks has increased recently. In this research, we detect ransomware by analyzing network traffic by using machine learning algorithms and comparing their detection performances. We have developed multi-class classification models to detect families of ransomware by using the selected network traffic features, which focus on the Transmission Control Protocol (TCP). Our experiment showed that decision trees performed best for classifying ransomware families with 99.83% accuracy, which is slightly better than the random forest algorithm with 99.61% accuracy. The experimental result without feature selection classified six ransomware families with high accuracy. On the other hand, classifiers with feature selection gave nearly the same result as those without feature selection. However, using feature selection gives the advantage of lower memory usage and reduced processing time, thereby increasing speed. We discovered the following ten important features for detecting ransomware: time delta, frame length, IP length, IP destination, IP source, TCP length, TCP sequence, TCP next sequence, TCP header length, and TCP initial round trip.

Ransomware is a major malware attack experienced by large corporations and healthcare services. Ransomware employs the idea of cryptovirology, which uses cryptography to design malware. The goal of ransomware is to extort ransom by threatening the victim with the destruction of their data. Ransomware typically involves a 3-step process: analyzing the victim’s network traffic, identifying a vulnerability, and then exploiting it. Thus, the detection of ransomware has become an important undertaking that involves various sophisticated solutions for improving security. To further enhance ransomware detection capabilities, this paper focuses on an Application Programming Interface (API)-based ransomware detection approach in combination with machine learning (ML) techniques. The focus of this research is (i) understanding the life cycle of ransomware on the Windows platform, (ii) dynamic analysis of ransomware samples to extract various features of malicious code patterns, and (iii) developing and validating machine learning-based ransomware detection models on different ransomware and benign samples. Data were collected from publicly available repositories and subjected to sandbox analysis for sampling. The sampled datasets were applied to build machine learning models. The grid search hyperparameter optimization algorithm was employed to obtain the best fit model; the results were cross-validated with the testing datasets. This analysis yielded a high ransomware detection accuracy of 99.18% for Windows-based platforms and shows the potential for achieving high-accuracy ransomware detection capabilities when using a combination of API calls and an ML model. This approach can be further utilized with existing multilayer security solutions to protect critical data from ransomware attacks.

Cyberattacks have been progressed in the fields of Internet of Things, and artificial intelligence technologies using the advanced persistent threat (APT) method recently. The damage caused by ransomware is rapidly spreading among APT attacks, and the range of the damages of individuals, corporations, public institutions, and even governments are increasing. The seriousness of the problem has increased because ransomware has been evolving into an intelligent ransomware attack that spreads over the network to infect multiple users simultaneously. This study used open source endpoint detection and response tools to build and test a framework environment that enables systematic ransomware detection at the network and system level. Experimental results demonstrate that the use of EDR tools can quickly extract ransomware attack features and respond to attacks.

At present, in the face of the huge and complex data in cloud computing, the parallel computing ability of quantum computing is particularly important. Quantum principal component analysis algorithm is used as a method of quantum state tomography. We perform feature extraction on the eigenvalue matrix of the density matrix after feature decomposition to achieve dimensionality reduction, proposed quantum principal component extraction algorithm (QPCE). Compared with the classic algorithm, this algorithm achieves an exponential speedup under certain conditions. The specific realization of the quantum circuit is given. And considering the limited computing power of the client, we propose a quantum homomorphic ciphertext dimension reduction scheme (QHEDR), the client can encrypt the quantum data and upload it to the cloud for computing. And through the quantum homomorphic encryption scheme to ensure security. After the calculation is completed, the client updates the key locally and decrypts the ciphertext result. We have implemented a quantum ciphertext dimensionality reduction scheme implemented in the quantum cloud, which does not require interaction and ensures safety. In addition, we have carried out experimental verification on the QPCE algorithm on IBM's real computing platform. Experimental results show that the algorithm can perform ciphertext dimension reduction safely and effectively.

Because of the rise of the Monroe coin, many JavaScript files with embedded malicious code are used to mine cryptocurrency using the computing power of the browser client. This kind of script does not have any obvious behaviors when it is running, so it is difficult for common users to witness them easily. This feature could lead the browser side cryptocurrency mining abused without the user’s permission. Traditional browser security strategies focus on information disclosure and malicious code execution, but not suitable for such scenes. Thus, we present a novel detection method named MineDetector using a machine learning algorithm and static features for automatically detecting browser-side cryptojacking scripts on the websites. MineDetector extracts five static feature groups available from the abstract syntax tree and text of codes and combines them using the machine learning method to build a powerful cryptojacking classifier. In the real experiment, MineDetector achieves the accuracy of 99.41% and the recall of 93.55% and has better performance in time comparing with present dynamic methods. We also made our work user-friendly by developing a browser extension that is click-to-run on the Chrome browser.

Bitcoin and other digital cryptocurrencies have de-veloped rapidly in recent years. To reduce hardware and power costs, many criminals use the botnet to infect other hosts to mine cryptocurrency for themselves, which has led to the proliferation of mining botnets and is referred to as cryptojacking. At present, the mechanisms specific to cryptojacking detection include host-based, Deep Packet Inspection (DPI) based, and dynamic network characteristics based. Host-based detection requires detection installation and running at each host, and the other two are heavyweight. Besides, DPI-based detection is a breach of privacy and loses efficacy if encountering encrypted traffic. This paper de-signs a lightweight cryptojacking traffic detection method based on network behavior features for an ISP, without referring to the payload of network traffic. We set up an environment to collect cryptojacking traffic and conduct a cryptojacking traffic study to obtain its discriminative network traffic features extracted from only the first four packets in a flow. Our experimental study suggests that the machine learning classifier, random forest, based on the extracted discriminative network traffic features can accurately and efficiently detect cryptojacking traffic.

Facial expression recognition has long been established as a subject of continuous research in various fields. In this study, feature extraction was conducted by calculating the distance between facial landmarks in an image. The extracted features of the relationship between each landmark and analysis were used to classify five facial expressions. We increased the data and label reliability based on our labeling work with multiple observers. Additionally, faces were recognized from the original data, and landmark coordinates were extracted and used as features. A genetic algorithm was used to select features that were relatively more helpful for classification. We performed facial recognition classification and analysis using the method proposed in this study, which showed the validity and effectiveness of the proposed method.

Aiming at the problems of the traditional convolutional neural network (CNN), such as too many parameters, single scale feature and inefficiency by some useless features, a lightweight multi-scale network with attention is proposed for facial expression recognition. The network uses the lightweight convolutional neural network model Xception and combines with the convolutional block attention module (CBAM) to learn key facial features; In addition, depthwise separable convolution module with convolution kernel of 3 × 3, 5 × 5 and 7 × 7 are used to extract features of facial expression image, and the features are fused to expand the receptive field and obtain more rich facial feature information. Experiments on facial expression datasets Fer2013 and KDEF show that the expression recognition accuracy is improved by 2.14% and 2.18% than the original Xception model, and the results further verify the effectiveness of our methods.

Emotion recognition in the field of human-computer interaction refers to that the computer has the corresponding perceptual ability to predict the emotional state of human beings in advance by observing human expressions, behaviors and emotions, so as to ensure that computers can communicate emotionally with humans. The main research work of this paper is to extract facial image features by using Linear Discriminant Analysis (LDA) and Facial Landmark Detection after grayscale processing and cropping, and then compare the accuracy after emotion recognition and classification to determine which feature extraction method is more effective. The test results show that the accuracy rate of emotion recognition in face images can reach 73.9% by using LDA method, and 84.5% by using Facial Landmark Detection method. Therefore, facial landmarks can be used to identify emotion in face images more accurately.

Teaching evaluation is an indispensable key link in the modern education model. Its purpose is to promote learners' cognitive and non-cognitive development, especially emotional development. However, today's education has increasingly neglected the emotional process of learners' learning. Therefore, a method of using machines to analyze the emotional changes of learners during learning has been proposed. At present, most of the existing emotion recognition algorithms use the extraction of two-dimensional facial features from images to perform emotion prediction. Through research, it is found that the recognition rate of 2D facial feature extraction is not optimal, so this paper proposes an effective the algorithm obtains a single two-dimensional image from the input end and constructs a three-dimensional face model from the output end, thereby using 3D facial information to estimate the continuous emotion of the dimensional space and applying this method to an online learning system. Experimental results show that the algorithm has strong robustness and recognition ability.

As a typical cyber-physical system, the power system utilizes advanced information and communication technologies to transmit crucial control signals in communication channels. However, many adversaries can construct false data injection attacks (FDIA) to circumvent traditional bad data detection and break the stability of the power grid. In this paper, we proposed a threat-maximizing FDIA model from the view of attackers. The proposed FDIA can not only circumvent bad data detection but can also cause a terrible fluctuation in the power system. Furthermore, in order to eliminate potential attack threats, the Spatio-temporal correlations of measurement matrices are considered. To extract the Spatio-temporal features, a data-driven detection method using a deep convolutional neural network was proposed. The effectiveness of the proposed FDIA model and detection are assessed by a simulation on the New England 39 bus system. The results show that the FDIA can cause a negative effect on the power system’s stable operation. Besides, the results reveal that the proposed FDIA detection method has an outstanding performance on Spatio-temporal features extraction and FDIA recognition.

Reversible data hiding (RDH) is an emerging area in the field of information security. The RDH schemes are widely explored in the field of cloud computing for data authentication and in medical image transmission for clinical data transmission along with medical images. The RDH schemes allow the data hider to embed sensitive information in digital content in such a way that later it can be extracted while recovering the original image. In this research, we explored the use of the RDH through the encryption scheme in a biometric authentication system. The internet of things (IoT) enabled biometric authentication systems are very common nowadays. In general, in biometric authentication, computationally complex tasks such as feature extraction and feature matching will be performed in a cloud server. The user-side devices will capture biometric data such as the face, fingerprint, or iris and it will be directly communicated to the cloud server for further processing. Since the confidentiality of biometric data needs to be maintained during the transmission, the original biometric data will be encrypted using any one of the data encryption techniques. In this manuscript, we propose the use of RDH through encryption approach to transmit two different biometric data as a single file without compromising confidentiality. The proposed scheme will ensure the integrity of the biometric data during transmission. For data hiding purposes, we have used a block-wise RDH through encryption scheme. The experimental study of the proposed scheme is carried out by embedding fingerprint data in the face images. The validation of the proposed scheme is carried out by extracting the fingerprint details from the face images during image decryption. The scheme ensures the exact recovery of face image images and fingerprint data at the receiver site.

Adversarial machine learning, a technique which seeks to deceive machine learning (ML) models, threatens the utility and reliability of ML systems. This is particularly relevant in critical ML implementations such as those found in Network Intrusion Detection Systems (NIDS). This paper considers the impact of adversarial influence on NIDS and proposes ways to improve ML based systems. Specifically, we consider five feature robustness metrics to determine which features in a model are most vulnerable, and four defense methods. These methods are tested on six ML models with four adversarial sample generation techniques. Our results show that across different models and adversarial generation techniques, there is limited consistency in vulnerable features or in effectiveness of defense method.