Probability Distributions.- Linear Models for Regression.- Linear Models for Classification.- Neural Networks.- Kernel Methods.- Sparse Kernel Machines.- Graphical Models.- Mixture Models and EM.- Approximate Inference.- Sampling Methods.- Continuous Latent Variables.- Sequential Data.- Combining Models.

Pattern Recognition and Machine Learning

An overview of the self-organizing map algorithm, on which the papers in this issue are based, is presented in this article.

The Self-Organizing Map

Malicious applications pose a threat to the security of the Android platform. The growing amount and diversity of these applications render conventional defenses largely ineffective and thus Android smartphones often remain unprotected from novel malware. In this paper, we propose DREBIN, a lightweight method for detection of Android malware that enables identifying malicious applications directly on the smartphone. As the limited resources impede monitoring applications at run-time, DREBIN performs a broad static analysis, gathering as many features of an application as possible. These features are embedded in a joint vector space, such that typical patterns indicative for malware can be automatically identified and used for explaining the decisions of our method. In an evaluation with 123,453 applications and 5,560 malware samples DREBIN outperforms several related approaches and detects 94% of the malware with few false alarms, where the explanations provided for each detection reveal relevant properties of the detected malware. On five popular smartphones, the method requires 10 seconds for an analysis on average, rendering it suitable for checking downloaded applications directly on the device.

/pdf/drebin-effective-and-explainable-detection-of-android-4kuv3sjqel.pdf

DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket.

Models and Methods in Social Network Analysis presents the most important developments in quantitative models and methods for analyzing social network data that have appeared during the 1990s. Intended as a complement to Wasserman and Faust’s Social Network Analysis: Methods and Applications, it is a collection of original articles by leading methodologists reviewing recent advances in their particular areas of network methods. Reviewed are advances in network measurement, network sampling, the analysis of centrality, positional analysis or blockmodeling, the analysis of diffusion through networks, the analysis of affiliation or “two-mode” networks, the theory of random graphs, dependence graphs, exponential families of random graphs, the analysis of longitudinal network data, graphic techniques for exploring network data, and software for the analysis of social networks.

/pdf/models-and-methods-in-social-network-analysis-46f9pqfov7.pdf

Models and methods in social network analysis

Introduction to quality engineering : designing quality into products and processes

Recently, the threat of Android malware is spreading rapidly, especially those repackaged Android malware. Although understanding Android malware using dynamic analysis can provide a comprehensive view, it is still subjected to high cost in environment deployment and manual efforts in investigation. In this study, we propose a static feature-based mechanism to provide a static analyst paradigm for detecting the Android malware. The mechanism considers the static information including permissions, deployment of components, Intent messages passing and API calls for characterizing the Android applications behavior. In order to recognize different intentions of Android malware, different kinds of clustering algorithms can be applied to enhance the malware modeling capability. Besides, we leverage the proposed mechanism and develop a system, called Droid Mat. First, the Droid Mat extracts the information (e.g., requested permissions, Intent messages passing, etc) from each applicationi¦s manifest file, and regards components (Activity, Service, Receiver) as entry points drilling down for tracing API Calls related to permissions. Next, it applies K-means algorithm that enhances the malware modeling capability. The number of clusters are decided by Singular Value Decomposition (SVD) method on the low rank approximation. Finally, it uses kNN algorithm to classify the application as benign or malicious. The experiment result shows that the recall rate of our approach is better than one of well-known tool, Androguard, published in Black hat 2011, which focuses on Android malware analysis. In addition, Droid Mat is efficient since it takes only half of time than Androguard to predict 1738 apps as benign apps or Android malware.

DroidMat: Android Malware Detection through Manifest and API Calls Tracing

The rapid growth of smartphones has lead to a renaissance for mobile application services. Android and iOS now as the most popular smartphone platforms offer a public marketplace respectively, the Android Market and App Store- but operate with dramatically different approaches to prevent malware on their devices. In Android platform, developer not only can directly deliver their apps on the Android market without strict review process, but also is capable to put the non-official verified apps marketplace (i.e., Applanet, AppBrain and so on). In this study, we purpose an automatic Android malware detection mechanism based on the result from sandbox. We leverage network spatial feature extraction of Android apps and independent component analysis (ICA) to find the intrinsic domain name resolution behavior of Android malware. The proposed mechanism that identifies the Android malware can achieve in automatic way. For evaluation the proposed approach, the public Android malware apps dataset and popular benign apps collected from Android Market are used for evaluating the effectiveness in analyzing the grouping ability and the effectiveness of identifying the Android malware. The proposed approach successfully identifies malicious Android Apps close to 100% accuracy, precision and recall rate.

Android Malware Detection via a Latent Network Behavior Analysis

Although there is immense data available from networks and hosts, a very small proportion of this data is labeled due to the cost of obtaining expert labels. This proves to be a significant bottle-neck for developing supervised intrusion detection systems that rely solely on labeled data. In spite of the data being collected from real network environments and hence potentially holding valuable information for intrusion detection, such systems can not exploit the remaining unlabeled data. In this work, we intelligently leverage both labeled and unlabeled data. Also, intrusion detection tasks naturally lend themselves into a multi-view scenario, and can benefit significantly if these multiple views are combined meaningfully. In this paper, we propose a co-training method framework for intrusion detection, which is a semi-supervised learning method and can not only utilize unlabeled data, but can also combine multi-view data. We also employ an active learning framework where statistically ambiguous parts of the unlabeled data are identified, which can then be labeled by an expert. This allows for minimal expert labeling while ensuring that the labels obtained from the expert are most informative. In our experiments, we demonstrate that leveraging the unlabeled data using our proposed method significantly reduces the error rate as compared to using the labeled data alone. In addition, our proposed multi-view method has a lower error rate than using a single view.

Semi-supervised co-training and active learning based approach for multi-view intrusion detection

Capturing Fast-Flux Service Networks (FFSNs) by temporal variances is an intuitive way for seeking to identify rapid changes of DNS records. Unfortunately, the features regard to temporal variances would lead to the delay detection (more than one hour) of FFSN which could cause more damages, such as Botnet propagation and malware delivery. In this study, we proposed a delay-free detection system, Spatial Snapshot Fast-flux Detection system (SSFD), for identifying FFSN in real time and alleviating these potential damages. SSFD is capable to capture the geographical pattern of hosts as well as mapping IP addresses in a DNS response into geographic coordinate system for revealing FFSNs at the moment. The SSFD benefits from two novel spatial measures proposed in this study -- spatial distribution estimation and spatial service relationship evaluation. These two measures consider the degree of uniform geographic distribution of infected hosts among FFSN composed of Bots, Content Distribution Network and general benign services. After that, Bayesian network classifier is applied to identify the FFSNs with the joint probability consideration against evading our proposed detection technique easily for attackers. Our experiment results indicate that the proposed SSFD system is more effective and efficient (within less than 0.5 second) with lower False Positive rate than flux-score based detection through one public dataset and two collected datasets.

Fast-flux service network detection based on spatial snapshot mechanism for delay-free detection

A malicious applications detection method is provided. The method includes: extracting a plurality of static features from a manifest file and a de-compiled code respectively obtained from a plurality of training malicious applications (APK files) and a plurality of training benign applications (APK files); generating at least one malicious application group using a clustering algorithm and generating at least one benign application group; generating application detecting models respectively representing the malicious and benign application groups based on static features of the training malicious and benign applications in each malicious application group and each benign application group; extracting target static features from a target manifest file and a target de-compiled code of a target application; using a classification algorithm, the target static features, and the application detecting models to determine whether the target application belongs to the malicious application group; and generating a warning message when a determination result is positive.

Ching-Hao Mao

Papers

DroidMat: Android Malware Detection through Manifest and API Calls Tracing

Android Malware Detection via a Latent Network Behavior Analysis

Semi-supervised co-training and active learning based approach for multi-view intrusion detection

Fast-flux service network detection based on spatial snapshot mechanism for delay-free detection

Method and system for detecting malicious application