-
ST-DPGAN: A Privacy-preserving Framework for Spatiotemporal Data Generation
Authors:
Wei Shao,
Rongyi Zhu,
Cai Yang,
Chandra Thapa,
Muhammad Ejaz Ahmed,
Seyit Camtepe,
Rui Zhang,
DuYong Kim,
Hamid Menouar,
Flora D. Salim
Abstract:
Spatiotemporal data is prevalent in a wide range of edge devices, such as those used in personal communication and financial transactions. Recent advancements have sparked a growing interest in integrating spatiotemporal analysis with large-scale language models. However, spatiotemporal data often contains sensitive information, making it unsuitable for open third-party access. To address this challenge, we propose a Graph-GAN-based model for generating privacy-protected spatiotemporal data. Our approach incorporates spatial and temporal attention blocks in the discriminator and a spatiotemporal deconvolution structure in the generator. These enhancements enable efficient training under Gaussian noise to achieve differential privacy. Extensive experiments conducted on three real-world spatiotemporal datasets validate the efficacy of our model. Our method provides a privacy guarantee while maintaining the data utility. The prediction model trained on our generated data maintains a competitive performance compared to the model trained on the original data.
Submitted 4 June, 2024;
originally announced June 2024.
-
Model-based Script Synthesis for Fuzzing
Authors:
Zian Liu,
Chao Chen,
Muhammad Ejaz Ahmed,
Jun Zhang,
Dongxi Liu
Abstract:
Kernel fuzzing is important for finding critical kernel vulnerabilities. Closed-source (e.g., Windows) operating system kernel fuzzing is even more challenging due to the lack of source code. Existing approaches fuzz the kernel by modeling syscall sequences from traces or static analysis of system codes. However, a common limitation is that they do not learn and mutate the syscall sequences to reach different kernel states, which can potentially result in more bugs or crashes.
In this paper, we propose WinkFuzz, an approach to learn and mutate traced syscall sequences in order to reach different kernel states. WinkFuzz learns syscall dependencies from the trace, identifies potential syscalls in the trace that can have dependent subsequent syscalls, and applies the dependencies to insert more syscalls while preserving the dependencies into the trace. Then WinkFuzz fuzzes the synthesized new syscall sequence to find system crashes.
We applied WinkFuzz to four seed applications and found a total increase in syscall number of 70.8%, with a success rate of 61%, within three insert levels. The average time for tracing, dependency analysis, recovering model script, and synthesizing script was 600, 39, 34, and 129 seconds respectively. The instant fuzzing rate is 3742 syscall executions per second. However, the average fuzz efficiency dropped to 155 syscall executions per second when the initializing time, waiting time, and other factors were taken into account. We fuzzed each seed application for 24 seconds and, on average, obtained 12.25 crashes within that time frame.
Submitted 8 August, 2023;
originally announced August 2023.
-
SemDiff: Binary Similarity Detection by Diffing Key-Semantics Graphs
Authors:
Zian Liu,
Zhi Zhang,
Siqi Ma,
Dongxi Liu,
Jun Zhang,
Chao Chen,
Shigang Liu,
Muhammad Ejaz Ahmed,
Yang Xiang
Abstract:
Binary similarity detection is a critical technique that has been applied in many real-world scenarios where source code is not available, e.g., bug search, malware analysis, and code plagiarism detection. Existing works are ineffective in detecting similar binaries in cases where different compiling optimizations, compilers, source code versions, or obfuscation are deployed.
We observe that all the cases do not change a binary's key code behaviors although they significantly modify its syntax and structure. With this key observation, we extract a set of key instructions from a binary to capture its key code behaviors. By detecting the similarity between two binaries' key instructions, we can address well the ineffectiveness limitation of existing works. Specifically, we translate each extracted key instruction into a self-defined key expression, generating a key-semantics graph based on the binary's control flow. Each node in the key-semantics graph denotes a key instruction, and the node attribute is the key expression. To quantify the similarity between two given key-semantics graphs, we first serialize each graph into a sequence of key expressions by topological sort. Then, we tokenize and concatenate key expressions to generate token lists. We calculate the locality-sensitive hash value for all token lists and quantify their similarity. We implement a prototype, called SemDiff, consisting of two modules: graph generation and graph diffing. The first module generates a pair of key-semantics graphs and the second module diffs the graphs. Our evaluation results show that overall, SemDiff outperforms state-of-the-art tools when detecting the similarity of binaries generated from different optimization levels, compilers, and obfuscations. SemDiff is also effective for library version search and finding similar vulnerabilities in firmware.
Submitted 2 August, 2023;
originally announced August 2023.
-
Transformer-Based Language Models for Software Vulnerability Detection
Authors:
Chandra Thapa,
Seung Ick Jang,
Muhammad Ejaz Ahmed,
Seyit Camtepe,
Josef Pieprzyk,
Surya Nepal
Abstract:
The large transformer-based language models demonstrate excellent performance in natural language processing. By considering the transferability of the knowledge gained by these models in one domain to other related domains, and the closeness of natural languages to high-level programming languages, such as C/C++, this work studies how to leverage (large) transformer-based language models in detecting software vulnerabilities and how good are these models for vulnerability detection tasks. In this regard, firstly, a systematic (cohesive) framework that details source code translation, model preparation, and inference is presented. Then, an empirical analysis is performed with software vulnerability datasets with C/C++ source codes having multiple vulnerabilities corresponding to the library function call, pointer usage, array usage, and arithmetic expression. Our empirical results demonstrate the good performance of the language models in vulnerability detection. Moreover, these language models have better performance metrics, such as F1-score, than the contemporary models, namely bidirectional long short-term memory and bidirectional gated recurrent unit. Experimenting with the language models is always challenging due to the requirement of computing resources, platforms, libraries, and dependencies. Thus, this paper also analyses the popular platforms to efficiently fine-tune these models and present recommendations while choosing the platforms.
Submitted 5 September, 2022; v1 submitted 7 April, 2022;
originally announced April 2022.
-
Towards Web Phishing Detection Limitations and Mitigation
Authors:
Alsharif Abuadbba,
Shuo Wang,
Mahathir Almashor,
Muhammed Ejaz Ahmed,
Raj Gaire,
Seyit Camtepe,
Surya Nepal
Abstract:
Web phishing remains a serious cyber threat responsible for most data breaches. Machine Learning (ML)-based anti-phishing detectors are seen as an effective countermeasure, and are increasingly adopted by web-browsers and software products. However, with an average of 10K phishing links reported per hour to platforms such as PhishTank and VirusTotal (VT), the deficiencies of such ML-based solutions are laid bare. We first explore how phishing sites bypass ML-based detection with a deep dive into 13K phishing pages targeting major brands such as Facebook. Results show successful evasion is caused by: (1) use of benign services to obscure phishing URLs; (2) high similarity between the HTML structures of phishing and benign pages; (3) hiding the ultimate phishing content within Javascript and running such scripts only on the client; (4) looking beyond typical credentials and credit cards for new content such as IDs and documents; (5) hiding phishing content until after human interaction. We attribute the root cause to the dependency of ML-based models on the vertical feature space (webpage content). These solutions rely only on what phishers present within the page itself. Thus, we propose Anti-SubtlePhish, a more resilient model based on logistic regression. The key augmentation is the inclusion of a horizontal feature space, which examines correlation variables between the final render of suspicious pages against what trusted services have recorded (e.g., PageRank). To defeat (1) and (2), we correlate information between WHOIS, PageRank, and page analytics. To combat (3), (4) and (5), we correlate features after rendering the page. Experiments with 100K phishing/benign sites show promising accuracy (98.8%). We also obtained 100% accuracy against 0-day phishing pages that were manually crafted, comparing well to the 0% recorded by VT vendors over the first four days.
Submitted 3 April, 2022;
originally announced April 2022.
-
NatiDroid: Cross-Language Android Permission Specification
Authors:
Chaoran Li,
Xiao Chen,
Ruoxi Sun,
Jason Xue,
Sheng Wen,
Muhammad Ejaz Ahmed,
Seyit Camtepe,
Yang Xiang
Abstract:
The Android system manages access to sensitive APIs by permission enforcement. An application (app) must declare proper permissions before invoking specific Android APIs. However, there is no official documentation providing the complete list of permission-protected APIs and the corresponding permissions to date. Researchers have spent significant efforts extracting such API protection mapping from the Android API framework, which leverages static code analysis to determine if specific permissions are required before accessing an API. Nevertheless, none of them has attempted to analyze the protection mapping in the native library (i.e., code written in C and C++), an essential component of the Android framework that handles communication with the lower-level hardware, such as cameras and sensors. While the protection mapping can be utilized to detect various security vulnerabilities in Android apps, such as permission over-privilege and component hijacking, imprecise mapping will lead to false results in detecting such security vulnerabilities. To fill this gap, we develop a prototype system, named NatiDroid, to facilitate the cross-language static analysis to benchmark against two state-of-the-art tools, termed Axplorer and Arcade. We evaluate NatiDroid on more than 11,000 Android apps, including system apps from custom Android ROMs and third-party apps from the Google Play. Our NatiDroid can identify up to 464 new API-permission mappings, in contrast to the worst-case results derived from both Axplorer and Arcade, where approximately 71% apps have at least one false positive in permission over-privilege and up to 3.6% apps have at least one false negative in component hijacking. Additionally, we identify that 24 components with at least one Native-triggered component hijacking vulnerability are misidentified by two benchmarks.
Submitted 15 November, 2021;
originally announced November 2021.
-
Grand challenges and emergent modes of convergence science
Authors:
Alexander M. Petersen,
Mohammed E. Ahmed,
Ioannis Pavlidis
Abstract:
To address complex problems, scholars are increasingly faced with challenges of integrating diverse knowledge domains. We analyzed the evolution of this convergence paradigm in the broad ecosystem of brain science, which provides a real-time testbed for evaluating two modes of cross-domain integration - subject area exploration via expansive learning and cross-disciplinary collaboration among domain experts. We show that research involving both modes features a 16% citation premium relative to a mono-disciplinary baseline. Further comparison of research integrating neighboring versus distant research domains shows that the cross-disciplinary mode is essential for integrating across relatively large disciplinary distances. Yet we find research utilizing cross-domain subject area exploration alone - a convergence shortcut - to be growing in prevalence at roughly 3% per year, significantly faster than the alternative cross-disciplinary mode, despite being less effective at integrating domains and markedly less impactful. By measuring shifts in the prevalence and impact of different convergence modes in the 5-year intervals before and after 2013, our results indicate that these counterproductive patterns may relate to competitive pressures associated with global Human Brain flagship funding initiatives. Without additional policy guidance, such Grand Challenge flagships may unintentionally incentivize such convergence shortcuts, thereby undercutting the advantages of cross-disciplinary teams in tackling challenges calling on convergence.
Submitted 21 March, 2021;
originally announced March 2021.
-
Peeler: Profiling Kernel-Level Events to Detect Ransomware
Authors:
Muhammad Ejaz Ahmed,
Hyoungshick Kim,
Seyit Camtepe,
Surya Nepal
Abstract:
Ransomware is a growing threat that typically operates by either encrypting a victim's files or locking a victim's computer until the victim pays a ransom. However, it is still challenging to detect such malware timely with existing traditional malware detection techniques. In this paper, we present a novel ransomware detection system, called "Peeler" (Profiling kErnEl-Level Events to detect Ransomware). Peeler deviates from signatures for individual ransomware samples and relies on common and generic characteristics of ransomware depicted at the kernel-level. Analyzing diverse ransomware families, we observed ransomware's inherent behavioral characteristics such as stealth operations performed before the attack, file I/O request patterns, process spawning, and correlations among kernel-level events. Based on those characteristics, we develop Peeler that continuously monitors a target system's kernel events and detects ransomware attacks on the system. Our experimental results show that Peeler achieves more than 99% detection rate with 0.58% false-positive rate against 43 distinct ransomware families, containing samples from both crypto and screen-locker types of ransomware. For crypto ransomware, Peeler detects them promptly after only one file is lost (within 115 milliseconds on average). Peeler utilizes around 4.9% of CPU time with only 9.8 MB memory under the normal workload condition. Our analysis demonstrates that Peeler can efficiently detect diverse malware families by monitoring their kernel-level events.
Submitted 29 January, 2021;
originally announced January 2021.
-
Decamouflage: A Framework to Detect Image-Scaling Attacks on Convolutional Neural Networks
Authors:
Bedeuro Kim,
Alsharif Abuadbba,
Yansong Gao,
Yifeng Zheng,
Muhammad Ejaz Ahmed,
Hyoungshick Kim,
Surya Nepal
Abstract:
As an essential processing step in computer vision applications, image resizing or scaling, more specifically downsampling, has to be applied before feeding a normally large image into a convolutional neural network (CNN) model because CNN models typically take small fixed-size images as inputs. However, image scaling functions could be adversarially abused to perform a newly revealed attack called image-scaling attack, which can affect a wide range of computer vision applications building upon image-scaling functions.
This work presents an image-scaling attack detection framework, termed as Decamouflage. Decamouflage consists of three independent detection methods: (1) rescaling, (2) filtering/pooling, and (3) steganalysis. While each of these three methods is efficient standalone, they can work in an ensemble manner not only to improve the detection accuracy but also to harden potential adaptive attacks. Decamouflage has a pre-determined detection threshold that is generic. More precisely, as we have validated, the threshold determined from one dataset is also applicable to other different datasets. Extensive experiments show that Decamouflage achieves detection accuracy of 99.9% and 99.8% in the white-box (with the knowledge of attack algorithms) and the black-box (without the knowledge of attack algorithms) settings, respectively. To corroborate the efficiency of Decamouflage, we have also measured its run-time overhead on a personal PC with an i5 CPU and found that Decamouflage can detect image-scaling attacks in milliseconds. Overall, Decamouflage can accurately detect image scaling attacks in both white-box and black-box settings with acceptable run-time overhead.
Submitted 7 October, 2020;
originally announced October 2020.
-
COVID-19: Social Media Sentiment Analysis on Reopening
Authors:
Mohammed Emtiaz Ahmed,
Md Rafiqul Islam Rabin,
Farah Naz Chowdhury
Abstract:
The novel coronavirus (COVID-19) pandemic is the most talked topic in social media platforms in 2020. People are using social media such as Twitter to express their opinion and share information on a number of issues related to the COVID-19 in this stay at home order. In this paper, we investigate the sentiment and emotion of peoples in the United States on the subject of reopening. We choose the social media platform Twitter for our analysis and study the Tweets to discover the sentimental perspective, emotional perspective, and triggering words towards the reopening. During this COVID-19 pandemic, researchers have made some analysis on various social media dataset regarding lockdown and stay at home. However, in our analysis, we are particularly interested to analyse public sentiment on reopening. Our major finding is that when all states resorted to lockdown in March, people showed dominant emotion of fear, but as reopening starts people have less fear. While this may be true, due to this reopening phase daily positive cases are rising compared to the lockdown situation. Overall, people have a less negative sentiment towards the situation of reopening.
Submitted 1 June, 2020;
originally announced June 2020.
-
Optimal Spectrum Sensing Policy with Traffic Classification in RF-Powered CRNs
Authors:
Hae Sol Lee,
Muhammad Ejaz Ahmed,
Dong In Kim
Abstract:
An orthogonal frequency division multiple access (OFDMA)-based primary user (PU) network is considered, which provides different spectral access/energy harvesting opportunities in RF-powered cognitive radio networks (CRNs). In this scenario, we propose an optimal spectrum sensing policy for opportunistic spectrum access/energy harvesting under both the PU collision and energy causality constraints. PU subchannels can have different traffic patterns and exhibit distinct idle/busy frequencies, due to which the spectral access/energy harvesting opportunities are application specific. Secondary user (SU) collects traffic pattern information through observation of the PU subchannels and classifies the idle/busy period statistics for each subchannel. Based on the statistics, we invoke stochastic models for evaluating SU capacity by which the energy detection threshold for spectrum sensing can be adjusted with higher sensing accuracy. To this end, we employ the Markov decision process (MDP) model obtained by quantizing the amount of SU battery and the duty cycle model obtained by the ratio of average harvested energy and energy consumption rates. We demonstrate the effectiveness of the proposed stochastic models through comparison with the optimal one obtained from an exhaustive method.
Submitted 6 April, 2018; v1 submitted 24 March, 2018;
originally announced March 2018.