Packer identification using Byte plot and Markov plot

Malware is one of the major concerns in computer security. The availability of easy to use malware toolkits and internet popularity has led to the increase in number of malware attacks. Currently signature based malware detection techniques are widely used. However, malware authors use packing techniques to create new variants of existing malwares which defeat signature based malware detection. So, it is very important to identify packed malware and unpack it before analysis. Dynamic unpacking runs the packed executable and provides an unpacked version based on the system. This technique requires dedicated hardware and is computationally expensive. As each individual packer uses its own unpacking algorithm it is important to have a prior knowledge about the packer used, in order to assist in reverse engineering. In this paper, we propose an efficient framework for packer identification problem using Byte plot and Markov plot. First packed malware is converted to Byte plot and Markov plot. Later Gabor and wavelet based features are extracted from Byte plot and Markov plot. We used SVMs (Support Vector Machine) in our analysis. We performed our experiments on nine different packers and we obtained about 95 % accuracy for nine of the packers. Our results show features extracted from Markov plot outperformed features extracted from Byte plot by about 3 %. We compare the performance of Markov plot with PEID (Signature based PE identification tool). Our results show Markov plot produced better accuracy when compared to PEID. We also performed multi class classification using Random Forest and achieved 81 % accuracy using Markov plot based features.     

Crop type identification by integration of high-spatial resolution multispectral data with features extracted from coarse-resolution time-series vegetation index data

Crop type identification is the basis of crop acreage estimation and plays a key role in crop production prediction and food security analysis. However, the accuracy of crop type identification using remote-sensing data needs to be improved to support operational agriculture-monitoring tasks. In this paper, a new method integrating high-spatial resolution multispectral data with features extracted from coarse-resolution time-series vegetation index data is proposed to improve crop type identification accuracy in Hungary. Four crop growth features, including peak value, date of peak occurrence, average rate of green-up, and average rate for the senescence period were extracted from time-series Moderate Resolution Imaging Spectroradiometer (MODIS) normalized difference vegetation index (NDVI) profiles and spatially enhanced to 30 m resolution using resolution merge tools based on a multiplicative method to match the spatial resolution of Landsat Thematic Mapper (TM) data. A maximum likelihood classifier (MLC) was used to classify the TM and merged images. Independent validation results indicated that the average overall classification accuracy was improved from 92.38% using TM to 94.67% using the merged images. Based on the classification results using the proposed method, acreages of two major summer crops were estimated and compared to statistical data provided by the United States Department of Agriculture (USDA). The proposed method was able to achieve highly satisfactory crop type identification results.     

Mountain agriculture extraction from time-series MODIS NDVI using dynamic time warping technique

The study attempts to extract Mountain Agriculture using an optimized Dynamic Time Warping (DTW) algorithm having endpoint constraints. The DTW was applied over a time-series annual stack of Normalized Differential Vegetation Index (NDVI) using a set of reference time series profiles for three agriculture classes (i.e. double cropping, single cropping, and horticulture) and the pixel-wise similarity is examined to identify the agriculture classes. In addition, Euclidean Distance (ED) was used to compare DTW-based result. The detection accuracy of each class was assessed using Google Earth-based agriculture sample, and the spatial agreement of resultant map was assessed with high-resolution reference data using Pareto boundary technique. The sample based accuracy evaluation reveals that DTW algorithm performed better for double and single cropping agriculture detection in compared to the horticulture. Overall, DTW-based agriculture map (0.81 ± 0.01) yielded higher overall accuracy in comparison with ED-based agriculture map (0.75 ± 0.01). The Pareto boundary-based spatial agreement analysis using high-resolution reference data also shows the dominant performance of DTW based agriculture map than an ED-based map. DTW performed better than ED, in terms of optimal distance (OD), in ten out of eleven districts. However, reliable spatial matching (OD less than 0.23) between DTW-based map and reference agriculture map was observed in lower elevation region, especially in Hamirpur (OD = 0.06), Bilaspur (OD = 0.09), Shimla (OD = 0.19) and Una (OD = 0.20) district.     

Optimal assignments in a markovian queueing system

A generalization of the Hypercube queueing model for exponential queueing systems is presented which allows for distinguishable servers and multiple types of customers. Given costs associated with each server-customer pair, the determination of the assignment policy which minimizes time-averaged costs is formulated as a Markov decision problem. A characterization of optimal policies is obtained and used in an efficient algorithm for determining the optimum. The algorithm combines the method of successive approximations and “Howard's method” in a manner which is particularly applicable to Markov decision problems having large, sparse transition matrices.     

Fault detection and diagnosis in synchronous motors using hidden Markov model-based semi-nonparametric approach

Early detection and diagnosis of faults in industrial machines would reduce the maintenance cost and also increase the overall equipment effectiveness by increasing the availability of the machinery systems. In this paper, a semi-nonparametric approach based on hidden Markov model is introduced for fault detection and diagnosis in synchronous motors. In this approach, after training the hidden Markov model classifiers (parametric stage), two matrices named probabilistic transition frequency profile and average probabilistic emission are computed based on the hidden Markov models for each signature (nonparametric stage) using probabilistic inference. These matrices are later used in forming a similarity scoring function, which is the basis of the classification in this approach. Moreover, a preprocessing method, named squeezing and stretching is proposed which rectifies the difficulty of dealing with various operating speeds in the classification process. Finally, the experimental results are provided and compared. Further investigations are carried out, providing sensitivity analysis on the length of signatures, the number of hidden state values, as well as statistical performance evaluation and comparison with conventional hidden Markov model-based fault diagnosis approach. Results indicate that implementation of the proposed preprocessing, which unifies the signatures from various operating speeds, increases the classification accuracy by nearly 21% and moreover utilization of the proposed semi-nonparametric approach improves the accuracy further by nearly 6%.     

Efficient location aware intrusion detection to protect mobile devices

This paper addresses the problem of efficient intrusion detection for mobile devices via correlating the user’s location and time data. We developed two statistical profiling approaches for modeling the normal spatio–temporal behavior of the users: one based on an empirical cumulative probability measure and the other based on the Markov properties of trajectories. An anomaly is detected when the probability of a particular (location, time) evolution matching the normal behavior of a given user becomes lower than a certain threshold, determined by controlling the recall rate of the model of the normal user’s behavior. We used compression techniques to reduce processing overhead while maintaining high accuracy. Our evaluation based on the Reality Mining and Geolife data sets shows that the proposed system is capable of detecting a potential intrusion within 15 min and with 94 % accuracy.     

Model checking transactional memories

Model checking transactional memories (TMs) is difficult because of the unbounded number, length, and delay of concurrent transactions, as well as the unbounded size of the memory. We show that, under certain conditions satisfied by most TMs we know of, the model checking problem can be reduced to a finite-state problem, and we illustrate the use of the method by proving the correctness of several TMs, including two-phase locking, DSTM, and TL2. The safety properties we consider include strict serializability and opacity; the liveness properties include obstruction freedom, livelock freedom, and wait freedom. Our main contribution lies in the structure of the proofs, which are largely automated and not restricted to the TMs mentioned above. In a first step we show that every TM that enjoys certain structural properties either violates a requirement on some program with two threads and two shared variables, or satisfies the requirement on all programs. In the second step, we use a model checker to prove the requirement for the TM applied to a most general program with two threads and two variables. In the safety case, the model checker checks language inclusion between two finite-state transition systems, a nondeterministic transition system representing the given TM applied to a most general program, and a deterministic transition system representing a most liberal safe TM applied to the same program. The given TM transition system is nondeterministic because a TM can be used with different contention managers, which resolve conflicts differently. In the liveness case, the model checker analyzes fairness conditions on the given TM transition system.     

The influence of filtration and decomposition window size on the threshold value and accuracy of land-cover classification of polarimetric SAR images

In this study we use ALOS PALSAR satellite data to classify land cover using a decision tree algorithm. We apply polarimetric decomposition methods to coherence and covariance matrices obtained from the data and then use threshold values to classify terrain. We evaluate the influence of speckle filter and decomposition window sizes on the threshold value used in the decision algorithm and on the accuracy of the classification. We also study the sensitivity of the classification to the accuracy of the threshold value.

First, we processed a fully polarimetric Synthetic Aperture Radar (SAR) L-band image using different sizes of speckle filtration and decomposition window (3 × 3 pixels, 5 × 5, 7 × 7, 9 × 9), and the decomposition methods available in PolSARPro software. We evaluated these methods and chose the most efficient. Then we developed a simple hierarchical classification scheme based on threshold values. In the first step we divided the terrain into smooth and rough areas and then separated these into more detailed subclasses (water and agriculture, and forest and urban) which correspond to smooth and rough areas, respectively. A more detailed analysis separated continuous and discontinuous urban fabric and deciduous and coniferous forests. The maximum overall accuracy of the classification was 86.1% for the four main land cover classes, and 80.4% for the six more detailed classes. The accuracy of the classification dropped by about 10% when non-optimal window sizes were used in image filtration or decomposition.     

Discovery of activity composites using topic models: An analysis of unsupervised methods

In this work we investigate unsupervised activity discovery approaches using three topic model (TM) approaches, based on Latent Dirichlet Allocation (LDA), $n$-gram TM (NTM), and correlated TM (CTM). While LDA structures activity primitives, NTM adds primitive sequence information, and CTM exploits co-occurring topics. We use an activity composite/primitive abstraction and analyze three public datasets with different properties that affect the discovery, including primitive rate, activity composite specificity, primitive sequence similarity, and composite-instance ratio. We compare the activity composite discovery performance among the TM approaches and against a baseline using $k$-means clustering. We provide guidelines for method and optimal TM parameter selection, depending on data properties and activity primitive noise. Results indicate that TMs can outperform $k$-means clustering up to 17%, when composite specificity is low. LDA-based TMs showed higher robustness against noise compared to other TMs and $k$-means.     

基于马尔科夫链的主机异常检测方法研究

提出了基于马尔科夫链模型的主机异常检测方法,首先提取特权进程的行为特征,并在此基础上构造Markov模型。由Markov模型产生的状态序列计算状态概率,根据状态序列概率来评价进程行为的异常情况。利用Markov模型的构造充分提取特权进程的局部行为特征的相互关系。实验表明该模型算法简单、实时性强、检测率高、误报率低、适合用于在线检测。     

Obtaining crop-specific time profiles of NDVI: the use of unmixing approaches for serving the continuity between SPOT-VGT and PROBA-V time series

The study examined the potential of two unmixing approaches for deriving crop-specific normalized difference vegetation index (NDVI) profiles so that upon availability of Project for On-Board Autonomy – Vegetation (PROBA-V) imagery in winter 2013, this new data set can be combined with existing Satellite Pour l’Observation de la Terre – VEGETATION (SPOT-VGT) data despite the differences in spatial resolution (300 m of PROBA-V versus 1 km of SPOT-VGT). To study the problem, two data sets were analysed: (1) a set of 10 temporal NDVI images, with 300 and 1000 m spatial resolution, from the state of São Paulo (Brazil) synthesized from 30 m Landsat Thematic Mapper (TM) images, and (2) a corresponding set of 10 observed Moderate Resolution Imaging Spectroradiometer (MODIS) images (250 m spatial resolution). To mimic the influence of noise on the retrieval accuracy, different sensor/atmospheric noise levels were applied to the first data set. For the unmixing analysis, a high-resolution land-cover (LC) map was used. The LC map was derived beforehand using a different set of Landsat TM images. The map distinguishes nine classes, with four different sugarcane stages, two agricultural sub-classes, plus forest, pasture, and urban/water. Unmixing aiming at the retrieval of crop-specific NDVI profiles was done at administrative level. For the synthesized data set it was demonstrated that the ‘true’ NDVI temporal profiles of different land-cover classes (from 30 m TM data) can generally be retrieved with high accuracy. The two simulated sensors (PROBA-V and SPOT-VGT) and the two unmixing algorithms gave similar results. Analysing the MODIS data set, we also found a good correspondence between the modelled NDVI profiles (both approaches) and the (true) Landsat temporal endmembers.     

Verified stochastic methods

Markov chains provide quite attractive features for simulating a system’s behavior under consideration of uncertainties. However, their use is somewhat limited because of their deterministic transition matrices. Vague probabilistic information and imprecision appear in the modeling of real-life systems, thus causing difficulties in the pure probabilistic model set-up. Moreover, their accuracy suffers due to implementations on computers with floating point arithmetics. Our goal is to address these problems by extending the Dempster-Shafer with Intervals toolbox for MATLAB with novel verified algorithms for modeling that work with Markov chains with imprecise transition matrices, known as Markov set-chains. Additionally, in order to provide a statistical estimation tool that can handle imprecision to set up Markov chain models, we develop a new verified algorithm for computing relations between the mean and the standard deviation of fuzzy sets.     

Near‐infrared discrimination of leafless saltcedar in wintertime Landsat TM

To test a hypothesis that leafless riparian canopies enable accurate multi‐spectral discrimination of saltcedar (Tamarix ramosissima Ledeb.) from other native species, winter Landsat TM5 data (16 November 2005) were analysed for a reach of the Arkansas River in Colorado, USA. Supporting spectroscopic analysis confirmed that saltcedar could not easily be discriminated from other riparian vegetation using TM5 data when in‐leaf, but bare branches could be easily distinguished due to much lower reflectance than other riparian cover. Use of TM Band 4 (B4) allowed differentiation of wintertime saltcedar into four qualitative density classes judged from high‐resolution low‐oblique aerial photography: high (76%–100%), medium (51%–75%), low (16%–50%), and none (0%–15%). Spectral overlap was removed from the B4 saltcedar classification using TM Band 5 (B5) thresholds to eliminate low‐reflectant wet areas and higher‐reflectant multi‐year darkened weed canopies. The accuracy of a classification algorithm that used B5 thresholds followed by a B4 density slice was judged against high‐resolution aerial photography as providing 98% discrimination of saltcedar cover from other riparian cover and about 90% discrimination of the qualitative density classes. Applying this method to the 2835 km² riparian corridor study area, 1298 km² (45.78%) was identified as containing saltcedar, with over 43% having medium or greater density.     

Rule‐based approach for topic maps learning from relational databases

Relational databases (RDBs) have been widely used as back end for information systems. Considering that RDBs have valuable knowledge interwoven in between stored data, how to access, represent and share this knowledge becomes an important challenge. Topic maps (TMs) emerge as a good solution for this problem. However, manual development of TMs is a difficult, time‐consuming and subjective task if there is no common guideline. The existing TMs building approaches mainly consider the meta‐information contained in a RDB, without considering the knowledge residing in the database content (its current state). Other approaches require a predefined configuration for applying a specific data transformation. This paper proposes an automatic method for TM construction based on learning rules. Our method considers the background knowledge of the RDBs during the building process and was implemented and applied on a representative set of 15 RDBs. The resulting TMs were validated syntactically using a standard tool and validated semantically through the inference of information using a formal query language. In addition, an analysis between the relational data (input) and its representation (output) was conducted. The results found in our experiments are encouraging and put in evidence the soundness of the proposed method.     

Validating MODIS land surface reflectance products using ground-measured reflectance spectra – a case study in semi-arid grassland in Inner Mongolia,China

Validation of Moderate-Resolution Imaging Spectroradiometer (MODIS) land surface reflectance products is important to effective utilization of such products for earth systems science. Ground-based measurements are normally utilized for such validation. However, the major scale mismatch between the ground ‘point’ measurement and MODIS resolution (500 m and 1 km) makes direct comparison infeasible over many land surface types. In this paper, an indirect comparison between ground ‘point’ measurements and MODIS land surface products via high-resolution remotely sensed imagery (Landsat Thematic Mapper/TM) was utilized in semi-arid grassland of Inner Mongolia in summer 2005, where ground measurements are relatively sparse in comparison with other locations around the world. Within the validation, the TM reflectance imagery was first calibrated by the ground ‘point’ measurements, and then aggregated to MODIS data resolution for determination of their accuracy. Besides common direct spectral band comparison of reflectance between TM and MODIS, empirical/indirect comparison between TM and MODIS was also implemented. Both types of validation showed that the absolute error of bidirectional reflectance from atmospheric correction (MOD09) is less than 9.4%, and for nadir bidirectional reflectance distribution function (BRDF)-adjusted reflectance (MOD43B4) it is less than 3.1%, in which the error of visible bands of two data sets is less than 1.35% and 0.95%, respectively. This validation will help improve the accuracy of MODIS products used in this area.     

基于微簇的在线网络异常检测方法

针对大流量骨干网的在线网络异常检测是目前网络安全研究的热点之一,提出一种网络异常检测方法,有效在线处理大数据流,利用密度聚类算法把大数据流转换成微簇,通过微簇提高处理效率,定时调用孤立点检测算法发现攻击行为。方法具有不需线下训练、能发现任意行为模式、支持大数据流、可以平衡检测精度与系统资源要求、处理效率高等优点。实验表明,原型系统在20 s完成2000年LLS_DDOS_1.0数据集分析,检测率为82%,误报率为6%,效果与K-means相当。     

Single slice based detection for Alzheimer’s disease via wavelet entropy and multilayer perceptron trained by biogeography-based optimization

Detection of Alzheimer’s disease (AD) from magnetic resonance images can help neuroradiologists to make decision rapidly and avoid missing slight lesions in the brain. Currently, scholars have proposed several approaches to automatically detect AD. In this study, we aimed to develop a novel AD detection system with better performance than existing systems. 28 ADs and 98 HCs were selected from OASIS dataset. We used inter-class variance criterion to select single slice from the 3D volumetric data. Our classification system is based on three successful components: wavelet entropy, multilayer perceptron, and biogeography-base optimization. The statistical results of our method obtained an accuracy of 92.40 ± 0.83%, a sensitivity of 92.14 ± 4.39%, a specificity of 92.47 ± 1.23%. After comparison, we observed that our pathological brain detection system is superior to latest 6 other approaches.     

Probabilistic symbolic model checking with PRISM: a hybrid approach

In this paper we present efficient symbolic techniques for probabilistic model checking. These have been implemented in PRISM, a tool for the analysis of probabilistic models such as discrete-time Markov chains, continuous-time Markov chains and Markov decision processes using specifications in the probabilistic temporal logics PCTL and CSL. Motivated by the success of model checkers such as SMV which use BDDs (binary decision diagrams), we have developed an implementation of PCTL and CSL model checking based on MTBDDs (multi-terminal BDDs) and BDDs. Existing work in this direction has been hindered by the generally poor performance of MTBDD-based numerical computation, which is often substantially slower than explicit methods using sparse matrices. The focus of this paper is a novel hybrid technique which combines aspects of symbolic and explicit approaches to overcome these performance problems. For typical examples, we achieve a dramatic improvement over the purely symbolic approach. In addition, thanks to the compact model representation using MTBDDs, we can verify systems an order of magnitude larger than with sparse matrices, while almost matching or even beating them for speed.     

基于稀疏表示的电力负荷数据补全

数据缺失在电力负荷数据采集过程中经常发生,对提高算法的预测精确度带来了不利影响。现有的缺失数据补全算法只适用于缺失数据量较少的情况,而对于缺失数据较多的情况表现不佳。面对严重数据缺失的挑战,文中提出了一种基于稀疏表示的电力负荷缺失数据补全方法。首先以数据随机缺失为前提,将训练数据中假定缺失后的数据与完整的训练数据上下拼接构成训练矩阵;其次,利用离散余弦变换(Discrete Cosine Transform,DCT)生成一个过完备字典,并根据训练矩阵对其进行学习,旨在通过调优得到一个合适的字典,能对训练矩阵中的样本进行最好的稀疏表示。最后,在测试阶段,先利用学习后字典的上半部分获得测试集缺失数据的稀疏表示,然后利用稀疏表示和学习后字典的下半部分重构出无缺失的完整数据。实验结果表明,使用该方法对电力负荷数据缺失值进行补全,可以获得比传统插值方法、基于相关性的KNN算法、时空压缩感知估计算法以及时序压缩感知预测算法更高的精度。即使数据缺失率高达95%,该方法依然可以有效地补全缺失数据。