System Calls Research Articles

Research and Application of Malware Classification Method Based on LSTM

Information technology enhances efficiency and introduces the threat of malware. A typical means of destruction, malware affects the operational security of information systems and poses certain risks to human life, production, and social operations. One of the key research directions in the field of information security is the identification and classification of malware. Currently, mainstream malware analysis and identification methods fall into static and dynamic categories. As a result of obfuscated system calls, it is difficult to detect malware using static analysis, and traditional dynamic analysis methods based on local features are not sufficiently accurate. This paper combines sequence-based LSTM neural networks with learning algorithms for traditional API call features to study malware classification. Furthermore, this paper discusses the idea of hybrid classification based on LSTM and expands the research in this area to some extent. As a result of the research presented in this paper, dynamic analysis and classification of malware are expected to be more effective.

A General Framework for Accelerator Management Based on ISA Extension

Thanks to the promised improvements in performance and energy efficiency, hardware accelerators are taking momentum in many computing contexts, both in terms of variety and relative weight in the silicon area of many chips. Commonly, the way an application interacts with these hardware modules has many accelerator-specific traits and requires ad-hoc drivers that usually rely on potentially expensive system calls to manage accelerator resources and access orchestration. As a consequence, driver-based interfacing is far from uniform and can expose high latency, limiting the set of tasks suitable for acceleration. In this paper, we propose a uniform and low-latency interface based on Instruction Set Architecture (ISA) extension. All the previous studies that proposed extensions, were deeply tailored to address a single accelerator. One of the biggest disadvantages of those methods is their inability to scale. Adding more of these accelerators to one System-on-Chip (SoC) would result in ISA bloat, increasing power consumption and complexifying the decoding phase proportionally. Our proposed framework consists of a six-instruction ISA extension and the corresponding architectural support that implements the interface abstraction and the reservation logic at the hardware level. Our proposal allows controlling a broad class of integrated accelerators directly from the CPU. The proposed framework is ISA-independent, which means that it is applicable to all the existing ISAs. We implement it on the gem5 simulator by extending the RISC-V ISA. We evaluate it by simulating three compute-intensive accelerators and comparing our interfacing with a conventional driver-based one. The benchmarks highlight the performance benefits brought by our framework, with up to 10.38x speed up, as well as the ability to seamlessly support different accelerators with the same interface. The speed up advantage of our technique diminishes as the granularity of the workloads increases and the overhead for driver-based accelerators becomes less important. We also show that the impact of its hardware components on chip area and power consumption is limited.

Performance Monitoring Counter Based Intelligent Malware Detection and Design Alternatives

Hardware solutions for malware detection are becoming increasingly important as software-based solutions can be easily compromised by intelligent malware. However, the cost of hardware solutions including design complexity and dynamic power consumption cannot be ignored. Many of the existing hardware solutions are based on statistical learning blocks with abnormal features of system calls, network traffics, or processor behaviors. Among those solutions, the performance of the learning techniques relies primarily on the quality of the training data. However, for the processor behavior-based solutions, only a few behavioral events can be monitored simultaneously due to the limited number of PMCs (Performance Monitoring Counters) in a processor. As a result, the quality and quantity of the data obtained from architectural features have become a critical issue for PMC-based malware detection. In this paper, to emphasize the importance of selecting architectural features for malware detection, the statistical differences between malware workloads and benign workloads were characterized based on the information from performance counters. Most malware can easily be detected with basic characteristics, but some malware types are statistically very similar to benign workloads which need to be handled more in-depth. Hence, we focus on multiple steps to investigate critical issues of PMC-based malware detection: (i) statistical characterization of malware; (ii) distribution-based feature selection; (iii) trade-off analysis of detection time and accuracy; and (iv) providing architectural design alternatives for hardware-based malware detection. Our results show that the existing number of performance counters is not enough to achieve the desired accuracy. For more accurate malware detection in real-time, we propose both accuracy improvement schemes (with additional PMCs, etc.) and hardware acceleration schemes. Both schemes provide accuracy improvement (5~10%) and detection speedup (up to 10%) with the additional hardware cost (less than 1% of the chip complexity).

Reduce Malicious Activity in Trusted Programs

The malicious activity comes in many forms, but many can come through trusted applications that we commonly use. Current systems have the capability to reduce damages, but implementations for the reduction are either outside of the system or are implemented in a manner that is unintuitive or confusing to users. In this paper, an access control method has been proposed that focuses on the alleviation of damage caused by such applications through the interactions between the user, application, and computer system. In details, the proposed model would work as a module or an interceptor to delegate permissions to applications through user input by using existing system calls. The evaluation about the proposed model as well as the first step implementation can show better security protection than existing systems.

THREATRACE: Detecting and Tracing Host-Based Threats in Node Level Through Provenance Graph Learning

Host-based threats such as Program Attack, Malware Implantation, and Advanced Persistent Threats (APT), are commonly adopted by modern attackers. Recent studies propose leveraging the rich contextual information in data provenance to detect threats in a host. Data provenance is a directed acyclic graph constructed from system audit data. Nodes in a provenance graph represent system entities (e.g., <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">processes</i> and <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">files</i> ) and edges represent system calls in the direction of information flow. However, previous studies, which extract features of the provenance graph, are not sensitive to the small quantity of threat-related entities and thus result in low performance when hunting stealthy threats. We present THREATRACE, an anomaly-based detector that detects host-based threats at system entity level without prior knowledge of attack patterns. We tailor GraphSAGE, an inductive graph neural network, to learn every benign entity’s role in a provenance graph. THREATRACE is a real-time system, which is scalable of monitoring a long-term running host and capable of detecting host-based intrusion in their early phase. We evaluate THREATRACE on five public datasets. The results show that THREATRACE outperforms seven state-of-the-art host intrusion detection systems.

Design and implementation of face recognition attendance management system

In view of the inefficiency and cheating in time attendance, a face recognition attendance management system has been developed. The system is developed under Windows 10 using Java language and MySql database. After the user logs on to the system, click the punch-in button. The system calls camera through openCV to take pictures, and then matches this photo with the photo in the database. If the match is successful, the system can punch in successfully. The full day's work time is calculated by clocking in to record the employee's clock-in time each time. In order to improve the speed of face recognition, the face recognition algorithm in this system first uses the perceptual hash algorithm to filter the photos, and then calls the face comparison interface of the Rainbow Soft Face Recognition Engine for face recognition, thereby improving the speed of face recognition.

New rolling horizon optimization approaches to balance short-term and long-term decisions: An application to energy planning

The planning of complex systems such as energy systems calls for multiple and recurrent operational decisions depending on the present situation as well as future trends. Such decisions can be optimized with rolling-horizon approaches where most immediate decisions are fixed, based on current previsions, while next decisions are made at further optimization steps with updated information. In this paper, focus on cases where long-term decisions have to be balanced with detailed short-term decisions to insure operational realism. On such problems, standard rolling horizon approaches are hard to solve due to the substantial increase of the temporal dimension. To overstep this issue, new approaches to balance short and long-term decisions. Two modelling approaches, based on aggregated time steps, are proposed and tested on an energy production problem where energy can be stored seasonally. Approaches are compared to benchmarks approaches (myopic and a posteriori optimization), and a sensitivity analysis is performed. Both approaches are promising and correspond to different compromises between the model complexity, computation times and solution quality.

Synthesis of context‐aware business‐to‐business processes for location‐based services through choreographies

AbstractModern technologies and emerging wireless communication solutions in the Information and Communications Technology (ICT) world are empowering the spread of the most disparate ready‐to‐use software services distributed over the globe and accessed by an increasing number of users. This state of affairs encourages the development of systems based on the reuse of existing services through composition approaches, notably choreographies. Also Public Administrations are driven towards a digitalization process which exploits composition approaches to build complex and interoperable systems that can be remotely accessed by citizens and authorities. However, an automatic support is needed in order to realize the service composition and the distributed coordination logic that enforces the correct choreography realization. Moreover, the need for building dynamic and user‐centered systems calls for the realization of choreographies capable to adjust their behavior to the surrounding context. This work presents our proposal for addressing the choreography realization problem, by describing an automated process for the synthesis of choreography‐based systems. The synthesized systems are location‐aware and able to adapt the services' interaction according to the user's needs and context conditions. We show and evaluate our approach at work on a real use case scenario in the Public Administration domain.

Toward Identifying APT Malware through API System Calls

Self-developed malware was usually used by advanced persistent threat (APT) attackers to launch APT attacks. Therefore, we can enhance the understanding and cognition of APT attacks by comprehending the behavior of APT malware. Unfortunately, the current research cannot effectively explain the relationship between the recognition, detection, and defense of APT. The model of similar studies also lacks an explanation about it. To defend against APT attacks and inquire about the similarity of different APT attacks, this study proposes an APT malware classification method based on a combination of multiple deep learning algorithms and transfer learning by collecting malware used in several famous APT groups in public. By extracting the application programming interface (API) system calls, with the vector representation of features by combining dynamic LSTM and attention algorithm, we can obtain API at different APT families classification contributions trained dynamic. Thus, we used transfer learning to perform multiple classifications of the APT family. This study aims to reduce the burden of network security staff from reviewing a large number of suspicious files when defending against APT attacks. Additionally, it can effectively intercept them in the initial invasion stage of APT to perform targeted defense against specific APT attacks by combining threat intelligence in public. The experimental result shows that the proposed method can achieve 99.2% in distinguishing common malware from APT malware and assign APT malware to different APT families with an accuracy of 95.5%.

Using Graph Representation in Host-Based Intrusion Detection

Cybersecurity has become an important part of our daily lives. As an important part, there are many researches on intrusion detection based on host system call in recent years. Compared to sentences, a sequence of system calls has unique characteristics. It contains implicit pattern relationships that are less sensitive to the order of occurrence and that have less impact on the classification results when the frequency of system calls varies slightly. There are also various properties such as resource consumption, execution time, predefined rules, and empirical weights of system calls. Commonly used word embedding methods, such as Bow, TI-IDF, N-Gram, and Word2Vec, do not fully exploit such relationships in sequences as well as conveniently support attribute expansion. To solve these problems, we introduce Graph Representation based Intrusion Detection (GRID), an intrusion detection framework based on graph representation learning. It captures the potential relationships between system calls to learn better features, and it is applicable to a wide range of back-end classifiers. GRID utilizes a new sequence embedding method Graph Random State Embedding (GRSE) that uses graph structures to model a finite number of sequence items and represent the structural association relationships between them. A more efficient representation of sequence embeddings is generated by random walks, word embeddings, and graph pooling. Moreover, it can be easily extended to sequences with attributes. Our experimental results on the AFDA-LD dataset show that GRID has an average improvement of 2% using the GRSE embedding method comparing to others.

Manipulation on Two-Dimensional Amorphous Nanomaterials for Enhanced Electrochemical Energy Storage and Conversion.

Low-carbon society is calling for advanced electrochemical energy storage and conversion systems and techniques, in which functional electrode materials are a core factor. As a new member of the material family, two-dimensional amorphous nanomaterials (2D ANMs) are booming gradually and show promising application prospects in electrochemical fields for extended specific surface area, abundant active sites, tunable electron states, and faster ion transport capacity. Specifically, their flexible structures provide significant adjustment room that allows readily and desirable modification. Recent advances have witnessed omnifarious manipulation means on 2D ANMs for enhanced electrochemical performance. Here, this review is devoted to collecting and summarizing the manipulation strategies of 2D ANMs in terms of component interaction and geometric configuration design, expecting to promote the controllable development of such a new class of nanomaterial. Our view covers the 2D ANMs applied in electrochemical fields, including battery, supercapacitor, and electrocatalysis, meanwhile we also clarify the relationship between manipulation manner and beneficial effect on electrochemical properties. Finally, we conclude the review with our personal insights and provide an outlook for more effective manipulation ways on functional and practical 2D ANMs.

Innovative Energy Management System for Mobile Processors Power Consumption with Integration of Predictive Neural Network Models

At the present stage of information technologies development in the field of portable devices implementation one of the perspective direction is the development of software and hardware to optimise the consumption of energy resources in mobile processors. Modern solutions are aimed at continuous improvement of methods to reduce power consumption along with increasing the performance of devices, but the problem of limited time interval of portable devices active use is still relevant. Existing solutions are aimed at using various energy-dependent methods in the kernel configuration – I/O scheduler governors, TCP overload algorithms, as well as additional entropy distribution systems and memory release algorithms. The solutions considered involve a system of aggressive behaviour based on the use of user-driven methods to terminate energy demanding processes in the system. The purpose of this study is to overcome the problems under consideration by developing a cross-platform algorithmic approach, which is based on the tracking of the energy consumption processes in the kernel, taking into account system calls and background activity in the system. A distinctive feature of the proposed solution is the use of a neural network training sample for the processes of tracking user behaviour, which affects the reduction of the CPU load by completing side processes and increasing the time interval of battery performance. To implement the project, root access to the system was also used, assuming full-function access to the system kernel. Another feature of the implemented algorithm is backwards compatibility of the work with mobile processors, which allows to organise work on mobile devices.

Delaying carbon dioxide removal in the European Union puts climate targets at risk

Carbon dioxide removal (CDR) will be essential to meet the climate targets, so enabling its deployment at the right time will be decisive. Here, we investigate the still poorly understood implications of delaying CDR actions, focusing on integrating direct air capture and bioenergy with carbon capture and storage (DACCS and BECCS) into the European Union power mix. Under an indicative target of −50 Gt of net CO2 by 2100, delayed CDR would cost an extra of 0.12−0.19 trillion EUR per year of inaction. Moreover, postponing CDR beyond mid-century would substantially reduce the removal potential to almost half (−35.60 Gt CO2) due to the underused biomass and land resources and the maximum technology diffusion speed. The effective design of BECCS and DACCS systems calls for long-term planning starting from now and aligned with the evolving power systems. Our quantitative analysis of the consequences of inaction on CDR—with climate targets at risk and fair CDR contributions at stake—should help to break the current impasse and incentivize early actions worldwide.

Acceptance of seasonal influenza vaccination and associated factors among pregnant women in the context of COVID-19 pandemic in China: a multi-center cross-sectional study based on health belief model

BackgroundSeasonal influenza can circulate in parallel with coronavirus disease (COVID-19) in winter. In the context of COVID-19 pandemic, the risk of co-infection and the burden it poses on healthcare system calls for timely influenza vaccination among pregnant women, who are the priority population recommended for vaccination. We aimed to evaluate the acceptance of influenza vaccination and associated factors among pregnant women during COVID-19 pandemic, provide evidence to improve influenza vaccination among pregnant women, help reduce the risk of infection and alleviate the burden of healthcare system for co-infected patients.MethodsWe conducted a multi-center cross-sectional study among pregnant women in China. Sociodemographic characteristics, health status, knowledge on influenza, attitude towards vaccination, and health beliefs were collected. Locally weighted scatterplot smoothing regression analysis was used to evaluate the trends in the acceptance of influenza vaccine. Logistic regression was applied to identify factors associated with vaccination acceptance.ResultsThe total acceptance rate was 76.5% (95%CI: 74.8–78.1%) among 2568 pregnant women enrolled. Only 8.3% of the participants had a history of seasonal influenza vaccination. In the logistic regression model, factors associated with the acceptance of influenza vaccine were western region, history of influenza vaccination, high knowledge of influenza infection and vaccination, high level of perceived susceptibility, perceived benefit, cues to action and low level of perceived barriers. Among 23.5% of the participants who had vaccine hesitancy, 48.0% of them were worried about side effect, 35.6% of them lacked confidence of vaccine safety.ConclusionsOur findings highlighted that tailored strategies and publicity for influenza vaccination in the context of COVID-19 pandemic are warranted to reduce pregnant women’s concerns, improve their knowledge, expand vaccine uptake and alleviate pressure for healthcare system.

Testing Platform Invoke as a Tool for Shellcode Injection in Windows Applications

This paper investigates software attacks based on shellcode injection in Windows applications. The attack uses platform invoke to inject binary code by means of system calls. This creates a separate threat that carries the payload. The paper overviews protections against shellcode injection and thus analyzes the injection methods as well. Analysis models the injection of malicious code in a Windows app process. As a result, the paper proposes a step-by-step injection method. Experimental injection of user code in PowerShell is performed to test the method. The paper further shows the assembly code of the system call as an example of finding their IDs in the global system call table; it also shows part of the source code for the injection of binary executable code. Various counterattacks are proposed in the form of software control modules based on architecture drivers. The paper analyzes the feasibility of using dynamic invoke, which the authors plan to do later on.

Histologic features in an autoimmune gastritis patient with hypergastrinemia: Call for a grading system for G cell hyperplasia

Abstract Introduction/Objective Autoimmune gastritis (AG) is characterized by oxyntic glands destruction, metaplasia, enterochromaffin-like endocrine cell abnormality and G-cell hyperplasia with hypergastrinemia. The gastrin level can be extraordinarily high in certain cases to justify suspicion of Zollinger-Ellison syndrome. We herein report one such case and discuss clinical implication of a grading system for G-cell hyperplasia to correlate histology with gastrin levels. Methods/Case Report The patient was a symptomatic 65 year-old female with hypergastrinemia (2,068 pg/mL), negative abdomen/pelvis CT scan, positive anti-intrinsic factor and anti-parietal cell antibodies. Under esophagogastroduodenoscopy, biopsies were obtained from gastric cardia, fundus, corpus, incisura angularis, and antrum. Morphology and immunostains confirmed autoimmune gastritis. Diffuse linear pattern G-cell hyperplasia was evident in antrum and incisura angularis, counting up to 200 G-cells per linear millimeter. One study defined G-cell hyperplasia as &amp;gt;140 gastrin-positive cells per linear millimeter while another proposed a 2-tier stratification, i.e., simple hyperplasia (4-5 cells for each gland) and linear hyperplasia (continuous chain-like distribution of G-cells). Such scoring, however, was largely qualitative and fell short in delineating the extent of G-cell hyperplasia and correlation with gastrinemia. Results (if a Case Study enter NA) NA Conclusion Lack of G-cell grading system hindered our unequivocal determination of the G-cell hyperplasia as underlying or contributing cause of hypergastrenemia. The unique features of our case highlighted the necessity for installing a practical grading system that incorporates G-cell density, pattern (linear vs. nodular), extent of involved areas, other features of AG to correspond to gastrin level. With accumulation of clinical information, one such grading system is feasible and will improve our knowledge and patient care.

Do gradient-based explanations tell anything about adversarial robustness to android malware?

While machine-learning algorithms have demonstrated a strong ability in detecting Android malware, they can be evaded by sparse evasion attacks crafted by injecting a small set of fake components, e.g., permissions and system calls, without compromising intrusive functionality. Previous work has shown that, to improve robustness against such attacks, learning algorithms should avoid overemphasizing few discriminant features, providing instead decisions that rely upon a large subset of components. In this work, we investigate whether gradient-based attribution methods, used to explain classifiers’ decisions by identifying the most relevant features, can be used to help identify and select more robust algorithms. To this end, we propose to exploit two different metrics that represent the evenness of explanations, and a new compact security measure called Adversarial Robustness Metric. Our experiments conducted on two different datasets and five classification algorithms for Android malware detection show that a strong connection exists between the uniformity of explanations and adversarial robustness. In particular, we found that popular techniques like Gradient*Input and Integrated Gradients are strongly correlated to security when applied to both linear and nonlinear detectors, while more elementary explanation techniques like the simple Gradient do not provide reliable information about the robustness of such classifiers.

Applications of deep learning for mobile malware detection: A systematic literature review

For detecting and resolving the various types of malware, novel techniques are proposed, among which deep learning algorithms play a crucial role. Although there has been a lot of research on the development of DL-based mobile malware detection approaches, they were not reviewed in detail yet. This paper aims to identify, assess, and synthesize the reported articles related to the application of DL techniques for mobile malware detection. A Systematic Literature Review is performed in which we selected 40 journal articles for in-depth analysis. This SLR presents and categorizes these articles based on machine learning categories, data sources, DL algorithms, evaluation parameters & approaches, feature selection techniques, datasets, and DL implementation platforms. The study also highlights the challenges, proposed solutions, and future research directions on the use of DL in mobile malware detection. This study showed that Convolutional Neural Networks and Deep Neural Networks algorithms are the most used DL algorithms. API calls, Permissions, and System Calls are the most dominant features utilized. Keras and Tensorflow are the most popular platforms. Drebin and VirusShare are the most widely used datasets. Supervised learning and static features are the most preferred machine learning and data source categories.

Beyond food for thought – Directing sustainability transitions research to address fundamental change in agri-food systems

Dominant agricultural and food systems lead to continuous resource depletion and unacceptable environmental and social impacts. While current calls for changing agrifood systems are increasingly framed in the context of sustainability transitions, they rarely make an explicit link to transition studies to address these systemic challenges, nor do transition scholars sufficiently address agri-food systems, despite their global pertinence. From this viewpoint, we illustrate several gaps in the agri-food systems debate that sustainability transition studies could engage in. We propose four avenues for research in the next decade of transition research on agri-food systems: 1) Crossscale dynamics between coupled systems; 2) Social justice, equity and inclusion; 3) Sustainability transitions in low- and middle-income countries; 4) Cross-sectoral governance and system integration. We call for a decade of new transition research that moves beyond single-scale and sector perspectives toward more inclusive and integrated analyses of food system dynamics.

Methods for Host-based Intrusion Detection with Deep Learning

Host-based Intrusion Detection Systems (HIDS) automatically detect events that indicate compromise by adversarial applications. HIDS are generally formulated as analyses of sequences of system events such as bash commands or system calls. Anomaly-based approaches to HIDS leverage models of normal (a.k.a. baseline) system behavior to detect and report abnormal events and have the advantage of being able to detect novel attacks. In this article, we develop a new method for anomaly-based HIDS using deep learning predictions of sequence-to-sequence behavior in system calls. Our proposed method, called the ALAD algorithm, aggregates predictions at the application level to detect anomalies. We investigate the use of several deep learning architectures, including WaveNet and several recurrent networks. We show that ALAD empowered with deep learning significantly outperforms previous approaches. We train and evaluate our models using an existing dataset, ADFA-LD, and a new dataset of our own construction, PLAID. As deep learning models are black box in nature, we use an alternate approach, allotaxonographs, to characterize and understand differences in baseline vs. attack sequences in HIDS datasets such as PLAID.