Computer Science

Abstract—Semantic values in kernel data structures are critical to many security applications, such as virtual machine introspection, malware analysis, and memory forensics. However, malware, or more specifically a kernel rootkit, can often directly tamper with the raw kernel data structures, known as DKOM (Direct Kernel Object Manipulation) attacks, thereby significantly thwarting security analysis. In addition to manipulating pointer fields to hide certain kernel objects, DKOM attacks may also mutate semantic values, which are data values with important semantic meanings. Prior research efforts have been made to defeat pointer manipulation attacks and thus identify hidden kernel objects. However, the space and severity of Semantic Value Manipulation (SVM) attacks have not received sufficient understanding. In this paper, we take a first step to systematically assess this attack space. To this end, we devise a new fuzz testing technique, namely- duplicate-value directed semantic fi...

We propose a new approach for outlier detection, based on a ranking measure that focuses on the question of whether a point is ‘central’ for its nearest neighbours. Using our notations, a low cumulative rank implies that the point is central. For instance, a point centrally located in a cluster has a relatively low cumulative sum of ranks because it is among the nearest neighbours of its own nearest neighbours, but a point at the periphery of a cluster has a high cumulative sum of ranks because its nearest neighbours are closer to each other than the point. Use of ranks eliminates the problem of density calculation in the neighbourhood of the point and this improves the performance. Our method performs better than several density-based methods on some synthetic data sets as well as on some real data sets.

Anomaly or outlier detection problems are of considerable importance, arising frequently in diverse real-world applications such as finance and cyber-security. Several algorithms have been formulated for such problems, usually based on formulating a problem-dependent heuristic or distance metric. This dissertation proposes anomaly detection algorithms that exploit the notion of “rank," expressing relative outlierness of different points in the relevant space, and exploiting asymmetry in nearest neighbor relations between points: a data point is “more anomalous" if it is not the nearest neighbor of its nearest neighbors. Although rank is computed using distance, it is a more robust and higher level abstraction that is particularly helpful in problems characterized by significant variations of data point density, when distance alone is inadequate. We begin by proposing a rank-based outlier detection algorithm, and then discuss how this may be extended by also considering clu...

Rank-based algorithms provide a promising approach for outlier detection, but currently used rank-based measures of outlier detection suffer from two deficiencies: first they take a large value from an object near a cluster whose density is high even through the object may not be an outlier and second the distance between the object and its nearest cluster plays a mild role though its rank with respect to its neighbor. To correct for these deficiencies we introduce the concept of modified-rank and propose new algorithms for outlier detection based on this concept. Our method performs better than several density-based methods, on some synthetic data sets as well as on some real data sets.

The density-based methodology discussed in the preceding chapter, which examines the k-neighborhood of a data point, has many good features. For instance, it is independent of the distribution of the data and is capable of detecting isolated objects. However it has the following shortcomings: • If some neighbors of the point are located in one cluster, and the other neighbors are located in another cluster, and the two clusters have different densities, then comparing the density of the data point with all of its neighbors may lead to a wrong conclusion and the recognition of real outliers may fail, an example is illustrated in Sect. 7.1. • The notion of density does not work well for sparse data sets such as a cluster of points on a single straight line. Even if each point in the set has equal distances to its closest neighbors, its density may vary depending on its position in the dataset. Clusters with different densities and sizes arise in many real-world context. An example is the case where a financial institution wishes to find anomalous behavior of its customers. It is obvious that all normal customers are not alike-depending upon their needs and nature all have different 'normal' behavior. Individuals with multiple accounts and large investments tend to have deposit and withdrawal patterns that differ substantially from those of individuals with small amounts. Consequently, the collection of data associated with all users is likely to form multiple clusters with variable number of data points in each cluster, and with variable densities, etc. In such a situation, density based approaches will perform poorly. In such situations, to find anomalous observations, the ideal solution is to transform the data so that all regions in the transformed space have similar local distributions. The rank-based approach attempts to achieve this goal. In using the rank based approach the effect of inter-object distances is diminished; and in using 'modified-ranks', described in Sect. 7.3, the effect of the size of the local cluster(s) is also accommodated.

Many practical problems involve data that arrive over time, and are hence in a strict temporal sequence. As discussed in Chap. 5, treating the data as a set, while ignoring the time-stamp, loses information essential to the problem. Treating the time-stamp as just another dimension (on par with other relevant dimensions such as dollar amounts) can only confuse the matter: the occurrence of other attribute values at a specific time instant can mean something quite different from the same attribute values occurring at another time, depending on the immediately preceding values. Such dependencies necessitate considering time as a special aspect of the data for explicit modeling, and treating the data as a sequence rather than a set. Hence anomaly detection for time-sequenced data requires algorithms that are substantially different from those discussed in the previous chapters.

Anomaly Detection Anomaly detection problems arise in multiple applications, as discussed in the preceding chapter. This chapter discusses the basic ideas of anomaly detection, and sets up a framework within which various algorithms can be analyzed and compared. 2.1 Anomalies An anomaly is a "variation from the norm"-this section explores this notion in greater detail. Many scientific and engineering fields are based on the assumption that processes or behaviors exist in nature that follow certain rules or broad principles, resulting in the state of a system, manifested in observable data. From the data, we must formulate hypotheses about the nature of the underlying process, which can be verified upon observation of additional data. 1 These hypotheses describe the normal behavior of a system, implicitly assuming that the data used to generate the hypotheses are typical of the system in some sense. However, variations from the norm may occur in the processes, hence systems may also exist in abnormal states, leading to observable data values that are different from the values observed when no such process/state variations occur. The task of anomaly detection is to discover such variations (from the norm) in the observed data values, and hence infer the variations in the underlying process. A fundamental problem is that there is no simple unique definition that permits us to evaluate how similar are two data points, and hence how different is one data point from others in the data set. As pointed out by Papadimitriou et al. [92],

MapReduce is a programming model and an associated implementation for processing and generating large data sets. Users specify a map function that processes a key/value pair to generate a set of intermediate key/value pairs, and a reduce function that merges all intermediate values associated with the same intermediate key. Many real world tasks are expressible in this model, as shown in the paper. Programs written in this functional style are automatically parallelized and executed on a large cluster of commodity machines. The run-time system takes care of the details of partitioning the input data, scheduling the program's execution across a set of machines, handling machine failures, and managing the required intermachine communication. This allows programmers without any experience with parallel and distributed systems to easily utilize the resources of a large distributed system. Our implementation of MapReduce runs on a large cluster of commodity machines and is highly scalable: a typical MapReduce computation processes many terabytes of data on thousands of machines. Programmers find the system easy to use: hundreds of MapReduce programs have been implemented and upwards of one thousand MapReduce jobs are executed on Google's clusters every day.

The E-Learning System is a web based system that focuses on the use of graphical simulation to help students learn the basic concepts of programming easily. The intended project would be used by the students as a web based tutorial for practicing programming. Currently, students who are new to programming find it difficult to understand how exactly programming works. This makes learning the subject even more difficult. The proposed system aims to help students develop aptitude towards programming with the help of graphical simulations. The system also intends to classify the students on the basis of their level of competency and programming and devise various strategies for various

Time series data abound in many realistic domains. The proper study and analysis of time series data help to make important decisions. Study of such data is very useful in many applications where there are trendy changes with time or specific seasonality as in electricity demand, cloud workload, weather and sales, cost of business products, etc. By understanding the nature of the time series and the objective of analysis, we have used different approaches to learn and extract meaningful information that can satisfy the business needs. The present paper covers and compares various forecasting algorithmic approaches and explores their limitations and usefulness for different types of time series data in different domains. Keywords Time series forecast • Deep learning • ARIMA • MVFTS • CNN • LSTM • CBLSTM This article is part of the topical collection "Advances in Computational Approaches for Artificial Intelligence, Image Processing, IoT and Cloud Applications" guest edited by Bhanu Prakash K N and M. Shivakumar.