Project #1: Android Malware and Ransomware Detection using Deep Learning (Advert Reference: RDF20/EE/CIS/ISSAC) - (Fully-funded)

Supervisor: Dr Biju Issac and Co-supervisor: Dr Longzhi Yang

Deadline for applications: 24 January 2020 and start date: 1 October 2020.

Android OS has been extremely popular for the last few years and is predominantly used in smartphones and Internet of Things (IoT) devices. This popularity has made it an attractive target for malicious apps, so there is a need for effective and portable malware and ransomware detection solutions. Malware tricks users into installing software that allows scammers to access their files and track what they are doing, while ransomware is a type of malware that blocks or limits access to a computer or its files and demands that a ransom be paid to ‘unlock’ them. In this research, we propose a deep learning approach for Android malware and ransomware detection. Using the raw sequence of an app’s API method calls, our approach will extract and learn the malicious and benign patterns from actual dataset samples to detect Android malware. We will use a deep neural network or similar model that takes permission combinations, Intent filters, invalid certificates, the existence of an APK file in the asset folder, API calls, etc. as features and learns to separate malicious apps from benign ones. We will examine API package calls as a leading indicator of ransomware activity, in order to discriminate ransomware with high accuracy before it harms the user’s device, and we will use deep learning to identify a set of novel features with high discriminative power for separating ransomware from benign samples. Experiments will be run on multiple malware and ransomware datasets to show that the proposed deep learning techniques work effectively, and the deep learning models will be optimised with bio-inspired metaheuristic algorithms to further improve classification accuracy.
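As an added illustration (not part of the advert or the project's own code), the following turns an Android manifest plus the APK's file list into the kind of fixed-length 0/1 feature vector a network like the one proposed would consume; the manifest, file list and feature vocabulary are constructed for this example.

```python
# Added example: manifest-derived features for an Android malware classifier.
# The sample manifest, file list and vocabulary below are constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed "flashlight" app: asks for SMS rights, registers for
# BOOT_COMPLETED and ships a second APK inside assets/.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".Boot">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
SAMPLE_FILES = ["classes.dex", "assets/update.apk", "res/layout/main.xml"]

# Fixed vocabulary so every sample maps onto the same feature positions.
PERMISSIONS = ["SEND_SMS", "RECEIVE_SMS", "READ_CONTACTS",
               "RECEIVE_BOOT_COMPLETED", "SYSTEM_ALERT_WINDOW"]
ACTIONS = ["BOOT_COMPLETED", "SMS_RECEIVED", "USER_PRESENT"]

def extract_features(manifest_xml, file_list):
    """Ordered dict of 0/1 features: permissions, intent-filter actions,
    one permission-combination feature and an APK-in-assets flag."""
    root = ET.fromstring(manifest_xml)
    # Manifest elements are unnamespaced; only the android:* attributes are.
    perms = {el.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
             for el in root.iter("uses-permission")}
    actions = {el.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
               for el in root.iter("action")}
    feats = {f"perm:{p}": int(p in perms) for p in PERMISSIONS}
    feats.update({f"action:{a}": int(a in actions) for a in ACTIONS})
    # Combination feature: sending *and* intercepting SMS together carries
    # more signal than either permission on its own.
    feats["combo:SMS_SEND_AND_RECEIVE"] = int({"SEND_SMS", "RECEIVE_SMS"} <= perms)
    feats["asset:embedded_apk"] = int(any(
        f.startswith("assets/") and f.lower().endswith(".apk") for f in file_list))
    return feats

def feature_vector(manifest_xml, file_list):
    """Dense 0/1 list in vocabulary order, ready for a network's input layer."""
    return list(extract_features(manifest_xml, file_list).values())
```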

Project #2: Ransomware Tweet Detection and Attack Detection using Deep Learning (Application Ref: SF19/EE/CIS/ISSAC) - (Self-funded)

Supervisor: Dr Biju Issac and Co-supervisor: Dr Longzhi Yang

Deadline for applications: None. Start Date: 1 March 2020 or 1 October 2020.

Ransomware is a type of malicious software designed to deny access to a computer system or data until a ransom is paid. This project will tackle two aspects of ransomware. First, we will investigate and implement a ransomware tweet detection scheme. We will initially analyse multiple families of ransomware over a period of time, and a deep learning architecture will be used to categorise ransomware tweets into their corresponding family. The proposed method can monitor social media data and raise alerts about ransomware outbreaks, which will help incident management to plan resources for mitigating the attack. Second, we will investigate and implement an intelligent ransomware attack detection scheme, both for the attacks identified in the first stage and for new variants. The number of ransomware variants has increased rapidly, and the way ransomware works needs to be differentiated from other malware in order to protect against ransomware‐based attacks. Though ransomware resembles other malware in some respects, the two are clearly different: ransomware generally performs many file‐related operations in a short burst of time to encrypt files and lock the victim’s computer. Signature‐based malware detection methods cannot detect zero‐day and unknown ransomware. Thus, a novel protection mechanism for ransomware detection is needed, and it should focus on ransomware‐specific operations to differentiate ransomware from other malware and benign files. This project will use a ransomware detection method based on deep learning optimised through bio-inspired metaheuristic algorithms to achieve that purpose. Optimised deep learning architectures such as convolutional neural networks (CNNs) or other variants can detect malware or ransomware efficiently simply by looking at the raw bytes of Windows Portable Executable files.
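The "many file operations in a short burst" behaviour described above lends itself to a simple per-process rate check; the following is an added example (not the project's code) with constructed file-activity events and an assumed `(timestamp, pid, op, path)` record shape.

```python
# Added example: sliding-window detection of bursty file activity per process.
# Event records and the threshold are constructed, not from the advert.
from collections import defaultdict, deque

FILE_OPS = {"WRITE", "RENAME", "DELETE"}   # reads alone are not a signal

def constructed_events():
    """(timestamp_s, pid, op, path) tuples: a word processor saving twice,
    and a second process rewriting and renaming 40 files within 2 seconds."""
    events = [(1.0, 4101, "WRITE", "C:/Users/a/report.docx"),
              (9.5, 4101, "WRITE", "C:/Users/a/report.docx")]
    for i in range(40):
        t = 20.0 + i * 0.05
        events.append((t, 7788, "WRITE", f"C:/Users/a/photos/img{i}.jpg"))
        events.append((t, 7788, "RENAME", f"C:/Users/a/photos/img{i}.jpg.locked"))
    return events

def peak_ops_per_process(events, window_s):
    """Highest number of WRITE/RENAME/DELETE ops a single process issued
    inside any sliding window of window_s seconds. Events must be time-sorted."""
    recent = defaultdict(deque)   # pid -> timestamps still inside the window
    peak = defaultdict(int)
    for ts, pid, op, _path in events:
        if op not in FILE_OPS:
            continue
        q = recent[pid]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop timestamps that fell out
            q.popleft()
        peak[pid] = max(peak[pid], len(q))
    return dict(peak)

def flag_burst_processes(events, window_s=5.0, threshold=30):
    """PIDs whose peak rate reaches the threshold: candidates for closer
    inspection (extension changes, entropy of written data, and so on)."""
    peaks = peak_ops_per_process(events, window_s)
    return sorted(pid for pid, n in peaks.items() if n >= threshold)
```

A fixed threshold is only a first filter; in practice it would be one input among several to the learned model, since backup tools and compilers also write many files quickly.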

Project #3: Deep Learning-based Network Forensic Methods for Investigating Botnets in the IoT (Application Ref: SF19/EE/CIS/ASLAM) - (Self-funded)

Supervisor: Dr Nauman Aslam and Co-supervisor: Dr Biju Issac

Deadline for applications: None. Start Date: 1 March 2020 or 1 October 2020.

The way IoT protocols and sensors are designed, together with the lack of standards, are the main reasons why the IoT is an easy target for botnets. Network forensics is the branch of digital forensics in which the evidence is network-related and exists in the form of logs, packets and network flows. Popular methods of investigating botnets include honeypots, network flow analysis, intrusion detection systems, visualisation of network traffic, deep packet analysis, etc. Multiple deep learning solutions have been proposed for application in the field of network forensics in recent years. Niyaz et al. (2016) used stacked auto-encoders in their implementation of a DDoS detection system for software-defined networks. The auto-encoders were greedily trained layer by layer, with the output of one layer being the input of the next, and the entire network was then fine-tuned as a classifier. Reported accuracy for distinguishing between normal and attack traffic was 99.82%, outperforming other classification methods such as shallow neural networks, while individual types of DDoS attack were identified with an accuracy of 95.65%. Lotfollahi et al. (2017) used a combination of a one-dimensional CNN and stacked auto-encoders for automatic feature extraction and classification of network traffic, achieving both application identification and traffic characterisation in either encrypted or unencrypted traffic. This project will explore the use of Recurrent Neural Networks (RNN), Convolutional Neural Networks (CNN), Deep Auto Encoders (DAE), Deep Boltzmann Machines (DBM) and Deep Belief Networks (DBN), alongside some of the network forensics methods, so that botnets in the IoT can be effectively mitigated.
For example, ways of enhancing honeypot implementations might include making them more resilient against anti-forensics mechanisms, increasing the number of supported protocols (and thus the range of mimicked IoT devices), and handling the massive quantities of incoming traffic that an IoT botnet could generate (N. Koroniotis et al., 2019).

Project #4: Zero-Shot Cyber Event Detection (Application Ref: SF19/EE/CIS/YANG) - (Self-funded)

Supervisor: Dr Longzhi Yang and Co-supervisor: Dr Biju Issac

Deadline for applications: None. Start Date: 1 March 2020 or 1 October 2020.

Adverse cyber events, whether distributed/spreading attacks or targeted one-off attacks, are happening all the time in cyberspace, leading to tremendous economic and social loss. Intensive research efforts have been dedicated to fighting such attacks, but most existing approaches can only detect known threats, commonly using the signatures of known attacks. To detect unknown attacks, anomaly detection approaches were designed that identify network traffic behaviour which does not conform to any expected pattern. However, these approaches can only detect that an event is abnormal; they cannot determine its type, which is needed to prevent its recurrence.
This proposed project aims to address this by developing and evaluating an unknown cyber threat detection and interpretation system. A model built on adaptive sparse deep fuzzy inference as its core technology will be proposed to address this challenge. Compared to other AI approaches, this approach has the following unique advantages: 1) the rule base used in a fuzzy inference system can be readily translated into linguistic rules, which are transparent, readily comprehensible and interpretable by human experts for intelligence acquisition; 2) with the support of recent developments in adaptive sparse fuzzy rule base generation and deep learning, concise but expressively powerful rules can be generated that summarise big streaming data compactly in real time; and 3) fuzzy inference systems usually require fewer computational resources, making it possible to deploy them in embedded systems or IoT devices in addition to high-end servers. The method will be evaluated extensively using publicly available data sets and experiments in our recently built modern computer network and cybersecurity labs to ensure its high-grade performance.