  • 1. Axelsson, Stefan
    The Normalised Compression Distance as a File Fragment Classifier (2010). In: Digital Investigation. The International Journal of Digital Forensics and Incident Response, ISSN 1742-2876, E-ISSN 1873-202X, Vol. 7, no Suppl 1, p. S24-S31. Article in journal (Refereed)
    Abstract [en]

    We have applied the generalised and universal distance measure NCD (Normalised Compression Distance) to the problem of determining the type of file fragments. To enable later comparison of the results, the algorithm was applied to fragments of a publicly available corpus of files. The NCD algorithm, in conjunction with k-nearest-neighbour (k ranging from one to ten) as the classification algorithm, was applied to a random selection of circa 3000 512-byte file fragments from 28 different file types. This procedure was then repeated ten times. While the overall accuracy of the n-valued classification only improved the prior probability from approximately 3.5% to circa 32%-36%, the classifier reached accuracies of circa 70% for the most successful file types. A prototype of a file fragment classifier was then developed and evaluated on a new set of data (from the same corpus). Circa 3000 fragments were selected at random and the experiment repeated five times. The prototype classifier remained successful at classifying individual file types, with accuracies ranging from only slightly lower than 70% for the best class down to accuracies similar to those in the prior experiment.

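As an illustration of the method described in entry 1 above: a minimal Python sketch of NCD-based k-nearest-neighbour classification of file fragments. The choice of zlib as the compressor, the majority vote, and all parameter values are assumptions for illustration, not the paper's exact setup.

```python
import zlib
from collections import Counter

def ncd(x: bytes, y: bytes) -> float:
    # Normalised Compression Distance: (C(xy) - min(C(x), C(y))) / max(C(x), C(y)),
    # here using zlib compressed lengths as the approximation of C.
    cx, cy = len(zlib.compress(x)), len(zlib.compress(y))
    cxy = len(zlib.compress(x + y))
    return (cxy - min(cx, cy)) / max(cx, cy)

def knn_classify(fragment: bytes, training: list[tuple[bytes, str]], k: int = 10) -> str:
    # Rank training fragments by NCD to the unknown fragment and take a majority
    # vote over the k nearest; `training` pairs 512-byte fragments with their
    # known file types.
    nearest = sorted(training, key=lambda item: ncd(fragment, item[0]))[:k]
    votes = Counter(label for _, label in nearest)
    return votes.most_common(1)[0][0]
```
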
  • 2. Axelsson, Stefan
    Using Normalized Compression Distance for Classifying File Fragments (2010). Conference paper (Refereed)
    Abstract [en]

    We have applied the generalised and universal distance measure NCD (Normalised Compression Distance) to the problem of determining the types of file fragments via example. A corpus of files that can be redistributed to other researchers in the field was developed, and the NCD algorithm using k-nearest-neighbour as the classification algorithm was applied to a random selection of file fragments. The experiment covered circa 2000 fragments from 17 different file types. While the overall accuracy of the n-valued classification only improved the prior probability of the class from approximately 6% to circa 50% overall, the classifier reached accuracies of 85%-100% for the most successful file types.

  • 3. Axelsson, Stefan
    et al.
    Baca, Dejan
    Feldt, Robert
    Sidlauskas, Darius
    Kacan, Denis
    Detecting Defects with an Interactive Code Review Tool Based on Visualisation and Machine Learning (2009). Conference paper (Refereed)
    Abstract [en]

    Code review is often suggested as a means of improving code quality. Since humans are poor at repetitive tasks, some form of tool support is valuable. To that end, we developed a prototype tool to illustrate the novel idea of applying machine learning (based on Normalised Compression Distance) to the problem of static analysis of source code. Since this tool learns by example, it is trivially programmer adaptable. As machine learning algorithms are notoriously difficult to understand operationally (they are opaque), we applied information visualisation to the results of the learner. In order to validate the approach, we applied the prototype to source code from the open-source project Samba and from an industrial telecom software system. Our results showed that the tool did indeed correctly find and classify problematic sections of code based on training examples.

  • 4. Axelsson, Stefan
    et al.
    Blekinge Institute of Technology, School of Computing.
    Bajwa, Kamran Ali
    Srikanth, Mandhapati Venkata
    Blekinge Institute of Technology, School of Computing.
    File Fragment Analysis Using Normalized Compression Distance (2013). Conference paper (Refereed)
    Abstract [en]

    The first step when recovering deleted files using file carving is to identify the file type of a block, also called file fragment analysis. Several researchers have demonstrated the applicability of Kolmogorov complexity methods such as the normalized compression distance (NCD) to this problem. NCD methods compare the results of compressing a pair of data blocks with the compressed concatenation of the pair. One parameter that is required is the compression algorithm to be used. Prior research has identified the NCD compressor properties that yield good performance. However, no studies have focused on its applicability to file fragment analysis. This paper describes the results of experiments on a large corpus of files and file types with different block lengths. The experimental results demonstrate that, in the case of file fragment analysis, compressors with the desired properties do not perform statistically better than compressors with less computational complexity.

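To illustrate the compressor parameter discussed in entry 4 above, a hedged sketch that computes the same NCD under compressors of different computational complexity; the selection of compressors and the block sizes fed to it are illustrative assumptions, not the corpus or setup used in the paper.

```python
import bz2
import lzma
import zlib

# Candidate compressors of differing computational cost; NCD only needs the
# length of the compressed output, so any of them can be plugged in.
COMPRESSED_LENGTH = {
    "zlib": lambda data: len(zlib.compress(data)),
    "bz2":  lambda data: len(bz2.compress(data)),
    "lzma": lambda data: len(lzma.compress(data)),
}

def ncd(x: bytes, y: bytes, clen) -> float:
    cx, cy, cxy = clen(x), clen(y), clen(x + y)
    return (cxy - min(cx, cy)) / max(cx, cy)

def compare_compressors(block_a: bytes, block_b: bytes) -> dict:
    # NCD of the same pair of file blocks (e.g. 512-byte fragments) under each
    # candidate compressor, for side-by-side comparison.
    return {name: ncd(block_a, block_b, clen) for name, clen in COMPRESSED_LENGTH.items()}
```
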
  • 5. Ghorbanian, Sara
    et al.
    Fryklund, Glenn
    Axelsson, Stefan
    Blekinge Institute of Technology, Faculty of Computing, Department of Computer Science and Engineering.
    Do Data Loss Prevention Systems Really Work? (2015). In: Advances in Digital Forensics XI, 2015, p. 341-357. Conference paper (Refereed)
    Abstract [en]

    The threat of insiders stealing valuable corporate data continues to escalate. The inadvertent exposure of internal data has also become a major problem. Data loss prevention systems are designed to monitor and block attempts at exposing sensitive data to the outside world. They have become very popular, to the point where forensic investigators have to take these systems into account. This chapter describes the first experimental analysis of data loss prevention systems that attempts to ascertain their effectiveness at stopping the unauthorized exposure of sensitive data and the ease with which the systems could be circumvented. Four systems are evaluated (three of them in detail). The results point to considerable weaknesses in terms of general effectiveness and the ease with which the systems could be disabled.

  • 6. Lavesson, Niklas
    et al.
    Blekinge Institute of Technology, School of Computing.
    Axelsson, Stefan
    Blekinge Institute of Technology, School of Computing.
    Similarity assessment for removal of noisy end user license agreements (2012). In: Knowledge and Information Systems, ISSN 0219-1377, Vol. 32, no 1, p. 167-189. Article in journal (Refereed)
    Abstract [en]

    In previous work, we have shown the possibility to automatically discriminate between legitimate software and spyware-associated software by performing supervised learning of end user license agreements (EULAs). However, the amount of false positives (spyware classified as legitimate software) was too large for practical use. In this study, the false positives problem is addressed by removing noisy EULAs, which are identified by performing similarity analysis of the previously studied EULAs. Two candidate similarity analysis methods for this purpose are experimentally compared: cosine similarity assessment in conjunction with latent semantic analysis (LSA) and normalized compression distance (NCD). The results show that the number of false positives can be reduced significantly by removing noise identified by either method. However, the experimental results also indicate subtle performance differences between LSA and NCD. To improve the performance even further and to decrease the large number of attributes, the categorical proportional difference (CPD) feature selection algorithm was applied. CPD managed to greatly reduce the number of attributes while at the same time increase classification performance on the original data set, as well as on the LSA- and NCD-based data sets.

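A minimal sketch of the LSA-based cosine similarity assessment mentioned in entry 6 above, using scikit-learn; the preprocessing, the number of latent dimensions, and the "noisy document" criterion below are assumptions for illustration and may differ from the study's actual method.

```python
from sklearn.decomposition import TruncatedSVD
from sklearn.feature_extraction.text import TfidfVectorizer
from sklearn.metrics.pairwise import cosine_similarity

def lsa_similarity_matrix(eulas: list[str], n_components: int = 100):
    # Project the EULA texts into a latent semantic space (TF-IDF followed by
    # truncated SVD) and return the pairwise cosine similarity matrix.
    tfidf = TfidfVectorizer(stop_words="english").fit_transform(eulas)
    lsa = TruncatedSVD(n_components=n_components).fit_transform(tfidf)
    return cosine_similarity(lsa)

def flag_noisy(similarities, threshold: float = 0.2) -> list[int]:
    # One possible notion of a "noisy" EULA: a document whose mean similarity
    # to the rest of the corpus is unusually low (self-similarity excluded).
    n = similarities.shape[0]
    mean_sim = (similarities.sum(axis=1) - 1.0) / (n - 1)
    return [i for i, s in enumerate(mean_sim) if s < threshold]
```
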
  • 7. Lopez-Rojas, Edgar Alonso
    et al.
    Blekinge Institute of Technology, School of Computing.
    Axelsson, Stefan
    Blekinge Institute of Technology, School of Computing.
    Money Laundering Detection using Synthetic Data (2012). Conference paper (Refereed)
    Abstract [en]

    Criminals use money laundering to make the proceeds from their illegal activities look legitimate in the eyes of the rest of society. Current countermeasures taken by financial organizations are based on legal requirements and very basic statistical analysis. Machine Learning offers a number of ways to detect anomalous transactions. These methods can be based on supervised and unsupervised learning algorithms that improve the performance of detection of such criminal activity. In this study we present an analysis of the difficulties and considerations of applying machine learning techniques to this problem. We discuss the pros and cons of using synthetic data and problems and advantages inherent in the generation of such a data set. We do this using a case study and suggest an approach based on Multi-Agent Based Simulations (MABS).

  • 8. Lopez-Rojas, Edgar Alonso
    et al.
    Blekinge Institute of Technology, School of Computing.
    Axelsson, Stefan
    Blekinge Institute of Technology, School of Computing.
    Multi Agent Based Simulation (MABS) of Financial Transactions for Anti Money Laundering (AML) (2012). Conference paper (Refereed)
    Abstract [en]

    Mobile money is a service for performing financial transactions using a mobile phone. By law it has to have protection against money laundering and other types of fraud. Research into fraud detection methods is not as advanced as in other similar fields. However, getting access to real world data is difficult, due to the sensitive nature of financial transactions, and this makes research into detection methods difficult. Thus, we propose an approach based on a Multi-Agent Based Simulation (MABS) for the generation of synthetic transaction data. We present the generation of synthetic data logs of transactions and the use of such a data set for the study of different detection scenarios using machine learning.

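A toy sketch of the kind of multi-agent simulation entry 8 above proposes: agents that generate a synthetic log of mobile-money transfers, with a small fraction behaving fraudulently. All behaviours, rates, and amounts are invented for illustration and do not reflect the simulator described in the paper.

```python
import csv
import random

class Customer:
    # An agent that occasionally transfers money to other customers; agents
    # flagged as fraudsters transfer more often and in larger amounts.
    def __init__(self, cid: int, fraudster: bool):
        self.cid = cid
        self.fraudster = fraudster

    def act(self, others, step):
        if random.random() < (0.5 if self.fraudster else 0.1):
            peer = random.choice([o for o in others if o is not self])
            amount = random.expovariate(1 / (500.0 if self.fraudster else 50.0))
            return (step, self.cid, peer.cid, round(amount, 2), int(self.fraudster))
        return None

def simulate(n_customers=1000, n_steps=100, fraud_rate=0.01, path="synthetic_log.csv"):
    # Run every agent once per time step and write the resulting transactions
    # to a labelled CSV log usable for detection experiments.
    agents = [Customer(i, random.random() < fraud_rate) for i in range(n_customers)]
    with open(path, "w", newline="") as f:
        writer = csv.writer(f)
        writer.writerow(["step", "sender", "receiver", "amount", "is_fraud"])
        for step in range(n_steps):
            for agent in agents:
                transaction = agent.act(agents, step)
                if transaction:
                    writer.writerow(transaction)
```
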
  • 9. Lopez-Rojas, Edgar Alonso
    et al.
    Blekinge Institute of Technology, Faculty of Computing, Department of Computer Science and Engineering.
    Axelsson, Stefan
    Blekinge Institute of Technology, Faculty of Computing, Department of Computer Science and Engineering.
    Social Simulation of Commercial and Financial Behaviour for Fraud Detection Research (2014). In: Advances in Computational Social Science and Social Simulation / [ed] Miguel, Amblard, Barceló & Madella, Barcelona, 2014. Conference paper (Refereed)
    Abstract [en]

    We present a social simulation model that covers three main financial services: banks, retail stores, and payment systems. Our aim is to address the problem of a lack of public data sets for fraud detection research in each of these domains, and to provide a variety of fraud scenarios such as money laundering, sales fraud (based on refunds and discounts), and credit card fraud. Currently, there is a general lack of public research concerning fraud detection in the financial domains in general and these three in particular. One reason for this is the secrecy and sensitivity of the customer data that is needed to perform research. We present PaySim, RetSim, and BankSim as three case studies of social simulations for financial transactions using agent-based modelling. These simulators enable us to generate synthetic transaction data of normal customer behaviour, as well as known fraudulent behaviour. This synthetic data can be used to further advance fraud detection research, without leaking sensitive information about the underlying data. Using statistics and social network analysis (SNA) on real data, we can calibrate the relations between staff and customers, and generate realistic synthetic data sets. The generated data represents real-world scenarios that are found in the original data, with the added benefit that this data can be shared with other researchers for testing similar detection methods without concerns for privacy and other restrictions present when using the original data.

  • 10. Lopez-Rojas, Edgar Alonso
    et al.
    Blekinge Institute of Technology, Faculty of Computing, Department of Computer Science and Engineering.
    Axelsson, Stefan
    Blekinge Institute of Technology, Faculty of Computing, Department of Computer Science and Engineering. Gjovik University College.
    Using the RetSim Fraud Simulation Tool to set Thresholds for Triage of Retail Fraud (2015). In: Secure IT Systems, NordSec 2015 / [ed] Sonja Buchegger, Mads Dam, Springer, 2015, Vol. 9417, p. 156-171. Conference paper (Refereed)
    Abstract [en]

    The investigation of fraud in business has been a staple for the digital forensics practitioner since the introduction of computers in business. Much of this fraud takes place in the retail industry. When trying to stop losses from insider retail fraud, triage, i.e. the quick identification of sufficiently suspicious behaviour to warrant further investigation, is crucial, given the amount of normal, or insignificant, behaviour. It has previously been demonstrated that simple statistical threshold classification is a very successful way to detect fraud (Lopez-Rojas 2015). However, in order to do triage successfully, the thresholds have to be set correctly. We therefore present a simulation-based method to aid the user in accomplishing this, by simulating relevant fraud scenarios that are foreseen as possible and expected, in order to calculate optimal threshold limits. Compared with arbitrary thresholds, this method reduces the amount of labour spent on false positives and provides additional information, such as the total cost of a specific modelled fraud behaviour, for setting up a proper triage process. We argue that our method contributes to the allocation of resources for further investigations by optimizing the thresholds for triage and estimating the possible total cost of fraud. Using this method we manage to keep the losses below a desired percentage of sales, which the manager considers acceptable for keeping the business running properly.

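A hedged sketch of the threshold-setting idea in entry 10 above: given simulated transactions labelled as fraudulent or not, pick the highest triage threshold that keeps undetected fraud losses below a target fraction of sales. The data format and cost model are assumptions for illustration.

```python
def pick_threshold(transactions, max_loss_fraction: float = 0.01):
    # `transactions` is an iterable of (amount, is_fraud) pairs, e.g. produced
    # by a retail fraud simulator. Amounts at or above the chosen threshold
    # would be flagged for investigation; fraud below it slips through.
    transactions = list(transactions)
    total_sales = sum(amount for amount, _ in transactions)
    # Try thresholds from highest to lowest, so the first one that satisfies
    # the loss target is also the one that flags the fewest transactions.
    for threshold in sorted({amount for amount, _ in transactions}, reverse=True):
        undetected_loss = sum(a for a, fraud in transactions if fraud and a < threshold)
        if undetected_loss <= max_loss_fraction * total_sales:
            return threshold
    return min(amount for amount, _ in transactions)  # investigate everything
```
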
  • 11. Lopez-Rojas, Edgar Alonso
    et al.
    Blekinge Institute of Technology, Faculty of Computing, Department of Computer Science and Engineering.
    Gorton, Dan
    Axelsson, Stefan
    Blekinge Institute of Technology, Faculty of Computing, Department of Computer Science and Engineering.
    RetSim: A Shoe Store Agent-Based Simulation for Fraud Detection (2013). In: 25th European Modeling and Simulation Symposium, EMSS 2013, 2013, p. 25-34. Conference paper (Refereed)
    Abstract [en]

    RetSim is an agent-based simulator of a shoe store based on the transactional data of one of the largest retail shoe sellers in Sweden. The aim of RetSim is the generation of synthetic data that can be used for fraud detection research. Statistical and social network analysis (SNA) of relations between staff and customers was used to develop and calibrate the model. Our ultimate goal is for RetSim to be usable to model relevant scenarios to generate realistic data sets that can be used by academia, and others, to develop and reason about fraud detection methods without leaking any sensitive information about the underlying data. Synthetic data has the added benefit of being easier to acquire, faster and at less cost, for experimentation, even for those that have access to their own data. We argue that RetSim generates data that usefully approximates the relevant aspects of the real data.

  • 12. Nilsson, Alexander
    et al.
    Blekinge Institute of Technology, Faculty of Computing, Department of Computer Science and Engineering.
    Andersson, Marcus
    Blekinge Institute of Technology, Faculty of Computing, Department of Computer Science and Engineering.
    Axelsson, Stefan
    Blekinge Institute of Technology, Faculty of Computing, Department of Computer Science and Engineering.
    Key-hiding on the ARM platform (2014). In: Digital Investigation. The International Journal of Digital Forensics and Incident Response, ISSN 1742-2876, E-ISSN 1873-202X, Vol. 11, Supplement 1, p. S63-S67. Article in journal (Refereed)
    Abstract [en]

    To combat the problem of encryption key recovery from main memory using cold boot attacks, various solutions have been suggested, but most of these have been implemented on the x86 architecture, which is not prevalent in the smartphone market, where ARM dominates instead. One solution does exist for the ARM architecture, but it is limited to key sizes of 128 bits because it cannot utilise the full width of the CPU registers used for key storage. We developed a test implementation of CPU-bound key storage with 256-bit capacity, without using more hardware resources than the previous solution. We also show that access to the key can be restricted for programs executing outside the kernel space.

  • 13. Osekowska, Ewa
    et al.
    Blekinge Institute of Technology, Faculty of Computing, Department of Computer Science and Engineering.
    Axelsson, Stefan
    Blekinge Institute of Technology, Faculty of Computing, Department of Computer Science and Engineering.
    Carlsson, Bengt
    Blekinge Institute of Technology, Faculty of Computing, Department of Computer Science and Engineering.
    Potential fields in maritime anomaly detection (2013). Conference paper (Refereed)
    Abstract [en]

    This paper presents a novel approach for pattern extraction and anomaly detection in maritime vessel traffic, based on the theory of potential fields. Potential fields are used to represent and model normal, i.e. correct, behaviour in maritime transportation, observed in historical vessel tracks. The recorded paths of each maritime vessel generate potentials based on metrics such as geographical location, course, velocity, and type of vessel, resulting in a potential-based model of maritime traffic patterns. A prototype system, STRAND, developed for this study, computes and displays distinctive traffic patterns as potential fields on a geographic representation of the sea. The system builds a model of normal behaviour by collating and smoothing historical vessel tracks. The resulting visual presentation exposes distinct patterns of normal behaviour inherent in the recorded maritime traffic data. Based on the created model of normality, the system can then perform anomaly detection on current real-world maritime traffic data. Anomalies are detected as conflicts between a vessel's potential in live data and the local history-based potential field. The resulting detection performance is tested on AIS maritime tracking data from the Baltic region, and varies depending on the type of potential. The potential field based approach contributes to maritime situational awareness and enables automatic anomaly detection. The results show that anomalous behaviours in maritime traffic can be detected using this method, with varying performance, necessitating further study.

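A simplified sketch of the potential-field idea in entry 13 above: accumulate historical AIS positions on a geographic grid, smooth the result into a "normality" field, and flag live positions that fall in low-potential cells. Grid resolution, smoothing, bounds, and threshold are illustrative choices, not STRAND's; the real system also uses course, velocity, and vessel type.

```python
import numpy as np
from scipy.ndimage import gaussian_filter

# Illustrative bounding box for the Baltic region: (lat_min, lat_max), (lon_min, lon_max)
BALTIC_BOUNDS = ((53.0, 66.0), (9.0, 31.0))

def to_cell(lat, lon, shape, bounds=BALTIC_BOUNDS):
    (lat_min, lat_max), (lon_min, lon_max) = bounds
    i = int((lat - lat_min) / (lat_max - lat_min) * (shape[0] - 1))
    j = int((lon - lon_min) / (lon_max - lon_min) * (shape[1] - 1))
    return i, j

def build_potential_field(track_points, shape=(500, 500), sigma=2.0):
    # Each historical (lat, lon) position deposits potential in its grid cell;
    # Gaussian smoothing collates nearby tracks into a continuous field.
    field = np.zeros(shape)
    for lat, lon in track_points:
        i, j = to_cell(lat, lon, shape)
        if 0 <= i < shape[0] and 0 <= j < shape[1]:
            field[i, j] += 1.0
    return gaussian_filter(field, sigma=sigma)

def is_anomalous(lat, lon, field, threshold=0.1):
    # A live position is flagged when the local potential gives little support
    # for it being normal behaviour (or when it falls outside the modelled area).
    i, j = to_cell(lat, lon, field.shape)
    if not (0 <= i < field.shape[0] and 0 <= j < field.shape[1]):
        return True
    return field[i, j] < threshold
```
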
  • 14. Osekowska, Ewa
    et al.
    Blekinge Institute of Technology, Faculty of Computing, Department of Computer Science and Engineering.
    Axelsson, Stefan
    Blekinge Institute of Technology, Faculty of Computing, Department of Computer Science and Engineering.
    Carlsson, Bengt
    Blekinge Institute of Technology, Faculty of Computing, Department of Computer Science and Engineering.
    Potential fields in modeling transport over water (2015). In: Operations Research/Computer Science Interfaces Series, ISSN 1387-666X, Vol. 58, p. 259-280. Article in journal (Refereed)
    Abstract [en]

    Without an explicit road-like regulation, following the proper sailing routes and practices is still a challenge mostly addressed using seamen's know-how and experience. This chapter focuses on the problem of modeling ship movements over water with the aim to extract and represent this kind of knowledge. The purpose of the developed modeling method, inspired by the theory of potential fields, is to capture the process of navigation and piloting through the observation of ship behaviors in transport over water on narrow waterways. When successfully modeled, that knowledge can subsequently be used for various purposes. Here, the models of typical ship movements and behaviors are used to provide a visual insight into the actual normal traffic properties (maritime situational awareness) and to warn about potentially dangerous traffic behaviors (anomaly detection). A traffic modeling and anomaly detection prototype system, STRAND, implements the potential field based method for a collected set of AIS data. A quantitative case study is carried out to evaluate the applicability and performance of the implemented modeling method. The case study focuses on quantifying the detections for varying geographical resolution of the detection process. The potential fields extract and visualize the actual behavior patterns, such as the right-hand sailing rule and speed limits, without any prior assumptions or information introduced in advance. The display of patterns of correct (normal) behavior aids the choice of an optimal path, in contrast to the anomaly detection, which notifies about possible traffic incidents. A tool visualizing the potential fields may aid traffic surveillance and incident response, help recognize traffic regulation and legislative issues, and facilitate the process of waterways development and maintenance.

  • 15. Tribus, Hannes
    et al.
    Blekinge Institute of Technology, School of Computing.
    Morrigl, Irene
    Axelsson, Stefan
    Blekinge Institute of Technology, School of Computing.
    Using Data Mining for Static Code Analysis of C (2012). Conference paper (Refereed)
    Abstract [en]

    Static analysis of source code is one way to find bugs and problems in large software projects. Many approaches to static analysis have been proposed. We have proposed a novel way of performing static analysis: instead of methods based on semantic/logic analysis, we apply machine learning directly to the problem. This has many benefits. Learning by example means trivial programmer adaptability (a problem with many other approaches), and learning systems also have the advantage of being able to generalise and find problematic source code constructs that are not exactly as the programmer initially thought, to name a few. Due to the general interest in code quality and the availability of large open source code bases as test and development data, we believe this problem should be of interest to the larger data mining community. In this work we extend our previous approach, investigate a new way of doing feature selection, and test the suitability of many different learning algorithms on a selection of problems adapted from large publicly available open source projects. Many algorithms were much more successful than our previous proof-of-concept, and deliver practical levels of performance. This is clearly an interesting and minable problem.

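A hedged sketch of the algorithm comparison entry 15 above describes, using scikit-learn cross-validation over several learners; the particular classifiers and the assumption that code fragments are represented as token n-gram count features are illustrative, not the paper's exact experimental setup.

```python
from sklearn.ensemble import RandomForestClassifier
from sklearn.model_selection import cross_val_score
from sklearn.naive_bayes import MultinomialNB
from sklearn.svm import LinearSVC
from sklearn.tree import DecisionTreeClassifier

CLASSIFIERS = {
    "decision tree": DecisionTreeClassifier(),
    "random forest": RandomForestClassifier(n_estimators=100),
    "naive Bayes":   MultinomialNB(),
    "linear SVM":    LinearSVC(),
}

def compare_learners(X, y, folds: int = 10) -> dict:
    # X: feature matrix for labelled code fragments (e.g. token n-gram counts
    # of C functions); y: whether each fragment is problematic or not.
    # Returns mean cross-validated accuracy per candidate learner.
    return {name: cross_val_score(clf, X, y, cv=folds).mean()
            for name, clf in CLASSIFIERS.items()}
```
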
  • 16. Westphal, Florian
    et al.
    Blekinge Institute of Technology, Faculty of Computing, Department of Computer Science and Engineering.
    Axelsson, Stefan
    Blekinge Institute of Technology, Faculty of Computing, Department of Computer Science and Engineering.
    Neuhaus, Christian
    Polze, Andreas
    VMI-PL: A monitoring language for virtual platforms using virtual machine introspection (2014). In: Digital Investigation. The International Journal of Digital Forensics and Incident Response, ISSN 1742-2876, E-ISSN 1873-202X, Vol. 11, Supplement 2, p. S85-S94. Article in journal (Refereed)
    Abstract [en]

    With the growth of virtualization and cloud computing, more and more forensic investigations rely on being able to perform live forensics on a virtual machine using virtual machine introspection (VMI). Inspecting a virtual machine through its hypervisor enables investigation without risking contamination of the evidence, crashing the computer, etc. To broaden access to these techniques for the investigator/researcher, we have developed a new VMI monitoring language. This language is based on a review of the most commonly used VMI techniques to date, and it enables the user to monitor the virtual machine's memory, events and data streams. A prototype of our monitoring system was implemented in KVM, though implementation on any hypervisor that uses the common x86 virtualization hardware assistance support should be straightforward. Our prototype outperforms the proprietary VMware VProbes in many cases, with a maximum performance loss of 18% for a realistic test case, which we consider acceptable. Our implementation is freely available under a liberal software distribution license.
