Similar literature
Found 20 similar documents; search took 0 ms
1.
Android operating system has the highest market share in 2014, making it the most widely used mobile operating system in the world. This fact makes Android users the biggest target group for malware developers. Trend analyses show large increase in mobile malware targeting the Android platform. Android's security mechanism is based on an instrument that informs users about which permissions the application needs to be granted before installing them. This permission system provides an overview of the application and may help gain awareness about the risks. However, we do not have enough information to conclude that standard users read or digital investigators understand these permissions and their implications. Digital investigators need to be on the alert for the presence of malware when examining Android devices, and can benefit from supporting tools that help them understand the capabilities of such malicious code. This paper presents a permission-based Android malware detection system, APK Auditor that uses static analysis to characterize and classify Android applications as benign or malicious. APK Auditor consists of three components: (1) A signature database to store extracted information about applications and analysis results, (2) an Android client which is used by end-users to grant application analysis requests, and (3) a central server responsible for communicating with both signature database and smartphone client and managing whole analysis process. To test system performance, 8762 applications in total, 1853 benign applications from Google's Play Store and 6909 malicious applications from different sources were collected and analyzed by the system developed. The results show that APK Auditor is able to detect most well-known malwares and highlights the ones with a potential in approximately 88% accuracy with a 0.925 specificity.

2.
At the time of this writing, Android devices are widely used, and many studies considering methods of forensic acquisition of data from Android devices have been conducted. Similarly, a diverse collection of smartphone forensic tools has also been introduced. However, studies conducted thus far do not normally guarantee data integrity required for digital forensic investigations. Therefore, this work uses a previously proposed method of Android device acquisition utilizing ‘Recovery Mode’. This work evaluates Android Recovery Mode variables that potentially compromise data integrity at the time of data acquisition. Based on the conducted analysis, an Android data acquisition tool that ensures the integrity of acquired data is developed, which is demonstrated in a case study to test tool's ability to preserve data integrity.

3.
In a previous study, mechanical engineering models were utilized to deduce impact velocity and droplet volume of circular bloodstains by measuring stain diameter and counting spines radiating from their outer edge. A blind trial study was subsequently undertaken to evaluate the accuracy of this technique, using an applied, crime scene methodology. Calculations from bloodstains produced on paper, drywall, and wood were used to derive surface-specific equations to predict 39 unknown mock crime scene bloodstains created over a range of impact velocities (2.2-5.7 m/sec) and droplet volumes (12-45 microL). Strong correlations were found between expected and observed results, with correlation coefficients ranging between 0.83 and 0.99. The 95% confidence limit associated with predictions of impact velocity and droplet volume was calculated for paper (0.28 m/sec, 1.7 microL), drywall (0.37 m/sec, 1.7 microL), and wood (0.65 m/sec, 5.2 microL).

4.
This article provides a multi-disciplinary overview of the contemporary cybercrime ecosystem and its developments. It does so by reviewing and synthesising recent cybercrime research from fields such as cybersecurity, law and criminology. The article also examines ways in which gaps between the aforementioned fields arise and how to lessen them to increase cybersecurity. This article is divided into four main parts. The first part offers background on cybercrime and some of its main elements. It defines terminology, sets out a legal taxonomy of cybercrime offences and presents the estimated costs, threat agents and characteristics of various illicit activities and technical aspects of cybercrime. Parts two, three and four build on this preceding analysis by (separately) examining three prominent threat vectors within the ecosystem – malware, the darknet and Bitcoin and other cryptocurrencies. For each threat vector, the article identifies and investigates features, history, functions and current and expected states of development within the ecosystem. Through its attention to and synthesis of current research and results from different fields, this article offers a synoptic account of the cybercrime ecosystem, which can bridge potential knowledge gaps between fields.

5.
Reverse engineering is the primary step to analyze a piece of malware. After having disassembled a malware binary, a reverse engineer needs to spend extensive effort analyzing the resulting assembly code, and then documenting it through comments in the assembly code for future references. In this paper, we have developed an assembly code clone search system called ScalClone based on our previous work on assembly code clone detection systems. The objective of the system is to identify the code clones of a target malware from a collection of previously analyzed malware binaries. Our new contributions are summarized as follows: First, we introduce two assembly code clone search methods for malware analysis with a high recall rate. Second, our methods allow malware analysts to discover both exact and inexact clones at different token normalization levels. Third, we present a scalable system with a database model to support large-scale assembly code search. Finally, experimental results on real-life malware binaries suggest that our proposed methods can effectively identify assembly code clones with the consideration of different scenarios of code mutations.

6.
This paper describes the gross domestic product and hydrological environment service method for assessing the socio-economic consequences of implementing necessary measures for safeguarding the quality of groundwater for human consumption and eliminating the risk of pollution. This method assesses the positive and negative impacts of designations of protected areas. Economic assets and social goods are the two integrated variables used in analysing the method. The first includes economic impacts on the local gross domestic product of defining protected areas, and the second considers the benefits of this designation in the conservation of water resources, assigning a monetary value to the preserved resources. In addition, tools have been incorporated, such as payment for hydrological services and generation of permissible activities, which reduce negative social impacts through positive economic impacts. These tools can only be used when compliance with conservation requirements for protected areas is demonstrated. The conclusions of this study include an application of the proposed methodology and provide essential and specific assessments that show that this methodology fulfils the requirements of the European Water Framework Directive requirements and that it is an effective tool in the implementation and development of strategies for hydrological planning processes.

7.
This paper discusses the challenges of performing a forensic investigation against a multi-node Hadoop cluster and proposes a methodology for examiners to use in such situations. The procedure's aim of minimising disruption to the data centre during the acquisition process is achieved through the use of RAM forensics. This affords initial cluster reconnaissance which in turn facilitates targeted data acquisition on the identified DataNodes. To evaluate the methodology's feasibility, a small Hadoop Distributed File System (HDFS) was configured and forensic artefacts simulated upon it by deleting data originally stored in the cluster. RAM acquisition and analysis was then performed on the NameNode in order to test the validity of the suggested methodology. The results are cautiously positive in establishing that RAM analysis of the NameNode can be used to pinpoint the data blocks affected by the attack, allowing a targeted approach to the acquisition of data from the DataNodes, provided that the physical locations can be determined. A full forensic analysis of the DataNodes was beyond the scope of this project.

8.
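Objective: To establish a systematic method for detecting snake venom. Methods: Samples of three common snake venoms were tested to determine the optimal conditions for detecting snake venom by ELISA. Results: The ELISA snake venom detection method established in this study has a sensitivity of 3.9 ng/ml; cross-reaction experiments show that the method is highly specific, with cross-reactivity for only a few individual snake venoms; the time from sample collection to detection is within 1 h 40 min; animal experiments show that detection of snake venom in the blood of rabbits poisoned at the median lethal dose is effective within 48 h after poisoning, and detection in the blood of rabbits that died of poisoning is effective within 72 h after death. Conclusion: The established method is sensitive, accurate, rapid and simple, and is a reliable method for detecting snake venom.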

9.
We review a three-step civil commitment model and formulas for calculating the probability of release from commitment and the relative importance of the three steps in determining the outcome. New formulas are developed which enable predictions to be made about the effects of changes on the outcome of the three steps on the release probability. With the use of data from Oregon's civil commitment process, we present an example of the application of the methodology and conclude with a discussion of its major administrative and research implications.

10.
Both solution and solid state Nuclear Magnetic Resonance (NMR) spectroscopic techniques have been used to determine differences in commercially available condoms. Whilst solid state NMR is useful for determining the polymer backbone, it is not useful for forensic analysis due to the commonality of the latex condom. However solution NMR spectra obtained following a simple extraction procedure using hexane, provides a fingerprint of the additives in the lubricants. Following the development of a flow chart, basing decisions on the presence of particular peaks present in the solution spectra, 33 of 38 condoms could be individualized. Samples were also analyzed after having the lubricant manually removed and soaking the condom in water for 3 to 24 h. These experiments were performed to simulate a case of the sample having been used and disposed of by flushing down the toilet, as may be experienced in a case of a sexual assault. The results indicated that the only significant water soluble component was polyethylene glycol. The overall results suggest that the method developed may be a quick and useful technique in characterizing condoms. The information obtained can be used to provide associative evidence between suspect and crime, and so be useful in sexual assault cases.

11.
Forensic gait analysis is used to visually and quantitatively analyze information regarding the appearance and style of walking that can be presented as evidence in the court. The demand for analyzing CCTV pedestrian footage in video surveillance has been increasing. The dependence of the accuracy of semiautomatic silhouette-based analysis, often used in forensic science, on the differences in the viewing directions is a very challenging issue that is yet to be resolved for real case applications. Currently, the different viewing directions used in comparison footage significantly decrease the accuracy of same person analysis when using the silhouette-based method, often used in the Japanese forensic science domain. A calibration-based method was previously proposed to resolve this problem, but it requires performing an elaborate measurement procedure at the camera installation site for an accurate analysis. In this study, we propose a novel in-silico silhouette-based analysis method that significantly expands the number of viewing direction pre-set settings to 900 from the 24 used in the previous method. Several software tools have been developed to ensure that all the procedures can be executed on a computer. The experimental results confirm that the accuracy of the proposed method is comparable to that of the calibration-based method. Furthermore, the practical comparison results from actual consultation confirmed the effectiveness of the proposed method under existing viewing direction differences. We therefore anticipate that the proposed method will be beneficial for improving the analysis accuracy in real cases and therefore serve as a substitute of the previous method.

12.
董杜骄 《行政与法》2005,(4):119-120
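The various educational examinations organized by the national educational examination authorities involve many stages, including the organization and management of question setting, the printing, transport and safekeeping of examination papers, the conduct of the examination, and the organization and management of marking, which fully reflects the complexity of operating the educational examination system. China's current legal regime for examination paper security focuses on preventing the leaking of examination papers, while lacking legal provisions for handling an examination paper security incident once it has occurred. As a result, after such an incident the responsibilities of the relevant emergency response bodies are unclear, working procedures are disordered, and no legal basis can be found when effective measures are to be taken. On this basis, this article offers preliminary legislative reflections on how to respond to educational examination security incidents.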

13.
Despite the maturity of the software industry, empirical research demonstrates that average software quality, when measured through the presence of software defects, is low. Such defects cause a wide array of issues, not least in the form of vulnerabilities, which support a multi-billion pound a year industry of fraud in cyber crime. This paper suggests that this is the result of market failure stemming from two factors: the first is that information asymmetry prevents the establishment of software quality prior to purchase; whilst the second is that the legal provisions available under private law are unable in their current form to adequately address software liability issues. On that basis this paper proposes the use of standardisation as a tool to address both of these shortcomings by providing an industry benchmark against which software quality can be ascertained, as well as forming a legal tool for determining causation for the purposes of establishing legal liability.

14.
A random effects model using two levels of hierarchical nesting has been applied to the calculation of a likelihood ratio as a solution to the problem of comparison between two sets of replicated multivariate continuous observations where it is unknown whether the sets of measurements shared a common origin. Replicate measurements from a population of such measurements allow the calculation of both within-group and between-group variances/covariances. The within-group distribution has been modelled assuming a Normal distribution, and the between-group distribution has been modelled using a kernel density estimation procedure. A graphical method of estimating the dependency structure among the variables has been used to reduce this highly multivariate problem to several problems of lower dimension. The approach was tested using a database comprising measurements of eight major elements from each of four fragments from each of 200 glass objects and found to perform well compared with previous approaches, achieving a 15.2% false-positive rate, and a 5.5% false-negative rate. The modelling was then applied to two examples of casework in which glass found at the scene of the criminal activity has been compared with that found in association with a suspect.

15.
Closed-circuit television (CCTV) security systems have been widely used in banks, convenience stores, and other facilities. They are useful to deter crime and depict criminal activity. However, CCTV cameras that provide an overview of a monitored region can be useful for criminal investigation but sometimes can also be used for object identification (e.g., vehicle numbers, persons, etc.). In this paper, we propose a framework for improving the image quality of CCTV security systems. This framework is based upon motion detection technology. There are two cameras in the framework: one camera (camera A) is fixed focus with a zoom lens for moving-object detection, and the other one (camera B) is variable focus with an auto-zoom lens to capture higher resolution images of the objects of interest. When camera A detects a moving object in the monitored area, camera B, driven by an auto-zoom focus control algorithm, will take a higher resolution image of the object of interest. Experimental results show that the proposed framework can improve the likelihood that images obtained from stationary unattended CCTV cameras are sufficient to enable law enforcement officials to identify suspects and other objects of interest.

16.
Heterogeneity hinders our understanding of sexual violence; but does this problem extend to stranger rape and, if so, would the construction of homogeneous subtypes advance our understanding of this crime and aid criminal investigations and clinical practice? To answer these questions, 41 stranger rapists from the English high security hospitals were examined using version 3 of the Massachusetts Treatment Centre rapist typology (MTC:R3) and multidimensional scaling (MDS). The MTC:R3 suggested that sexual desire and opportunism were the primary motivations for these men, but that proportionately more psychopaths were violent and sadistic. In accordance with previous research, the men experienced problematic childhoods and displayed high rates of criminality and psychiatric morbidity in adulthood. However, MDS found that rapist histories and offence behaviours generally divide into sexual and violent themes. These results have important implications for theory, criminal investigations and clinical practice.

17.
18.
Research on Social Security Issues for Land-Lost Farmers   Total citations: 1, self-citations: 1, citations by others: 0
张凤龙  臧良 《行政与法》2007,24(11):58-61
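At present, in rural China, the lack of basic social security, together with farmers' poor re-employment capacity, has turned large numbers of land-lost farmers into a vulnerable group with no land to farm, no work to take, no social security to rely on, and a low standard of living. This article analyses the factors constraining social security for land-lost farmers and argues that land requisition rules should be improved as soon as possible, the raising of social security funds accelerated, the construction of a rural social security system advanced, and employment security mechanisms improved.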

19.
Psychological defence mechanisms have been considered important personality processes in the onset, maintenance and recovery of mental disorders. More recently, their application to understanding presenting problems and as potential outcome indicators for forensic patients has been recommended. However, to date there have been no investigations into the reliability and factor structure of defence mechanism assessments for this population. The current study investigated the factor structure, internal consistency and test-retest reliability of the Defence Style Questionnaire-40 (DSQ) for 160 adult male UK forensic patients. The three-factor model of defences proposed by the DSQ-40 developers was not confirmed in the study sample. Reliability indices of the three factors indicated that the Immature factor was the most ‘acceptable’ in terms of internal consistency. Test-retest reliability coefficients ranged from .70 to .91. A revised three-factor structure that closely corresponds to the original validation study is recommended following an exploratory factor analysis. The findings are compared with previous reliability and factor analytic evaluations of the DSQ-40, and recommendations for its use with forensic patients are discussed.

20.
A statistical methodology for the objective comparison of LDI-MS mass spectra of blue gel pen inks was evaluated. Thirty-three blue gel pen inks previously studied by RAMAN were analyzed directly on the paper using both positive and negative mode. The obtained mass spectra were first compared using relative areas of selected peaks using the Pearson correlation coefficient and the Euclidean distance. Intra-variability among results from one ink and inter-variability between results from different inks were compared in order to choose a differentiation threshold minimizing the rate of false negative (i.e. avoiding false differentiation of the inks). This yielded a discriminating power of up to 77% for analysis made in the negative mode. The whole mass spectra were then compared using the same methodology, allowing for a better DP in the negative mode of 92% using the Pearson correlation on standardized data. The positive mode results generally yielded a lower differential power (DP) than the negative mode due to a higher intra-variability compared to the inter-variability in the mass spectra of the ink samples.
