R. Nigel Horspool’s research while affiliated with University of Victoria and other places


Publications (116)


Experience with constructing code hunt contests
  • Conference Paper

July 2015 · 6 Reads · 1 Citation

R. Nigel Horspool · Jonathan de Halleux

Puzzles are the basic building block of Code Hunt contests. Creating puzzles and choosing suitable puzzles from the puzzle bank turns out to be a complex operation requiring skill and experience. Constructing a varied and interesting mix of puzzles is based on several factors. The major factor is the difficulty of the puzzle, so that the contest can build up from easier puzzles to more difficult ones. For a successful and fun contest aimed at the expected abilities of the contestants, other factors include the language features needed to solve the puzzle, clues to provide when the puzzle is presented to the player, and test cases to seed into the Code Hunt engine. We describe our experience with contest construction over a period of a year and provide guidelines for choosing and making adjustments to the puzzles so that a Code Hunt contest will provide a satisfying trouble-free experience for the contestants.



Figure 11 An Office Mix presentation
Code Hunt: Experience with Coding Contests at Scale
  • Conference Paper
  • Full-text available

May 2015 · 289 Reads · 48 Citations


Table 1 An example, comparing the change in frequency of Opcodes with the change in frequency of MAIL pattern ASSIGN, of a Windows program sort.exe compiled with different levels of optimizations
Table 4 Comparison of SWOD-CFWeight with the malware detection techniques discussed in Sect. 2
Sliding window and control flow weight for metamorphic malware detection

May 2014 · 1,594 Reads · 25 Citations

Journal of Computer Virology and Hacking Techniques

The latest stealth techniques, such as metamorphism, allow malware to evade detection by today’s signature-based anti-malware programs. Current techniques for detecting malware are compute intensive and unsuitable for real-time detection. Techniques based on opcode patterns have the potential to be used for real-time malware detection, but have the following issues: (1) The frequencies of opcodes can change by using different compilers, compiler optimizations and operating systems. (2) Obfuscations introduced by polymorphic and metamorphic malware can change the opcode distributions. (3) Selecting too many features (patterns) results in a high detection rate but also increases the runtime and vice versa. In this paper we present a novel technique named SWOD-CFWeight (Sliding Window of Difference and Control Flow Weight) that helps mitigate these effects and provides a solution to these problems. The SWOD size can be changed; this property gives anti-malware tool developers the ability to select appropriate parameters to further optimize malware detection. The CFWeight feature captures control flow information to an extent that helps detect metamorphic malware in real-time. Experimental evaluation of the proposed scheme using an existing dataset yields a malware detection rate of 99.08 % and a false positive rate of 0.93 %.


MARD: A Framework for Metamorphic Malware Analysis and Real-Time Detection

May 2014 · 195 Reads · 71 Citations

Computers & Security

Because of the financial and other gains attached with the growing malware industry, there is a need to automate the process of malware analysis and provide real-time malware detection. To hide a malware, obfuscation techniques are used. One such technique is metamorphism encoding that mutates the dynamic binary code and changes the opcode with every run to avoid detection. This makes malware difficult to detect in real-time and generally requires a behavioral signature for detection. In this paper we present a new framework called MARD for Metamorphic Malware Analysis and Real-Time Detection, to protect the end points that are often the last defense, against metamorphic malware. MARD provides: (1) automation (2) platform independence (3) optimizations for real-time performance and (4) modularity. We also present a comparison of MARD with other such recent efforts. Experimental evaluation of MARD achieves a detection rate of 99.6% and a false positive rate of 4%.


Figure 2: Example of pattern matching of two isomorphic CFGs. The CFG in (a) is isomorphic to the subgraph (blocks 0-3) of the CFG in (b).
MAIL: Malware Analysis Intermediate Language - A Step Towards Automating and Optimizing Malware Detection

November 2013 · 730 Reads · 29 Citations

Dynamic binary obfuscation or metamorphism is a technique where a malware never keeps the same sequence of opcodes in the memory. Such malware are very difficult to analyse and detect manually even with the help of tools. We need to automate the analysis and detection process of such malware. This paper introduces and presents a new language named MAIL (Malware Analysis Intermediate Language) to automate and optimize this process. MAIL also provides portability for building malware analysis and detection tools. Each MAIL statement is assigned a pattern that can be used to annotate a control flow graph for pattern matching to analyse and detect metamorphic malware. Experimental evaluation of the proposed approach using an existing dataset yields malware detection rate of 93.92% and false positive rate of 3.02%.


TouchDevelop Services

June 2013 · 4 Reads

This appendix reproduces material found on the TouchDevelop website at https://www.touchdevelop.com/docs/api. It is provided here to make the book more self-contained. Appendix B covers the objects (known as resources or services) provided by the API. The datatypes are covered in Appendix C.

Keywords (added by machine, not by the authors): Datatype · Appendix · Script Review · Calendar Service · Windows Phone


TouchDevelop Datatypes

June 2013 · 15 Reads

This appendix reproduces material found on the TouchDevelop website at https://www.touchdevelop.com/docs/api. This appendix provides descriptions of the datatypes implemented in TouchDevelop. Appendix B covers services (also called resources).


The Scripting Language

June 2013 · 28 Reads

A TouchDevelop script appears to the user as statements in a language which is not unlike many other programming languages. This chapter covers the syntax and semantics of that language. The language is augmented by a powerful and rich API (Application Programming Interface), an API which significantly extends the programming capabilities of the TouchDevelop language. The API is covered in the chapters which follow this one.

Keywords (added by machine, not by the authors): Result Parameter · Object Type · Collection Type · Reference Type · Window Phone


Sensors

June 2013 · 8 Reads

A typical smartphone or tablet contains sensors which track the device’s location, movement and orientation. Scripts can use these sensors in many ways. Sensors can provide input for navigation aids, they can be an integral part of a game, and they can provide simple input to scripts. The possibilities are endless. These sensors are probably absent from laptops and computers, however.

Keywords (added by machine, not by the authors): Magnetic Compass · Magnetic North · Window Phone · Small High Frequency · Follow Code Snippet


Citations (61)


... It is out there for developers and learners in many areas. Some examples are included here: Alice [31], TouchDevelop [32] (programming environment by Microsoft), Scratch [19] (coding tool by MIT for kids), Studio [33] (Studio for game creation by YoYo Games), and LabVIEW [34] (for engineers and scientists) to mention a small list. We adopted their idea of design easiness for the newcomers to the field of operating systems. ...

Reference:

A Framework for Visual Modular Design of Educational Operating System
TouchDevelop: Programming on the Go
  • Citing Book
  • June 2013

... Although quizzes usually focus on factual knowledge, they may be insufficient for software testing, as software testing is considered more as a practical skill than a mere knowledge domain (Tan et al., 2014). Moreover, the game Code Hunt by Bishop et al. (2015) consists of sectors and levels, requiring students to write program code that implements specific formulas or algorithms. In this game, students iteratively write and refine code through a series of modifications until it meets predefined testing criteria (Bishop et al., 2015). ...

Code Hunt: Experience with Coding Contests at Scale

... "Crowdsourced Software Engineering is the act of undertaking any external software engineering tasks by an undefined, potentially large group of online workers in an open call format" [18]. Crowdsourcing allows a requestor to tap into a global community of users with various types of expertise and background to facilitate the completion of a task that would be difficult to complete without a large group of individuals [19]. Crowdsourcing has also been utilized in software engineering to resolve coding, validation, and architectural problems. ...

Crowdsourcing Code and Process via Code Hunt
  • Citing Conference Paper
  • May 2015

... They used 5305 sample programs: 1020 metamorphic malware, 4285 benign Windows and Cygwin programs. Their technique showed 94% detection rate, 3.1% false positive rate and a mean maximum accuracy of 96% (Alam, Horspool, & Issa, MAIL: Malware Analysis Intermediate Language - A Step Towards Automating and Optimizing Malware Detection, 2013) (Alam, Sogukpinar, Issa, & Horspool, 2015). ...

Sliding window and control flow weight for metamorphic malware detection

Journal of Computer Virology and Hacking Techniques

... Also the lack of support for encapsulation, code clarity and unportability feature of C# lead to poor support for software reusability and its program units cannot be reused again. Another problem of C# is that it has less power to support and obtain high integrity systems or software (Bishop et al. 2002). ...

Experience with integrating Java with new technologies
  • Citing Conference Paper
  • January 2002

... Due to the dynamically changing and ever-evolving threat landscape, malware has become more sophisticated and cunning. Hence, to counteract this rapidly changing landscape, malware detection systems have trended towards real-time malware analysis [1,46] and self-protection systems [32,57], which provide benefits, such as early to immediate detection and consistent active monitoring. In this work, we apply the advantages of real-time malware analysis and the aforementioned benefits of system call-level analysis to dynamically identify behavioural patterns of crypto ransomware. ...

MARD: A Framework for Metamorphic Malware Analysis and Real-Time Detection
  • Citing Conference Paper
  • May 2014

Computers & Security

... Some recent endeavors have delved into the domain of graph matching for enhanced detection capabilities, where Control Flow Graphs (CFGs) are employed as program signatures. Specifically, these approaches involve the generation of CFGs from the programs under analysis, which are subsequently compared against a database of CFGs associated with known malware instances [1,3,5]. ...

MAIL: Malware Analysis Intermediate Language - A Step Towards Automating and Optimizing Malware Detection

... The overhead for a seal capsule is 1.2KB, but a typical agent in our demonstrator application is about 84KB. To alleviate this problem we developed a custom code compressor called Jazz [9] which is able to reduce Java bytecode files to 24% of their original size, that is one half the size of gzipped archive. Jazz is invoked by calling the compact method on a seal capsule. ...

JAZZ, compression of Java bytecode
  • Citing Article
  • January 1998

... Much attention was given recently to efficient implementation of message dispatching [14,17,21-27,35,44,45,52,53,59,69-71,73] and subtyping tests [1,8,9,33,34,41,42,47-49,58,66,74]. This paper revisits these two problems, studying their dynamic or incremental variants, in which the type hierarchy may grow during program execution, as allowed, e.g., in JAVA [4]. ...

Taming message passing: efficient method lookup for dynamically typed object-oriented languages
  • Citing Article
  • January 1994