Kar Wai Fok

Thesath Wijayasiri, Kar Wai Fok, Vrizlynn L. L. Thing

Static malware analysis remains a core technique in cybersecurity due to its ability to assess potentially malicious software without execution. Nevertheless, many existing static approaches rely on handcrafted features or curated datasets that may not generalize well to evolving malware distributions. In this work, we investigate an alternative representation that operates directly on raw binary content. Executable files are transformed into visual encodings that preserve local structural relationships, enabling the use of deep learning models without requiring semantic disassembly or dynamic behavior profiling. This study explores the use of a Consistency Bi-directional Generative Adversarial Network (CBi-GAN) as an anomaly detection framework rather than as a generative model. The method enforces consistency between latent encodings and reconstructions, allowing deviations from learned benign structure to be quantified through reconstruction discrepancies. Importantly, the approach does not introduce a new generative architecture, instead, it evaluates how consistency based generative modeling can be applied at scale to heterogeneous malware data. The proposed framework is evaluated across multiple datasets comprising both Portable Executable (PE) and Object Linking and Embedding (OLE) files, including a large self-collected corpus spanning 214 malware families. Results demonstrate stable detection performance in terms of Area Under the Curve (AUC) while maintaining a unified and computationally lightweight processing pipeline. These findings suggest that consistency based generative modeling provides a practical and scalable direction for malware anomaly detection across diverse file formats and threat families.

Rahul Kale, Zhi Lu, Kar Wai Fok et al.

Cyber intrusion attacks that compromise the users' critical and sensitive data are escalating in volume and intensity, especially with the growing connections between our daily life and the Internet. The large volume and high complexity of such intrusion attacks have impeded the effectiveness of most traditional defence techniques. While at the same time, the remarkable performance of the machine learning methods, especially deep learning, in computer vision, had garnered research interests from the cyber security community to further enhance and automate intrusion detections. However, the expensive data labeling and limitation of anomalous data make it challenging to train an intrusion detector in a fully supervised manner. Therefore, intrusion detection based on unsupervised anomaly detection is an important feature too. In this paper, we propose a three-stage deep learning anomaly detection based network intrusion attack detection framework. The framework comprises an integration of unsupervised (K-means clustering), semi-supervised (GANomaly) and supervised learning (CNN) algorithms. We then evaluated and showed the performance of our implemented framework on three benchmark datasets: NSL-KDD, CIC-IDS2018, and TON_IoT.

Martin Kodys, Zhi Lu, Kar Wai Fok et al.

Internet of Things (IoT) has become a popular paradigm to fulfil needs of the industry such as asset tracking, resource monitoring and automation. As security mechanisms are often neglected during the deployment of IoT devices, they are more easily attacked by complicated and large volume intrusion attacks using advanced techniques. Artificial Intelligence (AI) has been used by the cyber security community in the past decade to automatically identify such attacks. However, deep learning methods have yet to be extensively explored for Intrusion Detection Systems (IDS) specifically for IoT. Most recent works are based on time sequential models like LSTM and there is short of research in CNNs as they are not naturally suited for this problem. In this article, we propose a novel solution to the intrusion attacks against IoT devices using CNNs. The data is encoded as the convolutional operations to capture the patterns from the sensors data along time that are useful for attacks detection by CNNs. The proposed method is integrated with two classical CNNs: ResNet and EfficientNet, where the detection performance is evaluated. The experimental results show significant improvement in both true positive rate and false positive rate compared to the baseline using LSTM.

Kar Wai Fok, Vrizlynn L. L. Thing

Malwares are the key means leveraged by threat actors in the cyber space for their attacks. There is a large array of commercial solutions in the market and significant scientific research to tackle the challenge of the detection and defense against malwares. At the same time, attackers also advance their capabilities in creating polymorphic and metamorphic malwares to make it increasingly challenging for existing solutions. To tackle this issue, we propose a methodology to perform malware detection and family attribution. The proposed methodology first performs the extraction of opcodes from malwares in each family and constructs their respective opcode graphs. We explore the use of clustering algorithms on the opcode graphs to detect clusters of malwares within the same malware family. Such clusters can be seen as belonging to different sub-family groups. Opcode graph signatures are built from each detected cluster. Hence, for each malware family, a group of signatures is generated to represent the family. These signatures are used to classify an unknown sample as benign or belonging to one the malware families. We evaluate our methodology by performing experiments on a dataset consisting of both benign files and malware samples belonging to a number of different malware families and comparing the results to existing approach.