Skip to main content
SpringerLink
Log in

Uncovering Manipulated Files Using Mathematical Natural Laws

  • Conference paper
  • First Online:
Progress in Pattern Recognition, Image Analysis, Computer Vision, and Applications (CIARP 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14469))

Included in the following conference series:

  • 326 Accesses

Abstract

The data exchange between different sectors of society has led to the development of electronic documents supported by different reading formats, namely portable PDF format. These documents have characteristics similar to those used in programming languages, allowing the incorporation of potentially malicious code, which makes them a vector for cyberattacks. Thus, detecting anomalies in digital documents, such as PDF files, has become crucial in several domains, such as finance, digital forensic analysis and law enforcement. Currently, detection methods are mostly based on machine learning and are characterised by being complex, slow and mainly inefficient in detecting zero-day attacks. This paper aims to propose a Benford Law (BL) based model to uncover manipulated PDF documents by analysing potential anomalies in the first digit extracted from the PDF document’s characteristics.

The proposed model was evaluated using the CIC Evasive PDFMAL2022 dataset, consisting of 1191 documents (278 benign and 918 malicious). To classify the PDF documents, based on BL, into malicious or benign documents, three statistical models were used in conjunction with the mean absolute deviation: the parametric Pearson and the non-parametric Spearman and Cramer-Von Mises models. The results show a maximum F1 score of \(87.63\%\) in detecting malicious documents using Pearson’s model, demonstrating the suitability and effectiveness of applying Benford’s Law in detecting anomalies in digital documents to maintain the accuracy and integrity of information and promoting trust in systems and institutions.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Adobe: Zero day malware threat prevention, July 2015. chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/ https://www.oracle.com/a/otn/docs/zero-day-malware-protection-brief.pdf

  2. Arno Berger, T.P.H.: An Introduction to Benford’s Law. Princeton University Press (2015). https://www.ebook.de/de/product/23323656/arno_berger_theodore_p_hill_an_introduction_to_benford_s_law.html

  3. Arshadi, L., Jahangir, A.H.: Benford’s law behavior of internet traffic. J. Netw. Comput. Appl. 40, 194–205 (2014). https://doi.org/10.1016/j.jnca.2013.09.007

    Article  Google Scholar 

  4. Caelen, O.: A Bayesian interpretation of the confusion matrix. Ann. Math. Artif. Intell. 81(3–4), 429–450 (2017). https://doi.org/10.1007/s10472-017-9564-8

    Article  MathSciNet  MATH  Google Scholar 

  5. Cerioli, A., Barabesi, L., Cerasa, A., Menegatti, M., Perrotta, D.: Newcomb-Benford law and the detection of frauds in international trade. Proc. Natl. Acad. Sci. 116(1), 106–115 (2018). https://doi.org/10.1073/pnas.1806617115

    Article  MathSciNet  MATH  Google Scholar 

  6. Check Point: Snake Keylogger (2022). https://research.checkpoint.com/2022/18th-july-threat-intelligence-report/

  7. Collins, J.C.: Using excel and Benford’s law to detect fraud, April 2017. https://www.journalofaccountancy.com/issues/2017/apr/excel-and-benfords-law-to-detect-fraud.html

  8. Corum, A., Jenkins, D., Zheng, J.: Robust PDF malware detection with image visualization and processing techniques, June 2019. https://doi.org/10.1109/icdis.2019.00024

  9. Ferreira, S., Antunes, M., Correia, M.E.: Exposing manipulated photos and videos in digital forensics analysis. J. Imaging 7(7), 102 (2021). https://doi.org/10.3390/jimaging7070102

    Article  Google Scholar 

  10. Gopaldinne, S.R., Kaur, H., Kaur, P., Kaur, G., Madhuri: Overview of PDF malware classifiers. In: 2021 2nd International Conference on Intelligent Engineering and Management (ICIEM). IEEE, April 2021. https://doi.org/10.1109/iciem51511.2021.9445341

  11. Gottwalt, F., Waller, A., Liu, W.: Natural laws as a baseline for network anomaly detection. In: 2016 IEEE Trustcom/BigDataSE/ISPA, pp. 370–377 (2016). https://doi.org/10.1109/TrustCom.2016.0086

  12. Hajdarevic, K., Pattinson, C., Besic, I.: Improving learning skills in detection of denial of service attacks with newcombe - Benford’s law using interactive data extraction and analysis. TEM J., 527–534 (2022). https://doi.org/10.18421/tem112-05

  13. Hill, T.P.: The significant-digit phenomenon 102(4), 322–327. https://digitalcommons.calpoly.edu/cgi/viewcontent.cgi?article=1041 &context=rgp_rsr

  14. ISO: ISO 32000–1:2008document management - portable document format - part 1: Pdf 1.7, July 2008. https://www.iso.org/obp/ui/#iso:std:iso:32000:-1:ed-1:v1:en

  15. ISO: ISO 32000–2:2020document management - portable document format - part 2: Pdf 2.0, December 2020. https://www.iso.org/standard/75839.html

  16. Issakhani, M., Victor, P., Tekeoglu, A., Lashkari, A.: PDF malware detection based on stacking learning. In: Proceedings of the 8th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, pp. 562–570. INSTICC, SciTePress (2022). https://doi.org/10.5220/0010908400003120

  17. Kang, A., Jeong, Y.S., Kim, S., Woo, J.: Malicious PDF detection model against adversarial attack built from benign PDF containing JavaScript 9(22), 4764. https://doi.org/10.3390/app9224764

  18. Kurien, K.L., Chikkamannur, A.: An ameliorated hybrid model for fraud detection based on tree based algorithms and Benford’s law. In: 2020 Third International Conference on Advances in Electronics, Computers and Communications (ICAECC). IEEE, December 2020. https://doi.org/10.1109/icaecc50550.2020.9339471

  19. Le, T., Lobo, G.J.: Audit quality inputs and financial statement conformity to Benford’s law. J. Account. Audit. Finance 37(3), 586–602 (2022). https://doi.org/10.1177/0148558X20930467

    Article  Google Scholar 

  20. Mainka, C., Mladenov, V., Rohlmann, S.: Shadow attacks: hiding and replacing content in signed PDFs. In: Proceedings 2021 Network and Distributed System Security Symposium. Internet Society (2021). https://doi.org/10.14722/ndss.2021.24117

  21. Maiorca, D., Biggio, B.: Digital investigation of pdf files: Unveiling traces of embedded malware. IEEE Secur. Priv. 17(1), 63–71 (2019). https://doi.org/10.1109/MSEC.2018.2875879

    Article  Google Scholar 

  22. Issakhani, M., Victor, P., Tekeoglu, A., Lashkari, A.H.: PDF malware detection based on stacking learning. In: The International Conference on Information Systems Security and Privacy, February 2022. https://www.unb.ca/cic/datasets/pdfmal-2022.html

  23. Mavric, S.H.T., Yeo, C.K.: Online binary visualization for pdf documents. In: 2018 International Symposium on Consumer Technologies (ISCT). IEEE, May 2018. https://doi.org/10.1109/isce.2018.8408906

  24. Milano, F., Gomez-Exposito, A.: Detection of cyber-attacks of power systems through Benford’s law. IEEE Trans. Smart Grid 12(3), 2741–2744 (2021). https://doi.org/10.1109/tsg.2020.3042897

    Article  Google Scholar 

  25. Nigrini, M.J.: The patterns of the numbers used in occupational fraud schemes. Manag. Audit. J. 34(5), 606–626 (2019). https://doi.org/10.1108/maj-11-2017-1717

    Article  Google Scholar 

  26. Nunes, A., Ináicio, H., Marques, R.P.: Benford’s law and fraud detection in Portuguese enterprises. In: 2019 14th Iberian Conference on Information Systems and Technologies (CISTI), pp. 1–6 (2019). https://doi.org/10.23919/CISTI.2019.8760922

  27. POINT, C.: Cyber attack trends: 2022 mid-year report, August 2022

    Google Scholar 

  28. Rohlmann, S., Mladenov, V., Mainka, C., Schwenk, J.: Breaking the specification: PDF certification, May 2021. https://doi.org/10.1109/sp40001.2021.00110

  29. Schmitt, F., Gassen, J., Gerhards-Padilla, E.: PDF scrutinizer: detecting JavaScript-based attacks in PDF documents. In: 2012 Tenth Annual International Conference on Privacy, Security and Trust. IEEE, July 2012. https://doi.org/10.1109/pst.2012.6297926

  30. Sergeev, A.V., Khorev, P.B.: Analysis of methods for hiding information in PDF documents and opportunities for their progress, March 2020. https://doi.org/10.1109/reepe49198.2020.9059117

  31. Sethi, K., Kumar, R., Prajapati, N., Bera, P.: A lightweight intrusion detection system using Benford’s law and network flow size difference. In: 2020 International Conference on COMmunication Systems & NETworkS (COMSNETS). IEEE, January 2020. https://doi.org/10.1109/comsnets48256.2020.9027422

  32. Singh, P., Tapaswi, S., Gupta, S.: Malware detection in PDF and office documents: a survey. Inf. Secur. J. Global Perspect. 29(3), 134–153 (2020). https://doi.org/10.1080/19393555.2020.1723747

    Article  Google Scholar 

  33. Tharwat, A.: Classification assessment methods. Appl. Comput. Inform. 17(1), 168–192 (2020). https://doi.org/10.1016/j.aci.2018.08.003

    Article  Google Scholar 

  34. Wang, L., Ma, B.Q.: A concise proof of Benford’s law. Fundamental Research (2023). https://doi.org/10.1016/j.fmre.2023.01.002. https://www.sciencedirect.com/science/article/pii/S2667325823000043

Download references

Author information

Authors and Affiliations

  1. Department of Information Technology, Technological University of the Shannon, Moylish Park, Limerick, V94 EC5T, Ireland

    Pedro Fernandes & Séamus Ó Ciardhuáin

  2. School of Technology and Management, Polytechnic of Leiria, Leiria, Portugal

    Mário Antunes

  3. INESC TEC, CRACS, R. Campo Alegre 1021/1055, 4169-007, Porto, Portugal

    Mário Antunes

Authors
  1. Pedro Fernandes
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Séamus Ó Ciardhuáin
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Mário Antunes
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Pedro Fernandes .

Editor information

Editors and Affiliations

  1. Polytechnic Institute of Coimbra, Coimbra Institute of Engineering, Coimbra, Portugal

    Verónica Vasconcelos

  2. Polytechnic Institute of Coimbra, Coimbra Institute of Engineering, Coimbra, Portugal

    Inês Domingues

  3. Polytechnic Institute of Coimbra, Coimbra Institute of Engineering, Coimbra, Portugal

    Simão Paredes

Rights and permissions

Reprints and permissions

Copyright information

© 2024 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Fernandes, P., Ó Ciardhuáin, S., Antunes, M. (2024). Uncovering Manipulated Files Using Mathematical Natural Laws. In: Vasconcelos, V., Domingues, I., Paredes, S. (eds) Progress in Pattern Recognition, Image Analysis, Computer Vision, and Applications. CIARP 2023. Lecture Notes in Computer Science, vol 14469. Springer, Cham. https://doi.org/10.1007/978-3-031-49018-7_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-49018-7_4

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-49017-0

  • Online ISBN: 978-3-031-49018-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation