A Worm Detection System Based on Deep Learning

In today’s cyber world, worms pose a great threat to the global network infrastructure. In this paper, we propose a worm detection system based on deep learning. It includes two main modules: one worm detection module based on a convolutional neural network (CNN) and one automatic worm signature generation module based on a deep neural network (DNN). In the CNN-based worm detection module, we propose three kinds of data preprocessing methods: frequency processing, frequency weighted processing, and difference processing, and use CNN to train the model for worm detection. In the DNN-based worm signature generation module, there are two phrase: DNN is firstly utilized for training the model with worm payloads and their corresponding signatures as input in the training phrase. After worm payloads are fed into the trained DNN model in the test phrase, worm signatures are generated by our proposed Signature Beam Search algorithm. In the experiment, we firstly analyzed the impact of different data preprocessing methods and the number of convolution-pooling layers in the CNN model on the worm detection performance. Then we analyzed the effects of different signatures in the DNN algorithm on the automatic generation of worm signatures. Experiments show that the generated signatures have a good detection performance.


I. INTRODUCTION
Cyber threats from Internet worms are not new, but how to effectively detect and defend against them still remains an ongoing challenge. For example, global financial and economic losses from the ''WannaCry'' attack that crippled computers in at least 150 countries could swell into the billions of dollars, making it one of the most damaging incidents involving the so-called ransomware [1].
One of the most common and effective ways to detect worm attacks is to implement a signature-based intrusion detection system (IDS). However, signatures are usually analyzed and generated manually by security experts after worms have already launched attacks and caused severe damage.
The associate editor coordinating the review of this manuscript and approving it for publication was Pengcheng Liu . Furthermore, it is easy to fool signature-based solutions by obfuscation [2]. This technique simply skirts around the signature database stored in the IDS, giving the hacker an ideal opportunity to gain access to the network. As a result, the key to worm signature generation is to find matching invariant strings from worm payloads as soon as possible.
In recent years, there are a large number of researches on the automatic generation of worm signatures. Kaur and Singh [2] provided a detailed survey to outline the research efforts to the detection of modern zero-day malware in the form of zero-day polymorphic worms. Aljawarneh et al. [3] investigated the current automatic methods used to generate efficient and accurate signatures to create countermeasures against attacks by polymorphic worms. Bayoǧlu et al. [4] proposed a new polymorphic worm signature scheme called Conjunction of Combinational Motifs (CCM). CCM utilizes common substrings of polymorphic worm copies and also the relation between those substrings through dependency analysis. Tang et al. [5] designed a network-based signature generation (NSG) system-PolyTree, to defend against polymorphic worms. They observed that signatures from worms and their variants are relevant and a tree structure can accurately reflect their familiar resemblance. Mondal et al. [6] declared an automatic method that will generate signatures for the detection of polymorphic worms, and they applied Principal Component Analysis (PCA) for determining the critical substrings that appear mostly and are pooled amongst the instances of polymorphic worms for using them as signatures. Eskandari et al. [7] proposed a signature generation scheme based on token extraction and multiple sequence alignment. However, these methods are usually based on the features manually presented, and then design an algorithm to detect worms. As a result, the performance is much more dependent on those manually pre-defined features which may become the bottleneck.
Nowadays, significant achievements have been achieved in the fields of image processing, video processing, and natural language because of the remarkable technological breakthrough in feature learning in deep learning [8], [9]. Researchers feed the computer a learning algorithm, expose it to data to train it, and then allow the computer to figure out by itself how to recognize the desired objects, words, sentences, or speeches. Therefore, the cybersecurity academic community has begun to pay attention to the application of deep learning in intrusion detection. Zhu et al. [10] introduced DeepFlow, a novel deep learning-based approach for identifying malware directly from the data flows in the Android application. Özkan et al. [11] contributed the CNN features to overcome the malware detection problem. Kim et al. [12] proposed a convolutional gated recurrent neural network model that is capable of classifying malware to their respective families. Although there are already some researches on malware detection that utilizes deep learning to detect malicious code, most of them are classification. They can not help security products, for example virus products, detect attacks.
Worms spread over networks by payloads to exploit vulnerabilities in operating system or installed software. Payloads usually perform actions on affected computers. Therefore, payloads can distinguish worms. Due to the capacity of deep learning on learning features automatically, we choose to use deep learning to detect worms and extract worm signatures.
In this paper, we propose a novel worm detection system based on deep learning, which can detect worms accurately and generate worm signatures automatically. It includes two core parts: one CNN-based worm detection module and one DNN-based worm signature generation module. In the CNN-based worm detection module, three payload preprocessing methods are proposed: frequency processing, frequency weighted processing, and difference processing. CNN is utilized for training the model with processed payloads as inputs. In the DNN-based worm signature generation module, DNN is used to learn from worm payloads and their corresponding signatures to obtain the DNN model. Then we present a new signature generation algorithm called Signature Beam Search. Worm payloads are fed into the trained DNN model, and the Signature Beam Search algorithm is used to generate worm signatures. In the experiments, we firstly analyzed the effects of different preprocessing methods and the number of convolution-pooling layers used by CNN on detection. Then we analyzed the performance of DNN to extract signatures. Experiments show that the generated signatures have both low false positives and low false negatives.
The rest of the paper is organized as follows: we discuss the related work of worm detection in Section II. We introduce the system architecture of the worm detection system based on deep learning in Section III. Section IV introduces the worm detection approach based on CNN. The DNN-based automatic worm signature generation approach is described in Section V. Section VI discusses our extensive experiments in evaluating the proposed worm detection system. In the end, section VII draws the conclusion.

II. RELATED WORK
There are two types of intrusion detection systems: anomaly-based and signature-based intrusion detection systems. Anomaly-based intrusion detection system regularly monitors events and compares them with the statistical model. The signature-based detection method used by intrusion prevention systems involves a dictionary of uniquely identifiable signatures located in the code of each exploit. A vital advantage of this method is that signatures are easy to develop and understand for security experts. However, signatures are usually generated after worms have caused damage, so there are researches on automatic generation methods for worm signatures.
References [3], [13] investigated the current automatic methods used to generate efficient and accurate signatures to create countermeasures against attacks by polymorphic worms. Nahmias et al. [14] presented TrustSign, a novel, trusted automatic malware signature generation method based on high-level deep features transferred from a VGG-19 neural network model pre-trained on the ImageNet dataset. Szynkiewicz et al. [15] developed an efficient algorithm for token extraction and a novel method for automatic multitoken signature composition. Wang et al. [16] proposed an automatic signature extraction algorithm for polymorphic worms based on the improved Term Frequency-Inverse Document Frequency (TF-IDF). Afek et al. [17] presented a basic tool for zero-day attack signature extraction.
Due to the capacity of learning features automatically by deep learning, researchers apply deep learning to intrusion detection to resolve the characteristic dependence problem mentioned above. Nguyen et al. [18] built an IDS platform based on a convolutional neural network (CNN) called IDS-CNN to detect DDoS attacks. Experiments have shown that the CNN-based DDoS detection method outperforms traditional methods such as KNN, SVM, and Naive Bayes. Vinayakumar et al. [19] modeled network traffic as time-series, in a predefined time range with supervised learning methods.
Researchers have presented some DNN-based approaches to detect malware that have shown better results. Venkatraman et al. [20] proposed a novel and unified hybrid deep learning and visualization approach for the effective detection of malware. Zhong et al. [21] proposed a Multi-Level Deep Learning System (MLDLS) that organizes multiple deep learning models using the tree structure.

III. THE SYSTEM ARCHITECTURE
The architecture of our proposed worm detection system based on deep learning is shown in Figure 1. It is mainly divided into four modules, including a data collection engine, CNN-based worm detection module, DNN-based worm signature automatic generation module, and a worm alarm module.
The data collection engine is responsible for collecting network traffic and extracting payloads. The CNN-based worm detection approach detects worms by the payloads processed by the data collection engine. It distinguishes worm payloads from normal payloads based on CNN. If it detects worm, the corresponding payloads are submitted to the DNN-based worm signature generation module, which is responsible for generating signatures automatically. The DNN-based worm signature generation module is trained by learning the characteristics of worm payloads based on historic known worm traffic. Worm payloads are fed into the trained DNN network to generate corresponding signatures. All the results from the three components above are submitted to the worm alarm component, which helps to manage the system. Since the data collection engine and worm alarm are the auxiliary components of the system, this paper will not describe them in detail, but elaborate on the two core components of the CNN-based worm detection method and the DNN-based worm feature generation module.
The formal definitions of the detection process can be described as follows: The signature set SIG = {sig cpl | sig cpl ∈ dnn(cpl) cpl ∈ CPL}, where dnn() is the function that represents signatures generated by DNN-based worm signature automatic generation module, and sig cpl represents the generated signature of the payload cpl.
The description of the notations used in this paper is given in Table 1.

IV. CNN-BASED WORM DETECTION
With the in-depth research of CNN, it has achieved outstanding classification performance in image recognition. To capture the critical characteristics of worm payloads, we choose to use CNN for worm detection. The variable length of payloads should be first converted to a fixed length because CNN can only deal with fixed-length data. Although vectors, two-dimensional and three-dimensional matrices can all be considered as input to CNN, vectors have the following advantages: they can decrease the storage space and reduce the calculation during training. Therefore, we convert payloads into vectors as the input of CNN.
Definition 5: prep = preprocess(pl), where pl is the payload in Definition 1 and preprocess(pl) is the preprocessing function which coverts the payload pl to the generated vector prep.
We use the following three methods to process payloads: frequency processing, frequency weighted processing, and differential processing.
Frequency Processing: payloads are processed by counting the number of occurrences of each byte in the payload. Algorithm 1 illustrates the detailed procedure.
Frequency Weighted Processing: both the byte value and its frequency are considered in this method. Firstly, the frequency of each byte in the payload is counted, and then the weighted operation is performed by multiplying the byte value with its frequency. Algorithm 2 is the specific processing procedure.

Algorithm 1 Frequency Processing
Input: q Output: data[], the data after preprocessing Difference Processing: based on the 2-gram model, two adjacent bytes in worm payloads are closely correlated. As a result, we process payloads by calculating the difference between two adjacent bytes in the payload. The detail is in Algorithm 3.
Frequency processing represents the byte distribution of payloads. Frequency weighted processing represents the combination of the value and its frequency. Difference processing exploits the relationship of two adjacent bytes. All the methods above can reflect the features of payloads from different perspectives. And they can convert payloads to the corresponding format. We input the corresponding data to CNN to detect worm attacking. Although we tried to utilize other approaches to process payloads, they did not work after the processed data was input to the CNN network.
We established multilayer convolution-pool CNN models to study the effectiveness of the CNN-based worm detection. In this section, we introduce a three-layer convolutionpooling CNN model as an example, which is shown in Figure 2. The input in the figure represents the preprocessing vector, and Conv- * represents the convolutional layer, Pool- * represents the pooled layer, and Fc- * represents the fully connected layer. The processed payloads are fed into the CNN network as input for training. The convolution layer extracts features through a convolutional operation. The pooling layer down-samples the extracted feature maps. The fully connected layer combines the extracted features into a vector, and the SoftMax layer classifies and outputs the category. The where D is the number of layers in CNN, and l is the l-th convolutional layer, and M is the size of feature maps, K is the size of convolutional kernels, and C l is the output channels of l-th convolutional layer.

V. DNN-BASED WORM SIGNATURE GENERATION
The automatic signature generation helps shorten the response time for identifying malware by dynamically extracting signatures of unknown worms without human intervention. With the development of deep learning, Deep Neural Network (DNN) models have yielded many state-ofthe-art results in natural language processing. We choose to use DNN to extract worm signatures automatically, because worm signature generation is also a sequence-to-sequence task, and both payloads and signatures can be considered as a special text.
The whole process for automatic generation of worm signatures is divided into two parts: training the DNN model and generating worm signatures. In the training phase, both worm payloads and their corresponding signatures are fed to the DNN network for training. At the stage of generating signatures, worm payloads are input into the DNN network model, and our newly proposed Signature Beam Search algorithm is used to generate their corresponding signatures. VOLUME 8, 2020 A. MODEL Definition 6: The input a is a sequence of M bytes (a 1 , a 2 , . . . , a M ) and represents a worm payload.
Definition 8: X represents the set of all worm payloads, Y represents the set of all possible signatures.
The signature generation algorithm takes worm payloads as input and outputs its corresponding signature. There is a scoring function s: X × Y → R and the algorithm aims to find signatures b' ∈ Y so that: When the score function takes the window into account, it can be approximately represented as: where b c b[i-c + 1, . . . , i] represents the signature context with window C, and function dnn() represents the prediction function. The scoring function s(a, b) can be expressed as the form of conditional log-probability: s(a, b) = log p(b|a; θ) ≈ p(b|a, b c ; θ), where i refers to the index of position in signatures. We make a Markov hypothesis on b c and suppose that when i <1, b i is a start symbol <s>. From the above scoring function, we need to model the probability distribution of the local condition: p(b i+1 |a, b c ; θ). We utilize machine translation to parameterize the conditional probability distribution into a neural network, including a DNN model and a conditional signature generation encoder.

1) DNN MODEL
We construct a deep neural network model with four hidden layers based on the standard feed-forward neural network language model (NNLM) [22]. There are two reasons why we choose to use rectified linear unit(ReLU), for the hidden layer activation function. Firstly, it is more computationally efficient to compute than Sigmoid like functions, because ReLU does not perform expensive exponential operations as in Sigmoid. Secondly, it may reduce the likelihood of the gradient to vanish. The DNN model is as follows:  size of the byte embedding, V is the size of the vocabulary composed of worm payloads, H represents the number of neurons in the hidden layer, and C represents the context size in signatures. Figure 3 gives a schematic diagram of a deep neural network model, where a represents worm payloads, and b represents corresponding signatures. Four hidden layers are selected because the performance of the model with fewer layers is worse and the performance of the model with more layers is almost the same. Therefore, the computational complexity is o( |E| + |U| + |U'| + |U''| + |U'''| + |V| + |W|), where |P| is the size of P.

2) ATTENTION-BASED ENCODER
Signatures, which may be composed of multiple consecutive sub-strings, are the key information to identify worms. As a result, we only need to focus on the context of a limited number of bytes instead of the entire text. Therefore, we use an Attention-based encoder [23] that can construct representations based on worm payloads and signatures. Given a worm payload, there is a sliding window of size Q which is moving from the very left of the payload to the very right in the encoder. Each time the sliding window moves right by one byte. The specific formulas are described as follows: enc (a, b c ) = p Tā (9) p ∝ exp ãPb c (10) In formulas (9-13), G in R D×V represents an embedding of the signature context, P ∈ R H ×(CD) is a weight matrix, F ∈ R H ×V represents the embedding matrix of payloads; Q is the size of a smoothing window and configured as ten optimized by the data driven method. a is the input(payloads) where a = [ a 1 , a 2 , . . . ,a M ];ã can be computed by equation (11), andã i is the element ofã;ā can be calculated by equation (13) andā i is the element ofā; p T is the transpose of p. Therefore, the computational complexity is o(|F| + |G|+2|P| + |ã i |-Q), where |U| is the size of U.
We define the model above as p(y i+1 |x, y c ; θ), and then the loss function can be defined as follows: where x (j) is the input (payloads), and y (j) is the corresponding signatures.

B. WORM SIGNATURE GENERATION
The signature generation algorithm needs to find an optimal signature b' ∈ Y as follows: Machine translation is an NP problem, but the computation cost is not large when generating worm signatures. The dictionary V is composed of 256 ASCII in the worm signature generation. Furthermore, the location of the signature in the worm payload is orderly and sequential. Using the above characteristics of signatures, we propose a new method--Signature Beam Search algorithm to solve argmax function when generating signatures.
The Signature Beam Search algorithm uses a global search to generate worm signatures. In the search process, the appropriate bytes are selected by judging whether the predicted bytes are adjacent to the previously predicted bytes in worm payloads. When generating worm signatures, we select K bytes to the previously predicted bytes for each position in signatures. Before outputting the predicted signatures, the best signature is selected by sorting the log-probability of the candidate K signatures. As a result, the maximum time complexity of the Signature Beam Search algorithm is O(KNV). Signature Beam Search algorithm is described in Algorithm 4.

VI. EXPERIMENTS
In our experiments, we implemented both CNN and DNN algorithms for worm detection and signature generation based on the Torch framework [24]. Since most related and well-known methods (like Polygraph and PolyTree) evaluate their performance using synthetically generated payloads which are based on real-world exploits, we follow the same evaluation approach.
We used three synthetic worm payload datasets which are presented by Polygraph: Apache-Knacker [25], ATPhttpd [26], and TSIG [27]. Each payload dataset contains about 5000 records. All synthetically created worms use either the HTTP protocol or DNS protocol, so we collected real-world normal traffic data under the HTTP and DNS protocols. First of all, we collected a 10-day HTTP trace from our campus network gateway. Secondly, we utilized a 5day DNS trace from a DNS server that served in a company. Finally, the worm payload datasets were randomly combined with the real-world traffic traces.
We randomly divided 80% of the dataset as the training dataset and 20% as the testing dataset in the experiment. For the learning phase, we used a k-fold cross-validation method: the training dataset was partitioned into k subsets randomly. A single subset was retained as the validation dataset for testing the model, while the remaining k-1 subsets of the original dataset were used as training data. We repeated the process for k = 10 times, which was the same as [29], [30]; each one of the k subsets had been used once as the validation dataset. To obtain a single estimate, we computed the average of the k results from the folds.

A. CNN-BASED WORM DETECTION
To explore the validation of the CNN model to detect worms, we performed the CNN algorithm by binary classification. Binary classification is to distinguish worm attacks from normal traffic. There are additional experiments, including known and unknown worm detection. For known worm detection, there are both worm and normal payloads except Code Red II worm payloads in the training and test dataset. For the unknown worm detection, the test dataset is composed of all five CodeRed II worm payloads and a private worm VOLUME 8, 2020 payload dataset, and the training dataset consists of both worm payloads which do not contain payloads in the test dataset and normal payloads.
We use accuracy, false positive rate(FPR), false negative rate (FNR), Precision, Recall, F1-score, and AUC to evaluate CNN model as follows: Accuracy is the fraction of predictions that our model is right. It is defined as follows: where TP = True Positive, TN = True Negative, FP = False Positive, FN = False Negative. FPR is computed as the ratio between the number of negative events incorrectly classified as positive and the total number of actual negative events: FNR is the proportion of positives that yield negative prediction: Precision is defined as (19), which is the fraction of relevant samples between the retrieved samples: The Recall is the fraction of positive samples that are correctly classified as 'positive': The harmonic mean of precision and recall defines as F1score: Area Under Curve (AUC) measures the trade-off between misclassification rate and FPR: AUC = 0.5 * (TP/(TP + FP) + TN/(TN + FP)) (22) The loss function is defined as follows: where n denotes the number of output; Y denotes the output.

1) DATA PREPROCESSING METHODS
In this section, we trained CNN models with data processed by three different methods proposed in Section IV to assess the performance under the condition of one convolution-pooling layer.
The results for binary classification are shown in Table 2. The accuracy of frequency, frequency weight, and difference processing methods are 98.72%, 99.01%, and 99.27%, respectively. The accuracy of the difference processing method is the best. It also outperforms the other two processing methods in other metrics. Therefore, the difference processing approach outperforms the other approaches in binary classification. Figure 4 shows the accuracy trend of three processing methods in binary classification as execution time progresses for the 10-fold cross-validation on the dataset. Considering the accuracy of training data and validation data in binary classification, we observe that the accuracy is steady after the epoch is larger than 6. There are similar results in other metrics, so we do not report the corresponding curve.

2) CONVOLUTIONAL-POOLING LAYERS
We configured the CNN model with one, two, and three convolution-pooling layers to evaluate the effect of the number of layers on the accuracy of the CNN model. We choose the frequency processing method as an example while others hold similar results.
The results achieved by 10-fold cross-validation criterion in binary classification are presented in Table 3 to expound the performance of different layers, and also reveal the general information of the relation between the number of layers and the prediction accuracy for worm detection. The accuracy of one, two, and three layers are 98.72%, 99.07%, and 99.25%, respectively. Generally speaking, the number of convolution-pooling layers has little effect on the accuracy, because the accuracy is only improved by 0.5%. There are similar results to other metrics. Although more layers might improve the accuracy further, we do not report the result since it becomes trivial to simply add more layers, and the improved performance might not compensate for the increased computational cost. However, the less the layers are, the less the parameters are. As a result, one convolution-pooling layer is a good choice due to less occupation of system resources.

B. WORM SIGNATURE GENERATION
In this experiment, we used signatures generated by Polygraph [11], CCM [4], PolyTree [5] which are shown in Table 4, Table 5, and Table 6. Perplexity is utilized to study  the performance of the DNN model. The formula is as follows:    where w i represents the ith byte in the predicted signatures, and p(w i |w 1 w 2 . . . w i−1 ) indicates the probability of w i . As a result, the smaller the perplexity is, the better the performance of the model is.
In addition, accuracy is used to evaluate the effect of the DNN algorithm on extracting worm signatures. The accuracy can be obtained by matching the signatures extracted by the DNN algorithm and the original signatures. Accuracy's formula is as follows: where matchFalse denotes the number of bytes generated by the DNN algorithm that does not match the original signatures, matchTrue represents the number of bytes generated by the DNN algorithm that matches the original signatures.

1) SIGNATURE GENERATION OF KNOWN WORMS
We use signatures that Polygraph [11], CCM [4], PolyTree [5] extracted, and their corresponding polymorphic worm payloads as training data to evaluate the performance of DNN model by the accuracy. The results are shown in Table7,  Table 8, and Table 9. The accuracy of Apache-Knacker, ATPhttpd, and TSIG is 98.7%, 98%,99.3%, respectively.    It suggests that the DNN model has a good performance for accurate signature generation. The selection of proper signatures has little influence on the signature generation accuracy.   beginning of training and stay in a small range. That means the DNN model can be trained easily.

2) SIGNATURE GENERATION OF UNKNOWN WORMS
We used 10-fold cross-validation to train the model with three signatures extracted by Polygraph, CCM, PolyTree, and also used CodeRed worm payloads not previously utilized in training to explore the utility of our approach to detect unknown polymorphic worms. The payloads of unseen payloads (CodeRed worm payloads) and dataset payloads had different distribution, and the generated signatures are shown in Table  10. To test the accuracy of signatures, we combined the CodeRed worm packets with the real traces randomly. Then Snort implemented by the generated signatures monitors the network the combined traces are replayed to. The corresponding accuracy is 97.5%,96.5%,97%. That means that the signatures generated by the DNN model have a good performance.
Although we have a private worm payload dataset of a company(3000 worm payloads), we cannot show the generated signatures due to the privacy. We wrote the Snort rules based on the generated signatures of the private payload dataset and conducted the same experiment with CodeRed worm payloads above. The accuracy is 95.1%, which means that the DNN model can construct high-quality signatures of unknown worms.
We experimented with the DNN model which had less than four hidden layers, and the results were very bad. On the contrary, if we selected the model which had more than four layers, the results were almost the same. So we selected the DNN model with four hidden layers. The results are very similar to the results shown in Table 9 and 10, thus we do not show the results here again.

3) COMPARISON
To test the feasibility of our proposed model, we compared the DNN model with the hybrid method [31]. The results are shown in Table 10. The DNN model outperforms the hybrid method.That means that it holds great superiority in generating signatures of worms.

VII. CONCLUSION
In this paper, we propose a worm detection system based on deep learning. It includes a CNN-based worm detection module and a DNN-based worm signature automatic generation module. In the CNN-based worm detection module, we propose three data preprocessing methods: frequency processing, frequency weight processing, and differential processing, and use the CNN model to detect worms based on the three kinds of preprocessed data. In the DNN-based worm signature automatic generation module, worm payloads are input into the trained DNN model, and worm signatures are generated by the proposed Signature Beam Search algorithm.
In the experiments, we firstly analyzed the effects of different elements on the worm detection performance. Then we analyzed the effects of different signatures on the automatic generation of worm signatures. Experiments show that the generated signatures have both low false positives and false negatives. Further research is needed, for example, on the signature generation of other attacking methods. YESHUAI HU was born in 1994. He received the B.D. degree in science from Shanxi Normal University, in 2018. He is currently pursuing the master's degree with Liaoning University. His research interests include digital economy and cybersecurity.
XINLIN YANG was born in 1996. He graduated from the Shandong University of Technology, in 2019. He is currently pursuing the master's degree with Liaoning University. He followed Dr. Zhou Hanxun to learn the direction of network security based on machine learning and so on.
HONG PAN was born in 1979. He received the Ph.D. degree in economics from Liaoning University, in 2016. He is currently an Associate Professor with Liaoning University. His research interests include digital economy, big data management, distributed data management, and uncertain data management.
WEI GUO was born in China, in 1983. She received the B.S., M.S., and Ph.D. degrees from Northeast University, Shenyang, Liaoning, China, in 2006, 2008, and 2011, respectively. Since her graduation, she has been working with Shenyang Aerospace University, China, where she is currently an Associate Professor. Her research interests include artificial intelligence, machine learning, and image processing.