Similar literature (20 results)
1.
In recent years, we have witnessed a surge in mobile devices such as smartphones, tablets, smart watches, etc., most of which are based on the Android operating system. However, because these Android-based mobile devices are becoming increasingly popular, they are now the primary target of mobile malware, which could lead to both privacy leakage and property loss. To address the rapidly deteriorating security issues caused by mobile malware, various research efforts have been made to develop novel and effective detection mechanisms to identify and combat them. Nevertheless, in order to avoid being caught by these malware detection mechanisms, malware authors are inclined to initiate adversarial example attacks by tampering with mobile applications. In this paper, several types of adversarial example attacks are investigated and a feasible approach is proposed to fight against them. First, we look at adversarial example attacks on the Android system and prior solutions that have been proposed to address these attacks. Then, we specifically focus on the data poisoning attack and evasion attack models, which may mutate various application features, such as API calls, permissions and the class label, to produce adversarial examples. Then, we propose and design a malware detection approach that is resistant to adversarial examples. To observe and investigate how the malware detection system is influenced by the adversarial example attacks, we conduct experiments on some real Android application datasets which are composed of both malware and benign applications. Experimental results clearly indicate that the performance of Android malware detection is severely degraded when facing adversarial example attacks.

2.
With the rapid development of Internet of Things (IoT) technologies, the detection and analysis of malware have become a matter of concern in the industrial application of Cyber-Physical System (CPS) that provides various services using the IoT paradigm. Currently, many advanced machine learning methods such as deep learning are popular in the research of malware detection and analysis, and some achievements have been made so far. However, there are also some problems. For example, considering the noise and outliers in the existing datasets of malware, some methods are not robust enough. Therefore, the accuracy of malware classification still needs to be improved. Aiming at this issue, we propose a novel method that combines the correntropy and the deep learning model. In our proposed method for malware detection and analysis, given the success of the mixture correntropy as an effective similarity measure in addressing complex datasets with noise, it is therefore incorporated into a popular deep learning model, i.e., Convolutional Neural Network (CNN), to reconstruct its loss function, with the purpose of further detecting the features of outliers. We present the detailed design process of our method. Furthermore, the proposed method is tested both on a real-world malware dataset and a popular benchmark dataset to verify its learning performance.

3.
To address the problem that existing Android malicious code detection methods are easily bypassed, this paper proposes a strongly adversary-resistant Android malicious code detection method. First, a mobile application behavior analysis method combining dynamic and static analysis is designed and implemented; it can defeat the interference of multiple anti-analysis techniques and reliably extract a mobile application's permission information, protection information and behavior information. Then, capability features and behavior features that can withstand mimicry attacks are extracted from this information, and a neural network model based on Long Short-Term Memory (LSTM) is used to detect malicious code. Finally, experiments demonstrate the reliability and advancement of the proposed method.

4.
In recent years, many adversarial malware examples with different feature strategies, especially GAN and its variants, have been introduced to handle the security threats, e.g., evading the detection of machine learning detectors. However, these solutions still suffer from problems of complicated deployment or long running time. In this paper, we propose an n-gram MalGAN method to solve these problems. We borrow the idea of n-gram from the Natural Language Processing (NLP) area to expand feature sources for adversarial malware examples in MalGAN. Generally, the n-gram MalGAN obtains the feature vector directly from the hexadecimal bytecodes of the executable file. It can be implemented easily and conveniently with a simple programming language (e.g., C++), with no need for any prior knowledge of the executable file or any professional feature extraction tools. These features are functionally independent and thus can be added to the non-functional area of the malicious program to maintain its original executability. In this way, the n-gram could make the adversarial attack easier and more convenient. Experimental results show that the evasion rate of the n-gram MalGAN is at least 88.58% to attack different machine learning algorithms under an appropriate group rate, growing to even 100% for the Random Forest algorithm.

5.
Research on attack classification based on network connections
As IDS technology has matured, attack taxonomies oriented toward IDS detection have emerged in large numbers in recent years. Building on an analysis and comparison of three representative IDS-oriented attack taxonomies, and targeting their respective shortcomings in the comprehensiveness of the underlying classification data, the concreteness of attack features, and their contribution to improving IDS detection accuracy and efficiency, this paper proposes an APC attack classification method based on network connections that considers three aspects of an attack: address information (A), protocol state (P) and connection state (C). Experimental analysis shows that this classification method has a more comprehensive data basis and more concrete attack features, and is easier to use for IDS detection and for constructing attack data.

6.
Malware detection and homology analysis have been hotspots of malware analysis. The API call graph of malware can represent its behavior. Because the subgraph isomorphism algorithm has high complexity, malware analysis based on graph structure has low efficiency. Therefore, this paper studies a homology analysis method for malware API graphs that uses a convolutional neural network. By selecting key nodes and constructing neighborhood receptive fields, the convolutional neural network can handle graph-structured data. Experimental results on 8 real-world malware families show that the accuracy rate of malware homology analysis reaches 93%, and the accuracy rate of malicious code detection reaches 96%.

7.
8.
As the risk of malware is sharply increasing in the Android platform, Android malware detection has become an important research topic. Existing works have demonstrated that the required permissions of Android applications are valuable for malware analysis, but how to exploit those permission patterns for malware detection remains an open issue. In this paper, we introduce contrasting permission patterns to characterize the essential differences between malware and clean applications from the permission aspect. Then a framework based on contrasting permission patterns is presented for Android malware detection. According to the proposed framework, an ensemble classifier, Enclamald, is further developed to detect whether an application is potentially malicious. Every contrasting permission pattern acts as a weak classifier in Enclamald, and the weighted predictions of the involved weak classifiers are aggregated into the final result. Experiments on real-world applications validate that the proposed Enclamald classifier outperforms commonly used classifiers for Android malware detection.

9.
张淼, 杨有秀, 程工, 董航, 李承泽. China Communications, 2012, 9(12): 144-152
Mobile malware is rapidly increasing and its detection has become a critical issue. In this study, we summarize the common characteristics of this malicious software on the Android platform. We design a detection engine consisting of six parts: decompile, grammar parsing, control flow and data flow analysis, safety analysis, and comprehensive evaluation. In the comprehensive evaluation, we obtain a weight vector of 29 evaluation indexes using the analytic hierarchy process. During this process, the detection engine exports a list of suspicious APIs. On the basis of this list, the evaluation part of the engine performs a comprehensive evaluation of the hazard assessment of the software sample. Finally, a hazard classification is given for the software. The false positive rate of our approach for detecting malware samples is 4.7% and for normal samples is 7.6%. The experimental results show that the accuracy rate of our approach is almost similar to the method based on virus signatures. Compared with the method based on virus signatures, our approach performs well in detecting unknown malware. This approach is promising for the application of malware detection.

10.
In the recent era, the security issues affecting the future Internet-of-Things (IoT) standards have attracted noteworthy attention from numerous research communities. In this view, numerous assessments in the form of surveys were proposed highlighting several future IoT-centric subjects together with threat modeling, intrusion detection systems (IDS), and various emergent technologies. In contrast, in this article, we have focused exclusively on the emerging IoT-related vulnerabilities. This article is a multi-fold survey that emphasizes understanding the crucial causes of novel vulnerabilities in IoT paradigms and issues in existing research. Initially, we have focused on the different layers of IoT architecture and highlight various emerging security challenges associated with each layer along with the key issues of different IoT systems. Secondly, we discuss the exploitation, detection, and defense methodologies of IoT malware-enabled distributed denial of service (DDoS), Sybil, and collusion attack capabilities. We have also discussed numerous state-of-the-art strategies for intrusion detection and methods for IDS setup in future IoT systems. Third, we have presented a brief classification of existing IoT authentication protocols and a comparative analysis of such protocols based on different IoT-enabled cyber attacks. For conducting real-time future IoT research, we have presented some emerging blockchain solutions. We have also discussed a comparative examination of some of the recently developed simulation tools and IoT test beds that are characterized based on different layers of IoT infrastructure. We have also outlined some of the open issues and future research directions, and we also provide readers with a broad classification of existing surveys in this domain that address several scopes related to the IoT paradigm. This survey article focuses on enabling IoT-related research activities by comparing and merging scattered surveys in this domain.

11.
To address the increasingly serious threat that malware poses to Android phone security, an improved Android malware detection algorithm is proposed. Multiple behavioral feature values obtained from applications on Android mobile devices are monitored, machine learning techniques are applied, and the traditional naive Bayes algorithm is improved by combining it with a chi-square test filter to detect malware on the Android system. Simulation results show that using the chi-square test to filter application behavioral features before applying the naive Bayes classification model gives Android-based malware detection a lower false positive rate and higher accuracy.

12.
To counter the sandbox evasion behavior of malicious code and improve the efficiency of malicious code analysis, this paper proposes a sandbox evasion detection technique for malicious code based on code evolution. Static semantic information and dynamic runtime information of the malicious code are extracted, and a decision algorithm based on similarity differences is designed that exploits the differences in static and dynamic semantics produced by sandbox evasion behavior during code evolution. A total of 240 malicious samples with sandbox evasion behavior were detected across 7 real malware families; compared with the JOE analysis system, accuracy improved by 12.5% while the false positive rate was reduced to 1%, which verifies the correctness and effectiveness of the proposed method.

13.
In this paper, obfuscation techniques used by novel malware are presented and compared. IAT smashing, string encryption and dynamic programming are explained as static methods, while hooking at the user and kernel levels of the OS via DLL injection, modification of SSDT and IDT table addresses, IRP filtering, and processor emulation are techniques of the dynamic methods. This paper suggests an approach for getting past malware obfuscation techniques so that malware behavior can be analyzed. The methods in the proposed approach are detecting the presence time of a malware at the user and kernel levels of the OS, dumping the malware's executable memory at the correct time, and precise hook installation. The main purpose of this paper is the establishment of an efficient platform to analyze the behavior of and detect novel malware that uses metamorphic engines, packers and protector tools to obfuscate and transform itself. Finally, this paper uses a dataset comprising different kinds of obfuscated and metamorphic malware to prove the usefulness of its methods experimentally. Experiments show that the proposed methods can confront most malware obfuscation techniques. The success rate of unpacking obfuscated malware was evaluated, and the approach shows an 85% success rate in recognizing kernel-level malware.

14.
In the current smartphone market, Android holds a large share, and because of its openness, smartphones based on the Android system easily become attackers' preferred targets. With the rapid growth of Android malware, Android phone users urgently need solutions to protect the security of their phones. To this end, static analysis was performed on many Android malware samples, yielding a list of dangerous APIs, a list of dangerous system calls and a list of permissions present in Android malware; these lists were merged to form a hybrid feature set for Android applications. Using the hybrid feature set together with principal component analysis (PCA) and a support vector machine (SVM), a static detection model for Android malware was established. Simulation experiments with this model show that the method can quickly detect malware in Android applications without running the software, with high detection accuracy.

15.
Intrusion detection is frequently used as a second line of defense in Mobile Ad-hoc Networks (MANETs). In this paper we examine how to properly use classification methods in intrusion detection for MANETs. In order to do so we evaluate five supervised classification algorithms for intrusion detection on a number of metrics. We measure their performance on a dataset, described in this paper, which includes varied traffic conditions and mobility patterns for multiple attacks. One of our goals is to investigate how classification performance depends on the problem cost matrix. Consequently, we examine how the use of uniform versus weighted cost matrices affects classifier performance. A second goal is to examine techniques for tuning classifiers when unknown attack subtypes are expected during testing. Frequently, when classifiers are tuned using cross-validation, data from the same types of attacks are available in all folds. This differs from real-world employment where unknown types of attacks may be present. Consequently, we develop a sequential cross-validation procedure so that not all types of attacks will necessarily be present across all folds, in the hope that this would make the tuning of classifiers more robust. Our results indicate that weighted cost matrices can be used effectively with most statistical classifiers and that sequential cross-validation can have a small, but significant effect for certain types of classifiers.

16.
Malware can often successfully attack virtual machines and their management systems, leaving the virtual environment in an insecure state that is difficult to recover. Traditional security protection mechanisms cannot meet the security requirements of virtual environments. This paper proposes an agent-based detection and collaborative repair mechanism in which multiple virtual machine nodes share repair status information so that effective repair tools can be obtained quickly, improving recovery capability. Simulation analysis and experimental results demonstrate the practicality and efficiency of the mechanism.

17.
Side channel attacks are a very serious menace to embedded devices with cryptographic applications. To counteract such attacks, many randomization techniques have been proposed. One efficient technique in elliptic curve cryptosystems randomizes addition chains with binary signed digit (BSD) representations of the secret key. However, when such countermeasures have been used alone, most of them have been broken by various simple power analysis attacks. In this paper, we consider combinations which can enhance the security of countermeasures using BSD representations by adding additional countermeasures. First, we propose several ways the improved countermeasures based on BSD representations can be attacked. In an actual statistical power analysis attack, the number of samples plays an important role. Therefore, we estimate the number of samples needed in the proposed attack.

18.
任卓君, 陈光, 卢文科. Acta Electronica Sinica, 2019, 47(10): 2108-2115
This paper proposes two malicious code visualization methods based on N-gram features. Method one represents the code in the form of a space-filling curve, solving the problem that the grayscale image method cannot locate character information for interactive analysis; method two visualizes the 2-gram features of malicious code, solving the problem that global image features can be altered by relocating code segments or adding redundant information. The recognition and classification performance of the proposed methods was verified with a deep fusion network, achieving good results.

19.
Commonly used security detection techniques for current mobile application software
While all kinds of mobile applications bring convenience to people's lives, the threat that malicious applications pose to terminal security is also gradually increasing. Addressing the problem of security detection of malicious applications, this article summarizes four commonly used detection techniques: static detection, signature scanning, binary code reverse analysis and dynamic behavior monitoring. It gives the detection method, detection process and key techniques of each, and analyzes the advantages and shortcomings of each technique.

20.
In communications, there has been a paradigm shift toward the widespread adoption of wireless technologies in recent years. This evolution to—often ad-hoc—wireless communication has led to significant benefits in terms of flexibility and mobility. However, alongside these benefits, arise new attack vectors, which cannot be mitigated by traditional security measures. Especially in scenarios where traditional, proactive cryptographic techniques cannot be deployed or have been compromised, reactive mechanisms are necessary to detect intrusions. In this paper, we discuss new directions and future challenges in detecting insider attacks for the exemplary application domain of industrial wireless networks, an enabling technology for current smart factory trends. First, we review existing work on intrusion detection in mobile ad-hoc networks with a focus on physical-layer-based detection mechanisms. Second, we conduct a proof-of-concept study of insider detection in industrial wireless networks using real-world measurements from an industrial facility. Based on the study, we point out new directions for future research.
