基于权重分析的网页木马检测模型

鉴于传统的检测方案无法准确地检测复杂多变的网页木马行为,文中提出一种基于行为特征权重分析的检测模型。总结网页木马的典型行为,利用权重分析的方法进行综合评价,最终根据阈值判别待检测脚本文件是否是网页木马。实验表明,该方法可以有效地检测网页木马,提高检测效率。该检测模型是对基于特征码检测技术的补充,在新型网页木马不断涌现的今天,在基于特征码检测技术中,具有一定的应用意义。     

一种基于代码特征的网页木马改良模型研究

鉴于传统的检测方案无法准确地检测复杂多变的网页木马行为,简要介绍了网页木马的原理,结合了传统检测方案的优点,总结了检测网页木马的分析流程,归纳了网页木马的典型特征,以空间向量模型为理论依据,提出了一种改进的基于代码特征的网页木马检测模型,并依据此网页木马模型对网页木马样本进行分析与总结,为有效的检测网页木马提供理论依据、为防止其恶意行为提供新思路。     

基于温度特征分析的硬件木马检测方法

硬件木马是一种在特定条件下使集成电路失效或泄露机密信息等的恶意电路,给现代信息系统带来了严重的安全隐患。该文基于硬件木马在芯片工作之初造成的温度响应特征,提出一种利用芯片温度变化特性并进行比对的硬件木马检测方法。该方法采用环形振荡器作为片内温度特征测量传感器,提取温度变化特征信息,并采用曲线拟合评价指标来评估硬件木马对温度变化特征的影响,通过比对无木马芯片温度响应特征从而完成木马检测。通过对10个不同芯片的检测,结果表明该方法能够对面积消耗32个逻辑单元硬件木马的检测率达到100%,对16个逻辑单元检测概率也能达到90%;同时检测结果表明该方法完成硬件木马检测后,能够对硬件木马的植入位置进行粗定位。     

基于网络行为分析的木马病毒检测算法

木马病毒检测是保证计算机网络安全的关键。针对此问题,提出了一种基于网络行为分析的木马病毒检测方法。首先,提取变长度N-Gram特征作为木马行为特征;其次,针对NGram特征存在的冗余问题,采用信息增益进行筛选,提高特征对木马检测的针对性;最后,构建了一个基于支持向量机的木马病毒检测分类器。仿真实验结果表明,提出的检测方法能够有效检测各类木马病毒程序,且各项检测指标均优于目前检测方法。     

用于检测硬件木马延时的线性判别分析算法

针对芯片生产链长、安全性差、可靠性低,导致硬件木马防不胜防的问题,该文提出一种针对旁路信号分析的木马检测方法。首先采集不同电压下电路的延时信号,通过线性判别分析(LDA)分类算法找出延时差异,若延时与干净电路相同,则判定为干净电路,否则判定有木马。然后联合多项式回归算法对木马延时特征进行拟合,基于回归函数建立木马特征库,最终实现硬件木马的准确识别。实验结果表明,提出的LDA联合线性回归(LR)算法可以根据延时特征识别木马电路,其木马检测率优于其他木马检测方法。更有利的是,随着电路规模的增大意味着数据量的增加,这更便于进行数据分析与特征提取,降低了木马检测难度。通过该方法的研究,对未来工艺极限下识别木马电路、提高芯片安全性与可靠性具有重要的指导作用。     

基于特征提取和SVM的硬件木马检测方法

针对现有基于机器学习的硬件木马检测方法检测率不高的问题,提出了一种基于特征提取和支持向量机(SVM)的硬件木马检测方法。首先在门级网表的节点中提取6个与硬件木马强相关的特征,并将其作为6维特征向量。然后将这些特征向量分为训练集和测试集。最后使用SVM检测木马。将该方法应用于15个Trust-Hub基准电路,实验结果表明,该方法可实现高达93%的平均硬件木马检测率,部分基准电路的硬件木马检测率达到100%。     

工艺偏差下基于功耗与延时的硬件木马检测有效性分析

首先简述了硬件木马以及现有的硬件木马检测方法,之后考虑了工艺偏差对硬件木马检测的影响;工艺偏差的存在对电路功耗和延时等都会造成一定的影响,从而在一定程度上掩盖了硬件木马电路引起的功耗和延时特征变化.实验中针对AES加密核心S-box电路设计植入了一种基于组合电路的功能型硬件木马电路,并在40 nm工艺下利用HSPICE模拟不同大小硬件木马电路下S-box电路功耗轨迹和延时数据,在不同工艺模式下分析基于功耗与延时检测木马的有效性.结果显示,基于延时的硬件木马检测方法在木马规模较小时更能有效实现硬件木马检测.当木马规模增大时,基于功耗的检测方法的优势更明显,其抗工艺偏差干扰的能力会更强.     

融入环形振荡器木马特征的无监督硬件木马检测

机器学习用于集成电路硬件木马的检测可以有效提高检测率。无监督学习方法在特征选择上还存在不足,目前研究工作主要集中于有监督学习方法。文章引入环形振荡器木马的新特征,研究基于无监督机器学习的硬件木马检测方法。首先针对待测电路网表,提取每个节点的5维特征值,然后利用局部离群因子(LOF)算法计算各节点的LOF值,筛选出硬件木马节点。对Trust-HUB基准电路的仿真实验结果表明,该方法用于网表级电路硬件木马的检测,与现有基于无监督学习的检测方法相比,TPR(真阳性率)、P(精度)和F(度量)分别提升了16.19%、10.79%和15.56%。针对Trust-HUB基准电路的硬件木马检测的平均TPR、TNR和A,分别达到了58.61%、97.09%和95.60%。     

基于行为分析的木马检测

首先介绍了特洛伊木马的基本概念,其利用的基本技术,再介绍了常用的木马检测方法。阐述了木马检测的现状和发展趋势。分析并归纳了木马在安装阶段的行为特征,以此提出基于行为分析的木马检测方法。     

基于XGBoost的混合模式门级硬件木马检测方法

针对恶意的第三方厂商在电路设计阶段中植入硬件木马的问题,该文提出一种基于XGBoost的混合模式门级硬件木马检测方法.该检测方法将电路的每个线网类型作为节点,采用混合模式3层级的检测方式.首先,基于提取的电路静态特征,利用XGBoost算法实现第1层级的检测.继而,通过分析扫描链的结构特征,对第1层级分离得到的正常电路继续进行第2层级的面向扫描链中存在木马电路的静态检测.最后,在第3层级采用动态检测方法进一步提升检测的准确性.Trust-Hub基准测试集的实测结果表明,该方法与现有的其他检测方法相比具有较优的木马检测率,可达到94.0％的平均真阳率(TPR)和99.3％的平均真阴率(TNR).     

基于电路模块自相似性的硬件木马检测方法

由于硬件木马种类的多样性和SoC电路制造过程中不可预测的工艺变化,硬件木马检测变得极具挑战性。现有的旁路信号分析法存在两个缺点,一是需要黄金模型作为参考,二是工艺波动会掩盖部分硬件木马的活动效果。针对上述不足,提出一种利用电路模块结构自相似性的无黄金模型检测方法。通过对32位超前进位加法器的软件仿真实验和对128位AES加密电路的硬件仿真实验,验证了该方法的有效性。实验结果表明,在45 nm工艺尺寸下,对于面积占比较小的硬件木马,该方法的检测成功率可以达到90.0%以上。     

基于旁路分析的集成电路芯片硬件木马检测

针对密码芯片中硬件木马电路检测的困难性,介绍了根据芯片旁路信息进行硬件木马检测的思想．在形式化定义基于旁路分析的硬件木马检测问题的基础上,分析了含硬件木马与不含硬件木马的密码芯片对应旁路信号在主成份分析结果上的差异,并以此对FPGA实现的含硬件木马的DES密码原型芯片进行了检测实验,实验结果表明了基于旁路信号主成份分析在密码芯片硬件木马检测中的效果．     

Personal Trusted Devices for Web Services: Revisiting Multilevel Security

In this paper we revisit the concept of mandatory access control and investigate its potential with personal digital assistants (PDA). Only if applications are clearly separated and Trojans cannot leak personal information can these PDAs become personal trusted devices. Limited processing power and memory can be overcome by using Web services instead of full-fledged applications – a trend also in non-mobile computing. Web services, however, introduce additional security risks, some of them specific for mobile users. We propose an identification scheme that can be effectively used to protect privacy and show how this system builds upon a light-weight version of mandatory access control.     

Effective usage of redundancy to aid neutralization of hardware Trojans in Integrated Circuits

Hardware Trojans are malicious alterations in Integrated Circuits (ICs) that leak confidential information or disable the entire IC. The detection of these Trojans is performed through logic or side channel based testing. Under sub-nm technologies the detection of Hardware Trojans will face more problems due to process variations. Hence, there is a need to devise countermeasures which do not depend completely on detection. In order to achieve such a countermeasure, we propose to neutralize the effect of Hardware Trojans through redundancy. In this work, we present a Triple Modular Redundancy (TMR) based methodology to neutralize Hardware Trojans. In order to address the inevitable overhead on area, TMR will be implemented only on select paths of the circuit. Using a probabilistic model of a given digital circuit, we have measured the effect of Trojan on different paths of the circuit and found that equally probable output paths are vulnerable to Trojan placement. Therefore for security we propose that TMR should be implemented on the paths that lead to equally probable primary outputs. We have also shown that the detection of Trojans placed on predictable paths can be achieved through logic based testing methods. In order for the adversary to beat the proposed redundancy model, the size of the Trojan has to be larger. We have shown that such implementation can be detected using side channel based testing.     

Rule-Based Security Capabilities Matching for Web Services

A primary problem for security aware Web service discovery is how to discover security capabilities of Web services and how these security capabilities can be matched with security requirements of various requesters. Presently, most approaches are based on syntactic matching, which is prone to result in false negative because of lacking of semantics. In this paper, we propose a rule-based approach to decide whether security capabilities match security requirements. Based on a semantic model of security policy, security capabilities are inferred from security policy of Web services. General Web service security ontology is proposed to semantically model security requirements of various service requesters. The architecture of rule-based matching engine is also presented to describe the whole matching process. The prototype system and case study show that the proposed approach is flexible and feasible.     

A survey of hardware Trojan threat and defense

Hardware Trojans (HTs) can be implanted in security-weak parts of a chip with various means to steal the internal sensitive data or modify original functionality, which may lead to huge economic losses and great harm to society. Therefore, it is very important to analyze the specific HT threats existing in the whole life cycle of integrated circuits (ICs), and perform protection against hardware Trojans. In this paper, we elaborate an IC market model to illustrate the potential HT threats faced by the parties involved in the model. Then we categorize the recent research advances in the countermeasures against HT attacks. Finally, the challenges and prospects for HT defense are illuminated.     

基于XGBoost的混合模式门级硬件木马检测方法

针对恶意的第三方厂商在电路设计阶段中植入硬件木马的问题,该文提出一种基于XGBoost的混合模式门级硬件木马检测方法。该检测方法将电路的每个线网类型作为节点,采用混合模式3层级的检测方式。首先,基于提取的电路静态特征,利用XGBoost算法实现第1层级的检测。继而,通过分析扫描链的结构特征,对第1层级分离得到的正常电路继续进行第2层级的面向扫描链中存在木马电路的静态检测。最后,在第3层级采用动态检测方法进一步提升检测的准确性。Trust-Hub基准测试集的实测结果表明,该方法与现有的其他检测方法相比具有较优的木马检测率,可达到94.0%的平均真阳率(TPR)和99.3%的平均真阴率(TNR)。     

Integrated Trojan detecting model based on period feature statistics

Aiming at the problem that more popular network application and more complicated network traffic bring big challenge to current Trojan detecting technique, communication behavior of remote access Trojan (RAT) is analyzed, traffic features’ different performance in different communication sub-periods is discussed, and an integrated Trojan detecting model based on period feature statistics is presented. Feature statistics based on sub-periods and whole session （WS）respectively can increase the gap and classification ability of traffic features. The weighted integrated classifier can take full use of each base classifier’s advantage and compensate for each other’s weaknesses, therefore can strong system’s detecting and generalization capability. Experiment result shows that this system can recognize Trojan traffics from many kinds of normal traffic effectively.     

基于肤色模型的人脸检测研究

现有的人脸检测方法,对复杂光照环境下获得的彩色人脸图像的检测效果仍不太理想。在仔细研究目前人脸检测方法的基础上,对基于肤色分割结合模板匹配的人脸检测方法进行改进,提出基于“光照预处理＋肤色模型＋模板匹配”的人脸检测问题解决思路。实验结果表明,该方法对实际场景中正面和准正面的人脸图像,平均准检率达到84％,同时对光照变化不敏感,而且对姿态和表情的变化也具有较好的鲁棒性。