政府Web应用安全建设浅析

从政府Web应用系统运营者的考虑角度,专门针对政府Web应用特定业务应用的原有被动式安全防御建设基础上,提出在贯穿网站全生命周期的信息安全建设过程中,从事前检测防御、事中应急响应以及事后恢复三个方面对政府网站信息安全体系的完善。将政府网站安全需求转化为更加主动的防御技术,使各级政府网站具备一定的对抗能力和应急恢复能力。     

基于API和Permission的Android恶意软件静态检测方法研究

当前大量的Android恶意软件在后台收集用户的位置信息、通话记录、电话号码及短信等信息并将其上传至指定服务器,造成了难以估量的危害。为解决此问题,提出一种Android恶意软件静态检测方法。对收集到的训练集中的所有APK文件进行静态反编译,提取其中的静态信息;对静态信息中的API和Permission进行统计学分析,得到API和Permission在恶意APK和正常APK中的使用率;根据它们的使用率确定基准API和Permission集合,将每一个APK转换成可参与计算的关于API和Permission的特征向量;利用改进的k-NN分类器,对待检测的APK进行分类判定。实验结果表明,该方法可以有效地对APK进行恶意分类。     

恶意软件对网络安全的威胁、现状、对策的分析研究

恶意软件对网络安全的威胁备受关注,成为影响互联网使用的“恶魔”。本文针对恶意软件的相关问题进行了详尽的探讨研究。     

Cybercrime: Understanding and addressing the concerns of stakeholders

Cybercrime and cybercriminal activities continue to impact communities as the steady growth of electronic information systems enables more online business. The collective views of sixty-six computer users and organizations, that have an exposure to cybercrime, were analyzed using concept analysis and mapping techniques in order to identify the major issues and areas of concern, and provide useful advice. The findings of the study show that a range of computing stakeholders have genuine concerns about the frequency of information security breaches and malware incursions (including the emergence of dangerous security and detection avoiding malware), the need for e-security awareness and education, the roles played by law and law enforcement, and the installation of current security software and systems. While not necessarily criminal in nature, some stakeholders also expressed deep concerns over the use of computers for cyberbullying, particularly where younger and school aged users are involved. The government’s future directions and recommendations for the technical and administrative management of cybercriminal activity were generally observed to be consistent with stakeholder concerns, with some users also taking practical steps to reduce cybercrime risks.     

基于N-gram的Android恶意检测

随着Android系统的广泛应用,Android平台下的恶意应用层出不穷,并且恶意应用躲避现有检测工具的手段也越来越复杂,亟需更有效的检测技术来分析恶意行为。文中提出并设计了一种基于N-gram的静态恶意检测模型,该模型通过逆向手段反编译Android APK文件,利用N-gram技术在字节码上提取特征,以此避免传统检测中专家知识的依赖。同时,该模型使用深度置信网络,能够快速而准确地学习训练。通过对1267个恶意样本和1200个善意样本进行测试,结果显示模型整体的检测准确率最高可以达到98.34%。实验进一步比较了该模型和其他算法的检测结果,并对比了相关工作的检测效果,结果表明该模型有更好的准确率和鲁棒性。     

恶意代码安全虚拟执行环境研究

入侵容忍的系统要求具有在现实环境中执行不安全程序且不遭受永久性伤害的能力.虚拟机技术提供了一种虚拟的可执行环境,能够满足这个需求.通过对操作系统调用接口资源的重命名的研究,在此基础上设计并实现了一种Windows平台下基于操作系统层的安全虚拟执行环境的体系结构.实验结果表明,该系统可以有效地模拟应用程序的各种运行行为和结果,并为后续分析提供充足的信息.经对比发现,基于操作系统资源虚拟化的安全执行环境技术比传统虚拟技术更灵活,消耗系统资源更少.     

针对指令乱序变形技术的归一化研究

新出现的恶意代码大部分是在原有恶意代码基础上修改转换而来.许多变形恶意代码更能自动完成该过程,由于其特征码不固定,给传统的基于特征码检测手段带来了极大挑战.采用归一化方法,并结合使用传统检测技术是一种应对思路.本文针对指令乱序这种常用变形技术提出了相应的归一化方案.该方案先通过控制依赖分析将待测代码划分为若干基本控制块,然后依据数据依赖图调整各基本控制块中的指令顺序,使得不同变种经处理后趋向于一致的规范形式.该方案对指令乱序的两种实现手段,即跳转法和非跳转法,同时有效.最后通过模拟测试对该方案的有效性进行了验证.     

基于栈的恶意程序隐式系统调用的检测方法

提出了一种检测恶意程序中隐式系统调用的方法.该方法使用地址栈和地址栈图来检测恶意程序中隐式的系统调用信息,其中,地址栈将每个栈的元素和栈操作的指令相结合,而地址栈图抽象地表示可执行体并且检测恶意的系统调用.通过实验表明,这是一种有效的方法.     

Intrusion detection for mobile devices using the knowledge-based, temporal abstraction method

In this paper, a new approach for detecting previously unencountered malware targeting mobile device is proposed. In the proposed approach, time-stamped security data is continuously monitored within the target mobile device (i.e., smartphones, PDAs) and then processed by the knowledge-based temporal abstraction (KBTA) methodology. Using KBTA, continuously measured data (e.g., the number of sent SMSs) and events (e.g., software installation) are integrated with a mobile device security domain knowledge-base (i.e., an ontology for abstracting meaningful patterns from raw, time-oriented security data), to create higher level, time-oriented concepts and patterns, also known as temporal abstractions. Automatically-generated temporal abstractions are then monitored to detect suspicious temporal patterns and to issue an alert. These patterns are compatible with a set of predefined classes of malware as defined by a security expert (or the owner) employing a set of time and value constraints. The goal is to identify malicious behavior that other defensive technologies (e.g., antivirus or firewall) failed to detect. Since the abstraction derivation process is complex, the KBTA method was adapted for mobile devices that are limited in resources (i.e., CPU, memory, battery). To evaluate the proposed modified KBTA method a lightweight host-based intrusion detection system (HIDS), combined with central management capabilities for Android-based mobile phones, was developed. Evaluation results demonstrated the effectiveness of the new approach in detecting malicious applications on mobile devices (detection rate above 94% in most scenarios) and the feasibility of running such a system on mobile devices (CPU consumption was 3% on average).