Similar Literature

20 similar documents found
1.
Compromised sensor nodes may collude to segregate a specific region of the sensor network, preventing event reporting packets in this region from reaching the base station. Additionally, they can cause skepticism over all data collected. Identifying and segregating such compromised nodes while identifying the type of attack with a certain confidence level is critical to the smooth functioning of a sensor network. Existing work specializes in preventing or identifying a specific type of attack and lacks a unified architecture to identify multiple attack types. Dynamic Camouflage Event-Based Malicious Node Detection Architecture (D-CENDA) is a proactive architecture that uses camouflage events generated by mobile nodes to detect malicious nodes while identifying the type of attack. We exploit the spatial and temporal information of camouflage events while analyzing the packets to identify malicious activity. We have simulated D-CENDA to compare its performance with other techniques that provide protection against individual attack types, and the results show marked improvement in malicious node detection while having a significantly lower false positive rate. Moreover, D-CENDA can identify the type of attack and is flexible enough to be configured to include other attack types in future.

2.
To address the problems of the traditional attack-tree model in malicious code detection, namely inaccurate description of behavioural differences and unreasonable quantification of harm, an improved attack-tree detection method is proposed that restructures the attack tree and builds an attack-tree text graph, and a harm-weight algorithm is designed so that the attack behaviour of malicious code can be described and judged more accurately. Cloud detection technology is introduced to build a detection system with which the algorithm is validated. Experimental results show that, compared with the traditional algorithm, the proposed algorithm markedly improves the detection of malicious code and its variants.

3.
Detecting botnet behaviors in networks is a popular topic in the current research literature. The problem of detecting P2P botnets has been denounced as one of the most difficult ones, and this is even more so when botnets use existing P2P network infrastructure (parasite P2P botnets). The majority of the detection proposals available at present are based on monitoring network traffic to determine the potential existence of command-and-control (C&C) communications between the bots and the botmaster. As a different and novel approach, this paper introduces a detection scheme which is based on modeling the evolution over time of the number of peers sharing a resource in a P2P network. This allows detecting abnormal behaviors associated with parasite P2P botnet resources in this kind of environment. We perform extensive experiments on the Mainline network, from which promising detection results are obtained while patterns of parasite botnets are tentatively discovered.

4.
张健飞, 陈黎飞, 郭躬德. 计算机应用, 2012, 32(10): 2761-2767
Various kinds of obfuscated malicious code easily evade traditional static detection, while dynamic detection achieves a good detection rate but consumes large amounts of system resources. To raise the detection rate for obfuscated malicious code under low system overhead, a hierarchical feature selection method is proposed that generates and selects features successively at the guide layer, the individual layer, the family layer and the global layer. The hierarchical method seeks a balance between feature redundancy and information omission by refining features layer by layer. Experimental results on real data sets show that the proposed method achieves a high detection rate for obfuscated malicious code and, compared with traditional feature selection methods, needs a smaller training sample set and generalizes better.

5.
Computer Communications, 2007, 30(11-12): 2385-2400
Distributed wireless sensor networks have problems in detecting and preventing malicious nodes, which always bring destructive threats and compromise multiple sensor nodes. Therefore, sensor networks need to support an authentication service for sensor identity and message transmission. Furthermore, intrusion detection and prevention schemes are always integrated in sensor security appliances so that they can enhance network security by discovering malicious or compromised nodes. This study provides adaptive security modules to improve secure communication of cluster-based sensor networks. A dynamic authentication scheme in the proposed primary security module enables existing nodes to authenticate new incoming nodes, triggering the establishment of secure links and broadcast authentication between neighboring nodes. This primary security design prevents intrusion from external malicious nodes using the authentication scheme. For advanced security design, the proposed intrusion detection module can exclude internal compromised nodes; it contains alarm return, trust evaluation, and black/white list schemes. This study adopts the two above-mentioned modules to achieve secure communication in cluster-based sensor networks when the network lifetime is divided into multiple cluster rounds. Finally, the security analysis results indicate that the proposed design can prevent and detect malicious nodes with a high probability of success through cluster-based and neighbor monitoring mechanisms. According to the performance evaluation results, the proposed security modules impose low storage, computation, and communication overhead on sensor nodes.

6.
P2P networks have been widely used because of advantages such as efficient use of network bandwidth, saving of computing resources, and quick information exchange. In particular, no infrastructure exists that manages each node centrally in a P2P network, and each node performs both the sender and the receiver role. Services applying P2P techniques in MANETs are increasing because this structure is very similar to the structure of a MANET. However, reliability may be lowered by erroneous services provided by malicious nodes, because no management supervision is performed over the nodes participating in P2P. In this paper, we propose a hybrid trust evaluation technique based on a Trust Zone structure to improve the reliability between nodes. A TZM node is elected for trust evaluation of the member nodes inside each TrustZone. Certificates for member nodes are issued by the elected TZM and the information is stored in the TZMT. Data transmission from malicious nodes is blocked by restricting the data transmission of nodes that have not been issued a certificate. A reputation-based trust management technique is applied to achieve fair file transmission between nodes and block the behavior of selfish nodes. The excellent performance of the proposed technique was confirmed through experiments.

7.
Webshells are the most commonly used malicious backdoor programs for persistent control of Web application systems and pose a huge threat to the secure operation of Web servers. Most Webshell detection methods train on the data of the entire request packet; this approach recognizes web-page-type Webshells poorly and trains models inefficiently. To address these problems, a Webshell malicious traffic detection method based on multi-feature fusion is proposed. Taking three dimensions of information as features, namely Webshell packet meta-information, packet payload content and traffic access behaviour, and combining domain knowledge, the method extracts features from the request and response packets of a data flow along these three dimensions, then fuses the extracted features into a discriminative model that can detect across different attack types. Experimental results show that, compared with previous methods, the proposed method raises precision on the binary classification of normal and malicious traffic considerably, reaching 99.25%; training and detection efficiency are also improved significantly, with training time and detection time reduced by 95.73% and 86.14% respectively.

8.
Android, the world's most popular smartphone system, exposes its users to many threats from malicious applications. How to detect Android malicious applications effectively is a very serious problem. This paper proposes an Android malicious application detection method based on statistical features. The method collects statistical features from 5560 malicious applications and 3000 benign applications as the training data set and uses a clustering algorithm to preprocess the malicious data set so as to reduce the effect of individual differences on the experimental results. In addition, the method combines the features with several machine learning algorithms (such as linear regression and neural networks) to build detection models. Experimental results show that the two models provided by the method clearly outperform the comparison models in both time efficiency and detection precision.

9.
He Chengkun, Shao Jie, Sun Jiayu. Multimedia Tools and Applications, 2018, 77(22): 29573-29588
Multimedia Tools and Applications - Abnormal event detection aims at identifying anomalies under specific scene and it is widely utilized in health monitoring, public security and pedestrian...

10.
A composite event detection method for distributed RFID data streams
To address the shortcomings of current RFID (radio frequency identification) composite event processing techniques in performance and in handling distributed applications, a distributed composite event processing model based on CORBA (Common Object Request Broker Architecture) is proposed, together with an efficient distributed composite event processing method based on query planning and cost estimation. Experimental results show that the method is effective for handling large-scale distributed RFID applications.

11.
Information about calls to the operating system (or kernel libraries) made by a binary executable may be used to determine whether the binary is malicious. Being aware of this approach, malicious programmers hide this information by making such calls without using the call instruction. For instance, the call addr instruction may be replaced by two push instructions and a ret instruction: the first push pushes the address of the instruction after the ret instruction, and the second push pushes the address addr. The code may be further obfuscated by spreading the three instructions apart and by splitting each instruction into multiple instructions. This work presents a method to statically detect obfuscated calls in binary code. The idea is to use abstract interpretation to detect where the normal call-ret convention is violated. These violations can be detected by what is called an abstract stack graph. An abstract stack graph is a concise representation of all potential abstract stacks at every point in a program. An abstract stack is used to associate each element in the stack with the instruction that pushes the element. An algorithm for constructing the abstract stack graph is also presented. Methods for using the abstract stack graph are shown to detect eight different obfuscations. The technique is demonstrated by implementing a prototype tool called DOC (detector for obfuscated calls).

12.
To achieve real-time content detection for P2P-TV applications, the fine-grained identification of P2P-TV platforms and channels by a P2P-TV monitoring system is introduced briefly. Given that PPTV transmits its data streams in the ASF streaming media format and that nodes obtain data from one another over UDP, the A/V data packets in the transmission are identified on the basis of the accurately identified platform and channel; the sequence numbers of the A/V packets and the length and start and end positions of the A/V data are obtained, and the A/V data are extracted online and restored into media files on which content detection is performed.

13.
Khan Izhar Ahmed, Pi Dechang, Khan Nasrullah, Khan Zaheer Ullah, Hussain Yasir, Nawaz Asif, Ali Farman. Applied Intelligence, 2021, 51(10): 7306-7321
Applied Intelligence - Contemporary Smart Power Systems (SPNs) depend on Cyber-Physical Systems (CPSs) to connect physical devices and control tools. Developing a robust privacy-conserving...

14.
To overcome the limitations of current P2P schemes and raise the efficiency of P2P communication in the face of complex P2P network environments, a P2P communication scheme with network environment awareness is proposed and implemented. With the help of an intermediate server, the scheme senses the network environment in which each P2P client is located and adopts the optimal communication scheme between two P2P clients. An experimental environment was built with VMware, and the performance of the scheme was simulated under various topologies. Experimental results show that, compared with other commonly used P2P communication schemes, the proposed scheme achieves a higher session connection establishment rate, less signalling overhead and better end-to-end delay, proving it superior to the other schemes.

15.
Existing CNN-based video anomaly event detection methods, while steadily improving in accuracy, suffer from complex architectures, huge parameter counts and lengthy training, which demand high hardware computing power and make them hard to deploy on edge devices with limited computing resources such as UAVs. To this end, a lightweight anomaly event detection method for edge devices is proposed that aims to balance detection performance against inference latency. First, gradient cubes and optical-flow cubes are extracted from the raw video sequence as the appearance and motion feature representations of events. Second, an improved small-scale PCANet is designed to obtain high-level block histogram features for the gradient cubes. Third, an appearance anomaly score is computed from the histogram feature distribution of each local block, while a motion anomaly score is computed by accumulating the optical-flow magnitudes of the pixels inside the block. Finally, anomalous blocks are identified from the weighted fusion of the appearance and motion anomaly scores, achieving joint detection and localization of appearance and motion anomaly events. In experiments on the Ped1 and Ped2 subsets of the public UCSD data set, the frame-level AUC of the proposed method reaches 86.7% and 94.9% respectively, leading most comparison methods while clearly reducing the number of parameters. The experimental results show that the method achieves high anomaly detection stability and accuracy with low computing power requirements, effectively balancing detection accuracy and computing resources, and is therefore suited to low-power edge devices.

16.
In this paper, a new spatio-temporal method for adaptively detecting events based on Allen temporal algebra and external information support is presented. The temporal information is captured by presenting events as temporal sequences using a lexicon of non-ambiguous temporal patterns. These sequences are then exploited to mine undiscovered sequences with external text information support by using the class association rule mining technique. By modeling each pattern with a linguistic part and a perceptual part that work independently and connect together via a transformer, it is easy to deploy this method to any new domain (e.g. baseball, basketball, tennis, etc.) with a few changes in the perceptual part and transformer. Thus the proposed method not only can work well in poorly structured environments but also can adapt itself to new domains without the need (or with few modifications) for external re-programming, re-configuring and re-adjusting. Results of the automatic event detection process are tailored to personalized retrieval via a click-and-see style using either a conceptual or a conceptual-visual query scheme. Experimental results carried out on more than 30 hours of soccer video corpus captured at different broadcasters and under different conditions, as well as comparison with well-known related methods, demonstrated the efficiency, effectiveness, and robustness of the proposed method in both offline and online processes.

17.
18.
To address the proliferation of malicious HTTP request attacks in the current network environment, a detection method based on multi-scale feature fusion is proposed. HTTP requests are first modelled at two scales, word level and character level; a convolutional neural network then extracts their high-order semantic features; multi-scale feature fusion is then used to learn a multi-scale common vector representation of the HTTP request; finally, a linear classifier performs the classification. Experimental results show that the method outperforms existing methods on the HTTP CSIC 2010 data set and on a real WAF data set.

19.
At present few researchers detect Android malicious applications by combining correlated static and dynamic analysis; most static analysis methods consider the concrete code execution flow and are computationally expensive, while purely dynamic detection methods consume Android system resources and greatly slow down the phone. This paper proposes the DApriori algorithm, which can detect Android malicious applications effectively. DApriori computes permission association rules separately for malicious application samples and benign application samples, compares the differences in user permissions between the two kinds of samples, and uses the association rules obtained from the malicious samples to detect a set of mixed samples. Experimental results show that the algorithm can detect Android malicious applications effectively, and the association rules are applied to dynamic detection of Android malicious applications.

20.
Chen Liangchen, Gao Shu, Liu Baoxu, Lu Zhigang, Jiang Zhengwei. The Journal of Supercomputing, 2020, 76(9): 7489-7518
The Journal of Supercomputing - With the rapid increase in the amount of network encrypted traffic and malware samples using encryption to evade identification, detecting encrypted malicious traffic...


Copyright © Beijing Qinyun Technology Development Co., Ltd.  京ICP备09084417号