基于纹理指纹的恶意代码变种检测方法研究

提出一种基于纹理指纹的恶意代码特征提取及检测方法,通过结合图像分析技术与恶意代码变种检测技术,将恶意代码映射为无压缩灰阶图片,基于纹理分割算法对图片进行分块,使用灰阶共生矩阵算法提取各个分块的纹理特征,并将这些纹理特征作为恶意代码的纹理指纹;然后,根据样本的纹理指纹,建立纹理指纹索引结构;检测阶段通过恶意代码纹理指纹块生成策略,采用加权综合多分段纹理指纹相似性匹配方法检测恶意代码变种和未知恶意代码;在此基础上,实现恶意代码的纹理指纹提取及检测原型系统。通过对6种恶意代码样本数据集的分析和检测,完成了对该系统的实验验证。实验结果表明,基于上述方法提取的特征具有检测速度快、精度高等特点,并且对恶意代码变种具有较好的识别能力。     

入侵检测系统的规则研究与基于机器学习的入侵检测系统模型

入侵检测系统（IDS）分为异常检测模型和误用检测模型。异常检测模型首先总结正常操作应该具有的特征，得出正常操作的模型，对后续的操作进行监视，一旦发现偏离正常统计学意义上的操作模式，即进行报警。误用检测模型是收集入侵检测行为的特征，建立相关的规则库，在后续的检测过程中，将收集到的数据与规则库中的特征代码进行比较，得出是否是入侵的结论。本文主要研究了入侵检测系统中的规则的建立，并通过在基于误用检测的Snort入侵检测系统中增加一个规则学习模块——LERAD，提出了一个基于机器学习的入侵检测系统模型。     

A new ontology‐based multi agent framework for intrusion detection

Ontologies play an essential role in knowledge sharing and exploration, especially in multiagent systems. Intrusion is an unauthorized activity in a network, which is achieved by either active manner (information gathering) or passive manner (harmful packet forwarding). Most of the existing intrusion detection system (IDS) suffers from the following issues: it is usually adjusted to detect known service level network attacks and leaves from vulnerable to original and novel malicious attacks. Thus, it provides low accuracy and detection rate, which are the important problems of existing IDS. To overwhelm these drawbacks, an ontology‐based multiagent IDS framework is developed in this work for intrusion detection. The main intention of this work is to detect the network attacks with the help of multiple detection agents. In this analysis, there are 3 different types of agents, ie, IDS broker, deputy commander, and response agent, which are used to prevent and detect the attacks in a network. The novel concept of this work is based on the concept of signature matching; it identifies and detects the attackers with the help of multiple agents.     

高速网络中入侵检测的抽样方法

提出了一个面向主干网入侵检测,以内存瓶颈消耗量为测度的动态自适应抽样方法IDSampling.通过分析攻击流量的流长和熵聚类信息特征指导抽样,过滤掉攻击可疑性低的报文,采取"节流"方法解决万兆网络入侵检测存在的性能和精度不平衡问题.在大规模异常发生时采用基于单报文属性熵的单一抽样策略,其他情况下采用带反馈指导的混合抽样策略,试图用尽可能小的检测代价来取得同样的检测效果.实验结果表明①IDSampling可以大幅减低IDS处理输入,同时保证对主干网人规模攻击趋势性信息的检测精度;②相较于随机报文抽样和随机流抽样方法,IDSampling凭借流长、熵聚类信息和后期检测结果等启发式信息的指导,其抽取攻击报文的准确性高于前2种方法,尤其是在大规模、高强度攻击情况下IDSampling抽中攻击报文的数目甚至高于其他2种方法一个数量级.     

Generating Lightweight Behavioral Signature for Malware Detection in People-Centric Sensing

People-centric sensing (PCS) is an emerging paradigm of sensor network which turns daily used mobile devices (such as smartphones and PDAs) to sensors. It is promising but faces severe security problems. As smartphones are already and will keep up to be attractive targets to attackers, even more, with strong connectivity and homogeneous applications, all mobile devices in PCS will risk being infected by malware more rapidly. Even worse, attackers usually obfuscate their malwares in order to avoid simple (syntactic signature based) detection. Thus, more intelligent (behavioral signature based) detection is needed. But in the field of network security, the state-of-the-art behavioral signature—behavior graph—is too complicated to be used in mobile devices. This paper proposes a novel behavioral signature generation system—SimBehavior—to generate lightweight behavioral signature for malware detection in PCS. Generated lightweight behavioral signature is a bit like regex (regular expression) rules. And thus, unlike malware detection using behavior graph is NP-Complete, using our lightweight behavioral signature is efficient and very suitable for malware detection in PCS. Our experimental results show that SimBehavior can extract behavioral signatures effectively, and generated lightweight behavioral signatures can be used to detect new malware samples in PCS efficiently and effectively.     

基于引擎划分的入侵检测系统模型分析

入侵检测系统是保护网络安全的手段之一,在选择入侵检测系统时,其引擎是基于签名检测还是异常检测是决策的关键点.文章从技术角度分析了两种模型的优势及不足,在实际应用中,可以根据保护对象的特点,灵活部署入侵检测系统,如果需要提供更高的保护策略,应该使用两者兼顾的产品.     

基于人工智能的威胁检测与防护系统

文中针对传统的基于签名匹配的威胁检测系统存在的局限,探讨了人工智能技术在网络安全防护中的应用。通过分析异常检测、恶意软件检测和自动化安全响应3个方面,阐明了机器学习和深度学习模型可以实现对未知威胁的检测和主动防御。研究认为,人工智能驱动的网络安全防护系统代表了技术发展的方向,但还需进一步的数据积累和模型优化,以实现更智能的商业安全产品的开发。     

Similarity as a central approach to flow‐based anomaly detection

Network flow monitoring is currently a common practice in mid‐ and large‐size networks. Methods of flow‐based anomaly detection are subject to ongoing extensive research, because detection methods based on deep packets have reached their limits. However, there is a lack of comprehensive studies mapping the state of the art in this area. For this reason, we have conducted a thorough survey of flow‐based anomaly detection methods published on academic conferences and used by the industry. We have analyzed these methods using the perspective of similarity which is inherent to any anomaly detection method. Based on this analysis, we have proposed a new taxonomy of network anomalies and a similarity‐oriented classification of flow‐based detection methods. We have also identified four issues requiring further research: the lack of flow‐based evaluation datasets, infeasible benchmarking of proposed methods, excessive false positive rate and limited coverage of certain anomaly classes. Copyright © 2014 John Wiley & Sons, Ltd.     

An Autonomous Host-Based Intrusion Detection System for Android Mobile Devices

Intrusion Detection System (IDS) is crucial to protect smartphones from imminent security breaches and ensure user privacy. Android is the most popular mobile Operating System (OS), holding above 85% market share. The traffic generated by smartphones is expected to exceed the one generated by personal computers by 2021. Consequently, this prevalent mobile OS will stay one of the most attractive targets for potential attacks on fifth generation mobile networks (5G). Although Android malware detection has received considerable attention, offered solutions mostly rely on performing resource intensive analysis on a server, assuming a continuous connection between the device and the server, or on employing supervised Machine Learning (ML) algorithms for profiling the malware’s behaviour, which essentially require a training dataset consisting of thousands of examples from both benign and malicious profiles. However, in practice, collecting malicious examples is tedious since it entails infecting the device and collecting thousands of samples in order to characterise the malware’s behaviour and the labelling has to be done manually. In this paper, we propose a novel Host-based IDS (HIDS) incorporating statistical and semi-supervised ML algorithms. The advantage of our proposed IDS is two folds. First, it is wholly autonomous and runs on the mobile device, without needing any connection to a server. Second, it requires only benign examples for tuning, with potentially a few malicious ones. The evaluation results show that the proposed IDS achieves a very promising accuracy of above 0.9983, reaching up to 1.

     

欺诈类手机恶意软件识别方法研究

提出了一种欺诈类手机恶意软件多维度检测模型,通过静态检测识别和动态运行验证的双重验证法确保恶意软件的精准识别。建立签名信息、权限、分组名等多个维度的应用软件特征识别库,根据特征库将应用软件打上正常软件和恶意软件的标签,最大限度完善现有欺诈类手机恶意软件安全防护手段,支撑第三方应用软件商店规范发展,有效提升用户对欺诈类手机恶意软件防范意识和保护手机使用安全起到积极作用。     

A meta‐heuristic Bayesian network classification for intrusion detection

Software‐defined networking (SDN) is an innovative network paradigm much in demand today in academics and industry. In this network, the SDN controller must be able to observe and examine traffic flow through the network systems. However, intrusion‐based data packets affect the whole system is a major drawback. To overcome this issue, we propose a Novel Agent Program (NAP) framework for preventing switches from the external compromised attacks. A Meta‐Heuristic Bayesian Network Classification (MHBNC) algorithm for intrusion detection is proposed in this paper. The proposed algorithm follows certain procedures for preprocessing, feature selection, feature optimization, and classification. Normal and anomaly‐based data packets are classified successfully with its improved detection capabilities based on the optimization technique. The simulation results of the proposed ID_MBC (intrusion detection based on meta‐heuristic Bayesian classifier) technique is compared with existing techniques such as the association rule, PSO+GA, and the GA+RVM. The proposed MHBNC classifier performs better than existing methods.     

Malware variants detection based on ensemble learning

Application programming interface (API) is a procedure call interface to operation system resource. API-based behavior features can capture the malicious behaviors of malware variants. However, existing malware detection approaches have a deal of complex operations on constructing and matching. Furthermore, graph matching is adopted in many approaches, which is a nondeterministic polynominal (NP)-complete problem because of computational complexity. To address these problems, a novel approach is proposed to detect malware variants. Firstly, the API of the malware are divided by their functions and parameters. Then, the classified behavior graph (CBG) is constructed from the API call sequences. Finally, the signature based on CBGs for each malware family is generated. Besides, the malware variants are classified by ensemble learning algorithm. Experiments on 1 220 malware samples show that the true positive rate (TPR) is up to 89.0% with the low false positive rate (FPR) 3.7% by ensemble learning.     

基于误用和异常技术相结合的入侵检测系统的设计与研究

目前,入侵检测系统(IDS) 的漏报率和误报率高一直是困扰IDS用户的主要问题,而入侵检测系统主要有误用型和异常型两种检测技术,根据这两种检测技术各自的优点,以及它们的互补性,将两种检测技术结合起来的方案越来越多地应用于IDS中。该文提出了基于统计的异常检测技术和基于模式匹配的误用检测技术相结合的IDS模型,减少了单纯使用某种入侵检测技术时的漏报率和误报率,从而提高系统的安全性。     

入侵检测技术研究现状与未来发展

入侵检测技术是一种主动防御型安全技术,可以弥补传统安全技术的不足.文章对入侵检测技术进行了归类,介绍了两种通用的入侵检测方法:一种是根据采集点的不同,将IDS分为基于主机的IDS和基于网络的IDS;另外一种是根据检测所基于的原则不同,将入侵检测系统划分为异常检测IDS和误用检测IDS.文章还对入侵检测技术的未来发展方向进行了讨论.     

Future IoT‐enabled threats and vulnerabilities: State of the art,challenges, and future prospects

In the recent era, the security issues affecting the future Internet‐of‐Things (IoT) standards has fascinated noteworthy consideration from numerous research communities. In this view, numerous assessments in the form of surveys were proposed highlighting several future IoT‐centric subjects together with threat modeling, intrusion detection systems (IDS), and various emergent technologies. In contrast, in this article, we have focused exclusively on the emerging IoT‐related vulnerabilities. This article is a multi‐fold survey that emphasizes on understanding the crucial causes of novel vulnerabilities in IoT paradigms and issues in existing research. Initially, we have emphasized on different layers of IoT architecture and highlight various emerging security challenges associated with each layer along with the key issues of different IoT systems. Secondly, we discuss the exploitation, detection, and defense methodologies of IoT malware‐enabled distributed denial of service (DDoS), Sybil, and collusion attack capabilities. We have also discussed numerous state‐of‐the‐art strategies for intrusion detection and methods for IDS setup in future IoT systems. Third, we have presented a brief classification of existing IoT authentication protocols and a comparative analysis of such protocols based on different IoT‐enabled cyber attacks. For conducting a real‐time future IoT research, we have presented some emerging blockchain solutions. We have also discussed a comparative examination of some of the recently developed simulation tools and IoT test beds that are characterized based on different layers of IoT infrastructure. We have also outlined some of the open issues and future research directions and also facilitate the readers with broad classification of existing surveys in this domain that addresses several scopes related to the IoT paradigm. This survey article focuses in enabling IoT‐related research activities by comparing and merging scattered surveys in this domain.     

基于对比权限模式的安卓恶意软件检测方法(英文)

As the risk of malware is sharply increasing in Android platform,Android malware detection has become an important research topic.Existing works have demonstrated that required permissions of Android applications are valuable for malware analysis,but how to exploit those permission patterns for malware detection remains an open issue.In this paper,we introduce the contrasting permission patterns to characterize the essential differences between malwares and clean applications from the permission aspect Then a framework based on contrasting permission patterns is presented for Android malware detection.According to the proposed framework,an ensemble classifier,Enclamald,is further developed to detect whether an application is potentially malicious.Every contrasting permission pattern is acting as a weak classifier in Enclamald,and the weighted predictions of involved weak classifiers are aggregated to the final result.Experiments on real-world applications validate that the proposed Enclamald classifier outperforms commonly used classifiers for Android Malware Detection.     

基于云计算和动态贝叶斯博弈的WSN恶意程序传播优化抑制方法

为有效地应用入侵检测系统检测WSN（wireless sensor network,无线传感网络）恶意程序从而抑制WSN恶意程序传播,在考虑WSN节点资源有限和云计算平台资源几乎无限的现状基础上,借助云计算平台提出WSN入侵检测网络结构。依据传感节点和WSN入侵检测代理之间博弈过程的分析,使用动态贝叶斯博弈建立了考虑WSN入侵检测代理监控数据发送能耗和传感节点隐私保护需求的WSN恶意程序传播抑制博弈模型。依据建立的博弈类型,并基于精炼贝叶斯均衡提出抑制WSN恶意程序传播的优化策略,并给出具体的算法。实验分析了影响WSN入侵检测代理选择优化策略的因素,为具体应用提供了实验依据。     

当前移动应用软件常用安全检测技术

在各类移动应用给人们的生活带来便利的同时,恶意应用对终端安全的威胁也在逐渐增多。文章针对恶意应用安全检测的问题,总结了四种常用的检测技术:静置检测、特征码扫描、二进制代码逆向分析和动态行为监测,给出了这四种技术的检测方法、检测流程以及关键技术,分析了每种技术的优点和不足。     

Network intrusion detection

Intrusion detection is a new, retrofit approach for providing a sense of security in existing computers and data networks, while allowing them to operate in their current "open" mode. The goal of intrusion detection is to identify unauthorized use, misuse, and abuse of computer systems by both system insiders and external penetrators. The intrusion detection problem is becoming a challenging task due to the proliferation of heterogeneous computer networks since the increased connectivity of computer systems gives greater access to outsiders and makes it easier for intruders to avoid identification. Intrusion detection systems (IDSs) are based on the beliefs that an intruder's behavior will be noticeably different from that of a legitimate user and that many unauthorized actions are detectable. Typically, IDSs employ statistical anomaly and rulebased misuse models in order to detect intrusions. A number of prototype IDSs have been developed at several institutions, and some of them have also been deployed on an experimental basis in operational systems. In the present paper, several host-based and network-based IDSs are surveyed, and the characteristics of the corresponding systems are identified. The host-based systems employ the host operating system's audit trails as the main source of input to detect intrusive activity, while most of the network-based IDSs build their detection mechanism on monitored network traffic, and some employ host audit trails as well. An outline of a statistical anomaly detection algorithm employed in a typical IDS is also included     

An immunological approach for file recovery over JXTA peer‐to‐peer framework

Peer‐to‐peer (P2P) file‐sharing systems are characterized by highly replicated content that is distributed among nodes with enormous aggregate resources for storage and communication. File consistency is often compromised by undesirable changes, which should be detected and corrected in a timely fashion. The artificial immune system (AIS) is a novel evolutionary paradigm inspired by aspects of the biological immune system (BIS), such as protection, decentralization, autonomy, and anomaly detection. The AIS paradigm suggests a wide variety of mechanisms for solving complex computer problems. In this paper, we propose the ImmunoJXTA framework for file consistency management and file recovery using the main aspects of AIS in P2P systems. We implemented ImmunoJXTA on the JXTA P2P framework to recover distributed inconsistent files between peers efficiently. Promising results are achieved from experimental runs of the proposed framework. Copyright © 2010 John Wiley & Sons, Ltd.