网络数据采集技术研究

随着网络带宽的不断增长,网络安全系统(如网络入侵检测系统--NIDS)对网络数据包捕获能力要求越来越高,为了提高网络数据包的捕获能力以适应当今高速网络环境,本文在分析传统网络数据采集系统的基础上,采用地址映射、零拷贝捕包和零拷贝存储等技术,提出一种新的捕包系统,该系统的性能较传统的方法有了大幅的提高,在千兆网络环境下,能够满足网络安全对网络数据包捕获能力的需求.     

虚拟机软件在网络安全教学中的应用

本文主要简单的介绍了虚拟机软件的相关内容,通过对现阶段我国网络安全教学中存在的问题进行分析,来探讨虚拟软件在网络安全教学中的有效应用,以保障网络安全教学质量。据此,有利于充分利用虚拟机软件,提高网络安全课程的教学水平,培养学生对网络安全课程学习的兴趣,激发学生的学习潜能,让学生能够积极主动地投入到教学过程中,深入理解网络安全教学中的知识,从而实现网络安全教学效益最大化。     

恶意软件行为分析中的虚拟化技术应用

在网络安全中。恶意软件对系统和应用程序的破坏已经逐渐占了很大的比例，恶意软件的行为分析技术也在与恶意软件的斗争中不断地深入和发展。在本文中，致力于利用CPU强大的硬件虚拟技术，IntelvT技术、将恶意软件的运行完全置于一个虚拟化的操作系统内，从而对其行为进行分析，而不会对真实系统造成任何的负面效果。     

基于教评一体化的网络安全人才BITS能力培养新模式

分析网络安全人才培养过程中存在的问题,提出BITS能力成长的培养新路径,从教学过程创新和课程评价创新两方面探讨如何进行以提高学生BITS能力为导向的网络安全人才培养,通过对学生问卷调查数据的对比统计,说明网络安全人才BITS能力培养新模式的有效性。     

基于HoneyNet的军事信息网络主动防御能力实现

文章针对军事信息网络攻防技术的发展现状,提出基于HoneyNet实现"信息佯动和攻击捕获"主动防御能力的网络安全体系改进方案,提高现有体系中入侵检测系统的有效性,增强对网络攻击的捕获能力并通过信息佯动手段进一步加强对网络关键节点的保护.     

基于dpdk的高效数据包捕获技术分析与应用

对Intel dpdk数据包捕获技术进行了深入研究,对其优缺点进行了详细的分析。在此基础上,利用dpdk设计并实现了一套基于Linux的数据包捕获系统,成功地将其应用于千兆网络安全防护系统中。使用BPS软件对基于dpdk的网络安全防护系统与基于pf_ring的网络安全防护系统进行仿真分析,结果表明dpdk对整体系统性能的提高成效显著,取得了良好的效果,验证了该方法的可行性。     

基于签名与数据流模式挖掘的Android恶意软件检测系统

随着Android软件开发和维护的不断增多,以及恶意软件的抗检测能力逐渐增强,主流的静态检测方法开始面临一些问题:签名检测虽然检测速度快,但是对代码混淆、重打包类的恶意软件的检测能力不强;基于数据流的检测方法虽然精度高,但检测效率低。针对上述技术存在的缺点,提出了一种混合型静态检测系统。该系统改进了多级签名检测方法,通过对method与class签名进行多级匹配,提高了对代码混淆类恶意软件的检测能力。系统还改进了传统数据流分析技术,通过数据流模式挖掘,找出恶意软件频繁使用的数据流模式,省去了人工确认环节,提高了数据流分析的自动化程度与效率。两种技术的结合使得系统在检测精度与效率两方面达到一个合理的折中点。实验结果表明,该系统对于代码混淆和重打包的恶意软件具有较好的检测能力,对主流恶意软件的检测精确度达到88%。     

基于行为的移动智能终端恶意软件自动化分析与检测系统

文章介绍了一款基于行为的移动智能终端恶意软件自动化分析与检测系统,通过对大量恶意样本的研究,构建了一套敏感行为库,在不依赖恶意软件静态特征库的情况下,可有效判别已知和未知的恶意软件。该系统将静态分析技术与动态分析技术相结合,在静态分析技术中,增加了敏感API代码快速定位功能;动态分析技术的使用有效提升了可疑样本的敏感行为捕获的覆盖面和准确性。最后,基于SVM算法对样本的恶意性进行自动化判定。实验结果表明,该系统能够有效分析可疑样本行为,检出率高、误报率低,具有良好的应用前景。     

网络安全技术的比较及在校园网中的应用研究

在高速发展的校园网系统中,如何保障网络免受黑客,病毒,恶意软件和其他不良意图的攻击显得尤为重要。介绍了几种常见网络安全技术,对比了防火墙、入侵检测系统(IDS)、虚拟专用网(VPN)和访问控制等网络安全技术的优缺点。最后,针对大同煤炭职业技术学院校园网的网络安全需求,提出了大同煤炭职业技术学院的校园网络安全方案。     

网络安全协议课程的实践教学设计

在充分考虑网络安全协议课程的特点、要求以及学生具体情况的基础上,设计总体实践教学方案,以SSL/TLS协议为例,阐述如何通过对实践教学方案的实施,进一步提高学生对安全协议原理的理解和掌握、全面提升学生对网络安全协议的应用能力。     

Spatial-temporal modeling of malware propagation in networks

Network security is an important task of network management. One threat to network security is malware (malicious software) propagation. One type of malware is called topological scanning that spreads based on topology information. The focus of this work is on modeling the spread of topological malwares, which is important for understanding their potential damages, and for developing countermeasures to protect the network infrastructure. Our model is motivated by probabilistic graphs, which have been widely investigated in machine learning. We first use a graphical representation to abstract the propagation of malwares that employ different scanning methods. We then use a spatial-temporal random process to describe the statistical dependence of malware propagation in arbitrary topologies. As the spatial dependence is particularly difficult to characterize, the problem becomes how to use simple (i.e., biased) models to approximate the spatially dependent process. In particular, we propose the independent model and the Markov model as simple approximations. We conduct both theoretical analysis and extensive simulations on large networks using both real measurements and synthesized topologies to test the performance of the proposed models. Our results show that the independent model can capture temporal dependence and detailed topology information and, thus, outperforms the previous models, whereas the Markov model incorporates a certain spatial dependence and, thus, achieves a greater accuracy in characterizing both transient and equilibrium behaviors of malware propagation.     

Security implications of running windows software on a Linux system using Wine: a malware analysis study

Linux is considered to be less prone to malware compared to other operating systems, and as a result Linux users rarely run anti-malware. However, many popular software applications released on other platforms cannot run natively on Linux. Wine is a popular compatibility layer for running Windows programs on Linux. The level of security risk that Wine poses to Linux users is largely undocumented. This project was conducted to assess the security implications of using Wine, and to determine if any specific types of malware or malware behavior have a significant effect on the malware being successful in Wine. Dynamic analysis (both automated and manual) was applied to 30 malware samples both in a Windows environment and Linux environment running Wine. Behavior analyzed included file system, registry, and network access, and the spawning of processes, and services. The behavior was compared to determine malware success in Wine. The study results provide evidence that Wine can pose serious security implications when used to run Windows software in a Linux environment. Five samples of Windows malware were run successfully through Wine on a Linux system. No significant relationships were discovered between the success of the malware and its high-level behavior or malware type. However, certain API calls could not be recreated in a Linux environment, and led to failure of malware to execute via Wine. This suggests that particular malware samples that utilize these API calls will never run completely successfully in a Linux environment. As a consequence, the success of some samples can be determined from observing the API calls when run within a Windows environment.

     

木马恶意软件的电子数据勘查与取证分析初探

木马等恶意软件已经成为网络违法犯罪分子经常利用的作案工具。勘查木马恶意软件可以掌握木马行为、传播机理和信息窃取途径,进而为涉网案件侦办工作提供有价值的情报线索。文章简要分析了木马的功能特点、工作机理和关键技术,针对木马恶意软件的技术特点,紧密结合公安机关网络安全保卫部门的工作实际,研究探讨了木马勘查取证的基本流程、常用工具与方法,并用实例讲述了木马勘查分析技术在涉网案件侦办中的应用。     

Simulating malware with MAlSim

This paper describes MAlSim—Mobile Agent Malware Simulator—a mobile agent framework developed to address one of the most important problems related to the simulation of attacks against information systems, i.e. the lack of adequate tools for reproducing behaviour of malicious software (malware). The framework can be deployed over the network of an arbitrary information system and it aims at simulating behaviour of each instance of malware independently. MAlSim Toolkit provides multiple classes of agents and diverse behavioural and migration/replication patterns (which, taken together, form malware templates), to be used for implementation of various types of malware (viruses, worms, malicious mobile code). The primary application of MAlSim is to support security assessments of information systems based on simulation of attacks against these systems. In this context, the framework was successfully applied to the studies on security of the information system of a power plant. The case study proved the operability, applicability and usefulness of the simulation framework and it led to very interesting conclusions on the security of the evaluated system.     

基于节点差异性的无线传感网恶意软件传播模型研究*

针对目前无线传感网络中恶意软件模型化工作的不足,在二维元胞自动机基础上提出了节点差异性的恶意软件传播模型。该模型引入了MAC无线信道争用机制和邻域通信距离因素,描述了节点差异度对恶意软件在无线传感网传播扩散的影响。分析仿真实验表明,大规模无线传感网络的节点差异度、无线信道争用机制都对传播行为产生了重要影响,降低了恶意软件的传播速度。与传统传播模型相比,该模型更能够准确描述恶意软件在无线传感网络环境下的传播行为,为无线传感网络安全防御研究提供基础。     

基于One-Hot的CNN恶意代码检测技术

恶意软件的爆炸性增长,以及对用户机和网络环境造成的严重威胁,逐渐成为了网络空间安全领域的主要矛盾。当前传统的基于特征码的静态扫描技术和基于软件行为的恶意软件检测技术容易产生误报和漏报,渐渐无法满足信息安全领域的新要求。为了解决这些问题,提出基于卷积神经网络CNN的恶意代码检测技术。利用Cuckoo沙箱系统来模拟运行环境并提取分析报告;通过编写Python脚本对分析报告进行预处理;搭建深度学习CNN训练模型来实现对恶意代码的检测,并将其与机器学习以及常见的杀毒软件进行比较。实验结果表明,该方法在相比之下更具有优势,并且取得了较好的检测效果,具有更高的可行性。     

A Game Theoretical Method for Cost-Benefit Analysis of Malware Dissemination Prevention

ABSTRACT

Literature in malware proliferation focuses on modeling and analyzing its spread dynamics. Epidemiology models, which are inspired by the characteristics of biological disease spread in human populations, have been used against this threat to analyze the way malware spreads in a network. This work presents a modified version of the commonly used epidemiology models Susceptible Infected Recovered (SIR) and Susceptible Infected Susceptible (SIS), which incorporates the ability to capture the relationships between nodes within a network, along with their effect on malware dissemination process. Drawing upon a model that illustrates the network’s behavior based on the attacker’s and the defender’s choices, we use game theory to compute optimal strategies for the defender to minimize the effect of malware spread, at the same time minimizing the security cost. We consider three defense mechanisms: patch, removal, and patch and removal, which correspond to the defender’s strategy and use probabilistically with a certain rate. The attacker chooses the type of attack according to its effectiveness and cost. Through the interaction between the two opponents we infer the optimal strategy for both players, known as Nash Equilibrium, evaluating the related payoffs. Hence, our model provides a cost-benefit risk management framework for managing malware spread in computer networks.     

IT2FS-based ontology with soft-computing mechanism for malware behavior analysis

Antimalware application is one of the most important research issues in the area of cyber security threat. Nowadays, because hackers continuously develop novel techniques to intrude into computer systems for various reasons, many security researchers should analyze and track new malicious program to protect sensitive and valuable information in the organization. In this paper, we propose a novel soft-computing mechanism based on the ontology model for malware behavioral analysis: Malware Analysis Network in Taiwan (MAN in Taiwan, MiT). The core techniques of MiT contain two parts listed as follows: (1) collect the logs of network connection, registry, and memory from the operation system on the physical-virtual hybrid analysis environment to get and extract more unknown malicious behavior information. The important information is then extracted to construct the ontology model by using the Web Ontology Language and Fuzzy Markup Language. Additionally, MiT is also able to automatically provide and share samples and reports via the cloud storage mechanism; (2) apply the techniques of Interval Type-2 Fuzzy Set to construct the malware analysis domain knowledge, namely the Interval Type-2 Fuzzy Malware Ontology (IT2FMO), for malware behavior analysis. Simulation results show that the proposed approach can effectively execute the malware behavior analysis, and the constructed system has also released under GNU General Public License version 3. In the future, the system is expected to largely collect and analyze malware samples for providing industries or universities to do related applications via the established IT2FMO.     

The other guys: automated analysis of marginalized malware

In order to thwart dynamic analysis and bypass protection mechanisms, malware have been using several file formats and evasive techniques. While publicly available dynamic malware analysis systems are one of the main sources of information for researchers, security analysts and incident response professionals, they are unable to cope with all types of threats. Therefore, it is difficult to gather information from public systems about CPL, .NET/Mono, 64-bits, reboot-dependent, or malware targeting systems newer than Windows XP, which result in a lack of understanding about how current malware behave during infections on modern operating systems. In this paper, we discuss the challenges and issues faced during the development of this type of analysis system, mainly due to security features available in NT 6.x kernel versions of Windows OS. We also introduce a dynamic analysis system that addresses the aforementioned types of malware as well as present results obtained from their analyses.     

恶意软件对网络安全的威胁、现状、对策的分析研究

恶意软件对网络安全的威胁备受关注,成为影响互联网使用的“恶魔”。本文针对恶意软件的相关问题进行了详尽的探讨研究。