Shadow attacks: automatically evading system-call-behavior based malware detection

Contemporary malware makes extensive use of different techniques such as packing, code obfuscation, polymorphism, and metamorphism, to evade signature-based detection. Traditional signature-based detection technique is hard to catch up with latest malware or unknown malware. Behavior-based detection models are being investigated as a new methodology to defeat malware. This kind of approaches typically relies on system call sequences/graphs to model a malicious specification/pattern. In this paper, we present a new class of attacks, namely ??shadow attacks??, to evade current behavior-based malware detectors by partitioning one piece of malware into multiple ??shadow processes??. None of the shadow processes contains a recognizable malicious behavior specification known to single-process-based malware detectors, yet those shadow processes as an ensemble can still fulfill the original malicious functionality. To demonstrate the feasibility of this attack, we have developed a compiler-level prototype tool, AutoShadow, to automatically generate shadow-process version of malware given the source code of original malware. Our preliminary result has demonstrated the effectiveness of shadow attacks in evading several behavior-based malware analysis/detection solutions in real world. With the increasing adoption of multi-core computers and multi-process programs, malware writers may exploit more such shadow attacks in the future. We hope our preliminary study can foster more discussion and research to improve current generation of behavior-based malware detectors to address this great potential threat before it becomes a security problem of the epidemic proportions.     

Component behavior-based adaptation in embedded software

Several models of computation have been used in software development approaches. The specialization of the existing models makes them suitable to specific application domains. Nevertheless, when there is no solution for applications at hand, heterogeneous models have been used. Within this context, this paper discusses a heterogeneous model called extended dataflow with a focus on component-based design. The emphasis lies on the dynamics of the components, including the way they interact with each other, their behavioral modeling, and flow of control. The main objective is to provide mechanisms for supporting both the ability of the run-time environment to safely dispatch tasks and the ability of components to adapt their interfaces. This paper focuses on embedded software. The purpose of the mechanisms we have been working on is to improve robustness while promoting component-based design. An adaptive application involving digital filters is used to illustrate our approach.     

FOREPOST: finding performance problems automatically with feedback-directed learning software testing

A goal of performance testing is to find situations when applications unexpectedly exhibit worsened characteristics for certain combinations of input values. A fundamental question of performance testing is how to select a manageable subset of the input data faster in order to automatically find performance bottlenecks in applications. We propose FOREPOST, a novel solution, for automatically finding performance bottlenecks in applications using black-box software testing. Our solution is an adaptive, feedback-directed learning testing system that learns rules from execution traces of applications. Theses rules are then used to automatically select test input data for performance testing. We hypothesize that FOREPOST can find more performance bottlenecks as compared to random testing. We have implemented our solution and applied it to a medium-size industrial application at a major insurance company and to two open-source applications. Performance bottlenecks were found automatically and confirmed by experienced testers and developers. We also thoroughly studied the factors (or independent variables) that impact the results of FOREPOST.     

C/S客户端软件自动更新系统的设计与实现

针对客户端/服务器(C/S)模式软件更新不是太方便的实际问题,详细讲述了C/S模式软件自动更新系统从设计到实现的过程,并且实现了各模块有选择的更新,系统在C Builder6.0环境下开发完成.利用FTP协议实现了更新文件的传输,利用NMMsg和NMMSGServ等通信组件实现了消息的传递,利用ini文件储存更新文件的配置信息.该系统方便的解决了C/S软件客户端更新难问题,作为一个工具,该软件具有较强的实用性.     

RoboMusic: a behavior-based approach

Based on principles from modern artificial intelligence and robotics, we developed the RoboMusic concept. In RoboMusic, we use a number of robotic devices as instruments, and the tunes are composed as a behavior-based system. The music artist composes a baseline behavior for the robotic instruments, and composes the behavioral response to interactions by human musicians. The music artist is transformed from a composer of static music tunes to a developer of robot behavior: behavior that is expressed by the robotic system as music pieces. Music compositions are transformed to become robotic behavior as in a behavior-based system. A RoboMusic concert is performed with robotic instruments, and changes the concept of live concerts by inviting the audience to interact with the band’s instruments themselves and thereby guide the live performance of the music themselves. This work was presented in part at the 12th International Symposium on Artificial Life and Robotics, Oita, Japan, January 25–27, 2007     

More on graph theoretic software watermarks: Implementation,analysis, and attacks

This paper presents an implementation of the watermarking method proposed by Venkatesan et al. in their paper [R. Venkatesan, V. Vazirani, S. Sinha, A graph theoretic approach to software watermarking, in: Fourth International Information Hiding Workshop, Pittsburgh, PA, 2001]. An executable program is marked by the addition of code for which the topology of the control-flow graph encodes a watermark. We discuss issues that were identified during construction of an actual implementation that operates on Java bytecode. We present two algorithms for splitting a watermark number into a redundant set of pieces and an algorithm for turning a watermark number into a control-flow graph. We measure the size and time overhead of watermarking, and evaluate the algorithm against a variety of attacks.     

On using machine learning to automatically classify software applications into domain categories

Software repositories hold applications that are often categorized to improve the effectiveness of various maintenance tasks. Properly categorized applications allow stakeholders to identify requirements related to their applications and predict maintenance problems in software projects. Manual categorization is expensive, tedious, and laborious – this is why automatic categorization approaches are gaining widespread importance. Unfortunately, for different legal and organizational reasons, the applications’ source code is often not available, thus making it difficult to automatically categorize these applications. In this paper, we propose a novel approach in which we use Application Programming Interface (API) calls from third-party libraries for automatic categorization of software applications that use these API calls. Our approach is general since it enables different categorization algorithms to be applied to repositories that contain both source code and bytecode of applications, since API calls can be extracted from both the source code and byte-code. We compare our approach to a state-of-the-art approach that uses machine learning algorithms for software categorization, and conduct experiments on two large Java repositories: an open-source repository containing 3,286 projects and a closed-source repository with 745 applications, where the source code was not available. Our contribution is twofold: we propose a new approach that makes it possible to categorize software projects without any source code using a small number of API calls as attributes, and furthermore we carried out a comprehensive empirical evaluation of automatic categorization approaches.     

L-ALLIANCE: Task-oriented multi-robot learning in behavior-based systems

A large application domain for multi-robot teams involves task-oriented missions, in which potentially heterogeneous robots must solve several distinct tasks. Previous research addressing this problem in multi-robot systems has largely focused on issues of efficiency, while ignoring the real-world situated robot needs of fault tolerance and adaptivity. This paper addresses this problem by developing an architecture called L-ALLIANCE that incorporates task-oriented action selection mechanisms into a behavior-based system, thus increasing the efficiency of robot team performance while maintaining the desirable characteristics of fault tolerance and adaptivity. We present our investigations of several competing control strategies and derive an approach that works well in a wide variety of multi-robot task-oriented mission scenarios. We provide a formal model of this technique to illustrate how it can be incorporated into any behavior-based system.     

多秤联动式自动称重包装机的原理与软件设计

本文介绍一种采用单片机控制的多秤联动自动称重包装机的工作原理、硬件组成以及软件设计。     

Cooperation without deliberation: A minimal behavior-based approach to multi-robot teams

While terminology and some concepts of behavior-based robotics have become widespread, the central ideas are often lost as researchers try to scale behavior to higher levels of complexity. “Hybrid systems” with model-based strategies that plan in terms of behaviors rather than simple actions have become common for higher-level behavior. We claim that a strict behavior-based approach can scale to higher levels of complexity than many robotics researchers assume, and that the resulting systems are in many cases more efficient and robust than those that rely on “classical AI” deliberative approaches. Our focus is on systems of cooperative autonomous robots in dynamic environments. We will discuss both claims that deliberation and explicit communication are necessary to cooperation and systems that cooperate only through environmental interaction. In this context we introduce three design principles for complex cooperative behavior—minimalism, statelessness and tolerance—and present a RoboCup soccer system that matches the sophistication of many deliberative soccer systems while exceeding their robustness, through the use of strict behavior-based techniques with no explicit communication.     

PICO: automatically designing custom computers

The paper discusses the PICO (program in, chip out) project, a long-range HP Labs research effort that aims to automate the design of optimized, application-specific computing systems - thus enabling the rapid and cost-effective design of custom chips when no adequately specialized, off-the-shelf design is available. PICO research takes a systematic approach to the hierarchical design of complex systems and advances technologies for automatically designing custom nonprogrammable accelerators and VLIW processors. While skeptics often assume that automated design must emulate human designers who invent new solutions to problems, PICO's approach is to automatically pick the most suitable designs from a well-engineered space of designs. Such automation of embedded computer design promises an era of yet more growth in the number and variety of innovative smart products by lowering the barriers of design time, designer availability, and design cost.     

A Model-based approach for the synthesis of software to firmware adapters for use with automatically generated components

This paper presents the MDE process in use at Elettronica SpA (ELT) for the development of complex embedded systems integrating software and firmware. The process is based on the adoption of SysML as the system-level modeling language and the use of Simulink for the refinement of selected subsystems. Implementations are generated automatically for both the software (C++ code) and firmware parts, and communication adapters are automatically generated from SysML using a dedicated profile and open-source tools for modeling and code generation. The process starts from a SysML system model, developed according to the platform-based design paradigm, in which a functional model of the system is paired to a model of the execution platform. Subsystems are refined as Simulink models or hand-coded in C++. An implementation for Simulink models is generated as software code or firmware on FPGA. Based on the SysML system architecture specification, our framework drives the generation of Simulink models with consistent interfaces, allows the automatic generation of the communication code among all subsystems (including the HW–FW interface code). In addition, it provides for the automatic generation of connectors for system-level simulation and of test harnesses and mockups to ease the integration and verification stage. We provide early results on the time savings obtained by using these technologies in the development process.     

Hardware/software optimization for array & pointer boundary checking against buffer overflow attacks

Malicious intrusions by buffer overflow attacks cause serious security problems and pose serious threats for networks and distributed systems such as clusters, Grids and P2P systems. Array & pointer boundary checking is one of the most effective approaches for defending against buffer overflow attacks. However, a big performance overhead may occur after boundary checking is applied. Typically, it may cause 2–5 times slowdown [T.M. Austin, E.B. Scott, S.S. Gurindar, Efficient detection of all pointer and array access errors, in: Proceedings of the ACM SIGPLAN ’94 Conference on Programming Language Design and Implementation, 1994, pp. 290–301; R.W.M. Jones, P.H.J. Kelly, Backwards-compatible bounds checking for arrays and pointers in c programs, in: The Third International Workshop on Automated and Algorithmic Debugging, 1997, pp. 13–26]. In this paper, we propose a hardware/software method to optimize the performance of array & pointer boundary checking by designing a special boundary checking instruction. The experimental results show that our method can effectively reduce the overhead of array & pointer boundary checking.     

Human behavior-based optimization: a novel metaheuristic approach to solve complex optimization problems

Optimization techniques, specially evolutionary algorithms, have been widely used for solving various scientific and engineering optimization problems because of their flexibility and simplicity. In this paper, a novel metaheuristic optimization method, namely human behavior-based optimization (HBBO), is presented. Despite many of the optimization algorithms that use nature as the principal source of inspiration, HBBO uses the human behavior as the main source of inspiration. In this paper, first some human behaviors that are needed to understand the algorithm are discussed and after that it is shown that how it can be used for solving the practical optimization problems. HBBO is capable of solving many types of optimization problems such as high-dimensional multimodal functions, which have multiple local minima, and unimodal functions. In order to demonstrate the performance of HBBO, the proposed algorithm has been tested on a set of well-known benchmark functions and compared with other optimization algorithms. The results have been shown that this algorithm outperforms other optimization algorithms in terms of algorithm reliability, result accuracy and convergence speed.

     

SVD-NET: an algorithm that automatically selects network structure

An algorithm is developed for training feedforward neural networks that uses singular value decomposition (SVD) to identify and eliminate redundant hidden nodes. Minimizing redundancy gives smaller networks, producing models that generalize better and thus eliminate the need of using cross-validation to avoid overfitting. The method is demonstrated by modeling a chemical reactor.     

ARGOS: automatically extracting repeating objects from multimedia streams

Many media streams consist of distinct objects that repeat. For example, broadcast television and radio signals contain advertisements, call sign jingles, songs, and even whole programs that repeat. The problem we address is to explicitly identify the underlying structure in repetitive streams and de-construct them into their component objects. Our algorithm exploits dimension reduction techniques on the audio portion of a multimedia stream to make search and buffering feasible. Our architecture assumes no a priori knowledge of the streams, and does not require that the repeating objects (ROs) be known. Everything the system needs, including the position and duration of the ROs, is learned on the fly. We demonstrate that it is perfectly feasible to identify in realtime ROs that occur days or even weeks apart in audio or video streams. Both the compute and buffering requirements are comfortably within reach for a basic desktop computer. We outline the algorithms, enumerate several applications and present results from real broadcast streams.     

ATABS: A technique for automatically training agent-based simulators

The automatic training of agent-based simulators can be a complex task because of (a) their common nondeterministic behavior and (b) their complex relationships between their input parameters and the outputs. This work presents a technique called ATABS for automatically training agent-based simulators. This technique is based on a novel mechanism for generating random numbers that reduces the variability of the global results. This work provides a framework that automates this training by considering the relationships between the simulation parameters and the output features. This technique and framework have been applied to automatically train two different simulators. The current approach has been empirically compared with the most similar alternative. The results show that ATABS outperforms this alternative considering (1) the similarity between simulated and real data and (2) the execution time in the training process. The ATABS framework is publicly available. In this way, it ensures not only the reproducibility of the experiments, but also allows practitioners to apply the current approach to different agent-based simulators.