Similar literature
20 similar documents found (search time: 15 ms)
1.
It is a promising way to detect polymorphic shellcode using emulation method. However, previous emulation-based approaches are limited in their performance and resilience against evasions. A new enhanced emulation-based detection approach is proposed, including an automaton-based model of the dynamic behavior of polymorphic shellcode and a detection algorithm, the detection criterion of which is derived from that model and ensures high detection accuracy. The algorithm also contains several optimization techniques, highly improving the running performance and the resilience against detection evasion shellcode. We have implemented a prototype system for our approach. The advantages of our algorithm are validated by the experiments with real network data, polymorphic shellcode samples generated by available polymorphic engines and hand-crafted detection evasion shellcode.

2.
Significant progress has been made in recent years towards preventing code injection attacks at the network level. However, as state-of-the-art attack detection technology becomes more prevalent, attackers are likely to evolve, employing techniques such as polymorphism and metamorphism to defeat these defenses. A major outstanding question in security research and engineering is thus whether we can proactively develop the tools needed to contain advanced polymorphic and metamorphic attacks. While recent results have been promising, most of the existing proposals can be defeated using only minor enhancements to the attack vector. In fact, some publicly-available polymorphic shellcode engines are currently one step ahead of the most advanced publicly-documented network-level detectors. In this paper, we present a heuristic detection method that scans network traffic streams for the presence of previously unknown polymorphic shellcode. In contrast to previous work, our approach relies on a NIDS-embedded CPU emulator that executes every potential instruction sequence in the inspected traffic, aiming to identify the execution behavior of polymorphic shellcode. Our analysis demonstrates that the proposed approach is more robust to obfuscation techniques like self-modifications compared to previous proposals, but also highlights advanced evasion techniques that need to be more closely examined towards a satisfactory solution to the polymorphic shellcode detection problem.

3.
4.
It is a well-known fact that polymorphism is one of the greatest finds of malicious code authors. Applied in the context of Buffer Overflow attacks, the detection of such codes becomes very difficult. In view of this problematic, which constitutes a real challenge for all the international community, we propose in this paper a new formal language (based on temporal logics such as CTL) allowing to specify polymorphic codes, to detect them and to better understand their nature. The efficiency and the expressiveness of this language are shown via the specification of a variety of properties characterizing polymorphic shellcodes. Finally, to make the verification process automatic, this language is supported by a new IDS (Intrusion Detection System) that will also be presented in this paper.

5.
王颖  李祥和  关龙  崔宝江 《计算机工程》2010,36(18):163-165
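To address the problem of attackers threatening system security through shellcode in the Windows environment, this paper studies shellcode attacks and defenses. It analyzes the working principle of shellcode, the attack process and its many variants, introduces the mechanisms by which the GS and ASLR protections adopted in newer Windows systems defend against shellcode attacks, and verifies their effectiveness through experiments. The results show that carrying out a shellcode attack requires certain conditions, and that GS and ASLR can prevent these conditions from forming, effectively blocking the attack.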

6.
As a predictive application of data envelopment analysis (DEA), technology forecasting using DEA (TFDEA) measures the rate of frontier shift by which the arrival of future technologies can be estimated. However, it is well known that DEA and therefore TFDEA may suffer from the issue of infeasible super‐efficiency especially under the condition of variable returns to scale. This study develops an extended TFDEA model based on the modified super‐efficiency model proposed in the literature, which has the benefit of yielding radial super‐efficiency scores equivalent to those obtained from the original super‐efficiency model when feasibility is present. The previously published application of liquid crystal displays (LCD) is revisited to illustrate the use of the new model. The results show that the proposed approach makes a reasonable forecast for formerly infeasible targets as well as a consistent forecast for feasible targets.

7.
This work affirms that the quantification of life-critical software reliability is infeasible using statistical methods, whether these methods are applied to standard software or fault-tolerant software. The classical methods of estimating reliability are shown to lead to exorbitant amounts of testing when applied to life-critical software. Reliability growth models are examined and also shown to be incapable of overcoming the need for excessive amounts of testing. The key assumption of software fault tolerance (separately programmed versions fail independently) is shown to be problematic. This assumption cannot be justified by experimentation in the ultrareliability region, and subjective arguments in its favor are not sufficiently strong to justify it as an axiom. Also, the implications of the recent multiversion software experiments support this affirmation.

8.
Let S be a finite set of β normal closed terms and M and N a pair of β normal, η distinct, closed terms. Then there exist polymorphic types a, b such that every member of S can be typed as a, and M and N have η expansions which can be typed as b; where, in the resulting typings, the members of S can be simultaneously consistently identified, and the η expansions of M and N are βη inconsistent (no model with more than one element of any type). A similar result holds in the presence of surjective pairing.

9.
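Research on buffer overflow attack defense techniques based on shellcode detection   Total citations: 5, self-citations: 0, citations by others: 5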
何乔  吴廖丹  张天刚 《计算机应用》2007,27(5):1044-1046
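Buffer overflow attacks pose a great threat to computer and network security. Starting from the principle of buffer overflow attacks and the ways shellcode is implemented, this paper proposes overflow attack defense techniques that target shellcode. It describes several techniques that detect and block shellcode to counter overflow attacks, both before and after the shellcode gains control, based on code characteristics, jump methods and the way the shellcode carries out its malicious functions. Finally, it compares the advantages and disadvantages of these techniques, points out the better methods among them, and offers some suggestions for improving system security more comprehensively.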

10.
In this study we develop a price-directive algorithm for solving the minimum cost multicommodity flow problem. The algorithm is a specialization of Balas' infeasibility pricing method. The subproblems are first solved and the infeasibility in the common resources is used to generate a new direction for the price vector. By making use of the network structure, the process of finding the new direction is simplified. The subproblems are solved only once and the procedure is illustrated by a numerical example.

11.
邹锋  陈得宝  王江涛 《计算机应用》2010,30(7):1885-1888
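For multi-objective optimization problems with constraints, a constrained multi-objective particle swarm algorithm based on the idea of the endocrine system is proposed. The infeasibility degree method and the constraint dominance principle guide the selection of the elite population and the handling of constraints during evolution. Following the principle of interaction between stimulating hormones and releasing hormones in biological hormone regulation, the algorithm considers the supervisory control that individuals in the current non-dominated solution set exert over their nearest class of the population, and introduces a class-level global best position for the current particle to reflect the influence of the best-positioned particle in its class on the current particle. To verify the effectiveness of the constrained multi-objective optimization algorithm, simulation experiments were carried out on two typical multi-objective optimization problems; the results show that the algorithm obtains feasible Pareto-optimal solutions of constrained multi-objective optimization problems with high probability.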

12.
In mobile devices, multiple applications contend for limited resources in the underlying embedded system framework. Application resource requirements in mobile systems vary by computation needs, energy consumption and user interaction frequency. Quality of service (QoS) is the predominant metric of choice to manage resources among contending applications. Resource allocation policies to support static QoS for applications do not reflect the changing demands of the user in contemporary network on chip (NoC) based embedded architectures. User satisfaction with the user interactions and user interface design ought to be the primary design driver. Some recent research has integrated a saturating, non-linear user satisfaction function in the application thread scheduler. The application and operating system level user satisfaction research assumes that the throughput of inter-thread edges is limited only by the computational constraints of the nodes. With NoC, however, NoC resource allocation policies play an important role in determining the inter-thread communication flow’s throughput and the resulting application level user satisfaction. In this paper, we filter down the user satisfaction from an application layer attribute to a router level attribute to improve the resource and energy utilization for routing in order to leverage the user satisfaction at the application and system level. We demonstrate that this technique improves the user satisfaction of audio (MP3) application by 10% while maintaining the user satisfaction of video (MPEG-2) application. Experiments also show that a fixed energy source can be extended for an average of 18% of the time using the NoC user satisfaction based energy optimization proposed in this research.

13.
On neuro-wavelet modeling   Total citations: 1, self-citations: 0, citations by others: 1
We survey a number of applications of the wavelet transform in time series prediction. The Haar à trous wavelet transform is proposed as a means of handling time series data when future data is unknown. Results are exemplified on financial futures and S&P500 data. Nonlinear and linear multiresolution autoregression models are studied. Experimentally, we show that multiresolution approaches can outperform the traditional single resolution approach to modeling and prediction.

14.
Gholam R. Amin 《Knowledge》2010,23(3):283-284
Recently Soleimani-Damaneh (modified big-M method to recognize the infeasibility of linear programming models, Knowledge-Based Systems 21 (2008) 377–382), proposed a modified big-M method for detecting the infeasibility of a linear programming problem. This note discusses the essential theorem given in the mentioned study and gives the required assumption for distinguishing the infeasibility of an LP model using the big-M method.

15.
《Software, IEEE》2004,21(2):104-103

16.
Bioreactors are noted for their dynamic behavior deviant from that of chemical reactors because of metabolic regulation. Consequently model-based control of bioreactors must rely on models that can accommodate regulatory behavior. Although the framework of kinetics, the hallmark of analysis of all chemical reaction systems (of which metabolism is but an illustrious member), would be a natural implement for describing biological processes, its facileness has suffered at the hands of regulatory phenomena. In this paper, we review the cybernetic modeling effort of Ramkrishna and coworkers that has had a notable run of success in dealing with the diverse effects of metabolic regulation in numerous microbial processes. These effects include multiplicity of steady states of widely varying physiological activity, transient behavior traversing through multiple domains of metabolic shifts, and so on. This review will expound the basic tenets of the cybernetic framework in its current state of evolution, highlight the various developments of this methodology, and in effect, foster its future for model-based control of bioreactors towards maintaining a meticulously monitored metabolic activity.

17.
18.
Tool chains have grown from ad-hoc solutions to complex software systems, which often have a service-oriented architecture. With service-oriented tool integration, development tools are made available as services, which can be orchestrated to form tool chains. Due to the increasing sophistication and size of tool chains, there is a need for a systematic development approach for service-oriented tool chains. We propose a domain-specific modeling language (DSML) that allows us to describe the tool chain on an appropriate level of abstraction. We present how this language supports three activities when developing service-oriented tool chains: communication, design and realization. A generative approach supports the realization of the tool chain using the service component architecture. We present experiences from an industrial case study, which applies the DSML to support the creation of a service-oriented tool chain. We evaluate the approach both qualitatively and quantitatively by comparing it with a traditional development approach.

19.
This paper proposes a fuzzy clustering-based algorithm for fuzzy modeling. The algorithm incorporates unsupervised learning with an iterative process into a framework, which is based on the use of the weighted fuzzy c-means. In the first step, the learning vector quantization (LVQ) algorithm is exploited as a data pre-processor unit to group the training data into a number of clusters. Since different clusters may contain different number of objects, the centers of these clusters are assigned weight factors, the values of which are calculated by the respective cluster cardinalities. These centers accompanied with their weights are considered to be a new data set, which is further elaborated by an iterative process. This process consists of applying in sequence the weighted fuzzy c-means and the back-propagation algorithm. The application of the weighted fuzzy c-means ensures that the contribution of each cluster center to the final fuzzy partition is determined by its cardinality, meaning that the real data structure can be easier discovered. The algorithm is successfully applied to three test cases, where the produced fuzzy models prove to be very accurate as well as compact in size.

20.
The modeling and optimal flow control of a Jacksonian network in equilibrium is investigated. The model employed consists of a controller node cascaded with the Jacksonian network. Input packets arrive at the controller node with a Poissonian rate δ. For a blocking type strategy for accessing the network it is shown that the control which maximizes the average throughput of the network subject to a bounded average time delay constraint is a window flow control mechanism. The window size depends on the offered load δ, the maximum service rate of the controlling queueing system, c, and the Norton equivalent service rate of the network μ. The dependence of the average throughput and the average time delay on the control is also analyzed.
