Similar literature
20 similar records found
1.
Research on buffer overflow attack defenses based on shellcode detection   Cited by: 5 (self-citations: 0, other citations: 5)
何乔, 吴廖丹, 张天刚, 《计算机应用》 2007, 27(5): 1044-1046
Buffer overflow attacks pose a serious threat to computer and network security. Starting from the principles of buffer overflow attacks and the ways shellcode is implemented, this paper proposes overflow-attack defenses that target the shellcode itself. It describes several techniques that detect and block shellcode, both before and after it gains control, by examining its code characteristics, the way control is transferred to it, and how its malicious functionality is carried out. Finally, the advantages and disadvantages of these techniques are compared, the stronger approaches are identified, and suggestions are made for improving overall system security.

2.
Most general-purpose shellcode engines encode the shellcode with a specific operation, giving it the ability to evade conventional code-signature detection systems. To detect shellcode with this evasion capability, this paper analyzes in depth how typical current shellcode engines work, studies the code features and behavioral features of the shellcode they generate, and on that basis proposes a targeted, combined detection method based on both kinds of features. Experimental results show that this combined method can specifically and effectively detect and block the execution of such shellcode, also detects other shellcode to some extent, and had false-alarm and missed-alarm rates of 0. The detection system has practical value for malicious-code detection.

3.
Significant progress has been made in recent years towards preventing code injection attacks at the network level. However, as state-of-the-art attack detection technology becomes more prevalent, attackers are likely to evolve, employing techniques such as polymorphism and metamorphism to defeat these defenses. A major outstanding question in security research and engineering is thus whether we can proactively develop the tools needed to contain advanced polymorphic and metamorphic attacks. While recent results have been promising, most of the existing proposals can be defeated using only minor enhancements to the attack vector. In fact, some publicly-available polymorphic shellcode engines are currently one step ahead of the most advanced publicly-documented network-level detectors. In this paper, we present a heuristic detection method that scans network traffic streams for the presence of previously unknown polymorphic shellcode. In contrast to previous work, our approach relies on a NIDS-embedded CPU emulator that executes every potential instruction sequence in the inspected traffic, aiming to identify the execution behavior of polymorphic shellcode. Our analysis demonstrates that the proposed approach is more robust to obfuscation techniques like self-modifications compared to previous proposals, but also highlights advanced evasion techniques that need to be more closely examined towards a satisfactory solution to the polymorphic shellcode detection problem.
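Entries 1 to 3 above describe the same arms race from three angles: static code signatures, shellcode engines that XOR-encode the payload to defeat them, and emulation-based detectors that run every candidate offset of a traffic buffer looking for GetPC and self-modifying behaviour. The Python below is an added illustration written for this listing, not code from any of the three papers. It builds a constructed sample (the well-known 23-byte Linux/x86 execve("/bin//sh") payload wrapped in a hand-written jmp/call/pop + single-byte XOR decoder stub whose layout is my own), shows that byte signatures match the plaintext but not the encoded form, and then runs a deliberately tiny IA-32 emulator that supports only the decoder's instructions; the signature set, the stub layout and the "GetPC plus at least eight self-writes" threshold are assumptions, and the emulator is a stand-in for the full CPU emulator the third paper embeds in its NIDS.

```python
"""Toy NIDS-style scan for XOR-decoded shellcode: signature matching versus
emulation of every candidate start offset in the inspected buffer."""

# Constructed sample: the classic 23-byte Linux/x86 execve("/bin//sh") payload.
PAYLOAD = bytes.fromhex("31c050682f2f7368682f62696e89e3505389e1b00bcd80")

# Byte signatures a static matcher would key on (assumed; not the papers' rule sets).
SIGNATURES = {
    "/bin string": b"/bin",
    "int 0x80 execve": b"\xb0\x0b\xcd\x80",   # mov al, 0xb ; int 0x80
}


def signature_hits(data, sigs=SIGNATURES):
    """Names of signatures found verbatim in `data` (sorted for stable output)."""
    return sorted(name for name, pat in sigs.items() if pat in data)


def xor_encode(payload, key):
    """Wrap `payload` in a hand-written GetPC + single-byte XOR decoder stub.
    Assumed stub layout: jmp/call/pop fetches the payload address into esi,
    then a loop XORs each byte in place and falls through into it."""
    n = len(payload)
    assert 0 < n < 256 and 0 < key < 256          # mov cl, imm8 holds one byte
    stub = bytes([
        0xEB, 0x0D,                      # jmp short +0x0D  -> call below
        0x5E,                            # pop esi          (esi = payload address)
        0x31, 0xC9,                      # xor ecx, ecx
        0xB1, n,                         # mov cl, n
        0x80, 0x36, key,                 # xor byte [esi], key
        0x46,                            # inc esi
        0xE2, 0xFA,                      # loop -6          -> back to the xor
        0xEB, 0x05,                      # jmp short +5     -> decoded payload
        0xE8, 0xEE, 0xFF, 0xFF, 0xFF,    # call -18         -> pop esi (pushes payload address)
    ])
    return stub + bytes(b ^ key for b in payload)


def _s8(b):
    """Interpret a byte as a signed rel8 displacement."""
    return b - 256 if b > 127 else b


def emulate(data, start, max_steps=4096):
    """Execute a tiny IA-32 subset from `start`, treating buffer offsets as
    addresses. Supports only the decoder-stub instructions above; any other
    opcode ends the candidate. Returns (getpc_seen, self_writes, memory)."""
    mem = bytearray(data)
    size = len(mem)

    def rd(i):
        return mem[i] if 0 <= i < size else -1

    pc, esi, ecx, stack = start, 0, 0, []
    getpc, writes = False, 0
    for _ in range(max_steps):
        op = rd(pc)
        if op == 0xEB and rd(pc + 1) >= 0:                  # jmp short rel8
            pc = pc + 2 + _s8(rd(pc + 1))
        elif op == 0xE8 and pc + 4 < size:                   # call rel32
            rel = int.from_bytes(mem[pc + 1:pc + 5], "little", signed=True)
            stack.append(pc + 5)
            pc = pc + 5 + rel
        elif op == 0x5E and stack:                           # pop esi
            esi = stack.pop()
            getpc = True                                     # code learned its own address
            pc += 1
        elif op == 0x31 and rd(pc + 1) == 0xC9:              # xor ecx, ecx
            ecx = 0
            pc += 2
        elif op == 0xB1 and rd(pc + 1) >= 0:                 # mov cl, imm8
            ecx = (ecx & 0xFFFFFF00) | rd(pc + 1)
            pc += 2
        elif (op == 0x80 and rd(pc + 1) == 0x36 and rd(pc + 2) >= 0
              and 0 <= esi < size):                          # xor byte [esi], imm8
            mem[esi] ^= rd(pc + 2)                           # self-modifying write
            writes += 1
            pc += 3
        elif op == 0x46:                                     # inc esi
            esi = (esi + 1) & 0xFFFFFFFF
            pc += 1
        elif op == 0xE2 and rd(pc + 1) >= 0:                 # loop rel8
            ecx = (ecx - 1) & 0xFFFFFFFF
            pc = pc + 2 + _s8(rd(pc + 1)) if ecx else pc + 2
        else:
            break                                            # unsupported or out of buffer
    return getpc, writes, mem


def scan(data, min_writes=8):
    """Try every offset as a start address, as the emulator-based NIDS does.
    A run is flagged when it both recovered its own address (GetPC) and
    rewrote at least `min_writes` bytes of the buffer (assumed threshold).
    Each finding is (start, writes, signatures visible after decoding)."""
    findings = []
    for start in range(len(data)):
        getpc, writes, mem = emulate(data, start)
        if getpc and writes >= min_writes:
            findings.append((start, writes, signature_hits(bytes(mem))))
    return findings


if __name__ == "__main__":
    encoded = xor_encode(PAYLOAD, 0x41)
    print("plain  :", signature_hits(PAYLOAD), scan(PAYLOAD))
    print("encoded:", signature_hits(encoded), scan(encoded))
```

Running it shows the contrast the abstracts describe: the plaintext payload trips both signatures but the encoded buffer trips none, while the emulation flags the decoder at offset 0 (and again at the call at offset 15), counts the 23 in-place writes, and, because the emulated memory now holds the decoded bytes, the same signatures match after the run. Starting from the middle of the loop with a wrong register state is harmless here: the loop overwrites its own xor instruction and the candidate terminates without ever having seen a GetPC. A real detector must of course handle the full instruction set and the self-modification and evasion cases the third paper discusses.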

4.
This paper presents a set of distributed algorithms that support an Intrusion Detection System (IDS) model for Mobile Ad hoc NETworks (MANETs). The development of mobile networks has created the need for new IDS models in order to deal with new security issues in these communication environments. More conventional models have difficulty dealing with malicious components in MANETs. In this paper, we describe the proposed IDS model, focusing on distributed algorithms and their computational costs. The proposal employs fault tolerance techniques and cryptographic mechanisms to detect and deal with malicious or faulty nodes. The model is analyzed along with related works. Unlike the studies in the references, the proposed IDS model admits intrusions and malice in its own algorithms. In this paper, we also present test results obtained with an implementation of the proposed model.

5.
This paper presents a review of the use of intelligent data analysis techniques in hydrocarbon exploration. The term "intelligent" is used in its broadest sense. The process of hydrocarbon exploration exploits data which have been collected from different sources. Different dimensions of data are analyzed using statistical analysis, data mining, artificial neural networks and artificial intelligence. This review is meant not only to describe the evolution of intelligent data analysis techniques used in different phases of hydrocarbon exploration but also to signify the growing use of data mining in various application domains; we avoided a general review of data mining and other intelligent data analysis techniques in this paper. The volume of general literature might affect the precision of our view regarding the application of these techniques in hydrocarbon exploration. The review reveals the suitability of existing techniques to data collected from diverse sources, in addition to the use of analytical techniques for the process of hydrocarbon exploration.

6.
《Knowledge》2000,13(5):297-305
New generation knowledge-based systems should be fully integrated into their environment, by exploiting existing information sources, and should be flexible and easily extensible. This article describes the architecture of an organisational memory (OM) for road safety analysis. Starting from the design of a knowledge-based system, we show how we address knowledge capitalisation issues through the building of an OM. We present its main components and describe how knowledge engineering techniques can be exploited to build and enrich it. We then describe the major task that exploits the OM as decision support for site analysis. We also explain how domain knowledge can be exploited and capitalised using case-based reasoning and collaborative work.

7.
Malware is code designed for a malicious purpose, such as obtaining root privilege on a host. A malware detector identifies malware and thus prevents it from adversely affecting a host. In order to evade detection, malware writers use various obfuscation techniques to transform their malware. There is strong evidence that commercial malware detectors are susceptible to these evasion tactics. In this paper, we describe the design and implementation of a malware transformer that reverses the obfuscations performed by a malware writer. Our experimental evaluation demonstrates that this malware transformer can drastically improve the detection rates of commercial malware detectors.

8.
Internet of Things (IoT) devices work mainly over wireless media, which requires Intrusion Detection System (IDS) solutions that leverage 802.11 header information for intrusion detection. Wireless-specific traffic features with high information gain are primarily found in the data link layer, rather than in the application layer as in wired networks. This survey investigates some of the complexities and challenges in deploying wireless IDS in terms of data collection methods, IDS techniques, IDS placement strategies, and traffic data analysis techniques. This paper's main finding highlights the lack of available network traces for training modern machine-learning models against IoT-specific intrusions. Specifically, the Knowledge Discovery in Databases (KDD) Cup dataset is reviewed to highlight the design challenges of wireless intrusion detection based on current data attributes, and several guidelines are proposed to future-proof traffic capture methods in the wireless network (WN). The paper starts with a review of various intrusion detection techniques, data collection methods and placement methods. The main goal of this paper is to study the design challenges of deploying an intrusion detection system in a wireless environment. Intrusion detection system deployment in a wireless environment is not as straightforward as in a wired network environment due to the architectural complexities. So this paper reviews the traditional wired intrusion detection deployment methods, discusses how these techniques could be adopted in the wireless environment, and highlights the design challenges in the wireless environment. The main wireless environments to look into are Wireless Sensor Networks (WSN), Mobile Ad Hoc Networks (MANET) and IoT, as these are the future trends and many attacks have been targeted at these networks. So it is very crucial to design an IDS that specifically targets wireless networks.

9.
In this paper we describe continuing work being carried out as part of the Bristol Wearable Computing Initiative. We are interested in the use of context sensors to improve the usefulness of wearable computers. A CyberJacket incorporating a Tourist Guide application has been built, and we have experimented with location and movement sensing devices to improve its performance. In particular, we have researched processing techniques for data from accelerometers which enable the wearable computer to determine the user's activity. We have experimented with, and review, techniques already employed by others; and then propose new methods for analysing the data delivered by these devices. We try to minimise the number of devices needed, and use a single X-Y accelerometer device. Using our techniques we have adapted our CyberJacket and Tourist Guide to include a multimedia presentation which gives the user information using different media depending on the user's activity as well as location.

10.
In this paper, the HumanPT architecture for low-cost robotic applications is first presented. The HumanPT architecture differs from other architectures because it is implemented on existing robotic systems (robot and robotic controller) and exploits the minimum communication facilities for real-time control that these systems provide. It is based on well-known communication methods like serial communication (USB, RS232, IEEE-1394) and Windows sockets (server-client model) and permits a large number of different types of components, like actuators, sensors and particularly vision systems, to be connected in a robotic system. The operating system (OS) used is Microsoft Windows, the most widely used OS. The proposed architecture exploits features of this OS, which is not a real-time one, to ensure, in case the robotic system provides such a facility, control and real-time communication with the robotic system controller, and to integrate by means of sensors and actuators a large number of robotic tasks and procedures. As an implementation of this architecture, the HumanPT robotic application and experimental results concerning its performance and its use in real tasks are provided. The HumanPT robotic application, developed in Visual C++, is integrated but at the same time open-source software that can be adapted to different types of robotic systems. A large number of robotic tasks or procedures including sensors and particularly vision systems can be generated and executed. By means of the proposed architecture and the open-source software, small enterprises can be automated at low cost, enhancing their production in this way.

11.
This paper focuses on the use of space and airborne sensors that can be applied to detect landmines and minefields. First the landmine and minefield problem is addressed and examples of the use of remote sensing images are presented that could provide valuable information for the mine action process and assist conventional minefield and landmine detection methods. This is followed by an overview of relevant (declassified) aspects related to strategic overhead detection techniques developed by the military/intelligence community as well as those of civilian space and airborne remote sensing programmes. The airborne sensing techniques describe the state of the art of sensors such as optical (film, multi- and hyperspectral sensors), thermal infrared as well as microwave sensors and their suitability and limitations for remote-sensing-based minefield and landmine detection purposes.

12.
《Computer Networks》2007,51(3):632-654
Intrusion detection systems (IDS) often provide poor-quality alerts, which are insufficient to support rapid identification of ongoing attacks or predict an intruder's next likely goal. In this paper, we propose a novel approach to alert postprocessing and correlation, the Hidden Colored Petri-Net (HCPN). Different from most other alert correlation methods, our approach treats the alert correlation problem as an inference problem rather than a filter problem. Our approach assumes that the intruder's actions are unknown to the IDS and can be inferred only from the alerts generated by the IDS sensors. HCPN can describe the relationship between different steps carried out by intruders, model observations (alerts) and transitions (actions) separately, and associate each token element (system state) with a probability (or confidence). The model is an extension to Colored Petri-Net (CPN). It is called "hidden" because the transitions (actions) are not directly observable but can be inferred by looking through the observations (alerts). These features make HCPN especially suitable for discovering intruders' actions from their partial observations (alerts) and predicting intruders' next goal. Our experiments on DARPA evaluation datasets and the attack scenarios from the Grand Challenge Problem (GCP) show that HCPN has promise as a way of reducing false positives and negatives, predicting the intruder's next possible action, uncovering intruders' intrusion strategies after the attack scenario has happened, and providing confidence scores.

13.
In a distributed intrusion detection system, as the number of deployed sensors grows, the complexity and cost of configuring components by hand keep rising. To address this problem, a policy-based method for configuring IDS components is proposed. The method uses additional information from a resource-management database and from self-learning sensors, simplifies policy design, and achieves dynamic reconfiguration of the distributed intrusion detection system.

14.
Research on intrusion detection systems based on data mining   Cited by: 7 (self-citations: 1, other citations: 7)
This paper introduces data mining into intrusion detection systems and describes the process of applying several data mining methods to intrusion detection. The basic idea is to use data mining methods to discover user behavior profiles and to detect new intrusion patterns. On this basis, an agent-based intrusion detection system model is proposed, in which a data-mining agent continuously mines and analyzes data and supplies the detection agent with the latest detection rules. Finally, related issues in this IDS are analyzed.

15.
16.
Exploits are increasingly targeting operating system kernel vulnerabilities. For one, applications in user space are better protected by developers and by the kernel than in the past. Second, the promise of a successful kernel exploit is tantalizing: full control over the targeted environment. Under Linux, kernel-space exploits differ noticeably from user-space exploits. Constraints such as execution context problems, module relocation, system call usage prerequisites and kernel shellcode development have to be dealt with. These kernel exploits are the focus of this paper. We first give an overview of the major kernel data structures used to handle processes under Linux 2.6 on the Intel IA-32 architecture. We then illustrate the aforementioned constraints by means of two practical Wi-Fi Linux driver stack overflow exploits. This paper is an expanded version of two conference talks given at SSTIC 2007 in Rennes and at SYSCAN 2007 in Singapore.

17.
The Internet connects hundreds of millions of computers across the world, running on multiple hardware and software platforms and providing communication and commercial services. However, this interconnectivity among computers also enables malicious users to misuse resources and mount Internet attacks. The continuously growing number of Internet attacks poses severe challenges to the development of flexible, adaptive security-oriented methods. An intrusion detection system (IDS) is one of the most important components used to detect Internet attacks. In the literature, different techniques from various disciplines have been utilized to develop efficient IDS. Artificial intelligence (AI) based techniques play a prominent role in the development of IDS and have many benefits over other techniques. However, there is no comprehensive review of AI-based techniques that examines the current status of these techniques for solving intrusion detection problems. In this paper, various AI-based techniques have been reviewed, focusing on the development of IDS. Related studies have been compared by their source of audit data, processing criteria, technique used, dataset, classifier design, feature reduction technique employed and other experimental environment setup. Benefits and limitations of AI-based techniques have been discussed. The paper will help readers better understand the different directions in which research has been done in the field of IDS. The findings of this paper provide useful insights into the literature and are beneficial for those who are interested in applications of AI-based techniques to IDS and related fields. The review also provides future directions for research in this area.

18.
Approaches to large-scale urban modeling   Cited by: 5 (self-citations: 0, other citations: 5)
Large-scale urban modeling technologies use a variety of sensors and data acquisition techniques. The authors categorize current approaches and describe their advantages and disadvantages. Their survey examines current research with respect to several performance criteria including data acquisition sources, user interaction level, geometric fidelity, model completeness, and intended applications. Although modeling systems vary with respect to these criteria, data acquisition strongly influences model characteristics and usefulness. We therefore cluster the methods into those based on photogrammetry, active sensors, and hybrid sensor systems.

19.
20.
Research on network forensics and its application technologies   Cited by: 1 (self-citations: 0, other citations: 1)
Research on network forensics is still immature, and its terminology is used inconsistently. This paper mainly studies network forensic analysis techniques, with emphasis on network forensics implementations based on IDS, honeytraps, agents, fuzzy expert systems and SVM. It proposes a design concept for a network forensics system based on intrusion tolerance and network monitoring, and thereby gives a systematic introduction to the concepts, analysis methods, forensic techniques, system implementation methods and development trends of network forensics.
