1.
Malware is one of the main threats to the Internet security in general, and to commercial transactions in particular. However, given the high level of sophistication reached by malware (e.g. usage of encrypted payload and obfuscation techniques), malware detection tools and techniques still call for effective and efficient solutions. In this paper, we address a specific, dreadful, and widely diffused financial malware: Zeus. The contributions of this paper are manifold: first, we propose a technique to break the encrypted malware communications, extracting the keystream used to encrypt such communications; second, we provide a generalization of the proposed keystream extraction technique. Further, we propose Cronus, an IDS that specifically targets Zeus malware. The implementation of Cronus has been experimentally tested on a production network, and its high quality performance and effectiveness are discussed. Finally, we highlight some principles underlying malware—and Zeus in particular—that could pave the way for further investigation in this field.

2.
In the vision of both researchers and standardization committees, networks and services will evolve in the direction of increasing pervasiveness, convergence, and quality of service management capability. Consequently, users will gain an increasing dependency on the presence and availability of network connectivity and the huge plethora of provided services. Yet fostering the development of our society, such dependency on a relatively young technology poses serious threats, especially from the trustworthiness, security and privacy point of view. In this paper, we will describe and critically evaluate user behavior clustering aimed at monitoring and assuring the security of NGN-based applications. Different models of user behavior, developed within both ISP and academic research projects will be described, and several techniques for manipulating and exploiting such model for the anomaly detection purpose will be described and evaluated.

3.
While the popularity of electronic transactions brings convenience to users, the privacy-protection and security problems exposed during transaction payment are challenged to varying degrees. To address this problem, a secure electronic transaction protocol is proposed. In the protocol, an optimized signcryption algorithm guarantees the security of the transaction; at the same time, the payment service provider has a de-anonymization capability, so that accountability can be enforced while still protecting user privacy. Performance analysis shows that, while improving communication performance, the protocol satisfies message confidentiality and non-repudiation, buyer anonymity and traceability, and fairness of the electronic transaction.

4.
Recent theoretical and practical studies have revealed that malware is one of the most harmful threats to the digital world. Malware mitigation techniques have evolved over the years to ensure security. Earlier, several classical methods were used for detecting malware embedded with various features like the signature, heuristic, and others. Traditional malware detection techniques were unable to defeat new generations of malware and their sophisticated obfuscation tactics. Deep Learning is increasingly used in malware detection as DL-based systems outperform conventional malware detection approaches at finding new malware variants. Furthermore, DL-based techniques provide rapid malware prediction with excellent detection rates and analysis of different malware types. Investigating recently proposed Deep Learning-based malware detection systems and their evolution is hence of interest to this work. It offers a thorough analysis of the recently developed DL-based malware detection techniques. Furthermore, current trending malware is studied and detection techniques for Mobile malware (both Android and iOS), Windows malware, IoT malware, Advanced Persistent Threats (APTs), and Ransomware are precisely reviewed.

5.
In this paper, we propose two joint network-host based anomaly detection techniques that detect self-propagating malware in real-time by observing deviations from a behavioral model derived from a benign data profile. The proposed malware detection techniques employ perturbations in the distribution of keystrokes that are used to initiate network sessions. We show that the keystrokes' entropy increases and the session-keystroke mutual information decreases when an endpoint is compromised by a self-propagating malware. These two types of perturbations are used for real-time malware detection. The proposed malware detection techniques are further compared with three prominent anomaly detectors, namely the maximum entropy detector, the rate limiting detector and the credit-based threshold random walk detector. We show that the proposed detectors provide considerably higher accuracy with almost 100% detection rates and very low false alarm rates.

6.
杨波 (Yang Bo), 李顺东 (Li Shundong). Journal of Computer Applications (计算机应用), 2014, 34(9): 2635-2638
To address privacy and security problems in electronic transactions, an electronic transaction scheme that protects user privacy is proposed. The scheme combines an oblivious transfer protocol with ElGamal signatures to achieve privacy for both parties in an electronic transaction. The user selects goods by serial number and pays the bank anonymously; the bank sends the digital signature of the goods to the user, and the user uses that digital signature to interact obliviously with the merchant. The key is obtained by exponentiation-based encryption of the serial number, so the merchant does not know which digital goods the user ordered, and the concealment and binding properties of the serial number mean the user cannot open a message under a serial number that was not selected: the user obtains the ordered digital goods and nothing else. The correctness proof and security analysis show that the scheme protects the interaction information of both parties during the electronic transaction and prevents malicious fraud by the merchant. The scheme has short signatures, low computation, dynamically changing keys and strong security.

7.
Ebringer T., Thorne P., Zheng Y. Computer, 2000, 33(10): 54-60
The electronic wallet (e-wallet), a handheld computer that consolidates a user's personal items, stores vital information and facilitates financial transactions, has received much attention lately. It promises to consolidate many of the personal items carried around by the modern individual: wallet, phone, pager, diary and keys. In fact, Nokia's 9001 Communicator already combines the phone, pager and diary into one unit. The question arises, however, as to how to provide user authentication. Traditional protection mechanisms require users to enter a PIN or password every time they wish to perform a transaction. More sophisticated techniques include using a biometric device, such as a fingerprint scanner, which is integrated into the e-wallet. Both of these options have disadvantages. Usability problems due to authentication are a significant barrier to the adoption of e-wallets. How can an e-wallet guarantee security without being cumbersome? In this article, the authors present some uses of existing protocols whereby a concealable, wireless and portable device can temporarily act as an authentication proxy for the user. The e-wallet then becomes a parasite - feeding off the small device for required authentication and identification information. Parasitic authentication attempts to provide handheld computers with security without reducing convenience.

8.
9.
5G edge computing provides services close to the user side, and the edge side aggregates users' sensitive information, so illegal access by users, or malicious behaviour by legitimate users themselves, threatens the security of the entire edge network. Applying machine learning algorithms to the edge computing architecture, a behaviour-based user anomaly detection scheme is proposed. User behaviour is modelled; one-hot encoding and mutual information are used for data preprocessing and feature selection; and an extreme gradient boosting algorithm is used to train a multi-class classifier that identifies users entering the campus, with a user judged anomalous when the identification result does not match the user's claimed identity. On this basis, an isolation forest model is trained on the historical behaviour data of authorized users to detect whether the behaviour of trusted users is anomalous, thereby identifying unauthorized users within a small fixed campus and detecting anomalous behaviour by authorized users. Experimental results show that the scheme meets the time-complexity requirements of edge computing scenarios and can effectively distinguish different users, with a classification accuracy of 0.953 and a false positive rate of only 0.01 on anomalous behaviour samples.

10.
With the development of distributed computing, Hadoop has become the typical representative of large-scale data processing. Because its security mechanisms are relatively weak and it lacks monitoring of user activity, it is vulnerable to hidden security threats such as data leakage. Exploiting the characteristics of principal component analysis (PCA), the computation is parallelized on MapReduce, overcoming the drawbacks of conventional PCA and improving model training efficiency. An anomalous-behaviour detection method based on parallelized PCA is proposed, in which whether the current user's behaviour pattern matches the historical behaviour pattern serves as the criterion for judging whether user behaviour is anomalous. Experiments show that the method can discover anomalous user behaviour well.

11.
The essence of electronic payment is the online flow of electronic funds information, which must be strictly protected against security risks. Without cryptography there is no information system security. This paper focuses on the various cryptographic techniques used in electronic payment in the financial sector, including conventional symmetric cryptography, asymmetric cryptography, cryptographic hash functions, and the cryptographic techniques employed by digital certificates, OTP and the like. Applying these cryptographic techniques to electronic payment ensures the security of electronic transactions and guarantees the integrity, confidentiality, reliability, non-repudiation and auditability of transaction payment data.

12.
The purpose of this paper is to present an application of fuzzy logic to human reasoning about electronic commerce (e-commerce) transactions. This paper uncovers some of the hidden relationships between critical factors such as security, familiarity, design, and competitiveness. We analyze the effect of these factors on the human decision process and how they affect the Business-to-Consumer (B2C) outcome when they are used collectively. This research provides a toolset for B2C vendors to assess and evaluate a user's transaction decision process, and also an assisted reasoning tool for the online user.

13.
Existing host-based Intrusion Detection Systems use the operating system log or the application log to detect misuse or anomaly activities. These methods are not sufficient for detecting intrusion in the database systems. In this paper, we describe a method for detecting malicious activities in a database management system by using data dependency relationships. Typically, before a data item is updated in the database, some other data items are read or written. And after the update, other data items may also be written. These data items read or written in the course of update of a data item construct the read set, prewrite set, and the postwrite set for this data item. The proposed method identifies malicious transactions by comparing these sets with data items read or written in user transactions. We have provided mechanisms for finding data dependency relationships among transactions and use Petri-Nets to model normal data update patterns at user task level. Using this method, we ascertain more hidden anomalies in the database log. Our simulation on synthetic data reveals that the proposed model can achieve desirable performance when both transaction and user task level intrusion detection methods are employed.

Yi Hu is a PhD candidate in the Computer Science and Computer Engineering Department at the University of Arkansas. His research interests are in Database Intrusion Detection, Database Damage Assessment, Data Mining, and Trust Management. Previously, he received the BS and MS degrees in Computer Science from Southwest Jiaotong University and the University of Arkansas, respectively.

Brajendra Panda received his MS degree in mathematics from Utkal University, India, in 1985 and PhD degree in computer science from North Dakota State University in 1994. He is currently an associate professor with the Computer Science and Computer Engineering Department at the University of Arkansas. His research interests include database systems, computer security, digital forensics, and information assurance. He has published over 60 research papers in these areas.

14.
The rapid development of the Internet has driven the wide adoption of electronic commerce, but theft of user identities and the ease of tampering with electronic contracts seriously undermine the fairness and security of online electronic transactions. For a transacting party, the key problems to solve first are how to confirm that the counterparty's digital identity has not been impersonated, and how to confirm that the electronic contract was sent by the counterparty and has not been intercepted and tampered with. By combining user identity authentication, encrypted transmission of electronic contracts and the participation of a notary office, an electronic contract-signing service platform is designed that ensures the uniqueness of user identity, the integrity and tamper-resistance of transmitted data and the traceability of the signing process, achieving fairness and impartiality in the use of the platform.

15.
Credit card fraud costs consumers and the financial industry billions of dollars annually. However, there is a dearth of published literature on credit card fraud detection. In this study we employed transaction aggregation strategy to detect credit card fraud. We aggregated transactions to capture consumer buying behavior prior to each transaction and used these aggregations for model estimation to identify fraudulent transactions. We use real-life data of credit card transactions from an international credit card operation for transaction aggregation and model estimation.

16.
At present there are few detection methods targeting internal attacks and threats in database systems, and existing database anomaly detection schemes suffer from high overhead and low detection accuracy. To address this, density clustering and ensemble learning are fused, and a database anomaly detection method based on density clustering and ensemble learning is proposed. The OPTICS (Ordering Points To Identify the Clustering Structure) density clustering algorithm is used to cluster the database SQL operation logs generated by users; by analysing the attributes of the SQL statements, anomalous user behaviour is extracted to form prior knowledge. Bagging, Boosting and Stacking are combined into an ensemble learning model which, taking the prior knowledge produced by OPTICS clustering as its basis, further analyses user behaviour and builds a user behaviour feature library. Based on this feature library, user behaviour is checked. The detailed construction process of the scheme is given, including data preprocessing, training, establishment of the learning model and anomaly detection; tests on relevant experimental data show that the scheme detects anomalous database behaviour with high efficiency and outperforms comparable schemes in accuracy.

17.
In research on Web security, how to improve the detection efficiency of Web malicious code has long been a problem that Web malicious code detection methods need to solve. To this end, targeting the detection of cross-site scripting vulnerabilities, ActiveX control vulnerabilities and Web shellcode, a Web malicious code detection mechanism based on behavioural semantic analysis is proposed. By analysing the behaviour and semantics of the above vulnerabilities, behavioural features are extracted, and a Web client-side script parsing engine and a Web shellcode detection engine are built, achieving correct detection of cross-site scripting vulnerabilities, ActiveX control vulnerabilities, Web shellcode and the like, as well as forensic capture of Web shellcode attack behaviour. Experimental analysis shows that the new Web malicious code detection mechanism has strong detection capability and a low miss rate.

18.
Current anti-malware tools have proved to be insufficient in combating ever-evolving malware attacks and vulnerability exploits due to inevitable vulnerabilities present in the complex software used today. In addition, the performance penalty incurred by anti-malware tools is magnified when security approaches designed for desktops are migrated to modern mobile devices, such as tablets and laptops, due to their relatively limited processing capabilities and battery capacities. In this paper, we propose a fine-grained anomaly detection defense framework that offers a cost-efficient way to detect malicious behavior and prevent vulnerability exploits in resource-constrained computing platforms. In this framework, a trusted third party (e.g., the publisher) first tests a new application by running it in a heavily monitored testing environment that emulates the target system and extracts a behavioral model from its execution paths. Extensive security policies are enforced during this process. In case of a violation, the program is denied release to the user. If the application passes the tests, the user can download the behavioral model along with the tested application binary. At run-time, the application is monitored against the behavioral model. In the unlikely event that a new execution path is encountered, conservative but lightweight security policies are applied. To reduce overhead at the user end, the behavioral model may be further reduced by the publisher through static analysis. We have implemented the defense framework using a netbook with the Intel Atom processor and evaluated it with a suite of 51 real-world Linux viruses and malware. Experiments demonstrate that our tool achieves a very high coverage (98%) of considered malware and security threats. The four antivirus tools we compare our tool against were found to have poor virus coverage, especially of obfuscated viruses. By removing safe standard library blocks from the behavioral model, we reduce the model size by 8.4× and the user's run-time overhead by 23%.

19.
In the era of electronic and mobile commerce, massive numbers of financial transactions are conducted online on a daily basis, which has created potential fraudulent opportunities. A common fraudulent activity that involves creating a replica of a trustful website to deceive users and illegally obtain their credentials is website phishing. Website phishing is a serious online fraud, costing banks, online users, governments, and other organisations severe financial damages. One conventional approach to combat phishing is to raise awareness and educate novice users on the different tactics utilised by phishers by conducting periodic training or workshops. However, this approach has been criticised for being not cost effective as phishing tactics are constantly changing, besides it may require high operational cost. Another anti-phishing approach is to legislate or amend existing cyber security laws that prosecute online fraudsters without minimising its severity. A more promising anti-phishing approach is to prevent phishing attacks using intelligent machine learning (ML) technology. Using this technology, a classification system is integrated in the browser in which it will detect phishing activities and communicate these with the end user. This paper reviews and critically analyses legal, training, educational and intelligent anti-phishing approaches. More importantly, ways to combat phishing by intelligent and conventional approaches are highlighted, besides revealing these approaches' differences, similarities and positive and negative aspects from the user and performance perspective. Different stakeholders such as computer security experts, researchers in web security as well as business owners may likely benefit from this review on website phishing.

20.
The malicious code problem poses a serious threat to national security. With the rapid spread of the TLS protocol, malicious code is trending toward encrypted traffic, and the encryption of communication content makes detection even harder. This paper proposes StealthyFlow, a malicious-code traffic disguise framework that combines a GAN with public-resource malicious code that uses encrypted traffic for remote-control communication, disguising the malicious traffic without affecting its attack functionality, with the aim of making the disguised adversarial traffic and benign traffic...
