Determining malicious executable distinguishing attributes and low-complexity detection

Detection of rapidly evolving malware requires classification techniques that can effectively and efficiently detect zero-day attacks. Such detection is based on a robust model of benign behavior and deviations from that model are used to detect malicious behavior. In this paper we propose a low-complexity host-based technique that uses deviations in static file attributes to detect malicious executables. We first develop simple statistical models of static file attributes derived from the empirical data of thousands of benign executables. Deviations among the attribute models of benign and malware executables are then quantified using information-theoretic (Kullback-Leibler-based) divergence measures. This quantification reveals distinguishing attributes that are considerably divergent between benign and malware executables and therefore can be used for detection. We use the benign models of divergent attributes in cross-correlation and log-likelihood frameworks to classify malicious executables. Our results, using over 4,000 malicious file samples, indicate that the proposed detector provides reasonably high detection accuracy, while having significantly lower complexity than existing detectors.     

基于词性的文本挖掘算法在IDS日志中的应用

提出一种以词性为参考值的文本挖掘算法,能有效挖掘与种子词有关的关联规则。基于Bootstrapping算法思想,既减少了预处理阶段对于词根还原的依赖,能处理日志中出现的中文词汇。增加了对于日志文本上下的理解,提高了关联规则的有效性,并应用与IDS日志挖掘之中,有效改善挖掘效率,为规则库提供关联规则。     

A multi-strategy knowledge interoperability framework for heterogeneous learning objects

This paper presents a knowledge exchange framework that can leverage the interoperability among semantically heterogeneous learning objects. With the release of various e-Learning standards, learning contents and digital courses are easy to achieve cross-platform sharing, exchanging, and even reorganizing. However, knowledge sharing in semantic level is still a challenge due to that the learning materials can be presented in any form, such as audios, videos, web pages, and even flash files. The proposed knowledge exchange framework allows users to share their learning materials (also called “learning objects”) in semantic level automatically. This framework contains two methodologies: the first is a semantic mapping between knowledge bases (i.e. ontologies) which have essentially similar concepts, and the second is an ontology-based classification algorithm for sharable learning objects. The proposed algorithm adopts the IMS DRI standard and classifies the sharable learning objects from heterogeneous repositories into a local knowledge base by their inner meaning instead of keyword matching. Significance of this research lies in the semantic inferring rules for ontology mapping and learning objects classification as well as the full automatic processing and self-optimizing capability. Focused on digital learning materials and contrasted to other traditional technologies, the proposed approach has experimentally demonstrated significantly improvement in performance.     

A TCAM-based solution for integrated traffic anomaly detection and policy filtering

The survivability of the future Internet is largely dependent on whether it will be able to successfully address both security and performance issues facing the Internet. On one hand, the Internet becomes more and more vulnerable due to fast spreading malicious attacks. On the other hand, it is under great stress to meet ever growing/changing application demands while having to sustain multi-gigabit forwarding performance. In this paper, we propose a Ternary Content Addressable Memory (TCAM) coprocessor based solution for high speed, integrated TCP flow anomaly detection and policy filtering. The attacking packets with spoofed source IP addresses are detected through two-dimensional (2D) matching. The key features of the solution are: (1) setting flag bits in TCAM action code to support various packet treatments; (2) managing TCP flow state in pair to do 2D matching. We evaluate the solution’s ability to detect TCP-based flooding attacks based on real-world-trace simulations. The results show that the proposed solution can match up OC-192 line rate. The possible modifications of the solution for the detection of low rate TCP-targeted attacks are also discussed.     

Utility function of TCP

Understanding the TCP congestion control mechanism from a global optimization point of view is not only important in its own right, but also crucial to the design of other transport layer traffic control protocols with provable properties. In this paper, we derive a global utility function and the corresponding optimal control law, known as TCP control law, which maximizes the global utility. The TCP control law captures the essential behaviors of TCP, including slow start, congestion avoidance, and the binary nature of congestion feedback in TCP. We find that the utility function of TCP is linear in the slow start phase and is proportional to the additive increase rate and approaches the well-known logarithm function as the data rate becomes large in the congestion avoidance phase. We also find that understanding the slow start phase with a fixed threshold is critical to the design of new transport layer control protocols to enable quality of service features. Finally, as an application, we design a Minimum Rate Guaranteed (MRG) traffic control law that shares the same utility function as the TCP control law. Our simulation study of the MRG control law indicates that it is indeed TCP friendly and can provide minimum rate guarantee as long as the percentage of network resource consumed by the MRG flows is moderately small.     

An ERP software selection process with using artificial neural network based on analytic network process approach

An enterprise resource planning (ERP) software selection is known to be multi attribute decision making (MADM) problem. This problem has been modeled according with analytic network process (ANP) method due to fact that it considers criteria and sub criteria relations and interrelations in selecting the software.Opinions of many experts are obtained while building ANP model for the selection ERP then opinions are reduced to one single value by methods like geometric means so as to get desired results. To use ANP model for the selection of ERP for a new organization, a new group of expert’s opinions are needed. In this case the same problem will be in counter. In the proposed model, when ANP and ANN models are setup, an ERP software selection can be made easily by the opinions of one single expert. In that case calculation of geometric mean of answers that obtained from many experts will be unnecessary. Additionally the effect of subjective opinion of one single decision maker will be avoided. In terms of difficulty, ANP has some difficulties due to eigenvalue and their limit value calculation.An ANN model has been designed and trained with using ANP results in order to calculate ERP software priority. The artificial neural network (ANN) model is trained by results obtained from ANP. It seems that there is no any major difficulty in order to predict software priorities with trained ANN model. By this results ANN model has been come suitable for using in the selection of ERP for another new decision.     

基于CORBA框架的RPC包装集成技术

文章从分析系统集成策略对信息系统研究和发展的重要作用入手,阐述了建立通用一致应用系统集成框架的重要性,并给出基于ＣＯＲＢＡ规范的集成框架总体结构及实现策略;在此基础上实现了ＲＰＣ部件的包装集成,并对遇到的关键技术问题进行论述。     

一种基于模块化结构的大学英语四级MCAI系统实现方法研究

Authorware是一种优秀的多种媒体开发工具,能实现非常复杂的多媒体接入及程序流程控制,但在开发功能结构类似,信息资源丰富的模块时,还存在程序设计复复,代码重复量大,模块功能更改困难等问题,本文针对以上问题,在设计大学英国四级多媒体教学系统时,提出了一套基于模块化结构的大学英语四级MCAI教学软件的设计思想,并以听力部分为例,详细介绍了该部分各功能模块的实现。     

GENOTOXICITY IN CHIRONOMUS KIIENSIS (CHIRONOMIDAE: DIPTERA) AFTER EXPOSURE TO POLLUTED SEDIMENTS FROM RIVERS OF NORTH PENINSULAR MALAYSIA: IMPLICATION FOR ECOTOXICOLOGICAL MONITORING

Rapid industrialization and urbanization has led to increasing input of chemical contaminants into the aquatic environment of Malaysia. Despite the threat civilization poses to the biota, there are still very few relevant studies on ecotoxicological testing of river ecosystems. To overcome this knowledge gap, we examined lethal and genotoxic effects of sediments from different rivers of the northern Malaysia against Chironomus kiiensis, a group well represented in the aquatic fauna of this region. We exposed the larvae to sediments from Selama River (SR), Permatang Rawa River (PRR) and Kilang Ubi River (KUR) at various durations (0, 6, 12, 24 and 48 h). The larval mortality was monitored, whereas DNA damage in survivors' cells was determined using the comet assay. Pollution level indexed by the amounts of heavy metals and other organic contaminants in the sediment showed progressive increases from SR to PRR to KUR. Highly polluted sediments (PRR to KUR) were detrimental to C. kiiensis larvae, most of which did not survive following exposure for long periods. DNA analyses revealed greater damages in nuclei derived from larvae maintained on polluted sediments, in particular, those from KUR. The effects on the genomic material of C. kiiensis larvae occurred in a time‐dependent manner, with damage level increasing as exposure time progressed. Our results highlight the genotoxic properties of polluted sediments. More importantly, this study showed that C. kiiensis larvae could respond to different levels of pollution with respect to exposure time. It is concluded that C. kiiensis larvae is a potential candidate for river ecotoxicological monitoring. Copyright © 2012 John Wiley & Sons, Ltd.