Similar documents
20 similar documents found.
1.
朱俚治, 《应用声学》 (Applied Acoustics) 2016, 24(3): 224-227
After studying existing malware detection algorithms, it was found that some detection algorithms can detect only one kind of malware, and that some traditional detection algorithms have a high miss rate when detecting malicious programs. To address the lack of comprehensive detection capability in current detection algorithms, this paper proposes a new detection algorithm that has a certain degree of comprehensive detection capability. The idea of the new algorithm is as follows: the first step distinguishes whether a piece of software is malicious or benign; if it is malicious, its signature is extracted, and a decision tree is then used to identify and classify the malware according to its signature; if some malware cannot be identified by its signature, a similarity calculation algorithm is used to compute the similarity of the unknown malware to the characteristics of viruses and worms; finally, a decision system decides, based on the result of the similarity calculation, whether the malware is a virus or a worm. The innovation of this paper lies in applying the similarity calculation algorithm, the decision tree and the decision system within a malware detection algorithm.

2.
With the popularity of Android, malware detection and family classification have also become a research focus. Many excellent methods have been proposed by previous authors, but static and dynamic analyses inevitably require complex processes. A hybrid analysis method for detecting Android malware and classifying malware families is presented in this paper, and is partially optimized for multiple-feature data. For static analysis, we use permissions and intent as static features and use three feature selection methods to form a subset of three candidate features. Compared with various models, including k-nearest neighbors and random forest, random forest is the best, with a detection rate of 95.04%, while the chi-square test is the best feature selection method. After using feature selection to explore the critical static features contained in this dataset, we analyzed a subset of important features to gain more insight into the malware. In a dynamic analysis based on network traffic, unlike those that focus on a one-way flow of traffic and work on HTTP protocols and transport layer protocols, we focused on sessions and retained protocol layers. The Res7LSTM model is then used to further classify the malicious and partially benign samples detected in the static detection. The experimental results show that our approach can not only work with fewer static features and guarantee sufficient accuracy, but also improve the detection rate of Android malware family classification from 71.48% in previous work to 99% when cutting the traffic in terms of the sessions and protocols of all layers.

3.
Malicious software utilizes the HTTP protocol for communication purposes, creating network traffic that is hard to identify as it blends into the traffic generated by benign applications. To this aim, fingerprinting tools have been developed to help track and identify such traffic by providing a short representation of malicious HTTP requests. However, currently existing tools do not analyze all information included in the HTTP message, or analyze it insufficiently. To address these issues, we propose Hfinger, a novel malware HTTP request fingerprinting tool. It extracts information from the parts of the request such as the URI, protocol information, headers, and payload, providing a concise request representation that preserves the extracted information in a form interpretable by a human analyst. For the developed solution, we have performed an extensive experimental evaluation using real-world data sets, and we also compared Hfinger with the most related and popular existing tools such as FATT, Mercury, and p0f. The conducted effectiveness analysis reveals that on average only 1.85% of requests fingerprinted by Hfinger collide between malware families, which is 8–34 times lower than existing tools. Moreover, unlike these tools, in default mode Hfinger does not introduce collisions between malware and benign applications, and achieves this by increasing the number of fingerprints by at most 3 times. As a result, Hfinger can effectively track and hunt malware by providing more unique fingerprints than other standard tools.

4.
Recently, there has been a huge rise in malware growth, which creates a significant security threat to organizations and individuals. Despite the incessant efforts of cybersecurity research to defend against malware threats, malware developers discover new ways to evade these defense techniques. Traditional static and dynamic analysis methods are ineffective in identifying new malware and pose high overhead in terms of memory and time. Typical machine learning approaches that train a classifier based on handcrafted features are also not sufficiently potent against these evasive techniques and require more effort due to feature engineering. Recent malware detectors show performance degradation due to class imbalance in malware datasets. To resolve these challenges, this work adopts a visualization-based method, where malware binaries are depicted as two-dimensional images and classified by a deep learning model. We propose an efficient malware detection system based on deep learning. The system uses a reweighted class-balanced loss function in the final classification layer of the DenseNet model to achieve significant performance improvements in classifying malware by handling imbalanced data issues. Comprehensive experiments performed on four benchmark malware datasets show that the proposed approach can detect new malware samples with higher accuracy (98.23% for the Malimg dataset, 98.46% for the BIG 2015 dataset, 98.21% for the MaleVis dataset, and 89.48% for the unseen Malicia dataset) and reduced false-positive rates when compared with conventional malware mitigation techniques, while maintaining low computational time. The proposed malware detection solution is also reliable and effective against obfuscation attacks.

5.
Android is the most popular mobile operating system, making it the main target of malware attacks. Machine learning-based attack detection techniques have recently emerged as promising methods that rely heavily on particular features to classify malware. Although machine learning-based malware detectors have hundreds of features, attackers can use feature-related expertise to generate malware variants that avoid detection. Therefore, the Android security team must constantly develop novel features to detect suspicious attacks. This paper proposes a novel malware detection method called Droid-MCFG that combines the Android features of the manifest and the Control Flow Graph (CFG). First, reverse engineering tools are used to mine manifest files and Java source code from the Android Package Kit (APK). Second, to represent Android apps with elevated features, we develop a feature selection method that retrieves API calls and API sequences from CFGs. The API calls and manifest information are then combined to produce digital fingerprints of Android app actions. Third, a transfer learning approach based on word2vec is developed to extract trained features from the digital fingerprints. To thoroughly analyze the novel features, word2vec is fine-tuned with random, static, and dynamic strategies. Finally, a multi-head Temporal Convolutional Network (TCN) is designed to identify malware based on the fine-tuned features. The TCN employs causal convolutions and dilations, which give it temporality and broad receptive fields, making it very responsive to API-call sequences and malware activities in the manifest file. The proposed method achieves a classification accuracy of 96.24% on the CICInvesAndMal2019 dataset.

6.
An e-epidemic model of malicious codes in a computer network through vertical transmission is formulated. We have observed that if the basic reproduction number is less than unity, the infected proportion of computer nodes disappears and the malicious codes die out; moreover, the malicious-code-free equilibrium is globally asymptotically stable, which leads to their eradication. The effect of anti-virus software on the removal of malicious codes from the computer network is critically analyzed. Analysis and simulation results show some managerial insights that are helpful for the practice of anti-virus in information sharing networks.

7.
Malware detection is in a coevolutionary arms race where the attackers and defenders are constantly seeking advantage. This arms race is asymmetric: detection is harder and more expensive than evasion. White hats must be conservative to avoid false positives when searching for malicious behaviour. We seek to redress this imbalance. Most of the time, black hats need only make incremental changes to evade them. On occasion, white hats make a disruptive move and find a new technique that forces black hats to work harder. Examples include system calls, signatures and machine learning. We present a method, called Hothouse, that combines simulation and search to accelerate the white hat's ability to counter the black hat's incremental moves, thereby forcing black hats to perform disruptive moves more often. To realise Hothouse, we evolve EEE, an entropy-based polymorphic packer for Windows executables. Playing the role of a black hat, EEE uses evolutionary computation to disrupt the creation of malware signatures. We enter EEE into the detection arms race with VirusTotal, the most prominent cloud service for running anti-virus tools on software. During our 6-month study, we continually improved EEE in response to VirusTotal, eventually learning a packer that produces packed malware whose evasiveness goes from an initial 51.8% median to 19.6%. We report both how well VirusTotal learns to detect EEE-packed binaries and how well VirusTotal forgets in order to reduce false positives. VirusTotal's tools learn and forget fast, in about 3 days. We also show where VirusTotal focuses its detection efforts, by analysing EEE's variants.

8.
Research on malware propagation in complex networks based on one-dimensional cellular automata (cited by 4: 0 self-citations, 4 citations by others)
宋玉蓉, 蒋国平, 《物理学报》 (Acta Physica Sinica) 2009, 58(9): 5911-5918
Based on one-dimensional cellular automata, the propagation behaviour of malware in complex networks is studied. Exploiting the global interaction of nodes in information networks, the cellular-automaton neighbourhood and state transition function are established, a malware propagation model is proposed, and the probabilistic behaviour of malware propagation under several network topologies is studied. The results show that the model accurately describes the propagation dynamics under topologies such as the nearest-neighbor coupled network (NC), the Erdos-Renyi (ER) random network, the Watts-Strogatz (WS) small-world network and the Barabasi-Albert (BA) power-law network. It reflects not only the average trend of malware propagation but also rare probabilistic events such as virus extinction and percolation, effectively overcoming the limitation of differential-equation models built on the mean-field method, which reflect only the average trend of propagation and are suited only to overall prediction. The study also points out that the heterogeneity of the network's degree distribution and the local spatial interaction characteristics of the network are the key factors affecting propagation and immunization behaviour. Keywords: complex networks; malware propagation; cellular automata; state transition function

9.
A fundamental part of a computational system is its memory, which is used to store and retrieve data. Classical computer memories rely on the static approach and are very different from human memories. Neural network memories are based on auto-associative attractor dynamics and thus provide a high level of pattern completion. However, they are not used in general computation since there are practically no algorithms to load an arbitrary landscape of attractors into them. In this sense neural network memory models cannot communicate well with symbolic and prior knowledge. We propose the design of a new memory based on localist attractor dynamics with reconsolidation, called the Reconsolidation Attractor Network (RAN). RAN combines symbolic and subsymbolic features in a very attractive way: it is based on attractors; it enables pattern classification under missing data; and it demonstrates dynamic reconsolidation, which is very useful for tracking changing concepts. The perception RAN enables is somewhat reminiscent of human perception due to its context sensitivity. Furthermore, it enables an immediate and clear interface with symbolic memories, including loading of attractors by means of trivial wiring, updating attractors, and retrieving them faster without waiting for full convergence. It also scales to any number of concepts. This provides a useful counterpoint to more conventional memory systems, such as random access memory and auto-associative neural networks.

10.
The use of multiple angle acoustic scatter to discriminate between two taxa of fluid-like zooplankton, copepods and euphausiids, is explored. Using computer modeling, feature extraction, and subsequent classification, the accuracy in discriminating between the two taxa is characterized via computer simulations. The model applies the distorted wave Born approximation together with a simple system geometry, a linear array, to predict a set of noisy training and test data. Three feature spaces are designed, exploiting the relationship between the shape of the scatterer and angularly varying scattering amplitude, to extract discriminant features from these data. Under the assumption of uniform random length and uniform three-dimensional orientation distributions for each class of scatterers, the performance of several classification algorithms is evaluated. Simulations reveal that the incorporation of multiple angle data leads to a marked improvement in classification performance over single angle methods. The improvement is more substantial using broadband scatter. The simulations indicate that under the stated assumptions, a low classification error can be obtained. The use of multiple angle scatter therefore holds promise to substantially improve the in situ acoustic classification of fluid-like zooplankton using simple observation geometries.

11.
Android devices are currently widely used in many fields, such as automatic control, embedded systems, the Internet of Things and so on. At the same time, Android applications (apps) always use multiple permissions, and permissions can be abused by malicious apps that disclose users' privacy or breach the secure storage of information. FlowDroid has been extensively studied as a novel and highly precise static taint analysis for Android applications. Aiming at the problems of complex detection and false alarms in FlowDroid, an improved static detection method based on feature permissions and risk rating is proposed. Firstly, the chi-square test is used to extract permissions correlated with malicious apps, and mutual information is used to cluster the permissions into feature permission clusters. Secondly, a risk calculation method based on permissions and combinations of permissions is proposed to identify dangerous data flows. Experiments show that this method can significantly improve detection efficiency while maintaining the accuracy of dangerous data flow detection.

12.
刘文斌, 丁建锋, 寇云峰, 王梦寒, 宋滔, 《强激光与粒子束》 (High Power Laser and Particle Beams) 2019, 31(10): 103215-1-103215-5
The main goal of electromagnetic attack techniques against physically isolated (air-gapped) networks is to establish a covert connection channel to the external Internet. In recent years, methods and tools for crossing air-gapped networks have been disclosed one after another, and corresponding analysis methods and detection techniques have gradually been proposed by security teams at home and abroad. Mastering vulnerabilities is the way to seize the initiative in network security; by analogy with network security vulnerabilities, an electromagnetic vulnerability is defined as an electromagnetic factor that can cause damage to a device or system. Taking air-gapped networks as an example, electromagnetic vulnerabilities mainly refer to hardware and system defects of the network that can be used, directly or by implanting malware, to establish covert channels for sending and receiving information through electromagnetic signals that break through the physical isolation. Through extensive vulnerability mining and verification, a classification method for electromagnetic vulnerabilities of air-gapped networks is proposed in terms of physical signal type, direction of information transfer, signal generation and action mechanism, mode of vulnerability exploitation and vulnerability detection method; by drawing on research methods from the fields of network security vulnerabilities, electromagnetic information security testing and air-gap covert channels, a research method for electromagnetic vulnerabilities is proposed; and from the perspectives of deepening active detection, crowd-sourced vulnerability mining, integration of network and electromagnetic security, and big-data monitoring, a method for building an electromagnetic vulnerability database for air-gapped networks is proposed.

13.
To ensure the security and confidentiality of computers and their users' information, and to extend the service life of computers, intelligent security monitoring of computers is needed. However, current computer security monitoring techniques set no specific security monitoring indicators and cannot calculate the weights of non-security factors in computer security monitoring, so the computer network may leak secrets on its own, intelligent monitoring is impossible, and the monitoring data has large errors. Therefore, information network technology is applied to intelligent computer security monitoring, and a Linux-based intelligent computer security monitoring method is proposed. The method first classifies the non-security factors of the computer, including the computer's network configuration, its built-in system, and network viruses. The hardware of the intelligent security monitor is then built around an Altera EPM7128S chip, and the software part is designed with a CPLD structure according to the classification of non-security factors; the software design applies a method for suppressing distortion attenuation in intelligent security monitoring to realise remote intelligent security monitoring of computers. Finally, the Delphi method is used to build an evaluation index system for the overall operating state of the monitoring network environment, giving probability estimates for large-scale security monitoring factors that cannot be analysed quantitatively, and the risk of intelligent computer security monitoring is evaluated on the basis of these estimates, thus realising intelligent monitoring of computer security. Simulation experiments show that the proposed method improves the comprehensiveness and efficiency of intelligent computer security monitoring and reduces the packet loss rate of its data transmission.

14.
To study the recognition of traffic-police gestures in computer-assisted driving systems, a laboratory simulation system with a virtual driving scene was built. A Microsoft Kinect device is used to capture human skeleton data, features are extracted through an empirical model, and pattern recognition is used to classify the traffic-police gesture signals; Unity's Unity3D software is used for the three-dimensional reconstruction of the virtual driving scene. System tests show that gesture recognition with Kinect responds quickly and with high accuracy, and that using Unity as the development platform for the virtual driving scene is convenient and fast; the combination is well suited to building a simulation environment for vision-based assisted driving systems.

15.
宋玉蓉, 蒋国平, 《物理学报》 (Acta Physica Sinica) 2010, 59(2): 705-711
The propagation behaviour of malware in scale-free networks is studied while taking into account differences in the nodes' resistance to attack. Based on cellular automaton theory, a malware propagation model in which nodes differ in their susceptibility to attack is established. A vulnerability function is defined to describe the differing attack resistance of nodes of different degree, which makes the model more general. The influence of different forms of the vulnerability function on the propagation threshold and the time evolution of malware in scale-free networks is studied. The results show that differences in node attack resistance have an important influence on propagation behaviour, for example by changing the propagation threshold and slowing down propagation. The study points out that the vulnerability function is an important basis for choosing a suitable immunization strategy for a network.

16.
This paper considers the problem of cooperative spectrum sensing in cognitive radio networks (CRN). Communication in CRNs may be disrupted due to the presence of malicious secondary users (SU) or channel impairments such as shadowing. This paper proposes a spatio-frequency framework that can detect and track malicious users and anomalous measurements in CRNs. The joint problem of spectrum sensing and malicious user identification is posed as an optimization problem that aims to exploit the sparsity inherent to both spectrum occupancy and malicious user occurrence. The proposed scheme obtains improved performance by utilizing node location information, and can handle missing or inaccurate location information and noisy SU reports. A distributed block-coordinate descent-based algorithm is proposed that is shown to outperform the state-of-the-art PCA-based approach, and is flexible enough to defeat a variety of attacks encountered in SU networks. An online algorithm that can incorporate multiple SU readings sequentially and adapt to time-varying channels, primary user activity, and malicious user activity is also proposed and shown to be consistent. Simulation results demonstrate the efficacy of the proposed algorithms.

17.
We present a new decentralized classification system based on a distributed architecture. This system consists of distributed nodes, each possessing its own dataset and computing modules, along with a centralized server, which provides probes for classification and aggregates the responses of the nodes for a final decision. Each node, with access to its own training dataset of a given class, is trained based on an auto-encoder system consisting of a fixed data-independent encoder, a pre-trained quantizer and a class-dependent decoder. Hence, these auto-encoders are highly dependent on the class probability distribution for which the reconstruction distortion is minimized. Conversely, when an encoding–quantizing–decoding node observes data from different distributions, unseen at training, there is a mismatch, and such a decoding is not optimal, leading to a significant increase of the reconstruction distortion. The final classification is performed at the centralized classifier, which votes for the class with the minimum reconstruction distortion. In addition to the system's applicability to applications facing big-data communication problems and/or requiring private classification, the above distributed scheme creates a theoretical bridge to the information bottleneck principle. The proposed system demonstrates very promising performance on basic datasets such as MNIST and FashionMNIST.

18.
Insider threats are malicious acts that can be carried out by an authorized employee within an organization. Insider threats represent a major cybersecurity challenge for private and public organizations, as an insider attack can cause far more extensive damage to organization assets than external attacks. Most existing approaches in the field of insider threats focus on detecting general insider attack scenarios. However, insider attacks can be carried out in different ways, and the most dangerous one is a data leakage attack that can be executed by a malicious insider before leaving an organization. This paper proposes a machine learning-based model for detecting such serious insider threat incidents. The proposed model addresses the possible bias of detection results that can occur due to an inappropriate encoding process by employing feature scaling and one-hot encoding techniques. Furthermore, the imbalance issue of the utilized dataset is also addressed using the synthetic minority oversampling technique (SMOTE). Well-known machine learning algorithms are employed to find the most accurate classifier for detecting data leakage events executed by malicious insiders during the sensitive period before they leave an organization. We provide a proof of concept for our model by applying it to the CMU-CERT Insider Threat Dataset and comparing its performance with the ground truth. The experimental results show that our model detects insider data leakage events with an AUC-ROC value of 0.99, outperforming the existing approaches that are validated on the same dataset. The proposed model provides effective methods to address possible bias and class imbalance issues for the aim of devising an effective insider data leakage detection system.

19.
Stellar spectral classification is a hot topic in astronomy research. With the rapid increase in the number of observed spectra, traditional manual classification cannot meet practical needs, and automated techniques, especially data mining algorithms, are urgently needed to classify stellar spectra automatically. Data mining algorithms such as association rules, neural networks and self-organizing networks have been widely applied to stellar spectral classification. Among them, the support vector machine (SVM) has outstanding classification ability and is widely used for stellar spectral classification. The method tries to find an optimal separating surface between the two classes of samples. It has high time complexity and limited computational efficiency. The twin support vector machine (TWSVM) effectively solves the efficiency problem faced by SVM. It separates the two classes by constructing two non-parallel separating surfaces, each class lying close to one surface and far from the other. The computational efficiency of TWSVM is nearly four times that of the traditional SVM, so TWSVM has received continued attention from researchers since it was proposed. However, when making classification decisions the above methods neither take the distribution characteristics of the data into account nor resist the influence of noise points and outliers well, so classification efficiency is hard to improve significantly. In view of this, a fuzzy twin support vector machine that fuses data distribution features (TWSVM-SDP) is proposed on the basis of the twin support vector machine. The method introduces the between-class and within-class scatter of linear discriminant analysis (LDA) to characterise the distribution of the spectral data, and introduces a fuzzy membership function to reduce the influence of noise points and outliers on the classification results. Comparative experiments on the SDSS DR8 stellar spectral dataset show that, compared with traditional classification methods such as SVM and TWSVM, TWSVM-SDP has better classification ability. The method also has certain limitations, a major one being that it cannot handle massive spectral data. Future work will use big-data processing technology to further study the adaptability of the proposed method in a big-data environment.

20.
Functional magnetic resonance imaging (fMRI) is becoming a forefront brain–computer interface tool. To decipher brain patterns, fast, accurate and reliable classifier methods are needed. The support vector machine (SVM) classifier has been traditionally used. Here we argue that state-of-the-art methods from pattern recognition and machine learning, such as classifier ensembles, offer more accurate classification. This study compares 18 classification methods on a publicly available real data set due to Haxby et al. [Science 293 (2001) 2425–2430]. The data comes from a single-subject experiment, organized in 10 runs where eight classes of stimuli were presented in each run. The comparisons were carried out on voxel subsets of different sizes, selected through seven popular voxel selection methods. We found that, while SVM was robust, accurate and scalable, some classifier ensemble methods demonstrated significantly better performance. The best classifiers were found to be the random subspace ensemble of SVM classifiers, rotation forest and ensembles with random linear and random spherical oracle.
