Chia-Mei Chen

Malicious web content detection by machine learning

The recent development of the dynamic HTML gives attackers a new and powerful technique to compromise computer systems. A malicious dynamic HTML code is usually embedded in a normal webpage. The malicious webpage infects the victim when a user browses it. Furthermore, such DHTML code can disguise itself easily through obfuscation or transformation, which makes the detection even harder. Anti-virus software packages commonly use signature-based approaches which might not be able to efficiently identify camouflaged malicious HTML codes. Therefore, our paper proposes a malicious web page detection using the technique of machine learning. Our study analyzes the characteristic of a malicious webpage systematically and presents important features for machine learning. Experimental results demonstrate that our method is resilient to code obfuscations and can correctly determine whether a webpage is malicious or not.

A new framework for mobile Web services

The goal of the paper is to propose a way to make Web services more convenient and efficient to use. We develop an architecture that integrates mobile agents with Web services to achieve the goal. We first survey the key technologies, which are adopted in the paper. Next, we introduce our mobile Web service framework and describe how we take advantage of the location information in the Web service. Finally, we give an example to illustrate a typical scenario in which a mobile user receives Web services from our proposed platform.

An efficient network intrusion detection

Exploit code based on system vulnerability is often used by attacker. Such exploit program often sends attack packets in the first few packets. A Lightweight Network Intrusion Detection system (LNID) is proposed for detecting such attacks on Telnet traffic. It characterizes normal traffic behavior and computes the anomaly score of a packet based on the deviation from the normal behavior. Instead of processing all traffic packets, an efficient filtering scheme proposed in the study can reduce system workload and only 0.3% of the original traffic volume is examined for anomaly. According to the performance comparisons with other network-based IDS, LNID is the most efficient on detection rate and workload reduction.

Ant-based IP traceback

The denial-of-service (DoS) attacks with the source IP address spoofing techniques has become a major threat to the Internet. An intrusion detection system is often used to detect DoS attacks and to coordinate with the firewall to block them. However, DoS attack packets consume and may exhaust all the resources, causing degrading network performance or, even worse, network breakdown. A proactive approach to DoS attacks is allocating the original attack host(s) issuing the attacks and stopping the malicious traffic, instead of wasting resources on the attack traffic. In this paper, an ant-based traceback approach is proposed to identify the DoS attack origin. Instead of creating a new type or function or processing a high volume of fine-grained data used by previous research, the proposed traceback approach uses flow level information to identify the origin of a DoS attack. Two characteristics of ant algorithm, quick convergence and heuristic, are adopted in the proposed approach on finding the DoS attack path. Quick convergence efficiently finds out the origin of a DoS attack; heuristic gives the solution even though partial flow information is provided by the network. The proposed method is evaluated through simulation on various network environments and two simulated real networks, NSFNET and DFN. The simulation results show that the proposed method can successfully and efficiently find the DoS attack path in various simulated network environments, with full and partial flow information provided by the networks.

A collaborative anti-spam system

Growing volume of spam mails has generated a need for a precise anti-spam filter detecting unsolicited emails. Most works only focus on spam rule generation on a standalone mail server. This paper presents a collaborative framework on spam rule generation, exchange and management. The spam filter can be built based on the mixture of rough set theory, genetic algorithm, and reinforcement learning. In this paper, we use rough set theory to generate spam rules and XML format for exchanging spam rules. The spam rule management is achieved by reinforcement learning approach. The results of experiment draw the following conclusion: (1) Rule management can keep high performance rules and discard out-of-date rules to improve the accuracy and efficiency of spam filter. (2) Rules exchanged among mail servers indeed help the spam filter block more spam messages than standalone one.

An optimal new-node placement to enhance the coverage of wireless sensor networks

Wireless sensor networks provide a wide range of applications, such as environment surveillance, hazard monitoring, traffic control, and other commercial or military applications. The quality of service provided by a sensor network relies on its coverage, i.e., how well an event can be tracked by sensors. This paper studies how to optimally deploy new sensors in order to improve the coverage of an existing network. The best- and worst-case coverage problems that are related to the observability of a path are addressed and formulated into computational geometry problems. We prove that there exists a duality between the two coverage problems, and then solve the two problems together. The presented placement algorithm is shown to deploy new nodes optimally in polynomial time.

An Alliance-Based Anti-spam Approach

The growing problem of spam mails has generated a need for reliable anti-spam filters. Much work has been done to improve specific algorithms for the task of detecting spam, but less work has been report on leveraging multiple algorithms in spam mails analysis. We presents an alliance-based approach to classify, discovery and exchange interesting information on spam mails. The spam filter is built based on the mixture of rough set theory, genetic algorithm and XCS classifier system. The filtering results of spam mails by alliance-based approach are evaluated with several metrics, the performance is great. Two main conclusions can be drawn from this paper: (1). The rules exchanged from other mail servers indeed help the spam filter blocking more spam mails than before. (2). A combination of several algorithms improves accuracy and reduces false positives for the problem of spam detection.

Node placement for optimal coverage in sensor networks

Wireless sensor networks provide an alternative way of improving our environments, such as environment surveillance, hazard monitoring, and other customized environmental applications. Good coverage of service in a sensor network is an essential issue to ensure the service of quality. This paper studies the deployment of new sensor nodes so that the improvement of coverage is optimized. We propose an optimal polynomial time algorithm for this problem. Based on computational geometry and graph theory, we show the properties of such a deployment and the correctness of its optimality

Scheduling an overloaded real-time system

The real-time systems differ from the conventional systems in that every task in the real-time system has a timing constraint. Failure to execute the tasks under the timing constraints may result in fatal errors. Sometimes, it may be impossible to execute all the tasks in the task set under their timing constraints. Considering a system with limited resources, one solution to handle the overload problem is to reject some of the tasks in order to generate a feasible schedule for the rest. In this paper, we consider the problem of scheduling a set of tasks without preemption in which each task is assigned criticality and weight. The goal is to generate an optimal schedule such that all of the critical tasks are scheduled and then the non-critical tasks are included so that the weight of rejected non-critical tasks is minimized. We consider the problem of finding the optimal schedule in two steps. First, we select a permutation sequence of the task set. Secondly, a pseudopolynomial algorithm is proposed to generate an optimal schedule for the permutation sequence. If the global optimal is desired, all permutation sequences have to be considered. Instead, we propose to incorporate the simulated annealing technique to deal with the large search space. Our experimental results show that our algorithm is able to generate near optimal schedules for the task sets in most cases while considering only a limited number of permutations.

Web botnet detection based on flow information

Botnets are a combination of cyber attack, infection, and dissemination, and they become one of the most severe threats on the Internet. Cross the Internet, the infected host might launch any kind of attacks such as DDoS (Distributed Denial-of-Service) or Phishing. Comparing with botnets using other command-and-control (C&C) channels, web-based botnets are difficult to detect, because the C&C messages of web botnet are spread over HTTP protocol hiding behind normal flows. Most previous work tackles IRC-based botnet detection, while this study analyzes web botnet behaviors and develops a detection mechanism based on anomaly web flow traffic over an administrative network domain. Web bots exhibit routine and regular web connections which can be used to identify unusual web flow in a network. The experimental results show that the proposed approach can detect web botnets efficiently both in the simulated networks and a real campus network.