Hu Changzhen
Beijing Institute of Technology
Publication
Featured research published by Hu Changzhen.
information assurance and security | 2009
Donghai Tian; Hu Changzhen; Yang Qi; Wang Jianqiao
Alert correlation is a promising technique in intrusion detection. It takes the alerts produced by intrusion detection systems and produces compact reports which provide a more succinct and high-level view of occurring or attempted intrusions and greatly improve security experts' work efficiency. Traditional alert correlation systems adopt a centralized architecture which can easily be flooded by raw alarms. To address this issue, a distributed alert correlation model based on a hierarchical architecture is proposed. This model greatly improves the performance of alert correlation by integrating three novel methods. The experiments show the effectiveness of this alert correlation model on the DARPA 2000 intrusion detection scenario-specific datasets.
Tsinghua Science & Technology | 2014
Hu Kangwen; Xue Jingfeng; Hu Changzhen; Ma Rui; Li Zhiqiang
ID-based constant-round group key agreement protocols are efficient in both computation and communication, but previous protocols did not provide valid message authentication. An improvement based on attack analysis is proposed in this paper. The improved method takes full advantage of the data transmitted at the various stages of the protocol. By guaranteeing the freshness of authentication messages, the authenticity of the generator of authentication messages, and the completeness of the authenticator, the improved protocol can resist various passive and active attacks. The forward secrecy of the improved protocol is proved under the Katz-Yung (KY) model. Compared with existing methods, the improved protocol is more effective and applicable.
world congress on intelligent control and automation | 2004
Yan Huaizhi; Hu Changzhen; Huimin Huimin
Uncertainty knowledge representation, reasoning and model complexity are the main difficulties in multi-sensor information intelligence fusion (MSIIF) systems. A fuzzy colored Petri net (FCPN) model is presented to solve these problems, and its operation mechanism is studied in detail. The FCPN model can effectively deal with uncertainty and fuzzy knowledge, especially fuzzy production rules in MSIIF. It makes the MSIIF reasoning process easier and more intuitive, and the MSIIF model complexity can be remarkably reduced. This is illustrated through FCPN applications to the network security surveillance system (NS³), which show superior performance. The technique is quite general and can be applied to other uncertainty information fusion systems or intelligent decision-making systems.
workshop on information security applications | 2017
Liao Wenzhe; Wang Qian; Wang Yu; Ren Jiadong; Cheng Yongqiang; Hu Changzhen
Frequent pattern mining can extract insight from transaction patterns, and it is a desired capability for fully understanding customers' purchase behavior. However, most algorithms focus on the transverse relationship, and longitudinal analysis is missing. To address this defect, FP-ICA, a Frequent Pattern mining algorithm for Item-oriented and Customer-oriented Analysis, is proposed. A pattern whose items occur in the same transaction is item-oriented, and a pattern whose items occur across several transactions of one customer is customer-oriented. FP-ICA transforms the transactions into a bitmap which contains a header recording customer information, and the frequent patterns are obtained by logical AND operations. Different mining rules are used for item-oriented and customer-oriented discovery. Experiments demonstrate the high speed and good scalability of FP-ICA.
First International Conference on Real Time Intelligent Systems | 2016
Shan Chun; Hu Kangwen; Xue Jingfeng; Hu Changzhen; Ma Rui
Pairing-free certificateless two-party authenticated key agreement (CT-AKA) protocols are computation-efficient, easily manageable, and less key-escrow dependent than traditional pairing-based identity-based protocols. In this paper, we propose four types of attacks on CT-AKA, present a pairing-free CT-AKA protocol and analyze its security in the Lippold model. Compared with related CT-AKA protocols, our protocol is more efficient, secure and practical to apply.
China Communications | 2016
Tian Donghai; Jia Xiaoqi; Chen Junhua; Hu Changzhen
Recently, virtualization technologies have been widely used in industry. In order to monitor the security of target systems in virtualization environments, conventional methods usually put the security monitoring mechanism into the normal functionality of the target systems. However, these methods are either prone to being tampered with by attackers or introduce considerable performance overhead for the target systems. To address these problems, in this paper we present a concurrent security monitoring method which decouples the traditional serial mechanism, consisting of a security event collector and an analyzer, into two concurrent components. On one hand, we utilize the SIM framework to deploy the event collector into the target virtual machine. On the other hand, we combine virtualization technology and multi-core technology to put the event analyzer into a trusted execution environment. To address the synchronization problem between these two concurrent components, we make use of Lamport's ring buffer algorithm. Based on the Xen hypervisor, we have implemented a prototype system named COMO. The experimental results show that COMO can monitor the security of the target virtual machine concurrently with little performance overhead.
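The abstract names Lamport's ring buffer algorithm as the synchronization mechanism between COMO's in-VM event collector and its out-of-VM analyzer. The following is an added example, not COMO's own code: a single-producer/single-consumer ring buffer in which the producer owns the write index and the consumer owns the read index, so neither side ever takes a lock, driven by two threads standing in for the two components. The event format, the use of threads in place of a VM and a trusted core, and the analyzer's execve rule are assumptions made for illustration.

```python
import threading
import time

EMPTY = object()   # returned by pop() when the ring holds nothing
STOP = object()    # end-of-stream marker the collector pushes last


class LamportRingBuffer:
    """Single-producer / single-consumer ring buffer (Lamport, 1977).

    `tail` is written only by the producer and `head` only by the consumer;
    each side reads the other's index but never writes it, so with atomic
    index stores no lock is needed.  CPython int stores are atomic under the
    GIL; a C version inside a hypervisor would use atomic stores plus a
    release fence before publishing `tail` and an acquire fence after reading it.
    """

    def __init__(self, capacity):
        if capacity < 2:
            raise ValueError("need at least two slots")
        self.capacity = capacity            # one slot stays empty so full != empty
        self.slots = [None] * capacity
        self.head = 0                       # consumer-owned: next slot to read
        self.tail = 0                       # producer-owned: next slot to write

    def push(self, item):
        nxt = (self.tail + 1) % self.capacity
        if nxt == self.head:                # full: caller decides to retry or drop
            return False
        self.slots[self.tail] = item        # fill the slot first ...
        self.tail = nxt                     # ... then publish it to the consumer
        return True

    def pop(self):
        if self.head == self.tail:          # empty
            return EMPTY
        item = self.slots[self.head]        # read the slot first ...
        self.head = (self.head + 1) % self.capacity   # ... then hand it back
        return item


def suspicious(event):
    """Assumed analyzer policy: execve of anything outside the system binary dirs."""
    return event["syscall"] == "execve" and not event["path"].startswith(
        ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/"))


def run_monitor(events, capacity=4):
    """Collector and analyzer as two threads sharing one ring buffer.

    Returns (events the analyzer saw, flagged events, number of full-ring retries).
    """
    ring = LamportRingBuffer(capacity)
    seen, flagged, retries = [], [], [0]

    def collector():                        # stands in for the in-VM collector
        for ev in list(events) + [STOP]:
            while not ring.push(ev):        # ring full: yield instead of blocking the VM
                retries[0] += 1
                time.sleep(0)

    def analyzer():                         # stands in for the out-of-VM analyzer
        while True:
            ev = ring.pop()
            if ev is EMPTY:
                time.sleep(0)
                continue
            if ev is STOP:
                return
            seen.append(ev)
            if suspicious(ev):
                flagged.append(ev)

    threads = [threading.Thread(target=collector), threading.Thread(target=analyzer)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return seen, flagged, retries[0]


# Constructed sample of collected events (not real traces).
SAMPLE_EVENTS = [
    {"pid": 101, "syscall": "open",   "path": "/etc/hosts"},
    {"pid": 101, "syscall": "execve", "path": "/usr/bin/ls"},
    {"pid": 102, "syscall": "execve", "path": "/tmp/.x/payload"},
    {"pid": 102, "syscall": "open",   "path": "/etc/shadow"},
    {"pid": 103, "syscall": "execve", "path": "/bin/sh"},
    {"pid": 104, "syscall": "execve", "path": "/dev/shm/miner"},
]

if __name__ == "__main__":
    seen, flagged, retries = run_monitor(SAMPLE_EVENTS, capacity=3)
    print(len(seen), "events analyzed,", retries, "full-ring retries")
    for ev in flagged:
        print("ALERT pid=%d execve %s" % (ev["pid"], ev["path"]))
```

The ordering inside push() and pop() is the whole point: a slot is written before the index that exposes it is advanced, and read before the index that frees it is advanced. A small capacity (3 above) forces the full-ring path, which is where a real collector must choose between stalling the guest and dropping events.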
China Communications | 2013
Tian Donghai; Li Xuanya; Hu Changzhen; Yan Huaizhi
Kernel hooks are very important control data in the OS kernel. Once these data are compromised by attackers, they can change the control flow of the OS kernel's execution. Previous solutions suffer from limitations in that: 1) some methods require modifying the source code of the OS kernel and kernel modules, which is less practical for wide deployment; 2) other methods cannot well protect the kernel hooks and function return addresses inside kernel modules whose memory locations cannot be predetermined. To address these problems, we propose OPKH, an on-the-fly hook protection system based on virtualization technology. Compared with previous solutions, OPKH offers the protected OS a fully transparent environment and easy deployment. In general, the working procedure of OPKH can be divided into two steps. First, we utilise memory virtualization for offline profiling so that the dynamic hooks can be identified. Second, we exploit an online patching technique to instrument the hooks for runtime protection. The experiments show that our system can protect the dynamic hooks effectively with minimal performance overhead.
Archive | 2011
Liang Jie; Sun Jianwei; Hu Changzhen
Web application vulnerabilities represent a substantial portion of the security exposures of computer networks. Considering that the HTTP protocol is stateless, we explore the effectiveness of an HTTP-session model for describing HTTP behavior. Based on the HTTP-session model and an analysis of HTTP attack behavior, we present a novel framework to actively detect HTTP attacks. Our method takes HTTP requests as input and produces as output an anomaly probability for each session attribute and for the session as a whole. All the probabilities are weighted and summed to produce a final probability, which is used to decide whether the HTTP session is an attack or not. We demonstrate the effectiveness of the proposed methods via simulation studies using real-world web access logs. Experiments show that our detection framework achieves high detection rates with very few false positives.
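The scoring scheme the abstract describes (a per-attribute anomaly probability, weighted and summed into one session probability that is compared with a threshold) can be run over access-log lines. The block below is an added example, not the paper's framework: sessions are keyed by client IP (the paper's HTTP-session model is not described on this page), the four session attributes, the Chebyshev-bound anomaly probability, the weights and the threshold are all assumptions chosen for illustration, and both log excerpts are constructed, not real traffic.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed combined-log-style lines, attack-free, used to learn the profile.
BASELINE_LOG = """\
10.0.0.1 - - [03/May/2011:09:00:01 +0800] "GET /index.html HTTP/1.1" 200 2326
10.0.0.1 - - [03/May/2011:09:00:05 +0800] "GET /about.html HTTP/1.1" 200 1810
10.0.0.1 - - [03/May/2011:09:00:06 +0800] "GET /img/logo.png HTTP/1.1" 200 4120
10.0.0.1 - - [03/May/2011:09:00:20 +0800] "GET /contact.html HTTP/1.1" 200 1502
10.0.0.2 - - [03/May/2011:09:01:01 +0800] "GET /index.html HTTP/1.1" 200 2326
10.0.0.2 - - [03/May/2011:09:01:04 +0800] "GET /news.html HTTP/1.1" 200 3011
10.0.0.2 - - [03/May/2011:09:01:05 +0800] "GET /img/logo.png HTTP/1.1" 200 4120
10.0.0.2 - - [03/May/2011:09:01:30 +0800] "GET /products.html HTTP/1.1" 200 2780
10.0.0.3 - - [03/May/2011:09:02:01 +0800] "GET /index.html HTTP/1.1" 200 2326
10.0.0.3 - - [03/May/2011:09:02:02 +0800] "GET /about.html HTTP/1.1" 200 1810
10.0.0.3 - - [03/May/2011:09:02:02 +0800] "GET /img/logo.png HTTP/1.1" 200 4120
10.0.0.3 - - [03/May/2011:09:02:03 +0800] "GET /css/site.css HTTP/1.1" 200 901
10.0.0.3 - - [03/May/2011:09:02:40 +0800] "GET /contact.html HTTP/1.1" 200 1502
"""

# Constructed test traffic: one ordinary visitor (10.0.0.4) and one scanner (10.0.0.9).
TEST_LOG = """\
10.0.0.4 - - [03/May/2011:10:00:01 +0800] "GET /index.html HTTP/1.1" 200 2326
10.0.0.4 - - [03/May/2011:10:00:03 +0800] "GET /news.html HTTP/1.1" 200 3011
10.0.0.4 - - [03/May/2011:10:00:04 +0800] "GET /img/logo.png HTTP/1.1" 200 4120
10.0.0.4 - - [03/May/2011:10:00:31 +0800] "GET /contact.html HTTP/1.1" 200 1502
10.0.0.9 - - [03/May/2011:10:05:00 +0800] "GET /admin.php HTTP/1.1" 404 210
10.0.0.9 - - [03/May/2011:10:05:00 +0800] "GET /wp-login.php HTTP/1.1" 404 210
10.0.0.9 - - [03/May/2011:10:05:01 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 210
10.0.0.9 - - [03/May/2011:10:05:01 +0800] "GET /../../etc/passwd HTTP/1.1" 404 210
10.0.0.9 - - [03/May/2011:10:05:02 +0800] "GET /index.php?id=1' HTTP/1.1" 500 512
10.0.0.9 - - [03/May/2011:10:05:02 +0800] "GET /index.php?id=1%20or%201=1 HTTP/1.1" 200 2326
10.0.0.9 - - [03/May/2011:10:05:03 +0800] "GET /search?q=<script>alert(1)</script> HTTP/1.1" 200 1200
10.0.0.9 - - [03/May/2011:10:05:03 +0800] "GET /backup.zip HTTP/1.1" 404 210
10.0.0.9 - - [03/May/2011:10:05:04 +0800] "GET /.git/config HTTP/1.1" 404 210
10.0.0.9 - - [03/May/2011:10:05:04 +0800] "GET /index.html HTTP/1.1" 200 2326
10.0.0.9 - - [03/May/2011:10:05:05 +0800] "GET /login?user=admin'-- HTTP/1.1" 500 512
10.0.0.9 - - [03/May/2011:10:05:05 +0800] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')
SUSPICIOUS = re.compile(r"['<>]|\"|\.\./")     # assumed crude injection/traversal indicator

# Assumed attribute weights (sum to 1) and decision threshold.
WEIGHTS = {"requests": 0.25, "error_ratio": 0.3, "mean_path_len": 0.15, "suspicious_ratio": 0.3}
THRESHOLD = 0.5


def parse_log(text):
    return [m.groupdict() for m in map(LOG_RE.match, text.strip().splitlines()) if m]


def sessionize(reqs):
    """Session = all requests from one client IP (a simplification for this example)."""
    sessions = defaultdict(list)
    for r in reqs:
        sessions[r["ip"]].append(r)
    return sessions


def session_attrs(reqs):
    n = len(reqs)
    return {
        "requests": n,
        "error_ratio": sum(r["status"][0] in "45" for r in reqs) / n,
        "mean_path_len": mean(len(r["path"]) for r in reqs),
        "suspicious_ratio": sum(bool(SUSPICIOUS.search(r["path"])) for r in reqs) / n,
    }


class SessionProfile:
    """Per-attribute mean and standard deviation learned from attack-free sessions."""

    def __init__(self, baseline):
        self.stats = {name: (mean(s[name] for s in baseline), pstdev([s[name] for s in baseline]))
                      for name in baseline[0]}

    def attr_anomaly(self, name, x):
        mu, sigma = self.stats[name]
        d2 = (x - mu) ** 2
        if d2 == 0:
            return 0.0
        if sigma == 0:                      # attribute never varied in the baseline
            return 1.0
        # Chebyshev: P(|X - mu| >= |x - mu|) <= sigma^2 / (x - mu)^2
        return 1.0 - min(1.0, sigma ** 2 / d2)

    def score(self, attrs, weights):
        return sum(w * self.attr_anomaly(n, attrs[n]) for n, w in weights.items())


def build_profile(log_text):
    return SessionProfile([session_attrs(r) for r in sessionize(parse_log(log_text)).values()])


def classify(log_text, profile, weights=WEIGHTS, threshold=THRESHOLD):
    """Map client IP -> (session anomaly probability, flagged as attack)."""
    out = {}
    for ip, reqs in sessionize(parse_log(log_text)).items():
        p = profile.score(session_attrs(reqs), weights)
        out[ip] = (round(p, 3), p >= threshold)
    return out


if __name__ == "__main__":
    for ip, (p, attack) in classify(TEST_LOG, build_profile(BASELINE_LOG)).items():
        print(ip, p, "ATTACK" if attack else "normal")
```

Two practical points follow from running it: an attribute whose baseline never varied (here error_ratio and suspicious_ratio) scores 1.0 on any deviation, so the baseline must be large enough to capture legitimate variance, and the final decision depends as much on the weights as on the per-attribute probabilities, so both belong in the tuning set rather than being fixed by hand.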
international conference on emerging security information, systems and technologies | 2010
Donghai Tian; Deguang Kong; Hu Changzhen; Peng Liu
Operating system (OS) security is the basis for trusted computing. As kernel rootkits become popular and many kernel vulnerabilities are exposed, the OS kernel suffers a large number of attacks. It is difficult to protect the kernel by its own module because kernel rootkits have the same ability to cripple a security module within the same kernel space. Recently, with the virtualization renaissance, virtualization technology provides many new ways to improve system security. Utilizing this new technology, we present a kernel protection system called VMhuko. By monitoring kernel data access actively, VMhuko can defend against kernel data attacks on the fly. Intensive experiments show that VMhuko can protect the kernel with moderate performance overhead.
international workshop on computer science and engineering | 2009
Ren Jiadong; He Huiling; Xu Lina; Hu Changzhen
In order to improve the mining efficiency of frequent itemsets on data streams, we present an algorithm, DSMFI_Miner, for mining maximal frequent itemsets on data streams. First, a data structure DSMFI_tree is constructed to store the potential frequent itemsets, and the data stream is divided into a set of segments. Then the potential maximal frequent itemsets on each segment are obtained by a breadth-first algorithm, while the generated itemsets and their subsets are stored in the local DSMFI_tree, which is updated dynamically. Finally, the maximal frequent itemsets on the data stream can be rapidly found by a bottom-up search strategy over the DSMFI_tree. The experimental results show that the execution efficiency of DSMFI_Miner is better than that of the INSTANT algorithm.