Publication


Featured research published by Jianyi Liu.


international conference on cloud computing | 2016

An attack pattern mining algorithm based on fuzzy logic and sequence pattern

Yang Li; Ying Xue; Yuangang Yao; Xianghui Zhao; Jianyi Liu; Ru Zhang

Obtaining correlation rules is one of the main challenges in the field of alert correlation research. In this paper, we propose an attack pattern mining algorithm to solve this problem. Our method can be divided into two steps: Fast Fuzzy Cluster Analysis (FFCA) and Frequent Sequence Mining (FSM). FFCA can accurately describe the similarity among alert attributes, while FSM can dig out the correlation between alerts. In order to find the hidden attack patterns behind massive data efficiently and accurately, we combine the characteristics and advantages of both in our method. First, we design a similarity function for each attribute and separate the raw sequence into alert cluster sets through fuzzy clustering based on the similarity function. Then we dig the frequent sequences from these cluster sets. Finally, we use experimental results to show the feasibility of our method.


international conference on cloud computing | 2016

An Android malware detection method based on AndroidManifest file

Xiang Li; Jianyi Liu; Yanyu Huo; Ru Zhang; Yuangang Yao

As one of the most developed intelligent operating systems on mobile devices, Android has taken the largest part of the cell phone market. A rapid increase in the number of mobile applications makes them more relevant to people's daily lives than ever before. Due to Android's security mechanism and the lack of validation when publishing Android apps, Android malware detection remains a critical issue. To solve this problem, this paper builds on the traditional method of Android permission detection and finds that the statistical information of Android components (mainly activity) from the Manifest file cannot be ignored. In this paper, a new feature vector is extracted from the AndroidManifest file, which combines the permission information and the component information of the Android application. We combine it with the naive Bayes classification algorithm and propose a malicious application detection method based on AndroidManifest file information. The experimental results show that the new method performs better than traditional permission detection.


international conference on cloud computing | 2014

A web page malicious script detection system

Siyue Zhang; Weiguang Wang; Zhao Chen; Heng Gu; Jianyi Liu; Cong Wang

Security risks brought by Web page information have become a matter that can no longer be ignored. Malicious script is a major challenge that Web site security currently faces. According to data from the Google Research Centre, more than 10% of Web pages are malicious. Especially in China, the proportion of malicious Web pages has reached 43.21%. This paper presents a detection system which is used to locate the malicious scripts in Web pages. It acquires and builds up a malicious code feature base, a base of hidden-link URLs, etc., based on safety data published on security research Web sites. In this system, a Web crawler is used to collect Web page source code, and a learning algorithm for classification is used to train the classifier. The classification results are evaluated and improved in the end.


international conference on cloud computing | 2018

Network Security Situation Assessment Approach Based on Attack-Defense Stochastic Game Model

Jianyi Liu; Fangyu Weng; Ru Zhang; Yunbiao Guo

To analyze the influence of threat propagation on network system and accurately evaluate system security, this paper proposes an approach to improve the awareness of network security, based on Attack-Defense Stochastic Game Model (ADSGM). The variety of network security elements collected by multi-sensors are fused into a standard dataset such as assets, threats and vulnerabilities. For every threat, it builds a threat propagation network and propagation rule. By using the game theory to analyze the network offensive and defensive process, it establishes the ADSGM. The ADSGM can dynamically evaluate network security situation and provide the best reinforcement schema. Experimental results on a specific network indicate that the approach is more precise and more suitable for a real network environment. The reinforcement schema can effectively prevent the propagation of threats and reduce security risks.


intelligence and security informatics | 2017

Attack pattern mining algorithm based on security log

Keyi Li; Yang Li; Jianyi Liu; Ru Zhang; Xi Duan

This paper proposes an attack pattern mining algorithm to extract attack patterns from massive security logs. The improved fuzzy clustering algorithm is used to generate a sequence set. Then PrefixSpan is used to mine frequent sequences from the sequence set. The experimental results show that this algorithm can effectively mine attack patterns, improve accuracy, and generate more valuable attack patterns.


Security and Communication Networks | 2017

Constructing APT Attack Scenarios Based on Intrusion Kill Chain and Fuzzy Clustering

Ru Zhang; Yanyu Huo; Jianyi Liu; Fangyu Weng

The APT attack on the Internet is becoming more serious, and most intrusion detection systems can only generate alarms for some steps of an APT attack and cannot identify the pattern of the APT attack. To detect APT attacks, many researchers established attack models and then correlated IDS logs with the attack models. However, the accuracy of detection deeply relied on the integrity of the models. In this paper, we propose a new method to construct APT attack scenarios by mining IDS security logs. These APT attack scenarios can be further used for APT detection. First, we classify all the attack events by purpose of phase of the intrusion kill chain. Then we add the attack event dimension to fuzzy clustering, correlate IDS alarm logs with fuzzy clustering, and generate the attack sequence set. Next, we delete the bug attack sequences to clean the set. Finally, we use the nonaftereffect property of the probability transfer matrix to construct attack scenarios by mining the attack sequence set. Experiments show that the proposed method can construct the APT attack scenarios by mining IDS alarm logs, and the constructed scenarios match the actual situation so that they can be used for APT attack detection.


international conference on cloud computing | 2016

Phishing sites detection based on Url Correlation

Ying Xue; Yang Li; Yuangang Yao; Xianghui Zhao; Jianyi Liu; Ru Zhang

With the rapid development of information technology, internet security has drawn more and more attention. Nowadays, most researchers focus on lexical and host features to classify phishing URLs. In this paper, we propose a Vulnerable Sites List and a new feature named URL Correlation. URL Correlation is based on the similarity of URLs with the list that we created. In addition, a large improvement in accuracy is observed when comparing methods that use our new feature with others that use the normal ones.


international conference on cloud computing | 2016

Efficiently secure multiparty computation based on homomorphic encryption

Yuangang Yao; Jinxia Wei; Jianyi Liu; Ru Zhang

The existing secure multiparty computation (SMC) protocols are either insecure, demand that the input information be encrypted under a public key, or rely heavily on user interaction. These deficiencies limit how the protocols can be employed. We put forward a protocol based on homomorphic encryption (HE) that allows the inputs of the function to be encrypted with various public keys. Comparing the methodology with the known technique shows that the communication complexity in our paper is lower.


international conference on cloud computing | 2014

A model for website anomaly detection based on log analysis

Xu Han; Tao Lv; Lin Wei; Yanyan Wu; Jianyi Liu; Cong Wang

Finding security events in web logs has become an important aspect of network security. This paper proposes a website anomaly detection model based on security log analysis. After creating the anomaly feature sets of the model, the C4.5 algorithm is used to improve the feature sets, so that the abnormal records in the feature sets are stored hierarchically. By comparing website logs with the treated feature sets, the model ultimately achieves the purpose of checking website security events quickly and accurately.


international conference on cloud computing | 2014

A system for web page sensitive keywords detection

Heng Gu; Weiguang Wang; Peng Liu; Siyue Zhang; Jianyi Liu; Cong Wang

In the current diverse and complex network information environment, the technology of web page sensitive keyword detection is an important and immediate way to manage public opinion online. We propose a system for web page sensitive keyword detection. This system can detect sensitive keywords in web pages in a timely and effective manner. It marks the position of the keywords in web pages and writes related information, such as detection results and detection time, to the detection result table in order to help website managers take measures to filter sensitive keywords in time.

Collaboration


Dive into Jianyi Liu's collaboration.

Top Co-Authors

Ru Zhang, Beijing University of Posts and Telecommunications

Cong Wang, Beijing University of Posts and Telecommunications

Jinxia Wei, Beijing University of Posts and Telecommunications

Yang Li, Beijing University of Posts and Telecommunications

Fangyu Weng, Beijing University of Posts and Telecommunications

Heng Gu, Beijing University of Posts and Telecommunications

Lin Wei, Beijing University of Posts and Telecommunications

Siyue Zhang, Beijing University of Posts and Telecommunications

Weiguang Wang, Beijing University of Posts and Telecommunications

Xinxin Niu, Beijing University of Posts and Telecommunications