Publication


Featured research published by Jinqiao Shi.


Procedia Computer Science | 2013

A Bigram based Real Time DNS Tunnel Detection Approach

Cheng Qi; Xiaojun Chen; Cui Xu; Jinqiao Shi; Peipeng Liu

DNS (Domain Name System) tunnels can provide high-bandwidth covert channels that pose a significant risk to sensitive information inside company networks. Sensitive data are embedded in DNS query and response packets to exfiltrate and infiltrate the network boundaries. However, traditional Intrusion Detection Systems (IDS) and Firewalls let DNS packets pass without any checking. This paper explores a novel approach to detect in real time whether a DNS packet is in a tunnel by scoring the query domain based on bigrams. Experiments show that the bigrams of domains follow Zipf's law, whereas tunnelled traffic follows a random distribution. The score mechanism for detecting DNS tunnels is proved to be usable theoretically and is confirmed in the experiment. Our approach achieves a high accuracy of 98.74% and a low false positive rate of 1.24%.


IEEE Journal on Selected Areas in Communications | 2014

Towards Fast and Optimal Grouping of Regular Expressions via DFA Size Estimation

Tingwen Liu; Alex X. Liu; Jinqiao Shi; Yong Sun; Li Guo

Regular Expression (RegEx) matching, as a core operation in many network and security applications, is typically performed on Deterministic Finite Automata (DFA) to process packets at wire speed; however, DFA size is often exponential in the number of RegExes. RegEx grouping is the practical way to address DFA state explosion. Prior RegEx grouping algorithms are extremely slow and memory intensive. In this paper, we first propose DFAestimator, an algorithm that can quickly estimate DFA size for a given RegEx set without building the actual DFA. Second, we propose RegexGrouper, a RegEx grouping algorithm based on DFA size estimation. In terms of speed and memory consumption, our work is orders of magnitude more efficient than prior art because DFA size estimation is much faster and memory efficient than DFA construction. In terms of the resulting size sum of DFAs, our work is significantly more effective than prior art because we use a much finer grained quantification of the degree of interaction between two RegExes. For example, to divide the RegEx set of the L7-filter system into 7 groups, prior art uses 279.3 minutes and the resulting 7 DFAs have a total of 29047 states, whereas RegexGrouper uses 3.2 minutes and the resulting 7 DFAs have a total of 15578 states.


Journal of Networks | 2014

Empirical Measurement and Analysis of I2P Routers

Peipeng Liu; Lihong Wang; Qingfeng Tan; Quangang Li; Xuebin Wang; Jinqiao Shi

With the increased focus on Internet privacy, especially after the exposure of PRISM (an Internet surveillance program), anonymous communication has been getting more and more attention. One of the most widely used anonymous communication systems is I2P (Invisible Internet Project). As opposed to Tor's (another popular anonymous communication system) directory-based approach, which provides a centralized directory server to manage the overall 'view' of the network, I2P is fully distributed and self-organizing, which aims to avoid attackers' enumeration of all I2P's routers. In this paper, based on I2P's operating mechanism, we present two passive and two active methods to discover I2P routers. In a collecting experiment lasting more than two weeks, about 25640 routers were discovered every day, which turned out to be an almost full coverage (94.9%) of the I2P network compared with the data announced on the official website [1]. Based on the routers collected, this paper further makes a preliminary analysis of both the I2P network's overall status and its security. The result shows that I2P is a well-structured P2P network, while it is still possible for powerful attackers operating several routers to perform compromise attacks to break I2P users' anonymity given I2P's current security mechanism. Finally, this paper discusses some countermeasures to improve the security of the I2P network.


Procedia Computer Science | 2013

A Multi-Level Analysis Framework in Network Security Situation Awareness

Haoliang Zhang; Jinqiao Shi; Xiaojun Chen

Network Security Situation Awareness (NSSA) technology has been extensively studied in multi-data analysis research in recent years. In this paper, we use a historical war story to explain the key points in situation awareness, present the conceptualizations and challenging aspects of NSSA, and discuss the methodologies for solving these problems. We provide an evaluation method for network security situation, and show how to apply this method to NSSA. A multi-level analysis framework for NSSA is presented to demonstrate the advantages and effectiveness of using this method.


International Conference on Trustworthy Computing and Services | 2012

A Hierarchical Method for Clustering Binary Text Image

Yiguo Pu; Jinqiao Shi; Li Guo

Image clustering is a crucial task in image retrieving, filtering and organizing. Most recent work focuses on dealing with color images or gray-scale images with features extracted from text content, annotation or image content. This paper aims at binary text images and proposes a novel clustering method that can be used for automatic image processing in digital libraries and the automatic office. The method is divided into three main steps. Firstly, images are preprocessed to denoise, correct orientation and produce coarse classes. Secondly, features are extracted and similar images are grouped into new classes with a hierarchical clustering algorithm. At last, new classes are combined with the nearest old ones under a distance condition. To speed up clustering, the Locality Sensitive Hashing algorithm is introduced to boost the merging procedure. Experiments show that this method is faster and more efficient compared with the basic clustering method.


International Conference on Trustworthy Computing and Services | 2012

An Efficient Ellipse-Shaped Blobs Detection Algorithm for Breaking Facebook CAPTCHA

Peipeng Liu; Jinqiao Shi; Lihong Wang; Li Guo

A CAPTCHA is a test designed to distinguish computer programs from human beings, in order to prevent the abuse of network resources. Nowadays, academic research on CAPTCHA, including designing friendly but secure CAPTCHA systems and breaking existing CAPTCHA systems, is becoming an increasingly hot topic. Breaking an existing CAPTCHA system can help to perfect its design and therefore to improve its security. In this paper, ESBDA, an Ellipse-Shaped Blobs Detection Algorithm, is proposed to detect the ellipse-shaped blobs used in the Facebook CAPTCHA scheme, which can be used to break the Facebook CAPTCHA system. The approach is based on detecting the contour of the ellipse-shaped blobs using erosion and dilation techniques. The experimental results show that ESBDA can effectively remove the noisy ellipse-shaped blobs in the Facebook CAPTCHA scheme.


Military Communications Conference | 2015

An automatic approach to extract the formats of network and security log messages

Jing Ya; Tingwen Liu; Haoliang Zhang; Jinqiao Shi; Li Guo

Analyzing massive network and security logs that record network events is crucial for diagnosing network anomalies in large-scale network environments. Extracting log message formats is an important and necessary step to achieve this goal. However, it is time-consuming and costly to automatically and efficiently extract log message formats from massive network and security logs of many different types, which are generated by the increasing number of network and security devices and services used in large-scale networks. In this paper, we propose log template extraction (LTE), an approach that is semantics-aware of network and security logs, to address the problem. LTE first cleans log messages and then clusters the cleaned log messages based on the DBSCAN algorithm. At last, it infers message templates by the LDA Gibbs sampling algorithm. We evaluate our work on a massive amount of network log messages collected from a large production network. Experimental results show that the LTE approach infers multiple log message formats at the same time with more than 90% accuracy and 100% recall.


Asia-Pacific Web Conference | 2014

Detecting Insider Threat Based on Document Access Behavior Analysis

Rui Zhang; Xiaojun Chen; Jinqiao Shi; Fei Xu; Yiguo Pu

In recent years, insiders have been the major source of information leakage. In order to detect information leakage by internal insiders, anomaly detection using individual and community behavior models has been developed. The basic assumption of anomaly detection is that each user has his/her own profile of activities, and the anomaly detection algorithm attempts to identify any deviation from the basic profile of each user. Both models neglected the possibility of change in an individual user's profile, e.g. a change of individual interests. We propose here an anomaly detection model of insider threat using file content. The proposed model uses document segmentation and the Naive Bayes algorithm to classify the contents of files in an organization. We then set up the correlation matrices between users and their interests, and also between the user community and their interests. We then propose a comprehensive model to detect the insider threat, which takes into consideration the deviations of individual users' current behaviors, their historical behaviors and their associated community behaviors simultaneously. According to the experimental test results, the proposed model can successfully detect anomalous access to files in the internal systems.


Procedia Computer Science | 2013

Data Stolen Trojan Detection based on Network Behaviors

Yiguo Pu; Xiaojun Chen; Xu Cui; Jinqiao Shi; Li Guo; Cheng Qi

It is well known that the data loss caused by data stolen Trojans is huge, as they can upload private or secret data to the hackers who control them remotely. Most current security tools monitor Trojans by scanning for signature code that distinguishes them from normal software. However, this method can only recognize known Trojans, not up-to-date malicious software with unknown signature code. Some other security tools, which must be preinstalled on hosts, detect Trojans by program behaviors. This paper proposes a novel model to detect data stolen Trojans based on their network behaviors. It consists of three detectors: 1) a keep-alive detector detects keep-alive packets or connections; 2) a master-slave-connection detector tries to find master and slave connections; and 3) a mistake detector analyses the rate of download vs. upload and the connection time for different protocols. The experiments show that this method is efficient in recognizing data stolen Trojans. This prototype system proves the possibility of detecting Trojans from the network.


International Conference on Machine Learning and Cybernetics | 2004

Using support vector machine in traffic analysis for Website recognition

Jinqiao Shi; Binxing Fang; Bin Li; Fu-Liang Wang

Website recognition is the process of identifying specific Websites by analyzing the traffic flow. Encryption invalidates content analysis techniques, while traffic analysis can solve the problem by concentrating on the nature and behavior of traffic. Based on the structurally stable but content-mutable properties of Websites, a method combining a machine learning algorithm and traffic analysis techniques is proposed for encrypted Website recognition. A session-describing vector, composed of the connection count and the data volumes transferred in each connection, is introduced to characterize a Web surfing flow, and through vector normalization, generalization and ranking, the sequence, length and dimension weight are adjusted to improve the recognition effect. The recognition process can be considered a binary classification problem, thus the SVM (support vector machine) algorithm is adopted because of its excellent performance in pattern classification problems. Experiments show that the proposed method can clearly discern the vectors of a specific Website from others, and the processes of generalization and ranking are of great help to classification.

Collaboration

Dive into Jinqiao Shi's collaboration.

Top Co-Authors

Li Guo, Chinese Academy of Sciences
Xiaojun Chen, Chinese Academy of Sciences
Qingfeng Tan, Chinese Academy of Sciences
Tingwen Liu, Chinese Academy of Sciences
Binxing Fang, Harbin Institute of Technology
Xiao Wang, Chinese Academy of Sciences
Xuebin Wang, Chinese Academy of Sciences
Fei Xu, Chinese Academy of Sciences
Yiguo Pu, Chinese Academy of Sciences
Rui Xu, Chinese Academy of Sciences