Lansheng Han

Task-based behavior detection of illegal codes ☆

Abstract Detecting unseen illegal codes is always a challenging task. As the main action to deal with this problem, the behavior detection is unsatisfactory in both effectiveness and efficiency. This paper proposes task-based behavior detection (TBBD) which detects new illegal codes based on the user’s task instead of only on the software behavior. First, the paper proposes three prerequisites of TBBD and four judgment rules, i.e., resource abnormal rule, relation abnormal rule, space abnormal rule and time abnormal rule. Then, by analyzing the effectiveness and comparison of the four judgment rules, we present an explicit judgment process of TBBD. Finally, the paper carries on the experiments. The test result verifies the validity and feasibility of TBBD.

Cryptanalysis and improvement of a certificateless threshold signature secure in the standard model

In this paper, we focus on security analysis of certificateless signature (CLS) schemes and certificateless threshold signature (CLTHS) schemes. We first propose four common attack methods for analyzing security of CLS schemes and CLTHS schemes. Then we give seven existing schemes as examples for demonstrating how to use our common attack methods, and prove that these schemes are vulnerable against public key replacement attacks or malicious-but-passive key generation center (KGC) attacks. By comprehensively using the proposed attack ideas, we also present three attacks against a CLTHS scheme proposed by Xiong et al. (2010) [28]: two public key replacement attacks and a malicious-but-passive KGC attack. Furthermore, we point out the flaws in the security proofs of these insecure CLS or CLTHS schemes. Finally, to resist these attacks, we propose an improved CLTHS scheme.

Network Anomaly Detection Based on Projection Pursuit Regression

Network anomaly detection is an important issue in network security. Detecting network anomaly is a challenging because of the multivariate property of the collected data, the diversity of the causes and the complexity of the existing algorithms. However, traditional methods have some shortcomings, such as low real-time capability, great resource consumption, high false positive rate (FPR) and high false negative rate (FNR). Projection pursuit regression (PPR) is a widely used multivariate analysis method and can be exploited to mining structures in multivariate data set. Based on PPR, we propose a novel network anomaly detection approach, which combines regression learning of genetic algorithm (GA) and Projection Pursuit to eventually evaluate the anomaly results comprehensively. We verify the proposed approach on the 1999 DARPA data set, and network anomaly can be detected with higher detection rate (DR) and lower false positive rate, compared to the Phad method. Furthermore, our approach achieves good detection rate even for some specific kind of anomaly which is difficult to detect previously.

Owner based malware discrimination

Abstract A piece of malware code can be harmful in one’s system but totally harmless in another’s. In this paper, we point out that the detection of malicious code or software is actually a matter of discrimination which depends on the owners of the computer systems. We propose an owner based malicious software discrimination model, named as Unlimited Register Machine of Owners (URMO). First, we characterize and analyze the limitations of existing discrimination techniques in theory by using the discrimination model of Unlimited Register Machine (URM) and then move on to construct the URMO discrimination model by giving the two important elements of malicious behavior: an operation and the object of the operation. The relationship between an operation and the object of the operation is fundamental to solving the relativity of the discrimination problem about malice, which is also the advantage of the URMO model. Finally, by applying the model to discriminate real-world malware and comparing it with existing popular antivirus software, we demonstrate the effectiveness and superior performance of the URMO model.

Communities Evolution Analysis Based on Events in Dynamic Complex Network

In the dynamic complex networks, the community structure is constantly changing, such as generation, maintaining, merger, die, fusion, etc. These changes will lead to the dynamic evolution of the structure and morphology in an entire community. Current static community division methods can not be well used to analyze the dynamic network evolution. In this paper, based on events in the community evolution, firstly three evolutionary relationships are defined, as well as the definition of community aggregation and community divergence. Then based on the idea of time sheet and the overlapping community division algorithm, dynamic complex networks are divided. The whole evolution of the dynamic community is portrayed, through the comprehensive analysis of the evolution relationships of the community on the adjacent time sheet. And according to values of community aggregation and community divergence, a great polymerization or large dispersion will be found in the community evolution process, so major events hidden in the data can be revealed.

Intrusion detection model of wireless sensor networks based on game theory and an autoregressive model

Abstract An effective security strategy for Wireless Sensor Networks (WSNs) is imperative to counteract security threats. Meanwhile, energy consumption directly affects the network lifetime of a wireless sensor. Thus, an attempt to exploit a low-consumption Intrusion Detection System (IDS) to detect malicious attacks makes a lot of sense. Existing Intrusion Detection Systems can only detect specific attacks and their network lifetime is short due to their high energy consumption. For the purpose of reducing energy consumption and ensuring high efficiency, this paper proposes an intrusion detection model based on game theory and an autoregressive model. The paper not only improves the autoregressive theory model into a non-cooperative, complete-information, static game model, but also predicts attack pattern reliably. The proposed approach improves on previous approaches in two main ways: (1) it takes energy consumption of the intrusion detection process into account, and (2) it obtains the optimal defense strategy that balances the system’s detection efficiency and energy consumption by analyzing the model’s mixed Nash equilibrium solution. In the simulation experiment, the running time of the process is regarded as the main indicator of energy consumption of the system. The simulation results show that our proposed IDS not only effectively predicts the attack time and the next targeted cluster based on the game theory, but also reduces energy consumption.

Search engine: The social relationship driving power of Internet of Things

Abstract Social Internet of Things (SIoT) integrates the social network with the Internet of Things (IoT) and has become a hot research issue for its potential to support novel IoT applications and networking services in more effective and efficient ways. The search engine, which is primarily designed for social network users to acquire interested information, also plays an important role in SIoT. There even exist search engines specially designed for SIoT. Using a search engine, people can easily find the smart devices in SIoT. Specifically, a search engine assists the information dissemination, i.e., enabling users (both humans and things) to access interested objects (both humans and things) with keywords-searching and transferring contents from the source directly to potential interested users. Accompanying such processes, the SIoT evolves as new links emerge between users and their interested objects. In this paper, we aim to quantitatively characterize how a search engine influences the social relationship in the IoT. Firstly, we point out that the search engine serves as the medium between the social network and the IoT, and then we propose a Search Social Internet of Things (SSIoT) model for SIoT evolution. Secondly, we adopt six performance metrics, namely, degree distribution, network diameter, average distance, network density, network stability, and user betweenness. Theoretically, we prove that the degree distribution follows an intensified power-law, the network diameter and the average distance shrink, network density, network stability, and user betweenness are greater in SSIoTs. Thirdly, we quantitatively show that a search engine accelerates malicious code propagation in SIoTs. Finally, based on four real-world data sets (i.e., CDBLP, Facebook, Weibo, and P2P), we verify our theoretical findings.

An adaptive control momentum method as an optimizer in the cloud

Abstract Many issues in the cloud can be transformed into optimization problems, where data is of high dimension and randomness. Thus, stochastic optimizing is a key to Autonomous Cloud. And one of the most significant discussions in this field is how to adapt the learning rate and convergent path dynamically. This paper proposes a gradient-based algorithm called Adacom, that is based on an adaptive control system and momentum. Critically inheriting the previous studies, a reference model is introduced to generate the update. The method reduces noise and decides on paths with less oscillation, while maintaining the accumulated learning rate. Due to system design properties, the method requires fewer hyper-parameters for tuning. We state the prospect of Adacom as a general optimizer in Autonomous Cloud, and explore the potential of Adacom for pervasive computing by the assumption of transition data. Then we demonstrate the convergence of Adacom theoretically. The evaluations over the simulated transition data prove the feasibility and superiority of Adacom with other gradient-based methods.

Targeting malware discrimination based on reversed association task: Targeting malware discrimination based on reversed association task

Regarding the current situation that the recognition rate of malware is decreasing, the article points out that the reason for this dilemma is that more and more targeting malware have emerged, which share little or no common feature with traditional malware. The premise of malware recognition judging whether a software is malicious or benign is actually a decision problem. We propose that malware discrimination should resort to the corresponding task or purpose. We first present a formal definition of a task and then provide further classifications of malicious tasks. Based on the decidable theory, we prove that task performed by any software is recursive and determinable. By establishing a mapping from software to task, we prove that software is many‐to‐one reducible to corresponding tasks. Thus, we demonstrate that software, including malware, is also recursive and can be determined by the corresponding tasks. Finally, we present the discrimination process of our method. Nine real malwares are presented, which were firstly discriminated by our method but at that time could not be identified by Kaspersky, McAfee, Symantec Norton, or Kingsoft Antivirus.

Malware Discrimination Based on Reversed Association Task

Regarding the prominent threat of malware and the predicament faced by current identification technology, this paper considers that the primary reason is that the technical features used to identify malware are unstable and user-dependent. Furthermore, an in-depth analysis of those technical features leads us to believe that the root cause lies in the lag of discrimination theory behind practice. Because every piece of software has a specific task or purpose, we propose malware discrimination based on identifying the malicious tasks or purposes. We first present a formal definition of a task and then provide further classifications of malicious tasks. Then, based on decidable theory, we conclude that tasks are decidable, computable and finite, which enables us to prove that they are recursive and determinable. By establishing a map from software to task, we prove that software is many-to-one reducible to corresponding tasks. Thus, we show that software, including malware such as computer viruses, internet worms and Trojan horses, is also recursive and can be determined from the corresponding tasks. Finally, a discrimination process and practical examples are presented to verify our theory. Two key issues are identified for future research on malware discrimination.