Liming Wang

Efficient Key Agreement for Large and Dynamic Multicast Groups

Secure multicast represents the core component of many web and multimedia applications such as pay-TV, teleconferencing, real-time distribution of stock market price and etc. The main challenges for secure multicast is scalability, efficiency and authenticity. In this paper, we propose a scalable, efficient, authenticated group key agreement scheme for large and dynamic multicast systems. The proposed key agreement scheme is identity-based which uses the bilinear map over the elliptic curves. Compared with the previously published schemes, our scheme pro- vides group member authenticity without imposing extra mechanism. Furthermore, we give a scalability solution based on the subgroups, which has advantages over the existing schemes. Security analysis shows that our scheme satisfies both forward secrecy and backward secrecy.

Moving Target Network Defense Effectiveness Evaluation Based on Change-Point Detection

In order to evaluate the effectiveness of moving target network defense, a dynamic effectiveness evaluation approach based on change-point detection is presented. Firstly, the concept of multilayer network resource graph is defined, which helps establish the relationship between the change of resource vulnerability and the transfer of network node state. Secondly, a change-point detection and standardized measurement algorithm is proposed. Consequently, it improves the efficiency of evaluation by measuring the change-point dynamically and enhancing the accuracy of evaluation based on multilayer network resource graph. What’s more, in order to evaluate the defense effectiveness comprehensively, defense cost and benefits are set as evaluation indicators. Finally, experimental analysis, represented by MT6D and DNAT, proves the feasibility of the proposed evaluation method and the accuracy of the evaluation results.

Statistical cross-language Web content quality assessment

Cross-language Web content quality assessment plays an important role in many Web content processing applications. In the previous research, natural language processing, heuristic content and term frequency-inverse document frequency features based statistical systems have proven effective for Web content quality assessment. However, these are language-dependent features, which are not suitable for cross-language ranking. This paper proposes a cross-language Web content quality assessment method. First multi-modal language-independent features are extracted. The extracting features include character features, domain registration features, two-layer hyperlink analysis features and third-party Web service features. All the extracted features are then fused. Based on the fused features, feature selection is carried out to get a new eigenspace. Finally cross-language Web content quality model on the eigenspace can be learned. The experiments on ECML/PKDD 2010 Discovery Challenge cross-language datasets demonstrate that every scale feature has discriminability; different modalities of features are complementary to each other; and the feature selection is effective for statistical learning based cross-language Web content quality assessment.

A Self-adaptive Hopping Approach of Moving Target Defense to thwart Scanning Attacks

End-point hopping is one of important moving target defense (MTD) mechanisms to kill the attacker’s reconnaissance. This method involves periodically changing the network configuration in use by communicating end points. Since without the awareness of attack strategies, existing end-point hopping mechanisms is blind which leads the network defense to low security effectiveness and high overhead. In this paper we propose a novel MTD approach named self-adaptive end-point hopping, which is based on adversary strategy awareness and implemented by Software Defined Networking (SDN) technique. It can greatly counterpoise the defense benefit of end-point hopping and service quality of network system. Directed at the blindness problem of hopping mechanism in the course of defense, hopping trigger based on adversary strategy awareness is proposed for guiding the choice of hopping mode by discriminating the scanning attack strategy, which enhances targeted defense. Aimed at the low availability problem caused by limited network resource and high hopping overhead, satisfiability modulo theories and are used to formally describe the constraints of hopping, so as to ensure the low-overhead of hopping. Theoretical and experimental analysis shows the ability to thwart scanning attacks in a relatively reasonable hopping cost.

What should we do? A structured review of SCADA system cyber security standards

SCADA (Supervisory Control and Data Acquisition) system is the core component of industrial and critical infrastructure, and cyber security of SCADA system has become the key consideration of system managers and engineers. Therefore, a great many of standards, guidelines and best practices have been developed to give reference of SCADA system cyber security, hoping to provide some instructions for system managers. Unfortunately, there is little consensus on what to do. Whats worse, it is difficult to choose the right one for a particular industrial scene. These standards are usually long and complex texts, whose reading and understanding often takes much time and effort. We provide a comprehensive and structured review of SCADA cyber security standards, guidelines and best practices with three dimensions: release time, geographic location and intended audience. Finally, we use the theory of defense-in-depth as a reference to evaluate these standards. It is concluded that no standard performs better than others on all the criteria and that we should integrate different standards to apply them to a specific industrial scene.

DGASensor: Fast Detection for DGA-Based Malwares

DNS protocol has been used by many malwares for command-and-control (C&C). To improve the resiliency of C&C communication, Domain Generation Algorithm (DGA) has been utilized by recent malwares such as Locky, Conficker and Zeus. Many detection systems have been introduced for DGA-based botnets detection. However, such botnets detection approaches suffer from several limitations, for instance, requiring a group of DGA domains, period behaviors, the presence of multiple bots, and so forth. It is very hard for them to detect an individually running DGA-based malware which leave only a few traces. In this paper, we develop DGASensor to detect DGA-based malwares immediately by identifying a single DGA domain using lexical evidence. First, DGASensor automatically analyzes the lexical patterns of the most popular domains listed in Alexa top 100,000, and then extracts two templates, namely distribution template and structure template. Second, the above two templates, pronounceable attributes, and some frequently used properties like entropy and length, are used to extract features from a single domain. Third, we train our classifier using a non-DGA dataset consisting of domains obtained from Alexa rank and a DGA dataset generated by known DGAs. At last, we provide a short word filter to decrease the false positive rate. We implement a prototype system and evaluate it using the above training dataset with 10-fold cross validation. Moreover, a set of real world DNS traffic collected from a recursive DNS server is used to measure real world performance of our system. The results show that DGASensor detects DGA domains with accuracy 93% in our training dataset and is able to identify a variety of malwares in the real world dataset with an extremely high processing capability.

TrafficS: a behavior-based network traffic classification benchmark system with traffic sampling functionality

In recent years, there have been many methods proposed to perform network traffic classification based on application protocols. Still, there is a pressing need for a practical tool to benchmark the performance of these approaches in real-world high-performance network environments. In this paper, based on rigorous requirements analysis on real-world environments, we present a real-time traffic classification benchmark system, termed TrafficS, which aims at easy performance-evaluation between different intelligent methods. TrafficS is not only extensible to incorporate multiple traffic classification engines but supports different packet/stream sampling techniques as well. Furthermore, it could provide users a comprehensive means to perceive the difference between inspected methods in various aspects.

LagProber: Detecting DGA-Based Malware by Using Query Time Lag of Non-existent Domains

Domain Generation Algorithm (DGA) has been outfitted by various malware families to extend the resistance to the blacklist-based techniques. A lot of previous approaches have been developed to detect the DGA-based malware based on the lexical property of the random generated domains. Unfortunately, attackers can adjust their DGAs to produce domains by simulating the character distribution of popular domains or words and thus can evade the detection of these approaches.

A Novel Semantic-Aware Approach for Detecting Malicious Web Traffic

With regard to web compromise, malicious web traffic refers to requests from users visiting websites for malicious targets, such as web vulnerabilities, web shells and uploaded malicious advertising web pages. To directly and comprehensively understand malicious web visits is meaningful to prevent web compromise. However, it is challenging to identify different malicious web traffic with a generic model. In this paper, a novel semantic-aware approach is proposed to detect malicious web traffic by profiling web visits individually. And a semantic representation of malicious activities is introduced to make detection results more understandable. The evaluation shows that our algorithm is effective in detecting malice with an average precision and recall of 90.8% and 92.9% respectively. Furthermore, we employ our approach on more than 136 million web traffic logs collected from a web hosting service provider, where 3,995 unique malicious IPs are detected involving hundreds of websites. The derived results reveal that our method is conductive to figure out adversaries’ intentions.

A game theoretical framework for improving the quality of service in cooperative RAN caching

In this paper, we design a game theoretical framework for improving the Quality of Service (QoS) in cooperative RAN caching. Considering the cooperation under both single cell transmission and joint transmission, the QoS metric is uniformly quantified as the total content delivery time. Although the formulated cooperative content placement problem is proved NP-hard, noticing the local cooperative characteristics, we transform the problem into Local Altruistic Gaming where the Nash Equilibrium (NE) can be guaranteed and distributive algorithms such as Spatial Adaptive Play (SAP) are applicable. Then, two distributed learning algorithms are proposed, where the former overcomes the execution difficulties over tremendous action set in traditional SAP, and the latter further accelerate the convergence by reducing the number of additional suboptimal NEs brought by the former. To further improve the computation efficiency, an updating scheme is constructed to enable parallel updating in the proposed algorithms. Finally, based on a real-world LTE traffic dataset, the performance of the proposed algorithms and the updating scheme have been validated.