Nir Tzachar

Unknown Malcode Detection Using OPCODE Representation

The recent growth in network usage has motivated the creation of new malicious code for various purposes, including economic ones. Todays signature-based anti-viruses are very accurate, but cannot detect new malicious code. Recently, classification algorithms were employed successfully for the detection of unknown malicious code. However, most of the studies use byte sequence n-grams representation of the binary code of the executables. We propose the use of (Operation Code) OpCodes, generated by disassembling the executables. We then use n-grams of the OpCodes as features for the classification process. We present a full methodology for the detection of unknown malicious code, based on text categorization concepts. We performed an extensive evaluation of a test collection of more than 30,000 files, in which we evaluated extensively the OpCode n-gram representation and investigated the imbalance problem, referring to real-life scenarios, in which the malicious file content is expected to be about 10% of the total files. Our results indicate that greater than 99% accuracy can be achieved through the use of a training set that has a malicious file percentage lower than 15%, which is higher than in our previous experience with byte sequence n-gram representation [1].

Spanders: distributed spanning expanders

We consider self-stabilizing and self-organizing distributed construction of a spanner that forms an expander. We use folklore results to randomly define an expander graph. Given the randomized nature of our algorithms, a monitoring technique is presented for ensuring the desired results. The monitoring is based on the fact that expanders have a rapid mixing time and the possibility of examining the rapid mixing time by O(nlogn) short (O(log4 n) length) random walks even for non regular expanders. We then employ our results to construct a hierarchical sequence of spanders, each of them an expander spanning the previous one. Such a sequence of spanders may be used to achieve different quality of service assurances in different applications. Several snap-stabilizing algorithms that are used to utilize the monitoring are presented, including reset and token tracing algorithms for message passing systems.

Empire of Colonies: self-stabilizing and self-organizing distributed algorithms

Self-stabilization ensures automatic recovery from an arbitrary state; we define self-organization as a property of algorithms which display local attributes. More precisely, we say that an algorithm is self-organizing if (1) it converges in sublinear time and (2) reacts “fast” to topology changes. If s(n) is an upper bound on the convergence time and d(n) is an upper bound on the convergence time following a topology change, then s(n) ∈o(n) and d(n) ∈o(s(n)). The self-organization property can then be used for gaining, in sub-linear time, global properties and reaction to changes. We present self-stabilizing and self-organizing algorithms for many distributed algorithms, including distributed snapshot and leader election. We present a new randomized self-stabilizing distributed algorithm for cluster definition in communication graphs of bounded degree processors. These graphs reflect sensor networks deployment. The algorithm converges in O(logn) expected number of rounds, handles dynamic changes locally and is, therefore, self-organizing. Applying the clustering algorithm to specific classes of communication graphs, in O(logn) levels, using an overlay network abstraction, results in a self-stabilizing and self-organizing distributed algorithm for hierarchy definition. Given the obtained hierarchy definition, we present an algorithm for hierarchical distributed snapshot. The algorithms are based on a new basic snap-stabilizing snapshot algorithm, designed for message passing systems in which a distributed spanning tree is defined and in which processors communicate using bounded links capacity. The combination of the self-stabilizing and self-organizing distributed hierarchy construction and the snapshot algorithm form an efficient self-stabilizer transformer. Given a distributed algorithm for a specific task, we are able to convert the algorithm into a self-stabilizing algorithm for the same task with an expected convergence time of O(log2n) rounds.

Spanders: Distributed spanning expanders

Self-stabilizing distributed construction of expanders by the use of short random walks. We consider self-stabilizing and self-organizing distributed construction of a spanner that forms an expander. We advocate the importance of designing systems to be self-stabilizing and self-organizing, as designers cannot predict and address all fault scenarios and should address unexpected faults in the fastest possible way. We use folklore results to randomly define an expander graph. Given the randomized nature of our algorithms, a monitoring technique is presented for ensuring the desired results. The monitoring is based on the fact that expanders have a rapid mixing time and the possibility of examining the rapid mixing time by O(nlogn) short (O(log^4n) length) random walks even for non-regular expanders. We then use our results to construct a hierarchical sequence of spanders, each being an expander spanning the previous spander. Such a sequence of spanders may be used to achieve different quality of service (QoS) assurances in different applications. Several snap-stabilizing algorithms that are used for monitoring are presented, including: (i) Snap-stabilizing data-link, (ii) Snap-stabilizing message passing reset, and (iii) Snap-stabilizing token tracing.

Randomization adaptive self-stabilization

We present a scheme to convert self-stabilizing algorithms that use randomization during and following convergence to self-stabilizing algorithms that use randomization only during convergence. We thus reduce the number of random bits from an infinite number to an expected bounded number. The scheme is applicable to the cases in which there exits a local predicate for each node, such that global consistency is implied by the union of the local predicates. We demonstrate our scheme over the token circulation algorithm of Herman (Infor Process Lett 35:63–67, 1990) and the recent constant time Byzantine self-stabilizing clock synchronization algorithm by Ben-Or, Dolev and Hoch (Proceedings of the 27th Annual ACM SIGACT-SIGOPS symposium on principles of distributed computing, (PODC), 2008). The application of our scheme results in the first constant time Byzantine self-stabilizing clock synchronization algorithm that eventually stops using random bits.

Brief Announcment: Corruption Resilient Fountain Codes

A new aspect for erasure coding is considered, namely, the possibility that some portion of the arriving packets are corrupted in an undetectable fashion. In practice, the corrupted packets may be attributed to a portion of the communication paths that are leading to the receiver and are controlled by an adversary. Alternatively, in case packets are collected from several sources, the corruption may be attributed to a portion of the sources that are malicious.

Self-Stabilizing and Self-Organizing Virtual Infrastructures for Mobile Networks

Self-stabilizing algorithms can be started in any arbitrary state to exhibit a desired behavior following a convergence period. The class of self-organizing distributed algorithms is regarded here as a subclass of the self-stabilizing class of algorithms, where convergence is sub-linear in the size of the system and local perturbation of state is handled locally converging faster than the convergence from an arbitrary state. The chapter starts with a short overview of several virtual infrastructures and fitting self-stabilizing and self-organizing techniques:

Efficient and Universal Corruption Resilient Fountain Codes

In this paper, we present a new family of fountain codes which overcome adversarial errors. That is, we consider the possibility that some portion of the arriving packets of a rateless erasure code are corrupted in an undetectable fashion. In practice, the corrupted packets may be attributed to a portion of the communication paths which are controlled by an adversary or to a portion of the sources that are malicious. The presented codes resemble and extend rateless codes. Yet, their benefits over existing coding schemes are manifold. First, to overcome the corrupted packets, our codes use information theoretic techniques, rather than cryptographic primitives. Thus, no secret channel between the senders and the receivers is required. Second, the encoders in the suggested scheme are oblivious to the strength of the adversary, yet perform as if its strength was known in advance. Third, the sparse structure of the codes facilitates efficient decoding. Finally, the codes easily fit a decentralized scenario with several sources, when no communication between the sources is allowed. We present both exhaustive as well as efficient decoding rules. Beyond the obvious use as a rateless codes, our codes have important applications in distributed computing.

Randomization Adaptive Self-stabilization

Self-stabilizing algorithms are designed to start from an arbitrary state and eventually exhibit a desired behavior. Self-stabilizing algorithms that use randomization are able to achieve tasks that cannot be achieved by deterministic means. In addition, in some cases, randomization enables faster convergence of self-stabilizing algorithms. Often, randomized self-stabilizing algorithms are designed to use an infinite amount of random bits to operate correctly. However, the creation of (real) random bits is considered expensive; thus, a randomization adaptive self-stabilizing algorithm which uses random bits during convergence but does not use random bits following the convergence is desirable. Such a notion of adaptiveness has been studied in the past, where the resource demands of a self-stabilizing algorithm are reduced upon convergence, be it memory requirements, or communication requirements.