Shanqing Guo

Random-walk based approach to detect clone attacks in wireless sensor networks

Wireless sensor networks (WSNs) deployed in hostile environments are vulnerable to clone attacks. In such attack, an adversary compromises a few nodes, replicates them, and inserts arbitrary number of replicas into the network. Consequently, the adversary can carry out many internal attacks. Previous solutions on detecting clone attacks have several drawbacks. First, some of them require a central control, which introduces several inherent limits. Second, some of them are deterministic and vulnerable to simple witness compromising attacks. Third, in some solutions the adversary can easily learn the critical witness nodes to start smart attacks and protect replicas from being detected. In this paper, we first show that in order to avoid existing drawbacks, replica-detection protocols must be non-deterministic and fully distributed (NDFD), and fulfill three security requirements on witness selection. To our knowledge, only one existing protocol, Randomized Multicast, is NDFD and fulfills the requirements, but it has very high communication overhead. Then, based on random walk, we propose two new NDFD protocols, RAndom WaLk (RAWL) and Table-assisted RAndom WaLk (TRAWL), which fulfill the requirements while having only moderate communication and memory overheads. The random walk strategy outperforms previous strategies because it distributes a core step, the witness selection, to every passed node of random walks, and then the adversary cannot easily find out the critical witness nodes. We theoretically analyze the required number of walk steps for ensuring detection. Our simulation results show that our protocols outperform an existing NDFD protocol with the lowest overheads in witness selection, and TRAWL even has lower memory overhead than that protocol. The communication overheads of our protocols are higher but are affordable considering their security benefits.

Linear unsupervised hashing for ANN search in Euclidean space

Approximate nearest neighbors (ANN) search for large scale data has attracted considerable attention due to the fact that large amounts of data are easily available. Recently, hashing has been widely adopted for similarity search because of its good potential for low storage cost and fast query speed. Among of them, when semantic similarity information is available, supervised hashing methods show better performance than unsupervised ones. However, supervised hashing methods need explicit similarity information which is not available in some scenarios. In addition, they have the problems of difficult optimization and time consuming for training, which make them unpracticable to large scale data. In this paper, we propose an unsupervised hashing method - Unsupervised Euclidean Hashing (USEH), which learns and generates hashing codes to preserve the Euclidean distance relationship between data. Specifically, USEH first utilizes Locality-Sensitive Hashing (LSH) to generate pseudo labels; then, it adopts a sequential learning strategy to learn the hash functions, one bit at a time, which can generate very discriminative codes. Moreover, USEH avoids explicitly computing the similarity matrix by decomposing it into the product of a label matrix and its transposition, which makes the training complexity of USEH linear to the size of training samples when the number of training samples is much greater than the dimension of feature. Thus, it can efficiently work on large scale data. We test USEH on two large scale datasets - SIFT1M and GIST1M. Experimental results show that USEH is comparable to state-of-the-art unsupervised hashing methods.

Attribute-based re-encryption scheme in the standard model

In this paper, we propose a new attribute-based proxy re-encryption scheme, where a semi-trusted proxy, with some additional information, can transform a ciphertext under a set of attributes into a new ciphertext under another set of attributes on the same message, but not vice versa, furthermore, its security was proved in the standard model based on decisional bilinear Diffie-Hellman assumption. This scheme can be used to realize fine-grained selectively sharing of encrypted data, but the general proxy re-encryption scheme severely can not do it, so the proposed scheme can be thought as an improvement of general traditional proxy re-encryption scheme.

SWCA: A Secure Weighted Clustering Algorithm in Wireless Ad Hoc Networks

Clustering has been widely used in wireless ad hoc networks for various purposes such as routing, broadcasting and Qos. Many clustering algorithms have been proposed. However, most of them implicitly assume that nodes behave honestly in the clustering process. In practice, there might be some malicious nodes trying to manipulate the clustering process to make them serve as clusterheads, which can obtain some special power, e.g., eavesdropping more messages. In this paper we present a Secure Weighted Clustering Algorithm (SWCA). SWCA uses the Weighted Clustering Algorithm (WCA) for clustering and TELSA for efficiently authenticating packets. We propose a novel neighbor verification scheme to check whether the values of election-related features (e.g., node degree) are forged by malicious nodes. Also, we theoretically analyze the probability for a malicious node to tamper node degree without being detected and derive a lower bound on the probability. Finally, simulation results show that SWCA is secure but still has comparable performance with WCA. To the best of our knowledge, SWCA is the first algorithm considering the security of 1-hop type clustering (in this type only the clusterhead can communicate with ordinary members directly) in ad hoc networks.

Pollution Attack: A New Attack Against Localization in Wireless Sensor Networks

Many secure localization algorithms have been proposed. In these algorithms, collusion attack is usually considered as the strongest attack when evaluating their performance. Also, for ensuring correct localization under the collusion attack, a necessary number of normal beacons are needed and a lower bound on this number has been established (assuming the errors of distance measurements are ignorable). In this paper, we introduce pollution attack, a more powerful attack which can succeed even when the number of normal beacons is more than the lower bound. In this attack, victim node is misled to a special chosen location, which results in a confusion of compromised beacon with normal beacon. We propose a new metric to measure the vulnerability of a normal location reference set to pollution attack, and develop two algorithms to efficiently compute the value of the proposed metric. We also present a method to judge whether the output of the localization algorithm is credible under pollution attack. Simulation results show that the pollution attack can succeed with high probability.

Anomaly intrusion detection for evolving data stream based on semi-supervised learning

In network environment, time-varying traffic patterns make the detection model not characterize the current traffic accurately. At the same time, the deficiency of training samples also degrades the detection accuracy. This paper proposes an anomaly detection algorithm for evolving data stream based on semi-supervised learning. The algorithm uses data stream model with attenuation to solve the problem of the change of traffic patterns, as while as extended labeled dataset generated from semi-supervised learning is used to train detection model. The experimental results manifest that the algorithm have better accuracy than those based on all historical data equivalently by forgetting historical data gracefully, as while as be suitable for the situation of deficiency of labeled data.

Application of string kernel based support vector machine for malware packer identification

Packing is among the most popular obfuscation techniques to impede anti-virus scanners from successfully detecting malware. In this paper we propose a string-kernel-based support vector machine classifier to identify the packer that is used to create a given malware program. Our approach is featured by the following characteristics. First, the adoption of a string-kernel-based method bridges the gap between signature-based and machine-learning-base approaches. Second, the kernel function derived from the Levenshtein distance integrates important domain knowledge in the learning process. Then, application of support vector machine, a state-of-the-art classifier, enables an automated packer identification scheme with high generalization ability and time efficiency. Finally, selection of the code segment with the most essential packer relevant information further boosts the classification performance. Experiments on a dataset of 3228 binary programs composed of packed files created by 25 packers show that the proposed approach outperforms PEiD and previous machine-learning-based approaches in prediction accuracy with a large margin. This method can help to improve the scanning efficiency of anti-virus products and promote efficient back-end malware research.

A study on association rule mining of darknet big data

Global darknet monitoring provides an effective way to observe cyber-attacks that are significantly threatening network security and management. In this paper, we present a study on characterization of cyberattacks in the big stream data collected in a large scale distributed darknet using association rule learning. The experiment shows that association rule learning in the darknet stream data can support strategic cyberattack countermeasure in the following ways. First, statistics computed from malware-specific rules can lead to better understanding of the global trend of cyberattacks in the Internet. Second, strong association rules can lead to further insights into the nature of the attacking tools and hence expedite the diagnosis. Then, the discovery of emerging new attacks may lead to early detection and prompt prevention of pandemic incidents, preventing damage to the IT infrastructure and extensive financial loss. Finally, exploring the knowledge in the frequent attacking patterns can enable accurate prediction of future attacks from analyzed hosts, which could improve the performance of honeypot systems to collect more pertinent malware information using limited system and network resources.

Practical network traffic analysis in P2P environment

Recent statistical studies on telecommunication networks outline that peer-to-peer (P2P) file-sharing is keeping increasing and it now contributes about 50–80% of the overall Internet traffic [1]. Moreover, more and more network applications such as streaming media, internet telephony, and instant messaging are taking a form of P2P telecommunication. The bandwidth intensive nature of P2P applications suggests that P2P traffic can have significant impact on the underlying network. Therefore, analyzing and characterizing this kind of traffic is an essential step to develop workload models towards efficient amelioration in network traffic engineering and capacity planning. In this paper, we first introduce an adaptive system for handy P2P trace capturing and analysis. By using virtualization technology, the system can efficiently organize limited resources to build a reliable and tractable network that supports adjustable experimental study and practical performance tuning. Then the proposed system is applied to traffic characterization of File Sharing P2P (FSP2P) applications. To avoid excessive computing cost of payload information inspection, we proposed a more light-weighted analytical scheme which makes use of meta features extracted from packet headers. With carefully selected system parameters, we show that satisfactory prediction accuracy on differentiating FSP2P applications from ordinary network applications could be achieved with acceptable computing costs. The proposed scheme supports performance tuning between monitoring cost and the system response time, which enables its adaption to network environments with different specifications.

Integration of Multi-modal Features for Android Malware Detection Using Linear SVM

In light of the rapid growth of malware threats towards the Android platform, there is a pressing need to develop effective solutions. In this paper we explorate the potential of multi-modal features to enhance the detection accuracy while keep the false alarms low. Examined features include the permissions, Application Programming Interface (API) calls, and meta features such as the category information and Application Package (APK) descriptions. These multi-modal features are coded in a way to facilitate efficient learning and testing with the particular classifiers known as the linear support vector machine (SVM). Experiments show that our proposed method can obtain an accuracy more than 94%, over performing the conventional methods by a large margin. By employing high-performance learning tools, the training and testing can be done in a very time-efficient fashion for large scale and high-dimensional data.