Xiaofeng Wang

ENDMal: An anti-obfuscation and collaborative malware detection system using syscall sequences

Abstract Malware obfuscation obscures malware into different versions, making traditional syntactic nature based detection ineffective. Furthermore, with the huge and exponentially growing number of malware samples, existing malware detection systems are either evaded by malware obfuscation, or overwhelmed by numerous malware samples. This paper proposes an anti-obfuscation, scalable and collaborative malware detection system—ENDMal. ENDMal identifies the program that behaves suspiciously in end-hosts and similarly between a group of suspicious programs in a wide area as malicious. We present the Iterative Sequence Alignment (ISA) method to defeat malware obfuscation. Instead of using complex behavior graph, we propose the Handle dependences and Probabilistic Ordering Dependence (HPOD) technology to represent the program behaviors. In addition, we design a novel information sharing infrastructure, RENShare, to collaboratively congregate the group characteristics of programs spreading over different network areas. Our experimental results show that ENDMal can detect unknown malwares much faster than the centralized detection system and is more effective than the existing distributed detection system.

VicSifter: A Collaborative DDoS Detection System with Lightweight Victim Identification

Flooding based Distributed Denial of Service (DDoS) attacks can cause very serious security problem by exhausting computing and bandwidth resources of victims. To mitigate these destructive attacks, it is crucially important to detect the occurrence of DDoS attacks and identify their targets as early as possible. In this paper, we propose a collaborative DDoS detection system, called VicSifter, which can detect ongoing DDoS attacks and identify victims at an early stage with good scalability and low overhead. VicSifter is deployed over multiple nodes with two kinds of functions: local anomaly detection and collaborative victim identification. The anomaly detection method is performed locally and is lightweight to save computation by measuring passing packets in a sketch. The collaborative victim identification is triggered only when a local anomaly is detected by employing our distinctive elimination mechanism. The mechanism can significantly reduce the number of packets to be processed by each node, making our system scalable for high-speed network links. We evaluate the performance of VicSifter by using real-world data traffic, mixing the real DDoS attack traces with captured campus gateway traffic. The results show that our system has high accuracy in the early detection of DDoS attacks and timely identification of targeted victims. Our system can outperform other existing methods with less space requirement, and thus achieving good system scalability.

Authenticating with Attributes in Online Social Networks

In online social networks (OSN), users capabilities of accessing a resource depend on attributes they owning. Considering of privacy, authentication with attributes require the signer dont leak more information than the predicate over attributes involving. Therere some works of attribute-based signatures (ABS) to satisfy this requirement, where users sign messages with their attributes issued from an attribute authority, and a signature attests not to the identity of the individual who signed a message, but a claim regarding the attributes the underlying signer possesses. However, none of existing works achieve expressive predicate or security under standard Diffie-Hellman assumption at the same time. In this paper, we propose an ABS scheme using attribute tree, which expresses any predicate consisting of AND, OR, Threshold gates, under standard Diffie-Hellman problem. Users cannot forge signatures with attributes they do not possess, and the signature assures that only a user with appropriate attributes satisfying the predicate endorse the message, resulting in unforgeability. On the other hand, a legitimate signer remains anonymous without the fear of revocation and is indistinguishable among all the users whose attributes satisfying the predicate specified in the signature, that is, attribute-signer privacy. Our scheme is suitable for authentication in OSN.

An introduction to network address shuffling

Moving Target Defense (MTD) has been proposed as a new revolutionary technology to alter the asymmetric situation between attacks and defences. Network address shuffling is an important branch of MTD technology. However, there is no systematic introduction to network address shuffling. In this paper, we present a brief introduction to the research achievements of network address shuffling according to two shuffling patterns which are identified and defined by us. We then summarize and analyze the supporting techniques and related features for each network address shuffling technique mentioned in this paper. Whats more, the key issues to implement an effective network address shuffling mechanism are discussed, with the expectation of invigorating subsequent research.

Multi-authority Attribute-Based Signature

Attribute-based signature (ABS) is a new cryptographic primitive, in which a signer can sign a message with his attributes, and the verifier can only known whether the signer owns attributes satisfying his policy. Moreover, the signature cannot be forged by any user not having attributes satisfying the policy. ABS has many applications, such as anonymous authentication, and attribute-based messaging systems. But these applications may require a user to obtain attributes from different authorities, which calls for a multi-authority ABS scheme. In addition, multiple authorities can distribute the trust to all authorities, instead of concerning on a single attribute authority. In this paper, we propose a multi-authority ABS scheme, supporting complex policies, expressing AND, OR, and threshold conditions. We use a central authority to assure the usability of attribute keys a user getting from different attribute authorities. To prevent collusion attacks, we adopt a unique global identity (GID) for a user to bind his attribute keys and identity together. And a secret key from the central authority help the verification be independent of the users identity. So our scheme can fit the requirements of real applications, and also distribute the trust to all authorities in the system.

DiffSig: resource differentiation based malware behavioral concise signature generation

Malware obfuscation obscures malware into a different form thats functionally identical to the original one, and makes syntactic signature ineffective. Furthermore, malware samples are huge and growing at an exponential pace. Behavioral signature is an effective way to defeat obfuscation. However, state-of-the-art behavioral signature, behavior graph, is although very effective but unfortunately too complicated and not scalable to handle exponential growing malware samples; in addition, it is too slow to be used as real-time detectors. This paper proposes an anti-obfuscation and scalable behavioral signature generation system, DiffSig, which voids information-flow tracking which is the chief culprit for the complex and inefficiency of graph behavior, thus, losing some data dependencies, but describes handle dependencies more accurate than graph behavior by restrict the profile type of resource that each handle dependency can reference to. Our experiment results show that DiffSig is scalable and efficient, and can detect new malware samples effectively.

Characterizing the running patterns of Moving Target Defense mechanisms

Moving Target Defense (MTD) has been proposed as a game-changing theme to increase the work effort to attack as well as the security of target system. There has been proposed a multitude of MTD mechanisms. Generally, these mechanisms follow some fundamental running patterns which determine their functionalities. In this paper, we introduce three main schools of thought on MTD mechanisms systematically and categorize the related works according to them. Then we identify and define three fundamental running patterns exhibited by these MTD mechanisms. Thereafter, we use five MTD mechanisms, which belong to the three schools of thought, as cases to confirm the patterns presented. This work can help the novices of this field to understand the running behaviours of MTDs better and easier, and can also give developers design guidance of new MTD system by providing insights of the running patterns.

A Location Management Algorithm for LEO Satellite Networks

Location management is a challenging issue for datagram service in LEO satellite constellation networks due to ceaseless satellite handover of land mobile nodes. With the aid of GEO satellites, a novel location management system is proposed. Mathematical analysis and simulations have been done to evaluate the performance of the proposed system.

Flexible multi-authority attribute-based signature schemes for expressive policy

Attribute-based signature ABS is a new cryptographic primitive, in which a signer can sign a message with his attributes, and the verifier can only known whether the signer owns attributes satisfying his policy. Moreover, the signature cannot be forged by any user not having attributes satisfying the policy. ABS has many applications, such as anonymous authentication, and attribute-based messaging systems. But many applications may require a user obtaining attributes from different authorities, which calls for multi-authority ABS schemes. In this paper, we first propose a multi-authority ABS scheme, called TR_MABS, adopting an attribute tree to support expressive policy consisting of AND, OR, threshold gates. As TR_MABS brings in expensive cost on adding or removing attribute authorities, we present another multi-authority ABS scheme, named DNF_MABS, which uses a disjunctive normal form DNF to express a policy, bringing in the capability of implementing NOT gate. To prevent collusion attack, we adopt a unique global identity GID for a user to combine his attribute keys and identity. Moreover, we use a central authority to assure the usability of attribute keys a user getting from different attribute authorities, make the verification independent of users identity, and allow attribute authorities dynamic change. Our schemes fit the requirements of applications, and also distribute the trust to authorities in the system. In addition, we prove the security of our schemes under computational Diffie-Hellman assumption.

A Distribute and Geographic Information Based Routing Algorithm for LEO Satellite Constellation Networks

Satellite networks can provide worldwide-coverage wireless data gram services, but cause great challenges for how to efficiently route data gram. The Low Earth Orbit (LEO) satellite is becoming an essential part of the Next-Generation internet with short round-trip delay and low power consumption. In this paper, we propose a routing algorithm for LEO satellite constellation networks with high performance. It needs less memory and computer power, but is capable of highly efficient data gram route. Through simulation we demonstrate the performance of the proposed algorithm. Moreover, we integrate the IP protocol into the algorithm to prove its deploy ability.