Xinxin Niu

Detection of command and control in advanced persistent threat based on independent access

Advanced Persistent Threat (APT) imposes increasing threats on cyber security with the developing network attack technologies. APT is a highly interactive, specifically targeted and extremely harmful network-centric attack, which employs various technologies to evade detection during attacks leading to the result that victims will not be aware of attacks until they suffer from tremendous losses. Since command and control (C&C) is an essential component during the lifetime of APT, the detection of it is a practical measure to defend against the APT. In this paper, we analyze the features of C&C in APT and find that the HTTP-based C&C is widely used. Based on the analysis results, we propose a new feature of C&C, i.e., independent access, to characterize the difference between C&C communications and normal HTTP requests. Applying the independent access feature into DNS records, we implement a novel C&C detection method and validate it on public dataset. As a new feature of C&C, its advantages and drawbacks are also analyzed.

Collaborative Authentication in Decentralized Dense Mobile Networks With Key Predistribution

Challenges of authentication in decentralized mobile networks arise from frequently changing topologies and unreliable contention-based transmissions. We propose a new protocol to speed up authentications, reduce communication costs, and support opportunistic routing under fast-changing topologies. Key pairs are predistributed across the network. Nodes that predistributed the same pair can instantly verify and route messages for each other in an opportunistic and cooperative fashion, combating fast-changing topologies. We also enable a node to increasingly combine unauthenticated messages and a new message for signature or message authentication code generation, while trying different keys on-the-fly. The messages can be verified altogether, once a key is matched. The communication overhead, thus, becomes independent of the number of keys tried. Closed-form expressions for authentication rate, delay, and throughput are derived through a new three-dimensional Markov model. Validated by simulations, analytical results corroborate the robustness of the proposed protocol against changing topologies, as well as the substantially improved resistance to collusion attacks, as compared with the state of the art.

Virus Propagation Modeling and Convergence Analysis in Large-Scale Networks

Biological epidemic models, widely used to model computer virus propagations, suffer from either limited scalability to large networks, or accuracy loss resulting from simplifying approximations. In this paper, a discrete-time absorbing Markov process is constructed to precisely characterize virus propagations. Conducting eigenvalue analysis and Jordan decomposition to the process, we prove that the virus extinction rate, i.e., the rate at which the Markov process converges to a virus-free absorbing state, is bounded. The bounds, depending on the infection and curing probabilities, and the minimum degree of the network topology, have closed forms. We also reveal that the minimum curing probability for a given extinction rate requirement, specified through the upper bound, is independent of the explicit size of the network. As a result, we can interpret the extinction rate requirement of a large network with that of a much smaller one, evaluate its minimum curing requirement, and achieve simplifications with negligible loss of accuracy. Simulation results corroborate the effectiveness of the interpretation, as well as its analytical accuracy in large networks.

Secure Data Transmission and Modelling in Vehicular Ad Hoc Networks

Data security is crucial to safety-related vehicular applications. Critical challenges of unstable topologies and the collisions of uncoordinated data transmissions arise, due to the mobile and distributed nature of vehicular ad-hoc networks (VANETs). We propose a new secure transmission protocol for VANETs, where the transmitter can adaptively switch between backing off transmissions to alleviate collisions, as well as changing keys, to increase success rate with matched keys. We also develop a new 3-dimensional (3-D) Markov model to characterize the protocol. Security analyses are carried out. Interesting insights and useful guidelines to adequately distribute keys among mobile vehicular nodes are also provided.

An Ensemble Method based on Selection Using Bat Algorithm for Intrusion Detection

Machine learning plays an important role in constructing intrusion detection models. However, the information era is an era of data. With the continuous increase in data size and the growth of data dimensions, the ability of a single classifier is becoming limited in predicting samples. In this paper, we present an ensemble method using random subspace in which an extreme learning machine (ELM) is chosen as the base classifier. To optimize the ensemble model, an ensemble pruning method based on the bat algorithm (BA) is proposed. Meanwhile, a fitness function based on the accuracy and diversity of an ensemble is defined in the BA to obtain an improved classifier subset. Three public datasets, the KDD99, NSL and Kyoto datasets, are adopted to assess the robustness of the method. The empirical results indicate that the ensemble method based on random subspace can improve the accuracy and robustness over the use of an individual ELM. The results also show that compared with when all the sub-classifiers are used in the ensemble, the pruning framework can not only achieve comparable or better performance but also save substantial computing resources in an intrusion detection system (IDS)

Computing Adaptive Feature Weights with PSO to Improve Android Malware Detection

Android malware detection is a complex and crucial issue. In this paper, we propose a malware detection model using a support vector machine (SVM) method based on feature weights that are computed by information gain (IG) and particle swarm optimization (PSO) algorithms. The IG weights are evaluated based on the relevance between features and class labels, and the PSO weights are adaptively calculated to result in the best fitness (the performance of the SVM classification model). Moreover, to overcome the defects of basic PSO, we propose a new adaptive inertia weight method called fitness-based and chaotic adaptive inertia weight-PSO (FCAIW-PSO) that improves on basic PSO and is based on the fitness and a chaotic term. The goal is to assign suitable weights to the features to ensure the best Android malware detection performance. The results of experiments indicate that the IG weights and PSO weights both improve the performance of SVM and that the performance of the PSO weights is better than that of the IG weights.

Fuzzy–synthetic minority oversampling technique: Oversampling based on fuzzy set theory for Android malware detection in imbalanced datasets

In previous work, imbalanced datasets composed of more benign samples (the majority class) than the malicious one (the minority class) have been widely adopted in Android malware detection. These imbalanced datasets bias learning toward the majority class, so that the minority class examples are more likely to be misclassified. To solve the problem, we propose a new oversampling method called fuzzy–synthetic minority oversampling technique, which is based on fuzzy set theory and the synthetic minority oversampling technique method. As the sample size of the majority class increases relative to that of the minority class, fuzzy–synthetic minority oversampling technique generates more synthetic examples for each minority class examples in the fuzzy region, where the minority examples have a low degree of membership to the minority class and are more likely to be misclassified. Using the new synthetic examples, the classifiers build larger decision regions that contain more minority examples, and they are no longer biased to the majority class. Compared with synthetic minority oversampling technique and Borderline–synthetic minority oversampling technique methods, fuzzy–synthetic minority oversampling technique achieves higher accuracy on both the minority class and the entire datasets.