Zheng Qin

Malware Variant Detection Using Opcode Image Recognition with Small Training Sets

Malware detection becomes mission critical as its threats spread from personal computers to industrial control systems. Modern malware generally equips with sophisticated anti-detection mechanisms such as code-morphism, which allows the malware to evolve into many variants and bypass traditional code feature based detection systems. In this paper, we propose to disassemble binary executables into opcodes sequences, and then convert the opcodes into images. By comparing the opcode images generated from binary targets with the opcode images generated from known malware sample codes, we can detect if the target binary executables contain variants of these known malwares. Theoretical analysis and real-life experiments results show that malware detection using visualized analysis is comparable in terms of accuracy, our approach can significantly improve 15% of detection accuracy when the detection set contains a large quantity of binaries and the training set is small.

A query privacy-enhanced and secure search scheme over encrypted data in cloud computing

Abstract With the emerging of the cloud computing, secure search over encrypted cloud data has become a hot research spot. Previous schemes achieve weaker query privacy-preserving ability due to the limitations of query trapdoor generation mechanisms. In these schemes, a data owner usually knows fully well the query contents of data users and a data user can also easily analyze query contents of another data user. In some application scenarios, the data user may be unwilling to leak their query privacy to anyone else except himself. We propose a privacy-enhanced search scheme by allowing the data user to generate random query trapdoor every time. We leverage Bloom filter and bilinear pairing operation to construct secure index for each data file, which enables the cloud to perform search without obtaining any useful information. We prove that our scheme is secure and extensive experiments demonstrate the correctness and practicality of the proposed scheme.

Multi-User Location Correlation Protection with Differential Privacy

In the big data era, with the rapid development of location-based applications, GPS enabled devices and big data institutions, location correlation privacy raises more and more peoples concern. Because adversaries may combine location correlations with their background knowledge to guess users privacy, such correlation should be protected to preserve users privacy. In order to deal with the location disclosure problem, location perturbation and generalization have been proposed. However, most proposed approaches depend on syntactic privacy models without rigorous privacy guarantee. Furthermore, many approaches only consider perturbing the locations of one user without considering multi-user location correlations, so these techniques cannot prevent various inference attacks well. Currently, differential privacy has been regarded as a standard for privacy protection, but there are new challenges for applying differential privacy in the location correlations protection. The privacy protection not only should meet the needs of users who request location-based services, but also should protect location correlation among multiple users. In this paper, we propose a systematic solution to protect location correlations privacy among multiple users with rigorous privacy guarantee. First of all, we propose a novel definition, private candidate sets which are obtained by hidden Markov models. Then, we quantify the location correlation between two users by using the similarity of hidden Markov models. Finally, we present a private trajectory releasing mechanism which can preserve the location correlations among users who move under hidden Markov models in a period of time. Experiments on real-world datasets also show that multi-user location correlation protection is efficient.

Android Malware Detection Using Local Binary Pattern and Principal Component Analysis

Nowadays, analysis methods based on big data have been widely used in malicious software detection. Since Android has become the dominator of smartphone operating system market, the number of Android malicious applications are increasing rapidly as well, which attracts attention of malware attackers and researchers alike. Due to the endless evolution of the malware, it is critical to apply the analysis methods based on machine learning to detect malwares and stop them from leakaging our privacy information. In this paper, we propose a novel Android malware detection method based on binary texture feature recognition by Local Binary Pattern and Principal Component Analysis, which can visualize malware and detect malware accurately. Also, our method analyzes malware binary directly without any decompiler, sandbox or virtual machines, which avoid time and resource consumption caused by decompiler or monitor in this process. Experimentation on 5127 benigns and 5560 malwares shows that we obtain a detection accuracy of 90%.

Achieving Secure, Universal, and Fine-Grained Query Results Verification for Secure Search Scheme over Encrypted Cloud Data

Secure search techniques over encrypted cloud data allow an authorized user to query data files of interest by submitting encrypted query keywords to the cloud server in a privacy-preserving manner. However, in practice, the returned query results may be incorrect or incomplete in the dishonest cloud environment. For example, the cloud server may intentionally omit some qualified results to save computational resources and communication overhead. Thus, a well-functioning secure query system should provide a query results verification mechanism that allows the data user to verify results. In this paper, we design a secure, easily integrated, and fine-grained query results verification mechanism, by which, given an encrypted query results set, the query user not only can verify the correctness of each data file in the set but also can further check how many or which qualified data files are not returned if the set is incomplete before decryption. The verification scheme is loose-coupling to concrete secure search techniques and can be very easily integrated into any secure query scheme. We achieve the goal by constructing secure verification object for encrypted cloud data. Furthermore, a short signature technique with extremely small storage cost is proposed to guarantee the authenticity of verification object and a verification object request technique is presented to allow the query user to securely obtain the desired verification object. Performance evaluation shows that the proposed schemes are practical and efficient.

Secure Conjunctive Multi-Keyword Search for Multiple Data Owners in Cloud Computing

Recently, secure search over encrypted cloud data has become a hot research spot and challenging task. Some secure search schemes have been proposed to try to meet this challenge. In this paper, we propose a conjunctive multi-keyword secure search scheme for multiple data owners. To guarantee data security and system flexibility in the multiple data owners environment, we design an ingenious secure query scheme that allows each data owner to adopt randomly chosen temporary keys to build secure indexes for different data files. An authorized data user does not need to know these temporary keys of constructing indexes and can instead randomly choose another temporary query keys to encrypt query keywords while the cloud can correctly perform keywords matching over encrypted data files. Extensive experiments demonstrate the correctness and practicality of the proposed scheme.

A malware variants detection methodology with an opcode based feature method and a fast density based clustering algorithm

Malware is one of the most terrible and major security threats facing the Internet today. In practice, the most widely used malware detection method is static detection. Static detection is effective for many types of malware. Operation code (opcode) sequences is one of the most important malware features for static analysis. In this paper, our goal is to optimize the accuracy and performance based on opcode features. Due to the diversity of the operation code, resulting in a large dimensions of feature of the malware, which will lead to low performance. We propose an information entropy based feature extraction method to extract a few but very useful information as representation of malware instances. At the same time, because of the low performance of the machine learning algorithm and the large set of features in the training and detection phase. We propose a generic Fast Density-Based Clustering algorithm for fast and accurately clustering malware instances. And our experiments demonstrate that our automated malware variant detection methodology is able to achieve high accuracy with significant speedup comparing with the other state-of-art approaches.

A Personalized Recommendation Approach Based on Content Similarity Calculation in Large-Scale Data

Recommendation algorithms are widely used to discover interesting content for users from massive data in many fields. However, with more diversification of user requirements, the recommended accuracy and efficiency become a serious concern for improving user satisfaction degree. In this paper, we redefine the concept of content similarity by combining search words with personalized search references and describing their dimensions, then propose the calculation method of content similarity by defining the Hamming distance among current keywords, classified items and historical keywords. Through the pretreatment of support vector data description (SVDD), we may find specific tendency from the personal preference of classified items and present the final recommendation results arranged from high similarity to low one. Simulation experiments show that our proposed approach improves recommendation performance over the other two classical algorithms by an average of 17.2 % and reduces the MAE by 6.3 % on our large-scale dataset. At the same time, our proposed approach has a better performance on recall rate and coverage rate, and user satisfaction degree is also improved at higher extent.

An Efficient and Privacy-Preserving Multiuser Cloud-Based LBS Query Scheme

Location-based services (LBSs) are increasingly popular in today’s society. People reveal their location information to LBS providers to obtain personalized services such as map directions, restaurant recommendations, and taxi reservations. Usually, LBS providers offer user privacy protection statement to assure users that their private location information would not be given away. However, many LBSs run on third-party cloud infrastructures. It is challenging to guarantee user location privacy against curious cloud operators while still permitting users to query their own location information data. In this paper, we propose an efficient privacy-preserving cloud-based LBS query scheme for the multiuser setting. We encrypt LBS data and LBS queries with a hybrid encryption mechanism, which can efficiently implement privacy-preserving search over encrypted LBS data and is very suitable for the multiuser setting with secure and effective user enrollment and user revocation. This paper contains security analysis and performance experiments to demonstrate the privacy-preserving properties and efficiency of our proposed scheme.

MPOPE: Multi-provider Order-Preserving Encryption for Cloud Data Privacy

Order-preserving encryption (OPE) has been proposed as a privacy-preserving query method for cloud computing. Existing researches of OPE diverge into two groups. One group focuses on single data provider scenarios and achieves strong security notion such as indistinguishability under ordered chosen plaintext attack (IND-OCPA). Another group of research designs multi-provider schemes and provides weaker security guarantees than those of single provider schemes. In this paper, we propose a novel security notion for multi-provider scenario, indistinguishability under multi-provider ordered chosen plaintext attack (IND-MPOPCA), which guarantees equivalent security level as IND-OCPA while hiding the frequency of plaintexts and enabling multi-provider data submissions and queries. We develop a multi-provider randomized order technique to construct our MPOPE scheme to achieve the IND-MPOPCA security notion. We also conduct extensive experiments to prove the practicality and efficiency of our proposed scheme.