Zhongqiang Chen
Yahoo!
Publication
Featured research published by Zhongqiang Chen.
Journal of Systems and Software | 2012
Zhongqiang Chen; Mema Roussopoulos; Zhanyan Liang; Yuan Zhang; Zhongrong Chen; Alex Delis
Malware encyclopedias now play a vital role in disseminating information about security threats. Coupled with categorization and generalization capabilities, such encyclopedias might help better defend against both isolated and clustered specimens. In this paper, we present Malware Evaluator, a classification framework that treats malware categorization as a supervised learning task, builds learning models with both support vector machines and decision trees and finally, visualizes classifications with self-organizing maps. Malware Evaluator refrains from using readily available taxonomic features to produce species classifications. Instead, we generate attributes of malware strains via a tokenization process and select the attributes used according to their projected information gain. We also deploy word stemming and stopword removal techniques to reduce dimensions of the feature space. In contrast to existing approaches, Malware Evaluator defines its taxonomic features based on the behavior of species throughout their life-cycle, allowing it to discover properties that previously might have gone unobserved. The learning and generalization capabilities of the framework also help detect and categorize zero-day attacks. Our prototype helps establish that malicious strains improve their penetration rate through multiple propagation channels as well as compact code footprints; moreover, they attempt to evade detection by resorting to code polymorphism and information encryption. Malware Evaluator also reveals that breeds in the categories of Trojan, Infector, Backdoor, and Worm significantly contribute to the malware population and impose critical risks on the Internet ecosystem.
IEEE Transactions on Antennas and Propagation | 2004
Zhongqiang Chen; Henry L. Bertoni; Alex Delis
Progressive and approximate techniques are proposed here for ray-tracing systems used to predict radio propagation. In a progressive prediction system, intermediate prediction results are fed back to users continuously. As more raypaths are processed, the accuracy of prediction results improves progressively. We consider how to construct a progressive system that satisfies the requirements of continuous observability and controllability as well as faithfulness and fairness. Adding a workload estimator to such a progressive prediction system allows termination of the computation when a desired accuracy (mean and standard deviation of the error) is achieved without knowing the final result that would be obtained if the prediction system runs to completion. The sample generator is at the core of the progressive prediction system and serves to cluster and prioritize raypaths according to their expected contributions to prediction results. Two types of progressive approaches, source-group-raypath-permute and raypath-interleave, are proposed. The workload estimator determines the number of raypaths to be processed to achieve the specified requirement on prediction accuracy. Two approximate models are described that adjust the workload dynamically during the prediction process. Our experiments show that the proposed progressive and approximate methods provide flexible mechanisms to trade prediction accuracy for prediction time in a relatively fine granularity.
Journal of Parallel and Distributed Computing | 2004
Zhongqiang Chen; Alex Delis; Henry L. Bertoni
Ray-tracing based radio wave propagation prediction models play an important role in the design of contemporary wireless networks as they may now take into account diverse physical phenomena including reflections, diffractions, and diffuse scattering. However, such models are computationally expensive even for moderately complex geographic environments. In this paper, we propose a computational framework that functions on a network of workstations (NOW) and helps speed up the lengthy prediction process. In ray-tracing based radio propagation prediction models, orders of diffractions are usually processed in a stage-by-stage fashion. In addition, various source points (transmitters, diffraction corners, or diffuse scattering points) and different ray-paths require different processing times. To address these widely varying needs, we propose a combination of the phase-parallel and manager/workers paradigms as the underpinning framework. The phase-parallel component is used to coordinate different computation stages, while the manager/workers paradigm is used to balance workloads among nodes within each stage. The original computation is partitioned into multiple small tasks based on either raypath-level or source-point-level granularity. Dynamic load-balancing scheduling schemes are employed to allocate the resulting tasks to the workers. We also address issues regarding main memory consumption, intermediate data assembly, and final prediction generation. We implement our proposed computational model on a NOW configuration by using the message passing interface (MPI) standard. Our experiments with real and synthetic building and terrain databases show that, when no constraint is imposed on the main memory consumption, the proposed prediction model performs very well and achieves nearly linear speedups under various workloads. When main memory consumption is a concern, our model still delivers very promising performance rates provided that the complexity of the involved computation is high, so that the extra computation and communication overhead introduced by the proposed model do not dominate the original computation. The accuracy of prediction results and the achievable speedup rates can be significantly improved when 3D building and terrain databases are used and/or the diffuse scattering effect is taken into account.
The Computer Journal | 2009
Zhongqiang Chen; Alex Delis; Peter Wei
Intrusion prevention systems (IPSs) not only attempt to detect attacks but also block malicious traffic and pro-actively tear down pertinent network connections. To effectively thwart attacks, IPSs have to operate both in real-time and inline fashion. This dual mode renders the design/implementation and, more importantly, the testing of IPSs a challenge. In this paper, we propose an IPS testing framework termed IPS Evaluator which consists of a trace-driven inline simulator-engine, mechanisms for generating and manipulating test cases, and a comprehensive series of test procedures. The engine features attacker and victim interfaces which bind to the external and internal ports of an IPS-under-testing (IUT). Our engine employs a bi-directional injection policy to ensure that replayed packets are subject to security inspection by the IUT before they are forwarded. Furthermore, the send-and-receive mechanism of our engine allows for the correlation of engine-replayed and IUT-forwarded packets as well as the verification of IUT actions on detected attacks. Using dynamic addressing and routing techniques, our framework rewrites both source and destination addresses for every replayed packet on-the-fly. In this way, replayed packets conform to the specific features of the IUT. We propose algorithms to partition attacker/victim-emanated packets so that they are subjected to security inspections by the IUT and, in addition, we offer packet manipulation operations to shape replayed traces. We discuss procedures that help verify the IUT's detection and prevention accuracy, attack coverage and behavior under diverse traffic patterns. Finally, we evaluate the strengths of our framework by mainly examining the open-source IPS Snort-Inline. IPS deficiencies revealed during testing help establish the effectiveness of our approach.
The Computer Journal | 2009
Zhongqiang Chen; Yuan Zhang; Zhongrong Chen; Alex Delis
Intrusion detection/prevention systems (IDSs/IPSs) heavily rely on signature databases and pattern matching (PM) techniques to identify network attacks. The engines of such systems often employ traditional PM algorithms to search for telltale patterns in network flows. The observations that real-world network traffic is largely legitimate and that telltales manifested by exploits rarely appear in network streams lead us to the proposal of Fingerprinter. This framework integrates fingerprinting and PM methods to rapidly distinguish well-behaved from malicious traffic. Fingerprinter produces concise digests or fingerprints for attack signatures during its programming phase. In its querying phase, the framework quickly identifies attack-free connections by transforming input traffic into its fingerprint space and matching its digest against those of attack signatures. If the legitimacy of a stream cannot be determined by fingerprints alone, our framework uses the Boyer–Moore algorithm to ascertain whether attack signatures appear in the stream. To reduce false matches, we resort to multiple fingerprinting techniques including Bloom–Filter and Rabin–Fingerprint. Experimentation with a prototype and a variety of traces has helped us establish that Fingerprinter significantly accelerates the attack detection process.
The Computer Journal | 2004
Zhongqiang Chen; Alex Delis; Henry L. Bertoni
Building footprint simplification is of critical importance to radio propagation predictions in wireless communication systems as the prediction time is closely related to the number of both buildings and vertices involved. Intuitively, if the complexity of footprints (i.e. the number of vertices in the footprints) is reduced, predictions can be generated more quickly. However, such reductions often affect the accuracy of results as the simplification error constrains the efficiency that can be achieved. To achieve a good vertex reduction rate for the footprints involved and at the same time preserve the shapes of footprints in terms of their areas, orientations and centroids, we propose a number of efficient single-pass methods to simplify building footprints. To satisfy constraints on edges, areas and centroids of simplified footprints, multi-pass methods are suggested. Hybrid methods take advantage of complementary properties exhibited by different footprint simplification methods. We assess the baseline effectiveness of our proposed techniques, and carry out an extensive comparative evaluation with real geographic information system data from different municipalities. Through experimentation, we find that hybrid methods deliver the best performance in both vertex reduction rate and simplification error. We examine the effects that these footprint simplification methods have on the ray-tracing based radio propagation prediction systems in terms of processing time and prediction accuracy. Our experiments show that footprint simplification methods indeed reduce prediction time up to three-fold, and maintain prediction accuracy with high confidence as well. We also investigate the relationship between footprint simplification error and the prediction accuracy. We find that the prediction accuracy is sensitive to the distortion (i.e. change of shape) of building footprints. This helps us to better understand the trade-off between precision of the building database and the accuracy of predictions generated by ray-tracing based radio propagation prediction systems.
The Computer Journal | 2010
Zhongqiang Chen; Yuan Zhang; Zhongrong Chen
The dictionary of common vulnerabilities and exposures (CVEs) is a compilation of known security loopholes whose objective is to both facilitate the exchange of security-related information and expedite vulnerability analysis of computer systems. Its lack of categorization and generalization capability renders the dictionary ineffective when it comes to developing defense strategies for clustered vulnerabilities instead of individual exploits. To address this issue, we propose a CVE categorization framework termed CVE Classifier that transforms the dictionary into a classifier that not only categorizes CVEs with respect to diverse taxonomic features but can also evaluate general trends in the evolution of vulnerabilities. With the help of support vector machines, CVE Classifier builds learning models for taxonomic features based on training data automatically extracted from pertinent vulnerability databases including BID, X-Force and Secunia, and CVE entries containing telltale keywords unique to taxonomic features. We use word-stemming and stopword-removal techniques to reduce the dimensions of the feature space formed by CVEs and develop a data fusion and cleansing process to eliminate data inconsistencies to improve classification performance. The CVE classification produced by the proposed framework reveals that the majority of the Internet security loopholes are harbored by a small set of services. Moreover, it becomes evident that the widespread deployment of security devices provides many additional attack points as such devices demonstrate a great number of vulnerabilities. Finally, the CVE Classifier points out that remotely exploitable security loopholes continue to dominate the CVE landscape.
Peer-to-peer Networking and Applications | 2009
Ioannis Pogkas; Vassil Kriakov; Zhongqiang Chen; Alex Delis
To address the two most critical issues in P2P file-sharing systems: efficient information discovery and authentic data acquisition, we propose a Gnutella-like file-sharing protocol termed Adaptive Gnutella Protocol (AGP) that not only improves the querying efficiency in a P2P network but also enhances the quality of search results at the same time. The reputation scheme in the proposed AGP evaluates the credibility of peers based on their contributions to P2P services and subsequently clusters nodes together according to their reputation and shared content, essentially transforming the P2P overlay network into a topology with collaborative and reputed nodes as its core. By detecting malicious peers as well as free-riders and eventually pushing them to the edge of the overlay network, our AGP propagates search queries mainly within the core of the topology, accelerating the information discovery process. Furthermore, the clustering of nodes based on authentic and similar content in our AGP also improves the quality of search results. We have implemented the AGP with the PeerSim simulation engine and conducted thorough experiments on diverse network topologies and various mixtures of honest/dishonest nodes to demonstrate improvements in topology transformation, query efficiency, and search quality by our AGP.
International Multi-Conference on Computing in the Global Information Technology | 2008
Ioannis Pogkas; Vassil Kriakov; Zhongqiang Chen; Alex Delis
Most P2P file-sharing systems are unable to create self-organizing communities of similar nodes that provide good services to their members. In this paper, we propose a Gnutella-like file-sharing protocol based on the premise that each peer only creates links with the best counterparts which the peer has discovered in the network. Termed adaptive Gnutella protocol (AGP), our proposal transforms the overlay topology based on a reputation scheme that evaluates the provided services and offers a mechanism that organizes trusted nodes with similar content. We have implemented the AGP protocol using the PeerSim engine and conducted experiments on diverse network topologies. Over time, the network topology improves as every peer locates counterparts with similar content and good reputation. Moreover, malicious nodes are pushed to the edge of the overlay network and are excluded from participating in the AGP search.
The Computer Journal | 2007
Zhongqiang Chen; Zhongrong Chen; Alex Delis