Cloud computing and edge computing brought more software,which also brought a new danger of malicious software attacks.Data synchronization mechanisms of software can further help reverse data modifications.Based on t...Cloud computing and edge computing brought more software,which also brought a new danger of malicious software attacks.Data synchronization mechanisms of software can further help reverse data modifications.Based on the mechanisms,attackers can cover themselves behind the network and modify data undetected.Related knowledge of software reverse engineering can be organized as rules to accelerate the attacks,when attackers intrude cloud server to access the source or binary codes.Therefore,we proposed a novel method to resist this kind of reverse engineering by breaking these rules.Our method is based on software obfuscations and encryptions to enhance the security of distributed software and cloud services in the 5G era.Our method is capable of(1)replacing theoriginal assembly codes of theprotectedprogramwithequivalent assembly instructions inan iteration way,(2)obfuscating the control flow of the protected program to confuse attackers meanwhile keeps the program producing the same outputs,(3)encrypting data to confuse attackers.In addition,the approach can periodically and automatically modify the protected software binary codes,and the binary codes of the protected software are encrypted to resist static analysis and dynamic analysis.Furthermore,a simplified virtual machine is implemented to make the protected codes unreadable to attackers.Cloud game is one of the specific scenarios which needs low latency and strong data consistency.Cheat engine,Ollydbg,and Interactive Disassembler Professional(IDA)are used prevalently for games.Our improved methods can protect the software from the most vulnerable aspects.The improved dynamic code swapping and the simplified virtual machine technologies for cloud games are the main innovations.We inductively learned that our methods have been working well according to the security mechanisms and time complexity analysis.Experiments show that hidden dangers can be eliminated with efficient methods:Execution time and file sizes of the target codes can be multiple times than that of the original program codes which depend on specific program functions.展开更多
With the popularization and rapid development of mobile intelligent terminals(MITs), the number of mobile applications, or apps, has increased exponentially. It is increasingly common for malicious code to be inserted...With the popularization and rapid development of mobile intelligent terminals(MITs), the number of mobile applications, or apps, has increased exponentially. It is increasingly common for malicious code to be inserted into counterfeit apps, which can cause significant economic damage and threaten the security of users. Code obfuscation techniques are a highly efficient group of methods for code security protection. In this paper, we propose a novel control flow obfuscation based method for Android code protection. First, algorithms to insert irrelevant code and flatten the control flow are employed that minimize the cost of obfuscation while ensuring its strength. Second, we improve the traditional methods of control flow flattening to further reduce the costs of obfuscation. Lastly, the use of opaque predicates is strengthened by establishing an access control strategy, which converts the identification of opaque predicates in the entire program into a graph traversal problem, and thereby increases the strength of the code protection. We did some experiments to evaluate our method, and the results show that the proposed method can work well.展开更多
Software obfuscation has been developed for over 30 years.A problem always confusing the communities is what security strength the technique can achieve.Nowadays,this problem becomes even harder as the software econom...Software obfuscation has been developed for over 30 years.A problem always confusing the communities is what security strength the technique can achieve.Nowadays,this problem becomes even harder as the software economy becomes more diversified.Inspired by the classic idea of layered security for risk management,we propose layered obfuscation as a promising way to realize reliable software obfuscation.Our concept is based on the fact that real-world software is usually complicated.Merely applying one or several obfuscation approaches in an ad-hoc way cannot achieve good obscurity.Layered obfuscation,on the other hand,aims to mitigate the risks of reverse software engineering by integrating different obfuscation techniques as a whole solution.In the paper,we conduct a systematic review of existing obfuscation techniques based on the idea of layered obfuscation and develop a novel taxonomy of obfuscation techniques.Following our taxonomy hierarchy,the obfuscation strategies under different branches are orthogonal to each other.In this way,it can assist developers in choosing obfuscation techniques and designing layered obfuscation solutions based on their specific requirements.展开更多
Software obfuscation has been developed for over 30 years.A problem always confusing the communities is what security strength the technique can achieve.Nowadays,this problem becomes even harder as the software econom...Software obfuscation has been developed for over 30 years.A problem always confusing the communities is what security strength the technique can achieve.Nowadays,this problem becomes even harder as the software economy becomes more diversified.Inspired by the classic idea of layered security for risk management,we propose layered obfuscation as a promising way to realize reliable software obfuscation.Our concept is based on the fact that real-world software is usually complicated.Merely applying one or several obfuscation approaches in an ad-hoc way cannot achieve good obscurity.Layered obfuscation,on the other hand,aims to mitigate the risks of reverse software engineering by integrating different obfuscation techniques as a whole solution.In the paper,we conduct a systematic review of existing obfuscation techniques based on the idea of layered obfuscation and develop a novel taxonomy of obfuscation techniques.Following our taxonomy hierarchy,the obfuscation strategies under different branches are orthogonal to each other.In this way,it can assist developers in choosing obfuscation techniques and designing layered obfuscation solutions based on their specific requirements.展开更多
Clone detection has received much attention in many fields such as malicious code detection,vulnerability hunting,and code copyright infringement detection.However,cyber criminals may obfuscate code to impede violatio...Clone detection has received much attention in many fields such as malicious code detection,vulnerability hunting,and code copyright infringement detection.However,cyber criminals may obfuscate code to impede violation detection.To date,few studies have investigated the robustness of clone detectors,especially in-fashion deep learning-based ones,against obfuscation.Meanwhile,most of these studies only measure the difference between one code snippet and its obfuscation version.However,in reality,the attackers may modify the original code before obfuscating it.Then what we should evaluate is the detection of obfuscated code from cloned code,not the original code.For this,we conduct a comprehensive study evaluating 3 popular deep-learning based clone detectors and 6 commonly used traditional ones.Regarding the data,we collect 6512 clone pairs of five types from the dataset BigCloneBench and obfuscate one program of each pair via 64 strategies of 6 state-of-art commercial obfuscators.We also collect 1424 non-clone pairs to evaluate the false positives.In sum,a benchmark of 524,148 code pairs(either clone or not)are generated,which are passed to clone detectors for evaluation.To automate the evaluation,we develop one uniform evaluation framework,integrating the clone detectors and obfuscators.The results bring us interesting findings on how obfuscation affects the performance of clone detection and what is the difference between traditional and deep learning-based clone detectors.In addition,we conduct manual code reviews to uncover the root cause of the phenomenon and give suggestions to users from different perspectives.展开更多
Privacy protection for smart contracts is currently inadequate.Existing solutions for privacy-preserving smart contracts either support only a limited class of smart contracts or rely on noncryptographic assumptions.W...Privacy protection for smart contracts is currently inadequate.Existing solutions for privacy-preserving smart contracts either support only a limited class of smart contracts or rely on noncryptographic assumptions.We propose a cryptographic obfuscation scheme for smart contracts based on existing blockchain mechanisms,standard cryptographic assumptions,and witness encryption.In the proposed scheme,an obfuscated smart contract does not reveal its algorithm and hardcoded secrets and preserves encrypted states.Any user can provide it with encrypted inputs and allow an untrusted third party to execute it.Although multiparty computation(MPC)among dynamically changing users is necessary,its privacy is protected if at least one user is honest.If the MPC does not finish within a period of time,anyone can cancel and restart it.The proposed scheme also supports decentralized obfuscation where even the participants of the obfuscation process cannot learn secrets in the obfuscated smart contract unless all of them are malicious.As its applications,we present a new trustless bitcoin bridge mechanism that exposes no secret key and privacy-preserving anti-money laundering built into smart contracts.展开更多
IoT(Internet of Things)devices are being used more and more in a variety of businesses and for a variety of tasks,such as environmental data collection in both civilian and military situations.They are a desirable att...IoT(Internet of Things)devices are being used more and more in a variety of businesses and for a variety of tasks,such as environmental data collection in both civilian and military situations.They are a desirable attack target for malware intended to infect specific IoT devices due to their growing use in a variety of applications and their increasing computational and processing power.In this study,we investigate the possibility of detecting IoT malware using recurrent neural networks(RNNs).RNNis used in the proposed method to investigate the execution operation codes of ARM-based Internet of Things apps(OpCodes).To train our algorithms,we employ a dataset of IoT applications that includes 281 malicious and 270 benign pieces of software.The trained model is then put to the test using 100 brand-new IoT malware samples across three separate LSTM settings.Model exposure was not previously conducted on these samples.Detecting newly crafted malware samples with 2-layer neurons had the highest accuracy(98.18%)in the 10-fold cross validation experiment.A comparison of the LSTMtechnique to other machine learning classifiers shows that it yields the best results.展开更多
In recent years,Power Shell has increasingly been reported as appearing in a variety of cyber attacks.However,because the PowerShell language is dynamic by design and can construct script fragments at different levels...In recent years,Power Shell has increasingly been reported as appearing in a variety of cyber attacks.However,because the PowerShell language is dynamic by design and can construct script fragments at different levels,state-of-the-art static analysis based Power Shell attack detection approaches are inherently vulnerable to obfuscations.In this paper,we design the first generic,effective,and lightweight deobfuscation approach for PowerShell scripts.To precisely identify the obfuscated script fragments,we define obfuscation based on the differences in the impacts on the abstract syntax trees of PowerShell scripts and propose a novel emulation-based recovery technology.Furthermore,we design the first semantic-aware PowerShell attack detection system that leverages the classic objective-oriented association mining algorithm and newly identifies 31 semantic signatures.The experimental results on 2342 benign samples and 4141 malicious samples show that our deobfuscation method takes less than 0.5 s on average and increases the similarity between the obfuscated and original scripts from 0.5%to 93.2%.By deploying our deobfuscation method,the attack detection rates for Windows Defender and VirusTotal increase substantially from 0.33%and 2.65%to 78.9%and 94.0%,respectively.Moreover,our detection system outperforms both existing tools with a 96.7%true positive rate and a 0%false positive rate on average.展开更多
The widespread adoption of Internet of Things(IoT)devices has resulted in notable progress in different fields,improving operational effectiveness while also raising concerns about privacy due to their vulnerability t...The widespread adoption of Internet of Things(IoT)devices has resulted in notable progress in different fields,improving operational effectiveness while also raising concerns about privacy due to their vulnerability to virus attacks.Further,the study suggests using an advanced approach that utilizes machine learning,specifically the Wide Residual Network(WRN),to identify hidden malware in IoT systems.The research intends to improve privacy protection by accurately identifying malicious software that undermines the security of IoT devices,using the MalMemAnalysis dataset.Moreover,thorough experimentation provides evidence for the effectiveness of the WRN-based strategy,resulting in exceptional performance measures such as accuracy,precision,F1-score,and recall.The study of the test data demonstrates highly impressive results,with a multiclass accuracy surpassing 99.97%and a binary class accuracy beyond 99.98%.The results emphasize the strength and dependability of using advanced deep learning methods such as WRN for identifying hidden malware risks in IoT environments.Furthermore,a comparison examination with the current body of literature emphasizes the originality and efficacy of the suggested methodology.This research builds upon previous studies that have investigated several machine learning methods for detecting malware on IoT devices.However,it distinguishes itself by showcasing exceptional performance metrics and validating its findings through thorough experimentation with real-world datasets.Utilizing WRN offers benefits in managing the intricacies of malware detection,emphasizing its capacity to enhance the security of IoT ecosystems.To summarize,this work proposes an effective way to address privacy concerns on IoT devices by utilizing advanced machine learning methods.The research provides useful insights into the changing landscape of IoT cybersecurity by emphasizing methodological rigor and conducting comparative performance analysis.Future research could focus on enhancing the recommended approach by adding more datasets and leveraging real-time monitoring capabilities to strengthen IoT devices’defenses against new cybersecurity threats.展开更多
A new secure oblivious transfer (OT) protocol from indistinguishability obfuscation (iO) is proposed in this paper. The candidate iO and a dual-mode cryptosystem are the main technical tools of this scheme. Garg e...A new secure oblivious transfer (OT) protocol from indistinguishability obfuscation (iO) is proposed in this paper. The candidate iO and a dual-mode cryptosystem are the main technical tools of this scheme. Garg et al. introduced a candidate construction of iO in 2013. Following their steps, a new k-out-of-1 OT protocol is presented here, and its realization from decisional Diffie-Hellman (DDH) is described in this paper, in which iO was combined with the dual-mode cryptosystem. The security of the scheme mainly relies on the indistinguishability of the obf-branches (corresponding to the two modes in dual-mode model). This paper explores a new way for the application of iO.展开更多
The smart phone market is continuously increasing and there are more than 6 billion of smart phone users worldwide with the aid of the 5G technology.Among them Android occupies 87%of the market share.Naturally,the wid...The smart phone market is continuously increasing and there are more than 6 billion of smart phone users worldwide with the aid of the 5G technology.Among them Android occupies 87%of the market share.Naturally,the widespread Android smartphones has drawn the attention of the attackers who implement and spread malware.Consequently,currently the number of malware targeting Android mobile phones is ever increasing.Therefore,it is a critical task to find and detect malicious behaviors of malware in a timely manner.However,unfortunately,attackers use a variety of obfuscation techniques for malware to evade or delay detection.When an obfuscation technique such as the class encryption is applied to a malicious application,we cannot obtain any information through a static analysis regarding its malicious behaviors.Hence,we need to rely on the manual,dynamic analysis to find concealed malicious behaviors from obfuscated malware.To avoid malware spreading out in larger scale,we need an automated deobfuscation approach that accurately deobfuscates obfuscated malware so that we can reveal hidden malicious behaviors.In this study,we introduce widely-used obfuscation techniques and propose an effective deobfuscation method,named ARBDroid,for automatically deobfuscating the string encryption,class encryption,and API hiding techniques.Our evaluation results clearly demonstrate that our approach can deobfuscate obfuscated applications based on dynamic analysis results.展开更多
Mobile apps are known to be rich sources for gathering privacy-sensitive information about smartphone users.Despite the presence of encryption,passive network adversaries who have access to the network infrastructure ...Mobile apps are known to be rich sources for gathering privacy-sensitive information about smartphone users.Despite the presence of encryption,passive network adversaries who have access to the network infrastructure can eavesdrop on the traffic and therefore fingerprint a user’s app by means of packet-level traffic analysis.Since it is difficult to prevent the adversaries from accessing the network,providing secrecy in hostile environments becomes a serious concern.In this study,we propose AdaptiveMutate,a privacy-leak thwarting technique to defend against the statistical traffic analysis of apps.First,we present a method for the identification of mobile apps using traffic analysis.Further,we propose a confusion system in which we obfuscate packet lengths,and/or inter-arrival time information leaked by the mobile traffic to make it hard for intruders to differentiate between the altered app traffic and the actual one using statistical analysis.Our aim is to shape one class of app traffic to obscure its features with the minimum overhead.Our system strives to dynamically maximize its efficiency by matching each app with the corresponding most dissimilar app.Also,AdaptiveMutate has an adaptive capability that allows it to choose the most suitable feature to mutate,depending on the type of apps analyzed and the classifier used,if known.We evaluate the efficiency of our model by conducting a comprehensive simulation analysis that mutates different apps to each other using AdaptiveMutate.We conclude that our algorithm is most efficient when we mutate a feature of one app to its most dissimilar one in another app.When applying the identification technique,we achieve a classification accuracy of 91.1%.Then,using our obfuscation technique,we are able to reduce this accuracy to 7%.Also,we test our algorithm against a recently published approach for mobile apps classification and we are able to reduce its accuracy from 94.8%to 17.9%.Additionally,we analyze the tradeoff between the shaping cost and traffic privacy protection,specifically,the associated overhead and the feasibility for real-time implementation.展开更多
Although Android becomes a leading operating system in market,Android users suffer from security threats due to malwares.To protect users from the threats,the solutions to detect and identify the malware variant are e...Although Android becomes a leading operating system in market,Android users suffer from security threats due to malwares.To protect users from the threats,the solutions to detect and identify the malware variant are essential.However,modern malware evades existing solutions by applying code obfuscation and native code.To resolve this problem,we introduce an ensemble-based malware classification algorithm using malware family grouping.The proposed family grouping algorithm finds the optimal combination of families belonging to the same group while the total number of families is fixed to the optimal total number.It also adopts unified feature extraction technique for handling seamless both bytecode and native code.We propose a unique feature selection algorithm that improves classification performance and time simultaneously.2-gram based features are generated from the instructions and segments,and then selected by using multiple filters to choose most effective features.Through extensive simulation with many obfuscated and native code malware applications,we confirm that it can classify malwares with high accuracy and short processing time.Most existing approaches failed to achieve classification speed and detection time simultaneously.Therefore,the approach can help Android users to keep themselves safe from various and evolving cyber-attacks very effectively.展开更多
In this paper, we propose a new notion of secure disguisable symmetric encryption schemes, which captures the idea that the attacker can decrypt an encrypted fie to different meaningful values when different keys are ...In this paper, we propose a new notion of secure disguisable symmetric encryption schemes, which captures the idea that the attacker can decrypt an encrypted fie to different meaningful values when different keys are put to the decryption algorithm. This notion is aimed for the following anti-forensics purpose: the attacker can cheat the forensics investigator by decrypting an encrypted file to a meaningful file other than that one he encrypted, in the case that he is caught by the forensics investigator and ordered to hand over the key for decryption. We then present a construction of secure disguisable symmetric encryption schemes.展开更多
The Android operating system has become a leading smartphone platform for mobile and other smart devices,which in turn has led to a diversity of malware applications.The amount of research on Android malware detection...The Android operating system has become a leading smartphone platform for mobile and other smart devices,which in turn has led to a diversity of malware applications.The amount of research on Android malware detection has increased significantly in recent years and many detection systems have been proposed.Despite these efforts,however,most systems can be thwarted by sophisticated Androidmalware adopting obfuscation or native code to avoid discovery by anti-virus tools.In this paper,we propose a new static analysis technique to address the problems of obfuscating and native malware applications.The proposed system provides a unified technique for extracting features from applications and native libraries using a selection algorithm that can extract a small set of unique and effective features for detecting malware applications rapidly and with a high detection rate.Evaluation using large Android malware detection datasets obtained from various sources confirmed that the proposed approach achieves very promising results in terms of improved accuracy,low false positive rate,and high detection rate.展开更多
There are several methods and technologies for comparing the statements, comments, strings, identifiers, and other visible elements of source code in order to efficiently identify similarity. In a prior paper we found...There are several methods and technologies for comparing the statements, comments, strings, identifiers, and other visible elements of source code in order to efficiently identify similarity. In a prior paper we found that comparing the whitespace patterns was not precise enough to identify copying by itself. However, several possible methods for improving the precision of a whitespace pattern comparison were presented, the most promising of which was an examination of the sequences of lines with matching whitespace patterns. This paper demonstrates a method of evaluating the sequences of matching whitespace patterns and a detailed study of the method’s reliability.展开更多
Malware is a software which is designed with an intent to damage a network or computer resources. Today, the emergence of malware is on boom letting the researchers develop novel techniques to protect computers and ne...Malware is a software which is designed with an intent to damage a network or computer resources. Today, the emergence of malware is on boom letting the researchers develop novel techniques to protect computers and networks. The three major techniques used for malware detection are heuristic, signature-based, and behavior based. Among these, the most prevalent is the heuristic based malware detection. Hidden Markov Model is the most efficient technique for malware detection. In this paper, we present the Hidden Markov Model as a cutting edge malware detection tool and a comprehensive review of different studies that employ HMM as a detection tool.展开更多
A user’s trajectory can be maliciously monitored by adversaries when they share the positions in location-aware social networking applications which require users to update their own locations continuously. An advers...A user’s trajectory can be maliciously monitored by adversaries when they share the positions in location-aware social networking applications which require users to update their own locations continuously. An adversary infers user’s locations from the trajectories, and gleans user’s private information through them via location-aware social networking applications and public available geographic data. In this paper, we propose a user proprietary obfuscate system to suit situations for position sharing and location privacy preserving in location-aware social network. Users transform the public available geographic data into personal obfuscate region maps with pre-defined profile to prevent the location leaking in stationary status. Our obfuscation with size restricted regions method tunes user’s transformed locations fitting into natural movement and prevents unreasonable snapshot locations been recorded in the trajectory.展开更多
The Internet of Things(loT)has grown rapidly due to artificial intelligence driven edge computing.While enabling many new functions,edge computing devices expand the vulnerability surface and have become the target of...The Internet of Things(loT)has grown rapidly due to artificial intelligence driven edge computing.While enabling many new functions,edge computing devices expand the vulnerability surface and have become the target of malware attacks.Moreover,attackers have used advanced techniques to evade defenses by transforming their malware into functionality-preserving variants.We systematically analyze such evasion attacks and conduct a large-scale empirical study in this paper to evaluate their impact on security.More specifically,we focus on two forms of evasion attacks:obfuscation and adversarial attacks.To the best of our knowledge,this paper is the first to investigate and contrast the two families of evasion attacks systematically.We apply 10 obfuscation attacks and 9 adversarial attacks to 2870 malware examples.The obtained findings are as follows.(1)Commercial Off-The-Shelf(COTS)malware detectors are vulnerable to evasion attacks.(2)Adversarial attacks affect COTS malware detectors slightly more effectively than obfuscated malware examples.(3)Code similarity detection approaches can be affected by obfuscated examples and are barely affected by adversarial attacks.(4)These attacks can preserve the functionality of original malware examples.展开更多
Users are vulnerable to privacy risks when providing their location information to location-based services (LBS). Existing work sacrifices the quality of LBS by degrading spatial and temporal accuracy for ensuring u...Users are vulnerable to privacy risks when providing their location information to location-based services (LBS). Existing work sacrifices the quality of LBS by degrading spatial and temporal accuracy for ensuring user privacy. In this paper, we propose a novel approach, Complete Bipartite Anonymity (CBA), aiming to achieve both user privacy and quality of service. The theoretical basis of CBA is that: if the bipartite graph of k nearby users' paths can be transformed into a complete bipartite graph, then these users achieve k-anonymity since the set of "end points connecting to a specific start point in a graph" is an equivalence class. To achieve CBA, we design a Collaborative Path Confusion (CPC) protocol which enables nearby nsers to discover and authenticate each other without knowing their real identities or accurate locations, predict tile encounter location using users' moving pattern information, and generate fake traces obfuscating the real ones. We evaluate CBA using a real-world dataset, and compare its privacy performance with existing path confusion approach. The results show that CBA enhances location privacy by increasing the chance for a user confusing his/her path with others by 4 to 16 times in low user density areas. We also demonstrate that CBA is secure under the trace identification attack.展开更多
基金supported by grants from Natural Science Foundation of Inner Mongolia Autonomous Region(No.2022MS06024)NSFC(No.61962040)+3 种基金Hainan Province Key R&D Program(ZDYF2022GXJS007,ZDYF2022GXJS010)Hainan Natural Science Foundation(620RC561)Hainan Province Higher Education and Teaching Reform Research Project(Hnjg2021ZD-3)Hainan Province Key Laboratory of Meteorological Disaster Prevention and Mitigation in the South China Sea,Open Fund Project(SCSF202210).
文摘Cloud computing and edge computing brought more software,which also brought a new danger of malicious software attacks.Data synchronization mechanisms of software can further help reverse data modifications.Based on the mechanisms,attackers can cover themselves behind the network and modify data undetected.Related knowledge of software reverse engineering can be organized as rules to accelerate the attacks,when attackers intrude cloud server to access the source or binary codes.Therefore,we proposed a novel method to resist this kind of reverse engineering by breaking these rules.Our method is based on software obfuscations and encryptions to enhance the security of distributed software and cloud services in the 5G era.Our method is capable of(1)replacing theoriginal assembly codes of theprotectedprogramwithequivalent assembly instructions inan iteration way,(2)obfuscating the control flow of the protected program to confuse attackers meanwhile keeps the program producing the same outputs,(3)encrypting data to confuse attackers.In addition,the approach can periodically and automatically modify the protected software binary codes,and the binary codes of the protected software are encrypted to resist static analysis and dynamic analysis.Furthermore,a simplified virtual machine is implemented to make the protected codes unreadable to attackers.Cloud game is one of the specific scenarios which needs low latency and strong data consistency.Cheat engine,Ollydbg,and Interactive Disassembler Professional(IDA)are used prevalently for games.Our improved methods can protect the software from the most vulnerable aspects.The improved dynamic code swapping and the simplified virtual machine technologies for cloud games are the main innovations.We inductively learned that our methods have been working well according to the security mechanisms and time complexity analysis.Experiments show that hidden dangers can be eliminated with efficient methods:Execution time and file sizes of the target codes can be multiple times than that of the original program codes which depend on specific program functions.
基金supported by National Natural Science Foundation of China (CN) Project (U153610079,61401038, 61762086)
文摘With the popularization and rapid development of mobile intelligent terminals(MITs), the number of mobile applications, or apps, has increased exponentially. It is increasingly common for malicious code to be inserted into counterfeit apps, which can cause significant economic damage and threaten the security of users. Code obfuscation techniques are a highly efficient group of methods for code security protection. In this paper, we propose a novel control flow obfuscation based method for Android code protection. First, algorithms to insert irrelevant code and flatten the control flow are employed that minimize the cost of obfuscation while ensuring its strength. Second, we improve the traditional methods of control flow flattening to further reduce the costs of obfuscation. Lastly, the use of opaque predicates is strengthened by establishing an access control strategy, which converts the identification of opaque predicates in the entire program into a graph traversal problem, and thereby increases the strength of the code protection. We did some experiments to evaluate our method, and the results show that the proposed method can work well.
基金The work described in this paper was supported by the Research Grants Council of the Hong Kong Special Administrative Region,China(No.CUHK 14210717 of the General Research Fund).
文摘Software obfuscation has been developed for over 30 years.A problem always confusing the communities is what security strength the technique can achieve.Nowadays,this problem becomes even harder as the software economy becomes more diversified.Inspired by the classic idea of layered security for risk management,we propose layered obfuscation as a promising way to realize reliable software obfuscation.Our concept is based on the fact that real-world software is usually complicated.Merely applying one or several obfuscation approaches in an ad-hoc way cannot achieve good obscurity.Layered obfuscation,on the other hand,aims to mitigate the risks of reverse software engineering by integrating different obfuscation techniques as a whole solution.In the paper,we conduct a systematic review of existing obfuscation techniques based on the idea of layered obfuscation and develop a novel taxonomy of obfuscation techniques.Following our taxonomy hierarchy,the obfuscation strategies under different branches are orthogonal to each other.In this way,it can assist developers in choosing obfuscation techniques and designing layered obfuscation solutions based on their specific requirements.
基金supported by the Research Grants Council of the Hong Kong Special Administrative Region,China(No.CUHK 14210717 of the General Research Fund).
文摘Software obfuscation has been developed for over 30 years.A problem always confusing the communities is what security strength the technique can achieve.Nowadays,this problem becomes even harder as the software economy becomes more diversified.Inspired by the classic idea of layered security for risk management,we propose layered obfuscation as a promising way to realize reliable software obfuscation.Our concept is based on the fact that real-world software is usually complicated.Merely applying one or several obfuscation approaches in an ad-hoc way cannot achieve good obscurity.Layered obfuscation,on the other hand,aims to mitigate the risks of reverse software engineering by integrating different obfuscation techniques as a whole solution.In the paper,we conduct a systematic review of existing obfuscation techniques based on the idea of layered obfuscation and develop a novel taxonomy of obfuscation techniques.Following our taxonomy hierarchy,the obfuscation strategies under different branches are orthogonal to each other.In this way,it can assist developers in choosing obfuscation techniques and designing layered obfuscation solutions based on their specific requirements.
基金IIE authors are supported in part by the National Key R&D Program of China(2020AAA0140001)NSFC U1836211,Beijing Natural Science Foundation(No.M22004),the Anhui Department of Science and Technology under Grant 202103a05020009Youth Innovation Promotion Association CAS,Beijing Academy of Artificial Intelligence(BAAI)and a research grant from Huawei.
文摘Clone detection has received much attention in many fields such as malicious code detection,vulnerability hunting,and code copyright infringement detection.However,cyber criminals may obfuscate code to impede violation detection.To date,few studies have investigated the robustness of clone detectors,especially in-fashion deep learning-based ones,against obfuscation.Meanwhile,most of these studies only measure the difference between one code snippet and its obfuscation version.However,in reality,the attackers may modify the original code before obfuscating it.Then what we should evaluate is the detection of obfuscated code from cloned code,not the original code.For this,we conduct a comprehensive study evaluating 3 popular deep-learning based clone detectors and 6 commonly used traditional ones.Regarding the data,we collect 6512 clone pairs of five types from the dataset BigCloneBench and obfuscate one program of each pair via 64 strategies of 6 state-of-art commercial obfuscators.We also collect 1424 non-clone pairs to evaluate the false positives.In sum,a benchmark of 524,148 code pairs(either clone or not)are generated,which are passed to clone detectors for evaluation.To automate the evaluation,we develop one uniform evaluation framework,integrating the clone detectors and obfuscators.The results bring us interesting findings on how obfuscation affects the performance of clone detection and what is the difference between traditional and deep learning-based clone detectors.In addition,we conduct manual code reviews to uncover the root cause of the phenomenon and give suggestions to users from different perspectives.
基金supported by the Mohammed bin Salman Center for Future Science and Technology for Saudi-Japan Vision 2030 at The University of Tokyo(MbSC2030).
文摘Privacy protection for smart contracts is currently inadequate.Existing solutions for privacy-preserving smart contracts either support only a limited class of smart contracts or rely on noncryptographic assumptions.We propose a cryptographic obfuscation scheme for smart contracts based on existing blockchain mechanisms,standard cryptographic assumptions,and witness encryption.In the proposed scheme,an obfuscated smart contract does not reveal its algorithm and hardcoded secrets and preserves encrypted states.Any user can provide it with encrypted inputs and allow an untrusted third party to execute it.Although multiparty computation(MPC)among dynamically changing users is necessary,its privacy is protected if at least one user is honest.If the MPC does not finish within a period of time,anyone can cancel and restart it.The proposed scheme also supports decentralized obfuscation where even the participants of the obfuscation process cannot learn secrets in the obfuscated smart contract unless all of them are malicious.As its applications,we present a new trustless bitcoin bridge mechanism that exposes no secret key and privacy-preserving anti-money laundering built into smart contracts.
文摘IoT(Internet of Things)devices are being used more and more in a variety of businesses and for a variety of tasks,such as environmental data collection in both civilian and military situations.They are a desirable attack target for malware intended to infect specific IoT devices due to their growing use in a variety of applications and their increasing computational and processing power.In this study,we investigate the possibility of detecting IoT malware using recurrent neural networks(RNNs).RNNis used in the proposed method to investigate the execution operation codes of ARM-based Internet of Things apps(OpCodes).To train our algorithms,we employ a dataset of IoT applications that includes 281 malicious and 270 benign pieces of software.The trained model is then put to the test using 100 brand-new IoT malware samples across three separate LSTM settings.Model exposure was not previously conducted on these samples.Detecting newly crafted malware samples with 2-layer neurons had the highest accuracy(98.18%)in the 10-fold cross validation experiment.A comparison of the LSTMtechnique to other machine learning classifiers shows that it yields the best results.
基金supported by the National Natural Science Foundation of China(No.U1936215)。
文摘In recent years,Power Shell has increasingly been reported as appearing in a variety of cyber attacks.However,because the PowerShell language is dynamic by design and can construct script fragments at different levels,state-of-the-art static analysis based Power Shell attack detection approaches are inherently vulnerable to obfuscations.In this paper,we design the first generic,effective,and lightweight deobfuscation approach for PowerShell scripts.To precisely identify the obfuscated script fragments,we define obfuscation based on the differences in the impacts on the abstract syntax trees of PowerShell scripts and propose a novel emulation-based recovery technology.Furthermore,we design the first semantic-aware PowerShell attack detection system that leverages the classic objective-oriented association mining algorithm and newly identifies 31 semantic signatures.The experimental results on 2342 benign samples and 4141 malicious samples show that our deobfuscation method takes less than 0.5 s on average and increases the similarity between the obfuscated and original scripts from 0.5%to 93.2%.By deploying our deobfuscation method,the attack detection rates for Windows Defender and VirusTotal increase substantially from 0.33%and 2.65%to 78.9%and 94.0%,respectively.Moreover,our detection system outperforms both existing tools with a 96.7%true positive rate and a 0%false positive rate on average.
基金The authors would like to thank Princess Nourah bint Abdulrahman University for funding this project through the researchers supporting project(PNURSP2024R435)and this research was funded by the Prince Sultan University,Riyadh,Saudi Arabia.
文摘The widespread adoption of Internet of Things(IoT)devices has resulted in notable progress in different fields,improving operational effectiveness while also raising concerns about privacy due to their vulnerability to virus attacks.Further,the study suggests using an advanced approach that utilizes machine learning,specifically the Wide Residual Network(WRN),to identify hidden malware in IoT systems.The research intends to improve privacy protection by accurately identifying malicious software that undermines the security of IoT devices,using the MalMemAnalysis dataset.Moreover,thorough experimentation provides evidence for the effectiveness of the WRN-based strategy,resulting in exceptional performance measures such as accuracy,precision,F1-score,and recall.The study of the test data demonstrates highly impressive results,with a multiclass accuracy surpassing 99.97%and a binary class accuracy beyond 99.98%.The results emphasize the strength and dependability of using advanced deep learning methods such as WRN for identifying hidden malware risks in IoT environments.Furthermore,a comparison examination with the current body of literature emphasizes the originality and efficacy of the suggested methodology.This research builds upon previous studies that have investigated several machine learning methods for detecting malware on IoT devices.However,it distinguishes itself by showcasing exceptional performance metrics and validating its findings through thorough experimentation with real-world datasets.Utilizing WRN offers benefits in managing the intricacies of malware detection,emphasizing its capacity to enhance the security of IoT ecosystems.To summarize,this work proposes an effective way to address privacy concerns on IoT devices by utilizing advanced machine learning methods.The research provides useful insights into the changing landscape of IoT cybersecurity by emphasizing methodological rigor and conducting comparative performance analysis.Future research could focus on enhancing the recommended approach by adding more datasets and leveraging real-time monitoring capabilities to strengthen IoT devices’defenses against new cybersecurity threats.
基金supported by Opening Project of State Key Laboratory of Cryptology, Scientific Research and Postgraduate Training Cooperation Project-Scientific Research Base-New Theory of Block Cipher and Obfuscation and their Application Research, and Information Management and Professional Building of Information System
文摘A new secure oblivious transfer (OT) protocol from indistinguishability obfuscation (iO) is proposed in this paper. The candidate iO and a dual-mode cryptosystem are the main technical tools of this scheme. Garg et al. introduced a candidate construction of iO in 2013. Following their steps, a new k-out-of-1 OT protocol is presented here, and its realization from decisional Diffie-Hellman (DDH) is described in this paper, in which iO was combined with the dual-mode cryptosystem. The security of the scheme mainly relies on the indistinguishability of the obf-branches (corresponding to the two modes in dual-mode model). This paper explores a new way for the application of iO.
基金This work was supported as part of Military Crypto Research Center(UD210027XD)funded by Defense Acquisition Program Administration(DAPA)and Agency for Defense Development(ADD).
文摘The smart phone market is continuously increasing and there are more than 6 billion of smart phone users worldwide with the aid of the 5G technology.Among them Android occupies 87%of the market share.Naturally,the widespread Android smartphones has drawn the attention of the attackers who implement and spread malware.Consequently,currently the number of malware targeting Android mobile phones is ever increasing.Therefore,it is a critical task to find and detect malicious behaviors of malware in a timely manner.However,unfortunately,attackers use a variety of obfuscation techniques for malware to evade or delay detection.When an obfuscation technique such as the class encryption is applied to a malicious application,we cannot obtain any information through a static analysis regarding its malicious behaviors.Hence,we need to rely on the manual,dynamic analysis to find concealed malicious behaviors from obfuscated malware.To avoid malware spreading out in larger scale,we need an automated deobfuscation approach that accurately deobfuscates obfuscated malware so that we can reveal hidden malicious behaviors.In this study,we introduce widely-used obfuscation techniques and propose an effective deobfuscation method,named ARBDroid,for automatically deobfuscating the string encryption,class encryption,and API hiding techniques.Our evaluation results clearly demonstrate that our approach can deobfuscate obfuscated applications based on dynamic analysis results.
文摘Mobile apps are known to be rich sources for gathering privacy-sensitive information about smartphone users.Despite the presence of encryption,passive network adversaries who have access to the network infrastructure can eavesdrop on the traffic and therefore fingerprint a user’s app by means of packet-level traffic analysis.Since it is difficult to prevent the adversaries from accessing the network,providing secrecy in hostile environments becomes a serious concern.In this study,we propose AdaptiveMutate,a privacy-leak thwarting technique to defend against the statistical traffic analysis of apps.First,we present a method for the identification of mobile apps using traffic analysis.Further,we propose a confusion system in which we obfuscate packet lengths,and/or inter-arrival time information leaked by the mobile traffic to make it hard for intruders to differentiate between the altered app traffic and the actual one using statistical analysis.Our aim is to shape one class of app traffic to obscure its features with the minimum overhead.Our system strives to dynamically maximize its efficiency by matching each app with the corresponding most dissimilar app.Also,AdaptiveMutate has an adaptive capability that allows it to choose the most suitable feature to mutate,depending on the type of apps analyzed and the classifier used,if known.We evaluate the efficiency of our model by conducting a comprehensive simulation analysis that mutates different apps to each other using AdaptiveMutate.We conclude that our algorithm is most efficient when we mutate a feature of one app to its most dissimilar one in another app.When applying the identification technique,we achieve a classification accuracy of 91.1%.Then,using our obfuscation technique,we are able to reduce this accuracy to 7%.Also,we test our algorithm against a recently published approach for mobile apps classification and we are able to reduce its accuracy from 94.8%to 17.9%.Additionally,we analyze the tradeoff between the shaping cost and traffic privacy protection,specifically,the associated overhead and the feasibility for real-time implementation.
基金This work was supported by the National Research Foundation of Korea(NRF)grant funded by the Korea government(MSIT)(NRF-2019R1F1A1062320).
文摘Although Android becomes a leading operating system in market,Android users suffer from security threats due to malwares.To protect users from the threats,the solutions to detect and identify the malware variant are essential.However,modern malware evades existing solutions by applying code obfuscation and native code.To resolve this problem,we introduce an ensemble-based malware classification algorithm using malware family grouping.The proposed family grouping algorithm finds the optimal combination of families belonging to the same group while the total number of families is fixed to the optimal total number.It also adopts unified feature extraction technique for handling seamless both bytecode and native code.We propose a unique feature selection algorithm that improves classification performance and time simultaneously.2-gram based features are generated from the instructions and segments,and then selected by using multiple filters to choose most effective features.Through extensive simulation with many obfuscated and native code malware applications,we confirm that it can classify malwares with high accuracy and short processing time.Most existing approaches failed to achieve classification speed and detection time simultaneously.Therefore,the approach can help Android users to keep themselves safe from various and evolving cyber-attacks very effectively.
文摘In this paper, we propose a new notion of secure disguisable symmetric encryption schemes, which captures the idea that the attacker can decrypt an encrypted fie to different meaningful values when different keys are put to the decryption algorithm. This notion is aimed for the following anti-forensics purpose: the attacker can cheat the forensics investigator by decrypting an encrypted file to a meaningful file other than that one he encrypted, in the case that he is caught by the forensics investigator and ordered to hand over the key for decryption. We then present a construction of secure disguisable symmetric encryption schemes.
基金This work was supported in part by the National Research Foundation of Korea(NRF)grant funded by the Korea government(MSIT)(NRF-2019R1F1A1062320)the Information Technology Research Center(ITRC)Support Program supervised by the Institute for Information and Communications Technology Planning and Evaluation(IITP)(IITP-2021-2016-0-00313).
文摘The Android operating system has become a leading smartphone platform for mobile and other smart devices,which in turn has led to a diversity of malware applications.The amount of research on Android malware detection has increased significantly in recent years and many detection systems have been proposed.Despite these efforts,however,most systems can be thwarted by sophisticated Androidmalware adopting obfuscation or native code to avoid discovery by anti-virus tools.In this paper,we propose a new static analysis technique to address the problems of obfuscating and native malware applications.The proposed system provides a unified technique for extracting features from applications and native libraries using a selection algorithm that can extract a small set of unique and effective features for detecting malware applications rapidly and with a high detection rate.Evaluation using large Android malware detection datasets obtained from various sources confirmed that the proposed approach achieves very promising results in terms of improved accuracy,low false positive rate,and high detection rate.
文摘There are several methods and technologies for comparing the statements, comments, strings, identifiers, and other visible elements of source code in order to efficiently identify similarity. In a prior paper we found that comparing the whitespace patterns was not precise enough to identify copying by itself. However, several possible methods for improving the precision of a whitespace pattern comparison were presented, the most promising of which was an examination of the sequences of lines with matching whitespace patterns. This paper demonstrates a method of evaluating the sequences of matching whitespace patterns and a detailed study of the method’s reliability.
文摘Malware is a software which is designed with an intent to damage a network or computer resources. Today, the emergence of malware is on boom letting the researchers develop novel techniques to protect computers and networks. The three major techniques used for malware detection are heuristic, signature-based, and behavior based. Among these, the most prevalent is the heuristic based malware detection. Hidden Markov Model is the most efficient technique for malware detection. In this paper, we present the Hidden Markov Model as a cutting edge malware detection tool and a comprehensive review of different studies that employ HMM as a detection tool.
文摘A user’s trajectory can be maliciously monitored by adversaries when they share the positions in location-aware social networking applications which require users to update their own locations continuously. An adversary infers user’s locations from the trajectories, and gleans user’s private information through them via location-aware social networking applications and public available geographic data. In this paper, we propose a user proprietary obfuscate system to suit situations for position sharing and location privacy preserving in location-aware social network. Users transform the public available geographic data into personal obfuscate region maps with pre-defined profile to prevent the location leaking in stationary status. Our obfuscation with size restricted regions method tunes user’s transformed locations fitting into natural movement and prevents unreasonable snapshot locations been recorded in the trajectory.
文摘The Internet of Things(loT)has grown rapidly due to artificial intelligence driven edge computing.While enabling many new functions,edge computing devices expand the vulnerability surface and have become the target of malware attacks.Moreover,attackers have used advanced techniques to evade defenses by transforming their malware into functionality-preserving variants.We systematically analyze such evasion attacks and conduct a large-scale empirical study in this paper to evaluate their impact on security.More specifically,we focus on two forms of evasion attacks:obfuscation and adversarial attacks.To the best of our knowledge,this paper is the first to investigate and contrast the two families of evasion attacks systematically.We apply 10 obfuscation attacks and 9 adversarial attacks to 2870 malware examples.The obtained findings are as follows.(1)Commercial Off-The-Shelf(COTS)malware detectors are vulnerable to evasion attacks.(2)Adversarial attacks affect COTS malware detectors slightly more effectively than obfuscated malware examples.(3)Code similarity detection approaches can be affected by obfuscated examples and are barely affected by adversarial attacks.(4)These attacks can preserve the functionality of original malware examples.
基金supported by the National Natural Science Foundation of China under Grant Nos.61373011,91318301,and 61321491
文摘Users are vulnerable to privacy risks when providing their location information to location-based services (LBS). Existing work sacrifices the quality of LBS by degrading spatial and temporal accuracy for ensuring user privacy. In this paper, we propose a novel approach, Complete Bipartite Anonymity (CBA), aiming to achieve both user privacy and quality of service. The theoretical basis of CBA is that: if the bipartite graph of k nearby users' paths can be transformed into a complete bipartite graph, then these users achieve k-anonymity since the set of "end points connecting to a specific start point in a graph" is an equivalence class. To achieve CBA, we design a Collaborative Path Confusion (CPC) protocol which enables nearby nsers to discover and authenticate each other without knowing their real identities or accurate locations, predict tile encounter location using users' moving pattern information, and generate fake traces obfuscating the real ones. We evaluate CBA using a real-world dataset, and compare its privacy performance with existing path confusion approach. The results show that CBA enhances location privacy by increasing the chance for a user confusing his/her path with others by 4 to 16 times in low user density areas. We also demonstrate that CBA is secure under the trace identification attack.