4 articles found
Tracking Your Browser with High-Performance Browser Fingerprint Recognition Model (cited by: 4)
1
Authors: Wei Jiang, Xiaoxi Wang, Xinfang Song, Qixu Liu, Xiaofeng Liu. China Communications (SCIE, CSCD), 2020, No. 3, pp. 168-175 (8 pages)
As the cyber security has attracted great attention in recent years, and with all kinds of tools’ (such as Network Agent, VPN and so on) help, traditional methods of tracking users like log analysis and cookie have been not that effective. Especially for some privacy sensitive users who changed their browser configuration frequently to hide themselves. The Browser Fingerprinting technology proposed by Electronic Frontier Foundation (EFF) gives a new approach of tracking users, and then our team designed an enhanced fingerprint dealing solution based on browser fingerprinting technology. Our enhanced solution plays well in recognizing the similar fingerprints, but it is not that efficient. Nowadays we improve the algorithm and propose a high-performance, efficient Browser Fingerprint Recognition Model. Our new model reforms the fingerprint items set by EFF and proposes a Fingerprint Tracking Algorithm (FTA) to deal with collected data. It can associate users with some browser configuration changes in different periods of time quickly and precisely. Through testing with the experimental website built on the public network, we prove the high-performance and efficiency of our algorithm with a 20% time-consuming decrease than ever.
Keywords: browser fingerprint; AHP; fingerprint tracking algorithm
MRm-DLDet: a memory-resident malware detection framework based on memory forensics and deep neural network
2
Authors: Jiaxi Liu, Yun Feng, Xinyu Liu, Jianjun Zhao, Qixu Liu. Cybersecurity (EI, CSCD), 2024, No. 1, pp. 88-109 (22 pages)
Cyber attackers have constantly updated their attack techniques to evade antivirus software detection in recent years. One popular evasion method is to execute malicious code and perform malicious actions only in memory. Malicious programs that use this attack method are called memory-resident malware, with excellent evasion capability, and have posed huge threats to cyber security. Traditional static and dynamic methods are not effective in detecting memory-resident malware. In addition, existing memory forensics detection solutions perform unsatisfactorily in detection rate and depend on massive expert knowledge in memory analysis. This paper proposes MRm-DLDet, a state-of-the-art memory-resident malware detection framework, to overcome these drawbacks. MRm-DLDet first builds a virtual machine environment and captures memory dumps, then creatively processes the memory dumps into RGB images using a pre-processing technique that combines deduplication and ultra-high resolution image cropping, followed by our neural network MRmNet in MRm-DLDet to fully extract high-dimensional features from memory dump files and detect them. MRmNet receives the labeled sub-images of the cropped high-resolution RGB images as input of ResNet-18, which extracts the features of the sub-images. Then trains a network of gated recurrent units with an attention mechanism. Finally, it determines whether a program is memory-resident malware based on the detection results of each sub-image through a specially designed voting layer. We created a high-quality dataset consisting of 2,060 benign and memory-resident programs. In other words, the dataset contains 1,287,500 labeled sub-images cut from the MRm-DLDet transformed ultra-high resolution RGB images. We implement MRm-DLDet for Windows 10, and it performs better than the latest methods, with a detection accuracy of up to 98.34%. Moreover, we measured the effects of mimicry and adversarial attacks on MRm-DLDet, and the experimental results demonstrated the robustness of MRm-DLDet.
Keywords: Memory-resident malware; Memory forensics; Malware detection; Deep learning; Ultra-high resolution image
Detecting compromised email accounts via login behavior characterization
3
Authors: Jianjun Zhao, Can Yang, Di Wu, Yaqin Cao, Yuling Liu, Xiang Cui, Qixu Liu. Cybersecurity (EI, CSCD), 2024, No. 1, pp. 16-36 (21 pages)
The illegal use of compromised email accounts by adversaries can have severe consequences for enterprises and society. Detecting compromised email accounts is more challenging than in the social network field, where email accounts have only a few interaction events (sending and receiving). To address the issue of insufficient features, we propose a novel approach to detecting compromised accounts by combining time zone differences and alternate logins to identify abnormal behavior. Based on this approach, we propose a compromised email account detection framework that relies on widely available and less sensitive login logs and does not require labels. Our framework characterizes login behaviors to identify logins that do not belong to the account owner and outputs a list of account-subnet pairs ranked by their likelihood of having abnormal login relationships. This approach reduces the number of account-subnet pairs that need to be investigated and provides a reference for investigation priority. Our evaluation demonstrates that our method can detect most email accounts that have been accessed by disclosed malicious IP addresses and outperforms similar research. Additionally, our framework has the capability to uncover undisclosed malicious IP addresses.
Keywords: Compromised account detection; Mixture model; Login log analysis; Attribution and forensic
A lightweight DDoS detection scheme under SDN context (cited by: 1)
4
Authors: Kun Jia, Chaoge Liu, Qixu Liu, Junnan Wang, Jiazhi Liu, Feng Liu. Cybersecurity (EI, CSCD), 2023, No. 1, pp. 75-89 (15 pages)
Software-defined networking (SDN), a novel network paradigm, separates the control plane and data plane into different network equipment to realize the flexible control of network traffic. Its excellent programmability and global view present many new opportunities. DDoS detection under the SDN context is an important and challenging research field. Some previous works attempted to collect and analyze statistics related to flows, usually recorded in switches, to address DDoS threats. In contrast, other works applied machine learning-based solutions to identify DDoS and achieved promising results. Generally, most previous works need to periodically request flow rules or packets to obtain flow statistics or features to detect stealthy exceptions. Nevertheless, the request for flow rules is very time-consuming and CPU-consuming; moreover may congest the communication channel between the controller and the switches. Therefore, we present FORT, a lightweight DDoS detection scheme, which spreads the rule-based detection algorithm at edge switches and determines whether to start it by periodically retrieving the ports state. A time-series algorithm, ARIMA, is utilized to determine the port statistics adaptively, and an SVM algorithm is applied to detect whether a DDoS attack does occur. Representative experiments demonstrate that FORT can significantly reduce the controller load and provide a reliable detection accuracy. Referring to the false alarm rate of 1.24% in the comparison scheme, the false alarm rate of this scheme is only 0.039%, which significantly reduces the probability of false alarm. Besides, by introducing the alarm mechanism, this scheme can reduce the load of the southbound channel by more than 60% in the normal state.
Keywords: DDOS; Port monitoring; Flow rule; Software defined network; MiniNet; RYU controller; Detection