Funding: Supported in part by Universiti Kebangsaan Malaysia (UKM) under Grant GUP-2019-062 and Grant GP-2019-K005539, and in part by the Ministry of Education Malaysia under Grant FRGS/1/2018/ICT04/UKM/02/3.
Abstract: The study of malware behaviors has, over the last years, received tremendous attention from researchers for the purpose of reducing malware risks. Most of the investigating experiments are performed using either static analysis or behavior analysis. However, recent studies have shown that both analyses are vulnerable to modern malware files that use several techniques to avoid analysis and detection. Therefore, extracted features could be meaningless and a distraction for malware analysts. However, the volatile memory can expose useful information about malware behaviors and characteristics. In addition, memory analysis is capable of detecting unconventional malware, such as in-memory and fileless malware. However, memory features have not been fully utilized yet. Therefore, this work aims to present a new malware detection and classification approach that extracts memory-based features from memory images using memory forensic techniques. The extracted features can expose the malware's real behaviors, such as interacting with the operating system, DLL and process injection, communicating with a command and control site, and requesting higher privileges to perform specific tasks. We also applied feature engineering and converted the features to binary vectors before training and testing the classifiers. The experiments show that the proposed approach has a high classification accuracy rate of 98.5% and a false positive rate as low as 1.24% using the SVM classifier. The efficiency of the approach has been evaluated by comparing it with other related works. Also, a new memory-based dataset consisting of 2502 malware files and 966 benign samples forming 8898 features and belonging to six memory types has been created and published online for research purposes.
Funding: This work is supported by the National Natural Science Foundation of China (61070163) and the Shandong Natural Science Foundation (Y2008G35).
Abstract: Memory analysis is gaining weight in the area of computer live forensics. How to get network connection information is one of the challenges in memory analysis and plays an important role in identifying the sources of malicious cyber attacks. It is more difficult to find the drivers and get network connection information from a 64-bit Windows 7 memory image file than from a 32-bit operating system memory image file. In this paper, an approach to find drivers and get network connection information from 64-bit Windows 7 memory images is given. The method is verified on 64-bit Windows 7 version 6.1.7600 and proved reliable and efficient.
Funding: This work is supported by the National Natural Science Foundation of China (61070163) and the Shandong Natural Science Foundation (Y2008G35).
Abstract: Although the FireWire-based memory acquisition method has been introduced for several years, the methodologies are not discussed in detail and practical tools are still lacking. Besides, the existing method does not work stably when dealing with different versions of Windows. In this paper, we compare different memory acquisition methods and discuss their virtues and disadvantages. Then, the methodologies of FireWire-based memory acquisition are discussed. Finally, we give a practical implementation of a FireWire-based acquisition tool that can work well with different versions of Windows without causing BSoD problems.
Funding: This work is supported by the National Natural Science Foundation of China (61070163) and the Shandong Natural Science Foundation (Y2008G35).
Abstract: A method to extract network connection status information from physical memory on the Windows Vista operating system is proposed. Using this method, a forensic examiner can accurately extract the information of current TCP/IP network connections, including the IDs of the processes which established the connections, establishing time, local address, local port, remote address, remote port, etc., from a physical memory image on the Windows Vista operating system. This method is reliable and efficient. It is verified on Windows Vista, Windows Vista SP1, and Windows Vista SP2.
Funding: Sponsored by the National Natural Science Foundation of China (Grant No. 61303199), the Natural Science Foundation of Shandong Province (Grant No. ZR2013FQ001 and ZR2011FQ030), the Outstanding Research Award Fund for Young Scientists of Shandong Province (Grant No. BS2013DX010), and the Academy of Sciences Youth Fund Project of Shandong Province (Grant No. 2013QN007).
Abstract: Memory analysis is one of the key techniques in computer live forensics. In particular, the analysis of a Mac OS X operating system's memory image file plays an important role in identifying the running status of an Apple computer. However, how to analyze the image file without using an extra "mach-kernel" file is one of the unsolved difficulties. In this paper, we first compare several approaches for physical memory acquisition and analyze the effects of each approach on physical memory. Then, we discuss the traditional methods for physical memory file analysis on Mac OS X. A novel physical memory image file analysis approach without using an extra "mach-kernel" file is proposed based on the discussion. We verify the performance of the new approach on Mac OS X 10.8.2. The experimental results show that the proposed approach is simpler and more practical than previous ones.
Funding: Supported by the Strategic Leading Project of the Chinese Academy of Sciences (Grant No. XDA15014603).
Abstract: Previous research on deep-space networks based on delay-tolerant networking (DTN) has mainly focused on the performance of DTN protocols in simple networks; hence, research on complex networks is lacking. In this paper, we focus on network evaluation and protocol deployment for complex DTN-based deep-space networks and apply the results to a novel complex deep-space network based on the Universal Interplanetary Communication Network (UNICON-CDSN) proposed by the National Space Science Center (NSSC) for simulation and verification. A network evaluation method based on network capacity and memory analysis is proposed. Based on a performance comparison between the Licklider Transmission Protocol (LTP) and the Transmission Control Protocol (TCP) with the Bundle Protocol (BP) in various communication scenarios, a transport protocol configuration proposal is developed and used to construct an LTP deployment scheme for UNICON-CDSN. For the LTP deployment scheme, a theoretical model of file delivery time over complex deep-space networks is built. A network evaluation with the method proposed in this paper proves that UNICON-CDSN satisfies the requirements for the 2020 Mars exploration mission Curiosity. Moreover, simulation results from a universal space communication network testbed (USCNT) designed by us show that the LTP deployment scheme is suitable for UNICON-CDSN.
Abstract: In the absence of specialized encryption hardware, cryptographic operations must be performed in main memory. As such, it is commonplace for cybercriminals to examine the content of main memory with a view to retrieving high-value data in plaintext form and/or the associated decryption key. In this paper, the author presents a number of simple methods for identifying and extracting cryptographic keys from memory dumps of software applications that utilize the Microsoft .NET Framework, as well as source-code level countermeasures to protect against same. Given the EXE file of an application and a basic knowledge of the cryptographic libraries utilized in the .NET Framework, the author shows how to create a memory dump of a running application and how to extract cryptographic keys from same using WinDBG, without any prior knowledge of the cryptographic key utilized. Whilst the proof-of-concept application utilized as part of this paper uses an implementation of the DES cipher, it should be noted that the steps shown can be utilized against all three generations of symmetric and asymmetric ciphers supported within the .NET Framework.
Funding: Supported by the National Natural Science Foundation of China (61272451, 61572380, 61772383 and 61702379) and the Major State Basic Research Development Program of China (2014CB340600).
Abstract: The global growth of the Internet and the rapid expansion of social networks such as Facebook make multilingual sentiment analysis of social media content very necessary. This paper performs the first sentiment analysis on code-mixed Bambara-French Facebook comments. We develop four Long Short-Term Memory (LSTM)-based models and two Convolutional Neural Network (CNN)-based models, and use these six models, Naïve Bayes, and Support Vector Machines (SVM) to conduct experiments on a constituted dataset. Social media text written in Bambara is scarce. To mitigate this weakness, this paper uses dictionaries of character and word indexes to produce character and word embeddings in place of pre-trained word vectors. We investigate the effect of comment length on the models and perform a comparison among them. The best performing model is a one-layer CNN deep learning model with an accuracy of 83.23%.
Funding: Project supported by the Zhejiang Provincial Natural Science Foundation of China (No. LQ14F040001), the National Natural Science Foundation of China (Nos. 61274132, 61234002), and the K.C. Wong Magna Fund in Ningbo University, China.
Abstract: A power balance static random-access memory (SRAM) for resistance to differential power analysis (DPA) is proposed. In the proposed design, the switching power consumption and short-circuit power consumption are balanced by discharging and pre-charging the key nodes of the output circuit and adding an additional short-circuit current path. Thus, the power consumption is constant in every read cycle. As a result, the DPA-resistant ability of the SRAM is improved. In 65 nm CMOS technology, the power balance SRAM is fully custom designed with a layout area of 5863.6 μm^2. The post-simulation results show that the normalized energy deviation (NED) and normalized standard deviation (NSD) are 0.099% and 0.04%, respectively. Compared to existing power balance circuits, the power balance ability of the proposed SRAM has improved by 53%.