Funding: National Science Foundation of China under Grant No. 61772191 and No. 61472131.
Abstract: Malware detection has become mission critical as its threats spread from computer systems to Internet of Things systems. Modern malware variants are generally equipped with sophisticated packers, which allow them to bypass modern machine-learning-based detection systems. To detect packed malware variants, unpacking techniques and dynamic malware analysis are the two choices. However, unpacking techniques are not always useful, since some packers, such as private packers, are hard to unpack. Although dynamic malware analysis can obtain the running behaviours of executables, the unpacking behaviours of packers add noisy information to the real behaviours of the executables, which adversely affects accuracy. To overcome these challenges, in this paper we propose a new method which first extracts a series of system calls that are sensitive to malicious behaviours, then uses principal component analysis to extract features from these sensitive system calls, and finally adopts multi-layer neural networks to classify the features of malware variants and legitimate executables. Theoretical analysis and real-life experimental results show that our packed malware variant detection technique is comparable with the state-of-the-art methods in terms of accuracy. Our approach achieves more than 95.6% detection accuracy and a classification time cost of 0.048 s.
Abstract: A new classification model for host intrusion detection based on unidentified short sequences and the RIPPER algorithm is proposed. The concepts of different short sequences on system call traces are strictly defined on the basis of an in-depth analysis of the completeness and correctness of pattern databases. Labels of short sequences are predicted by the learned RIPPER rule set, and the nature of the unidentified short sequences is confirmed by a statistical method. Experimental results indicate that the classification model clearly increases the deviation between attack traces and normal traces and improves detection capability against both known and unknown attacks.
Funding: This project is funded by King Abdulaziz City for Science and Technology (KACST) under the National Science, Technology, and Innovation Plan (Project Number 11-INF1657-04).
Abstract: This article presents an asset-based security system in which security practitioners build their systems on information they own rather than on information obtained by observing attackers' behavior. Current security solutions rely on information coming from attackers; examples are current monitoring and detection solutions such as intrusion prevention/detection systems and firewalls. This article envisions creating an imbalance between attackers and defenders in favor of defenders. As such, we propose to flip the security game so that it is led by defenders rather than attackers. We propose a security system that does not observe the behavior of the attack; on the contrary, we draw up, plan, and follow our own protection strategy regardless of the attack behavior. The objective of our security system is to protect assets rather than to protect against attacks. Virtual machine introspection is used to intercept, inspect, and analyze system calls. The system-call-based approach is used to detect zero-day ransomware attacks. The core idea is to take advantage of Xen and DRAKVUF for system call interception, and to leverage system calls to detect illegal operations against identified critical assets. We put this vision into practice by proposing an asset-based approach to mitigate zero-day ransomware attacks. The obtained results are promising and indicate that our prototype will achieve its goals.
Funding: Supported by the National Natural Science Foundation of China (No. 60473030).
Abstract: This paper presents a new method for computer intrusion detection based on a second-order stochastic model. The results show that the performance of the second-order stochastic model is better than that of a first-order stochastic model. In this study, different window sizes are also used to test the performance of the model. The detection results show that the second-order stochastic model is not as sensitive to the window size as the first-order stochastic model and the models of other previous research. The detection result for window sizes 6 and 10 is the same.