A Smart Obfuscation Approach to Protect Software in Cloud

Cloud computing and edge computing brought more software,which also brought a new danger of malicious software attacks.Data synchronization mechanisms of software can further help reverse data modifications.Based on the mechanisms,attackers can cover themselves behind the network and modify data undetected.Related knowledge of software reverse engineering can be organized as rules to accelerate the attacks,when attackers intrude cloud server to access the source or binary codes.Therefore,we proposed a novel method to resist this kind of reverse engineering by breaking these rules.Our method is based on software obfuscations and encryptions to enhance the security of distributed software and cloud services in the 5G era.Our method is capable of(1)replacing theoriginal assembly codes of theprotectedprogramwithequivalent assembly instructions inan iteration way,(2)obfuscating the control flow of the protected program to confuse attackers meanwhile keeps the program producing the same outputs,(3)encrypting data to confuse attackers.In addition,the approach can periodically and automatically modify the protected software binary codes,and the binary codes of the protected software are encrypted to resist static analysis and dynamic analysis.Furthermore,a simplified virtual machine is implemented to make the protected codes unreadable to attackers.Cloud game is one of the specific scenarios which needs low latency and strong data consistency.Cheat engine,Ollydbg,and Interactive Disassembler Professional(IDA)are used prevalently for games.Our improved methods can protect the software from the most vulnerable aspects.The improved dynamic code swapping and the simplified virtual machine technologies for cloud games are the main innovations.We inductively learned that our methods have been working well according to the security mechanisms and time complexity analysis.Experiments show that hidden dangers can be eliminated with efficient methods:Execution time and file sizes of the target codes can be multiple times than that of the original program codes which depend on specific program functions.

Control Flow Obfuscation Based Protection Method for Android Applications

With the popularization and rapid development of mobile intelligent terminals(MITs), the number of mobile applications, or apps, has increased exponentially. It is increasingly common for malicious code to be inserted into counterfeit apps, which can cause significant economic damage and threaten the security of users. Code obfuscation techniques are a highly efficient group of methods for code security protection. In this paper, we propose a novel control flow obfuscation based method for Android code protection. First, algorithms to insert irrelevant code and flatten the control flow are employed that minimize the cost of obfuscation while ensuring its strength. Second, we improve the traditional methods of control flow flattening to further reduce the costs of obfuscation. Lastly, the use of opaque predicates is strengthened by establishing an access control strategy, which converts the identification of opaque predicates in the entire program into a graph traversal problem, and thereby increases the strength of the code protection. We did some experiments to evaluate our method, and the results show that the proposed method can work well.

Layered obfuscation:a taxonomy of software obfuscation techniques for layered security

Software obfuscation has been developed for over 30 years.A problem always confusing the communities is what security strength the technique can achieve.Nowadays,this problem becomes even harder as the software economy becomes more diversified.Inspired by the classic idea of layered security for risk management,we propose layered obfuscation as a promising way to realize reliable software obfuscation.Our concept is based on the fact that real-world software is usually complicated.Merely applying one or several obfuscation approaches in an ad-hoc way cannot achieve good obscurity.Layered obfuscation,on the other hand,aims to mitigate the risks of reverse software engineering by integrating different obfuscation techniques as a whole solution.In the paper,we conduct a systematic review of existing obfuscation techniques based on the idea of layered obfuscation and develop a novel taxonomy of obfuscation techniques.Following our taxonomy hierarchy,the obfuscation strategies under different branches are orthogonal to each other.In this way,it can assist developers in choosing obfuscation techniques and designing layered obfuscation solutions based on their specific requirements.

Layered obfuscation:a taxonomy of software obfuscation techniques for layered security

Software obfuscation has been developed for over 30 years.A problem always confusing the communities is what security strength the technique can achieve.Nowadays,this problem becomes even harder as the software economy becomes more diversified.Inspired by the classic idea of layered security for risk management,we propose layered obfuscation as a promising way to realize reliable software obfuscation.Our concept is based on the fact that real-world software is usually complicated.Merely applying one or several obfuscation approaches in an ad-hoc way cannot achieve good obscurity.Layered obfuscation,on the other hand,aims to mitigate the risks of reverse software engineering by integrating different obfuscation techniques as a whole solution.In the paper,we conduct a systematic review of existing obfuscation techniques based on the idea of layered obfuscation and develop a novel taxonomy of obfuscation techniques.Following our taxonomy hierarchy,the obfuscation strategies under different branches are orthogonal to each other.In this way,it can assist developers in choosing obfuscation techniques and designing layered obfuscation solutions based on their specific requirements.

Are our clone detectors good enough?An empirical study of code effects by obfuscation

Clone detection has received much attention in many fields such as malicious code detection,vulnerability hunting,and code copyright infringement detection.However,cyber criminals may obfuscate code to impede violation detection.To date,few studies have investigated the robustness of clone detectors,especially in-fashion deep learning-based ones,against obfuscation.Meanwhile,most of these studies only measure the difference between one code snippet and its obfuscation version.However,in reality,the attackers may modify the original code before obfuscating it.Then what we should evaluate is the detection of obfuscated code from cloned code,not the original code.For this,we conduct a comprehensive study evaluating 3 popular deep-learning based clone detectors and 6 commonly used traditional ones.Regarding the data,we collect 6512 clone pairs of five types from the dataset BigCloneBench and obfuscate one program of each pair via 64 strategies of 6 state-of-art commercial obfuscators.We also collect 1424 non-clone pairs to evaluate the false positives.In sum,a benchmark of 524,148 code pairs(either clone or not)are generated,which are passed to clone detectors for evaluation.To automate the evaluation,we develop one uniform evaluation framework,integrating the clone detectors and obfuscators.The results bring us interesting findings on how obfuscation affects the performance of clone detection and what is the difference between traditional and deep learning-based clone detectors.In addition,we conduct manual code reviews to uncover the root cause of the phenomenon and give suggestions to users from different perspectives.

Cryptographic obfuscation for smart contracts: Trustless bitcoin bridge and more

Privacy protection for smart contracts is currently inadequate.Existing solutions for privacy-preserving smart contracts either support only a limited class of smart contracts or rely on noncryptographic assumptions.We propose a cryptographic obfuscation scheme for smart contracts based on existing blockchain mechanisms,standard cryptographic assumptions,and witness encryption.In the proposed scheme,an obfuscated smart contract does not reveal its algorithm and hardcoded secrets and preserves encrypted states.Any user can provide it with encrypted inputs and allow an untrusted third party to execute it.Although multiparty computation(MPC)among dynamically changing users is necessary,its privacy is protected if at least one user is honest.If the MPC does not finish within a period of time,anyone can cancel and restart it.The proposed scheme also supports decentralized obfuscation where even the participants of the obfuscation process cannot learn secrets in the obfuscated smart contract unless all of them are malicious.As its applications,we present a new trustless bitcoin bridge mechanism that exposes no secret key and privacy-preserving anti-money laundering built into smart contracts.

Malware Attacks Detection in IoT Using Recurrent Neural Network(RNN)

IoT(Internet of Things)devices are being used more and more in a variety of businesses and for a variety of tasks,such as environmental data collection in both civilian and military situations.They are a desirable attack target for malware intended to infect specific IoT devices due to their growing use in a variety of applications and their increasing computational and processing power.In this study,we investigate the possibility of detecting IoT malware using recurrent neural networks(RNNs).RNNis used in the proposed method to investigate the execution operation codes of ARM-based Internet of Things apps(OpCodes).To train our algorithms,we employ a dataset of IoT applications that includes 281 malicious and 270 benign pieces of software.The trained model is then put to the test using 100 brand-new IoT malware samples across three separate LSTM settings.Model exposure was not previously conducted on these samples.Detecting newly crafted malware samples with 2-layer neurons had the highest accuracy(98.18%)in the 10-fold cross validation experiment.A comparison of the LSTMtechnique to other machine learning classifiers shows that it yields the best results.

Generic,efficient,and effective deobfuscation and semantic-aware attack detection for Power Shell scripts

In recent years,Power Shell has increasingly been reported as appearing in a variety of cyber attacks.However,because the PowerShell language is dynamic by design and can construct script fragments at different levels,state-of-the-art static analysis based Power Shell attack detection approaches are inherently vulnerable to obfuscations.In this paper,we design the first generic,effective,and lightweight deobfuscation approach for PowerShell scripts.To precisely identify the obfuscated script fragments,we define obfuscation based on the differences in the impacts on the abstract syntax trees of PowerShell scripts and propose a novel emulation-based recovery technology.Furthermore,we design the first semantic-aware PowerShell attack detection system that leverages the classic objective-oriented association mining algorithm and newly identifies 31 semantic signatures.The experimental results on 2342 benign samples and 4141 malicious samples show that our deobfuscation method takes less than 0.5 s on average and increases the similarity between the obfuscated and original scripts from 0.5%to 93.2%.By deploying our deobfuscation method,the attack detection rates for Windows Defender and VirusTotal increase substantially from 0.33%and 2.65%to 78.9%and 94.0%,respectively.Moreover,our detection system outperforms both existing tools with a 96.7%true positive rate and a 0%false positive rate on average.

Secure oblivious transfer protocol from indistinguishability obfuscation

A new secure oblivious transfer （OT） protocol from indistinguishability obfuscation （iO） is proposed in this paper. The candidate iO and a dual-mode cryptosystem are the main technical tools of this scheme. Garg et al. introduced a candidate construction of iO in 2013. Following their steps, a new k-out-of-1 OT protocol is presented here, and its realization from decisional Diffie-Hellman （DDH） is described in this paper, in which iO was combined with the dual-mode cryptosystem. The security of the scheme mainly relies on the indistinguishability of the obf-branches （corresponding to the two modes in dual-mode model）. This paper explores a new way for the application of iO.

Deobfuscating Mobile Malware for Identifying Concealed Behaviors

The smart phone market is continuously increasing and there are more than 6 billion of smart phone users worldwide with the aid of the 5G technology.Among them Android occupies 87%of the market share.Naturally,the widespread Android smartphones has drawn the attention of the attackers who implement and spread malware.Consequently,currently the number of malware targeting Android mobile phones is ever increasing.Therefore,it is a critical task to find and detect malicious behaviors of malware in a timely manner.However,unfortunately,attackers use a variety of obfuscation techniques for malware to evade or delay detection.When an obfuscation technique such as the class encryption is applied to a malicious application,we cannot obtain any information through a static analysis regarding its malicious behaviors.Hence,we need to rely on the manual,dynamic analysis to find concealed malicious behaviors from obfuscated malware.To avoid malware spreading out in larger scale,we need an automated deobfuscation approach that accurately deobfuscates obfuscated malware so that we can reveal hidden malicious behaviors.In this study,we introduce widely-used obfuscation techniques and propose an effective deobfuscation method,named ARBDroid,for automatically deobfuscating the string encryption,class encryption,and API hiding techniques.Our evaluation results clearly demonstrate that our approach can deobfuscate obfuscated applications based on dynamic analysis results.

High Performance Classification of Android Malware Using Ensemble Machine Learning

Although Android becomes a leading operating system in market,Android users suffer from security threats due to malwares.To protect users from the threats,the solutions to detect and identify the malware variant are essential.However,modern malware evades existing solutions by applying code obfuscation and native code.To resolve this problem,we introduce an ensemble-based malware classification algorithm using malware family grouping.The proposed family grouping algorithm finds the optimal combination of families belonging to the same group while the total number of families is fixed to the optimal total number.It also adopts unified feature extraction technique for handling seamless both bytecode and native code.We propose a unique feature selection algorithm that improves classification performance and time simultaneously.2-gram based features are generated from the instructions and segments,and then selected by using multiple filters to choose most effective features.Through extensive simulation with many obfuscated and native code malware applications,we confirm that it can classify malwares with high accuracy and short processing time.Most existing approaches failed to achieve classification speed and detection time simultaneously.Therefore,the approach can help Android users to keep themselves safe from various and evolving cyber-attacks very effectively.

Unified Detection of Obfuscated and Native Android Malware

The Android operating system has become a leading smartphone platform for mobile and other smart devices,which in turn has led to a diversity of malware applications.The amount of research on Android malware detection has increased significantly in recent years and many detection systems have been proposed.Despite these efforts,however,most systems can be thwarted by sophisticated Androidmalware adopting obfuscation or native code to avoid discovery by anti-virus tools.In this paper,we propose a new static analysis technique to address the problems of obfuscating and native malware applications.The proposed system provides a unified technique for extracting features from applications and native libraries using a selection algorithm that can extract a small set of unique and effective features for detecting malware applications rapidly and with a high detection rate.Evaluation using large Android malware detection datasets obtained from various sources confirmed that the proposed approach achieves very promising results in terms of improved accuracy,low false positive rate,and high detection rate.

AdaptiveMutate:a technique for privacy preservation

Mobile apps are known to be rich sources for gathering privacy-sensitive information about smartphone users.Despite the presence of encryption,passive network adversaries who have access to the network infrastructure can eavesdrop on the traffic and therefore fingerprint a user’s app by means of packet-level traffic analysis.Since it is difficult to prevent the adversaries from accessing the network,providing secrecy in hostile environments becomes a serious concern.In this study,we propose AdaptiveMutate,a privacy-leak thwarting technique to defend against the statistical traffic analysis of apps.First,we present a method for the identification of mobile apps using traffic analysis.Further,we propose a confusion system in which we obfuscate packet lengths,and/or inter-arrival time information leaked by the mobile traffic to make it hard for intruders to differentiate between the altered app traffic and the actual one using statistical analysis.Our aim is to shape one class of app traffic to obscure its features with the minimum overhead.Our system strives to dynamically maximize its efficiency by matching each app with the corresponding most dissimilar app.Also,AdaptiveMutate has an adaptive capability that allows it to choose the most suitable feature to mutate,depending on the type of apps analyzed and the classifier used,if known.We evaluate the efficiency of our model by conducting a comprehensive simulation analysis that mutates different apps to each other using AdaptiveMutate.We conclude that our algorithm is most efficient when we mutate a feature of one app to its most dissimilar one in another app.When applying the identification technique,we achieve a classification accuracy of 91.1%.Then,using our obfuscation technique,we are able to reduce this accuracy to 7%.Also,we test our algorithm against a recently published approach for mobile apps classification and we are able to reduce its accuracy from 94.8%to 17.9%.Additionally,we analyze the tradeoff between the shaping cost and traffic privacy protection,specifically,the associated overhead and the feasibility for real-time implementation.

Measuring Whitespace Pattern Sequences as an Indication of Plagiarism

There are several methods and technologies for comparing the statements, comments, strings, identifiers, and other visible elements of source code in order to efficiently identify similarity. In a prior paper we found that comparing the whitespace patterns was not precise enough to identify copying by itself. However, several possible methods for improving the precision of a whitespace pattern comparison were presented, the most promising of which was an examination of the sequences of lines with matching whitespace patterns. This paper demonstrates a method of evaluating the sequences of matching whitespace patterns and a detailed study of the method’s reliability.

A Comparison of Malware Detection Techniques Based on Hidden Markov Model

Malware is a software which is designed with an intent to damage a network or computer resources. Today, the emergence of malware is on boom letting the researchers develop novel techniques to protect computers and networks. The three major techniques used for malware detection are heuristic, signature-based, and behavior based. Among these, the most prevalent is the heuristic based malware detection. Hidden Markov Model is the most efficient technique for malware detection. In this paper, we present the Hidden Markov Model as a cutting edge malware detection tool and a comprehensive review of different studies that employ HMM as a detection tool.

A User Proprietary Obfuscate System for Positions Sharing in Location-Aware Social Networks

A user’s trajectory can be maliciously monitored by adversaries when they share the positions in location-aware social networking applications which require users to update their own locations continuously. An adversary infers user’s locations from the trajectories, and gleans user’s private information through them via location-aware social networking applications and public available geographic data. In this paper, we propose a user proprietary obfuscate system to suit situations for position sharing and location privacy preserving in location-aware social network. Users transform the public available geographic data into personal obfuscate region maps with pre-defined profile to prevent the location leaking in stationary status. Our obfuscation with size restricted regions method tunes user’s transformed locations fitting into natural movement and prevents unreasonable snapshot locations been recorded in the trajectory.

Malware Evasion Attacks Against IoT and Other Devices: An Empirical Study

The Internet of Things(loT)has grown rapidly due to artificial intelligence driven edge computing.While enabling many new functions,edge computing devices expand the vulnerability surface and have become the target of malware attacks.Moreover,attackers have used advanced techniques to evade defenses by transforming their malware into functionality-preserving variants.We systematically analyze such evasion attacks and conduct a large-scale empirical study in this paper to evaluate their impact on security.More specifically,we focus on two forms of evasion attacks:obfuscation and adversarial attacks.To the best of our knowledge,this paper is the first to investigate and contrast the two families of evasion attacks systematically.We apply 10 obfuscation attacks and 9 adversarial attacks to 2870 malware examples.The obtained findings are as follows.(1)Commercial Off-The-Shelf(COTS)malware detectors are vulnerable to evasion attacks.(2)Adversarial attacks affect COTS malware detectors slightly more effectively than obfuscated malware examples.(3)Code similarity detection approaches can be affected by obfuscated examples and are barely affected by adversarial attacks.(4)These attacks can preserve the functionality of original malware examples.

Complete Bipartite Anonymity for Location Privacy

Users are vulnerable to privacy risks when providing their location information to location-based services （LBS）. Existing work sacrifices the quality of LBS by degrading spatial and temporal accuracy for ensuring user privacy. In this paper, we propose a novel approach, Complete Bipartite Anonymity （CBA）, aiming to achieve both user privacy and quality of service. The theoretical basis of CBA is that： if the bipartite graph of k nearby users＇ paths can be transformed into a complete bipartite graph, then these users achieve k-anonymity since the set of ＂end points connecting to a specific start point in a graph＂ is an equivalence class. To achieve CBA, we design a Collaborative Path Confusion （CPC） protocol which enables nearby nsers to discover and authenticate each other without knowing their real identities or accurate locations, predict tile encounter location using users＇ moving pattern information, and generate fake traces obfuscating the real ones. We evaluate CBA using a real-world dataset, and compare its privacy performance with existing path confusion approach. The results show that CBA enhances location privacy by increasing the chance for a user confusing his/her path with others by 4 to 16 times in low user density areas. We also demonstrate that CBA is secure under the trace identification attack.

Research on location privacy protection method of sensor-cloud base station

In view of the privacy security issues such as location information leakage in the interaction process between the base station and the sensor nodes in the sensor-cloud system, a base station location privacy protection algorithm based on local differential privacy(LDP) is proposed. Firstly, through the local obfuscation algorithm(LOA), the base station can get the data of the real location and the pseudo location by flipping a coin, and then send the data to the fog layer, then the obfuscation location domain set is obtained. Secondly, in order to reconstruct the location distribution of the real location and the pseudo location in the base station, the location domain of the base station is divided into several decentralized sub-regions, and a privacy location reconstruction algorithm(PLRA) is performed in each sub-region. Finally, the base station correlates the location information of each sub-region, and then uploads the data information containing the disturbance location to the fog node layer. The simulation results show that compared with the existing base station location anonymity and security technique(BLAST) algorithm, the proposed method not only reduce the algorithm’s running time and network delay, but also improve the data availability. So the proposed method can protect the location privacy of the base station more safely and efficiently.

CCA1 secure FHE from PIO,revisited

Fully homomorphic encryption(FHE)is a powerful cryptographic primitive that allows anyone to compute on encrypted data using only public information.So far,most FHE schemes are CPA secure.In PKC 2017,Canetti et al.extended the generic transformation of Boneh,Canetti,Halevi and Katz to turn any multi-key identity-based FHE scheme into a CCA1-secure FHE scheme.Their main construction of multi-key identity-based FHE is from probabilistic indistinguishability obfuscation(PIO)and statistical trapdoor encryption.We show that the above multi-key identity-based FHE is not secure by giving an attack.Then we give a solution to avoid the attack and redesign a more succinct and efficient multi-key identity-based FHE scheme.Compared with the scheme of Canetti et al.,ours has smaller secret key of one identity and more efficient homomorphic operations.Thus we obtain a more efficient CCA1 secure FHE scheme.