
2013 International Conference on Security and Cryptography (SECRYPT): Latest Articles

Practical and exposure-resilient hierarchical ID-based authenticated key exchange without random oracles
Pub Date : 2013-07-29 DOI: 10.1587/TRANSFUN.E97.A.1335
Kazuki Yoneyama
ID-based authenticated key exchange (ID-AKE) is a cryptographic tool to establish a common session key between parties with authentication based on their IDs. If IDs contain some hierarchical structure such as an email address, hierarchical ID-AKE (HID-AKE) is especially suitable because of scalability. However, most existing HID-AKE schemes do not satisfy advanced security properties such as forward secrecy, and the only known strongly secure HID-AKE scheme is inefficient. In this paper, we propose a new HID-AKE scheme which achieves both strong security and efficiency. We prove that our scheme is eCK-secure (which ensures maximal-exposure-resilience including forward secrecy) without random oracles, while existing schemes are proved in the random oracle model. Moreover, the number of messages and pairing operations are independent of the hierarchy depth; that is, really scalable and practical for a large system.
Citations: 3
Development of device identity using WiFi layer 2 management frames for combating Rogue APs
Pub Date : 2013-07-29 DOI: 10.5220/0004506404880493
J. Milliken, Valerio Selis, K. Yap, A. Marshall
The susceptibility of WiFi networks to Rogue Access Point attacks derives from the lack of identity for 802.11 devices. The most common means of detecting these attacks in current research is through tracking the credentials or the location of unauthorised and possibly malicious APs. In this paper, the authors outline a method of distinguishing WiFi Access Points using 802.11 MAC layer management frame traffic profiles. This system does not require location estimation or credential tracking techniques as used in current research techniques, which are known to be inaccurate. These characteristic management traffic profiles are shown to be unique for each device, tantamount to a MAC identity. The application of this technique to solving Rogue AP attacks under the constraints of an open access, public WiFi environment is discussed with the conclusion that the identity is practically very difficult to forge.
Citations: 3
A model-driven approach for securing software architectures
Pub Date : 2013-07-29 DOI: 10.5220/0004611305950602
M. A. Neri, M. Guarnieri, E. Magri, S. Mutti, S. Paraboschi
Current IT systems consist usually of several components and services that communicate and exchange data over the Internet. They have security requirements that aim at avoiding information disclosure and at showing compliance with government regulations. In order to effectively handle the security management of complex IT systems, techniques are needed to help the security administrator in the design and configuration of the security architecture. We propose a model-driven security approach for the design and generation of concrete security configurations for software architectures. In our approach the system architect models the architecture of the system by means of UML class diagrams, and then the security administrator adds security requirements to the model by means of Security4UML, a UML profile. From the model enriched with security requirements, the concrete security configuration is derived in a semi-automated way. We present a tool that supports this model-driven approach, and a case study that involves a distributed multi-user meeting scheduler application.
Citations: 5
Policy-based non-interactive outsourcing of computation using multikey FHE and CP-ABE
Pub Date : 2013-07-29 DOI: 10.5220/0004534304440452
Michael Clear, C. McGoldrick
We consider the problem of outsourced computation that operates on encrypted inputs supplied by multiple independent parties. To facilitate fine-grained access control, it would be desirable if each party could encrypt her input under an appropriate access policy. Moreover, a party should only be authorized to decrypt the result of a computation performed on a set of encrypted inputs if his credentials satisfy the composition of all input policies. There has been limited success so far achieving homomorphic encryption in the functional setting; that is, for primitives such as Ciphertext-Policy Attribute Based Encryption (CP-ABE) and Identity Based Encryption (IBE). We introduce a new primitive that captures homomorphic encryption with support for access policies and policy composition. We then present a generic construction using CP-ABE and multikey Fully-Homomorphic encryption (FHE). Furthermore, we show that a CP-ABE scheme that is homomorphic for circuits of polylogarithmic depth in some parameter m implies a CP-ABE scheme that is homomorphic for circuits of arity m and unbounded depth.
Citations: 7
Secure computation of hidden Markov models
Pub Date : 2013-07-29 DOI: 10.5220/0004533502420253
Mehrdad Aliasgari, Marina Blanton
Hidden Markov Model (HMM) is a popular statistical tool with a large number of applications in pattern recognition. In some of such applications, including speaker recognition in particular, the computation involves personal data that can identify individuals and must be protected. For that reason, we develop privacy-preserving techniques for HMM and Gaussian mixture model (GMM) computation suitable for use in speaker recognition and other applications. Unlike prior work, our solution uses floating point arithmetic, which allows us to simultaneously achieve high accuracy, provable security guarantees, and reasonable performance. We develop techniques for both two-party HMM and GMM computation based on threshold homomorphic encryption and multi-party computation based on threshold linear secret sharing, which are suitable for secure collaborative computation as well as secure outsourcing.
Citations: 19
AVON: A fast Hash function for Intel SIMD architectures
Pub Date : 2013-07-29 DOI: 10.5220/0004502104820487
Matt Henricksen, S. Kiyomoto
In this paper, we propose a hash function that takes advantage of the AES-NI and other Single-Instruction Multiple-Data operations on Intel x64 platforms to generate digests very efficiently. It is suitable for applications in which a server needs to securely hash electronic documents at a rate of several cycles/byte. This makes it much more efficient for certain applications than SHA-2, SHA-3 or any of the SHA-3 finalists. On the common Sandy Bridge micro-architecture, our hash function, AVON, has a throughput of 2.65 cycles per byte while retaining a high degree of security.
Citations: 0
Privacy-enhanced perceptual hashing of audio data
Pub Date : 2013-07-29 DOI: 10.5220/0004532605490554
H. Knospe
Audio hashes are compact and robust representations of audio data and allow the efficient identification of specific recordings and their transformations. Audio hashing for music identification is well established and similar algorithms can also be used for speech data. A possible application is the identification of replayed telephone spam. This contribution investigates the security and privacy issues of perceptual hashes and follows an information-theoretic approach. The entropy of the hash should be large enough to prevent the exposure of audio content. We propose a privacy-enhanced randomized audio hash and analyze its entropy as well as its robustness and discrimination power over a large number of hashes.
Citations: 4
Extending the ciphertext-policy attribute based encryption scheme for supporting flexible access control
Pub Date : 2013-07-29 DOI: 10.5220/0004525801470157
B. Lang, Runhua Xu, Yawei Duan
Ciphertext-Policy Attribute Based Encryption (CP-ABE) is recognized as an important data protection mechanism in cloud computing environment for its flexible, scalable and fine-grained access control features. For enhancing its security, efficiency and policy flexibility, researchers have proposed different schemes of CP-ABE which have different kinds of access policy structures. However, as far as we know, most of these structures only support AND, OR and threshold attribute operations. In order to achieve more effective data self-protection mechanisms in open environments such as Cloud computing, CP-ABE needs to support more flexible attribute based policies, most of which are described using operators of NOT, <, ≤, >, ≥. This paper proposed an Extended CP-ABE (ECP-ABE) scheme based on the existing CP-ABE scheme. The ECP-ABE scheme can express any access policy represented by arithmetic comparison and logical expressions that involve NOT, <, ≤, >, ≥ operators in addition to AND, OR and threshold operators. We prove the Chosen-plaintext Attack (CPA) security of our scheme under the Decisional Bilinear Diffie-Hellman (DBDH) assumption in the standard model, and also discuss the experimental results of the efficiency of ECP-ABE.
Citations: 8
LMM: A common component for software license management on cloud
Pub Date : 2013-07-29 DOI: 10.5220/0004504502840295
S. Kiyomoto, André Rein, Yuto Nakano, C. Rudolph, Yutaka Miyake
In a cloud environment, the platform that runs a program is not fixed, and there is a possibility that a program runs on several servers in a cloud environment. Transferability of the license information by a valid user should be allowed, even though general requirements for license management have to be satisfied. In this paper, we consider software license management models for cloud environments, and discuss security functions for building secure license management schemes. We show four license management models and analyze the security requirements for the models. Then, we design a common component referred to as the license management module (LMM), and explain the security functions required for the LMM. Furthermore, we discuss how to realize the security functions and evaluate their performance using a prototype implementation.
Citations: 3
Behavior-based Malware analysis using profile hidden Markov models
Pub Date : 2013-07-29 DOI: 10.5220/0004528201950206
S. Ravi, N. Balakrishnan, Bharath Venkatesh
In the area of malware analysis, static binary analysis techniques are becoming increasingly difficult with the code obfuscation methods and code packing employed when writing the malware. The behavior-based analysis techniques are being used in large malware analysis systems because of this reason. In these dynamic analysis systems, the malware samples are executed and monitored in a controlled environment using tools such as CWSandbox (Willems et al., 2007). In previous works, a number of clustering and classification techniques from machine learning and data mining have been used to classify malware into families and to identify even new malware families, from the behavior reports. In our work, we propose to use the Profile Hidden Markov Model to classify the malware files into families or groups based on their behavior on the host system. PHMM has been used extensively in the area of bioinformatics to search for similar protein and DNA sequences in a large database. We see that using this particular model will help us overcome the hurdle posed by polymorphism that is common in malware today. We show that the classification accuracy is high and comparable with the state-of-the-art methods, even when using very few training samples for building models. The experiments were on a dataset with 24 families initially, and later using a larger dataset with close to 400 different families of malware. A fast clustering method to group malware with similar behaviour following the scoring on the PHMM profile database was used for the large dataset. We have presented the challenges in the evaluation methods and metrics of clustering on a large number of malware files and show the effectiveness of using profile hidden Markov models for known malware families.
Citations: 11
Journal
2013 International Conference on Security and Cryptography (SECRYPT)