
EAI Endorsed Trans. Security Safety: Latest Publications

Network-based Analysis and Classification of Malware using Behavioral Artifacts Ordering
Pub Date : 2018-12-11 DOI: 10.4108/eai.13-7-2018.156002
Aziz Mohaisen, Omar Alrawi, Jeman Park, Joongheon Kim, Daehun Nyang, Manar Mohaisen
Using runtime execution artifacts to identify malware and its associated family is an established technique in the security domain. Many papers in the literature rely on explicit features derived from network, file system, or registry interaction. While effective, the use of these fine-granularity data points makes these techniques computationally expensive. Moreover, the signatures and heuristics are often circumvented by subsequent malware authors. In this work, we propose Chatter, a system that is concerned only with the order in which high-level system events take place. Individual events are mapped onto an alphabet, and execution traces are captured via terse concatenations of those letters. Then, leveraging an analyst-labeled corpus of malware, n-gram document classification techniques are applied to produce a classifier predicting the malware family. This paper describes that technique and its proof-of-concept evaluation. In its prototype form, only network events are considered and eleven malware families are used. We show the technique achieves 83%-94% accuracy in isolation and makes non-trivial performance improvements when integrated with a baseline classifier of combined order features, reaching an accuracy of up to 98.8%.
Citations: 6
A secure and lightweight multicast communication system for Smart Grids
Pub Date : 2018-12-11 DOI: 10.4108/eai.13-7-2018.156004
Tiago Antônio Rizzetti, B. Silva, A. Rodrigues, R. Milbradt, L. Canha
In the Smart Grids context, all communications must be handled in a secure way, including multicast traffic. Application Layer Multicast (ALM) algorithms provide better flexibility and can employ security mechanisms; however, they cause overhead on all nodes to build the multicast tree. In this work, another approach is proposed to provide secure multicast, focusing on filtering packets on nodes without the need for an overlay protocol. It uses the multihop property of Wireless Mesh Networks (WMN), usually employed to bring connectivity to smart meters. Also, there is support for message authentication codes (MAC) using symmetric cryptography, and an algorithm is presented to provide a secure key distribution system. The results show that this approach is lightweight, secure, and assures multicast message delivery, even on failures caused by attacks on the key distribution system. The key management protocol used to provide authentication and integrity is evaluated using an automated test tool. Received on 08 September 2018, accepted on 27 November 2018, published on 03 December 2018
Citations: 1
Formal Approach to Detect and Resolve Anomalies while Clustering ABAC Policies
Pub Date : 2018-12-03 DOI: 10.4108/eai.13-7-2018.156003
Maryem Ait El Hadj, A. Khoumsi, Yahya Benkaouz, M. Erradi
In big data environments with a large number of users and a high volume of data, we need to manage the corresponding huge number of security policies. Using the Attribute-Based Access Control (ABAC) model to ensure access control might become complex and hard to manage. Moreover, ABAC policies may be aggregated from multiple parties. Therefore, they may contain several anomalies such as conflicts and redundancies, resulting in safety and availability problems. Several policy analysis and design methods have been proposed. However, most of these methods do not preserve the original policy semantics. In this paper, we present an ABAC anomaly detection and resolution method based on the access domain concept, while preserving the policy semantics. To make the suggested method scalable for large policies, we decompose the policy into clusters of rules; the method is then applied to each cluster. We prove the correctness of the method and evaluate its computational complexity. Experimental results are given and discussed. Received on 11 October 2018; accepted on 16 November 2018; published on 03 December 2018
Citations: 7
Threats, Countermeasures and Attribution of Cyber Attacks on Critical Infrastructures
Pub Date : 2018-10-17 DOI: 10.4108/eai.15-10-2018.155856
L. Maglaras, M. Ferrag, A. Derhab, M. Mukherjee, H. Janicke, Stylianos Rallis
As Critical National Infrastructures are becoming more vulnerable to cyber attacks, their protection becomes a significant issue for any organization as well as for a nation. Moreover, the ability to attribute is a vital element of avoiding impunity in cyberspace. In this article, we present the main threats to critical infrastructures along with protective measures that a nation can take, classified according to legal, technical, organizational, capacity-building, and cooperation aspects. Finally, we provide an overview of current methods and practices regarding cyber attribution and cyber peacekeeping.
Citations: 28
How Stakeholders Perceived Security Risks? A New Predictive Functional Level Model and its Application to E-Learning
Pub Date : 2018-10-15 DOI: 10.4108/eai.15-10-2018.155738
N. Rjaibi, Latifa Ben Arfa Rabai
A new predictive functional-level security risk management model is proposed in order to quantify the security level perception and the level of risk involved. It helps in defining the assets, measuring the risk economically, and managing the risk toward decision making. It is out of implementation and based on a functional-level architecture. The paper defines a simple predictive model; it relies on a small number of inputs which form the system's security specifications and provides one output, which is the average loss per unit of time ($/H) incurred by a stakeholder as a result of security threats. The obtained values represent how stakeholders economically perceive security risks and predict how this will change over time, in order to implement the needed security strategies in advance. Our model is useful in any security context. We report it in practice originally at the level of e-Learning systems for current architectures because they lack a common measurable value and evidence of cyber security. Our model assists security experts from the early phases of a system's development to implement future safe and secure platforms.
Citations: 0
FPGA Implementation of Elliptic Curve Cryptoprocessor for Perceptual Layer of the Internet of Things
Pub Date : 2018-10-15 DOI: 10.4108/eai.15-10-2018.155739
V. Kamalakannan, S. Tamilselvan
In today's developing era, data and information security play an important role in unsecured communication between Internet of Things (IoT) elements. In IoT, data are transmitted in plaintext for many reasons. One of the most common reasons is the availability of hardware. Many IoT products are inexpensive components with limited memory and computational resources. Such devices might be unable to support the computationally intense cryptographic functions of asymmetric cryptography. If designers consider the privacy implications of unencrypted data, they have limited options for encryption because of the hardware platform. Therefore, the designers have to create their own security protocols or implement stripped-down versions of existing security protocols. The second option has better chances. Evidence suggests such a modified protocol would run efficiently on small devices. Elliptic Curve Cryptography (ECC) is used to ensure complete protection against security risks concerning confidentiality, integrity, privacy and authentication by implementing an Elliptic Curve Cryptoprocessor. The work focuses on a high-performance Elliptic Curve Cryptoprocessor design, optimized for Field Programmable Gate Array (FPGA) implementation, using the concept of asymmetric and hash algorithms. A novel cryptographic algorithm consisting of a matrix mapping methodology and hidden generator point theory is applied for encryption/decryption between the sender and receiver, whereas an Elliptic Curve Digital Signature Algorithm (ECDSA) designed using the Keccak Secure Hash Algorithm (SHA) is applied for the validation of the encrypted data. The proposed Cryptoprocessor operates at a minimum period of 6.980 ns and a maximum frequency of 143.276 MHz. This work focuses on the practicability of public key cryptography implementation for devices connected in the perceptual layer of IoT.
Citations: 1
A Multi-connection Encryption Algorithm Applied in Secure Channel Service System
Pub Date : 2018-10-15 DOI: 10.4108/eai.15-5-2018.155167
Fanhao Meng, Rongheng Lin, Zhuoran Wang, Hua Zou, Shiqi Zhou
Encryption is the most important method to enhance the security of network transmission. The SDN (Software Defined Networking) Security Transmission Service can provide a multi-connection transmission service, which scatters data over multiple network connections for transmission so that data on different connections are isolated from each other. Based on this service, encrypting the isolated data prevents the overall data from being intercepted and deciphered. In the above scenario, we propose an encryption algorithm that uses the data themselves as encryption keys, and uses the data isolation effect of multi-connection transmission to distribute the encrypted ciphertext to different network transmission paths, which is equivalent to using a rather random sequence as an encryption key for each data fragment without a sharp increase in transmitted data, so that data transmitted on every connection are ensured to be safe. After comparison with other encryption algorithms such as DES, AES and RSA, it is proved that in the multi-connection transmission scenario this algorithm has a better encryption effect and operating efficiency, which provides an effective guarantee for network security.
Citations: 4
Mouse Underlaying: Global Key and Mouse Listener Based on an Almost Invisible Window with Local Listeners and Sophisticated Focus
Pub Date : 2018-10-15 DOI: 10.4108/eai.15-10-2018.155740
Tim Niklas Witte
Keyloggers are serious threats for computer users, both private and commercial. If an attacker is capable of installing this malware on the victim's machine, then he or she is able to monitor the keystrokes of a user. This keylog contains login information. As a consequence, protection and detection techniques against keyloggers have become increasingly better. This article presents the method of Mouse Underlaying for creating a new kind of software-based keylogger. This method is implemented in Java for testing countermeasures concerning keylogger protection, virtual keyboards, and signature and behavior detection by anti-virus programs. Products of various manufacturers are used for demonstration purposes. All of them failed without exception. In addition, the reasons why these products failed are analyzed, and moreover, measures against Mouse Underlaying are developed based on the demonstration results. Received on 02 July 2018; accepted on 09 October 2018; published on 15 October 2018
Citations: 1
Kernel-Space Intrusion Detection Using Software-Defined Networking
Pub Date : 2018-10-09 DOI: 10.4108/EAI.13-7-2018.155168
Tommy Chin, Kaiqi Xiong, M. Rahouti
Software-Defined Networking (SDN) has encountered serious Denial of Service (DoS) attacks. However, existing approaches cannot sufficiently address serious attacks in the real world because they often present significant overhead and require long detection and mitigation times. In this paper, we propose a lightweight kernel-level intrusion detection and prevention framework called KernelDetect, which leverages modular string searching and filtering mechanisms together with SDN techniques. In KernelDetect, we sufficiently utilize the strengths of the Aho-Corasick algorithm and the Bloom filter to design KernelDetect using SDN. We further experimentally compare it with SNORT and BROS, two conventional and popular Intrusion Detection and Prevention Systems (IDPS), on the Global Environment for Networking Innovations (GENI), a real-world testbed. Our comprehensive studies through experimental data and analysis show that KernelDetect is more efficient and effective than SNORT and BROS. Received on 01 May 2018; accepted on 02 June 2018; published on 09 October 2018
Citations: 3
Leveraging attention-based deep neural networks for security vetting of Android applications
Pub Date : 2018-07-13 DOI: 10.4108/eai.27-9-2021.171168
Prabesh Pathak, Prabesh Poudel, Sankardas Roy, Doina Caragea
Many traditional machine learning and deep learning algorithms work as a black box and lack interpretability. Attention-based mechanisms can be used to address the interpretability of such models by providing insights into the features that a model uses to make its decisions. Recent success of attention-based mechanisms in natural language processing motivates us to apply the idea for security vetting of Android apps. An Android app’s code contains API-calls that can provide clues regarding the malicious or benign nature of an app. By observing the pattern of the API-calls being invoked, we can interpret the predictions of a model trained to separate benign apps from malicious apps. In this paper, using the attention mechanism, we aim to find the API-calls that are predictive with respect to the maliciousness of Android apps. More specifically, we target to identify a set of API-calls that malicious apps exploit, which might help the community discover new signatures of malware. In our experiment, we work with two attention-based models: Bi-LSTM Attention and Self-Attention. Our classification models achieve high accuracy in malware detection. Using the attention weights, we also extract the top 200 API-calls (that reflect the malicious behavior of the apps) from each of these two models, and we observe that there is significant overlap between the top 200 API-calls identified by the two models. This result increases our confidence that the top 200 API-calls can be used to improve the interpretability of the models. Received on 14 July 2021; accepted on 03 August 2021; published on 27 September 2021
Citations: 2