Xueluan Gong,Yanjiao Chen,Huayang Huang,Weihan Kong,Ziyao Wang,Chao Shen,Qian Wang

DOI: https://doi.org/10.1109/tdsc.2023.3286842

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Deep neural networks are vulnerable to backdoor attacks, where a specially-designed trigger will lead to misclassification of any benign samples. However, existing backdoor attacks usually impose conspicuous patch triggers on images, which are easily detected by humans and defense algorithms. Existing works on invisible triggers, however, either have reduced attack success rate or yield detectable patterns to visual inspections. In this article, we propose KerbNet, a kernel-based backdoor attack framework, which applies kernel operations to clean samples as the trigger to incur misclassification. The kernel-processed samples achieve a high attack success rate while appearing natural with high Quality-of-Experience (QoE). We carefully design the kernel trigger generation algorithm by exploiting the neural network structure to propagate the influence of the trigger to the target misclassification label under the QoE constraint. We conduct extensive experiments on five datasets, i.e., MNIST, GTSRB, CIFAR-10, CelebA, and ImageNette to evaluate the effectiveness and practicality of KerbNet under the impact of various factors, including neuron-residing layer, kernel size, base image, loss function, model structure, and so on. We also show that our proposed attacks can evade state-of-the-art defense strategies and visual inspections. Code will be available after publication.

CHEN Liyue,SUN Xin,CHENG Tiansheng,WU Chunming,CHEN Shuangxi

DOI: https://doi.org/10.11959/j.issn.1000-0801.2020142

2020-01-01

Abstract:Rootkit is a set of persistent and undetectable attack technologies,which can hide their attack behavior and backdoor trace by modifying software or kernel in operating system and changing execution path of instruction.Firstly,the basic definition and evolution of Rootkit were introduced,then the operating principle,current mainstream technology and detection methods of Rootkit were discussed.Then,through comparative experiments on performance and security,the application of mimic defense system was described for Web based on dynamic,heterogeneous,redundant structure under Trojan Horse attack.Experiments show that mimic defense system can effectively defend against Trojan Horse in tests in the premise of low overhead.At last,the opportunities and challenges of the DHR system were summarized.

XU Ming,YANG Tong,ZHENG Lian-qing,ZHANG Chuan-rong

2011-01-01

Abstract:To reinforce network security and prevent Trojan horse attacks,a concealing technology by triple jump in load and thread guard is analyzed and implemented with an example,and a Trojan horse using the technology is programmed,and the hidden nature and survivability of the Trojan horse is enhanced by it.Finally,the corresponding cleaning method is put forward.Experimental results show that the Trojan horse completes the expected hidden features,and can penetrate the latest Rising anti-virus software,Rising Firewall and general hardware firewalls,which demonstrate the feasibility and effectiveness of the concealing technology.

Fan Zhang,Chen Dong,Wucheng Hu,Jinghui Chen,Guorong He

DOI: https://doi.org/10.1109/IAEAC47372.2019.8997863

2019-01-01

Abstract:EDA tools almost completely automate the current chip design. However, EDA tools are all provided by third-party companies, therefore the credibility of EDA tools and the trust issues brought by their process libraries have attracted people's attention. Given these problems, this paper proposes a self-training hardware Trojan confrontation framework based on machine learning embedded in EDA tools. The framework focuses on the gate-level netlist files generated during the integrated chip comprehensive optimization phase, thereby detects, locates and deletes hardware Trojans that may appear. The experimental results show that the framework can achieve more than 85% detection effect for unknown hardware Trojans. Moreover, for known hardware Trojans, this framework can achieve almost 100% detection. Accordingly, hardware Trojans can be located and deleted.

潘茂如,曹天杰

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.18.047

2010-01-01

Abstract:The realization mechanism of the Direct Kernel Object Manipulation(DKOM) and call gate are analyzed and proposed.By using call gate,it can promote the program’s privilege to modify the kernel’s process list to hide the process without the driver.A Trojan program is designed and implemented,and the hidden and survival functions are verified in experimental conditions based on the proposal.The experiments have proved that the Trojan can hide the process effectively and escape the detection and killing of the common security software.It also analyzes the Trojan program’s detection method.

Shicong Li,Xiaochun Yun,Yongzheng Zhang,Yi Pang,Tao Yin

DOI: https://doi.org/10.1109/ICCT.2012.6511272

2012-01-01

Abstract:Most existing approaches for detecting Trojan are limited for obfuscation and encryption techniques. In this paper, we present a network behavior analysis designed to address the limitations of previously-proposed approaches. Our solution considered not only transport layer characteristics but also network layer characteristics. The approach in this paper exhibits two major advantages: (1) can better represent Trojan network behavior, and (2) performed at very low computational cost. Based on clustering technique, we proposed a detection model that detects Trojan communication with high accuracy. We implement the model on real-world traces. The experiments show that our model is suitable for detecting Trojan communication amongst the vast amount of network traffic, with over 90% accuracy and less than 3.5% false positive rate. We confidently consider that our detection approach is complementary to the existing techniques.

xuwei ye,jianhua feng,haoran gong,chunhua he,weilei feng

DOI: https://doi.org/10.1109/edssc.2015.7285146

2015-01-01

Abstract:Hardware Trojan, realized by malicious modification of design characteristics, has emerged as a major security concern. The recently proposed Trojan detection methods arc mainly classified into two categories: side-channel signal analysis and logic testing. Due to the stealthy nature of Trojan circuits, it's difficult to activate Trojans to perform logic testing. In this paper, an activation probability-based approach is proposed. A probability obfuscation scan chain (POSC) is presented aiming at increasing the difficulty of Trojan insertion and increasing the activation probability of the Trojan circuits. It proves to be very effective in detecting the presence of a Trojan in a circuit. Experimental results on ISCAS benchmark circuits show that this approach can effectively increase Trojan activation probability and make the detection of the Trojan more easily.

SHI Yong,XUE Zhi,LI Jianhua

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.07.053

2005-01-01

Abstract:A new trojan horse on Windows operating system is presented. This technology combines SPI which is a new characteristic in Winsock 2 with remote thread injecting in Windows kernel and DLL(dynamic-link libraries) in Windows file system. And it uses some characteristics in filtration and interrupt of firewalls for reference. A new trojan horse hiding style is realized.

Chen Dong,Yi Xu,Ximeng Liu,Fan Zhang,Guorong He,Yuzhong Chen

DOI: https://doi.org/10.3390/s20185165

IF: 3.9

2020-01-01

Sensors

Abstract:Diverse and wide-range applications of integrated circuits (ICs) and the development of Cyber Physical System (CPS), more and more third-party manufacturers are involved in the manufacturing of ICs. Unfortunately, like software, hardware can also be subjected to malicious attacks. Untrusted outsourced manufacturing tools and intellectual property (IP) cores may bring enormous risks from highly integrated. Attributed to this manufacturing model, the malicious circuits (known as Hardware Trojans, HTs) can be implanted during the most designing and manufacturing stages of the ICs, causing a change of functionality, leakage of information, even a denial of services (DoS), and so on. In this paper, a survey of HTs is presented, which shows the threatens of chips, and the state-of-the-art preventing and detecting techniques. Starting from the introduction of HT structures, the recent researches in the academic community about HTs is compiled and comprehensive classification of HTs is proposed. The state-of-the-art HT protection techniques with their advantages and disadvantages are further analyzed. Finally, the development trends in hardware security are highlighted.

Ting Liu,Xiaohong Guan,Qinghua Zheng,Ke Lu,Yuanfeng Song,Weizhang Zhang

DOI: https://doi.org/10.1109/CCNC.2009.4785028

2010-01-01

Abstract:This paper presents a novel Trojan detection and defense system. The prototype searches the important files which contain users' confidential information on the disk. And then, these files will be monitored to find which processes will access them by capturing and analyzing the IRPs (I/O Request Packets). The processes of Trojans will be distinguished from regular ones by evaluating their API-calls with several machine-learning models, rather than traditional signature-based mechanism. Testing results show that this prototype could detect and defend the unknown Trojans quickly and accurately.

ZHANG Chen,WANG Yi-jun,XUE Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2011.02.023

2011-01-01

Abstract:Today's popular Trojans begin to use covert communication technology and bypass the detection of honeypot system.This paper first describes the common Trojan covert communication technologies and the growing popular kernel layer Rootkit covert communication technology,then discusses the current client honeypot detecting methods for malware.Aiming at the deficiency of Honeypot detection mechanisms for network communication,an effective improvement scheme is proposed,By using network traffic detection technology based on the NDIS intermediate driver,the Trojans date packets are acquired.This scheme could effectively detect Rootkit covert communication based on network driver and extract the key communication information for Trojan track and analysis.

杨彦,黄皓

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.12.053

2008-01-01

Abstract:Rootkit is a program set which malicious software uses to conceal itself and other specific resources and actions.This paper analyzes and researches on the concealment technologies which representative rootkits on Windows platform commonly use,and classifies them into two categories: modifying kernel object data structures and changing execution paths.The technical principles are described and compared in detail.The future development directions are discussed.

HAO Dong-bai,GUO Lin,HUANG Hao

DOI: https://doi.org/10.3321/j.issn:1002-8331.2007.24.040

2007-01-01

Abstract:According to the analysis of Trojan horse attack patterns,implant methods,the security model of windows and limitations of the Trojan horse detection technologies at present,A defense against Trojan horse system based on restricted token is stated in this paper.Combined with constructing the secure work environment,auditing the startup of applications and restraining the malicious action of Trojan horse.The design of process environment control module,service manager module,register monitoring and anomaly diagnose module are focused on.At last,the experiment result validates the feasibility and availability of this system.

Zhang Liyun,Xue Zhi,Li Jianhua

DOI: https://doi.org/10.3969/j.issn.1009-8054.2006.11.048

2006-01-01

Abstract:The kernel-level rootkit is an import technology for hackers to open backdoor after intruding systems successfully. The article analyzes the hiding and detection principle of kernel-level rootkit, and focuses on the module binary analysis method which based on symbolic execution to detect rootkit.

XU Xu-xu,XUE Zhi,WU Gang

DOI: https://doi.org/10.3969/j.issn.1009-2552.2012.02.041

2012-01-01

Abstract:This paper first introduced the basic conceptions about Trojan Horse and basic technologies of Trojan Horse,and then it introduced the common methods of Trojan Horse detection.And it expounds the current research condition and development trend of Trojan Horse detection.It analyzes and summarizes the behavioral characteristics of their installation,and puts forward an anti-trojan strategy based on behavior analysis.

Shicong Li,Xiaochun Yun,Yongzheng Zhang,Jun Xiao,Yipeng Wang

DOI: https://doi.org/10.1109/NAS.2012.10

2012-01-01

Abstract:Because of the widespread Trojan, Internet users become more and more vulnerable to the threat of information leakage. Traditional techniques of Trojan detection were classified into two main categories: host-based and network-based. Unfortunately, existing techniques are insufficient and limited, because of the following reasons: (1)only uncover the known Trojan while inefficiently detecting novel samples, (2) should be adjusted in a timely fashion even a trivial change is applied, and (3)become computationally more expensive. In our work, we focus on a network behavior based method to address the limitations of previous network-based approaches. We analyze the profile of network behavior at two levels: (i)flow-level, (ii)IP-level. Our approach present two main advantages: (1)capture more detailed information to describe the network behavior profile, (2)consume lower computational overhead. We proposed a system, Manto, which detects Trojan communication with high accuracy using clustering technique. We implement Manto on real-world traces. The evaluation results exhibit that Manto is suitable for detecting Trojan communication amongst the vast amount of network traffic, with over 91% accuracy and less than 3.2% false positive ratio. We confidently regard our approach as a complementary way to the existing network-based techniques for we could address their main shortcomings.

杨彦,黄皓

DOI: https://doi.org/10.16208/j.issn1000-7024.2008.11.015

2008-01-01

Abstract:Trojan is malicious program which is designed to obtain privilege and steal information; it seriously endangers the internet se- curity and information security. The rules of Trojan's attack actions are researched, a new Trojan horse detection method based on executable static analysis is proposed. The present attack tree model is improved, an extended attack tree model is designed to d escribe the sequences of threatening system calls Trojan commonly used. Matched the set of APIs used in PE file with the original extended attack tree, to predict the attack actions may appear in the implementation of the PE file and estimate whether the PE file is a Trojan.

XIE Jun,ZHANG Tao,ZHANG Shi-geng,HUANG Hao

2005-01-01

Abstract:In traditional monolithic kernel operating systems, all kernel codes run within a common and shared address space, and any vulnerabilities in kernel or any untrusted modules loaded in kernel would compromise the whole system security. The development of a layered and separated secure kernel was described in this paper. Since the powers of kernel are partitioned, the vulnerabilities of kernel are confined, and arbitrarily tampering of kernel by malice codes was prevented. The prototype system is entirely developed from beginning for the i386 architecture.

JIANG Hui,YANG Feng,DUAN Hai-xin

DOI: https://doi.org/10.3969/j.issn.1000-1220.2012.05.016

2012-01-01

Abstract:In recent years,the purpose of malicious code is changing to economic benefit instead of making damage and gain fame and glory.The malicious authors put more efforts to hide their malware.Rootkit has the characteristics of strong hidden ability and high privilege.So it is a serious threat of host security.As Hardware Virtualization Technology comes out,Rootkit extends to the outside of operating system and presents new challenges to detection technology.This paper,makes a summary of Rootkit hiding and detection technology these years,analysis the problem them facing and discusses the trends of Rootkit detection technology.

Mohammad Nadim,Wonjun Lee,David Akopian

2023-04-02

Abstract:One of the most elusive types of malware in recent times that pose significant challenges in the computer security system is the kernel-level rootkits. The kernel-level rootkits can hide its presence and malicious activities by modifying the kernel control flow, by hooking in the kernel space, or by manipulating the kernel objects. As kernel-level rootkits change the kernel, it is difficult for user-level security tools to detect the kernel-level rootkits. In the past few years, many approaches have been proposed to detect kernel-level rootkits. It is not much difficult for an attacker to evade the signature-based kernel-level rootkit detection system by slightly modifying the existing signature. To detect the evolving kernel-level rootkits, researchers have proposed and experimented with many detection systems. In this paper, we survey traditional kernel-level rootkit detection mechanisms in literature and propose a structured kernel-level rootkit detection taxonomy. We have discussed the strength and weaknesses or challenges of each detection approach. The prevention techniques and profiling kernel-level rootkit behavior affiliated literature are also included in this survey. The paper ends with future research directions for kernel-level rootkit detection.

Cryptography and Security