XING Yun-dong,LIU Sheng-li

2010-01-01

Abstract:Aimed at the problems that malwares like Trojan horses are performing more and more harmfully to the network security,to improve the efficiency of Trojan horse detection by NIDS,the characteristics and network communication forms of Trojan horses are analyzed.Then combined a sequence alignment algorithm,a model for signatures automatic generation of Trojan horses is designed and implemented.Finally,this model is proved to be practical and effective by the experiments.

Jia Zhang,Haixin Duan,Lanjia Wang,Yuntao Guan

DOI: https://doi.org/10.1109/iccee.2008.33

2008-01-01

Abstract:With the development of polymorphic worms, worms do greater harm to networks. The content-based signature generation of polymorphic worms has been a challenge for network security. This paper presents a fast signature generation method for polymorphic worms. The main feature of this method is clustering network normal traffic to create a white list before carrying out a comprehensive analysis of malicious traffic. Compared with other methods, this approach avoids the large number of comparisons with normal network traffic pool because of the white list. It is proved by experiments that our approach has a good noise-tolerant capability and high efficiency, and signatures generated by our method have a high accuracy.

Shicong Li,Xiaochun Yun,Yongzheng Zhang,Jun Xiao,Yipeng Wang

DOI: https://doi.org/10.1109/NAS.2012.10

2012-01-01

Abstract:Because of the widespread Trojan, Internet users become more and more vulnerable to the threat of information leakage. Traditional techniques of Trojan detection were classified into two main categories: host-based and network-based. Unfortunately, existing techniques are insufficient and limited, because of the following reasons: (1)only uncover the known Trojan while inefficiently detecting novel samples, (2) should be adjusted in a timely fashion even a trivial change is applied, and (3)become computationally more expensive. In our work, we focus on a network behavior based method to address the limitations of previous network-based approaches. We analyze the profile of network behavior at two levels: (i)flow-level, (ii)IP-level. Our approach present two main advantages: (1)capture more detailed information to describe the network behavior profile, (2)consume lower computational overhead. We proposed a system, Manto, which detects Trojan communication with high accuracy using clustering technique. We implement Manto on real-world traces. The evaluation results exhibit that Manto is suitable for detecting Trojan communication amongst the vast amount of network traffic, with over 91% accuracy and less than 3.2% false positive ratio. We confidently regard our approach as a complementary way to the existing network-based techniques for we could address their main shortcomings.

Zhichun Li,Lanjia Wang,Yan Chen,Zhi Judy Fu

DOI: https://doi.org/10.1109/icnp.2007.4375847

2007-01-01

Abstract:It is crucial to detect zero-day polymorphic worms and to generate signatures at the edge network gateways or honeynets so that we can prevent the worms from propagating at their early phase. However, most existing network-based signatures generated are not vulnerability-based and can be easily evaded by attacks. In this paper, we propose generating vulnerability-based signatures on the network level without any host-level analysis of worm execution or vulnerable programs. As the first step, we design a network-based length-based signature generator (LESG) for worms based on buffer overflow vulnerabilities'. The signatures generated are intrinsic to buffer overflows, and are very hard for attackers to evade. We further prove the attack resilience bounds even under worst case attacks with deliberate noise injection. Moreover, LESG is fast and noise-tolerant and has efficient signature matching. Evaluation based on real-world vulnerabilities of various protocols and real network traffic demonstrates that LESG is promising in achieving these goals.

Zhang Xiaosong,Chen Ting,Chen Dapeng,Liu Zhi

DOI: https://doi.org/10.1108/03321641011014913

2013-01-01

Abstract:Purpose - The purpose of this paper is to propose a self-immune automated signature generation (SISG) for polymorphic worms which is able to work well, even while being attacked by any types of malicious adversary and produces global-suited signatures other than local-suited signatures for its distributed architecture. Through experimentations, the method is thereafter evaluated. Design/methodology/approach - The ideal worm signature exist in each copy of the corresponding worm, but never in other worm categories and normal network traffic. SISG compares each worm copy and extract the same components, then produces the worm signature from the components which must achieve low-false positive and low-false negative. SISG is immune from the most attacks by filtering the harmful noise made by malicious adversaries before signature generation. Findings - NOP sled, worm body and descriptor are not good to be signature because they can be confused intricately by polymorphic engines. Protocol frames may not suit to be signature for the anti-automated signature generation attacks. Exploit bytes is the essential part of an ideal worm signature and it can be extracted by SISG exactly. Originality/value - The paper proposes a SISG for polymorphic worms which is able to work well even while being attacked by any types of malicious adversary and produces global-suited signatures other than local-suited signatures for its distributed architecture.

Shicong Li,Xiaochun Yun,Yongzheng Zhang,Yi Pang,Tao Yin

DOI: https://doi.org/10.1109/ICCT.2012.6511272

2012-01-01

Abstract:Most existing approaches for detecting Trojan are limited for obfuscation and encryption techniques. In this paper, we present a network behavior analysis designed to address the limitations of previously-proposed approaches. Our solution considered not only transport layer characteristics but also network layer characteristics. The approach in this paper exhibits two major advantages: (1) can better represent Trojan network behavior, and (2) performed at very low computational cost. Based on clustering technique, we proposed a detection model that detects Trojan communication with high accuracy. We implement the model on real-world traces. The experiments show that our model is suitable for detecting Trojan communication amongst the vast amount of network traffic, with over 90% accuracy and less than 3.5% false positive rate. We confidently consider that our detection approach is complementary to the existing techniques.

Li Shicong,Yun Xiaochun,Zhang Yongzheng

2012-01-01

Journal of Computer Research and Development

Abstract:Trojan has become one of the most serious problems of Internet. Most of existed techniques are not effective enough to detect Trojan. They are suffered from three limitations: 1) unable to discover the samples of novel Trojan, 2) should be updated as soon as any change made in Trojan, and 3) consume a great many computational resources. According to aforementioned, we have analyzed the network communication behavior of real Trojan samples at two levels (network layer and transport layer) and selected four characteristics to describe Trojan network behavior. Then, we use hierarchical clustering method to generate the model and labeled it. To demonstrate the validity, we evaluate our method on real network traces. High accuracy and low false positive ratio have been attained together.

Zhichun Li,Manan Sanghi,Yan Chen,Ming-Yang Kao,Brian Chavez

DOI: https://doi.org/10.1109/SP.2006.18

2006-01-01

Abstract:Zero-day polymorphic worms pose a serious threat to the security of Internet infrastructures. Given their rapid propagation, it is crucial to detect them at edge networks and automatically generate signatures in the early stages of infection. Most existing approaches for automatic signature generation need host information and are thus not applicable for deployment on high-speed network links. In this paper, we propose Hamsa, a network-based automated signature generation system for polymorphic worms which is fast, noise-tolerant and attack-resilient. Essentially, we propose a realistic model to analyze the invariant content of polymorphic worms which allows us to make analytical attack-resilience guarantees for the signature generation algorithm. Evaluation based on a range of polymorphic worms and polymorphic engines demonstrates that Hamsa significantly outperforms Polygraph [16] in terms of efficiency, accuracy, and attack resilience.

Mofei Song,Zhengxing Sun

DOI: https://doi.org/10.1155/2014/324645

IF: 1.43

2014-01-01

Mathematical Problems in Engineering

Abstract:The collection of signature data for system development and evaluation generally requires significant time and effort. To overcome this problem, this paper proposes a detector generation based clonal selection algorithm for synthetic signature set generation. The goal of synthetic signature generation is to improve the performance of signature verification by providing more training samples. Our method uses the clonal selection algorithm to maintain the diversity of the overall set and avoid sparse feature distribution. The algorithm firstly generates detectors with a segmented r-continuous bits matching rule and P-receptor editing strategy to provide a more wider search space. Then the clonal selection algorithm is used to expand and optimize the overall signature set. We demonstrate the effectiveness of our clonal selection algorithm, and the experiments show that adding the synthetic training samples can improve the performance of signature verification.

Deguang Kong,Yoon-Chan Jhi,Tao Gong,Sencun Zhu,Peng Liu,Hongsheng Xi

DOI: https://doi.org/10.1007/s10207-011-0132-7

2010-01-01

Abstract:String extraction and matching techniques have been widely used in generating signatures for worm detection, but how to generate effective worm signatures in an adversarial environment still remains a challenging problem. For example, attackers can freely manipulate byte distributions within the attack payloads and thus inject well-crafted noisy packets to contaminate the suspicious flow pool. To address these attacks, we propose SAS, a novel S emantics A ware S tatistical algorithm for automatic signature generation. When SAS processes packets in a suspicious flow pool, it uses data flow analysis techniques to remove non-critical bytes. We then apply a hidden Markov model (HMM) to the refined data to generate state-transition-graph-based signatures. To our best knowledge, this is the first work combining semantic analysis with statistical analysis to automatically generate worm signatures. Our experiments show that the proposed technique can accurately detect worms with concise signatures. Moreover, our results indicate that SAS is more robust to the byte distribution changes and noise injection attacks compared to Polygraph and Hamsa.

涂浩,李之棠,柳斌

2009-01-01

Abstract:The fast spread of worm is a great challenge to Internet security.An effective worm detection and defense system is designed and implemented.A binary cluster algorithm is proposed to improve the front traffic filter,which reduce the traffic and enhance its purity.A method of position-aware signature generation based Bloom Filter is proposed to bring better performance and more accurate signature.Experiments show the system can effective detect worm traffic and generate accurate signature for content-based automatic defense.

TS Jiao,CS Zhang

DOI: https://doi.org/10.1117/12.441603

2001-01-01

Abstract:In on-line signature identification, it is usually difficult to get enough samples. This paper focuses on the work of generating some new signatures according to only a few samples collected advance. In the generating process, we used the knowledge concluded from the observation of lot's of signatures. The knowledge includes the relationship between the writing speed sequences of skilled signatures with different scales, that is to say: the relationship between speed and scale. The knowledge also includes the relationship between writing speed of adjacent points within a signature, which can be consider as the relationship of speed and local surrounding. By modeling the speed sequence of signature as conditional k-th step Markov chain, the relationship of speed and local surrounding is described as the transition probabilities of the Markov chain. The results of the generated signatures show that the method we proposed is useful. The results also prove that the relations we concluded are steady and can be used directly to signature identification.

Mingjiang Ye,Ke Xu,Jianping Wu,Hu Po

DOI: https://doi.org/10.1109/cit.2009.97

2009-01-01

Abstract:Classifying network traffic according to the applications is important to a broad range of network areas. Compared with the traditional method which classifies traffic using predefined well-known port numbers, the method using application signatures is more accurate. Unfortunately, analyzing signatures and maintaining up-to-date signatures for various applications is very difficult. To solve the problem, the paper proposes AutoSig which is an automatic application signature generation system. AutoSig extracts multiple common substring sequences from sample flows as application signature. First all possible common substrings in an application protocol are extracted and then a substring tree is constructed to generate the final signature of the application. The method is evaluated on campus traffic traces, and the experiment results show that AutoSig can generate effective application signatures with very high accuracy automatically.

Siyuan Pan,Yijun Wang,Zhi Xue,Xiang Lin

DOI: https://doi.org/10.3969/j.issn.1000-386x.2018.04.058

2018-01-01

Abstract:With the increasing demand for network security,the requirements for the analysis of remote control Trojan in APT attacks are also constantly increasing.Correspondingly,various methods and tools for analyzing unknown network protocols appear.In this paper,we introduced several existing methods of unknown network protocol reverse,and draw on the advantages of the existing methods.An improved method based on message data Tokenization,multiple sequence alignment and agglomerative hierarchical clustering for APT Trojan network protocol is proposed.

MENG Lei,LIU Sheng-li,LIU Long,CHEN Jia-yong,SUN Hai-tao

DOI: https://doi.org/10.3969/j.issn.1000-3428.2012.14.004

2012-01-01

Abstract:Trojan detection algorithm based on behavior analysis of communication has high computational complexity.Addressing the problem,this paper proposes a Trojan rapid detection based on heartbeat behavior analysis.The method selects two session attributes to describe the difference between Trojan communication flow and normal communication flow on the basis of description of heartbeat behavior in the Trojan communication large numbers of analysis on Trojan samples.And then Trojan Rapid Detection System(TRDS) is built based on the method.Experimental results show that TRDS can detect the Trojan communication in the 100 Mbit/s network rapidly and efficiently.

Run Xie,Chunxiang Xu,Chanlian He,Xiaojun Zhang

DOI: https://doi.org/10.1504/ijesdf.2016.079446

2016-01-01

International Journal of Electronic Security and Digital Forensics

Abstract:Group signatures allow a group member to sign messages anonymously on behalf of the group. Generally, group signatures have anonymity, traceability and authentication. It has been well applied in practical distributed security communication environments. However, very few schemes can achieve the non-frameability and support dynamic membership management. In this paper, we propose a new group signature scheme. Our scheme achieves the non-frameability without the trusted issuer. Meanwhile, this scheme can support dynamic members join and revocation without incurring other secure threats. Furthermore, in our scheme, the size of group member's private key and the size of group public key are shorter than other schemes while the costs to be kept constant for signing and verifying. In particular, we prove that our scheme achieves anonymity, traceability and non-frameability under the random oracle model.

XIN Yi,FANG Bin-xing,HE Long-tao,YUN Xiao-chun,LI Zhi-dong

DOI: https://doi.org/10.3321/j.issn:1000-436x.2007.12.001

2007-01-01

Abstract:Worm detection and signature extraction was presented based on analysis of similar communication character-istics,which identifies the distinct communication pattern of worm spread,and evaluates the similarity metric of commu-nication characteristic sets,and detects worms by detecting their infectivity with higher detection precision,generality and adaptability.Based on this,a heuristic detection framework is designed,which eliminates non-worm traffic from protocol,sequence,and content in three levels via blind,intent and lock track,then filters out worm packets and extracts signatures.The technique reduces data collection volume and analysis cost dramatically,and can detection worm and ex-tract signature quickly in the environment with high strength background noise.

Zhichun Li,Gao Xia,Hongyu Gao,Yi Tang,Yan Chen,B. Liu

2010-01-01

Abstract:Accuracy and speed are the two most important metrics for Network Intrusion Detection or Prevention Systems (NIDS/NIPSes). Due to emerging polymorphic attacks and the fact that in many cases regular expressions (regexes) cannot capture the vulnerability conditions accurately, the accuracy of existing regexbased NIDS/NIPS systems has become a serious problem. In contrast, the recently-proposed vulnerability signatures [8, 29] (a.k.a. data patches) can exactly describe the vulnerability conditions and achieve better accuracy. However, when applying vulnerability signatures to high speed NIDS/NIPS with a large ruleset, how to efficiently match them is an untouched but challenging issue. This paper presents the design of NetShield, a vulnerability signature based NIDS/NIPS which achieves multigigabit throughput while offering much better accuracy. This is accomplished because of the following contributions: (i) we propose a candidate selection (CS) algorithm which efficiently matches thousands of vulnerability signatures simultaneously requiring a small amount of memory; (ii) we propose a automatic lightweight parsing transition state machine achieving fast protocol parsing; (iii) we implement the NetShield prototype. Experimental results show that the core engine of NetShield achieves at least 1.9+Gbps signature matching throughput on a 3.8GHz single-core PC, and can scale-up to at least 11+Gbps under a 8-core CPU for 794 HTTP vulnerability signatures.

Aftab Hussain,Md Rafiqul Islam Rabin,Mohammad Amin Alipour

2024-02-24

Abstract:Trojan signatures, as described by Fields et al. (2021), are noticeable differences in the distribution of the trojaned class parameters (weights) and the non-trojaned class parameters of the trojaned model, that can be used to detect the trojaned model. Fields et al. (2021) found trojan signatures in computer vision classification tasks with image models, such as, Resnet, WideResnet, Densenet, and VGG. In this paper, we investigate such signatures in the classifier layer parameters of large language models of source code. Our results suggest that trojan signatures could not generalize to LLMs of code. We found that trojaned code models are stubborn, even when the models were poisoned under more explicit settings (finetuned with pre-trained weights frozen). We analyzed nine trojaned models for two binary classification tasks: clone and defect detection. To the best of our knowledge, this is the first work to examine weight-based trojan signature revelation techniques for large-language models of code and furthermore to demonstrate that detecting trojans only from the weights in such models is a hard problem.

Machine Learning,Software Engineering,Cryptography and Security

Jie Wang,Yongquan Cai,Jingyang He

DOI: https://doi.org/10.1109/cis.2010.80

2010-01-01

Abstract:Aiming at the weakness of existing schemes, a new threshold signature scheme to withstand the conspiracy attack is proposed in this paper. In this scheme, any subset of t or more than t members of the group can execute a valid threshold signature on behalf of the whole but can't construct legal group signature through giving two specific equations contained each other, so this scheme can not only withstand conspiracy attacks effectively, but also provide traceability under the premise of group signature anonymity. In addition, a new conspiracy attack method is designed, which was adopted to test the existing schemes and the new scheme of this paper, the result shows new scheme has higher security than existing ones.