LU Lianhao,PING Lingdi,PAN Xuezeng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.21.054

2006-01-01

Abstract:The research of covert channel analysis on Tuling SecOS2.0/4 is reported.A new covert channel identification method--modified semantic information flow method is proposed.It has less workload,can directly analyze the source code and exclude the false result,also helps the covert channel handling.It uses this method to identify the cover channels of the Tuling SecOS,computes the bandwidths accurately,and handles the covert channels according to different security policies.The result shows conform to the requirement of Level 4 security operating system in relevant national standards.

Haifeng Zhou,Chunming Wu,Chengyu Yang,Pengfei Wang,Qi Yang,Zhouhao Lu,Qiumei Cheng

DOI: https://doi.org/10.1109/TNET.2018.2859483

2018-01-01

IEEE/ACM Transactions on Networking

Abstract:A software-defined network (SDN) is increasingly deployed in many practical settings, bringing new security risks, e.g., SDN controller and switch hijacking. In this paper, we propose a real-time method to detect compromised SDN devices in a reliable way. The proposed method aims at solving the detection problem of compromised SDN devices when both the controller and the switch are trustless, and ...

HAN Yu-xiang,LIU Sheng-li,LIU Long,SU Xiao-yan

DOI: https://doi.org/10.3969/j.issn.1000-3428.2012.18.076

2012-01-01

Abstract:Cisco IOS processes can not be dynamically analyzed,and it is difficult to intercept system abnormalities of communication process. A method based on virtualaization is proposed to analyze Cisco IOS communication process.Hardware abstraction layer virtual machine is constructed,and a dynamic analysis platform based on virtualization is designed for IOS.This paper introduces methods for extracting key instruction stream and communication features.The multiple instruction set architecture and multiple versions of Cisco IOS is proved.Experimental results show that this method can effectively intercept the designated communication process.

Kira Bobrovnikova,Sergii Lysenko,Bohdan Savenko,Piotr Gaj,Oleg Savenko

DOI: https://doi.org/10.32620/reks.2022.1.11

2022-02-23

RADIOELECTRONIC AND COMPUTER SYSTEMS

Abstract:The Internet of Things (IoT) refers to the millions of devices around the world that are connected to the Internet. Insecure IoT devices designed without proper security features are the targets of many Internet threats. The rapid integration of the Internet into the IoT infrastructure in various areas of human activity, including vulnerable critical infrastructure, makes the detection of malware in the Internet of Things increasingly important. Annual reports from IoT infrastructure cybersecurity companies and antivirus software vendors show an increase in malware attacks targeting IoT infrastructure. This demonstrates the failure of modern methods for detecting malware on the Internet of things. This is why there is an urgent need for new approaches to IoT malware detection and to protect IoT devices from IoT malware attacks. The subject of the research is the malware detection process on the Internet of Things. This study aims to develop a technique for malware detection based on the control flow graph analysis. Results. This paper presents a new approach for IoT malware detection based on control flow graph analysis. Control flow graphs were built for suspicious IoT applications. The control flow graph is represented as a directed graph, which contains information about the components of the suspicious program and the transitions between them. Based on the control flow graph, metrics can be extracted that describe the structure of the program. Considering that IoT applications are small due to the simplicity and limitations of the IoT operating system environment, malware detection based on control flow graph analysis seems to be possible in the IoT environment. To analyze the behavior of the IoT application for each control flow graph, the action graph is to be built. It shows an abstract graph and a description of the program. Based on the action graph for each IoT application, a sequence is formed. This allows for defining the program’s behavior. Thus, with the aim of IoT malware detection, two malware detection models based on control flow graph metrics and the action sequences are used. Since the approach allows you to analyze both the overall structure and behavior of each application, it allows you to achieve high malware detection accuracy. The proposed approach allows the detection of unknown IoT malware, which are the modified versions of known IoT malware. As the mean of conclusion-making concerning the malware presence, the set of machine learning classifiers was employed. The experimental results demonstrated the high accuracy of IoT malware detection. Conclusions. A new technique for IoT malware detection based on control flow graph analysis has been developed. It can detect IoT malware with high efficiency.

Nai Xia,Bing Mao,Qingkai Zeng,Li Xie

DOI: https://doi.org/10.1007/978-3-540-77505-8_8

2007-01-01

Abstract:Control-hijacking attacks are known as critical threats to software security. Control flow monitoring is a kind of important method to mitigate this problem. In this paper, we present a new method for program control flow monitoring. Based on the static analysis of a program, we apply very simple instrumentation of a progam's source code to encode its runtime function level control flow traces and check the correctness of the traces in the OS kernel. Experiments show that this method has a tiny performance impact and is still highly effective in detecting control-hijacking attacks. We also propose to automatically handle non-standard control flow by learning programs' dynamic profiling data. Our method is hopeful to be enforceable in different environments because it does not depend closely on specific platform features and the underlying techniques can be easily found in many platforms.

JingZheng Wu,Liping Ding,Yongji Wang,Wei Han

DOI: https://doi.org/10.1109/ssiri.2011.17

2011-01-01

Abstract:Covert channel analysis is an important requirement when building secure information systems, and identification is the most difficult task. Although some approaches were presented, they are either experimental or constrained to some particular systems. This paper presents a practical approach based on directed information flow graph taking advantage of the source code analysis. The approach divides the whole system into serval independent modules and analyzes them respectively. All the shared variables and their caller functions are found out from the source codes and modeled into directed information flow graphs. When the information flow branches are visible and modifiable to the external interface, a potential covert channel exists. Contributions made in this paper are as follows: a modularized analysis scheme is proved and reduces the workloads of identifying, a directed information flow graph algorithm is presented and used to model the covert channels, more than 30 covert channels have been identified in Linux kernel source code using this scheme, and a typical channel scenario is constructed.

Chun Lei Wang,Qing Miao,Lan Fang,Yi Qi Dai

DOI: https://doi.org/10.4028/www.scientific.net/amr.765-767.1936

2013-01-01

Advanced Materials Research

Abstract:industrial Control System (ICS) performs the tasks of supervisory control and data acquisition of critical infrastructures. With the widely application of computer and network techniques, ICS suffers serious security threats, and malicious codes are one of the most serious security problems. However, there is absent of analysis methods specific for ICS malicious code behaviors in current times. In this paper, a framework for ICS malicious code analysis is presented. Firstly, the ICS attack graph model is established based upon the hierarchical structure of industrial control system and the suffered security threats, which formalizes the attack process of ICS malicious code. Secondly, the runtime information of ICS malicious code is detected and collected for analyzing and assessing the attack behaviors and the resulted impacts. Finally, the ICS simulation environment for malicious code analysis is constructed based upon the framework and the experimental analysis of ICS malicious code is performed which preliminary validates the effectiveness of the proposed framework.

白莉莉,庞建民,张一弛,岳峰

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.09.048

2010-01-01

Abstract:Aiming at the problem that malware detection method based on signature can be easily subverted by obfuscation techniques,this paper proposes a detection method based on Critical Application Programming Interface Graph(CAG).By statically extracting nodes with critical API calling from Control Flow Graph(CFG) for each malware,each malicious behavior can be presented by one CAG.A matching algorithm based on CAG is used to determine whether a suspicious executable programming has the same malicious behavior as a malware does.Experimental results show that the method can detect malware variants efficiently with low false negative rate.

Aleksey A. Galtsev,Andrei M. Sukhov

DOI: https://doi.org/10.1007/978-3-642-22875-9_30

2011-04-06

Abstract:In this paper, we propose a new method for detecting unauthorized network intrusions, based on a traffic flow model and Cisco NetFlow protocol application. The method developed allows us not only to detect the most common types of network attack (DDoS and port scanning), but also to make a list of trespassers' IP-addresses. Therefore, this method can be applied in intrusion detection systems, and in those systems which lock these IP-addresses.

Cryptography and Security

潘剑锋,刘守群,奚宏生,谭小彬

2010-01-01

Abstract:The present study proposes a method for hidden malcode detection based on the analysis of dynamic control-flow. First we recorded the malcode-related control-flow paths of program, and then the control-flow paths were analyzed, by calling tree match algorithm, to detect the hidden malcode in the system. The experiments show that this method can detect hidden malcode efficiently at a high detection rate and with low false positive, and thus it can be applied to malcode detection on operating systems.

J. Visumathi,K. L. Shunmuganathan

DOI: https://doi.org/10.48550/arXiv.1005.0967

2010-05-06

Cryptography and Security

Abstract:nformation security is an issue of global concern. As the Internet is delivering great convenience and benefits to the modern society, the rapidly increasing connectivity and accessibility to the Internet is also posing a serious threat to security and privacy, to individuals, organizations, and nations alike. Finding effective ways to detect, prevent, and respond to intrusions and hacker attacks of networked computers and information systems. This paper presents a knowledge discovery frame work to detect DoS attacks at the boundary controllers (routers). The idea is to use machine learning approach to discover network features that can depict the state of the network connection. Using important network data (DoS relevant features), we have developed kernel machine based and soft computing detection mechanisms that achieve high detection accuracies. We also present our work of identifying DoS pertinent features and evaluating the applicability of these features in detecting novel DoS attacks. Architecture for detecting DoS attacks at the router is presented. We demonstrate that highly efficient and accurate signature based classifiers can be constructed by using important network features and machine learning techniques to detect DoS attacks at the boundary controllers.

Yuan Li,Mingzhe Wang,Chao Zhang,Xingman Chen,Songtao Yang,Ying Liu

DOI: https://doi.org/10.1145/3372297.3417867

2020-01-01

Abstract:Control-flow integrity (CFI) is a promising technique to mitigate control-flow hijacking attacks. In the past decade, dozens of CFI mechanisms have been proposed by researchers. Despite the claims made by themselves, the security promises of these mechanisms have not been carefully evaluated, and thus are questionable. In this paper, we present a solution to measure the gap between the practical security and the claimed theoretical security. First, we propose CScan to precisely measure runtime feasible targets of indirect control transfer (ICT) instructions protected by CFI, by enumerating all potential code addresses and testing whether ICTs are allowed to jump to them. Second, we propose CBench as a sanity check for verifying CFI solutions? effectiveness against typical attacks, by exploiting a comprehensive set of vulnerable programs protected by CFI and verifying the recognized feasible targets. We evaluated 12 most recent open-source CFI mechanisms and discovered 10 flaws in most CFI mechanisms or implementations. For some CFIs, their security policies or protected ICT sets do not match what they claimed. Some CFIs even expand the attack surface (e.g. introducing unintended targets). To facilitate a deeper understanding of CFI, we summarize the flaws into 7 common pitfalls which cover the whole lifetime of CFI mechanisms and reveal issues that affect CFI mechanisms in practical security.

XIA Nai,GUO Ming-song,Bing Mao,Li Xie

DOI: https://doi.org/10.3321/j.issn:0372-2112.2007.02.038

2007-01-01

Abstract:Attacks to program vulnerabilities is a severe problem nowadays.This paper puts forward a new simplified approach based on programs' runtime control flow monitoring.Compared to the methods based on system call sequence analysis,this approach has better granularity;Compared to the methods using whole call graph verification,it has the same effectiveness but more applicable.The results show that this approach can detect many kinds of known attacks to program vulnerabilities.

Hongying Tang,Bo Zhu,Kui Ren

DOI: https://doi.org/10.1007/978-3-642-02617-1_24

2010-01-01

Abstract:Malware has become one of the most serious threats to computer users. Early techniques based on syntactic signatures can be easily bypassed using program obfuscation. A promising direction is to combine Control Flow Graph (CFG) with instruction-level information. However, since previous work includes only coarse information, i.e., the classes of instructions of basic blocks, it results in false positives during the detection. To address this issue, we propose a new approach that generates formalized expressions upon assignment statements within basic blocks. Through combining CFG with the functionalities of basic blocks, which are represented in terms of upper variables with their corresponding formalized expressions and system calls (if any), our approach can achieve more accurate malware detection compared to previous CFG-based solutions.

Jin Wang,Liping Wang,Ruiqing Wang

DOI: https://doi.org/10.3390/e25081210

IF: 2.738

2023-08-15

Entropy

Abstract:Software defined networking (SDN) improves the flexibility and programmability of the network by separating the control plane and the data plane and effectively realizes the global control of the network infrastructure. However, the centralized structure design of SDN exposes the controller to potential threats. Attackers have used the active flow table delivery mode to launch distributed denial of service (DDoS) attacks on the SDN controller, resulting in the controller failure and seriously affecting the network performance. To overcome this problem, this paper proposes a defense framework called CC-Guard. The framework consists of four modules: attack detection triggering, switch migration, anomaly detection, and mitigation. Among them, the attack detection trigger module improves the system's timely response to DDoS attacks. The switch migration module effectively unclogs the controller congestion problem and provides convenience for network flow transmission. The anomaly detection module uses a coarse-grained method for two-stage detection, which improves the detection accuracy. The mitigation module uses the idea of cross-domain cooperation of the controller to clear the abnormal flow in the blacklist. Experimental results show that our proposed CC-Guard has real-time DDoS attack defense capability and high detection accuracy, as well as efficient network resource utilization.

physics, multidisciplinary

Xiao Cheng,Haoyu Wang,Jiayi Hua,Miao Zhang,Guoai Xu,Li Yi,Yulei Sui

DOI: https://doi.org/10.1109/ICECCS.2019.00012

2019-01-01

Abstract:Static vulnerability detection has shown its effectiveness in detecting well-defined low-level memory errors. However, high-level control-flow related (CFR) vulnerabilities, such as insufficient control flow management (CWE-691), business logic errors (CWE-840), and program behavioral problems (CWE-438), which are often caused by a wide variety of bad programming practices, posing a great challenge for existing general static analysis solutions. This paper presents a new deep-learning-based graph embedding approach to accurate detection of CFR vulnerabilities. Our approach makes a new attempt by applying a recent graph convolutional network to embed code fragments in a compact and low-dimensional representation that preserves high-level control-flow information of a vulnerable program. We have conducted our experiments using 8,368 real-world vulnerable programs by comparing our approach with several traditional static vulnerability detectors and state-of-the-art machine-learning-based approaches. The experimental results show the effectiveness of our approach in terms of both accuracy and recall. Our research has shed light on the promising direction of combining program analysis with deep learning techniques to address the general static analysis challenges.

Jianlei Gao,Jun Li,Hao Jiang,Yaobing Li,Hengzhi Quan

DOI: https://doi.org/10.1109/cac51589.2020.9327136

2020-01-01

Abstract:Measurement and control system integrating different software and hardware is used to measure parameters, monitor process and control operation, which has been widely applied in critical infrastructures and has adopted Ethernet for data exchange. The recent publications have indicated that measurement and control systems are very vulnerable when they are exposed to cyber-attacks due to various intrinsic security weakness. Fins protocol as one of the most popular protocols is built into a larger number of Ormon devices that are used in different kinds of measurement, and control systems and has been targeted as the desirable candidate for cyber-attack. However, the traditional detection method based on traffic analysis and function code compliance detection is unable to detect mode-switching attack that is consistent with the protocol syntax, and it is a very harmful network attack against industrial devices. In this paper, we analyze the defects of measurement and control system using Fins protocol, launch mode-switching attack against Ormon PLC devices and display how to defend against this attack by designing a detection rules insert into Snort. Then, this detection approach is carried out to protect the security of Ormon PLC. Finally, the experimental results show that our detection approach can distinguish and detect this malicious cyber-attack efficiently.

Joochan Lee,Hyunpyo Choi,Jiho Shin,Jung Taek Seo

DOI: https://doi.org/10.1145/3440943.3444742

2020-12-12

Abstract:In recent years, 1 a large number of studies have been conducted on cybersecurity for Programmable Logic Controllers (PLCs) to cope with cyberattacks on Industrial Control Systems(ICS). However, few studies have been conducted on ensuring cybersafety for control logics running inside PLCs. In this study, a technique for detecting an attack on PLC control logic change was proposed by analyzing the network protocol data and project file structure. Based on the analysis results for the proposed technique, a tool was implemented to detect an manipulation attack on control logic, and whether such attack was detected or not was verified through experiments.

Wang Chunlei,Zhao Gang,Dai Yiqi

DOI: https://doi.org/10.1109/ICCSIT.2009.5234950

2009-01-01

Abstract:This paper proposes a control flow based security analysis approach for binary executables. Through deeply investigating the theory of control flow security, we develop the Control Flow Security Model (CFSM) which includes the formal definitions for program semantics and security properties for control flow. CFSM specifies that program execution dynamically follows only certain paths, in accordance with a statically declared security properties specified as Control Flow Constraint Specification (CFCS). We have proposed an efficient control flow security analysis algorithm for verifying that a particular control flow model satisfies the associated security properties. Our work contributes to bridging the gap between abstract specifications of control flow security properties and actual control flow security analysis for binary executables. The effectiveness and the practical usefulness of the approach are exemplified by an illustrative analysis of heap overflow vulnerability.

Dalin He,Huanyu Wang,Tuo Deng,Jishi Liu,Junnian Wang

DOI: https://doi.org/10.1016/j.cose.2024.104135

IF: 5.105

2024-09-27

Computers & Security

Abstract:The widespread deployment of IIoT edge devices makes them attractive victims for malicious activities. Consequently, how to implement trustworthy operations becomes a realistic topic in embedded systems. While most current physical systems for detecting malicious activities primarily focus on identifying known intrusion codes at the block level, they ignore that even an unnoticeable injected function can result in system-wide loss of security. In this paper, we propose a framework called CNDSW built on deep-learning side-channel analysis for function-level industrial control flow integrity monitoring. By collaboratively utilizing correlation analysis and deep-learning techniques, the dual window sliding monitoring mechanism in the proposed CNDSW framework demonstrates a real-time code intrusion tracking capacity on embedded controllers with a 99% detection accuracy on average. Instead of focusing on known block-level intrusions, we experimentally show that our model is feasible to detect function-level code intrusions without knowing the potential threat type. Besides, we further explore how different configurations of the CNDSW framework can help the monitoring process with different emphases and to which extent the model can concurrently detect multiple code intrusion activities. All our experiments are conducted on 32-bit ARM Cortex-M4 and 8-bit RISC MCUs across five different control flow programs, providing a comprehensive evaluation of the framework's capabilities.

computer science, information systems