Ming Ni,Qianmu Li,Hong Zhang,Tao Li,Jun Hou

DOI: https://doi.org/10.1007/978-3-319-26187-4_12

2015-01-01

Abstract:The rapid development of malicious software programs has posed severe threats to Computer and Internet security. Therefore, it motivates anti-malware industry to develop novel methods which are capable of protecting users against new threats. Existing malware detectors mostly treat the file samples separately using supervised learning algorithms. However, ignoring of relationship among file samples limits the capability of malware detectors. In this paper, we present a new malware detection method based on file relation graph to detect newly developed malware samples. When constructing file relation graph, k-nearest neighbors are chosen as adjacent nodes for each file node. Files are connected with edges which represent the similarity between the corresponding nodes. Label propagation algorithm, which propagates label information from labeled file samples to unlabeled files, is used to learn the probability that one unknown file is classified as malicious or benign. We evaluate the effectiveness of our proposed method on a real and large dataset. Experimental results demonstrate that the accuracy of our method outperforms other existing detection approaches in classifying file samples.

Sun Haoliang,Wang Dawei,Zhang Ying

DOI: https://doi.org/10.1109/iccsn.2019.8905286

2019-01-01

Abstract:Nowadays, a major challenge to network security is malicious codes. However, manual extraction of features is one of the characteristics of traditional detection techniques, which is inefficient. On the other hand, the features of the content and behavior of the malicious codes are easy to change, resulting in more inefficiency of the traditional techniques. In this paper, a K-Means Clustering Analysis is proposed based on Adaptive Weights (AW-MMKM). Identifying malicious codes in the proposed method is based on four types of network behavior that can be extracted from network traffic, including active, fault, network scanning, and page behaviors. The experimental results indicate that the AW-MMKM can detect malicious codes efficiently with higher accuracy.

Kai Lei,Qiuai Fu,Jiake Ni,Feiyang Wang,Min Yang,Kuai Xu

DOI: https://doi.org/10.1109/ICDCS.2019.00066

2019-01-01

Abstract:The last decade has witnessed the explosive growth of malicious Internet domains which serve as the fundamental infrastructure for establishing advanced persistent threat command and control communication channels or hosting phishing Web sites. Given the big data nature of Internet traffic data and the ability of algorithmically generating domains and acquiring and registering the domains in a near-automated fashion, detecting malicious domains in real-time is a daunting task for security analysts and network operators. In this paper, we introduce bipartite graphs to capture the interactions between end hosts and domains, identify associated IP addresses of domains, and characterize time-series patterns of DNS queries for domains, and explore one-mode projections of these bipartite graphs for modeling the behavioral, IP-structural, and temporal similarities between domains. We employ graph embedding technique to automatically learn dynamic and discriminative feature representations for over 10,000 labeled domains, and develop an SVM-based classification algorithm for predicting malicious or benign domains. Our model makes the progress towards adapting to the changing and evolving strategies of malicious domains. The experimental results have shown that our proposed algorithm achieves an area under the curve (AUC) of 0.94 based on k-fold cross-validation. To the best of our knowledge, this is the first effort to apply the combination of behavioral modeling and graph embedding for effectively and accurately detecting malicious domains.

Jing Yang,Liming Wang,Zhen Xu,Jigang Wang,Tian Tian

DOI: https://doi.org/10.1007/978-3-030-21373-2_30

2019-01-01

Abstract:Web scan is one of the most common network attacks on the Internet, in which an adversary probes one or more websites to discover exploitable information in order to perform further cyber attacks. For a coordinated web scan, an adversary controls multiple sources to achieve a large-scale scanning as well as detection evasion. In this paper, a novel detection approach based on hierarchical correlation is proposed to identify coordinated web campaigns from the labelled malicious sources. The semantic correlation is used to identify the malicious sources scanning the similar contents, and the temporal-spatial correlation is employed to identify malicious campaigns from the semantic correlation results. In both correlation phases, we convert the clustering problem into the group partition problem and propose a greedy algorithm to solve it. The evaluation shows that our algorithm is effective in detecting coordinated web scan attacks, since the metric Precision for detection can achieve 1.0, and the metric Rand Index for clustering is 0.984.

Hongjun Dai,Huabo Liu,Zhiping Jia,Tianzhou Chen

DOI: https://doi.org/10.1109/trustcom.2012.42

2012-01-01

Abstract:WSN is a distributed network exposed to an open environment, which is vulnerable to malicious nodes. To find out malicious nodes among a WSN with mass sensor nodes, this paper presents a malicious detection method based on multi-variate classification. Given the types of a few sensor nodes, it extracts sensor nodes' preferences related with the known types of malicious node, establishes the sample space of all sensor nodes that participate in network activities. Then, according to the study on the type-known sensor nodes' samples based on the multivariate classification algorithm, a classifier is generated, and all of the unknown-type sensor nodes are classified. The experiment results show that as long as the value of sensor nodes preferences and the number of active sensor nodes is stable, the false detection rate is stabilized under 0.5%.

Furqan Rustam,Ali Raza,Muhammad Qasim,Sarath Kumar Posa,Anca Delia Jurcut

DOI: https://doi.org/10.1109/access.2024.3375878

IF: 3.9

2024-03-22

IEEE Access

Abstract:Modern networks are crucial for seamless connectivity but face various threats, including disruptive network attacks, which can result in significant financial and reputational risks. To counter these challenges, AI-based techniques are being explored for network protection, requiring high-quality datasets for training. In this study, we present a novel methodology utilizing a Ubuntu Base Server to simulate a virtual network environment for real-time collection of network attack datasets. By employing Kali Linux as the attacker machine and Wireshark for data capture, we compile the Server-based Network Attack (SNA) dataset, showcasing UDP, SYN, and HTTP flood network attacks. Our primary goal is to provide a publicly accessible, server-focused dataset tailored for network attack research. Additionally, we leverage advanced AI methods for real-time detection of network attacks. Our proposed meta-RF-GNB (MRG) model combines Gaussian Naive Bayes and Random Forest techniques for predictions, achieving an impressive accuracy score of 99.99%. We validate the efficiency of MRG using cross-validation, obtaining a notable mean accuracy of 99.94% with a minimal standard deviation of 0.00002. Furthermore, we conducted a statistical t-test to evaluate the significance of MRG compared to other top-performing models.

computer science, information systems,telecommunications,engineering, electrical & electronic

Wangyan Feng,Shuning Wu,Xiaodan Li,Kevin Kunkle

DOI: https://doi.org/10.48550/arXiv.1801.00025

2017-12-29

Cryptography and Security

Abstract:To assure cyber security of an enterprise, typically SIEM (Security Information and Event Management) system is in place to normalize security event from different preventive technologies and flag alerts. Analysts in the security operation center (SOC) investigate the alerts to decide if it is truly malicious or not. However, generally the number of alerts is overwhelming with majority of them being false positive and exceeding the SOC's capacity to handle all alerts. There is a great need to reduce the false positive rate as much as possible. While most previous research focused on network intrusion detection, we focus on risk detection and propose an intelligent Deep Belief Network machine learning system. The system leverages alert information, various security logs and analysts' investigation results in a real enterprise environment to flag hosts that have high likelihood of being compromised. Text mining and graph based method are used to generate targets and create features for machine learning. In the experiment, Deep Belief Network is compared with other machine learning algorithms, including multi-layer neural network, random forest, support vector machine and logistic regression. Results on real enterprise data indicate that the deep belief network machine learning system performs better than other algorithms for our problem and is six times more effective than current rule-based system. We also implement the whole system from data collection, label creation, feature engineering to host score generation in a real enterprise production environment.

Yueping Hong,Qi Li,Yanqing Yang,Meng Shen

DOI: https://doi.org/10.1016/j.ins.2023.119229

IF: 8.1

2023-06-02

Information Sciences

Abstract:At present, the TLS cryptographic protocol is widely deployed. While protecting the security and integrity of transmitted information, it also makes the detection of malicious behavior more difficult. In recent years, researchers have proposed many encrypted malicious traffic detection methods. However, the existing approaches have some shortcomings. Firstly, although researchers have extracted multi-view features from different aspects, which can be divided into vectorized features based on feature engineering and image features based on original data, existing methods cannot fully integrate the features of different forms of expression. Secondly, most of the existing methods do not fully analyze the correlation between different encrypted traffic. Thirdly, the existing methods based on correlation analysis have low processing efficiency and cannot be applied to real networks. In the paper, we present MalDiscovery , a novel technique to discover encrypted malicious traffic to address all the above issues. For encrypted malicious traffic, MalDiscovery constructs an attribute KNN graph, in which encrypted sessions are used as nodes to construct a KNN graph according to the similarity of image features, and vectorized features are used as attributes of corresponding nodes. After that, the GraphSAGE model is used to collect relevant node information through correlation analysis to enrich the embeddings of each node. Finally, we achieve the accurate binary classification of nodes in the graph based on richer embeddings. We use extensive experiments to evaluate the proposed method, and the experiment results show that MalDiscovery can achieve an accuracy of about 99.9%, significantly outperforming all compared methods.

computer science, information systems

Jing Wang,Ioannis Ch. Paschalidis

DOI: https://doi.org/10.48550/arXiv.1503.02337

2015-03-09

Abstract:Signature-based botnet detection methods identify botnets by recognizing Command and Control (C\&C) traffic and can be ineffective for botnets that use new and sophisticate mechanisms for such communications. To address these limitations, we propose a novel botnet detection method that analyzes the social relationships among nodes. The method consists of two stages: (i) anomaly detection in an "interaction" graph among nodes using large deviations results on the degree distribution, and (ii) community detection in a social "correlation" graph whose edges connect nodes with highly correlated communications. The latter stage uses a refined modularity measure and formulates the problem as a non-convex optimization problem for which appropriate relaxation strategies are developed. We apply our method to real-world botnet traffic and compare its performance with other community detection methods. The results show that our approach works effectively and the refined modularity measure improves the detection accuracy.

Social and Information Networks,Physics and Society

Xihe Jiang,Dan Meng,Fucheng Liu,Dongxue Zhang,Yu Wen,Xinyu Xing

DOI: https://doi.org/10.1145/3319535.3363224

2019-11-06

Abstract:Conventional attacks of insider employees and emerging APT are both major threats for the organizational information system. Existing detections mainly concentrate on users' behavior and usually analyze logs recording their operations in an information system. In general, most of these methods consider sequential relationship among log entries and model users' sequential behavior. However, they ignore other relationships, inevitably leading to an unsatisfactory performance on various attack scenarios. We propose log2vec, a heterogeneous graph embedding based modularized method. First, it involves a heuristic approach that converts log entries into a heterogeneous graph in the light of diverse relationships among them. Next, it utilizes an improved graph embedding appropriate to the above heterogeneous graph, which can automatically represent each log entry into a low-dimension vector. The third component of log2vec is a practical detection algorithm capable of separating malicious and benign log entries into different clusters and identifying malicious ones. We implement a prototype of log2vec. Our evaluation demonstrates that log2vec remarkably outperforms state-of-the-art approaches, such as deep learning and hidden markov model (HMM). Besides, log2vec shows its capability to detect malicious events in various attack scenarios.

Computer Science

Weixuan Mao,Zhongmin Cai,Yuan Yang,Xiaohong Shi,Xiaohong Guan

DOI: https://doi.org/10.1016/j.cose.2017.12.005

IF: 5.105

2018-01-01

Computers & Security

Abstract:The deployment of endpoint protection has been gradually migrated from individual clients to remote cloud servers, which is termed as cloud based security service. The new paradigm of security defense produces a large amount of data and log files, and motivates data-driven techniques for detecting malicious software. This paper conducts an empirical study on the log of a real cloud based security service to characterize the occurrence of executable files in end hosts, which concerns 124,782 benign and 113,305 malicious executable files occurred in 165,549,417 end hosts. The end hosts and the timestamps that an executable file occurs in provide insights into the distribution of software in wild from spatial and temporal perspectives, respectively. Meanwhile, we investigate the strategies behind the characterizations, and observe the preferential attachment process and the periodicity of file occurrence in end hosts. The observed different occurrence patterns of benign and malicious files in end hosts inspire us a new scalable approach to malware detection. We learn from the characterizations that, the associated files shared more spatial and temporal information in common are more likely to be same in their labels, either benign or malicious. Thus, we devise a graph based semi-supervised learning algorithm for real-time malware detection by taking into account the spatio-temporal information of the distribution of executable files. Experimental results demonstrate that our approach increases the performance on malware detection by 14.7% over previous techniques on average.

Huiling Shi,Wei Zhang,Lei Zhang,Kuichao Zhang,Hongyang Sun

DOI: https://doi.org/10.1109/NaNA60121.2023.00051

2023-08-01

Abstract:Detecting malicious attacks in normal network traffic is critical to network security. Traditional traffic identification methods often struggle to capture the complex communication patterns in network traffic, hindering their effectiveness. We introduce GraphMal, a framework utilizing Graph Neural Networks (GNNs) for the identification of malicious traffic. This approach effectively exploits network topology and traffic characteristics to improve performance. We first apply Pearson's correlation coefficient and random forest approaches to effectively reduce the dimensionality of the dataset. Then, the E-GraphSAGE algorithm is used to extract salient features from the traffic topology graph and construct a robust graph classifier. Additionally, the focal loss function is used to solve the data imbalance problem. Experiments conducted on the UNSW-NB15 dataset demonstrate GraphMal's remarkable performance in both binary and multi-class classification tasks, while improving the learning efficiency of GNNs.

Computer Science

Zhuoqun Fu,Mingxuan Liu,Yue Qin,Jia Zhang,Yuan Zou,Qilei Yin,Qi Li,Haixin Duan

DOI: https://doi.org/10.1145/3545948.3545983

2022-01-01

Abstract:Malicious activities on the Internet continue to grow in volume and damage, posing a serious risk to society. Malware with remote control capabilities is considered one of the most threatening malicious activities, as it can enable arbitrary types of cyber-attacks. As a countermeasure, many malware detection methods are proposed to identify malicious behaviours based on traffic characteristics. However, the emerging encryption and evasion techniques pose substantial barriers to the full exploitation of network information. This significantly impairs the effectiveness of existing malware detection methods relying on a singular type of characteristics. In this paper, we propose ST-Graph to resolve this issue. In addition to traditional stream attributes, ST-Graph explores spatial and temporal characteristics of network behaviours based on a graph representation learning algorithm and integrates all available information to boost the detection decision. To illustrate the effectiveness of ST-Graph, we evaluate it on two datasets. Experimental results demonstrate that ST-Graph outperforms state-of-the-art malware detection systems and also shows good performance in efficiency, generalizability, and robustness. Specifically, it achieves over 99% precision and recall, and its False Positive Rate is even two orders of magnitude lower than (nearly 0.02 times) that of baseline models. Meanwhile, the deployment of ST-Graph in two real network scenarios for around one year shows an outstanding efficiency with only 160 seconds time cost for 5-minute traffic in 1.7 Gbps bandwidth.

Suyi Li,Yong Cheng,Wei Wang,Yang Liu,Tianjian Chen

DOI: https://doi.org/10.48550/arXiv.2002.00211

IF: 5.414

2020-02-01

Machine Learning

Abstract:Federated learning systems are vulnerable to attacks from malicious clients. As the central server in the system cannot govern the behaviors of the clients, a rogue client may initiate an attack by sending malicious model updates to the server, so as to degrade the learning performance or enforce targeted model poisoning attacks (a.k.a. backdoor attacks). Therefore, timely detecting these malicious model updates and the underlying attackers becomes critically important. In this work, we propose a new framework for robust federated learning where the central server learns to detect and remove the malicious model updates using a powerful detection model, leading to targeted defense. We evaluate our solution in both image classification and sentiment analysis tasks with a variety of machine learning models. Experimental results show that our solution ensures robust federated learning that is resilient to both the Byzantine attacks and the targeted model poisoning attacks.

Heyu Li,Zhangmeizhi Li,Shuyan Zhang,Xiao Pu

DOI: https://doi.org/10.1038/s41598-024-81189-1

IF: 4.6

2024-12-06

Scientific Reports

Abstract:With the widespread application of the Internet, network security issues have become increasingly prominent. As an important infrastructure of the Internet, the domain name server has been attacked in various forms. Traditional methods for detecting malicious domain servers are usually based on rules or feature engineering, requiring a large amount of manual participation and rule library updates. These methods cannot adapt to the constantly changing threat environment. In response to these issues, this study first improves the Transformer by adjusting its attention head and encoding method. Then, the model is combined with convolutional neural networks. Finally, a block-based ensemble classifier is used for classification detection. The relevant outcomes showed that the average accuracy score of the proposed method was as high as 95.8 points, the average detection time score was 96.8 points, the average feature extraction ability score of the model was 96.3 points, and the overall performance score was 97.6 points. This method has significant advantages over traditional methods in terms of accuracy and detection time, providing a new tool for detecting malicious domain servers.

multidisciplinary sciences

Peng Hui Li,Jie Xu,Zhong Yi Xu,Su Chen,Bo Wei Niu,Jie Yin,Xiao Feng Sun,Hao Liang Lan,Lu Lu Chen

DOI: https://doi.org/10.32604/cmc.2022.029969

2022-01-01

Abstract:At present, the severe network security situation has put forward high requirements for network security defense technology. In order to automate botnet threat warning, this paper researches the types and characteristics of Botnet. Botnet has special characteristics in attributes such as packets, attack time interval, and packet size. In this paper, the attack data is annotated by means of string recognition and expert screening. The attack features are extracted from the labeled attack data, and then use K-means for cluster analysis. The clustering results show that the same attack data has its unique characteristics, and the automatic identification of network attacks is realized based on these characteristics. At the same time, based on the collection and attribute extraction of Botnet attack data, this paper uses RF, GBM, XGBOOST and other machine learning models to test the warning results, and automatically analyzes the attack by importing attack data. In the early warning analysis results, the accuracy rates of different models are obtained. Through the descriptive values of the three accuracy rates of Accuracy, Precision, and F1_Score, the early warning effect of each model can be comprehensively displayed. Among the five algorithms used in this paper, three have an accuracy rate of over 90%. The three models with the highest accuracy are used in the early warning model. The research shows that cyberattacks can be accurately predicted. When this technology is applied to the protection system, accurate early warning can be given before a network attack is launched.

computer science, information systems,materials science, multidisciplinary

Sankalp Bagaria,R. Balaji,B. S. Bindhumadhava

DOI: https://doi.org/10.48550/arXiv.1705.09044

2017-05-25

Cryptography and Security

Abstract:TLS uses X.509 certificates for server authentication. A X.509 certificate is a complex document and various innocent errors may occur while creating/ using it. Also, many certificates belong to malicious websites and should be rejected by the client and those web servers should not be visited. Usually, when a client finds a certificate that is doubtful using the traditional tests, it asks for human intervention. But, looking at certificates, most people can't differentiate between malicious and non-malicious websites. Thus, once traditional certificate validation has failed, instead of asking for human intervention, we use machine learning techniques to enable a web browser to decide whether the server to which the certificate belongs to is malignant or not ie, whether the website should be visited or not. Once a certificate has been accepted in the above phase, we observe that the website may still turn out to be malicious. So, in the second phase, we download a part of the website in a sandbox without decrypting it and observe the TLS encrypted traffic (encrypted malicious data captured in a sandbox cannot harm the system). As the traffic is encrypted after Handshake is completed, traditional pattern-matching techniques cannot be employed. Thus we use flow features of the traffic along with the features used in the above first phase. We couple these features with the unencrypted TLS header information obtained during TLS Handshake and use these in a machine learning classifier to identify whether the traffic is malicious or not.

Zongqu Zhao,Junfeng Wang,Chonggang Wang

DOI: https://doi.org/10.1002/sec.524

IF: 1.968

2012-02-28

Security and Communication Networks

Abstract:The traditional malware detection schemes based on specific signature give an unsatisfactory performance as disposing the previously unknown malware, so the general features of binary files should be explored to solve this problem. Recently, classification algorithms were employed successfully to choose the features in unknown malicious code, and most of the works use byte or operation code sequence n‐gram representation of the executables. However, these n‐gram representations are heavily dependent on the training data. In this paper, we present a graph‐based method to detect unknown malware. The function call graph of an executable, which includes the functions and the call relations between them, is selected as the representation of the executable in this method. The features are defined according to both the statistical information and the topology of the function call graph. They are extracted and processed through machine learning to classify unknown Portable Executable files. For the sake of fixed sum of the features, the graph‐based method can avoid so many features found in other methods. In our experiments, three types of malware datasets were tested, and as high as 96.8% accuracy can be achieved. Furthermore, it can achieve 92.1% accuracy when only 5% of the dataset is served as training set. Copyright © 2012 John Wiley & Sons, Ltd. To detect the unknown malware, the features of graph‐based method are predefined from function call graph of software, and then the rules are built with these features to classify an executable as the benign or the malware. The quantity and the contents of these features are independent of testing dataset, and this peculiarity enables our experiment results to nearly reflect the situation of unknown malware detection. The design can provide a high malware detection accuracy by using a small set of training set.

computer science, information systems,telecommunications

Simon Mandlik,Tomas Pevny,Vaclav Smidl,Lukas Bajer

2024-08-07

Abstract:Detection of malicious behavior in a large network is a challenging problem for machine learning in computer security, since it requires a model with high expressive power and scalable inference. Existing solutions struggle to achieve this feat -- current cybersec-tailored approaches are still limited in expressivity, and methods successful in other domains do not scale well for large volumes of data, rendering frequent retraining impossible. This work proposes a new perspective for learning from graph data that is modeling network entity interactions as a large heterogeneous graph. High expressivity of the method is achieved with neural network architecture HMILnet that naturally models this type of data and provides theoretical guarantees. The scalability is achieved by pursuing local graph inference, i.e., classifying individual vertices and their neighborhood as independent samples. Our experiments exhibit improvement over the state-of-the-art Probabilistic Threat Propagation (PTP) algorithm, show a further threefold accuracy improvement when additional data is used, which is not possible with the PTP algorithm, and demonstrate the generalization capabilities of the method to new, previously unseen entities.

Machine Learning,Cryptography and Security

Tun Li,Ya Luo,Xin Wan,Qian Li,Qilie Liu,Rong Wang,Chaolong Jia,Yunpeng Xiao

DOI: https://doi.org/10.1016/j.eswa.2023.123109

IF: 8.5

2024-01-16

Expert Systems with Applications

Abstract:The proliferation of malware in recent years has posed a significant threat to the security of computers and mobile devices . Detecting malware, especially on the Android platform, has become a growing concern for researchers and the software industry. This paper proposes a new method for detecting Android malware based on unbalanced heterogeneous graph embedding. First of all, most malware datasets contain an imbalance of malicious and benign samples, since some types of malware are scarce and difficult to collect. Thus, as a result of this problem, the classification algorithm is unable to analyze the minority samples through sufficient data, resulting in poor downstream classifier performance, in light of the fact that adversarial generation networks possess the characteristic of completing data, an algorithm for generating graph structure data is presented, in which nodes are generated to simulate the distribution of minority nodes within a network topology . Then, considering that heterogeneous information networks have the characteristics of retaining rich node semantic features and mining implicit relationships, heterogeneous graphs are used to construct models for different types of entities (i.e. Apps, APIs, permissions, intents, etc.) and different meta-paths. Finally, a new method is introduced to alleviate the over-smoothing phenomenon of node information in the propagation of deep network. In the deep GCN, we first sample the leader nodes of each layer node, and then add a residual connection and an identity map in order to determine the characteristics of the high-order leader. In this paper, a self-attention-based semantic fusion method is also applied to adaptively fuse embedded representations of software nodes under different meta-paths. The test results demonstrate that the proposed IHODroid model effectively detects malicious software. In the DREBIN dataset, which consists of 123,453 Android applications and 5,560 malicious samples, the IHODroid model achieves an accuracy of 0.9360 and an F1 score of 0.9360, outperforming other state-of-the-art baseline methods.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science