Yinan Zhong,Mingyu Pan,Yanjiao Chen,Wenyuan Xu

DOI: https://doi.org/10.3390/sym16040443

2024-01-01

Abstract:The past few years have witnessed a wider adoption of Internet of Things (IoT) devices. Since IoT devices are usually deployed in an open and uncertain environment, device authentication is of great importance. However, traditional device fingerprint (DF) extraction methods have several disadvantages. First, existing DF extraction methods need private information from devices to compute DFs, which puts the privacy of devices at stake. Second, the manually designing features-based methods suffer from poor performance. To tackle these limitations, we propose a Linear Residual Neural Network-based DF extraction method, Res-DFNN, which utilizes network packet data in the pcap file to generate DF. The key block is designed according to symmetry, and it is verified by simulation that our method achieves better performance in both non-private and privacy-preserving scenarios.

Se Eun Oh,Saikrishna Sunkam,Nicholas Hopper

DOI: https://doi.org/10.48550/arXiv.1711.03656

2017-11-10

Cryptography and Security

Abstract:Recent advances in learning Deep Neural Network (DNN) architectures have received a great deal of attention due to their ability to outperform state-of-the-art classifiers across a wide range of applications, with little or no feature engineering. In this paper, we broadly study the applicability of deep learning to website fingerprinting. We show that unsupervised DNNs can be used to extract low-dimensional feature vectors that improve the performance of state-of-the-art website fingerprinting attacks. When used as classifiers, we show that they can match or exceed performance of existing attacks across a range of application scenarios, including fingerprinting Tor website traces, fingerprinting search engine queries over Tor, defeating fingerprinting defenses, and fingerprinting TLS-encrypted websites. Finally, we show that DNNs can be used to predict the fingerprintability of a website based on its contents, achieving 99% accuracy on a data set of 4500 website downloads.

Yu Weimin,Xue Ye,Knoops Rob,Yu Danyuan,Balmashnova Evgeniya,Kang Xiaodong,Falgari Pietro,Zheng Dongyun,Liu Pengfei,Chen Hui,Shi He

DOI: https://doi.org/10.1007/s00414-020-02392-z

2020-01-01

International Journal of Legal Medicine

Abstract:Forensic diatom test has been widely accepted as a way of providing supportive evidences in the diagnosis of drowning. The current workflow is primarily based on the observation of diatoms by forensic pathologists under a microscopy, and this process can be very time-consuming. In this paper, we demonstrate a deep learning-based approach for automatically searching diatoms in scanning electron microscopic images. Cross-validation studies were performed to evaluate the influence of magnification on performance. Moreover, various training strategies were tested to improve the performance of detection. The conclusion shows that our approach can satisfy the necessary requirements to be integrated as part of an automatic forensic diatom test.

Ruiting Shao,Edward J. Delp

DOI: https://doi.org/10.48550/arXiv.2002.02079

2020-02-06

Abstract:Due to the increasing availability and functionality of image editing tools, many forensic techniques such as digital image authentication, source identification and tamper detection are important for forensic image analysis. In this paper, we describe a machine learning based system to address the forensic analysis of scanner devices. The proposed system uses deep-learning to automatically learn the intrinsic features from various scanned images. Our experimental results show that high accuracy can be achieved for source scanner identification. The proposed system can also generate a reliability map that indicates the manipulated regions in an scanned image.

Computer Vision and Pattern Recognition

Weizhong Qiang,Kunlun Ren,Yueming Wu,Deqing Zou,Hai Jin

DOI: https://doi.org/10.1109/tr.2024.3355233

IF: 5.883

2024-01-01

IEEE Transactions on Reliability

Abstract:Browser fingerprinting is a stateless tracking technique that poses a significant security threat to users' privacy. However, the distinction between fingerprinting and nonfingerprinting scripts is far from well-defined, making the detection of fingerprinting scripts very challenging. Existing methods for detecting browser fingerprinting are based on heuristics or machine learning, and thus either require strictly defined rules or are not able to learn the features of fingerprinting scripts comprehensively, failing to detect a significant fraction of fingerprinting scripts. To detect browser fingerprinting more effectively, we propose a deep learning-based detection method, DeepFPD, in which multiple script modalities including tokens, abstract syntax trees, and control flow graphs are learned by using different specific neural networks to obtain lexical, syntax, and control flow information of the script code. Moreover, the attention mechanism is introduced to enhance the effectiveness of DeepFPD. The experimental results on the training dataset and test dataset constructed based on real-world scripts show that DeepFPD outperforms the state-of-the-art work with an F1-measure improvement of 8.3% and 18.7%, respectively.

engineering, electrical & electronic,computer science, software engineering, hardware & architecture

Guowen Xu,Xingshuo Han,Anguo Zhang,Tianwei Zhang

DOI: https://doi.org/10.48550/arXiv.2207.04668

2022-09-05

Abstract:The deep learning (DL) technology has been widely used for image classification in many scenarios, e.g., face recognition and suspect tracking. Such a highly commercialized application has given rise to intellectual property protection of its DL model. To combat that, the mainstream method is to embed a unique watermark into the target model during the training process. However, existing efforts focus on detecting copyright infringement for a given model, while rarely consider the problem of traitors tracking. Moreover, the watermark embedding process can incur privacy issues for the training data in a distributed manner. In this paper, we propose SECUREMARK-DL, a novel fingerprinting framework to address the above two problems in a distributed learning environment. It embeds a unique fingerprint into the target model for each customer, which can be extracted and verified from any suspicious model once a dispute arises. In addition, it adopts a new privacy partitioning technique in the training process to protect the training data privacy. Extensive experiments demonstrate the robustness of SECUREMARK-DL against various attacks, and its high classification accuracy (> 95%) even if a long-bit (304-bit) fingerprint is embedded into an input image.

Cryptography and Security

Tianyao Pan,Zejia Tang,Dawei Xu

DOI: https://doi.org/10.3390/math11194078

IF: 2.4

2023-09-26

Mathematics

Abstract:Website fingerprinting attacks attempt to apply deep learning technology to identify websites corresponding to encrypted traffic data. Unfortunately, to the best of our knowledge, once the total number of encrypted traffic data becomes insufficient, the identification accuracy in most existing works will drop dramatically. This phenomenon grows worse because the statistical features of the encrypted traffic data are not always stable but irregularly varying in different time periods. Even a deep learning model requires good performance to capture the statistical features, its accuracy usually diminishes in a short period of time because the changes of the statistical features technically put the training and testing data into two non-identical distributions. In this paper, we first propose a convolutional neural network-based website fingerprinting attack (CWFA) scheme. This scheme integrates packet direction with the timing sequence from the encrypted traffic data to improve the accuracy of analysis as much as possible on few data samples. We then design a new fine-tuning mechanism for the CWFA (FM-CWFA) scheme based on transfer learning. This mechanism enables the proposed FM-CWFA scheme to support the changes in the statistical patterns. The experimental results in closed-world and open-world settings show that the effectiveness of the CWFA scheme is better than previous researches, with the slowest performance degradation when the number of data decreases, and the FM-CWFA scheme can remain effective when the statistical features change.

mathematics

Lian Yu,Lihao Chen,Jingtao Dong,Mengyuan Li,Lijun Liu,Bai Zhao,Chen Zhang

DOI: https://doi.org/10.1109/compsac48688.2020.0-167

2020-01-01

Abstract:This paper proposes an approach that combines a deep learning-based method and a traditional machine learning-based method to efficiently detect malicious requests Web servers received. The first few layers of Convolutional Neural Network for Text Classification (TextCNN) are used to automatically extract powerful semantic features and in the meantime transferable statistical features are defined to boost the detection ability, specifically Web request parameter tampering. The semantic features from TextCNN and transferable statistical features from artificially-designing are grouped together to be fed into Support Vector Machine (SVM), replacing the last layer of TextCNN for classification. To facilitate the understanding of abstract features in form of numerical data in vectors extracted by TextCNN, this paper designs trace-back functions that map max-pooling outputs back to words in Web requests. After investigating the current available datasets for Web attack detection, HTTP Dataset CSIC 2010 is selected to test and verify the proposed approach. Compared with other deep learning models, the experimental results demonstrate that the approach proposed in this paper is competitive with the state-of-the-art.

Chuan Sheng,Yu Yao,Lianxiang Zhao,Peng Zeng,Jianming Zhao

DOI: https://doi.org/10.1109/tifs.2024.3359002

IF: 7.231

2024-02-10

IEEE Transactions on Information Forensics and Security

Abstract:As the precursor of cyber-attacks, the campaigns of scanning groups are able to reflect the attack target and attack trend to a great extent, which provide highly valuable threat intelligence for cyber defenders to understand the current cyber security situation. However, how to identify scanning groups in the context of limited information, especially in the absence of relevant threat intelligence, remains a challenging problem. In this paper, we utilize the honeynet as the unique data source to propose a scanning group identification system, Scanner-Hunter, which focuses on identifying scanning groups targeting ICS devices. To better characterize scanning patterns, a novel traffic representation scheme for scanning traffic is proposed, which is composed of a set of feature vectors to describe all the ICS request packets. On this basis, we propose a novel self-expanding multi-class classification (SEMCC) model and the IP prefix judgment, which are deliberately integrated to cope with sophisticated scanning groups. Take the Modbus protocol as an example, we implement a prototype of Scanner-Hunter, and use six years of real-world honeynet datasets to evaluate its performance. The experimental results illustrate its effectiveness and superior performance compared with some popular machine learning methods and existing SOTA scanning group identification methods. In addition, Scanner-Hunter is further leveraged to investigate the group distribution and maliciousness of 506 unknown scanners, and some suspicious attack groups with APT characteristics are analyzed. Furthermore, accurate scanning group information will contribute to revealing potential attack organizations and supporting decision making to prevent or interrupt cyber-attacks in time.

computer science, theory & methods,engineering, electrical & electronic

Qilei Yin,Zhuotao Liu,Qi Li,Tao Wang,Qian Wang,Chao Shen,Yixiao Xu

DOI: https://doi.org/10.1109/tdsc.2021.3104869

2021-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:In Website Fingerprinting (WF) attack, a local passive eavesdropper utilizes network flow information to identify which web pages a user is browsing. Previous researchers have demonstrated the feasibility and effectiveness of WF attacks under a strong Single Page Assumption: the network flow extracted by the adversary belongs to a single web page. In reality, the assumption may not hold because users tend to open multiple tabs simultaneously (or within a short period of time) so that their network traffic is mixed. In this article, we propose an automated multi-tab Website Fingerprinting attack that is able to accurately classify websites regardless of the number of simultaneously opened pages. Our design is powered by two innovative designs. First, we develop a split point classification method to dynamically identify the split point between the first page and its subsequent pages. As a result, the network traffic before the split point is solely generated for the first page. Then, we propose a new chunk-based WF classifier to infer the websites based on the initial chunk of clean traffic. For both classifiers, we apply automated feature selection to select a concise yet representative feature set. We implement a prototype of our design and perform extensive evaluations using SSH and Tor-based datasets to demonstrate the effectiveness of both our system components individually and the integrated system as a whole.

S. Bharathiraja,B. Rajesh Kanna,M. Hariharan

DOI: https://doi.org/10.1007/s13369-022-06743-3

IF: 2.807

2022-03-22

Arabian Journal for Science and Engineering

Abstract:The main aim of digital image forensics is to validate the authenticity of images by identifying the camera that captured the image and finding traces of any alteration in the spatial content. The majority of the existing literature focuses on manual extraction of intrinsic camera features such as lens aberration, sensor imperfections, pixel non-uniformity, color filter array type, and so on. These handcrafted features are analyzed and characterized as a unique signature for detecting the camera and authenticating the image which is recorded from the device. To facilitate an end-to-end automated forensics analysis, the current research explores the ability of a novel deep learning framework to learn the intrinsic signature of a selected camera model. The proposed deep convolutional network performs source camera identification (SCI). It contains two functional blocks, namely, esidual noise feature extractor (RNFE) and Feature Modulator (FM). To extract the noise pattern from camera images, the RNFE module analyses the debayered image using a U-Net. The generated noise residue is then modulated through a CNN pipeline to an embedding vector. Triplet loss function is used to train the proposed SCI network such that, the images captured from the source cameras are located closer to each other than images from different cameras. Experimental results demonstrate that the CNN achieves a 97.59% F-score and 97.01% recall, on par with state-of-the-art. Hence, the unified architectural representation of the proposed deep-net could be treated as a generic deep net framework in learning the sensor pattern noise (SPN) fingerprint of a camera model.

multidisciplinary sciences

Akira Tanaka,Chansu Han,Takeshi Takahashi

DOI: https://doi.org/10.1109/access.2023.3249474

IF: 3.9

2023-01-01

IEEE Access

Abstract:Adversaries perform port scanning to discover accessible and vulnerable hosts as a prelude to cyber havoc. A darknet is a cyberattack observation network to capture these scanning activities through reachable yet unused IP addresses. However, the enormous amount of packets and superposition of diverse scanning strategies prevent extracting significant insights from the aggregate traffic. Some coordinated scanners disperse probe packets whose TCP/IP header follows a unique pattern to determine whether the received packets are valid responses to their probes or are part of other background traffic. We call such a pattern a fingerprint. For example, a probe packet from a Mirai-infected host satisfies a pattern whereby the destination IP address equals the sequence number. A fingerprint indicates that the source host has been involved in a particular scanning campaign. Although some fingerprints have been discovered and known to the public, there are and will be more undiscovered ones. We intend to unveil these fingerprints. Our preliminary work automatically identified flexible fingerprints but overlooked low-rate and coordinated scanners. In this work, we improved the fingerprint identifier, enabling it to detect these stealth scans. Moreover, we revealed the scans’ objectives by investigating destination port sets. We associated fingerprints with threat intelligence and verified their reliability. Our approach identified all well-known and eight unknown fingerprints on one month’s worth of darknet data collected from about three-hundred thousand unused IP addresses. We disclosed the fingerprints of the Mozi botnet and destination port sets that were previously unreported.

computer science, information systems,telecommunications,engineering, electrical & electronic

Shihao Wang,Liangmin Wang,Shangnan Yin,Hui Zhao,Hao Shentu

DOI: https://doi.org/10.1109/nana51271.2020.00020

2020-01-01

Abstract:Website Fingerprinting (WF) attacks aim to identify the website label of anonymous website traffic trace. WF attacks are suitable for anonymous network scenario because it only needs to analyze the information contained in the packet header without analyzing the content of the packet payload. WF attacks are important means to combat anonymous cyber-crimes. However, with anonymous networks are widely deployed on different devices such as PC and mobile devices, the sources of anonymous website traffic have become more diverse, and differences in devices will cause differences in anonymous website traffic. Existing WF attacks only use anonymous website traffic collected from the same device to train the classifier, and the performance will be significantly reduced while it is trying to identify the mixed anonymous website traffic generated by different devices. In this study, we propose cross-platform website fingerprinting (CPWF) attack based on multi-similarity loss. First, we use the multi-similarity loss to train a deep learning-based website fingerprint extraction model. The model is able to extract a feature set for anonymous website traffic classification, ignoring the differences caused by different devices, so that attackers can use the anonymous website traffic collected from the single terminal device to train the classifier, the classifier capable of identifying anonymous website traffic collected from all devices effectively.

Jinghong Lan,Xudong Liu,Bo Li,Yanan Li,Tongtong Geng

DOI: https://doi.org/10.1016/j.cose.2022.102663

2022-05-01

Abstract:Darknet traffic classification is crucial for identifying anonymous network applications and defensing cyber crimes. Although notable research efforts have been dedicated to classifying darknet traffic by combining machine learning algorithms and elaborately designed features, current methods either heavily depend on hand-crafted features or overlook the global intrinsic relationships among the local features automatically extracted from different data positions, leading to limited classification performance. To tackle this issue, we propose DarknetSec, a novel self-attentive deep learning method for darknet traffic classification and application identification. Concretely, DarknetSec utilizes a cascaded model with a 1-dimensional Convolutional Neural Network (1D CNN) and a bidirectional Long Short-Term Memory (Bi-LSTM) network to capture local spatial-temporal features from the payload content of packets, while the self-attention mechanism is integrated into the abovementioned feature extraction network to mine the intrinsic relationships and hidden connections among the previously extracted content features. In addition, DarknetSec extracts side-channel features from payload statistics to enhance its classification performance. We evaluate DarknetSec on the CICDarknet2020 dataset, which is a representative of darknet traffic covering both Virtual Private Network (VPN) and The Onion Router (Tor) applications. Thorough experiments show that DarknetSec is superior to other state-of-the-art methods, achieving a multiclass accuracy of 92.22% and a macro-F1-score of 92.10%. Additionally, DarknetSec maintains its high accuracy when applied to other encrypted traffic classification tasks.

computer science, information systems

Shiyi Yang,Hui Guo,Nour Moustafa

DOI: https://doi.org/10.48550/arXiv.2105.09157

2021-09-01

Abstract:Machine learning (ML)-based intrusion detection systems (IDSs) play a critical role in discovering unknown threats in a large-scale cyberspace. They have been adopted as a mainstream hunting method in many organizations, such as financial institutes, manufacturing companies and government agencies. However, existing designs achieve a high threat detection performance at the cost of a large number of false alarms, leading to alert fatigue. To tackle this issue, in this paper, we propose a neural-network-based defense mechanism named DarkHunter. DarkHunter incorporates both supervised learning and unsupervised learning in the design. It uses a deep ensemble network (trained through supervised learning) to detect anomalous network activities and exploits an unsupervised learning-based scheme to trim off mis-detection results. For each detected threat, DarkHunter can trace to its source and present the threat in its original traffic format. Our evaluations, based on the UNSW-NB15 dataset, show that DarkHunter outperforms the existing ML-based IDSs and is able to achieve a high detection accuracy while keeping a low false positive rate.

Cryptography and Security

Vera Rimmer,Davy Preuveneers,Marc Juarez,Tom Van Goethem,Wouter Joosen

DOI: https://doi.org/10.14722/ndss.2018.23105

2017-12-06

Abstract:Several studies have shown that the network traffic that is generated by a visit to a website over Tor reveals information specific to the website through the timing and sizes of network packets. By capturing traffic traces between users and their Tor entry guard, a network eavesdropper can leverage this meta-data to reveal which website Tor users are visiting. The success of such attacks heavily depends on the particular set of traffic features that are used to construct the fingerprint. Typically, these features are manually engineered and, as such, any change introduced to the Tor network can render these carefully constructed features ineffective. In this paper, we show that an adversary can automate the feature engineering process, and thus automatically deanonymize Tor traffic by applying our novel method based on deep learning. We collect a dataset comprised of more than three million network traces, which is the largest dataset of web traffic ever used for website fingerprinting, and find that the performance achieved by our deep learning approaches is comparable to known methods which include various research efforts spanning over multiple years. The obtained success rate exceeds 96% for a closed world of 100 websites and 94% for our biggest closed world of 900 classes. In our open world evaluation, the most performant deep learning model is 2% more accurate than the state-of-the-art attack. Furthermore, we show that the implicit features automatically learned by our approach are far more resilient to dynamic changes of web content over time. We conclude that the ability to automatically construct the most relevant traffic features and perform accurate traffic recognition makes our deep learning based approach an efficient, flexible and robust technique for website fingerprinting.

Cryptography and Security,Machine Learning

Yuming Feng,Yu Zhang,Hui He,Weizhe Zhang,Desheng Wang

DOI: https://doi.org/10.1109/TDSC.2024.3383159

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:With the widespread deployment and application of various types of IoT devices, preventing illegal intrusion and impersonation attacks of IoT devices has become an important security challenge. Device identification helps to limit the behavior of suspicious devices and enhances the security of the device access process. In this paper, we propose a novel deep learning-based automatic fingerprint extraction model that addresses low efficiency and complexity of traditional feature engineering process, which are often rely on expert experience. The proposed model integrates advanced modules such as Depthwise Separable Convolution (DSC) and Gated Recurrent Unit (GRU), as well as architectures of inverted residuals and linear bottlenecks to enhance the performance of fingerprint extraction. After converting the raw device traffic into the sequence of traffic grayscale images, the model can analyze spatial and temporal features from them to generate highly distinguishable device fingerprints automatically. Additionally, we also achieve fast fingerprint search based on Hierarchical Navigable Small World (HNSW) to support device identification. Our proposed method can not only indicate deviations in device behavior from expected specifications, but also identify unknown and unreliable IoT devices. The experimental results show that our method has excellent performance and more comprehensive identification capabilities in multiple dimensions.

Chi-Kuan Chiu,Hsiao-Hsien Chang,Ching-Hao Mao,Te-En Wei

DOI: https://doi.org/10.1109/desec.2018.8625111

2018-12-01

Abstract:Malware and backdoor usually hide their malicious activities to communicate with C&C server through HTTP protocol. Various techniques for stealth are developed which directly leads security system's failure to detect hacker's activities. This paper focuses on profiling fingerprints of browsers running on different client-side host to detect anomaly among outbound HTTP traffics at behavioral and semantic level. Patterns describing fake header are also elaborately designed using graph structure and become significant features in the proposed method for the subsequent detection. Performance of proposed approach are evaluated with data from realistic environment and compare to state-of-the-art. Results show that the proposed method delivers accuracy up to 99%, also for the counterfeit fingerprint's detection it even achieve 100% recall, while the alternative approach totally failed under this scenario.

Xiaodong Zang,Jianbo Cao,Xinchang Zhang,Jian Gong,Guiqing Li

DOI: https://doi.org/10.1007/s11235-023-01073-7

2024-01-01

Telecommunication Systems

Abstract:Botnets are one of the major threats to network security nowadays. To carry out malicious actions remotely, they heavily rely on Command and Control channels. DGA-based botnets use a domain generation algorithm to generate a significant number of domain names. By analyzing the linguistic distinctions between legitimate and DGA-based domain names, traditional machine learning schemes obtain great benefits. However, it is difficult to identify the ones based on wordlists or pseudo-random generated. Accordingly, this paper proposes an efficient CNN-LSTM-based detection model (BotDetector) that uses only a set of simple-to-compute, easy-to-compute character features. We evaluate our model with two open-source benchmark datasets (360 netlab, Bambenek) and real DNS traffic from the China Education and Research Network. Experimental results demonstrate that our algorithm improves by 1.6 % in terms of accuracy and F1-score and reduces the computation time by 9.4 % compared to other state-of-the-art alternatives. Remarkably, our work can identify botnet’s covert communication channels that use domain names based on word lists or pseudo-random generation without any help of reverse engineering.

Victor Adewopo,Bilal Gonen,Nelly Elsayed,Murat Ozer,Zaghloul Saad Elsayed

DOI: https://doi.org/10.48550/arXiv.2202.01448

2022-02-03

Cryptography and Security

Abstract:In our current society, the inter-connectivity of devices provides easy access for netizens to utilize cyberspace technology for illegal activities. The deep web platform is a consummative ecosystem shielded by boundaries of trust, information sharing, trade-off, and review systems. Domain knowledge is shared among experts in hacker's forums which contain indicators of compromise that can be explored for cyberthreat intelligence. Developing tools that can be deployed for threat detection is integral in securing digital communication in cyberspace. In this paper, we addressed the use of TOR relay nodes for anonymizing communications in deep web forums. We propose a novel approach for detecting cyberthreats using a deep learning algorithm Long Short-Term Memory (LSTM). The developed model outperformed the experimental results of other researchers in this problem domain with an accuracy of 94\% and precision of 90\%. Our model can be easily deployed by organizations in securing digital communications and detection of vulnerability exposure before cyberattack.