Chaoyuan Cui,Yun Wu,Ping Li,Rujing Wang

DOI: https://doi.org/10.2991/ccis-13.2013.59

2013-01-01

Abstract:With the development of the Cloud computing, more and more people are accustomed to resource sharing or online shopping. And malware has become a major threat to the Cloud safety. Process hiding is a powerful technique commonly used by stealthy malware to evade detection by anti-malware. In this paper, we present a novel approach called VMPmonitor-an efficient modularity approach for hidden process detection. With the help of the guest OS register information (mainly the ESP) collected by virtual machine monitor, VMPmonitor can implicitly capture the hidden process information of target guest OS. Compared to other approaches, VMPmonitor obtains guest process information implicitly. Using implicit information reduces its susceptibility to guest evasion attack. Experimental result shows that VMPmonitor has better reliability and accuracy.

Sha‐Yuan Zhou,Shu‐Qing Wang

DOI: https://doi.org/10.1002/apj.5500130322

2005-01-01

Developments in Chemical Engineering and Mineral Processing

Abstract:AbstractFor many on‐line fault diagnosis schemes based on process data, a moving time window is an indispensable technique to track dynamic data. In this paper, a novel approach combining variable moving window and hidden Markov model (HMM) for on‐line identification of abnormal operating conditions is proposed. The main feature of this method is that the window length can be changed with time. Before fault diagnosis, some process measurements are used for fault alarm. As a tool for feature extraction, principal component analysis (PCA) is employed in order to reduce the large number of correlated variables. The effectiveness of the approach is illustrated by case studies from the Tennessee Eastman process.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Lin Wang,Chunjie Yang,Youxian Sun

DOI: https://doi.org/10.1021/acs.iecr.7b03600

2017-01-01

Industrial & Engineering Chemistry Research

Abstract:Due to the existence of multiple operating modes, traditional fault detection techniques are ill-suited for complex industrial processes. Although there are more and more literature studies concerning this problem, only a few of them are based on the hidden Markov model (HMM). However, there is no exploration to concern the unknown mode in the industrial process based on it. This article proposes a novel process monitoring approach based on moving window HMM (MVHMM) for real-time multimode process monitoring with unknown mode. First, a hidden Markov model is built by training set. Instead of just considering the posterior probability of one single sample, the moving window is introduced to utilize the independence of samples for improving the accuracy of online mode identification. In addition, an MVHMM-based threshold statistic is defined to identify the unknown mode. Also, various known modes which include stable modes and transitions are separated on the basis of the Viterbi algorithm. Second, a new monitoring scheme is developed for fault detection of each mode. The effectiveness of the proposed approach is validated by the Tennessee Eastman (TE) chemical process and a numerical simulation example.

Yuehan Chi,Yushi Cheng,Xiaoyu Ji

DOI: https://doi.org/10.1088/1742-6596/2242/1/012038

2022-01-01

Journal of Physics Conference Series

Abstract:The application of information technology in many fields is becoming more and more popular, but while bringing about a rapid increase in productivity, it also brings some safety issues, especially in industrial control systems. Since the industrial control system often uses a computer as the control center of some devices, once this computer is attacked, it will cause serious harm. The use of additional security software for security monitoring is not completely credible, after all, security monitoring software will also be attacked and become invalid. Therefore, the method of using some side channels and machine learning is very popular recently, especially the power consumption side channels. However, the power consumption will change with the running time of the device. If the model trained by supervised learning will fail after a few days, this paper proposes a self-learning method based on the power consumption side channel, which can be stable for a long time with a high accuracy of 97%.

Le Zhou,Lixinqian Yu,Beiping Hou,Hongbo Zheng,Zheng-Guang Wu

DOI: https://doi.org/10.1109/ticps.2023.3320090

2023-01-01

Abstract:Although remarkable studies on dynamic process modeling and monitoring in cyber-physical systems have been conducted, there are still several limitations to these approaches, rendering them unsuitable for practical applications. Firstly, the common dynamic models are built based on complete data, which means that their modeling performance usually deteriorates when there are missing measurements. Secondly, practical data often exhibits more complex characteristics, such as non-stationary and non-Gaussian noises. Therefore, a robust dynamic latent variable model is proposed to address the challenges of dynamic process modeling and monitoring in complex measurement environments with missing values. The proposed method effectively handles non-Gaussian noises and recursively estimates missing values, thus enhancing the monitoring performance within the dynamic latent variable modeling framework. Finally, the feasibility and superiority of the proposed method are evaluated through a numerical example and a real wastewater treatment case, demonstrating its effectiveness and practicality in real-world scenarios.

Qi Wang,Wajih Ul Hassan,Ding Li,Kangkook Jee,Xiao Yu,Kexuan Zou,Junghwan Rhee,Zhengzhang Chen,Wei Cheng,Carl A. Gunter,Haifeng Chen

DOI: https://doi.org/10.14722/ndss.2020.24167

2020-01-01

Abstract:To subvert recent advances in perimeter and host security, the attacker community has developed and employed various attack vectors to make a malware much stealthier than before to penetrate the target system and prolong its presence. Such advanced malware or "stealthy malware" makes use of various techniques to impersonate or abuse benign applications and legitimate system tools to minimize its footprints in the target system. It is thus difficult for traditional detection tools, such as malware scanners, to detect it, as the malware normally does not expose its malicious payload in a file and hides its malicious behaviors among the benign behaviors of the processes. In this paper, we present PROVDETECTOR, a provenancebased approach for detecting stealthy malware. Our insight behind the PROVDETECTOR approach is that although a stealthy malware attempts to blend into benign processes, its malicious behaviors inevitably interact with the underlying operating system (OS), which will be exposed to and captured by provenance monitoring. Based on this intuition, PROVDETECTOR first employs a novel selection algorithm to identify possibly malicious parts in the OS-level provenance data of a process. It then applies a neural embedding and machine learning pipeline to automatically detect any behavior that deviates significantly from normal behaviors. We evaluate our approach on a large provenance dataset from an enterprise network and demonstrate that it achieves very high detection performance of stealthy malware (an average Fl score of 0.974). Further, we conduct thorough interpretability studies to understand the internals of the learned machine learning models.

蔡忠闽,彭勤科,管晓宏,孙国基

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.07.028

2002-01-01

Abstract:In this paper we present a multi-layer and defense-in-depth intrusion detection model for networked computer systems with a prototype. In this model, the operations on the protected computer system are monitored by four sensors from different viewpoints. The final judgement is made by combining the results of the individual sensors using information fusion techniques. It is demonstrated that an anomaly behavior can be more easily discovered and false alarms can be effectively reduced using our detection model. The methods to detect intrusions at different layers are also discussed using the experience gained in prototype realization.

WEI WANG,XIAO-HONG GUAN,XIANG-LIANG ZHANG

DOI: https://doi.org/10.1109/ICMLC.2004.1378514

2004-01-01

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework and a hot topic in computer network security in recent years. In this paper, a new efficient intrusion detection method based on hidden Markov models (HMMs) is presented. HMMs are applied to model the normal program behaviors using traces of system calls issued by processes. The output probability of a sequence of system calls is calculated by the normal model built. If the probability of a sequence in a trace is below a certain threshold, the sequence is flagged as a mismatch. If the ratio between the mismatches and all the sequences in a trace exceeds another threshold, the trace is then considered as a possible intrusion. The method is implemented and tested on the sendmail system call data from the University of New Mexico. Experimental results show that the performance of the proposed method in intrusion detection is better than other methods.

Ronny Chevalier,Maugan Villatel,David Plaquin,Guillaume Hiet

DOI: https://doi.org/10.1145/3134600.3134622

2018-03-07

Abstract:Highly privileged software, such as firmware, is an attractive target for attackers. Thus, BIOS vendors use cryptographic signatures to ensure firmware integrity at boot time. Nevertheless, such protection does not prevent an attacker from exploiting vulnerabilities at runtime. To detect such attacks, we propose an event-based behavior monitoring approach that relies on an isolated co-processor. We instrument the code executed on the main CPU to send information about its behavior to the monitor. This information helps to resolve the semantic gap issue. Our approach does not depend on a specific model of the behavior nor on a specific target. We apply this approach to detect attacks targeting the System Management Mode (SMM), a highly privileged x86 execution mode executing firmware code at runtime. We model the behavior of SMM using invariants of its control-flow and relevant CPU registers (CR3 and SMBASE). We instrument two open-source firmware implementations: EDK II and coreboot. We evaluate the ability of our approach to detect state-of-the-art attacks and its runtime execution overhead by simulating an x86 system coupled with an ARM Cortex A5 co-processor. The results show that our solution detects intrusions from the state of the art, without any false positives, while remaining acceptable in terms of performance overhead in the context of the SMM (i.e., less than the 150 $\mu$s threshold defined by Intel).

Cryptography and Security

Chao Ning,Maoyin Chen,Donghua Zhou

DOI: https://doi.org/10.1021/ie5002394

2014-01-01

Industrial & Engineering Chemistry Research

Abstract:Multiple operating modes pose a challenge for process monitoring in industry. Although many monitoring approaches have achieved quite success, most of them neglected the dependency of sampled data and only dealt with samples in a separate fashion. This paper proposes a sequential framework for multimode process monitoring with hidden Markov model-based statistics pattern analysis (HMM-SPA). To begin with, a hidden Markov model is trained on the basis of the historical data. Statistics pattern analysis mixture models (SPAMM) are constructed to characterize the distinctive statistical pattern of each operating mode. Then, during online monitoring period, the mode vector is obtained using the Viterbi algorithm, and the differential mode vector is calculated. At last, the proposed method switches to an appropriate monitoring index automatically, according to the norm of the differential mode vector. The effectiveness of the proposed method is demonstrated by a numerical simulation, a continuous stirred tank heater (CSTH) process, and the Tennessee Eastman process.

Fan Wang,Shuai Tan,Yong Yang,Hongbo Shi

DOI: https://doi.org/10.1021/acs.iecr.5b04777

2016-01-01

Industrial & Engineering Chemistry Research

Abstract:Many industrial processes possess multiple operational modes and transitions because of various production factors, which pose a challenge to conventional fault detection methods. In this article, a novel fault detection scheme based on a hidden Markov model (HMM) is presented for multimode processes with transitions. To begin with, measurement data of stable modes and transitional modes are separated. Then, hidden state probability integration strategy is developed to combine local monitoring results into two global indices in a probabilistic manner. These two indications work together for stable mode process monitoring. Further a new HMM is built for transition process modeling. The Bayesian information criterion (BIC) is responsible for model evaluation. After an appropriate model is acquired, an index named negative log likelihood probability is employed for transition process fault detection. In the end, a numerical simulation example and the Tennessee Eastman chemical process is utilized to show that our proposed approach is effective.

Xiaobin Tan,Hongsheng Xi

DOI: https://doi.org/10.1016/j.amc.2008.05.028

IF: 4.397

2008-01-01

Applied Mathematics and Computation

Abstract:In this paper, hidden semi-Markov model (HSMM) is introduced into intrusion detection. Hidden Markov model (HMM) has been applied in intrusion detection systems several years, but it has a major weakness: the inherent duration probability density of a state in HMM is exponential, which may be inappropriate for the modeling of audit data of computer systems. We can handle this problem well by developing an HSMM for perfect normal processes of computer systems. Based on this HSMM, an algorithm of anomaly detection is presented in this paper, which computes the distance between the processes monitored by intrusion detection system and the perfect normal processes. In this algorithm, we use the average information entropy (AIE) of fixed-length observed sequence as the anomaly detection metric based on maximum entropy principle (MEP). To improve accuracy, the segmental K-means algorithm is applied as training algorithm for the HSMM. By comparing the accurate rate with the experimental results of previous research, it shows that our method can perform a more accurate detection.

Fan Wang,Shuai Tan,Hongbo Shi

DOI: https://doi.org/10.1016/j.chemolab.2015.08.025

IF: 4.175

2015-01-01

Chemometrics and Intelligent Laboratory Systems

Abstract:Many industrial processes have multiple operating modes due to various factors, such as alterations of feedstock and compositions, different manufacturing strategies, fluctuations in the external environment, and various product specifications. There are just a few literatures concerning hidden Markov model in multimode process monitoring. And HMM has not been explored to deal with transitional modes. Besides, those monitoring methods fail to take advantage of internal elements of HMM. In this article, a novel monitoring scheme based on hidden Markov mode (HMM) is proposed for multimode process with transitions. To begin with, a hidden Markov model is trained on the basis of the measurement data. Then a probability ratio strategy based on HMM is developed to identify stable modes and transitional modes. Further, the Viterbi algorithm classifies samples into various modes and a new monitoring indication is built based on the elements of HMM in each mode for fault detection. At last, the effectiveness of the proposed method is demonstrated through a numerical simulation and the Tennessee Eastman process.

Brian Delgado,Karen L. Karavanic

DOI: https://doi.org/10.48550/arXiv.1805.03755

2018-05-09

Cryptography and Security

Abstract:Runtime integrity measurements identify unexpected changes in operating systems and hypervisors during operation, enabling early detection of persistent threats. System Management Mode, a privileged x86 CPU mode, has the potential to effectively perform such rootkit detection. Previously proposed SMM-based approaches demonstrated effective detection capabilities, but at a cost of performance degradation and software side effects. In this paper we introduce our solution to these problems, an SMM-based Extensible, Performance Aware Runtime Integrity Measurement Mechanism called EPA-RIMM. The EPA-RIMM architecture features a performance-sensitive design that decomposes large integrity measurements and schedules them to control perturbation and side effects. EPA-RIMM's decomposition of long-running measurements into shorter tasks, extensibility, and use of SMM complicates the efforts of malicious code to detect or avoid the integrity measurements. Using a Minnowboard-based prototype, we demonstrate its detection capabilities and performance impacts. Early results are promising, and suggest that EPA-RIMM will meet production-level performance constraints while continuously monitoring key OS and hypervisor data structures for signs of attack.

Cheng JIA,Yuezhi ZHOU

DOI: https://doi.org/10.3969/j.issn.1000-3428.2017.09.032

2017-01-01

Abstract:This paper researches the existing implementation methods and detection techniques of hidden processes,and proposes a method of getting process information by retrieving memory.The relationship between process structure and handle structure can be used as a memory retrieval flag to retrieve memory.This method avoids the problem of existing memory retrieval methods that the destroyed retrieval flag can lead to failure of detecting hidden process.This paper designs and implements a hidden process detection system by using cross-view matching technology.Experimental results show that the detection system can realize functions to detect and distinguish hidden processes.

Wu Bing,Yun Xiaochun

2012-01-01

Abstract:We present the dynamic information security theory model: P2DR to deal with malware epidemics. The model includes the following stages: detection of a malware epidemic by detection system, establishment of countermeasure strategy in strategy coordination center, activation of protection and response system, defense system activation for real-time protection and response. The process is a periodic one in which the strategy is adjusted dynamically. In the model we propose, the detection system is considered to be the key component. Based on our analysis of traditional IDS architecture, we think that it is not suitable for inspecting high speed network traffic and monitoring multivariant malware epidemics. Therefore, we propose a parallel detection model which can be applied to the backbone network matched with appropriate protocol parsing. Normalized taxonomy is also presented for the detection rules of malware. Five detection rule sets are covered, namely, match rules based on deep content pre-processing, special algorithms, binary level, binary level requiring network information checks, and pure network information. A Virus Detection System is realized based on the framework above.

Radu Marian Portase,Andrei Marius Muntea,Andrei Mermeze,Adrian Colesa,Gheorghe Sebestyen

DOI: https://doi.org/10.3390/s24165118

2024-08-07

Abstract:Behavioral malware detection is based on attributing malicious actions to processes. Malicious processes may try to hide by changing the behavior of other benign processes to achieve their goals. We showcase how Component Object Model (COM) and Windows Management Instrumentation (WMI) can be used to create such spoofing attacks. We discuss the internals of COM and WMI and Asynchronous Local Procedure Call (ALPC). We present multiple functional monitoring techniques to identify the spoofing and discuss the strong and weak points of each technique. We create a robust process monitoring system that can correctly identify the source of malicious actions spoofed via COM, WMI and ALPC with a low performance impact. Finally, we discuss how malicious actors use COM, WMI and ALPC by examining real-world malware detected by our monitoring system.

YongGang Li,ChaoYuan Cui,BingYu Sun,WenBo Li

DOI: https://doi.org/10.3966/160792642018091905011

2018-01-01

Abstract:With the spread of malwares, the security of virtual machine (VM) is suffering severe challenges recent years. Rootkits and their variants can hide themselves and other kernel objects such as processes, files, and modules making malicious activity hard to be detected. The existed solutions are either coarse-grained, monitoring at virtual machine level, or non-universal, only supporting specific operating system with specific modification. In this paper, we propose a fine-grained approach called HODetector based on static semantic information library (SSIL) to detect the hidden objects outside VM. We have deployed HODetector prototype on Xen virtualization platform and used it to detect the processes, files, and modules hidden by rootkits. The experiment results show that HODetector is effective for different rootkits and general for Linux operating system with various kernels.

曹继邦,吴庆涛,郑瑞娟,张聚伟

DOI: https://doi.org/10.1049/cp.2012.1290

2012-01-01

Abstract:Aiming at the defect of passive detection mechanism in traditional intrusion detection systems, a proactive intrusion detection model with autonomic characteristic is proposed in this paper. This model is based on autonomic manager and integrates multi-attribute Auction Mechanism into Agent coordination layer for perceiving the changing of the systems environment, adapting configuration management. Experimental results show that given an appropriate setting, the model can enhance the system~ s self-adaptive performance and obtain higher detection accuracy