Zhenyu Cheng,Xunxun Chen,Yongzheng Zhang,Shuhao Li,Jian Xu

DOI: https://doi.org/10.1109/trustcom/bigdatase.2019.00039

2019-01-01

Abstract:The emergence of information theft apps poses a serious threat to smartphone users. Most of information theft apps rely on network interfaces to steal users' privacy and use short message service (SMS) to implement command and control. In this paper, we propose an available and effective user-role identification model, MURITE-detector (Mobile User-Role in Information Theft Events detector), by using network flows and call detail records (CDRs) with convolutional neural network (CNN) algorithm. Firstly, we generate network flow vectors and CDR vectors from raw data sets, and then match them into node vectors. Subsequently, we use CNN to classify user-roles into: Sourcer, Transferer, Victim and Other. Because of command-and-control server invalidation and system version incompatibility, etc., most of the collected information theft apps can't run properly in reality. So we extract code modules from some of these apps, and then recode and compile them into ITM-capsule (Information Theft Modules capsule) to generate information theft network traffic. Finally, we obtain 37,384 information theft network flows, 61,635 benign network flows and 200,522 short message CDRs. We match these data through labels and construct two node vector sets A and B randomly. In addition, we also compare CNN with other machine learning algorithms, and the result shows that CNN performs better. In an evaluation of MURITE-detector, it gets an accuracy of 92.17%, a precision of 93.18% and a recall of 94.68%. Therefore, our model is suitable for identifying user-role in mobile network information theft events.

Zhenyu Cheng,Xunxun Chen,Yongzheng Zhang,Shuhao Li,Yafei Sang

DOI: https://doi.org/10.1109/nas.2017.8026853

2017-01-01

Abstract:With the widespread use of smartphones, more and more malicious attacks happen with information leakage from apps installed on users' devices. The adversary always uses a malware as the client to take remote control of smartphones, and leverages the vulnerability of operation systems to send back the collected information without users' permissions. All the information has to be transferred by network traffic. In this paper, we consider that different apps maybe generate different network flows by different operations, and the "shapes" of the benign flows and malicious ones will be diverse. Thus we propose a detection model based on the analysis of relationships between behavior patterns and network flows, which achieves our goal by using the Random Forest machine learning algorithm to classify the network flows into benign or malicious. To further improve the controllability of the experiment, we design an app called Moledroid to simulate malwares by uploading the user's privacy without authorization, in addition, we can change the behavior pattern of the app to complete our evaluation. Finally, we run this app and several benign apps to generate traffic to detect the malicious network flows, and it shows that our detection model can achieve precision and accuracy higher than 95%, which demonstrates that our model is suitable for detecting the network flows of information theft.

Zhenyu Cheng,Xunxun Chen,Yongzheng Zhang,Shuhao Li,Jian Xu

DOI: https://doi.org/10.1007/978-3-030-12981-1_23

2018-01-01

Abstract:Nowadays people save a lot of privacy information in mobile devices. These information can be theft by adversaries through suspicious apps installed in smartphones, and protecting users’ privacy has become a great challenge. So developing a method to identify if there are apps thieving users’ personal information in smartphones is important and necessary. Through the analysis of apps’ network traffic data, we observe that general apps generate regular network flows with the users’ normal operations. But information theft apps’ network flows have no relationship with users’ operations. In this paper we propose a model MUI-defender (Mobile Users’ Information defender), which is based on analyzing the relationship between users’ operation patterns and network flows with CNN (Convolutional Neural Network), can efficiently detect information theft. Because of Cu0026C (Command-and-Control) server invalidation [33] and system version incompatibility [25], etc., most of the collected information theft apps can’t run properly in reality. So we extract information theft code modules from some of these apps, and then recode and compile them into the ITM-capsule (Information Theft Modules capsule) for verification. Finally, we run the ITM-capsule and several normal apps to detect the network flows, which shows our detection model can achieve an accuracy higher than 94%. Therefore, MUI-defender is suitable for detecting the network flows of information theft.

Hangyu Hu,Xuemeng Zhai,Mingda Wang,Guangmin Hu

DOI: https://doi.org/10.1007/978-3-030-24268-8_7

2019-01-01

Abstract:With the continuous development and wide application of various network technologies, such as the mobile, wireless and sensors network, network services are becoming more and more high-speed, diversified and complex. Also, network attacks and infrequent events have emerged, making the promotion of network anomaly detection more and more significant. In order to control and manage the networks and establish a credible network environment, it is critical to facilitate an accurate behavioral characteristic analysis for networks, proactively identify abnormal events associated with network behavior, and improve the capacity of responding to abnormal events. In this paper, we use Network Connection Graphs (NCGs) to model flow activities during network operation. After we construct a NCG in a time-bin, then we can extract graph metric features for quantitative or semi-quantitative analysis of flow activities. And we also could build a series of NCGs to describe the evolution process of network operation. During these NCGs, we have conducted dynamic analysis to find out the outlier points of graph metric features by using Z-score analysis method so that we can detect the hidden abnormal events. The experiment results based on real network traces have demonstrated that the effectiveness of our method in network flow behavior analysis and abnormal event identification.

Ke Li,Hong Li,Hongsong Zhu,Limin Sun,Hui Wen

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958775

2019-01-01

Abstract:Instant Messaging has been widely applied for both corporate use and personal use in recent years. Major Instant Messaging service providers adopt the Push Technology to ensure the immediacy of message forwarding, which efficiently provides a great convenience for user. However, the immediacy feature causes side-channel information leakage even if some protection measures has been implemented, such as information encryption strategy. In particular, we observe that senders' traffic flows have a strong temporal correlation with those of corresponding recipients, since the messages are forwarded to recipients as soon as they are received by servers. Based on the observation, attackers can infer real-time communications between pairwise users and even the social connections of users. In this paper, we present a methodology framework to validate this side-channel information leakage, which identifies users of real-time communications by matching the pairwise time sequences of traffic flows. We evaluate the method on the collected real-world data. The experimental results show that users' communications can be identified with a high accuracy, and 6 groups of users are inferred to have strong connections based on the data collected from a local area networks.

Cheng Mian,Tang Yong,Su Jinshu,Chen Shuhui

DOI: https://doi.org/10.3969/j.issn.1009-6833.2012.09.006

2012-01-01

Abstract:In order to satisfy the requirements of data distribution based on user before parallel processing in intrusion detection system.A new approach of data distribution based on user terminal IP was proposed,which incorporated the three steps: estimated the messages forward or reverse status,and then identified terminal IP address in the user data,finally distributed the user data according to user terminal IP.The experimental results show that this data distribution method can satisfy the requirements of load balancing and data integrity.So all packets belongs to the same user will diverted to the same intrusion detection system accurately and completely.

Guanghan Duan,Hongwu Lv,Huiqiang Wang,Guangsheng Feng,Xiaoli Li

DOI: https://doi.org/10.1109/tifs.2024.3385321

IF: 7.231

2024-05-10

IEEE Transactions on Information Forensics and Security

Abstract:Deep learning (DL) greatly enhances cyber anomaly detection capabilities through effective statistical network characteristic. However, previous methods have not fully addressed two real-world scenario-driven challenges. 1) Frequent node access and disconnection sourced from free-bounded 5G/B5G cyberspace introduce unfamiliar communication behavior patterns, reducing the detection ability of the pre-trained DL model. 2) Low-frequency or sporadic communication behaviors lack stable patterns, posing a challenge for existing AI-driven models, including DL-based detection methods. To address these issues, we propose a cyber anomaly detection framework based on Continuous Temporal Graph (CTG) neural network from a new interaction-centered perspective. The proposed framework refines the concrete information interaction between network entities into the CTG evolution process, thereby naturally incorporating new node access behaviors into feature extraction on CTG neural network. We furthermore present a message aggregation scheme on CTG with fusion of spatio-temporal neighborhood, the actual time distribution and the historical state, thus transforming communication into a more stable pattern for the learning of low-frequency interactions. Extensive experiments on 4 novel datasets, including ToN-IoT, UNSWNB15, CIC-Dark2020, J.P. Morgan payment, demonstrate that our approach outperforms state-of-the-art methods, particularly in detecting new access and low-frequency behaviors.

computer science, theory & methods,engineering, electrical & electronic

Kai Xing,Xiuzhen Cheng

DOI: https://doi.org/10.1109/infcom.2010.5461977

2010-01-01

Abstract:A common vulnerability of wireless networks, in particular, the mobile ad hoc network (MANET), is their susceptibility to node compromise/physical capture attacks since the wireless devices are often not protected by tamper-resistant hardware due to small form factors and low cost, and can be easily stolen/lost or temporarily controlled by unauthorized entities due to their harsh working environments. A serious consequence of the device capture attack is the node replication attacks in which adversaries deploy a large number of replicas of the compromised/captured nodes throughout the network. Replicated nodes have all legitimate security credentials and therefore can launch various insider attacks or even take over the network easily. They are indeed ``attack multipliers'' and therefore are extremely destructive to the network. Detecting replication attacks is a nontrivial problem in MANETs due to the challenges resulted from node mobility, cloned/compromised node collusion, and the large number and wide spread of the replicas. Existing approaches either fail in mobile environments due to the limitations caused by local views or their dependence on invariant claims such as location and neighbor list, or are constrained by the number, distribution, and colluding activities of the replicas. In this paper, we propose two replication detection schemes (TDD and SDD) to tackle all these challenges from both the time domain and the space domain. Our theoretical analysis indicates that TDD and SDD provide high detection accuracy and excellent resilience against smart and colluding replicas, have no restriction on the number and distribution of replicas, and incur low communication/computation overhead. To our best knowledge, TDD and SDD are the only approaches that support mobile networks while place no restrictions on the number and distribution of the cloned frauds and on whether the replicas collude or not.

Qing Shi,Minyu Feng,Xinyu Li,Shiyuan Wang,Feng Chen

DOI: https://doi.org/10.1109/tcsi.2020.2997677

2020-01-01

Abstract:Recently there were research works on multi-task estimation. However, there exists an issue that nodes may suffer from malicious attacks when sending data in the adversarial multi-task network environment. To address this issue, we propose a secure distributed information sharing algorithm based on attack detection. In our work, via determining an adaptive threshold, a distributed detection algorithm based on the correlation between tasks and a safe multi-task diffusion least mean square (SM-DLMS) algorithm are proposed, which not only reduce communication costs but also effectively decrease the impact of attacks. We also theoretically analyze the stability performance of the proposed SM-DLMS algorithm. Meanwhile, the robustness and effectiveness of the proposed algorithm under network-attacks are illustrated through numerical simulations.

Gaoxiang Li,Yuzhong Ye,Yangfei Shi,Jinlin Chen,Dexing Chen,Anyang Li

DOI: https://doi.org/10.1007/978-981-16-9229-1_10

2022-01-01

Abstract:Abstract With the increasing of the telecom network fraud in China, SMS (Short Message Service) has became an important channel exploited by the criminals to contact victims. Due to the tiny amount compared with normal SMS, the high proportion of malicious adversarial characters, and the lack of knowledge to specific fraud types, it is still challenging to identify the fraud SMS efficiently. In this paper, we firstly conduct a measurement study to explore the characteristics of the fraud SMS. Based on the exploration, we propose a two-stage algorithm called TFC. TFC can quickly filter out normal SMS in the first stage with two indicator functions, and then easily identifies the category of fraud SMS in the second stage by combining the semantic deep features and the domain-knowledge based artificial features. We conduct two real-world SMS datasets for extensive experiments, and the results show that TFC successfully reduces calculation cost and achieves better performance in distinguishing various categories of fraud SMS.

Likun Liu,Jiantao Shi,Hongli Zhang,Xiangzhan Yu

DOI: https://doi.org/10.1109/globecom38437.2019.9013952

2019-01-01

Abstract:In order to protect intranet security, the enterprises or organizations usually deploy one or multiple NIDS at ingress points. Each works independently and monitors the complete TCP flow. That said, a malicious signature to be detected can only be obtained from a TCP flow. Drawing on the feature, an attacker can split malicious signature into multiple substrings and transfer them in different flows to evade detection, which is named multi-path routing attack. In particular, the emerging new technology Multi-Path TCP (MPTCP) offers a hotbed for such attacks. To monitor multi-path routing attacks, this literature proposed a distributed asynchronous NIDS detection model (DANDM) which consists of three algorithms. In this model, each NIDS scans its own received data packets independently and the adjacent contents between two data packets with consecutive sequence numbers. For the latter, all NIDS scans cooperatively through broadcast state information. To demonstrate the validity of our model, we take attack density and number of segmented signatures as parameters to compare with Ma's algorithm. The results show that the performance of our DANDM is significantly better than that of Ma's, especially in the case of large number of segmented signatures.

Yiguo Pu,Xiaojun Chen,Xu Cui,Jinqiao Shi,Li Guo,Cheng Qi

DOI: https://doi.org/10.1016/j.procs.2013.05.106

2013-01-01

Procedia Computer Science

Abstract:It is well known that data loss caused by data stolen Trojans is huge as it could upload privacy or secret data to hackers who controls it remotely. Most of current security tools monitor Trojans by scanning the signature code that is distinguished from normal software. However, this method can only recognize known Trojan except up-to-date malicious software that has unknown signature code. Some other security tools requiring preinstalled on hosts detects Trojans by program behaviors. This paper proposes a novel medel to detect data stolen Trojans based on their network behaviors. It consists of three detectors: 1) keep-alive detector detects keep-alive packets or connections; 2) master-slave-connection detector tries to find master and slave connections and 3) mistake detector analyses the rate of download vs. upload and connection time for different protocol. The experiments show that this method is efficient in recognizing data stolen Trojans. This protyped system proves the possibility of detection Trojans from network. (C) 2013 The Authors. Published by Elsevier B.V.

Xinxin Hu,Haotian Chen,Hongchang Chen,Shuxin Liu,Xing Li,Shibo Zhang,Yahui Wang,Xiangyang Xue

DOI: https://doi.org/10.48550/arXiv.2303.17486

2023-03-28

Social and Information Networks

Abstract:With the rapid development of mobile networks, the people's social contacts have been considerably facilitated. However, the rise of mobile social network fraud upon those networks, has caused a great deal of distress, in case of depleting personal and social wealth, then potentially doing significant economic harm. To detect fraudulent users, call detail record (CDR) data, which portrays the social behavior of users in mobile networks, has been widely utilized. But the imbalance problem in the aforementioned data, which could severely hinder the effectiveness of fraud detectors based on graph neural networks(GNN), has hardly been addressed in previous work. In this paper, we are going to present a novel Cost-Sensitive Graph Neural Network (CSGNN) by creatively combining cost-sensitive learning and graph neural networks. We conduct extensive experiments on two open-source realworld mobile network fraud datasets. The results show that CSGNN can effectively solve the graph imbalance problem and then achieve better detection performance than the state-of-the-art algorithms. We believe that our research can be applied to solve the graph imbalance problems in other fields. The CSGNN code and datasets are publicly available at https://github.com/xxhu94/CSGNN.

Likun Liu,Hongli Zhang,Xiangzhan Yu,Yi Xin,Muhammad Shafiq,Mengmeng Ge

DOI: https://doi.org/10.1155/2018/9809345

2018-01-01

Wireless Communications and Mobile Computing

Abstract:During the last decade, rapid development of mobile devices and applications has produced a large number of mobile data which hide numerous cyber-attacks. To monitor the mobile data and detect the attacks, NIDS/NIPS plays important role for ISP and enterprise, but now it still faces two challenges, high performance for super large patterns and detection of the latest attacks. High performance is dominated by Deep Packet Inspection (DPI) mechanism, which is the core of security devices. A new TTL attack is just put forward to escape detecting, such that the adversary inserts packet with short TTL to escape from NIDS/NIPS. To address the above-mentioned problems, in this paper, we design a security system to handle the two aspects. For efficient DPI, a new two-step partition of pattern set is demonstrated and discussed, which includes first set-partition and second set-partition. For resisting TTL attacks, we set reasonable TTL threshold and patch TCP protocol stack to detect the attack. Compared with recent produced algorithm, our experiments show better performance and the throughput increased 27% when the number of patterns is 106. Moreover, the success rate of detection is 100%, and while attack intensity increased, the throughput decreased.

Bo-Xiang Wang,Jiann-Liang Chen,Chiao-Lin Yu

DOI: https://doi.org/10.1109/access.2022.3175886

IF: 3.9

2022-05-27

IEEE Access

Abstract:The work develops a network threat detection system, AI@NTDS, that uses the behavioral features of attackers and intelligent techniques. The proposed AI@NTDS system combines data analysis, feature extraction, and feature evaluation to construct a detection model, which supports a more straightforward strategy by which the operating system or its operators can defend against network attacks. The Linux system interaction information of SSH (Secure Shell) and Telnet are obtained from the Cowrie Honeypot and labeled according to Enterprise Tactics of MITRE ATT&CK to ensure dataset credibility. The proposed AI@NTDS system has three levels, depending on the attacker's attacks and the user's risk of damage. Fifty-two features are used to detect the network threat level. The features contain message-based features for all kinds of Linux operating instructions, host-based features for all types of information in the network connection process, and geography-based features are related to the attacker's location. AI-based algorithms LightGBM, Random Forest and the K-NN algorithm are used to verify the identification of the custom features. Finally, the detection model that is trained using the best combination of features is used to predict the test dataset. The accuracy of the proposed AI@NTDS system reaches 99%, 95.66%, and 94.08% with the LightGBM, Random Forest, and K-NN algorithms, respectively. The mutual dependencies of features and network threats are evaluated. Results of a performance analysis reveal that the proposed AI@NTDS system has an accuracy of 99.20% and an F1-score of 99.80%. It is superior to existing detection mechanisms, which it outperforms by 4% and 1% i- accuracy and F1-score, respectively.

computer science, information systems,telecommunications,engineering, electrical & electronic

Kedi Zheng,Qixin Chen,Yi Wang,Chongqing Kang,Qing Xia

DOI: https://doi.org/10.1109/TII.2018.2873814

2024-11-11

Abstract:The two-way flow of information and energy is an important feature of the Energy Internet. Data analytics is a powerful tool in the information flow that aims to solve practical problems using data mining techniques. As the problem of electricity thefts via tampering with smart meters continues to increase, the abnormal behaviors of thefts become more diversified and more difficult to detect. Thus, a data analytics method for detecting various types of electricity thefts is required. However, the existing methods either require a labeled dataset or additional system information which is difficult to obtain in reality or have poor detection accuracy. In this paper, we combine two novel data mining techniques to solve the problem. One technique is the Maximum Information Coefficient (MIC), which can find the correlations between the non-technical loss (NTL) and a certain electricity behavior of the consumer. MIC can be used to precisely detect thefts that appear normal in shapes. The other technique is the clustering technique by fast search and find of density peaks (CFSFDP). CFSFDP finds the abnormal users among thousands of load profiles, making it quite suitable for detecting electricity thefts with arbitrary shapes. Next, a framework for combining the advantages of the two techniques is proposed. Numerical experiments on the Irish smart meter dataset are conducted to show the good performance of the combined method.

Systems and Control,Machine Learning,Signal Processing

Yuwei Yang,Yijie Xun,Yumeng Yan,Jiajia Liu,Ziteng Jin

DOI: https://doi.org/10.1109/iwcmc58020.2023.10182412

2023-01-01

Abstract:The near field communication (NFC), as one of the most widely used radio frequency identification (RFID) technologies, has been applied to intelligent devices to replace the traditional key, bringing convenience to people's lives. While the appearance of NFC keys facilitates users' lifestyles, it also increases the risk of being stolen for intelligent devices. So, it is urgently needed to take action to protect the NFC security of equipment. There are abundant researches on NFC security, which can be divided to protocols authentication and data analysis two main defense methods. However, the way of protocols authentication is limited by the space available and real-time communication of devices. The way of data analysis can not identify the malicious NFC devices from outside. Thus, we propose an intrusion detection system (IDS) based on radio frequency (RF) signals for NFC security, called NFC-IDS. We use the random forests algorithm to select the four most important feature extracted from RF signals and compare random forests, support vector machine (SVM), and k-Nearest Neighbor (k-NN) algorithms to detect intrusions. The experimental results on two real electric motorcycles show that every NFC device has its unique physical signal characteristics, which can be used to detect intrusions with high accuracy and robustness.

Linke Guo,Chi Zhang,Hao Yue,Yuguang Fang

DOI: https://doi.org/10.1109/INFCOM.2013.6567034

2013-01-01

Abstract:Mobile content dissemination is very useful for many mobile applications in delay tolerant networks (DTNs), like instant messaging, file sharing, and advertisement dissemination, etc. Recently, social-based approaches, which attempt to exploit social behaviors of DTN users to forward time-insensitive data, such as family photos and friends' sightseeing video clips, have attracted intensive attentions in designing routing schemes in DTNs. Most social-based schemes leverage users' contact history and social information (e. g., community and friendship) as metrics to improve the dissemination performance. In these schemes, users need to obtain others' social information to determine their dissemination strategy, which apparently compromises others users' privacy. Moreover, the owner of mobile contents may only want to disclose his/her data to a particular group of users rather than revealing it to the public. In this paper, we propose a privacy-preserving social-assisted mobile content dissemination scheme in DTNs. We apply users' verifiable attributes to establish their potential social relationships in terms of identical attributes in a privacy-preserving way. Besides, to provide the confidentiality of mobile contents, our approach enables users to encrypt contents before the dissemination process, and only allows users who have particular attributes to decrypt them. By trace-driven simulations and experiments, we show the security and efficiency of our proposed scheme.

Duhoe Kim,Dongil Shin,Dongkyoo Shin,Yong-Hyun Kim

DOI: https://doi.org/10.1007/s11036-018-1012-4

2018-01-20

Mobile Networks and Applications

Abstract:Recently, the use of smart phones has greatly increased because of the development of cheap high-performance hardware. The biggest threat to a smart phone user is the loss of his/her personal information by an attacker. To protect a user’s information from these threats, an attack detection application for the Android OS is proposed and developed, in which the detection system is comprised of two phases: the mobile detection system pre-phase and post-phase. The pre-phase includes the steps performed before an attack occurs for the comparison and analysis step of the post-phase, and the post-phase includes the steps performed to detect malware using an attack tree with level assignments from the post-phase. Three classes, interception, modification, and system damage, are defined to classify attacks to determine the attacker’s purpose. When an attack occurs, the application can recognize what kind of route the mobile attack goes through by comparing and analyzing the attack tree from the pre-phase and current attack data in the post-phase. Attack trees are used to easily extract attack scenarios and determine when an attack is occurring. We expect that using the proposed application will protect a user’s personal information on a mobile system.

computer science, information systems,telecommunications, hardware & architecture

Chenyang Qiu,Yingsheng Geng,Junrui Lu,Kaida Chen,Shitong Zhu,Ya Su,Guoshun Nan,Can Zhang,Junsong Fu,Qimei Cui,Xiaofeng Tao

DOI: https://doi.org/10.1145/3580305.3599238

2023-07-02

Abstract:Network-based intrusion detection system (NIDS) monitors network traffic for malicious activities, forming the frontline defense against increasing attacks over information infrastructures. Although promising, our quantitative analysis shows that existing methods perform inconsistently in declaring various unknown attacks (e.g., 9% and 35% F1 respectively for two distinct unknown threats for an SVM-based method) or detecting diverse known attacks (e.g., 31% F1 for the Backdoor and 93% F1 for DDoS by a GCN-based state-of-the-art method), and reveals that the underlying cause is entangled distributions of flow features. This motivates us to propose 3D-IDS, a novel method that aims to tackle the above issues through two-step feature disentanglements and a dynamic graph diffusion scheme. Specifically, we first disentangle traffic features by a non-parameterized optimization based on mutual information, automatically differentiating tens and hundreds of complex features of various attacks. Such differentiated features will be fed into a memory model to generate representations, which are further disentangled to highlight the attack-specific features. Finally, we use a novel graph diffusion method that dynamically fuses the network topology for spatial-temporal aggregation in evolving data streams. By doing so, we can effectively identify various attacks in encrypted traffics, including unknown threats and known ones that are not easily detected. Experiments show the superiority of our 3D-IDS. We also demonstrate that our two-step feature disentanglements benefit the explainability of NIDS.

Cryptography and Security,Artificial Intelligence,Machine Learning,Social and Information Networks