书目名称 | Information and Communications Security | 副标题 | 21st International C | 编辑 | Jianying Zhou,Xiapu Luo,Zhen Xu | 视频video | | 丛书名称 | Lecture Notes in Computer Science | 图书封面 |  | 描述 | .This book constitutes the refereed proceedings of the 21th International Conference on Information and Communications Security, ICICS 2019, held in Beijing, China, in December 2019. The 47 revised full papers were carefully selected from 199 submissions. The papers are organized in topics on malware analysis and detection, IoT and CPS security enterprise network security, software security, system security, authentication, applied cryptograph internet security, machine learning security, machine learning privacy, Web security, steganography and steganalysis.. | 出版日期 | Conference proceedings 2020 | 关键词 | artificial intelligence; authentication; communication systems; computer crime; computer networks; comput | 版次 | 1 | doi | https://doi.org/10.1007/978-3-030-41579-2 | isbn_softcover | 978-3-030-41578-5 | isbn_ebook | 978-3-030-41579-2Series ISSN 0302-9743 Series E-ISSN 1611-3349 | issn_series | 0302-9743 | copyright | Springer Nature Switzerland AG 2020 |
1 |
Front Matter |
|
|
Abstract
|
2 |
|
|
|
Abstract
|
3 |
Prototype-Based Malware Traffic Classification with Novelty Detection |
Lixin Zhao,Lijun Cai,Aimin Yu,Zhen Xu,Dan Meng |
|
Abstract
Automated malware classification using deep learning techniques has been widely researched in recent years. However, existing studies addressing this problem are always based on the assumption of closed world, where all the categories are known and fixed. Thus, they lack robustness and do not have the ability to recognize novel malware instances. In this paper, we propose a prototype-based approach to perform robust malware traffic classification with novel class detection. We design a new objective function where a distance based cross entropy (DCE) loss term and a metric regularization (MR) term are included. The DCE term ensures the discrimination of different classes, and the MR term improves the within-class compactness and expands the between-class separateness in the deeply learned feature space, which enables the robustness of novel class detection. Extensive experiments have been conducted on datasets with real malware traffic. The experimental results demonstrate that our proposed approach outperforms the existing methods and achieves state-of-the-art results.
|
4 |
Evading API Call Sequence Based Malware Classifiers |
Fenil Fadadu,Anand Handa,Nitesh Kumar,Sandeep Kumar Shukla |
|
Abstract
In this paper, we present a mimicry attack to transform malware binary, which can evade detection by API call sequence based malware classifiers. While original malware was detectable by malware classifiers, transformed malware, when run, with modified API call sequence without compromising the payload of the original, is effectively able to avoid detection. Our model is effective against a large set of malware classifiers which includes linear models such as Random Forest (RF), Decision Tree (DT) and XGBoost classifiers and fully connected NNs, CNNs and RNNs and its variants. Our implementation is easy to use (i.e., a malware transformation only requires running a couple of commands) and generic (i.e., works for any malware without requiring malware specific changes). We also show that adversarial retraining can make malware classifiers robust against such evasion attacks.
|
5 |
UBER: Combating Sandbox Evasion via User Behavior Emulators |
Pengbin Feng,Jianhua Sun,Songsong Liu,Kun Sun |
|
Abstract
Sandbox-enabled dynamic malware analysis has been widely used by cyber security teams to handle the threat of malware. Correspondingly, malware authors have developed various anti-sandbox techniques to evade the analysis. Most of those evasion techniques are well studied and can be defeated with appropriate mitigation strategies. However, one particular technique is usually overlooked and can be extremely effective in defeating sandbox-based malware analysis, i.e., usage artifacts analysis. This technique leverages a variety of system artifacts that are expected to exist in a real system as a result of typical user activities for sandbox environment identification. To tackle this drawback of lacking authentic system artifacts in existing sandbox designs, in this paper we propose a novel system UBER for automatic artifact generation based on the emulation of real user behavior. Instead of cloning real usage artifacts or directly simulating user behaviors, UBER generalizes the user’s computer usage pattern with an abstract behavior profile, employs the profile to guide the simulation of user actions and the generation of artifacts, and then clones the system with generated artifacts
|
6 |
|
|
|
Abstract
|
7 |
: A Noise-Robust Anomaly Detection Framework for Industrial Control Systems |
Maged Abdelaty,Roberto Doriguzzi-Corin,Domenico Siracusa |
|
Abstract
Deep Neural Networks are emerging as effective techniques to detect sophisticated cyber-attacks targeting Industrial Control Systems (ICSs). In general, these techniques focus on learning a “normal” behavior of the system, to be then able to label noteworthy deviations from it as anomalies. However, during operations, ICSs inevitably and continuously evolve their behavior, due to e.g., replacement of devices, workflow modifications, or other reasons. As a consequence, the quality of the anomaly detection process may be dramatically affected with a considerable amount of false alarms being generated. This paper presents . (Adaptive Anomaly Detection in industrial control Systems), a novel framework based on neural networks and greedy-algorithms that tailors the learning-based anomaly detection process to the changing nature of ICSs. . efficiently adapts a pre-trained model to learn new changes in the system behavior with a small number of data samples (i.e., time steps) and a few gradient updates. The performance of . is evaluated using the Secure Water Treatment (SWaT) dataset, and its sensitivity to additive noise is investigated. Our results show an increased detection rate compa
|
8 |
Characterizing Internet-Scale ICS Automated Attacks Through Long-Term Honeypot Data |
Jianzhou You,Shichao Lv,Yichen Hao,Xuan Feng,Ming Zhou,Limin Sun |
|
Abstract
Industrial control system (ICS) devices with IP addresses are accessible on the Internet and become an essential part of critical infrastructures. The adoption of ICS devices also yields cyber-attacks targeted specific port based on proprietary industrial protocols. However, there is a lack of comprehensive understanding of these ICS threats in cyberspace. To this end, this paper uniquely exploits active interaction on ICS-related ports and analysis of long-term multi-port traffic in a first attempt ever to capture and comprehend ICS automated attacks based on private protocols. Specially, we first propose a minimal-interaction scheme for ICS honeypot(MirrorPot), which can listen on any port and respond automatically without understanding the protocol format. Then, we devise a preprocessing algorithm to extract requests payload and classify them from long-term honeypot-captured data. Finally, to better characterize the ICS attacks based on private industrial protocols, we propose a Markov state transition model for describing their attack complexity. Our experiments show that there are several unknown probing methods have not been observed by previous works. We concur that our work
|
9 |
Cloning Vulnerability Detection in Driver Layer of IoT Devices |
WeiPeng Jiang,Bin Wu,Zhou Jiang,ShaoBo Yang |
|
Abstract
With the spread of the Internet of Things (IoT), the IoT operating systems have correspondingly increased and brought more potential security risks. For instance, it is not hard to find that many driver layer codes in IoT operating systems could come directly from open source projects, where the vulnerabilities would also be propagated. These vulnerabilities could leak sensitive information and even lead to arbitrary code execution. However, existing clone detecting tools have limitations, especially for clones with minor modifications. In this paper, we propose a method that can detect not only exact clones, but also clones with additions, deletions, and partial modifications. The proposed method uses code patches and program slicing to get precisely fingerprint of the restructured clones. Then the fingerprint matching is achieved through a greedy-based optimization algorithm. Afterwards, the detecting tool called RCVD is implemented based on the proposed method. Finally, the experimental results indicate that the method has a significant effect on detecting restructured cloning vulnerabilities. By this means, the Orange Pi and WisCam have been detected dozens of clone-caused vuln
|
10 |
Impact of Multiple Reflections on Secrecy Capacity of Indoor VLC System |
Jian Chen,Tao Shu |
|
Abstract
While visible light communication (VLC) is expected to have a wide range of applications in the near future, the security vulnerabilities of this technology have not been well understood so far. In particular, due to the extremely short wavelength of visible light, the VLC channel presents several unique characteristics than its radio frequency counterparts, which impose new features on the VLC security. Taking a physical-layer security perspective, this paper studies the intrinsic secrecy capacity of VLC as induced by its special channel characteristics. Different from existing models that only consider the specular reflection in the VLC channel, a modified Monte Carlo ray tracing model is proposed to account for both the specular and the diffusive reflections, which is unique to VLC. Based on this model the upper and the lower bounds of the VLC secrecy capacity are derived, which allow us to evaluate the VLC communication confidentiality against a comprehensive set of factors, including the locations of the transmitter, receiver, and eavesdropper, the VLC channel bandwidth, the ratio between the specular and diffusive reflections, and the reflection coefficient. Our results revea
|
11 |
Road Context-Aware Intrusion Detection System for Autonomous Cars |
Jingxuan Jiang,Chundong Wang,Sudipta Chattopadhyay,Wei Zhang |
|
Abstract
Security is of primary importance to vehicles. The viability of performing remote intrusions to the in-vehicle network has been manifested. For unmanned autonomous cars, limited work has been done to detect such intrusions, while existing intrusion detection systems (IDSs) embrace limitations against strong adversaries. We hence consider the very nature of autonomous car and leverage the . to design a novel IDS, named .oad context-.ware . (RAIDS). Given an autonomous car driving along continuous roads, road contexts and genuine frames transmitted on the car’s in-vehicle network should resemble a regular and intelligible pattern. RAIDS employs a lightweight machine learning model to extract road contexts from sensory information (e.g., camera images and sensor values) used to control the car. With the road context, RAIDS validates corresponding frames observed on the in-vehicle network. Anomalous frames that substantially deviate from road context will be discerned as intrusions. We have built a prototype of RAIDS with neural networks, and done experiments on a Raspberry Pi with extensive datasets and meaningful intrusion cases. Evaluations show that RAIDS significantly outperforms
|
12 |
|
|
|
Abstract
|
13 |
Automated Cyber Threat Intelligence Reports Classification for Early Warning of Cyber Attacks in Nex |
Wenzhuo Yang,Kwok-Yan Lam |
|
Abstract
Serving as a facility to collect and analyze security data, monitor anomaly activities, Security Operation Center (SOC) provides defense measures to protect the enterprise and government system from malicious intrusion. As the cyber attacks are increasingly sophisticated and harmful, it becomes a global trend to share cyber threat intelligence (CTI) between SOCs and other security departments. Security analysts can get a comprehensive understanding of diverse cyber attacks’ features and make early warning and quick response for potential attacks by CTI analysis. More CTI reports generation and frequent CTI sharing cause an urgent need for much higher analysis efficiency capacity that traditional SOC does not have. Facing the big data challenge and limited professional security analysts resources, next generation SOC (NG-SOC) should emphasize greatly on processing security data like CTI reports automatically and efficiently through data mining and machine learning techniques. This paper presents a practical and efficient approach for gathering the large quantities of CTI sources into high-quality data and enhancing the CTI analysis ability of NG-SOC. Specifically, we first propose a
|
14 |
HeteroUI: A Framework Based on Heterogeneous Information Network Embedding for User Identification i |
Meng Li,Lijun Cai,Aimin Yu,Haibo Yu,Dan Meng |
|
Abstract
User identification process is an important security guard towards discovering insider threat and preventing unauthorized access in enterprise networks. However, most existing user identification approaches based on behavior analysis fail to capture latent correlations between multi-domain behavior records due to the lack of a panoramic view or the disability of dealing with heterogeneous data. In light of this, this paper presents HeteroUI, a framework based on heterogeneous information network embedding for user identification in enterprise networks. In our model, multi-domain heterogeneous behavior records are first transformed into a heterogeneous information network, then the embeddings of entities will be trained iteratively according to a joint objective combining with local and global components for more accurate user identification. Experimental results on the CERT insider threat dataset r4.2 demonstrate that HeteroUI exhibits excellent performance in discovering user identities with the mean average precision reaching over 98%. Besides, HeteroUI has a certain contribution to inferring potential insiders in a multi-user and multi-domain environment.
|
15 |
CTLMD: Continuous-Temporal Lateral Movement Detection Using Graph Embedding |
Suya Zhao,Renzheng Wei,Lijun Cai,Aimin Yu,Dan Meng |
|
Abstract
Lateral movement technology is widely used in complex network attacks, especially in advanced persistent threats (APT). In order to evade the detection of security tools, attackers usually use the legal credentials retained on the compromised hosts to move laterally between computers across the enterprise intranet for searching valuable information. However, attackers cannot acquire the information about the normal action patterns of intranet users. So even the savviest attacker will “blindly move” in the intranet, making his lateral movement usually different from the typical users’ behavior. In order to identify this potential malicious lateral movement, we proposes a Continuous-Temporal Lateral Movement Detection framework .. The remote and local authentication events are represented as a . and a . respectively. We extract normal lateral movement paths with time constraints while abnormal lateral movement paths are generated based on several attack scenarios. Finally, we define multiple path features using graph embedding methods to complete the follow-up classification task. We evaluate our framework by using injected attack data in real enterprise network dataset (LANL). Our e
|
16 |
|
|
|
Abstract
|
17 |
VulHunter: An Automated Vulnerability Detection System Based on Deep Learning and Bytecode |
Ning Guo,Xiaoyong Li,Hui Yin,Yali Gao |
|
Abstract
The automatic detection of software vulnerability is undoubtedly an important research problem. However, existing solutions heavily rely on human experts to extract features and many security vulnerabilities may be missed (i.e., high false negative rate). In this paper, we propose a deep learning and bytecode based vulnerability detection system called .nerability . (VulHunter) to relieve human experts from the tedious and subjective task of manually defining features. To the best of knowledge, we are the first to leverage bytecode features to represent vulnerabilities. VulHunter uses the bytecode, which is the intermediate representation output by the source code, as input to the neural networks and then calculate the similarity between the target program and vulnerability templates to determine whether it is vulnerable. We detect SQL injection and Cross Site Scripting (XSS) vulnerabilities in PHP software to evaluate the effectiveness of VulHunter. Experimental results show that VulHunter achieves more than 88% (SQL injection) and 95% (XSS) F1-measure when detecting a single type of vulnerability, as well as more than 90% F1-measure when detecting mixed types of vulnerabilities.
|
18 |
Deep Learning-Based Vulnerable Function Detection: A Benchmark |
Guanjun Lin,Wei Xiao,Jun Zhang,Yang Xiang |
|
Abstract
The application of Deep Learning (DL) technique for code analysis enables the rich and latent patterns within software code to be revealed, facilitating various downstream tasks such as the software defect and vulnerability detection. Many DL architectures have been applied for identifying vulnerable code segments in recent literature. However, the proposed studies were evaluated on self-constructed/-collected datasets. There is a lack of unified performance criteria, acting as a baseline for measuring the effectiveness of the proposed DL-based approaches. This paper proposes a benchmarking framework for building and testing DL-based vulnerability detectors, providing six built-in mainstream neural network models with three embedding solutions available for selection. The framework also offers easy-to-use APIs for integration of new network models and embedding methods. In addition, we constructed a real-world vulnerability ground truth dataset containing manually labelled 1,471 vulnerable functions and 1,320 vulnerable files from nine open-source software projects. With the proposed framework and the ground truth dataset, researchers can conveniently establish a vulnerability dete
|
19 |
Automatic Demirci-Selçuk Meet-in-the-Middle Attack on SKINNY with Key-Bridging |
Qiu Chen,Danping Shi,Siwei Sun,Lei Hu |
|
Abstract
Demirci-Selçuk meet-in-the-middle (.-.) attack is an effective and generic method for analyzing iterative block ciphers. It reaches the best results on attacking AES in the single-key model. In ASIACRYPT 2018, a tool for finding .-. attack automatically based on general constraint programming was put forward, which can not only enumerate .-. distinguishers, but also partly automate the key-recovery process. However, the constraint programming models generated by this tool do not consider the key-bridging technique, which has been shown to be effective in reducing the complexities of many cryptanalytic attacks. In this work, we build a general constraint model for SKINNY-128–384 (the same target as the ASIACRYPT 2018 paper) integrated with the key-bridging technique. As a result, the time complexity of the key-recovery attack on SKINNY-128–384 is significantly reduced from . to ..
|
20 |
|
|
|
Abstract
|
|
|