15 articles found
1. SPR: Malicious traffic detection model for CTCS-3 in railways
Authors: Siyang Zhou, Wenjiang Ji, Xinhong Hei, Zhongwei Chang, Yuan Qiu, Lei Zhu, Xin Wang. Source: High-Speed Railway, 2025, No. 2, pp. 105-115 (11 pages)
The increasingly complex and interconnected train control information network is vulnerable to a variety of malicious traffic attacks, and the existing malicious traffic detection methods mainly rely on machine learning, such as poor robustness, weak generalization, and a lack of ability to learn common features. Therefore, this paper proposes a malicious traffic identification method based on stacked sparse denoising autoencoders combined with a regularized extreme learning machine through particle swarm optimization. Firstly, the simulation environment of the Chinese train control system-3 was constructed for data acquisition. Then Pearson coefficient and other methods are used for pre-processing, then a stacked sparse denoising autoencoder is used to achieve nonlinear dimensionality reduction of features, and finally regularization extreme learning machine optimized by particle swarm optimization is used to achieve classification. Experimental data show that the proposed method has good training performance, with an average accuracy of 97.57% and a false negative rate of 2.43%, which is better than other alternative methods. In addition, ablation experiments were performed to evaluate the contribution of each component, and the results showed that the combination of methods was superior to individual methods. To further evaluate the generalization ability of the model in different scenarios, publicly available data sets of industrial control system networks were used. The results show that the model has robust detection capability in various types of network attacks.
Keywords: CTCS-3 malicious traffic detection Generalized features Stacked sparse denoising autoencoder Regularized extreme learning machine
2. FSMMTD: A Feature Subset-Based Malicious Traffic Detection Method
Authors: Xuan Wu, Yafei Song, Xiaodan Wang, Peng Wang, Qian Xiang. Source: Computers, Materials & Continua, 2025, No. 7, pp. 1279-1305 (27 pages)
With the growth of the Internet of Things (IoT) comes a flood of malicious traffic in the IoT, intensifying the challenges of network security. Traditional models operate with independent layers, limiting their effectiveness in addressing these challenges. To address this issue, we propose a cross-layer cooperative Feature Subset-Based Malicious Traffic Detection (FSMMTD) model for detecting malicious traffic. Our approach begins by applying an enhanced random forest method to adaptively filter and retain highly discriminative first-layer features. These processed features are then input into an improved state-space model that integrates the strengths of recurrent neural networks (RNNs) and transformers, enabling superior processing of complex patterns and global information. This integration allows the FSMMTD model to enhance its capability in identifying intricate data relationships and capturing comprehensive contextual insights. The FSMMTD model monitors IoT data flows in real-time, efficiently detecting anomalies and enabling rapid response to potential intrusions. We validate our approach using the publicly available ToN_IoT dataset for IoT traffic analysis. Experimental results demonstrate that our method achieves superior performance with an accuracy of 98.37%, precision of 96.28%, recall of 95.36%, and F1-score of 96.79%. These metrics indicate that the FSMMTD model outperforms existing methods in detecting malicious traffic, showcasing its effectiveness and reliability in enhancing IoT network security.
Keywords: Network security malicious traffic detection internet of things
3. Detecting While Accessing: A Semi-Supervised Learning-Based Approach for Malicious Traffic Detection in Internet of Things (Cited by: 3)
Authors: Yantian Luo, Hancun Sun, Xu Chen, Ning Ge, Wei Feng, Jianhua Lu. Source: China Communications [SCIE, CSCD], 2023, No. 4, pp. 302-314 (13 pages)
In the upcoming large-scale Internet of Things (IoT), it is increasingly challenging to defend against malicious traffic, due to the heterogeneity of IoT devices and the diversity of IoT communication protocols. In this paper, we propose a semi-supervised learning-based approach to detect malicious traffic at the access side. It overcomes the resource-bottleneck problem of traditional malicious traffic defenders which are deployed at the victim side, and also is free of labeled traffic data in model training. Specifically, we design a coarse-grained behavior model of IoT devices by self-supervised learning with unlabeled traffic data. Then, we fine-tune this model to improve its accuracy in malicious traffic detection by adopting a transfer learning method using a small amount of labeled data. Experimental results show that our method can achieve the accuracy of 99.52% and the F1-score of 99.52% with only 1% of the labeled training data based on the CICDDoS2019 dataset. Moreover, our method outperforms the state-of-the-art supervised learning-based methods in terms of accuracy, precision, recall and F1-score with 1% of the training data.
Keywords: malicious traffic detection semi-supervised learning Internet of Things (IoT) TRANSFORMER masked behavior model
4. Malicious Traffic Detection in IoT and Local Networks Using Stacked Ensemble Classifier (Cited by: 1)
Authors: R.D.Pubudu L.Indrasiri, Ernesto Lee, Vaibhav Rupapara, Furqan Rustam, Imran Ashraf. Source: Computers, Materials & Continua [SCIE, EI], 2022, No. 4, pp. 489-515 (27 pages)
Malicious traffic detection over the internet is one of the challenging areas for researchers to protect network infrastructures from any malicious activity. Several shortcomings of a network system can be leveraged by an attacker to get unauthorized access through malicious traffic. Safeguard from such attacks requires an efficient automatic system that can detect malicious traffic timely and avoid system damage. Currently, many automated systems can detect malicious activity, however, the efficacy and accuracy need further improvement to detect malicious traffic from multi-domain systems. The present study focuses on the detection of malicious traffic with high accuracy using machine learning techniques. The proposed approach used two datasets UNSW-NB15 and IoTID20 which contain the data for IoT-based traffic and local network traffic, respectively. Both datasets were combined to increase the capability of the proposed approach in detecting malicious traffic from local and IoT networks, with high accuracy. Horizontally merging both datasets requires an equal number of features which was achieved by reducing feature count to 30 for each dataset by leveraging principal component analysis (PCA). The proposed model incorporates stacked ensemble model extra boosting forest (EBF) which is a combination of tree-based models such as extra tree classifier, gradient boosting classifier, and random forest using a stacked ensemble approach. Empirical results show that EBF performed significantly better and achieved the highest accuracy score of 0.985 and 0.984 on the multi-domain dataset for two and four classes, respectively.
Keywords: Stacked ensemble PCA malicious traffic detection CLASSIFICATION machine learning
5. A Study of Ensemble Feature Selection and Adversarial Training for Malicious User Detection (Cited by: 1)
Authors: Linjie Zhang, Xiaoyan Zhu, Jianfeng Ma. Source: China Communications [SCIE, CSCD], 2023, No. 10, pp. 212-229 (18 pages)
The continuously booming of information technology has shed light on developing a variety of communication networks, multimedia, social networks and Internet of Things applications. However, users inevitably suffer from the intrusion of malicious users. Some studies focus on static characteristics of malicious users, which is easy to be bypassed by camouflaged malicious users. In this paper, we present a malicious user detection method based on ensemble feature selection and adversarial training. Firstly, the feature selection alleviates the dimension disaster problem and achieves more accurate classification performance. Secondly, we embed features into the multidimensional space and aggregate it into a feature map to encode the explicit content preference and implicit interaction preference. Thirdly, we use an effective ensemble learning which could avoid over-fitting and has good noise resistance. Finally, we propose a data-driven neural network detection model with the regularization technique adversarial training to deeply analyze the characteristics. It simplifies the parameters, obtaining more robust interaction features and pattern features. We demonstrate the effectiveness of our approach with numerical simulation results for malicious user detection, where the robustness issues are notable concerns.
Keywords: malicious user detection feature selection ensemble learning adversarial training
6. PowerDetector: Malicious PowerShell Script Family Classification Based on Multi-Modal Semantic Fusion and Deep Learning (Cited by: 8)
Authors: Xiuzhang Yang, Guojun Peng, Dongni Zhang, Yuhang Gao, Chenguang Li. Source: China Communications [SCIE, CSCD], 2023, No. 11, pp. 202-224 (23 pages)
PowerShell has been widely deployed in fileless malware and advanced persistent threat (APT) attacks due to its high stealthiness and live-off-the-land technique. However, existing works mainly focus on deobfuscation and malicious detection, lacking the malicious PowerShell families classification and behavior analysis. Moreover, the state-of-the-art methods fail to capture fine-grained features and semantic relationships, resulting in low robustness and accuracy. To this end, we propose PowerDetector, a novel malicious PowerShell script detector based on multimodal semantic fusion and deep learning. Specifically, we design four feature extraction methods to extract key features from character, token, abstract syntax tree (AST), and semantic knowledge graph. Then, we intelligently design four embeddings (i.e., Char2Vec, Token2Vec, AST2Vec, and Rela2Vec) and construct a multi-modal fusion algorithm to concatenate feature vectors from different views. Finally, we propose a combined model based on transformer and CNN-BiLSTM to implement PowerShell family detection. Our experiments with five types of PowerShell attacks show that PowerDetector can accurately detect various obfuscated and stealth PowerShell scripts, with a 0.9402 precision, a 0.9358 recall, and a 0.9374 F1-score. Furthermore, through single-modal and multi-modal comparison experiments, we demonstrate that PowerDetector's multi-modal embedding and deep learning model can achieve better accuracy and even identify more unknown attacks.
Keywords: deep learning malicious family detection multi-modal semantic fusion POWERSHELL
7. Detecting Malicious Uniform Resource Locators Using an Applied Intelligence Framework
Authors: Simona-Vasilica Oprea, Adela Bara. Source: Computers, Materials & Continua [SCIE, EI], 2024, No. 6, pp. 3827-3853 (27 pages)
The potential of text analytics is revealed by Machine Learning (ML) and Natural Language Processing (NLP) techniques. In this paper, we propose an NLP framework that is applied to multiple datasets to detect malicious Uniform Resource Locators (URLs). Three categories of features, both ML and Deep Learning (DL) algorithms and a ranking schema are included in the proposed framework. We apply frequency and prediction-based embeddings, such as hash vectorizer, Term Frequency-Inverse Dense Frequency (TF-IDF) and predictors, word to vector - word2vec (continuous bag of words, skip-gram) from Google, to extract features from text. Further, we apply more state-of-the-art methods to create vectorized features, such as GloVe. Additionally, feature engineering that is specific to URL structure is deployed to detect scams and other threats. For framework assessment, four ranking indicators are weighted: computational time and performance as accuracy, F1 score and type error II. For the computational time, we propose a new metric - Feature Building Time (FBT) as the cutting-edge feature builders (like doc2vec or GloVe) require more time. By applying the proposed assessment step, the skip-gram algorithm of word2vec surpasses other feature builders in performance. Additionally, eXtreme Gradient Boost (XGB) outperforms other classifiers. With this setup, we attain an accuracy of 99.5% and an F1 score of 0.99.
Keywords: Detecting malicious URL CLASSIFIERS text to feature deep learning ranking algorithms feature building time
8. Physical Layer Security Scheme With AoI-Awareness for Industrial IoT Based on Covert Communications
Authors: Yaping Li, Zhi-Xin Liu, Jia-Wei Su, Ya-Zhou Yuan. Source: IEEE/CAA Journal of Automatica Sinica, 2025, No. 1, pp. 276-278 (3 pages)
Dear Editor, Industrial Internet of things (IIoT) is a typical application of cyber-physical system (CPS). In the IIoT, wireless communication is an inevitable trend to replace the deployment-limited wired transmission for cases with large-scale and mobile devices. However, wireless communication gives rise to critical issues related to physical security, such as malicious detections and attacks [1].
Keywords: industrial iiot internet things iiot physical layer security covert communications malicious detections attacks cyberphysical system cps aoi awareness wireless communication
9. GLDOC: detection of implicitly malicious MS-Office documents using graph convolutional networks
Authors: Wenbo Wang, Peng Yi, Taotao Kou, Weitao Han, Chengyu Wang. Source: Cybersecurity, 2025, No. 3, pp. 61-74 (14 pages)
Nowadays, the malicious MS-Office document has already become one of the most effective attacking vectors in APT attacks. Though many protection mechanisms are provided, they have been proved easy to bypass, and the existed detection methods show poor performance when facing malicious documents with unknown vulnerabilities or with few malicious behaviors. In this paper, we first introduce the definition of im-documents, to describe those vulnerable documents which show implicitly malicious behaviors and escape most of public antivirus engines. Then we present GLDOC, a GCN based framework that is aimed at effectively detecting im-documents with dynamic analysis, and improving the possible blind spots of past detection methods. Besides the system call which is the only focus in most researches, we capture all dynamic behaviors in sandbox, take the process tree into consideration and reconstruct both of them into graphs. Using each line to learn each graph, GLDOC trains a 2-channel network as well as a classifier to formulate the malicious document detection problem into a graph learning and classification problem. Experiments show that GLDOC has a comprehensive balance of accuracy rate and false alarm rate: 95.33% and 4.33% respectively, outperforming other detection methods. When further testing in a simulated 5-day attacking scenario, our proposed framework still maintains a stable and high detection accuracy on the unknown vulnerabilities.
Keywords: Im-document APT attack GCN Dynamic analysis malicious document detection
10. Defending Federated Learning System from Poisoning Attacks via Efficient Unlearning
Authors: Long Cai, Ke Gu, Jiaqi Lei. Source: Computers, Materials & Continua, 2025, No. 4, pp. 239-258 (20 pages)
Large-scale neural networks-based federated learning (FL) has gained public recognition for its effective capabilities in distributed training. Nonetheless, the open system architecture inherent to federated learning systems raises concerns regarding their vulnerability to potential attacks. Poisoning attacks turn into a major menace to federated learning on account of their concealed property and potent destructive force. By altering the local model during routine machine learning training, attackers can easily contaminate the global model. Traditional detection and aggregation solutions mitigate certain threats, but they are still insufficient to completely eliminate the influence generated by attackers. Therefore, federated unlearning that can remove unreliable models while maintaining the accuracy of the global model has become a solution. Unfortunately some existing federated unlearning approaches are rather difficult to be applied in large neural network models because of their high computational expenses. Hence, we propose SlideFU, an efficient anti-poisoning attack federated unlearning framework. The primary concept of SlideFU is to employ sliding window to construct the training process, where all operations are confined within the window. We design a malicious detection scheme based on principal component analysis (PCA), which calculates the trust factors between compressed models in a low-cost way to eliminate unreliable models. After confirming that the global model is under attack, the system activates the federated unlearning process, calibrates the gradients based on the updated direction of the calibration gradients. Experiments on two public datasets demonstrate that our scheme can recover a robust model with extremely high efficiency.
Keywords: Federated learning malicious client detection model recovery machine unlearning
11. Deep Auto-Encoder Based Intelligent and Secure Time Synchronization Protocol (iSTSP) for Security-Critical Time-Sensitive WSNs
Authors: Ramadan Abdul-Rashid, Mohd Amiruddin Abd Rahman, Abdulaziz Yagoub Barnawi. Source: Computer Modeling in Engineering & Sciences, 2025, No. 9, pp. 3213-3250 (38 pages)
Accurate time synchronization is fundamental to the correct and efficient operation of Wireless Sensor Networks (WSNs), especially in security-critical, time-sensitive applications. However, most existing protocols degrade substantially under malicious interference. We introduce iSTSP, an Intelligent and Secure Time Synchronization Protocol that implements a four-stage defense pipeline to ensure robust, precise synchronization even in hostile environments: (1) trust preprocessing that filters node participation using behavioral trust scoring; (2) anomaly isolation employing a lightweight autoencoder to detect and excise malicious nodes in real time; (3) reliability-weighted consensus that prioritizes high-trust nodes during time aggregation; and (4) convergence-optimized synchronization that dynamically adjusts parameters using theoretical stability bounds. We provide rigorous convergence analysis including a closed-form expression for convergence time, and validate the protocol through both simulations and real-world experiments on a controlled 16-node testbed. Under Sybil attacks with five malicious nodes within this testbed, iSTSP maintains synchronization error increases under 12% and achieves a rapid convergence. Compared to state-of-the-art protocols like TPSN, SE-FTSP, and MMAR-CTS, iSTSP offers 60% faster detection, broader threat coverage, and more than 7 times lower synchronization error, with a modest 9.3% energy overhead over 8 h. We argue this is an acceptable trade-off for mission-critical deployments requiring guaranteed security. These findings demonstrate iSTSP's potential as a reliable solution for secure WSN synchronization and motivate future work on large-scale IoT deployments and integration with energy-efficient communication protocols.
Keywords: Time-sensitive wireless sensor networks (TS-WSNs) secure time synchronization protocol trust-based authentication autoencoder model deep learning malicious node detection Internet of Things energy-efficient communication protocols
12. Malicious Synchrophasor Detection Based on Highly Imbalanced Historical Operational Data (Cited by: 7)
Authors: Jingyu Wang, Zhengwei Sun, Bin Bao, Dongyuan Shi. Source: CSEE Journal of Power and Energy Systems [SCIE, CSCD], 2019, No. 1, pp. 11-20 (10 pages)
By maliciously manipulating the synchrophasors produced by phasor measurement units in power systems, cyber attackers can mislead the control center into taking wrong actions. From the viewpoint of machine learning, normal and malicious synchrophasors may exhibit different spatial distribution characteristics when mapped into a latent space. Hence, a malicious synchrophasor detector can be acquired by training a classification model with instances derived from historical operational synchrophasor data. However, malicious synchrophasors occur infrequently in practice. It is likely to incur a great deal of effort and may even introduce inevitable experience errors when extracting and labeling a sufficient number of malicious synchrophasors from historical operational data for training. For most existing detectors, if they are directly trained with highly imbalanced datasets, their performances may severely deteriorate. In this paper, a novel type of malicious synchrophasor detector is developed based on a combinatorial use of data rebalancing, Bagging-based ensemble learning, and the widely recognized eXtreme Gradient Boosting (XGBoost) classifier. Experiments show that although fewer malicious instances are provided, the proposed detector is still capable of detecting malicious synchrophasors.
Keywords: Data rebalancing ensemble learning malicious synchrophasor detection XGBoost
13. PUMD: a PU learning-based malicious domain detection framework
Authors: Zhaoshan Fan, Qing Wang, Haoran Jiao, Junrong Liu, Zelin Cui, Song Liu, Yuling Liu. Source: Cybersecurity [EI, CSCD], 2023, No. 1, pp. 90-111 (22 pages)
Domain name system (DNS), as one of the most critical internet infrastructure, has been abused by various cyber attacks. Current malicious domain detection capabilities are limited by insufficient credible label information, severe class imbalance, and incompact distribution of domain samples in different malicious activities. This paper proposes a malicious domain detection framework named PUMD, which innovatively introduces Positive and Unlabeled (PU) learning solution to solve the problem of insufficient label information, adopts customized sample weight to improve the impact of class imbalance, and effectively constructs evidence features based on resource overlapping to reduce the intra-class distance of malicious samples. Besides, a feature selection strategy based on permutation importance and binning is proposed to screen the most informative detection features. Finally, we conduct experiments on the open source real DNS traffic dataset provided by QI-ANXIN Technology Group to evaluate the PUMD framework's ability to capture potential command and control (C&C) domains for malicious activities. The experimental results prove that PUMD can achieve the best detection performance under different label frequencies and class imbalance ratios.
Keywords: malicious domain detection Insufficient credible label information Class imbalance Incompact distribution PU learning
14. Proof of Activity Protocol for IoMT Data Security
Authors: R.Rajadevi, K.Venkatachalam, Mehedi Masud, Mohammed A.AlZain, Mohamed Abouhawwash. Source: Computer Systems Science & Engineering [SCIE, EI], 2023, No. 1, pp. 339-350 (12 pages)
The Internet of Medical Things (IoMT) is an online device that senses and transmits medical data from users to physicians within a time interval. In recent years, IoMT has rapidly grown in the medical field to provide healthcare services without physical appearance. With the use of sensors, IoMT applications are used in healthcare management. In such applications, one of the most important factors is data security, given that its transmission over the network may cause obtrusion. For data security in IoMT systems, blockchain is used due to its numerous blocks for secure data storage. In this study, Blockchain-assisted secure data management framework (BSDMF) and Proof of Activity (PoA) protocol using malicious code detection algorithm is used in the proposed data security for the healthcare system. The main aim is to enhance the data security over the networks. The PoA protocol enhances high security of data from the literature review. By replacing the malicious node from the block, the PoA can provide high security for medical data in the blockchain. Comparison with existing systems shows that the proposed simulation with BSD-Malicious code detection algorithm achieves higher accuracy ratio, precision ratio, security, and efficiency and less response time for Blockchain-enabled healthcare systems.
Keywords: Blockchain IoMT malicious code detection SECURITY secure data management framework data management POA
15. Generic, efficient, and effective deobfuscation and semantic-aware attack detection for PowerShell scripts (Cited by: 1)
Authors: Chunlin XIONG, Zhenyuan LI, Yan CHEN, Tiantian ZHU, Jian WANG, Hai YANG, Wei RUAN. Source: Frontiers of Information Technology & Electronic Engineering [SCIE, EI, CSCD], 2022, No. 3, pp. 361-381 (21 pages)
In recent years, PowerShell has increasingly been reported as appearing in a variety of cyber attacks. However, because the PowerShell language is dynamic by design and can construct script fragments at different levels, state-of-the-art static analysis based PowerShell attack detection approaches are inherently vulnerable to obfuscations. In this paper, we design the first generic, effective, and lightweight deobfuscation approach for PowerShell scripts. To precisely identify the obfuscated script fragments, we define obfuscation based on the differences in the impacts on the abstract syntax trees of PowerShell scripts and propose a novel emulation-based recovery technology. Furthermore, we design the first semantic-aware PowerShell attack detection system that leverages the classic objective-oriented association mining algorithm and newly identifies 31 semantic signatures. The experimental results on 2342 benign samples and 4141 malicious samples show that our deobfuscation method takes less than 0.5 s on average and increases the similarity between the obfuscated and original scripts from 0.5% to 93.2%. By deploying our deobfuscation method, the attack detection rates for Windows Defender and VirusTotal increase substantially from 0.33% and 2.65% to 78.9% and 94.0%, respectively. Moreover, our detection system outperforms both existing tools with a 96.7% true positive rate and a 0% false positive rate on average.
Keywords: POWERSHELL Abstract syntax tree Obfuscation and deobfuscation malicious script detection