Code obfuscation is a crucial technique for protecting software against reverse engineering and security attacks.Among various obfuscation methods,opaque predicates,which are recognized as flexible and promising,are w...Code obfuscation is a crucial technique for protecting software against reverse engineering and security attacks.Among various obfuscation methods,opaque predicates,which are recognized as flexible and promising,are widely used to increase control-flow complexity.However,traditional opaque predicates are increasingly vulnerable to Dynamic Symbolic Execution(DSE)attacks,which can efficiently identify and eliminate them.To address this issue,this paper proposes a novel approach for anti-DSE opaque predicates that effectively resists symbolic execution-based deobfuscation.Our method introduces two key techniques:single-way function opaque predicates,which leverage hash functions and logarithmic transformations to prevent constraint solvers from generating feasible inputs,and path-explosion opaque predicates,which generate an excessive number of execution paths,overwhelming symbolic execution engines.To evaluate the effectiveness of our approach,we implemented a prototype obfuscation tool and tested it against prominent symbolic execution engines.Experimental results demonstrate that our approach signifi-cantly increases resilience against symbolic execution attacks while maintaining acceptable performance overhead.This paper provides a robust and scalable obfuscation technique,contributing to the enhancement of software protection strategies in adversarial environments.展开更多
With the popularization and rapid development of mobile intelligent terminals(MITs), the number of mobile applications, or apps, has increased exponentially. It is increasingly common for malicious code to be inserted...With the popularization and rapid development of mobile intelligent terminals(MITs), the number of mobile applications, or apps, has increased exponentially. It is increasingly common for malicious code to be inserted into counterfeit apps, which can cause significant economic damage and threaten the security of users. Code obfuscation techniques are a highly efficient group of methods for code security protection. In this paper, we propose a novel control flow obfuscation based method for Android code protection. First, algorithms to insert irrelevant code and flatten the control flow are employed that minimize the cost of obfuscation while ensuring its strength. Second, we improve the traditional methods of control flow flattening to further reduce the costs of obfuscation. Lastly, the use of opaque predicates is strengthened by establishing an access control strategy, which converts the identification of opaque predicates in the entire program into a graph traversal problem, and thereby increases the strength of the code protection. We did some experiments to evaluate our method, and the results show that the proposed method can work well.展开更多
Cloud computing and edge computing brought more software,which also brought a new danger of malicious software attacks.Data synchronization mechanisms of software can further help reverse data modifications.Based on t...Cloud computing and edge computing brought more software,which also brought a new danger of malicious software attacks.Data synchronization mechanisms of software can further help reverse data modifications.Based on the mechanisms,attackers can cover themselves behind the network and modify data undetected.Related knowledge of software reverse engineering can be organized as rules to accelerate the attacks,when attackers intrude cloud server to access the source or binary codes.Therefore,we proposed a novel method to resist this kind of reverse engineering by breaking these rules.Our method is based on software obfuscations and encryptions to enhance the security of distributed software and cloud services in the 5G era.Our method is capable of(1)replacing theoriginal assembly codes of theprotectedprogramwithequivalent assembly instructions inan iteration way,(2)obfuscating the control flow of the protected program to confuse attackers meanwhile keeps the program producing the same outputs,(3)encrypting data to confuse attackers.In addition,the approach can periodically and automatically modify the protected software binary codes,and the binary codes of the protected software are encrypted to resist static analysis and dynamic analysis.Furthermore,a simplified virtual machine is implemented to make the protected codes unreadable to attackers.Cloud game is one of the specific scenarios which needs low latency and strong data consistency.Cheat engine,Ollydbg,and Interactive Disassembler Professional(IDA)are used prevalently for games.Our improved methods can protect the software from the most vulnerable aspects.The improved dynamic code swapping and the simplified virtual machine technologies for cloud games are the main innovations.We inductively learned that our methods have been working well according to the security mechanisms and time complexity analysis.Experiments show that hidden dangers can be eliminated with efficient methods:Execution time and file sizes of the target codes can be multiple times than that of the original program codes which depend on specific program functions.展开更多
Software obfuscation has been developed for over 30 years.A problem always confusing the communities is what security strength the technique can achieve.Nowadays,this problem becomes even harder as the software econom...Software obfuscation has been developed for over 30 years.A problem always confusing the communities is what security strength the technique can achieve.Nowadays,this problem becomes even harder as the software economy becomes more diversified.Inspired by the classic idea of layered security for risk management,we propose layered obfuscation as a promising way to realize reliable software obfuscation.Our concept is based on the fact that real-world software is usually complicated.Merely applying one or several obfuscation approaches in an ad-hoc way cannot achieve good obscurity.Layered obfuscation,on the other hand,aims to mitigate the risks of reverse software engineering by integrating different obfuscation techniques as a whole solution.In the paper,we conduct a systematic review of existing obfuscation techniques based on the idea of layered obfuscation and develop a novel taxonomy of obfuscation techniques.Following our taxonomy hierarchy,the obfuscation strategies under different branches are orthogonal to each other.In this way,it can assist developers in choosing obfuscation techniques and designing layered obfuscation solutions based on their specific requirements.展开更多
Software obfuscation has been developed for over 30 years.A problem always confusing the communities is what security strength the technique can achieve.Nowadays,this problem becomes even harder as the software econom...Software obfuscation has been developed for over 30 years.A problem always confusing the communities is what security strength the technique can achieve.Nowadays,this problem becomes even harder as the software economy becomes more diversified.Inspired by the classic idea of layered security for risk management,we propose layered obfuscation as a promising way to realize reliable software obfuscation.Our concept is based on the fact that real-world software is usually complicated.Merely applying one or several obfuscation approaches in an ad-hoc way cannot achieve good obscurity.Layered obfuscation,on the other hand,aims to mitigate the risks of reverse software engineering by integrating different obfuscation techniques as a whole solution.In the paper,we conduct a systematic review of existing obfuscation techniques based on the idea of layered obfuscation and develop a novel taxonomy of obfuscation techniques.Following our taxonomy hierarchy,the obfuscation strategies under different branches are orthogonal to each other.In this way,it can assist developers in choosing obfuscation techniques and designing layered obfuscation solutions based on their specific requirements.展开更多
In recent years,Power Shell has increasingly been reported as appearing in a variety of cyber attacks.However,because the PowerShell language is dynamic by design and can construct script fragments at different levels...In recent years,Power Shell has increasingly been reported as appearing in a variety of cyber attacks.However,because the PowerShell language is dynamic by design and can construct script fragments at different levels,state-of-the-art static analysis based Power Shell attack detection approaches are inherently vulnerable to obfuscations.In this paper,we design the first generic,effective,and lightweight deobfuscation approach for PowerShell scripts.To precisely identify the obfuscated script fragments,we define obfuscation based on the differences in the impacts on the abstract syntax trees of PowerShell scripts and propose a novel emulation-based recovery technology.Furthermore,we design the first semantic-aware PowerShell attack detection system that leverages the classic objective-oriented association mining algorithm and newly identifies 31 semantic signatures.The experimental results on 2342 benign samples and 4141 malicious samples show that our deobfuscation method takes less than 0.5 s on average and increases the similarity between the obfuscated and original scripts from 0.5%to 93.2%.By deploying our deobfuscation method,the attack detection rates for Windows Defender and VirusTotal increase substantially from 0.33%and 2.65%to 78.9%and 94.0%,respectively.Moreover,our detection system outperforms both existing tools with a 96.7%true positive rate and a 0%false positive rate on average.展开更多
A new secure oblivious transfer (OT) protocol from indistinguishability obfuscation (iO) is proposed in this paper. The candidate iO and a dual-mode cryptosystem are the main technical tools of this scheme. Garg e...A new secure oblivious transfer (OT) protocol from indistinguishability obfuscation (iO) is proposed in this paper. The candidate iO and a dual-mode cryptosystem are the main technical tools of this scheme. Garg et al. introduced a candidate construction of iO in 2013. Following their steps, a new k-out-of-1 OT protocol is presented here, and its realization from decisional Diffie-Hellman (DDH) is described in this paper, in which iO was combined with the dual-mode cryptosystem. The security of the scheme mainly relies on the indistinguishability of the obf-branches (corresponding to the two modes in dual-mode model). This paper explores a new way for the application of iO.展开更多
Clone detection has received much attention in many fields such as malicious code detection,vulnerability hunting,and code copyright infringement detection.However,cyber criminals may obfuscate code to impede violatio...Clone detection has received much attention in many fields such as malicious code detection,vulnerability hunting,and code copyright infringement detection.However,cyber criminals may obfuscate code to impede violation detection.To date,few studies have investigated the robustness of clone detectors,especially in-fashion deep learning-based ones,against obfuscation.Meanwhile,most of these studies only measure the difference between one code snippet and its obfuscation version.However,in reality,the attackers may modify the original code before obfuscating it.Then what we should evaluate is the detection of obfuscated code from cloned code,not the original code.For this,we conduct a comprehensive study evaluating 3 popular deep-learning based clone detectors and 6 commonly used traditional ones.Regarding the data,we collect 6512 clone pairs of five types from the dataset BigCloneBench and obfuscate one program of each pair via 64 strategies of 6 state-of-art commercial obfuscators.We also collect 1424 non-clone pairs to evaluate the false positives.In sum,a benchmark of 524,148 code pairs(either clone or not)are generated,which are passed to clone detectors for evaluation.To automate the evaluation,we develop one uniform evaluation framework,integrating the clone detectors and obfuscators.The results bring us interesting findings on how obfuscation affects the performance of clone detection and what is the difference between traditional and deep learning-based clone detectors.In addition,we conduct manual code reviews to uncover the root cause of the phenomenon and give suggestions to users from different perspectives.展开更多
Privacy protection for smart contracts is currently inadequate.Existing solutions for privacy-preserving smart contracts either support only a limited class of smart contracts or rely on noncryptographic assumptions.W...Privacy protection for smart contracts is currently inadequate.Existing solutions for privacy-preserving smart contracts either support only a limited class of smart contracts or rely on noncryptographic assumptions.We propose a cryptographic obfuscation scheme for smart contracts based on existing blockchain mechanisms,standard cryptographic assumptions,and witness encryption.In the proposed scheme,an obfuscated smart contract does not reveal its algorithm and hardcoded secrets and preserves encrypted states.Any user can provide it with encrypted inputs and allow an untrusted third party to execute it.Although multiparty computation(MPC)among dynamically changing users is necessary,its privacy is protected if at least one user is honest.If the MPC does not finish within a period of time,anyone can cancel and restart it.The proposed scheme also supports decentralized obfuscation where even the participants of the obfuscation process cannot learn secrets in the obfuscated smart contract unless all of them are malicious.As its applications,we present a new trustless bitcoin bridge mechanism that exposes no secret key and privacy-preserving anti-money laundering built into smart contracts.展开更多
IoT(Internet of Things)devices are being used more and more in a variety of businesses and for a variety of tasks,such as environmental data collection in both civilian and military situations.They are a desirable att...IoT(Internet of Things)devices are being used more and more in a variety of businesses and for a variety of tasks,such as environmental data collection in both civilian and military situations.They are a desirable attack target for malware intended to infect specific IoT devices due to their growing use in a variety of applications and their increasing computational and processing power.In this study,we investigate the possibility of detecting IoT malware using recurrent neural networks(RNNs).RNNis used in the proposed method to investigate the execution operation codes of ARM-based Internet of Things apps(OpCodes).To train our algorithms,we employ a dataset of IoT applications that includes 281 malicious and 270 benign pieces of software.The trained model is then put to the test using 100 brand-new IoT malware samples across three separate LSTM settings.Model exposure was not previously conducted on these samples.Detecting newly crafted malware samples with 2-layer neurons had the highest accuracy(98.18%)in the 10-fold cross validation experiment.A comparison of the LSTMtechnique to other machine learning classifiers shows that it yields the best results.展开更多
The widespread adoption of Internet of Things(IoT)devices has resulted in notable progress in different fields,improving operational effectiveness while also raising concerns about privacy due to their vulnerability t...The widespread adoption of Internet of Things(IoT)devices has resulted in notable progress in different fields,improving operational effectiveness while also raising concerns about privacy due to their vulnerability to virus attacks.Further,the study suggests using an advanced approach that utilizes machine learning,specifically the Wide Residual Network(WRN),to identify hidden malware in IoT systems.The research intends to improve privacy protection by accurately identifying malicious software that undermines the security of IoT devices,using the MalMemAnalysis dataset.Moreover,thorough experimentation provides evidence for the effectiveness of the WRN-based strategy,resulting in exceptional performance measures such as accuracy,precision,F1-score,and recall.The study of the test data demonstrates highly impressive results,with a multiclass accuracy surpassing 99.97%and a binary class accuracy beyond 99.98%.The results emphasize the strength and dependability of using advanced deep learning methods such as WRN for identifying hidden malware risks in IoT environments.Furthermore,a comparison examination with the current body of literature emphasizes the originality and efficacy of the suggested methodology.This research builds upon previous studies that have investigated several machine learning methods for detecting malware on IoT devices.However,it distinguishes itself by showcasing exceptional performance metrics and validating its findings through thorough experimentation with real-world datasets.Utilizing WRN offers benefits in managing the intricacies of malware detection,emphasizing its capacity to enhance the security of IoT ecosystems.To summarize,this work proposes an effective way to address privacy concerns on IoT devices by utilizing advanced machine learning methods.The research provides useful insights into the changing landscape of IoT cybersecurity by emphasizing methodological rigor and conducting comparative performance analysis.Future research could focus on enhancing the recommended approach by adding more datasets and leveraging real-time monitoring capabilities to strengthen IoT devices’defenses against new cybersecurity threats.展开更多
The smart phone market is continuously increasing and there are more than 6 billion of smart phone users worldwide with the aid of the 5G technology.Among them Android occupies 87%of the market share.Naturally,the wid...The smart phone market is continuously increasing and there are more than 6 billion of smart phone users worldwide with the aid of the 5G technology.Among them Android occupies 87%of the market share.Naturally,the widespread Android smartphones has drawn the attention of the attackers who implement and spread malware.Consequently,currently the number of malware targeting Android mobile phones is ever increasing.Therefore,it is a critical task to find and detect malicious behaviors of malware in a timely manner.However,unfortunately,attackers use a variety of obfuscation techniques for malware to evade or delay detection.When an obfuscation technique such as the class encryption is applied to a malicious application,we cannot obtain any information through a static analysis regarding its malicious behaviors.Hence,we need to rely on the manual,dynamic analysis to find concealed malicious behaviors from obfuscated malware.To avoid malware spreading out in larger scale,we need an automated deobfuscation approach that accurately deobfuscates obfuscated malware so that we can reveal hidden malicious behaviors.In this study,we introduce widely-used obfuscation techniques and propose an effective deobfuscation method,named ARBDroid,for automatically deobfuscating the string encryption,class encryption,and API hiding techniques.Our evaluation results clearly demonstrate that our approach can deobfuscate obfuscated applications based on dynamic analysis results.展开更多
Mobile apps are known to be rich sources for gathering privacy-sensitive information about smartphone users.Despite the presence of encryption,passive network adversaries who have access to the network infrastructure ...Mobile apps are known to be rich sources for gathering privacy-sensitive information about smartphone users.Despite the presence of encryption,passive network adversaries who have access to the network infrastructure can eavesdrop on the traffic and therefore fingerprint a user’s app by means of packet-level traffic analysis.Since it is difficult to prevent the adversaries from accessing the network,providing secrecy in hostile environments becomes a serious concern.In this study,we propose AdaptiveMutate,a privacy-leak thwarting technique to defend against the statistical traffic analysis of apps.First,we present a method for the identification of mobile apps using traffic analysis.Further,we propose a confusion system in which we obfuscate packet lengths,and/or inter-arrival time information leaked by the mobile traffic to make it hard for intruders to differentiate between the altered app traffic and the actual one using statistical analysis.Our aim is to shape one class of app traffic to obscure its features with the minimum overhead.Our system strives to dynamically maximize its efficiency by matching each app with the corresponding most dissimilar app.Also,AdaptiveMutate has an adaptive capability that allows it to choose the most suitable feature to mutate,depending on the type of apps analyzed and the classifier used,if known.We evaluate the efficiency of our model by conducting a comprehensive simulation analysis that mutates different apps to each other using AdaptiveMutate.We conclude that our algorithm is most efficient when we mutate a feature of one app to its most dissimilar one in another app.When applying the identification technique,we achieve a classification accuracy of 91.1%.Then,using our obfuscation technique,we are able to reduce this accuracy to 7%.Also,we test our algorithm against a recently published approach for mobile apps classification and we are able to reduce its accuracy from 94.8%to 17.9%.Additionally,we analyze the tradeoff between the shaping cost and traffic privacy protection,specifically,the associated overhead and the feasibility for real-time implementation.展开更多
Although Android becomes a leading operating system in market,Android users suffer from security threats due to malwares.To protect users from the threats,the solutions to detect and identify the malware variant are e...Although Android becomes a leading operating system in market,Android users suffer from security threats due to malwares.To protect users from the threats,the solutions to detect and identify the malware variant are essential.However,modern malware evades existing solutions by applying code obfuscation and native code.To resolve this problem,we introduce an ensemble-based malware classification algorithm using malware family grouping.The proposed family grouping algorithm finds the optimal combination of families belonging to the same group while the total number of families is fixed to the optimal total number.It also adopts unified feature extraction technique for handling seamless both bytecode and native code.We propose a unique feature selection algorithm that improves classification performance and time simultaneously.2-gram based features are generated from the instructions and segments,and then selected by using multiple filters to choose most effective features.Through extensive simulation with many obfuscated and native code malware applications,we confirm that it can classify malwares with high accuracy and short processing time.Most existing approaches failed to achieve classification speed and detection time simultaneously.Therefore,the approach can help Android users to keep themselves safe from various and evolving cyber-attacks very effectively.展开更多
In this paper, we propose a new notion of secure disguisable symmetric encryption schemes, which captures the idea that the attacker can decrypt an encrypted fie to different meaningful values when different keys are ...In this paper, we propose a new notion of secure disguisable symmetric encryption schemes, which captures the idea that the attacker can decrypt an encrypted fie to different meaningful values when different keys are put to the decryption algorithm. This notion is aimed for the following anti-forensics purpose: the attacker can cheat the forensics investigator by decrypting an encrypted file to a meaningful file other than that one he encrypted, in the case that he is caught by the forensics investigator and ordered to hand over the key for decryption. We then present a construction of secure disguisable symmetric encryption schemes.展开更多
The Android operating system has become a leading smartphone platform for mobile and other smart devices,which in turn has led to a diversity of malware applications.The amount of research on Android malware detection...The Android operating system has become a leading smartphone platform for mobile and other smart devices,which in turn has led to a diversity of malware applications.The amount of research on Android malware detection has increased significantly in recent years and many detection systems have been proposed.Despite these efforts,however,most systems can be thwarted by sophisticated Androidmalware adopting obfuscation or native code to avoid discovery by anti-virus tools.In this paper,we propose a new static analysis technique to address the problems of obfuscating and native malware applications.The proposed system provides a unified technique for extracting features from applications and native libraries using a selection algorithm that can extract a small set of unique and effective features for detecting malware applications rapidly and with a high detection rate.Evaluation using large Android malware detection datasets obtained from various sources confirmed that the proposed approach achieves very promising results in terms of improved accuracy,low false positive rate,and high detection rate.展开更多
There are several methods and technologies for comparing the statements, comments, strings, identifiers, and other visible elements of source code in order to efficiently identify similarity. In a prior paper we found...There are several methods and technologies for comparing the statements, comments, strings, identifiers, and other visible elements of source code in order to efficiently identify similarity. In a prior paper we found that comparing the whitespace patterns was not precise enough to identify copying by itself. However, several possible methods for improving the precision of a whitespace pattern comparison were presented, the most promising of which was an examination of the sequences of lines with matching whitespace patterns. This paper demonstrates a method of evaluating the sequences of matching whitespace patterns and a detailed study of the method’s reliability.展开更多
Malware is a software which is designed with an intent to damage a network or computer resources. Today, the emergence of malware is on boom letting the researchers develop novel techniques to protect computers and ne...Malware is a software which is designed with an intent to damage a network or computer resources. Today, the emergence of malware is on boom letting the researchers develop novel techniques to protect computers and networks. The three major techniques used for malware detection are heuristic, signature-based, and behavior based. Among these, the most prevalent is the heuristic based malware detection. Hidden Markov Model is the most efficient technique for malware detection. In this paper, we present the Hidden Markov Model as a cutting edge malware detection tool and a comprehensive review of different studies that employ HMM as a detection tool.展开更多
A user’s trajectory can be maliciously monitored by adversaries when they share the positions in location-aware social networking applications which require users to update their own locations continuously. An advers...A user’s trajectory can be maliciously monitored by adversaries when they share the positions in location-aware social networking applications which require users to update their own locations continuously. An adversary infers user’s locations from the trajectories, and gleans user’s private information through them via location-aware social networking applications and public available geographic data. In this paper, we propose a user proprietary obfuscate system to suit situations for position sharing and location privacy preserving in location-aware social network. Users transform the public available geographic data into personal obfuscate region maps with pre-defined profile to prevent the location leaking in stationary status. Our obfuscation with size restricted regions method tunes user’s transformed locations fitting into natural movement and prevents unreasonable snapshot locations been recorded in the trajectory.展开更多
To achieve sustainable agriculture and food security there is an urgent need to share agricultural data with a range of relevant stakeholders;however,to reduce the risk of identification,spatial data must be obfuscate...To achieve sustainable agriculture and food security there is an urgent need to share agricultural data with a range of relevant stakeholders;however,to reduce the risk of identification,spatial data must be obfuscated prior to sharing.To-date,most obfuscation methods that have been developed do not consider a)the areal nature of field-level data and b)the differing environmental conditions at the original and obfuscated sites.To address these issues,we developed the Polygon-based Environmental Similarity Obfuscation Method(PESOM)to provide geoprivacy protection and guarantee that obfuscated data will retain the same environmental conditions as the original data.PESOM was developed using an unsupervised clustering algorithm and seasonal climate data,before being applied to the Nutrient Management Plan(NMP)online in Ireland.PESOM satisfied high level of geoprivacy protection and absolute environmental clustering preservation,with no false-identification and non-unique obfuscation risk.It provided a low level of distribution preservation and correlation preservation,large location displacement and subsequently low local analytical accuracy.PESOM is a significant advance on existing obfuscation techniques in agriculture data and will allow the sharing of data to be used widely for agri-environmental purposes,a current limitation of existing methods.The results of this research should be of wide interest to those working in agri-environmental research and computer science,and be of relevance to researchers,data managers,and practitioners.展开更多
基金supported byOpen Foundation of Key Laboratory of Cyberspace Security,Ministry of Education of China(No.KLCS20240211)Henan Science and Technology Major Project No.241110210100.
文摘Code obfuscation is a crucial technique for protecting software against reverse engineering and security attacks.Among various obfuscation methods,opaque predicates,which are recognized as flexible and promising,are widely used to increase control-flow complexity.However,traditional opaque predicates are increasingly vulnerable to Dynamic Symbolic Execution(DSE)attacks,which can efficiently identify and eliminate them.To address this issue,this paper proposes a novel approach for anti-DSE opaque predicates that effectively resists symbolic execution-based deobfuscation.Our method introduces two key techniques:single-way function opaque predicates,which leverage hash functions and logarithmic transformations to prevent constraint solvers from generating feasible inputs,and path-explosion opaque predicates,which generate an excessive number of execution paths,overwhelming symbolic execution engines.To evaluate the effectiveness of our approach,we implemented a prototype obfuscation tool and tested it against prominent symbolic execution engines.Experimental results demonstrate that our approach signifi-cantly increases resilience against symbolic execution attacks while maintaining acceptable performance overhead.This paper provides a robust and scalable obfuscation technique,contributing to the enhancement of software protection strategies in adversarial environments.
基金supported by National Natural Science Foundation of China (CN) Project (U153610079,61401038, 61762086)
文摘With the popularization and rapid development of mobile intelligent terminals(MITs), the number of mobile applications, or apps, has increased exponentially. It is increasingly common for malicious code to be inserted into counterfeit apps, which can cause significant economic damage and threaten the security of users. Code obfuscation techniques are a highly efficient group of methods for code security protection. In this paper, we propose a novel control flow obfuscation based method for Android code protection. First, algorithms to insert irrelevant code and flatten the control flow are employed that minimize the cost of obfuscation while ensuring its strength. Second, we improve the traditional methods of control flow flattening to further reduce the costs of obfuscation. Lastly, the use of opaque predicates is strengthened by establishing an access control strategy, which converts the identification of opaque predicates in the entire program into a graph traversal problem, and thereby increases the strength of the code protection. We did some experiments to evaluate our method, and the results show that the proposed method can work well.
基金supported by grants from Natural Science Foundation of Inner Mongolia Autonomous Region(No.2022MS06024)NSFC(No.61962040)+3 种基金Hainan Province Key R&D Program(ZDYF2022GXJS007,ZDYF2022GXJS010)Hainan Natural Science Foundation(620RC561)Hainan Province Higher Education and Teaching Reform Research Project(Hnjg2021ZD-3)Hainan Province Key Laboratory of Meteorological Disaster Prevention and Mitigation in the South China Sea,Open Fund Project(SCSF202210).
文摘Cloud computing and edge computing brought more software,which also brought a new danger of malicious software attacks.Data synchronization mechanisms of software can further help reverse data modifications.Based on the mechanisms,attackers can cover themselves behind the network and modify data undetected.Related knowledge of software reverse engineering can be organized as rules to accelerate the attacks,when attackers intrude cloud server to access the source or binary codes.Therefore,we proposed a novel method to resist this kind of reverse engineering by breaking these rules.Our method is based on software obfuscations and encryptions to enhance the security of distributed software and cloud services in the 5G era.Our method is capable of(1)replacing theoriginal assembly codes of theprotectedprogramwithequivalent assembly instructions inan iteration way,(2)obfuscating the control flow of the protected program to confuse attackers meanwhile keeps the program producing the same outputs,(3)encrypting data to confuse attackers.In addition,the approach can periodically and automatically modify the protected software binary codes,and the binary codes of the protected software are encrypted to resist static analysis and dynamic analysis.Furthermore,a simplified virtual machine is implemented to make the protected codes unreadable to attackers.Cloud game is one of the specific scenarios which needs low latency and strong data consistency.Cheat engine,Ollydbg,and Interactive Disassembler Professional(IDA)are used prevalently for games.Our improved methods can protect the software from the most vulnerable aspects.The improved dynamic code swapping and the simplified virtual machine technologies for cloud games are the main innovations.We inductively learned that our methods have been working well according to the security mechanisms and time complexity analysis.Experiments show that hidden dangers can be eliminated with efficient methods:Execution time and file sizes of the target codes can be multiple times than that of the original program codes which depend on specific program functions.
基金The work described in this paper was supported by the Research Grants Council of the Hong Kong Special Administrative Region,China(No.CUHK 14210717 of the General Research Fund).
文摘Software obfuscation has been developed for over 30 years.A problem always confusing the communities is what security strength the technique can achieve.Nowadays,this problem becomes even harder as the software economy becomes more diversified.Inspired by the classic idea of layered security for risk management,we propose layered obfuscation as a promising way to realize reliable software obfuscation.Our concept is based on the fact that real-world software is usually complicated.Merely applying one or several obfuscation approaches in an ad-hoc way cannot achieve good obscurity.Layered obfuscation,on the other hand,aims to mitigate the risks of reverse software engineering by integrating different obfuscation techniques as a whole solution.In the paper,we conduct a systematic review of existing obfuscation techniques based on the idea of layered obfuscation and develop a novel taxonomy of obfuscation techniques.Following our taxonomy hierarchy,the obfuscation strategies under different branches are orthogonal to each other.In this way,it can assist developers in choosing obfuscation techniques and designing layered obfuscation solutions based on their specific requirements.
基金supported by the Research Grants Council of the Hong Kong Special Administrative Region,China(No.CUHK 14210717 of the General Research Fund).
文摘Software obfuscation has been developed for over 30 years.A problem always confusing the communities is what security strength the technique can achieve.Nowadays,this problem becomes even harder as the software economy becomes more diversified.Inspired by the classic idea of layered security for risk management,we propose layered obfuscation as a promising way to realize reliable software obfuscation.Our concept is based on the fact that real-world software is usually complicated.Merely applying one or several obfuscation approaches in an ad-hoc way cannot achieve good obscurity.Layered obfuscation,on the other hand,aims to mitigate the risks of reverse software engineering by integrating different obfuscation techniques as a whole solution.In the paper,we conduct a systematic review of existing obfuscation techniques based on the idea of layered obfuscation and develop a novel taxonomy of obfuscation techniques.Following our taxonomy hierarchy,the obfuscation strategies under different branches are orthogonal to each other.In this way,it can assist developers in choosing obfuscation techniques and designing layered obfuscation solutions based on their specific requirements.
基金supported by the National Natural Science Foundation of China(No.U1936215)。
文摘In recent years,Power Shell has increasingly been reported as appearing in a variety of cyber attacks.However,because the PowerShell language is dynamic by design and can construct script fragments at different levels,state-of-the-art static analysis based Power Shell attack detection approaches are inherently vulnerable to obfuscations.In this paper,we design the first generic,effective,and lightweight deobfuscation approach for PowerShell scripts.To precisely identify the obfuscated script fragments,we define obfuscation based on the differences in the impacts on the abstract syntax trees of PowerShell scripts and propose a novel emulation-based recovery technology.Furthermore,we design the first semantic-aware PowerShell attack detection system that leverages the classic objective-oriented association mining algorithm and newly identifies 31 semantic signatures.The experimental results on 2342 benign samples and 4141 malicious samples show that our deobfuscation method takes less than 0.5 s on average and increases the similarity between the obfuscated and original scripts from 0.5%to 93.2%.By deploying our deobfuscation method,the attack detection rates for Windows Defender and VirusTotal increase substantially from 0.33%and 2.65%to 78.9%and 94.0%,respectively.Moreover,our detection system outperforms both existing tools with a 96.7%true positive rate and a 0%false positive rate on average.
基金supported by Opening Project of State Key Laboratory of Cryptology, Scientific Research and Postgraduate Training Cooperation Project-Scientific Research Base-New Theory of Block Cipher and Obfuscation and their Application Research, and Information Management and Professional Building of Information System
文摘A new secure oblivious transfer (OT) protocol from indistinguishability obfuscation (iO) is proposed in this paper. The candidate iO and a dual-mode cryptosystem are the main technical tools of this scheme. Garg et al. introduced a candidate construction of iO in 2013. Following their steps, a new k-out-of-1 OT protocol is presented here, and its realization from decisional Diffie-Hellman (DDH) is described in this paper, in which iO was combined with the dual-mode cryptosystem. The security of the scheme mainly relies on the indistinguishability of the obf-branches (corresponding to the two modes in dual-mode model). This paper explores a new way for the application of iO.
基金IIE authors are supported in part by the National Key R&D Program of China(2020AAA0140001)NSFC U1836211,Beijing Natural Science Foundation(No.M22004),the Anhui Department of Science and Technology under Grant 202103a05020009Youth Innovation Promotion Association CAS,Beijing Academy of Artificial Intelligence(BAAI)and a research grant from Huawei.
文摘Clone detection has received much attention in many fields such as malicious code detection,vulnerability hunting,and code copyright infringement detection.However,cyber criminals may obfuscate code to impede violation detection.To date,few studies have investigated the robustness of clone detectors,especially in-fashion deep learning-based ones,against obfuscation.Meanwhile,most of these studies only measure the difference between one code snippet and its obfuscation version.However,in reality,the attackers may modify the original code before obfuscating it.Then what we should evaluate is the detection of obfuscated code from cloned code,not the original code.For this,we conduct a comprehensive study evaluating 3 popular deep-learning based clone detectors and 6 commonly used traditional ones.Regarding the data,we collect 6512 clone pairs of five types from the dataset BigCloneBench and obfuscate one program of each pair via 64 strategies of 6 state-of-art commercial obfuscators.We also collect 1424 non-clone pairs to evaluate the false positives.In sum,a benchmark of 524,148 code pairs(either clone or not)are generated,which are passed to clone detectors for evaluation.To automate the evaluation,we develop one uniform evaluation framework,integrating the clone detectors and obfuscators.The results bring us interesting findings on how obfuscation affects the performance of clone detection and what is the difference between traditional and deep learning-based clone detectors.In addition,we conduct manual code reviews to uncover the root cause of the phenomenon and give suggestions to users from different perspectives.
基金supported by the Mohammed bin Salman Center for Future Science and Technology for Saudi-Japan Vision 2030 at The University of Tokyo(MbSC2030).
文摘Privacy protection for smart contracts is currently inadequate.Existing solutions for privacy-preserving smart contracts either support only a limited class of smart contracts or rely on noncryptographic assumptions.We propose a cryptographic obfuscation scheme for smart contracts based on existing blockchain mechanisms,standard cryptographic assumptions,and witness encryption.In the proposed scheme,an obfuscated smart contract does not reveal its algorithm and hardcoded secrets and preserves encrypted states.Any user can provide it with encrypted inputs and allow an untrusted third party to execute it.Although multiparty computation(MPC)among dynamically changing users is necessary,its privacy is protected if at least one user is honest.If the MPC does not finish within a period of time,anyone can cancel and restart it.The proposed scheme also supports decentralized obfuscation where even the participants of the obfuscation process cannot learn secrets in the obfuscated smart contract unless all of them are malicious.As its applications,we present a new trustless bitcoin bridge mechanism that exposes no secret key and privacy-preserving anti-money laundering built into smart contracts.
文摘IoT(Internet of Things)devices are being used more and more in a variety of businesses and for a variety of tasks,such as environmental data collection in both civilian and military situations.They are a desirable attack target for malware intended to infect specific IoT devices due to their growing use in a variety of applications and their increasing computational and processing power.In this study,we investigate the possibility of detecting IoT malware using recurrent neural networks(RNNs).RNNis used in the proposed method to investigate the execution operation codes of ARM-based Internet of Things apps(OpCodes).To train our algorithms,we employ a dataset of IoT applications that includes 281 malicious and 270 benign pieces of software.The trained model is then put to the test using 100 brand-new IoT malware samples across three separate LSTM settings.Model exposure was not previously conducted on these samples.Detecting newly crafted malware samples with 2-layer neurons had the highest accuracy(98.18%)in the 10-fold cross validation experiment.A comparison of the LSTMtechnique to other machine learning classifiers shows that it yields the best results.
基金The authors would like to thank Princess Nourah bint Abdulrahman University for funding this project through the researchers supporting project(PNURSP2024R435)and this research was funded by the Prince Sultan University,Riyadh,Saudi Arabia.
文摘The widespread adoption of Internet of Things(IoT)devices has resulted in notable progress in different fields,improving operational effectiveness while also raising concerns about privacy due to their vulnerability to virus attacks.Further,the study suggests using an advanced approach that utilizes machine learning,specifically the Wide Residual Network(WRN),to identify hidden malware in IoT systems.The research intends to improve privacy protection by accurately identifying malicious software that undermines the security of IoT devices,using the MalMemAnalysis dataset.Moreover,thorough experimentation provides evidence for the effectiveness of the WRN-based strategy,resulting in exceptional performance measures such as accuracy,precision,F1-score,and recall.The study of the test data demonstrates highly impressive results,with a multiclass accuracy surpassing 99.97%and a binary class accuracy beyond 99.98%.The results emphasize the strength and dependability of using advanced deep learning methods such as WRN for identifying hidden malware risks in IoT environments.Furthermore,a comparison examination with the current body of literature emphasizes the originality and efficacy of the suggested methodology.This research builds upon previous studies that have investigated several machine learning methods for detecting malware on IoT devices.However,it distinguishes itself by showcasing exceptional performance metrics and validating its findings through thorough experimentation with real-world datasets.Utilizing WRN offers benefits in managing the intricacies of malware detection,emphasizing its capacity to enhance the security of IoT ecosystems.To summarize,this work proposes an effective way to address privacy concerns on IoT devices by utilizing advanced machine learning methods.The research provides useful insights into the changing landscape of IoT cybersecurity by emphasizing methodological rigor and conducting comparative performance analysis.Future research could focus on enhancing the recommended approach by adding more datasets and leveraging real-time monitoring capabilities to strengthen IoT devices’defenses against new cybersecurity threats.
基金This work was supported as part of Military Crypto Research Center(UD210027XD)funded by Defense Acquisition Program Administration(DAPA)and Agency for Defense Development(ADD).
文摘The smart phone market is continuously increasing and there are more than 6 billion of smart phone users worldwide with the aid of the 5G technology.Among them Android occupies 87%of the market share.Naturally,the widespread Android smartphones has drawn the attention of the attackers who implement and spread malware.Consequently,currently the number of malware targeting Android mobile phones is ever increasing.Therefore,it is a critical task to find and detect malicious behaviors of malware in a timely manner.However,unfortunately,attackers use a variety of obfuscation techniques for malware to evade or delay detection.When an obfuscation technique such as the class encryption is applied to a malicious application,we cannot obtain any information through a static analysis regarding its malicious behaviors.Hence,we need to rely on the manual,dynamic analysis to find concealed malicious behaviors from obfuscated malware.To avoid malware spreading out in larger scale,we need an automated deobfuscation approach that accurately deobfuscates obfuscated malware so that we can reveal hidden malicious behaviors.In this study,we introduce widely-used obfuscation techniques and propose an effective deobfuscation method,named ARBDroid,for automatically deobfuscating the string encryption,class encryption,and API hiding techniques.Our evaluation results clearly demonstrate that our approach can deobfuscate obfuscated applications based on dynamic analysis results.
文摘Mobile apps are known to be rich sources for gathering privacy-sensitive information about smartphone users.Despite the presence of encryption,passive network adversaries who have access to the network infrastructure can eavesdrop on the traffic and therefore fingerprint a user’s app by means of packet-level traffic analysis.Since it is difficult to prevent the adversaries from accessing the network,providing secrecy in hostile environments becomes a serious concern.In this study,we propose AdaptiveMutate,a privacy-leak thwarting technique to defend against the statistical traffic analysis of apps.First,we present a method for the identification of mobile apps using traffic analysis.Further,we propose a confusion system in which we obfuscate packet lengths,and/or inter-arrival time information leaked by the mobile traffic to make it hard for intruders to differentiate between the altered app traffic and the actual one using statistical analysis.Our aim is to shape one class of app traffic to obscure its features with the minimum overhead.Our system strives to dynamically maximize its efficiency by matching each app with the corresponding most dissimilar app.Also,AdaptiveMutate has an adaptive capability that allows it to choose the most suitable feature to mutate,depending on the type of apps analyzed and the classifier used,if known.We evaluate the efficiency of our model by conducting a comprehensive simulation analysis that mutates different apps to each other using AdaptiveMutate.We conclude that our algorithm is most efficient when we mutate a feature of one app to its most dissimilar one in another app.When applying the identification technique,we achieve a classification accuracy of 91.1%.Then,using our obfuscation technique,we are able to reduce this accuracy to 7%.Also,we test our algorithm against a recently published approach for mobile apps classification and we are able to reduce its accuracy from 94.8%to 17.9%.Additionally,we analyze the tradeoff between the shaping cost and traffic privacy protection,specifically,the associated overhead and the feasibility for real-time implementation.
基金This work was supported by the National Research Foundation of Korea(NRF)grant funded by the Korea government(MSIT)(NRF-2019R1F1A1062320).
文摘Although Android becomes a leading operating system in market,Android users suffer from security threats due to malwares.To protect users from the threats,the solutions to detect and identify the malware variant are essential.However,modern malware evades existing solutions by applying code obfuscation and native code.To resolve this problem,we introduce an ensemble-based malware classification algorithm using malware family grouping.The proposed family grouping algorithm finds the optimal combination of families belonging to the same group while the total number of families is fixed to the optimal total number.It also adopts unified feature extraction technique for handling seamless both bytecode and native code.We propose a unique feature selection algorithm that improves classification performance and time simultaneously.2-gram based features are generated from the instructions and segments,and then selected by using multiple filters to choose most effective features.Through extensive simulation with many obfuscated and native code malware applications,we confirm that it can classify malwares with high accuracy and short processing time.Most existing approaches failed to achieve classification speed and detection time simultaneously.Therefore,the approach can help Android users to keep themselves safe from various and evolving cyber-attacks very effectively.
文摘In this paper, we propose a new notion of secure disguisable symmetric encryption schemes, which captures the idea that the attacker can decrypt an encrypted fie to different meaningful values when different keys are put to the decryption algorithm. This notion is aimed for the following anti-forensics purpose: the attacker can cheat the forensics investigator by decrypting an encrypted file to a meaningful file other than that one he encrypted, in the case that he is caught by the forensics investigator and ordered to hand over the key for decryption. We then present a construction of secure disguisable symmetric encryption schemes.
基金This work was supported in part by the National Research Foundation of Korea(NRF)grant funded by the Korea government(MSIT)(NRF-2019R1F1A1062320)the Information Technology Research Center(ITRC)Support Program supervised by the Institute for Information and Communications Technology Planning and Evaluation(IITP)(IITP-2021-2016-0-00313).
文摘The Android operating system has become a leading smartphone platform for mobile and other smart devices,which in turn has led to a diversity of malware applications.The amount of research on Android malware detection has increased significantly in recent years and many detection systems have been proposed.Despite these efforts,however,most systems can be thwarted by sophisticated Androidmalware adopting obfuscation or native code to avoid discovery by anti-virus tools.In this paper,we propose a new static analysis technique to address the problems of obfuscating and native malware applications.The proposed system provides a unified technique for extracting features from applications and native libraries using a selection algorithm that can extract a small set of unique and effective features for detecting malware applications rapidly and with a high detection rate.Evaluation using large Android malware detection datasets obtained from various sources confirmed that the proposed approach achieves very promising results in terms of improved accuracy,low false positive rate,and high detection rate.
文摘There are several methods and technologies for comparing the statements, comments, strings, identifiers, and other visible elements of source code in order to efficiently identify similarity. In a prior paper we found that comparing the whitespace patterns was not precise enough to identify copying by itself. However, several possible methods for improving the precision of a whitespace pattern comparison were presented, the most promising of which was an examination of the sequences of lines with matching whitespace patterns. This paper demonstrates a method of evaluating the sequences of matching whitespace patterns and a detailed study of the method’s reliability.
文摘Malware is a software which is designed with an intent to damage a network or computer resources. Today, the emergence of malware is on boom letting the researchers develop novel techniques to protect computers and networks. The three major techniques used for malware detection are heuristic, signature-based, and behavior based. Among these, the most prevalent is the heuristic based malware detection. Hidden Markov Model is the most efficient technique for malware detection. In this paper, we present the Hidden Markov Model as a cutting edge malware detection tool and a comprehensive review of different studies that employ HMM as a detection tool.
文摘A user’s trajectory can be maliciously monitored by adversaries when they share the positions in location-aware social networking applications which require users to update their own locations continuously. An adversary infers user’s locations from the trajectories, and gleans user’s private information through them via location-aware social networking applications and public available geographic data. In this paper, we propose a user proprietary obfuscate system to suit situations for position sharing and location privacy preserving in location-aware social network. Users transform the public available geographic data into personal obfuscate region maps with pre-defined profile to prevent the location leaking in stationary status. Our obfuscation with size restricted regions method tunes user’s transformed locations fitting into natural movement and prevents unreasonable snapshot locations been recorded in the trajectory.
基金funded by Teagasc(The Agriculture and Food Development Authority),Ireland,Walsh Scholarship Scheme.A joint project between Teagasc and UCC(Walsh Scholarships Ref Number 2018034).
文摘To achieve sustainable agriculture and food security there is an urgent need to share agricultural data with a range of relevant stakeholders;however,to reduce the risk of identification,spatial data must be obfuscated prior to sharing.To-date,most obfuscation methods that have been developed do not consider a)the areal nature of field-level data and b)the differing environmental conditions at the original and obfuscated sites.To address these issues,we developed the Polygon-based Environmental Similarity Obfuscation Method(PESOM)to provide geoprivacy protection and guarantee that obfuscated data will retain the same environmental conditions as the original data.PESOM was developed using an unsupervised clustering algorithm and seasonal climate data,before being applied to the Nutrient Management Plan(NMP)online in Ireland.PESOM satisfied high level of geoprivacy protection and absolute environmental clustering preservation,with no false-identification and non-unique obfuscation risk.It provided a low level of distribution preservation and correlation preservation,large location displacement and subsequently low local analytical accuracy.PESOM is a significant advance on existing obfuscation techniques in agriculture data and will allow the sharing of data to be used widely for agri-environmental purposes,a current limitation of existing methods.The results of this research should be of wide interest to those working in agri-environmental research and computer science,and be of relevance to researchers,data managers,and practitioners.
