The limited labeled sample data in the field of advanced security threats detection seriously restricts the effective development of research work.Learning the sample labels from the labeled and unlabeled data has rec...The limited labeled sample data in the field of advanced security threats detection seriously restricts the effective development of research work.Learning the sample labels from the labeled and unlabeled data has received a lot of research attention and various universal labeling methods have been proposed.However,the labeling task of malicious communication samples targeted at advanced threats has to face the two practical challenges:the difficulty of extracting effective features in advance and the complexity of the actual sample types.To address these problems,we proposed a sample labeling method for malicious communication based on semi-supervised deep neural network.This method supports continuous learning and optimization feature representation while labeling sample,and can handle uncertain samples that are outside the concerned sample types.According to the experimental results,our proposed deep neural network can automatically learn effective feature representation,and the validity of features is close to or even higher than that of features which extracted based on expert knowledge.Furthermore,our proposed method can achieve the labeling accuracy of 97.64%~98.50%,which is more accurate than the train-then-detect,kNN and LPA methodsin any labeled-sample proportion condition.The problem of insufficient labeled samples in many network attack detecting scenarios,and our proposed work can function as a reference for the sample labeling tasks in the similar real-world scenarios.展开更多
The shortest path is a widely studied network science problem and has attracted great attention.Nevertheless,it draws little attention in temporal networks,in which temporal edges determine information dissemination.I...The shortest path is a widely studied network science problem and has attracted great attention.Nevertheless,it draws little attention in temporal networks,in which temporal edges determine information dissemination.In this paper,we propose an information spreading-based method to calculate the shortest paths distribution in temporal networks.We verify our method on both artificial and real-world temporal networks and obtain a good agreement.We further generalize our method to identify influential nodes and found an effective method.Finally,we verify the influential nodes identifying method on four networks.展开更多
Due to its partly open-source architecture,which allows for application analysis and repackaging,along with its large market share,the Android operating system is a main target for malware.In recent years,researchers ...Due to its partly open-source architecture,which allows for application analysis and repackaging,along with its large market share,the Android operating system is a main target for malware.In recent years,researchers have widely adopted neural network-based methods for detecting Android malware,achieving impressive results but without interpretability.Interpretability is crucial for showing how models behave and identifying biases in their predictions,which helps in validating and improving them.Additionally,in urgent malware analysis situations,interpretability lets analysts quickly assess harmful behaviors and aids in future malware development and investigation.Therefore,interpretability is vital for ensuring that neural network-based malware detection models are trustworthy,predictable,and strong.To address these issues,we propose an interpretable Graph Attention Network(GAT)-based framework for Android malware detection.This framework includes data flow analysis of Android applications to identify malicious behaviors,providing clarity through the attention mechanism of GAT.Analysts and researchers can access detailed information,such as the names and execution order of the involved Android APIs,allowing for better validation and security checks.Experimental results show that our framework achieves a precision of 97.4%.Additionally,case studies highlight the insights that researchers can gain by using this framework.展开更多
Botnets based on the Domain Generation Algorithm(DGA) mechanism pose great challenges to the main current detection methods because of their strong concealment and robustness. However, the complexity of the DGA family...Botnets based on the Domain Generation Algorithm(DGA) mechanism pose great challenges to the main current detection methods because of their strong concealment and robustness. However, the complexity of the DGA family and the imbalance of samples continue to impede research on DGA detection. In the existing work, the sample size of each DGA family is regarded as the most important determinant of the resampling proportion;thus,differences in the characteristics of various samples are ignored, and the optimal resampling effect is not achieved.In this paper, a Long Short-Term Memory-based Property and Quantity Dependent Optimization(LSTM.PQDO)method is proposed. This method takes advantage of LSTM to automatically mine the comprehensive features of DGA domain names. It iterates the resampling proportion with the optimal solution based on a comprehensive consideration of the original number and characteristics of the samples to heuristically search for a better solution around the initial solution in the right direction;thus, dynamic optimization of the resampling proportion is realized.The experimental results show that the LSTM.PQDO method can achieve better performance compared with existing models to overcome the difficulties of unbalanced datasets;moreover, it can function as a reference for sample resampling tasks in similar scenarios.展开更多
This paper proposes an anomalous behavior detection model based on cloud computing. Virtual Machines (VMs) are one of the key components of cloud Infrastructure as a Service (laaS). The security of such VMs is cri...This paper proposes an anomalous behavior detection model based on cloud computing. Virtual Machines (VMs) are one of the key components of cloud Infrastructure as a Service (laaS). The security of such VMs is critical to laaS security. Many studies have been done on cloud computing security issues, but research into VM security issues, especially regarding VM network traffic anomalous behavior detection, remains inadequate. More and more studies show that communication among internal nodes exhibits complex patterns. Communication among VMs in cloud computing is invisible. Researchers find such issues challenging, and few solutions have been proposed--leaving cloud computing vulnerable to network attacks. This paper proposes a model that uses Software-Defined Networks (SDN) to implement traffic redirection. Our model can capture inter-VM traffic, detect known and unknown anomalous network behaviors, adopt hybrid techniques to analyze VM network behaviors, and control network systems. The experimental results indicate that the effectiveness of our approach is greater than 90%, and prove the feasibility of the model.展开更多
An increasing number of websites are making use of HTTPS encryption to enhance security and privacy for their users.However,HTTPS encryption makes it very difficult to identify the service over HTTPS flows,which poses...An increasing number of websites are making use of HTTPS encryption to enhance security and privacy for their users.However,HTTPS encryption makes it very difficult to identify the service over HTTPS flows,which poses challenges to network security management.In this paper we present DTA-HOC,a novel DNS-based two-level association HTTPS traffic online service identification method for large-scale networks,which correlates HTTPS flows with DNS flows using big data stream processing and association technologies to label the service in an HTTPS flow with a specific associated domain name.DTA-HOC has been specifically designed to address three practical challenges in the service identification process:domain name ambiguity,domain name query invisibility,and data association time window size contradictions.Several experiments on datasets collected from a 10-Gbps campus network are conducted alongside offline and online testing.Results show that DTA-HOC can achieve an average online association rate on HTTPS traffic of 83%and a generic accuracy of 86.16%.Its processing time for one minute of data is less than 20 seconds.These results indicate that DTA-HOC is an efficient method for online identification of services in HTTPS flows for large-scale networks.Moreover,our proposed method can contribute to the identification of other applications which make a Domain Name System(DNS)communication before establishing a connection.展开更多
基金partially funded by the National Natural Science Foundation of China (Grant No. 61272447)National Entrepreneurship & Innovation Demonstration Base of China (Grant No. C700011)Key Research & Development Project of Sichuan Province of China (Grant No. 2018G20100)
文摘The limited labeled sample data in the field of advanced security threats detection seriously restricts the effective development of research work.Learning the sample labels from the labeled and unlabeled data has received a lot of research attention and various universal labeling methods have been proposed.However,the labeling task of malicious communication samples targeted at advanced threats has to face the two practical challenges:the difficulty of extracting effective features in advance and the complexity of the actual sample types.To address these problems,we proposed a sample labeling method for malicious communication based on semi-supervised deep neural network.This method supports continuous learning and optimization feature representation while labeling sample,and can handle uncertain samples that are outside the concerned sample types.According to the experimental results,our proposed deep neural network can automatically learn effective feature representation,and the validity of features is close to or even higher than that of features which extracted based on expert knowledge.Furthermore,our proposed method can achieve the labeling accuracy of 97.64%~98.50%,which is more accurate than the train-then-detect,kNN and LPA methodsin any labeled-sample proportion condition.The problem of insufficient labeled samples in many network attack detecting scenarios,and our proposed work can function as a reference for the sample labeling tasks in the similar real-world scenarios.
基金Project supported by the National Natural Science Foundation of China(Grant No.61903266)China Postdoctoral Science Foundation(Grant No.2018M631073)+2 种基金China Postdoctoral Science Special Foundation(Grant No.2019T120829)the Fundamental Research Funds for the Central Universities,ChinaSichuan Science and Technology Program,China(Grant No.20YYJC4001)。
文摘The shortest path is a widely studied network science problem and has attracted great attention.Nevertheless,it draws little attention in temporal networks,in which temporal edges determine information dissemination.In this paper,we propose an information spreading-based method to calculate the shortest paths distribution in temporal networks.We verify our method on both artificial and real-world temporal networks and obtain a good agreement.We further generalize our method to identify influential nodes and found an effective method.Finally,we verify the influential nodes identifying method on four networks.
基金supported in part by the National Science and Technology Council of Taiwan under Grant NSTC 114-2634-F-110-001-MBKin part by the Information Security Research Center at National Sun Yat-sen University,Taiwan+1 种基金This work was also supported in part by the Ministry of Education,Science,Sports,and Culture,Grant-in-Aid for Scientific Research(C)22K12038Japan and in part by the Telecommunications Advancement Foundation(TAF)of Japan.
文摘Due to its partly open-source architecture,which allows for application analysis and repackaging,along with its large market share,the Android operating system is a main target for malware.In recent years,researchers have widely adopted neural network-based methods for detecting Android malware,achieving impressive results but without interpretability.Interpretability is crucial for showing how models behave and identifying biases in their predictions,which helps in validating and improving them.Additionally,in urgent malware analysis situations,interpretability lets analysts quickly assess harmful behaviors and aids in future malware development and investigation.Therefore,interpretability is vital for ensuring that neural network-based malware detection models are trustworthy,predictable,and strong.To address these issues,we propose an interpretable Graph Attention Network(GAT)-based framework for Android malware detection.This framework includes data flow analysis of Android applications to identify malicious behaviors,providing clarity through the attention mechanism of GAT.Analysts and researchers can access detailed information,such as the names and execution order of the involved Android APIs,allowing for better validation and security checks.Experimental results show that our framework achieves a precision of 97.4%.Additionally,case studies highlight the insights that researchers can gain by using this framework.
基金partially funded by the National Natural Science Foundation of China (No. 61272447)the National Entrepreneurship&Innovation Demonstration Base of China (No. C700011)the Key Research&Development Project of Sichuan Province of China (No.2018G20100)。
文摘Botnets based on the Domain Generation Algorithm(DGA) mechanism pose great challenges to the main current detection methods because of their strong concealment and robustness. However, the complexity of the DGA family and the imbalance of samples continue to impede research on DGA detection. In the existing work, the sample size of each DGA family is regarded as the most important determinant of the resampling proportion;thus,differences in the characteristics of various samples are ignored, and the optimal resampling effect is not achieved.In this paper, a Long Short-Term Memory-based Property and Quantity Dependent Optimization(LSTM.PQDO)method is proposed. This method takes advantage of LSTM to automatically mine the comprehensive features of DGA domain names. It iterates the resampling proportion with the optimal solution based on a comprehensive consideration of the original number and characteristics of the samples to heuristically search for a better solution around the initial solution in the right direction;thus, dynamic optimization of the resampling proportion is realized.The experimental results show that the LSTM.PQDO method can achieve better performance compared with existing models to overcome the difficulties of unbalanced datasets;moreover, it can function as a reference for sample resampling tasks in similar scenarios.
基金supported by the National Natural Science Foundation of China (No.61272447)the National Key Technologies Research and Development Program of China (No.2012BAH18B05)
文摘This paper proposes an anomalous behavior detection model based on cloud computing. Virtual Machines (VMs) are one of the key components of cloud Infrastructure as a Service (laaS). The security of such VMs is critical to laaS security. Many studies have been done on cloud computing security issues, but research into VM security issues, especially regarding VM network traffic anomalous behavior detection, remains inadequate. More and more studies show that communication among internal nodes exhibits complex patterns. Communication among VMs in cloud computing is invisible. Researchers find such issues challenging, and few solutions have been proposed--leaving cloud computing vulnerable to network attacks. This paper proposes a model that uses Software-Defined Networks (SDN) to implement traffic redirection. Our model can capture inter-VM traffic, detect known and unknown anomalous network behaviors, adopt hybrid techniques to analyze VM network behaviors, and control network systems. The experimental results indicate that the effectiveness of our approach is greater than 90%, and prove the feasibility of the model.
基金funded by the National Natural Science Foundation of China (No.61802270)National Entrepreneurship & Innovation Demonstration Base of China (No.C700011)+1 种基金Key Research & Development Project of Sichuan Province of China (No.2018GZ0100)Fundamental Research Business Fee Basic Research Project of Central Universities (No.2017SCU11065)
文摘An increasing number of websites are making use of HTTPS encryption to enhance security and privacy for their users.However,HTTPS encryption makes it very difficult to identify the service over HTTPS flows,which poses challenges to network security management.In this paper we present DTA-HOC,a novel DNS-based two-level association HTTPS traffic online service identification method for large-scale networks,which correlates HTTPS flows with DNS flows using big data stream processing and association technologies to label the service in an HTTPS flow with a specific associated domain name.DTA-HOC has been specifically designed to address three practical challenges in the service identification process:domain name ambiguity,domain name query invisibility,and data association time window size contradictions.Several experiments on datasets collected from a 10-Gbps campus network are conducted alongside offline and online testing.Results show that DTA-HOC can achieve an average online association rate on HTTPS traffic of 83%and a generic accuracy of 86.16%.Its processing time for one minute of data is less than 20 seconds.These results indicate that DTA-HOC is an efficient method for online identification of services in HTTPS flows for large-scale networks.Moreover,our proposed method can contribute to the identification of other applications which make a Domain Name System(DNS)communication before establishing a connection.
