
SoS Newsletter- Advanced Book Block



Information Flow Analysis and Security


A key concept in computer security is information flow, which occurs either explicitly or implicitly in a system. The works cited here cover a range of issues and approaches; all were presented in 2014.

Vance, A., “Flow Based Analysis of Advanced Persistent Threats Detecting Targeted Attacks in Cloud Computing,” Problems of Infocommunications Science and Technology, 2014 First International Scientific-Practical Conference on, pp. 173-176, 14-17 Oct. 2014. doi:10.1109/INFOCOMMST.2014.6992342
Abstract: Cloud computing provides industry, government, and academic users convenient and cost-effective access to distributed services and shared data via the Internet. Because it serves diverse users and aggregates immense amounts of data, cloud computing has increasingly been the focus of targeted attacks. Meta-analysis of industry studies and retrospective research involving cloud service providers reveal that cloud computing is demonstrably vulnerable to a particular type of targeted attack, the Advanced Persistent Threat (APT). APTs have proven difficult to detect and defend against in cloud-based infocommunication systems. The prevalent use of polymorphic malware and encrypted covert communication channels makes it difficult for existing packet-inspecting and signature-based security technologies, such as firewalls, intrusion detection sensors, and anti-virus systems, to detect APTs. In this paper, we examine an alternative security approach that applies an algorithm derived from flow-based monitoring to detect APTs. Results indicate that statistical modeling of APT communications can develop deterministic characteristics for detection, which is a more effective and efficient way to protect against APTs.
Keywords: cloud computing; security of data; statistical analysis; APT; Internet; advanced persistent threats; cloud based infocommunication systems; flow based analysis; flow based monitoring; packet inspection; signature based security technologies; statistical modeling; targeted attack detection; Cloud computing; Computer security; Logic gates; Telecommunication traffic; Vectors; Advanced Persistent Threats; Cloud Computing; Cyber Security; Flow Based Analysis; Threat Detection (ID#: 15-6650)
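
The beaconing behaviour that flow statistics can expose is easy to illustrate. The sketch below is not the paper's algorithm; it simply flags host pairs whose flow inter-arrival times are suspiciously regular, as APT command-and-control "phone home" traffic tends to be (all thresholds and addresses are invented):

```python
from statistics import mean, pstdev

def beacon_score(timestamps):
    """Coefficient of variation of inter-arrival times: values near 0
    suggest the regular beaconing typical of APT C&C channels."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return float("inf")
    return pstdev(gaps) / mean(gaps)

def flag_apt_candidates(flows, threshold=0.1):
    """flows: dict mapping (src, dst) -> sorted list of flow start times."""
    return [pair for pair, ts in flows.items() if beacon_score(ts) < threshold]

flows = {
    ("10.0.0.5", "203.0.113.9"): [0, 300, 600, 900, 1200],   # regular beacon
    ("10.0.0.7", "198.51.100.2"): [0, 17, 400, 402, 1100],   # bursty browsing
}
print(flag_apt_candidates(flows))   # -> [('10.0.0.5', '203.0.113.9')]
```

Because the score looks only at timing, it works even when the payload is encrypted, which is the motivation for flow-based rather than signature-based detection.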

Lokhande, B.; Dhavale, S., “Overview of Information Flow Tracking Techniques Based on Taint Analysis for Android,” Computing for Sustainable Global Development (INDIACom), 2014 International Conference on, pp. 749-753, 5-7 March 2014. doi:10.1109/IndiaCom.2014.6828062
Abstract: Smartphones today are a ubiquitous source of sensitive information, and information leakage incidents on smartphones are on the rise because of the exponential growth of the smartphone market. Android is the most widely used operating system on smartphones, and many information flow tracking and information leakage detection techniques have been developed for it. Taint analysis is a commonly used data flow analysis technique that tracks the flow of sensitive information and its leakage. This paper provides an overview of existing information flow tracking techniques based on taint analysis for Android applications. Static analysis techniques examine the complete program code and all possible execution paths before the program runs, whereas dynamic analysis examines the instructions executed during a program run in real time. We provide an in-depth analysis of both static and dynamic taint analysis approaches.
Keywords: Android (operating system); data flow analysis; smart phones; Android; Information leakage instances; data flow analysis technique; dynamic analysis; dynamic taint analysis approaches; exponential smartphone market growth; information flow tracking techniques; information leakage detection techniques; program code; program-run; static analysis techniques; static taint analysis approaches; Androids; Humanoid robots; Operating systems; Privacy; Real-time systems; Security; Smart phones; Android Operating System; Mobile Security; static and dynamic taint analysis (ID#: 15-6651)
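
The taint propagation these techniques implement can be sketched in a few lines. The following is a toy dynamic taint tracker, not any of the surveyed Android systems; the IMEI source and network sink are invented stand-ins:

```python
class Tainted:
    """Minimal dynamic taint wrapper: values derived from a tainted
    value stay tainted, and sinks refuse tainted input."""
    def __init__(self, value, source):
        self.value, self.source = value, source

def taint_of(x):
    return x.source if isinstance(x, Tainted) else None

def concat(a, b):
    """Propagation rule: the result is tainted if either operand is."""
    raw = (a.value if isinstance(a, Tainted) else a) + \
          (b.value if isinstance(b, Tainted) else b)
    src = taint_of(a) or taint_of(b)
    return Tainted(raw, src) if src else raw

def network_send(x):
    """Sink: models leaking data off the device."""
    if taint_of(x):
        raise RuntimeError(f"leak of {taint_of(x)} blocked")
    return "sent"

imei = Tainted("356938035643809", source="IMEI")
msg = concat("id=", imei)   # taint propagates through the derivation
print(taint_of(msg))        # -> IMEI
```

Untainted data passes the sink unhindered, while `network_send(msg)` raises; real systems such as TaintDroid apply the same idea at the Dalvik-interpreter level rather than with wrapper objects.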

Zhifei Chen; Lin Chen; Baowen Xu, “Hybrid Information Flow Analysis for Python Bytecode,” Web Information System and Application Conference (WISA), 2014 11th, pp. 95-100, 12-14 Sept. 2014. doi:10.1109/WISA.2014.26
Abstract: Python is widely used to create and manage complex, database-driven websites. However, due to dynamic features such as dynamic typing of variables, Python programs pose a serious security risk to web applications. Most security vulnerabilities result from the fact that unsafe data input reaches security-sensitive operations. To address this problem, information flow analysis for Python programs is proposed to enforce this property. Information flow can capture the fact that a particular value affects another value in the program. In this paper, we present a novel approach for analyzing information flow in Python bytecode, which is a low-level language and is more widely distributed than source code. Our approach performs a hybrid of static and dynamic control/data flow analysis: static analysis is used to study implicit flows, while dynamic analysis efficiently tracks execution information and determines definition-use pairs. To the best of our knowledge, it is the first such analysis for Python bytecode.
Keywords: authoring languages; data flow analysis; security of data; Python bytecode; Python programs; dynamic analysis; hybrid information flow analysis; low-level language; security risk; static analysis; Buildings; Educational institutions; Loading; Performance analysis; Runtime; Security; Upper bound; Python; information flow; security vulnerabilities; web applications (ID#: 15-6652)
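
Python's standard `dis` module makes the bytecode-level definition-use pairing easy to illustrate. This sketch is not the authors' hybrid analysis; it only pairs each `STORE_FAST` (a definition) with later `LOAD_FAST` uses of the same local variable:

```python
import dis

def def_use_pairs(func):
    """Pair each STORE_FAST with the later LOAD_FAST uses of the same
    local variable: a rough def-use chain over the bytecode."""
    last_def = {}   # variable name -> offset of most recent definition
    pairs = []
    for ins in dis.get_instructions(func):
        if ins.opname == "STORE_FAST":
            last_def[ins.argval] = ins.offset
        elif ins.opname == "LOAD_FAST" and ins.argval in last_def:
            pairs.append((ins.argval, last_def[ins.argval], ins.offset))
    return pairs

def sample(user_input):
    query = "SELECT " + user_input   # definition of `query`
    size = len(query)                # uses `query`, defines `size`
    return (query, size)             # further uses

print(def_use_pairs(sample))
```

A def-use pair whose definition mixes in untrusted input (here, `user_input` flowing into `query`) is exactly the kind of edge an information flow analysis would follow toward a security-sensitive sink.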

Haddadi, F.; Morgan, J.; Filho, E.G.; Zincir-Heywood, A.N., “Botnet Behaviour Analysis Using IP Flows: With HTTP Filters Using Classifiers,” Advanced Information Networking and Applications Workshops (WAINA), 2014 28th International Conference on, pp. 7-12, 13-16 May 2014. doi:10.1109/WAINA.2014.19
Abstract: Botnets are among the most destructive threats to cyber security. Recently, the HTTP protocol has frequently been utilized by botnets as the command and communication (C&C) protocol. In this work, we aim to detect HTTP-based botnet activity through botnet behaviour analysis using a machine learning approach. To achieve this, we employ flow-based network traffic captured with NetFlow (via Softflowd). The proposed botnet analysis system is implemented with two different machine learning algorithms, C4.5 and Naive Bayes. Our results show that the C4.5-based classifier obtained very promising performance in detecting HTTP-based botnet activity.
Keywords: Bayes methods; IP networks; computer network security; hypermedia; learning (artificial intelligence); telecommunication traffic; transport protocols; C&C protocol; C4.5 learning algorithm based classifier; HTTP filters; HTTP protocol; IP flows; NetFlow; Softflowd; botnet behaviour analysis; command and communication protocol; cyber security; destructive threats; flow-based network traffic; machine learning algorithms; machine learning approach; naive Bayes algorithm; Classification algorithms; Complexity theory; Decision trees; Feature extraction; IP networks; Payloads; Protocols; botnet detection; machine learning based analysis; traffic IP-flow analysis (ID#: 15-6653)
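
As a rough illustration of classifying flows by their features, here is a tiny Gaussian Naive Bayes written from scratch; the paper trains C4.5 and Naive Bayes on real NetFlow exports, whereas the features and values below are invented:

```python
from math import exp, pi, sqrt
from statistics import mean, pstdev

class TinyGaussianNB:
    """Naive Bayes over per-flow features, a stand-in for the
    classifiers used in the paper."""
    def fit(self, X, y):
        self.stats = {}
        for label in set(y):
            rows = [x for x, l in zip(X, y) if l == label]
            cols = list(zip(*rows))
            # per-class, per-feature (mean, stddev); floor stddev to avoid /0
            self.stats[label] = [(mean(c), pstdev(c) or 1e-6) for c in cols]
        return self

    def _likelihood(self, x, label):
        p = 1.0
        for v, (m, s) in zip(x, self.stats[label]):
            p *= exp(-((v - m) ** 2) / (2 * s * s)) / (sqrt(2 * pi) * s)
        return p

    def predict(self, x):
        return max(self.stats, key=lambda label: self._likelihood(x, label))

# toy NetFlow-style features: (flow duration s, packets, bytes/packet)
X = [(0.5, 4, 60), (0.6, 5, 58), (30.0, 900, 800), (25.0, 700, 750)]
y = ["botnet", "botnet", "normal", "normal"]
clf = TinyGaussianNB().fit(X, y)
print(clf.predict((0.4, 6, 62)))   # resembles the short, beacon-like flows
```

The point of the flow-based framing is that only packet headers are needed, so the classifier keeps working when payloads are encrypted.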

Rezvani, M.; Ignjatovic, A.; Bertino, E.; Jha, S., “Provenance-Aware Security Risk Analysis for Hosts and Network Flows,” Network Operations and Management Symposium (NOMS), 2014 IEEE, pp. 1-8, 5-9 May 2014. doi:10.1109/NOMS.2014.6838250
Abstract: Detection of high risk network flows and high risk hosts is becoming ever more important and more challenging. In order to selectively apply deep packet inspection (DPI), one has to isolate in real time high risk network activities within a huge number of monitored network flows. To help address this problem, we propose an iterative methodology for a simultaneous assessment of risk scores for both hosts and network flows. The proposed approach measures the risk scores of hosts and flows in an interdependent manner: the risk score of a flow influences the risk scores of its source and destination hosts, and the risk score of a host is in turn evaluated by taking into account the risk scores of flows initiated by or terminated at the host. Our experimental results show that such an approach is not only effective in detecting high risk hosts and flows but, when deployed in high-throughput networks, is also more efficient than PageRank-based algorithms.
Keywords: computer network security; risk analysis; deep packet inspection; high risk hosts; high risk network flows; provenance aware security risk analysis; risk score; Computational modeling; Educational institutions; Iterative methods; Monitoring; Ports (Computers); Risk management; Security (ID#: 15-6654)
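
The interdependent scoring idea can be sketched as a simple fixed-point iteration. This is not the authors' formulation; the base flow risks and mixing weights below are invented:

```python
def risk_scores(flows, iterations=20):
    """Interdependent scoring: a flow's risk mixes its own base risk with
    its endpoints' risk; a host's risk averages its flows' risk."""
    hosts = {h for src, dst, _ in flows for h in (src, dst)}
    host_risk = {h: 0.5 for h in hosts}          # neutral starting point
    for _ in range(iterations):
        flow_risk = [0.5 * base + 0.25 * (host_risk[s] + host_risk[d])
                     for s, d, base in flows]
        for h in hosts:
            touching = [fr for (s, d, _), fr in zip(flows, flow_risk)
                        if h in (s, d)]
            host_risk[h] = sum(touching) / len(touching)
    return host_risk, flow_risk

# (source, destination, base risk of the flow itself)
flows = [("A", "B", 0.9), ("A", "C", 0.8), ("B", "C", 0.1), ("C", "D", 0.1)]
hr, fr = risk_scores(flows)
print(max(hr, key=hr.get))   # -> A, the source of the two risky flows
```

After a few iterations the scores stabilize, and hosts touching many risky flows float to the top, which is the property that lets DPI be applied selectively.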

Wenmin Xiao; Jianhua Sun; Hao Chen; Xianghua Xu, “Preventing Client Side XSS with Rewrite Based Dynamic Information Flow,” Parallel Architectures, Algorithms and Programming (PAAP), 2014 Sixth International Symposium on, pp. 238-243, 13-15 July 2014. doi:10.1109/PAAP.2014.10
Abstract: This paper presents the design and implementation of an information flow tracking framework based on code rewriting to prevent sensitive information leaks in browsers, combining the ideas of taint tracking and information flow analysis. Our system has two main processes. First, it abstracts the semantics of JavaScript code and converts it to a general form of intermediate representation on the basis of the JavaScript abstract syntax tree. Second, the abstract intermediate representation is implemented as a special taint engine to analyze tainted information flow. Our approach can ensure fine-grained isolation for both confidentiality and integrity of information. We have implemented a proof-of-concept prototype, named JSTFlow, and have deployed it as a browser proxy to rewrite web applications at runtime. The experimental results show that JSTFlow can guarantee the security of sensitive data and detect XSS attacks with about 3x performance overhead. Because it does not involve any modifications to the target system, our system is readily deployable in practice.
Keywords: Internet; Java; data flow analysis; online front-ends; security of data; JSTFlow; JavaScript abstract syntax tree; JavaScript code; Web applications; XSS attacks; abstract intermediate representation; browser proxy; browsers; client side XSS; code rewrite; fine-grained isolation; information flow tracking framework; performance overhead; rewrite based dynamic information flow; sensitive information leaks; taint engine; tainted information flow; Abstracts; Browsers; Data models; Engines; Security; Semantics; Syntactics; JavaScript; cross-site scripting; information flow analysis; information security; taint model (ID#: 15-6655)

Ki-Jin Eom; Choong-Hyun Choi; Joon-Young Paik; Eun-Sun Cho, “An Efficient Static Taint-Analysis Detecting Exploitable-Points on ARM Binaries,” Reliable Distributed Systems (SRDS), 2014 IEEE 33rd International Symposium on, pp. 345-346, 6-9 Oct. 2014. doi:10.1109/SRDS.2014.66
Abstract: This paper aims to differentiate benign vulnerabilities from those usable in cyber-attacks, based on static taint analysis (STA). To achieve this goal, the proposed STA determines whether a crash stems from a severe vulnerability by analyzing the related exploitable points in ARM binaries. We envision that the proposed analysis would reduce analysis complexity by making use of constant propagation analysis (CPA) and runtime information from crash points.
Keywords: program diagnostics; security of data; ARM binaries; CPA; STA; benign vulnerabilities; constant propagation analysis; cyber-attacks; exploitable-points detection; runtime information; static taint-analysis; Reliability; ARM binary; IDA Pro plug-in; crash point; data flow analysis; exploitable; reverse engineering; taint Analysis (ID#: 15-6656)

Alam, S.; Horspool, R.N.; Traore, I., “MARD: A Framework for Metamorphic Malware Analysis and Real-Time Detection,” Advanced Information Networking and Applications (AINA), 2014 IEEE 28th International Conference on, pp. 480-489, 13-16 May 2014. doi:10.1109/AINA.2014.59
Abstract: Because of the financial and other gains attached to the growing malware industry, there is a need to automate the process of malware analysis and provide real-time malware detection. To hide malware, obfuscation techniques are used. One such technique is metamorphic encoding, which mutates the dynamic binary code and changes the opcodes with every run to avoid detection. This makes malware difficult to detect in real time and generally requires a behavioral signature for detection. In this paper we present a new framework called MARD for Metamorphic Malware Analysis and Real-Time Detection, to protect the end points that are often the last defense against metamorphic malware. MARD provides: (1) automation, (2) platform independence, (3) optimizations for real-time performance, and (4) modularity. We also present a comparison of MARD with other such recent efforts. Experimental evaluation of MARD achieves a detection rate of 99.6% and a false positive rate of 4%.
Keywords: binary codes; digital signatures; encoding; invasive software; real-time systems; MARD; behavioral signature; dynamic binary code; malware analysis process automation; malware industry; metamorphic malware analysis and real-time detection; metamorphism encoding; obfuscation techniques; opcode; Malware; Optimization; Pattern matching; Postal services; Real-time systems; Runtime; Software; Automation; Control Flow Analysis; End Point Security; Malware Analysis and Detection; Metamorphism (ID#: 15-6657)

Buiras, P.; Stefan, D.; Russo, A., “On Dynamic Flow-Sensitive Floating-Label Systems,” Computer Security Foundations Symposium (CSF), 2014 IEEE 27th, pp. 65-79, 19-22 July 2014. doi:10.1109/CSF.2014.13
Abstract: Flow-sensitive analysis for information-flow control (IFC) allows data structures to have mutable security labels, i.e., labels that can change over the course of the computation. This feature is often used to boost the permissiveness of the IFC monitor, by rejecting fewer programs, and to reduce the burden of explicit label annotations. However, when added naively, in a purely dynamic setting, mutable labels can expose a high-bandwidth covert channel. In this work, we present an extension for LIO, a language-based floating-label system, that safely handles flow-sensitive references. The key insight to safely manipulating the label of a reference is to consider not only the label on the data stored in the reference, i.e., the reference label, but also the label on the reference label itself. Taking this into consideration, we provide an upgrade primitive that can be used to change the label of a reference in a safe manner. To eliminate the burden of determining when a reference should be upgraded, we additionally provide a mechanism for automatic upgrades. Our approach naturally extends to a concurrent setting, not previously considered by dynamic flow-sensitive systems. For both our sequential and concurrent calculi, we prove non-interference by embedding the flow-sensitive system into the flow-insensitive LIO calculus, a surprising result on its own.
Keywords: data structures; security of data; IFC; LIO language; concurrent calculus; data structures; dynamic flow-sensitive floating-label systems; flow-sensitive analysis; flow-sensitive reference handling; information flow control; security labels; sequential calculus; Calculus; Context; Monitoring; Security; Semantics; Standards; Syntactics; Flow-sensitivity analysis; Haskell; concurrency; dynamic monitors; floating-label systems (ID#: 15-6658)
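
A loose Python analogy of the flow-sensitive upgrade primitive may help; the paper's system is LIO, embedded in Haskell, whereas the two-point lattice and all names below are invented for illustration:

```python
ORDER = {"public": 0, "secret": 1}

class Ref:
    """Flow-sensitive reference: a data label plus a label on the label
    itself, which is the paper's key insight for safe label mutation."""
    def __init__(self, value, label, label_label="public"):
        self.value, self.label, self.label_label = value, label, label_label

def flows_to(l1, l2):
    """May information at level l1 flow to level l2?"""
    return ORDER[l1] <= ORDER[l2]

def upgrade(ref, new_label, pc):
    """Upgrade primitive: raising the reference's label is safe only if
    the current context `pc` is allowed to influence the label itself."""
    if not flows_to(pc, ref.label_label):
        raise RuntimeError("upgrade would leak through the label")
    ref.label = new_label

r = Ref(42, "public")
upgrade(r, "secret", pc="public")   # fine: public context, public label-label
print(r.label)                      # -> secret
```

The guarded branch models the covert channel the paper closes: if a secret context could silently change a publicly observable label, the label's value itself would leak one bit per change.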

Jinxin Ma; Guowei Dong; Puhan Zhang; Tao Guo, “SymWalker: Symbolic Execution in Routines of Binary Code,” Computational Intelligence and Security (CIS), 2014 Tenth International Conference on, pp. 694-698, 15-16 Nov. 2014. doi:10.1109/CIS.2014.16
Abstract: Detecting vulnerabilities in binary code is one of the most difficult problems due to the lack of type information and symbols. We propose a novel tool that performs symbolic execution inside the routines of binary code, providing easy static analysis for vulnerability detection. Compared with existing systems, our tool has four properties: first, it works on binaries without source code; second, it employs the VEX language for program analysis and thus has no side effects; third, it delivers high coverage by statically executing the control flow graphs of disassembled code; fourth, two security property rules are summarized to detect the corresponding vulnerabilities, and a convenient interface is provided for developers to detect vulnerabilities such as buffer overflows and improper memory accesses. Experimental results on real software binaries show that our tool can efficiently detect different types of vulnerabilities.
Keywords: binary codes; flow graphs; program diagnostics; programming languages; symbol manipulation; SymWalker; VEX language; binary code routines; binary code vulnerability detection; control flow graphs; disassembly codes; program analysis; security property rules; software binary files; source codes; static analysis; symbolic execution; Binary codes; Computer bugs; Computer languages; Computers; Registers; Security; Software; Symbolic execution; control flow analysis; security property; vulnerabilities (ID#: 15-6659)

Junhyoung Kim; TaeGuen Kim; Eul Gyu Im, “Survey of Dynamic Taint Analysis,” Network Infrastructure and Digital Content (IC-NIDC), 2014 4th IEEE International Conference on, pp. 269-272, 19-21 Sept. 2014. doi:10.1109/ICNIDC.2014.7000307
Abstract: Dynamic taint analysis (DTA) analyzes the execution paths that an attacker may use to exploit a system. It is a method for analyzing executable files by tracing information flow without source code: DTA marks certain program inputs as tainted and then propagates taint to values computed from tainted inputs. Due to the increased popularity of dynamic taint analysis, there have been several recent research efforts to provide a generalized tainting infrastructure. In this paper, we introduce and analyze some of these approaches. Lam and Chiueh's approach instruments code to perform taint marking and propagation. DYTAN considers three dimensions: taint sources, propagation policies, and taint sinks. These dimensions make DYTAN a more general framework for dynamic taint analysis. DTA++ extends vanilla dynamic taint analysis by propagating additional taints along targeted control dependencies; control dependencies otherwise reduce the accuracy of taint analysis. To improve accuracy, DTA++ showed that data transformations containing implicit flows should propagate taint properly to avoid under-tainting.
Keywords: data flow analysis; security of data; system monitoring; DTA++; DYTAN; attacker; control dependency; data transformation; dynamic taint analysis; executable files; execution paths; generalized tainting infrastructure; information flow tracing; propagation policies; taint marking; taint propagation; taint sink; taint source; Accuracy; Computer security; Instruments; Performance analysis; Software; Testing; dynamic taint analysis (ID#: 15-6660)
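
The under-tainting problem that DTA++ targets can be shown with a lookup-style transformation, where the output depends on a tainted input only through a branch. This is a toy illustration of the concept, not DTA++ itself:

```python
def transform(ch, tainted):
    """A lookup-style transformation: the output depends on the (possibly
    tainted) input only via the branch, i.e. an implicit flow."""
    out = "A" if ch == "a" else "B"   # control dependency on ch
    plain_dta = False                 # no data op touched ch -> taint is lost
    dta_plus_plus = tainted           # DTA++ also propagates along the branch
    return out, plain_dta, dta_plus_plus

out, naive_taint, improved_taint = transform("a", tainted=True)
print(out, naive_taint, improved_taint)   # -> A False True
```

Plain DTA propagates taint only through data operations, so `out` comes back untainted even though it fully encodes the tainted input; tracking the targeted control dependency recovers the lost taint without tainting everything a branch touches.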

Siyuan Jiang; Santelices, R.; Haipeng Cai; Grechanik, M., “How Accurate Is Dynamic Program Slicing? An Empirical Approach to Compute Accuracy Bounds,” Software Security and Reliability-Companion (SERE-C), 2014 IEEE Eighth International Conference on, pp. 3-4, June 30-July 2, 2014. doi:10.1109/SERE-C.2014.14
Abstract: Dynamic program slicing attempts to find runtime dependencies among statements to support security, reliability, and quality tasks such as information-flow analysis, testing, and debugging. However, it is not known how accurately dynamic slices identify statements that really affect each other. We propose a new approach to estimate the accuracy of dynamic slices. We use this approach to obtain bounds on the accuracy of multiple dynamic slices in Java software. Early results suggest that dynamic slices suffer from some imprecision and, more critically, can have a low recall whose upper bound we estimate to be 60% on average.
Keywords: Java; data flow analysis; program debugging; program slicing; program testing; Java software; dynamic program slicing; information-flow analysis; quality tasks; reliability; runtime dependencies; security; software debugging; software testing; Accuracy; Reliability; Runtime; Security; Semantics; Software; Upper bound; dynamic slicing; program slicing; semantic dependence; sensitivity analysis (ID#: 15-6661)
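
Backward dynamic slicing over an execution trace can be sketched as follows; this is a textbook-style illustration, not the authors' tool, and the traced program is invented:

```python
def dynamic_slice(trace, criterion_var):
    """Backward dynamic slice: walk the execution trace in reverse and
    keep the statements whose definitions reach the criterion."""
    needed, kept = {criterion_var}, []
    for line, defs, uses in reversed(trace):
        if defs & needed:                      # this statement defines a needed var
            kept.append(line)
            needed = (needed - defs) | uses    # now we need what it used
    return sorted(kept)

# trace of one run: (line number, variables defined, variables used)
trace = [
    (1, {"a"}, set()),        # a = input()
    (2, {"b"}, set()),        # b = 0
    (3, {"c"}, {"a"}),        # c = a * 2
    (4, {"b"}, {"b"}),        # b += 1   (irrelevant to c)
    (5, {"r"}, {"c"}),        # r = c + 1
]
print(dynamic_slice(trace, "r"))   # -> [1, 3, 5]
```

The paper's accuracy question is whether slices like this one keep every statement that truly affects the criterion (recall) without dragging in irrelevant ones such as line 4 (precision).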

Yin XiaoHong, “The Research on Data Flow Technology in Computer Network Security Monitoring,” Advanced Research and Technology in Industry Applications (WARTIA), 2014 IEEE Workshop on, pp. 787-789, 29-30 Sept. 2014. doi:10.1109/WARTIA.2014.6976389
Abstract: With the rapid development of computer technology, the Internet is applied ever more widely and plays an increasingly important role in people's lives. At the same time, network security events of all kinds emerge endlessly and seriously threaten the application and development of the Internet. Network monitoring is therefore increasingly significant for maintaining normal and efficient network operation, key facilities, information system security, and so on. How to realize effective network transmission and efficient online analysis of huge volumes of distributed network security monitoring data, so as to further support a variety of applications, has become a major challenge in the fields of network security and data processing.
Keywords: Internet; computer network security; data flow analysis; query processing; Internet; computer network security monitoring; data flow technology; distributed network security monitoring; network transmission; Communication networks; Data models; Data processing; Distributed databases; Monitoring; Real-time systems; Security; Cost Efficient Processing; Distributed Data Stream; Multi-query Optimization; Network Security Monitoring; Stream Cube (ID#: 15-6662)

Li Feng; McMillin, B., “Quantification of Information Flow in a Smart Grid,” Computer Software and Applications Conference Workshops (COMPSACW), 2014 IEEE 38th International, pp. 140-145, 21-25 July 2014. doi:10.1109/COMPSACW.2014.27
Abstract: The key to computer security is the notion of information flow, which occurs either explicitly or implicitly in a system. In cyber-physical systems (CPSs), complicated interactions occur frequently between computational and physical components. Thus, detecting and quantifying information flow in these systems is more difficult than in purely cyber systems. In CPSs, failures and attacks come from the physical infrastructure, from the cyber side of data management and communication protocols, or from a combination of both. As the physical infrastructure is inherently observable, aggregated physical observations can lead to unintended cyber information leakage. The computational portion of a CPS is driven by algorithms. Within algorithmic theory, the online problem considers input that arrives piece by piece and deals with extracting the algorithmic solution through an advice tape without knowing some parts of the input. In this paper, a smart grid CPS is examined from an information flow perspective in which physical values constitute an advice tape. As such, system confidentiality is violated through cyber-to-physical information flow. A generalized approach quantifies the information flow in a CPS.
Keywords: data flow analysis; power engineering computing; security of data; smart power grids; computer security; cyber-physical systems; cyber-to-physical information flow; information flow quantification; smart grid CPS; system confidentiality; Algorithm design and analysis; Entropy; Load management; Observers; Security; Smart grids; Uncertainty; Advice Tape; Information Flow; Online Problem; Quantification (ID#: 15-6663)
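
Information flow is commonly quantified as the reduction in entropy of a secret after an observation. A toy smart-grid example of that calculation (the distributions below are invented, not taken from the paper):

```python
from math import log2

def entropy(dist):
    """Shannon entropy in bits of a discrete distribution."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)

# Attacker's prior over a secret appliance state, and the posterior after
# observing a high aggregate load on the inherently observable grid.
prior = {"oven": 0.25, "heater": 0.25, "ac": 0.25, "idle": 0.25}
posterior = {"oven": 0.5, "heater": 0.5, "ac": 0.0, "idle": 0.0}

leakage = entropy(prior) - entropy(posterior)   # bits learned by observing
print(leakage)   # -> 1.0
```

One bit of the secret has flowed to the observer purely through the aggregated physical measurement, which is the kind of unintended leakage the paper quantifies.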

Lovat, E.; Kelbert, F., “Structure Matters — A New Approach for Data Flow Tracking,” Security and Privacy Workshops (SPW), 2014 IEEE, pp. 39-43, 17-18 May 2014. doi:10.1109/SPW.2014.15
Abstract: Usage control (UC) is concerned with how data may or may not be used after initial access has been granted. UC requirements are expressed in terms of data (e.g. a picture, a song) that exists within a system in the form of different technical representations (containers, e.g. files, memory locations, windows). A model combining UC enforcement with data flow tracking across containers has been proposed in the literature, but it exhibits a high false-positive rate. In this paper we propose a refined approach to data flow tracking that mitigates this over-approximation problem by leveraging information about the inherent structure of the data being tracked. We propose a formal model and show some exemplary instantiations.
Keywords: data flow analysis; data flow computing; UC enforcement; containers; data access; data flow tracking; false positive detection rate; formal model; information leveraging; inherent data structure; over-approximation problem mitigation; technical representations; usage control; Containers; Data models; Discrete Fourier transforms; Operating systems; Postal services; Security; Semantics; data structure (ID#: 15-6664)

Hossen, K.; Groz, R.; Oriat, C.; Richier, J.-L., “Automatic Model Inference of Web Applications for Security Testing,” Software Testing, Verification and Validation Workshops (ICSTW), 2014 IEEE Seventh International Conference on, pp. 22-23, March 31-April 4, 2014. doi:10.1109/ICSTW.2014.47
Abstract: In the Internet of Services (IoS), web applications are the most common way to provide resources to users. The complexity of these applications has grown with the number of different development techniques and technologies used. Model-based testing (MBT) has proved its efficiency in software testing, but retrieving the corresponding model of an application is still a complex task. In this paper, we propose an automatic, vulnerability-driven model inference approach that models the relevant aspects of a web application by combining deep web crawling with model inference based on input sequences.
Keywords: Internet; data flow analysis; Inference mechanisms; program testing; security of data; Internet of services; IoS; MBT; Web applications; automatic model inference approach; deep Web crawling; input sequences; model-based testing; security testing; software testing; vulnerability-driven model inference approach; Automata; Conferences; Inference algorithms; Machine learning algorithms; Modeling; Security; Testing; Control Flow Inference; Data-Flow Inference; Reverse-Engineering; Security; Web Application (ID#: 15-6665)

Tsigkanos, C.; Pasquale, L.; Menghi, C.; Ghezzi, C.; Nuseibeh, B., “Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime,” Requirements Engineering Conference (RE), 2014 IEEE 22nd International, vol. no., pp. 203, 212, 25-29 Aug. 2014. doi:10.1109/RE.2014.6912262
Abstract: Adaptive security systems aim to protect critical assets in the face of changes in their operational environment. We have argued that incorporating an explicit representation of the environment's topology enables reasoning on the location of assets being protected and the proximity of potentially harmful agents. This paper proposes to engineer topology aware adaptive security systems by identifying violations of security requirements that may be caused by topological changes, and selecting a set of security controls that prevent such violations. Our approach focuses on physical topologies; it maintains at runtime a live representation of the topology which is updated when assets or agents move, or when the structure of the physical space is altered. When the topology changes, we look ahead at a subset of the future system states. These states are reachable when the agents move within the physical space. If security requirements can be violated in future system states, a configuration of security controls is proactively applied to prevent the system from reaching those states. Thus, the system continuously adapts to topological stimuli, while maintaining requirements satisfaction. Security requirements are formally expressed using a propositional temporal logic, encoding spatial properties in Computation Tree Logic (CTL). The Ambient Calculus is used to represent the topology of the operational environment — including location of assets and agents — as well as to identify future system states that are reachable from the current one. The approach is demonstrated and evaluated using a substantive example concerned with physical access control.
Keywords: authorisation; data flow analysis; formal specification; temporal logic; access control; adaptive security systems; ambient calculus; computation tree logic; encoding spatial properties; potentially harmful agents; propositional temporal logic; requirements violation prevention; security controls; security requirements; topology aware adaptive security engineering; Aerospace electronics; Buildings; Calculus; Runtime; Security; Servers; Topology (ID#: 15-6666)

Zhang Puhan; Wu Jianxiong; Wang Xin; Wu Zehui, “Decrypted Data Detection Algorithm Based on Dynamic Dataflow Analysis,” Computer, Information and Telecommunication Systems (CITS), 2014 International Conference on, pp. 1-4, 7-9 July 2014. doi:10.1109/CITS.2014.6878965
Abstract: Cryptographic algorithm detection has received a lot of attention recently, whereas methods for detecting decrypted data require further research. A decrypted-memory detection method using dynamic dataflow analysis is proposed in this paper. Based on the intuition that decrypted data is generated within cryptographic functions and has unique features, we analyze the parameter sets of cryptographic functions and propose a model based on their inputs and outputs. Experimental results demonstrate that our approach can effectively detect decrypted memory.
Keywords: cryptography; data flow analysis; cryptographic algorithm detection; decrypted data; decrypted memory detection method; dynamic dataflow analysis; Algorithm design and analysis; Encryption; Heuristic algorithms; Software; Software algorithms; Cryptographic; Dataflow analysis; Decrypted memory; Taint analysis (ID#: 15-6667)

Pena, E.H.M.; Barbon, S.; Rodrigues, J.J.P.C.; Lemes Proenca Junior, M., “Anomaly Detection Using Digital Signature of Network Segment with Adaptive ARIMA Model and Paraconsistent Logic,” Computers and Communication (ISCC), 2014 IEEE Symposium on, pp. 1-6, 23-26 June 2014. doi:10.1109/ISCC.2014.6912503
Abstract: Accurately detecting anomalies in network traffic behavior is essential for a variety of network management and security tasks. This paper presents an anomaly detection approach employing the Digital Signature of Network Segment using Flow Analysis (DSNSF), generated with an ARIMA model. A functional algorithm based on a non-classical logic called paraconsistent logic is also proposed, aiming to avoid high false alarm rates. The key idea of the proposed approach is to characterize the normal behavior of network traffic and then identify traffic behavior patterns that might harm network services. Experimental results on a real network demonstrate the effectiveness of the proposed approach. The results are promising, showing that the flow analysis performed is able to detect anomalous traffic with precision, sensitivity, and good performance.
Keywords: autoregressive moving average processes; digital signatures; DSNSF; adaptive ARIMA model; anomaly detection; digital signature of network segment using flow analysis; network management; network traffic behavior; paraconsistent logic; traffic patterns behavior; Analytical models; Autoregressive processes; Correlation; Data models; Digital signatures; Equations; Mathematical model (ID#: 15-6668)
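The gist of signature-plus-residual detection can be illustrated with a toy autoregressive fit: learn a one-step-ahead baseline, then flag slots whose residual is abnormally large. This is a deliberately simplified stand-in for the paper's adaptive ARIMA model and Paraconsistent Logic decision stage; the AR(1) form and the 2-sigma threshold are our choices:

```python
def fit_ar1(series):
    """Least-squares fit of x_t = c + phi * x_(t-1), a toy stand-in
    for the ARIMA model that generates the traffic signature."""
    xs, ys = series[:-1], series[1:]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    var = sum((x - mx) ** 2 for x in xs)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    phi = cov / var if var else 0.0
    return my - phi * mx, phi

def detect_anomalies(series, k=2.0):
    c, phi = fit_ar1(series)
    # One-step-ahead residuals against the fitted baseline.
    res = [y - (c + phi * x) for x, y in zip(series[:-1], series[1:])]
    mu = sum(res) / len(res)
    sd = (sum((r - mu) ** 2 for r in res) / len(res)) ** 0.5
    return [i + 1 for i, r in enumerate(res) if abs(r - mu) > k * sd]

traffic = [100, 102, 101, 103, 100, 102, 400, 101, 103, 100]  # volume per slot
print(detect_anomalies(traffic))   # the spike to 400 at index 6
```

The paper's Paraconsistent Logic layer then weighs such evidence for and against an alarm; here a single threshold plays that role.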

Camacho, J.; Macia-Fernandez, G.; Diaz-Verdejo, J.; Garcia-Teodoro, P., “Tackling the Big Data 4 Vs for Anomaly Detection,” Computer Communications Workshops (INFOCOM WKSHPS), 2014 IEEE Conference on, vol. no., pp. 500, 505,
April 27 2014–May 2 2014. doi:10.1109/INFCOMW.2014.6849282
Abstract: In this paper, a framework for anomaly detection and forensics in Big Data is introduced. The framework tackles the Big Data 4 Vs: Variety, Veracity, Volume and Velocity. The varied nature of the data sources is treated by transforming the typically unstructured data into a highly dimensional and structured data set. To overcome both the uncertainty (low veracity) and the high dimension introduced, a latent variable method, in particular Principal Component Analysis (PCA), is applied. PCA is well known to present outstanding capabilities to extract information from highly dimensional data sets. However, PCA is limited to small, though highly multivariate, data sets. To handle this limitation, a kernel computation of PCA is employed. This avoids computational problems due to the size (number of observations) of the data sets and allows parallelism. Also, hierarchical models are proposed if dimensionality is extreme. Finally, to handle high velocity in analyzing time series data flows, the Exponentially Weighted Moving Average (EWMA) approach is employed. All these steps are discussed in the paper, and the VAST 2012 mini challenge 2 is used for illustration.
Keywords: Big Data; digital forensics; firewalls; moving average processes; principal component analysis; time series; Big Data 4 Vs; EWMA approach; PCA; anomaly detection; computational problems; data sources; exponentially weighted moving average approach; forensics; hierarchical models; highly-dimensional structured data set; information extraction; kernel computation; latent variable method; parallelism; principal component analysis; time series data flow analysis; uncertainty problem; unstructured data transformation; variety; velocity; veracity; volume; Big data; Computational modeling; Conferences; Data privacy; Data visualization; Principal component analysis; Security (ID#: 15-6669)
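The EWMA step used for the Velocity dimension can be illustrated with a minimal control-chart sketch: smooth the stream into a baseline and flag points that fall outside k-sigma limits. The warm-up length, smoothing factor, and limits below are illustrative choices, not the paper's:

```python
def ewma_detect(stream, warmup=20, lam=0.3, k=3.0):
    """EWMA control chart: estimate spread from a warm-up window,
    then track the stream with z_t = lam*x_t + (1-lam)*z_(t-1)."""
    base = stream[:warmup]
    mu = sum(base) / warmup
    sd = (sum((x - mu) ** 2 for x in base) / warmup) ** 0.5
    z, alerts = mu, []
    for i, x in enumerate(stream[warmup:], start=warmup):
        if abs(x - z) > k * sd:
            alerts.append(i)              # anomaly: keep it out of the baseline
        else:
            z = lam * x + (1 - lam) * z   # smooth the baseline forward
    return alerts

counts = [9, 11] * 10 + [10, 15, 10]      # e.g. events observed per interval
print(ewma_detect(counts))                # [21]: the burst to 15
```

In the paper this chart runs on latent-variable scores produced by (kernel) PCA rather than on raw counts, which is what lets a single statistic summarize a highly dimensional feature vector.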

Stevanovic, M.; Pedersen, J.M., “An Efficient Flow-Based Botnet Detection Using Supervised Machine Learning,” Computing, Networking and Communications (ICNC), 2014 International Conference on, vol. no., pp. 797, 801, 3-6 Feb. 2014. doi:10.1109/ICCNC.2014.6785439
Abstract: Botnet detection represents one of the most crucial prerequisites of successful botnet neutralization. This paper explores how accurate and timely detection can be achieved by using supervised machine learning as the tool for inferring malicious botnet traffic. To that end, the paper introduces a novel flow-based detection system that relies on supervised machine learning for identifying botnet network traffic. For use in the system we consider eight highly regarded machine learning algorithms, indicating the best-performing one. Furthermore, the paper evaluates how much traffic needs to be observed per flow in order to capture the patterns of malicious traffic. The proposed system has been tested through a series of experiments using traffic traces originating from two well-known P2P botnets and diverse non-malicious applications. The results indicate that the system is able to accurately and promptly detect botnet traffic using purely flow-based traffic analysis and supervised machine learning. Additionally, the results show that, in order to achieve accurate detection, traffic flows need to be monitored only for a limited time period and number of packets per flow. This indicates a strong potential for using the proposed approach within a future on-line detection framework.
Keywords: computer network security; invasive software; learning (artificial intelligence); peer-to-peer computing; telecommunication traffic; P2P botnets; botnet neutralization; flow-based botnet detection; flow-based traffic analysis; malicious botnet network traffic identification; nonmalicious applications; packet flow; supervised machine learning; Accuracy; Bayes methods; Feature extraction; Protocols; Support vector machines; Training; Vegetation; Botnet; Botnet detection; Machine learning; Traffic analysis; Traffic classification (ID#: 15-6670)
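The core of flow-based classification is that each flow is reduced to a short feature vector (no payload inspection) and a supervised model separates benign from botnet flows. The sketch below uses a deliberately simple nearest-centroid classifier as a stand-in for the eight algorithms the paper compares; the feature names and numbers are invented:

```python
def centroid(rows):
    n = len(rows)
    return [sum(r[i] for r in rows) / n for i in range(len(rows[0]))]

def dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5

class NearestCentroid:
    """Assigns a flow to the class whose training centroid is closest;
    a minimal stand-in for SVMs, random forests, etc."""
    def fit(self, X, y):
        self.cents = {c: centroid([x for x, l in zip(X, y) if l == c])
                      for c in set(y)}
        return self
    def predict(self, X):
        return [min(self.cents, key=lambda c: dist(self.cents[c], x))
                for x in X]

# per-flow features: [mean packet size, packets per second, duration in s]
benign = [[900, 12, 30], [1100, 9, 45], [950, 11, 60]]
botnet = [[120, 80, 5], [100, 95, 4], [140, 70, 6]]
clf = NearestCentroid().fit(benign + botnet,
                            ["benign"] * 3 + ["botnet"] * 3)
print(clf.predict([[1000, 10, 40], [110, 90, 5]]))  # ['benign', 'botnet']
```

The paper's finding that only a limited number of packets per flow must be observed corresponds here to computing the feature vector from a flow prefix rather than the completed flow.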

Cui Baojiang; Long Baolian; Hou Tingting, “Reverse Analysis Method of Static XSS Defect Detection Technique Based on Database Query Language,” P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC), 2014 Ninth International Conference on, vol. no., pp. 487, 491, 8-10 Nov. 2014. doi:10.1109/3PGCIC.2014.99
Abstract: With the wide use of web applications, XSS vulnerabilities have become one of the most common security problems and have caused many serious losses. In this paper, on the basis of database query language techniques, we put forward a static analysis method for XSS defect detection in Java web applications that analyzes data flow in reverse. The method first converts each JSP file to a Servlet file, and then uses mock testing to generate calls for all Java code automatically for comprehensive analysis. Starting from the methods where an XSS security defect may occur, we analyze the data flow backwards to detect XSS defects by judging whether they can be introduced by unfiltered user input. This reverse method effectively reduces the analysis work required by forward approaches. Experiments on an artificially constructed Java web project with XSS flaws and on several open-source Java web projects showed that this method improves both the efficiency and the accuracy of XSS defect detection.
Keywords: Internet; Java; query languages; query processing; security of data; JSP file; Java Web application; Servlet file; XSS vulnerability; data flow reverse analysis method; database query language; mock test method; static XSS defect detection technique; Accuracy; Browsers; Context; Databases; Educational institutions; Security; XSS defect; reverse analysis; static analysis; web application (ID#: 15-6671)
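Reverse dataflow analysis walks backwards from an output sink toward user input, reporting a defect only when no sanitizer lies on the path. The sketch below captures that traversal over a toy flow graph; the method names (`response.write`, `escapeHtml`, `request.getParameter`) are illustrative, not the paper's implementation:

```python
def reaches_tainted_source(flows_into, node, sources, sanitizers, seen=None):
    """Backward reachability from a sink: True means unfiltered user
    input can reach it, i.e. a potential XSS defect."""
    seen = seen if seen is not None else set()
    if node in sanitizers:
        return False                 # this path is filtered: safe
    if node in sources:
        return True                  # unfiltered user input reaches the sink
    seen.add(node)
    return any(reaches_tainted_source(flows_into, pred, sources,
                                      sanitizers, seen)
               for pred in flows_into.get(node, []) if pred not in seen)

# "x flows into y" edges, stored as y -> [x, ...] for reverse traversal
flows_into = {
    "response.write": ["page_html"],
    "page_html": ["request.getParameter", "escapeHtml"],
    "escapeHtml": ["request.getParameter"],
}
sources = {"request.getParameter"}
sanitizers = {"escapeHtml"}
# True: one path into page_html bypasses the sanitizer
print(reaches_tainted_source(flows_into, "response.write",
                             sources, sanitizers))
```

Starting at the sinks and stopping at the first sanitizer is what makes the reverse direction cheaper than forward propagation from every input.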

Xin Xie; Fenlin Liu; Bin Lu; Fei Xiang, “Mixed Obfuscation of Overlapping Instruction and Self-Modify Code Based on Hyper-Chaotic Opaque Predicates,” Computational Intelligence and Security (CIS), 2014 Tenth International Conference on, vol. no.,
pp. 524, 528, 15-16 Nov. 2014. doi:10.1109/CIS.2014.45
Abstract: Static disassembly is used to analyze program control flow, which is the key step in reverse analysis. To counter attackers who use static disassembly to analyze control transfer instructions and the control flow graph, a mixed obfuscation of overlapping instructions and self-modifying code based on hyper-chaotic opaque predicates is proposed: jump offsets in overlapping instructions and data offsets in self-modifying code are constructed with opaque predicates. Control transfer instructions are rewritten as instructions unrelated to control transfer by combining the characteristics of overlapping instructions and self-modifying code. Experiments and analysis show that the control flow graph can be obscured by the mixed obfuscation, owing to the difficulty attackers face in analyzing hyper-chaotic opaque predicates.
Keywords: program control structures; safety-critical software; software engineering; code obfuscation; control flow graph; control transfer instructions; hyper-chaotic opaque predicates; program control flow analyze; reverse analysis; self-modify code; Chaos; Flow graphs; Resistance; Resists; Software; Watermarking; code obfuscation; hyper-chaotic opaque predicate; overlapping instruction; self-modify code (ID#: 15-6672)
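An opaque predicate is an expression that always evaluates the same way at runtime, but whose constant value is hard to establish statically, so a disassembler must treat the dead branch as live. The paper derives its predicates from hyper-chaotic maps; the number-theoretic one below merely illustrates the concept:

```python
def opaquely_true(x: int) -> bool:
    """The product of two consecutive integers is always even, so this
    predicate is constant-true; a static analyzer cannot assume so
    without proving the arithmetic fact."""
    return (x * (x + 1)) % 2 == 0

def protected(x: int) -> int:
    if opaquely_true(x):
        return x + 1      # the real control flow, always taken
    else:
        return x - 1      # bogus branch: dead code that inflates the CFG

assert all(opaquely_true(x) for x in range(-1000, 1000))
print(protected(41))      # 42
```

In the paper's scheme the predicate's value feeds jump offsets inside overlapping instructions and data offsets in self-modifying code, so mis-resolving it corrupts the recovered control flow graph rather than merely adding a dead branch.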

Ippoliti, D.; Xiaobo Zhou, “Online Adaptive Anomaly Detection for Augmented Network Flows,” Modelling, Analysis & Simulation of Computer and Telecommunication Systems (MASCOTS), 2014 IEEE 22nd International Symposium on, vol. no.,
pp. 433, 442, 9-11 Sept. 2014. doi:10.1109/MASCOTS.2014.60
Abstract: Traditional network anomaly detection involves developing models that rely on packet inspection. Increasing network speeds and the use of encrypted protocols make per-packet inspection unsuited for today's networks. One method of overcoming this obstacle is flow-based analysis. Many existing approaches are special purpose, i.e., limited to detecting specific behaviors. Also, the data reduction inherent in identifying anomalous flows hinders alert correlation. In this paper we propose a dynamic anomaly detection approach for augmented flows. We sketch network state during flow creation, enabling general-purpose threat detection. We design and develop a support vector machine based adaptive anomaly detection and correlation mechanism capable of aggregating alerts without a priori alert classification and of evolving models online. We develop a confidence forwarding mechanism that identifies a small percentage of predictions for additional processing. We show the effectiveness of our methods on both enterprise and backbone traces. Experimental results demonstrate the ability to maintain high accuracy without the need for offline training.
Keywords: computer network security; support vector machines; alert aggregation; alert correlation; anomalous flow identification; augmented flows; augmented network flows; backbone traces; confidence forwarding mechanism; data reduction; dynamic anomaly detection approach; enterprise traces; flow based analysis; flow creation; general purpose threat detection; network anomaly detection; network state; online adaptive anomaly detection; packet inspection; support vector machine based adaptive anomaly detection mechanism; support vector machine based adaptive correlation mechanism; Adaptation models; Correlation; Detectors; Inspection; Support vector machines; Training; Vectors (ID#: 15-6673)
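Two ideas from this abstract, online model evolution and confidence forwarding, can be sketched with a margin-based online linear classifier: predictions near the decision boundary are forwarded for additional processing, while the model updates itself on each labeled flow. This is a plain perceptron, not the paper's SVM machinery, and the margin value is an invented parameter:

```python
class OnlinePerceptron:
    """Online linear model: low-margin predictions are flagged for a
    second processing stage (confidence forwarding)."""
    def __init__(self, dim, margin=0.5, lr=0.1):
        self.w = [0.0] * dim
        self.b = 0.0
        self.margin, self.lr = margin, lr
    def score(self, x):
        return sum(wi * xi for wi, xi in zip(self.w, x)) + self.b
    def predict(self, x):
        s = self.score(x)
        label = 1 if s >= 0 else -1
        forward = abs(s) < self.margin   # low confidence: forward for review
        return label, forward
    def update(self, x, y):              # evolve the model online, no retraining
        if y * self.score(x) <= 0:
            self.w = [wi + self.lr * y * xi for wi, xi in zip(self.w, x)]
            self.b += self.lr * y

model = OnlinePerceptron(dim=2)
for features, label in [([2.0, 1.0], 1), ([-2.0, -1.0], -1)] * 5:
    model.update(features, label)
print(model.predict([2.0, 1.0]))   # (1, False): confident, no forwarding
print(model.predict([0.1, 0.0]))   # (1, True): low margin, forward it
```

Forwarding only the uncertain fraction is what lets the expensive second stage keep up with flow rates that would swamp per-packet inspection.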

Sen, S.; Guha, S.; Datta, A.; Rajamani, S.K.; Tsai, J.; Wing, J.M., “Bootstrapping Privacy Compliance in Big Data Systems,” Security and Privacy (SP), 2014 IEEE Symposium on, vol. no., pp. 327, 342, 18-21 May 2014. doi:10.1109/SP.2014.28
Abstract: With the rapid increase in cloud services collecting and using user data to offer personalized experiences, ensuring that these services comply with their privacy policies has become a business imperative for building user trust. However, most compliance efforts in industry today rely on manual review processes and audits designed to safeguard user data, and therefore are resource intensive and lack coverage. In this paper, we present our experience building and operating a system to automate privacy policy compliance checking in Bing. Central to the design of the system are (a) Legalease, a language that allows specification of privacy policies that impose restrictions on how user data is handled, and (b) Grok, a data inventory for Map-Reduce-like big data systems that tracks how user data flows among programs. Grok maps code-level schema elements to data types in Legalease, in essence annotating existing programs with information flow types with minimal human input. Compliance checking is thus reduced to information flow analysis of Big Data systems. The system, bootstrapped by a small team, checks compliance daily of millions of lines of ever-changing source code written by several thousand developers.
Keywords: Big Data; Web services; cloud computing; computer bootstrapping; conformance testing; data privacy; parallel programming; search engines; source code (software); Bing; Grok data inventory; Legal ease language; Map-Reduce-like Big Data systems; automatic privacy policy compliance checking; business imperative privacy policies; cloud services; code-level schema element mapping; datatypes; information flow types; minimal human input; personalized user experiences; privacy compliance bootstrapping; privacy policy specification; program annotation; source code; user data handling; user trust; Advertising; Big data; Data privacy; IP networks; Lattices; Privacy; Semantics; big data; bing; compliance; information flow; policy; privacy; program analysis (ID#: 15-6674)
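The flavor of this style of policy checking can be sketched as labeled flows tested against DENY clauses with more specific ALLOW exceptions. The clause structure, the `datatype:subtype` naming, and the prefix-based subtype test below are simplifications of ours, not the paper's Legalease semantics:

```python
# A DENY clause with an exception list: using IP addresses for advertising
# is forbidden unless the address has been truncated first.
policy = [
    {"deny": {"datatype": "IPAddress", "purpose": "Advertising"},
     "except": [{"datatype": "IPAddress:Truncated"}]},
]

def compliant(flow, policy):
    """A flow is a dict of labels attached to a program by the data
    inventory. Prefix matching stands in for the datatype hierarchy:
    'IPAddress:Truncated' is a subtype of 'IPAddress'."""
    for clause in policy:
        denied = all(flow.get(k, "").startswith(v)
                     for k, v in clause["deny"].items())
        if denied:
            # denied unless a more specific exception re-allows it
            excused = any(all(flow.get(k) == v for k, v in exc.items())
                          for exc in clause["except"])
            if not excused:
                return False
    return True

print(compliant({"datatype": "IPAddress",
                 "purpose": "Advertising"}, policy))            # False
print(compliant({"datatype": "IPAddress:Truncated",
                 "purpose": "Advertising"}, policy))            # True
```

In the real system the labels are inferred automatically by propagating information flow types through the data inventory, so developers rarely annotate code by hand.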


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.