Visible to the public Biblio

Filters: Keyword is defense  [Clear All Filters]
2021-06-24
Lee, Dongseop, Kim, Hyunjin, Ryou, Jaecheol.  2020.  Poisoning Attack on Show and Tell Model and Defense Using Autoencoder in Electric Factory. 2020 IEEE International Conference on Big Data and Smart Computing (BigComp). :538–541.
Recently, deep neural network technology has been developed and used in various fields. The image recognition model can be used for automatic safety checks at the electric factory. However, as the deep neural network develops, the importance of security increases. A poisoning attack is one of security problems. It is an attack that breaks down by entering malicious data into the training data set of the model. This paper generates adversarial data that modulates feature values to different targets by manipulating less RGB values. Then, poisoning attacks in one of the image recognition models, the show and tell model. Then use autoencoder to defend adversarial data.
2021-03-04
Nugraha, B., Nambiar, A., Bauschert, T..  2020.  Performance Evaluation of Botnet Detection using Deep Learning Techniques. 2020 11th International Conference on Network of the Future (NoF). :141—149.

Botnets are one of the major threats on the Internet. They are used for malicious activities to compromise the basic network security goals, namely Confidentiality, Integrity, and Availability. For reliable botnet detection and defense, deep learning-based approaches were recently proposed. In this paper, four different deep learning models, namely Convolutional Neural Network (CNN), Long Short-Term Memory (LSTM), hybrid CNN-LSTM, and Multi-layer Perception (MLP) are applied for botnet detection and simulation studies are carried out using the CTU-13 botnet traffic dataset. We use several performance metrics such as accuracy, sensitivity, specificity, precision, and F1 score to evaluate the performance of each model on classifying both known and unknown (zero-day) botnet traffic patterns. The results show that our deep learning models can accurately and reliably detect both known and unknown botnet traffic, and show better performance than other deep learning models.

Abedin, N. F., Bawm, R., Sarwar, T., Saifuddin, M., Rahman, M. A., Hossain, S..  2020.  Phishing Attack Detection using Machine Learning Classification Techniques. 2020 3rd International Conference on Intelligent Sustainable Systems (ICISS). :1125—1130.

Phishing attacks are the most common form of attacks that can happen over the internet. This method involves attackers attempting to collect data of a user without his/her consent through emails, URLs, and any other link that leads to a deceptive page where a user is persuaded to commit specific actions that can lead to the successful completion of an attack. These attacks can allow an attacker to collect vital information of the user that can often allow the attacker to impersonate the victim and get things done that only the victim should have been able to do, such as carry out transactions, or message someone else, or simply accessing the victim's data. Many studies have been carried out to discuss possible approaches to prevent such attacks. This research work includes three machine learning algorithms to predict any websites' phishing status. In the experimentation these models are trained using URL based features and attempted to prevent Zero-Day attacks by using proposed software proposal that differentiates the legitimate websites and phishing websites by analyzing the website's URL. From observations, the random forest classifier performed with a precision of 97%, a recall 99%, and F1 Score is 97%. Proposed model is fast and efficient as it only works based on the URL and it does not use other resources for analysis, as was the case for past studies.

Hashemi, M. J., Keller, E..  2020.  Enhancing Robustness Against Adversarial Examples in Network Intrusion Detection Systems. 2020 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN). :37—43.

The increase of cyber attacks in both the numbers and varieties in recent years demands to build a more sophisticated network intrusion detection system (NIDS). These NIDS perform better when they can monitor all the traffic traversing through the network like when being deployed on a Software-Defined Network (SDN). Because of the inability to detect zero-day attacks, signature-based NIDS which were traditionally used for detecting malicious traffic are beginning to get replaced by anomaly-based NIDS built on neural networks. However, recently it has been shown that such NIDS have their own drawback namely being vulnerable to the adversarial example attack. Moreover, they were mostly evaluated on the old datasets which don't represent the variety of attacks network systems might face these days. In this paper, we present Reconstruction from Partial Observation (RePO) as a new mechanism to build an NIDS with the help of denoising autoencoders capable of detecting different types of network attacks in a low false alert setting with an enhanced robustness against adversarial example attack. Our evaluation conducted on a dataset with a variety of network attacks shows denoising autoencoders can improve detection of malicious traffic by up to 29% in a normal setting and by up to 45% in an adversarial setting compared to other recently proposed anomaly detectors.

Hajizadeh, M., Afraz, N., Ruffini, M., Bauschert, T..  2020.  Collaborative Cyber Attack Defense in SDN Networks using Blockchain Technology. 2020 6th IEEE Conference on Network Softwarization (NetSoft). :487—492.

The legacy security defense mechanisms cannot resist where emerging sophisticated threats such as zero-day and malware campaigns have profoundly changed the dimensions of cyber-attacks. Recent studies indicate that cyber threat intelligence plays a crucial role in implementing proactive defense operations. It provides a knowledge-sharing platform that not only increases security awareness and readiness but also enables the collaborative defense to diminish the effectiveness of potential attacks. In this paper, we propose a secure distributed model to facilitate cyber threat intelligence sharing among diverse participants. The proposed model uses blockchain technology to assure tamper-proof record-keeping and smart contracts to guarantee immutable logic. We use an open-source permissioned blockchain platform, Hyperledger Fabric, to implement the blockchain application. We also utilize the flexibility and management capabilities of Software-Defined Networking to be integrated with the proposed sharing platform to enhance defense perspectives against threats in the system. In the end, collaborative DDoS attack mitigation is taken as a case study to demonstrate our approach.

Sejr, J. H., Zimek, A., Schneider-Kamp, P..  2020.  Explainable Detection of Zero Day Web Attacks. 2020 3rd International Conference on Data Intelligence and Security (ICDIS). :71—78.

The detection of malicious HTTP(S) requests is a pressing concern in cyber security, in particular given the proliferation of HTTP-based (micro-)service architectures. In addition to rule-based systems for known attacks, anomaly detection has been shown to be a promising approach for unknown (zero-day) attacks. This article extends existing work by integrating outlier explanations for individual requests into an end-to-end pipeline. These end-to-end explanations reflect the internal working of the pipeline. Empirically, we show that found explanations coincide with manually labelled explanations for identified outliers, allowing security professionals to quickly identify and understand malicious requests.

Gorbenko, A., Popov, V..  2020.  Abnormal Behavioral Pattern Detection in Closed-Loop Robotic Systems for Zero-Day Deceptive Threats. 2020 International Conference on Industrial Engineering, Applications and Manufacturing (ICIEAM). :1—6.

In recent years, attacks against cyber-physical systems have become increasingly frequent and widespread. The inventiveness of such attacks increases significantly. In particular, zero-day attacks are widely used. The rapid development of the industrial Internet of things, the expansion of the application areas of service robots, the advent of the Internet of vehicles and the Internet of military things have led to a significant increase of attention to deceptive attacks. Especially great threat is posed by deceptive attacks that do not use hiding malicious components. Such attacks can naturally be used against robotic systems. In this paper, we consider an approach to the development of an intrusion detection system for closed-loop robotic systems. The system is based on an abnormal behavioral pattern detection technique. The system can be used for detection of zero-day deceptive attacks. We provide an experimental comparison of our approach and other behavior-based intrusion detection systems.

Tang, R., Yang, Z., Li, Z., Meng, W., Wang, H., Li, Q., Sun, Y., Pei, D., Wei, T., Xu, Y. et al..  2020.  ZeroWall: Detecting Zero-Day Web Attacks through Encoder-Decoder Recurrent Neural Networks. IEEE INFOCOM 2020 - IEEE Conference on Computer Communications. :2479—2488.

Zero-day Web attacks are arguably the most serious threats to Web security, but are very challenging to detect because they are not seen or known previously and thus cannot be detected by widely-deployed signature-based Web Application Firewalls (WAFs). This paper proposes ZeroWall, an unsupervised approach, which works with an existing WAF in pipeline, to effectively detecting zero-day Web attacks. Using historical Web requests allowed by an existing signature-based WAF, a vast majority of which are assumed to be benign, ZeroWall trains a self-translation machine using an encoder-decoder recurrent neural network to capture the syntax and semantic patterns of benign requests. In real-time detection, a zero-day attack request (which the WAF fails to detect), not understood well by self-translation machine, cannot be translated back to its original request by the machine, thus is declared as an attack. In our evaluation using 8 real-world traces of 1.4 billion Web requests, ZeroWall successfully detects real zero-day attacks missed by existing WAFs and achieves high F1-scores over 0.98, which significantly outperforms all baseline approaches.

Wang, H., Sayadi, H., Kolhe, G., Sasan, A., Rafatirad, S., Homayoun, H..  2020.  Phased-Guard: Multi-Phase Machine Learning Framework for Detection and Identification of Zero-Day Microarchitectural Side-Channel Attacks. 2020 IEEE 38th International Conference on Computer Design (ICCD). :648—655.

Microarchitectural Side-Channel Attacks (SCAs) have emerged recently to compromise the security of computer systems by exploiting the existing processors' hardware vulnerabilities. In order to detect such attacks, prior studies have proposed the deployment of low-level features captured from built-in Hardware Performance Counter (HPC) registers in modern microprocessors to implement accurate Machine Learning (ML)-based SCAs detectors. Though effective, such attack detection techniques have mainly focused on binary classification models offering limited insights on identifying the type of attacks. In addition, while existing SCAs detectors required prior knowledge of attacks applications to detect the pattern of side-channel attacks using a variety of microarchitectural features, detecting unknown (zero-day) SCAs at run-time using the available HPCs remains a major challenge. In response, in this work we first identify the most important HPC features for SCA detection using an effective feature reduction method. Next, we propose Phased-Guard, a two-level machine learning-based framework to accurately detect and classify both known and unknown attacks at run-time using the most prominent low-level features. In the first level (SCA Detection), Phased-Guard using a binary classification model detects the existence of SCAs on the target system by determining the critical scenarios including system under attack and system under no attack. In the second level (SCA Identification) to further enhance the security against side-channel attacks, Phased-Guard deploys a multiclass classification model to identify the type of SCA applications. The experimental results indicate that Phased-Guard by monitoring only the victim applications' microarchitectural HPCs data, achieves up to 98 % attack detection accuracy and 99.5% SCA identification accuracy significantly outperforming the state-of-the-art solutions by up to 82 % in zero-day attack detection at the cost of only 4% performance overhead for monitoring.

Jeong, J. H., Choi, S. G..  2020.  Hybrid System to Minimize Damage by Zero-Day Attack based on NIDPS and HoneyPot. 2020 International Conference on Information and Communication Technology Convergence (ICTC). :1650—1652.

This paper presents hybrid system to minimize damage by zero-day attack. Proposed system consists of signature-based NIDPS, honeypot and temporary queue. When proposed system receives packet from external network, packet which is known for attack packet is dropped by signature-based NIDPS. Passed packets are redirected to honeypot, because proposed system assumes that all packets which pass NIDPS have possibility of zero-day attack. Redirected packet is stored in temporary queue and if the packet has possibility of zero-day attack, honeypot extracts signature of the packet. Proposed system creates rule that match rule format of NIDPS based on extracted signatures and updates the rule. After the rule update is completed, temporary queue sends stored packet to NIDPS then packet with risk of attack can be dropped. Proposed system can reduce time to create and apply rule which can respond to unknown attack packets. Also, it can drop packets that have risk of zero-day attack in real time.

2021-01-25
Chen, J., Lin, X., Shi, Z., Liu, Y..  2020.  Link Prediction Adversarial Attack Via Iterative Gradient Attack. IEEE Transactions on Computational Social Systems. 7:1081–1094.
Increasing deep neural networks are applied in solving graph evolved tasks, such as node classification and link prediction. However, the vulnerability of deep models can be revealed using carefully crafted adversarial examples generated by various adversarial attack methods. To explore this security problem, we define the link prediction adversarial attack problem and put forward a novel iterative gradient attack (IGA) strategy using the gradient information in the trained graph autoencoder (GAE) model. Not surprisingly, GAE can be fooled by an adversarial graph with a few links perturbed on the clean one. The results on comprehensive experiments of different real-world graphs indicate that most deep models and even the state-of-the-art link prediction algorithms cannot escape the adversarial attack, such as GAE. We can benefit the attack as an efficient privacy protection tool from the link prediction of unknown violations. On the other hand, the adversarial attack is a robust evaluation metric for current link prediction algorithms of their defensibility.
2021-01-22
Ayoade, G., Akbar, K. A., Sahoo, P., Gao, Y., Agarwal, A., Jee, K., Khan, L., Singhal, A..  2020.  Evolving Advanced Persistent Threat Detection using Provenance Graph and Metric Learning. 2020 IEEE Conference on Communications and Network Security (CNS). :1—9.

Advanced persistent threats (APT) have increased in recent times as a result of the rise in interest by nation-states and sophisticated corporations to obtain high profile information. Typically, APT attacks are more challenging to detect since they leverage zero-day attacks and common benign tools. Furthermore, these attack campaigns are often prolonged to evade detection. We leverage an approach that uses a provenance graph to obtain execution traces of host nodes in order to detect anomalous behavior. By using the provenance graph, we extract features that are then used to train an online adaptive metric learning. Online metric learning is a deep learning method that learns a function to minimize the separation between similar classes and maximizes the separation between dis-similar instances. We compare our approach with baseline models and we show our method outperforms the baseline models by increasing detection accuracy on average by 11.3 % and increases True positive rate (TPR) on average by 18.3 %.

2020-12-01
Di, A., Ruisheng, S., Lan, L., Yueming, L..  2019.  On the Large-Scale Traffic DDoS Threat of Space Backbone Network. 2019 IEEE 5th Intl Conference on Big Data Security on Cloud (BigDataSecurity), IEEE Intl Conference on High Performance and Smart Computing, (HPSC) and IEEE Intl Conference on Intelligent Data and Security (IDS). :192—194.

Satellite networks play an important role in realizing the combination of the space networks and ground networks as well as the global coverage of the Internet. However, due to the limitation of bandwidth resource, compared with ground network, space backbone networks are more likely to become victims of DDoS attacks. Therefore, we hypothesize an attack scenario that DDoS attackers make reflection amplification attacks, colluding with terminal devices accessing space backbone network, and exhaust bandwidth resources, resulting in degradation of data transmission and service delivery. Finally, we propose some plain countermeasures to provide solutions for future researchers.

2020-09-11
Mendes, Lucas D.P., Aloi, James, Pimenta, Tales C..  2019.  Analysis of IoT Botnet Architectures and Recent Defense Proposals. 2019 31st International Conference on Microelectronics (ICM). :186—189.
The rise in the number of devices joining the Internet of Things (IoT) has created a huge potential for distributed denial of service (DDoS) attacks, especially due to the lack of security in these computationally limited devices. Malicious actors have realized that and managed to turn large sets of IoT devices into botnets under their control. Given this scenario, this work studies botnet architectures identified so far and assesses how they are considered in the few recent defense proposals that consider botnet architectures.
2020-04-20
Lecuyer, Mathias, Atlidakis, Vaggelis, Geambasu, Roxana, Hsu, Daniel, Jana, Suman.  2019.  Certified Robustness to Adversarial Examples with Differential Privacy. 2019 IEEE Symposium on Security and Privacy (SP). :656–672.
Adversarial examples that fool machine learning models, particularly deep neural networks, have been a topic of intense research interest, with attacks and defenses being developed in a tight back-and-forth. Most past defenses are best effort and have been shown to be vulnerable to sophisticated attacks. Recently a set of certified defenses have been introduced, which provide guarantees of robustness to norm-bounded attacks. However these defenses either do not scale to large datasets or are limited in the types of models they can support. This paper presents the first certified defense that both scales to large networks and datasets (such as Google's Inception network for ImageNet) and applies broadly to arbitrary model types. Our defense, called PixelDP, is based on a novel connection between robustness against adversarial examples and differential privacy, a cryptographically-inspired privacy formalism, that provides a rigorous, generic, and flexible foundation for defense.
2020-02-18
Huang, Yonghong, Verma, Utkarsh, Fralick, Celeste, Infantec-Lopez, Gabriel, Kumar, Brajesh, Woodward, Carl.  2019.  Malware Evasion Attack and Defense. 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W). :34–38.

Machine learning (ML) classifiers are vulnerable to adversarial examples. An adversarial example is an input sample which is slightly modified to induce misclassification in an ML classifier. In this work, we investigate white-box and grey-box evasion attacks to an ML-based malware detector and conduct performance evaluations in a real-world setting. We compare the defense approaches in mitigating the attacks. We propose a framework for deploying grey-box and black-box attacks to malware detection systems.

2018-12-10
Kwon, Hyun, Yoon, Hyunsoo, Choi, Daeseon.  2018.  POSTER: Zero-Day Evasion Attack Analysis on Race Between Attack and Defense. Proceedings of the 2018 on Asia Conference on Computer and Communications Security. :805–807.

Deep neural networks (DNNs) exhibit excellent performance in machine learning tasks such as image recognition, pattern recognition, speech recognition, and intrusion detection. However, the usage of adversarial examples, which are intentionally corrupted by noise, can lead to misclassification. As adversarial examples are serious threats to DNNs, both adversarial attacks and methods of defending against adversarial examples have been continuously studied. Zero-day adversarial examples are created with new test data and are unknown to the classifier; hence, they represent a more significant threat to DNNs. To the best of our knowledge, there are no analytical studies in the literature of zero-day adversarial examples with a focus on attack and defense methods through experiments using several scenarios. Therefore, in this study, zero-day adversarial examples are practically analyzed with an emphasis on attack and defense methods through experiments using various scenarios composed of a fixed target model and an adaptive target model. The Carlini method was used for a state-of-the-art attack, while an adversarial training method was used as a typical defense method. We used the MNIST dataset and analyzed success rates of zero-day adversarial examples, average distortions, and recognition of original samples through several scenarios of fixed and adaptive target models. Experimental results demonstrate that changing the parameters of the target model in real time leads to resistance to adversarial examples in both the fixed and adaptive target models.

Mathas, Christos M., Segou, Olga E., Xylouris, Georgios, Christinakis, Dimitris, Kourtis, Michail-Alexandros, Vassilakis, Costas, Kourtis, Anastasios.  2018.  Evaluation of Apache Spot's Machine Learning Capabilities in an SDN/NFV Enabled Environment. Proceedings of the 13th International Conference on Availability, Reliability and Security. :52:1–52:10.

Software Defined Networking (SDN) and Network Function Virtualisation (NFV) are transforming modern networks towards a service-oriented architecture. At the same time, the cybersecurity industry is rapidly adopting Machine Learning (ML) algorithms to improve detection and mitigation of complex attacks. Traditional intrusion detection systems perform signature-based detection, based on well-known malicious traffic patterns that signify potential attacks. The main drawback of this method is that attack patterns need to be known in advance and signatures must be preconfigured. Hence, typical systems fail to detect a zero-day attack or an attack with unknown signature. This work considers the use of machine learning for advanced anomaly detection, and specifically deploys the Apache Spot ML framework on an SDN/NFV-enabled testbed running cybersecurity services as Virtual Network Functions (VNFs). VNFs are used to capture traffic for ingestion by the ML algorithm and apply mitigation measures in case of a detected anomaly. Apache Spot utilises Latent Dirichlet Allocation to identify anomalous traffic patterns in Netflow, DNS and proxy data. The overall performance of Apache Spot is evaluated by deploying Denial of Service (Slowloris, BoNeSi) and a Data Exfiltration attack (iodine).

Yan, Hua, Sui, Yulei, Chen, Shiping, Xue, Jingling.  2018.  Spatio-temporal Context Reduction: A Pointer-analysis-based Static Approach for Detecting Use-after-free Vulnerabilities. Proceedings of the 40th International Conference on Software Engineering. :327–337.

Zero-day Use-After-Free (UAF) vulnerabilities are increasingly popular and highly dangerous, but few mitigations exist. We introduce a new pointer-analysis-based static analysis, CRed, for finding UAF bugs in multi-MLOC C source code efficiently and effectively. CRed achieves this by making three advances: (i) a spatio-temporal context reduction technique for scaling down soundly and precisely the exponential number of contexts that would otherwise be considered at a pair of free and use sites, (ii) a multi-stage analysis for filtering out false alarms efficiently, and (iii) a path-sensitive demand-driven approach for finding the points-to information required. We have implemented CRed in LLVM-3.8.0 and compared it with four different state-of-the-art static tools: CBMC (model checking), Clang (abstract interpretation), Coccinelle (pattern matching), and Supa (pointer analysis) using all the C test cases in Juliet Test Suite (JTS) and 10 open-source C applications. For the ground-truth validated with JTS, CRed detects all the 138 known UAF bugs as CBMC and Supa do while Clang and Coccinelle miss some bugs, with no false alarms from any tool. For practicality validated with the 10 applications (totaling 3+ MLOC), CRed reports 132 warnings including 85 bugs in 7.6 hours while the existing tools are either unscalable by terminating within 3 days only for one application (CBMC) or impractical by finding virtually no bugs (Clang and Coccinelle) or issuing an excessive number of false alarms (Supa).

Ross, Kevin, Moh, Melody, Moh, Teng-Sheng, Yao, Jason.  2018.  Multi-source Data Analysis and Evaluation of Machine Learning Techniques for SQL Injection Detection. Proceedings of the ACMSE 2018 Conference. :1:1–1:8.

SQL Injection continues to be one of the most damaging security exploits in terms of personal information exposure as well as monetary loss. Injection attacks are the number one vulnerability in the most recent OWASP Top 10 report, and the number of these attacks continues to increase. Traditional defense strategies often involve static, signature-based IDS (Intrusion Detection System) rules which are mostly effective only against previously observed attacks but not unknown, or zero-day, attacks. Much current research involves the use of machine learning techniques, which are able to detect unknown attacks, but depending on the algorithm can be costly in terms of performance. In addition, most current intrusion detection strategies involve collection of traffic coming into the web application either from a network device or from the web application host, while other strategies collect data from the database server logs. In this project, we are collecting traffic from two points: at the web application host, and at a Datiphy appliance node located between the webapp host and the associated MySQL database server. In our analysis of these two datasets, and another dataset that is correlated between the two, we have been able to demonstrate that accuracy obtained with the correlated dataset using algorithms such as rule-based and decision tree are nearly the same as those with a neural network algorithm, but with greatly improved performance.

Wang, Dong, Ming, Jiang, Chen, Ting, Zhang, Xiaosong, Wang, Chao.  2018.  Cracking IoT Device User Account via Brute-force Attack to SMS Authentication Code. Proceedings of the First Workshop on Radical and Experiential Security. :57–60.

IoT device usually has an associated application to facilitate customers' interactions with the device, and customers need to register an account to use this application as well. Due to the popularity of mobile phone, a customer is encouraged to register an account with his own mobile phone number. After binding the device to his account, the customer can control his device remotely with his smartphone. When a customer forgets his password, he can use his mobile phone to receive a verification code that is sent by the Short Message Service (SMS) to authenticate and reset his password. If an attacker gains this code, he can steal the victim's account (reset password or login directly) to control the IoT device. Although IoT device vendors have already deployed a set of security countermeasures to protect account such as setting expiration time for SMS authentication code, HTTP encryption, and application packing, this paper shows that existing IoT account password reset via SMS authentication code are still vulnerable to brute-force attacks. In particular, we present an automatic brute-force attack to bypass current protections and then crack IoT device user account. Our preliminary study on popular IoT devices such as smart lock, smart watch, smart router, and sharing car has discovered six account login zero-day vulnerabilities.

Potteiger, Bradley, Zhang, Zhenkai, Koutsoukos, Xenofon.  2018.  Integrated Instruction Set Randomization and Control Reconfiguration for Securing Cyber-physical Systems. Proceedings of the 5th Annual Symposium and Bootcamp on Hot Topics in the Science of Security. :5:1–5:10.

Cyber-Physical Systems (CPS) have been increasingly subject to cyber-attacks including code injection attacks. Zero day attacks further exasperate the threat landscape by requiring a shift to defense in depth approaches. With the tightly coupled nature of cyber components with the physical domain, these attacks have the potential to cause significant damage if safety-critical applications such as automobiles are compromised. Moving target defense techniques such as instruction set randomization (ISR) have been commonly proposed to address these types of attacks. However, under current implementations an attack can result in system crashing which is unacceptable in CPS. As such, CPS necessitate proper control reconfiguration mechanisms to prevent a loss of availability in system operation. This paper addresses the problem of maintaining system and security properties of a CPS under attack by integrating ISR, detection, and recovery capabilities that ensure safe, reliable, and predictable system operation. Specifically, we consider the problem of detecting code injection attacks and reconfiguring the controller in real-time. The developed framework is demonstrated with an autonomous vehicle case study.

Ndichu, S., Ozawa, S., Misu, T., Okada, K..  2018.  A Machine Learning Approach to Malicious JavaScript Detection using Fixed Length Vector Representation. 2018 International Joint Conference on Neural Networks (IJCNN). :1–8.

To add more functionality and enhance usability of web applications, JavaScript (JS) is frequently used. Even with many advantages and usefulness of JS, an annoying fact is that many recent cyberattacks such as drive-by-download attacks exploit vulnerability of JS codes. In general, malicious JS codes are not easy to detect, because they sneakily exploit vulnerabilities of browsers and plugin software, and attack visitors of a web site unknowingly. To protect users from such threads, the development of an accurate detection system for malicious JS is soliciting. Conventional approaches often employ signature and heuristic-based methods, which are prone to suffer from zero-day attacks, i.e., causing many false negatives and/or false positives. For this problem, this paper adopts a machine-learning approach to feature learning called Doc2Vec, which is a neural network model that can learn context information of texts. The extracted features are given to a classifier model (e.g., SVM and neural networks) and it judges the maliciousness of a JS code. In the performance evaluation, we use the D3M Dataset (Drive-by-Download Data by Marionette) for malicious JS codes and JSUPACK for benign ones for both training and test purposes. We then compare the performance to other feature learning methods. Our experimental results show that the proposed Doc2Vec features provide better accuracy and fast classification in malicious JS code detection compared to conventional approaches.

Lobato, A. G. P., Lopez, M. A., Sanz, I. J., Cárdenas, A. A., Duarte, O. C. M. B., Pujolle, G..  2018.  An Adaptive Real-Time Architecture for Zero-Day Threat Detection. 2018 IEEE International Conference on Communications (ICC). :1–6.

Attackers create new threats and constantly change their behavior to mislead security systems. In this paper, we propose an adaptive threat detection architecture that trains its detection models in real time. The major contributions of the proposed architecture are: i) gather data about zero-day attacks and attacker behavior using honeypots in the network; ii) process data in real time and achieve high processing throughput through detection schemes implemented with stream processing technology; iii) use of two real datasets to evaluate our detection schemes, the first from a major network operator in Brazil and the other created in our lab; iv) design and development of adaptive detection schemes including both online trained supervised classification schemes that update their parameters in real time and learn zero-day threats from the honeypots, and online trained unsupervised anomaly detection schemes that model legitimate user behavior and adapt to changes. The performance evaluation results show that proposed architecture maintains an excellent trade-off between threat detection and false positive rates and achieves high classification accuracy of more than 90%, even with legitimate behavior changes and zero-day threats.

Kumar, S., Singh, C. Bhim Bhan.  2018.  A Zero-Day Resistant Malware Detection Method for Securing Cloud Using SVM and Sandboxing Techniques. 2018 Second International Conference on Inventive Communication and Computational Technologies (ICICCT). :1397–1402.

Cloud nowaday has become the backbone of the IT infrastructure. Whole of the infrastructure is now being shifted to the clouds, and as the cloud involves all of the networking schemes and the OS images, it inherits all of the vulnerabilities too. And hence securing them is one of our very prior concerns. Malwares are one of the many other problems that have ever growing and hence need to be eradicated from the system. The history of mal wares go long back in time since the advent of computers and hence a lot of techniques has also been already devised to tackle with the problem in some or other way. But most of them fall short in some or other way or are just too heavy to execute on a simple user machine. Our approach devises a 3 - phase exhaustive technique which confirms the detection of any kind of malwares from the host. It also works for the zero-day attacks that are really difficult to cover most times and can be of really high-risk at times. We have thought of a solution to keep the things light weight for the user.