Applications and Techniques in Information Security

As the existing Android operating system doesn’t grant users the permission to manage system hardware. A system-level permission management mechanism of android device is proposed to solve this problem. This mechanism is based on the existing system. The existing Android system framework layer and application layer are modified and extended by using  a control terminal application to control hardware and authorization, the system boot process, SystemProperty and Camera class to implement new system-level permission management mechanism of Android device. Via the mechanism, the security of Android system is improved, a new layer of protection is increased, the control function of hardware resource access is attached, and security threat for the platform is reduced from the system level. Experimental results show that the feasibility of this system privilege management mechanism is high.

The recent trend towards interconnection of all networked objects lets smartphones consolidates its position as a global interface between user and Internet. Smartphones are getting closer to our daily life, and at the same time security threats to privacy of smartphone users continue to proliferate at a rapid rate. Android is the most popular target of attackers among other mobile platforms. Although the Android provides permission based security model, there are still many security weak points which may lead to invasion of smartphone user’s privacy. In this paper, we propose multi-level security model for enhancing Android security. Our security framework assigns security level to application at installation and performs runtime monitoring. We describe an implementation of our security framework, and finally evaluate the security and performance.

The reduction of size of ensemble classifiers is important for various security applications. The majority of known pruning algorithms belong to the following three categories: ranking based, clustering based, and optimization based methods. The present paper introduces and investigates a new pruning technique. It is called a Three-Level Pruning Technique, TLPT, because it simultaneously combines all three approaches in three levels of the process. This paper investigates the TLPT method combining the state-of-the-art ranking of the Ensemble Pruning via Individual Contribution ordering, EPIC, the clustering of the K-Means Pruning, KMP, and the optimisation method of Directed Hill Climbing Ensemble Pruning, DHCEP, for a phishing dataset. Our new experiments presented in this paper show that the TLPT is competitive in comparison to EPIC, KMP and DHCEP, and can achieve better outcomes. These experimental results demonstrate the effectiveness of the TLPT technique in this example of information security application.

Predicting the popularity of online social networks information is an important task for studying the principle of the information diffusion. We here propose a popularity prediction model based on user behavior and historical information given by early popularity. Our approach is validated on datasets consisting of posts on Tianya BBS. Our experimental results show that the prediction accuracy is significantly improved with existing methods. We also analyze the influence of the temporal waveform of information diffusion for the linear prediction model.

The network user behaviors analysis under the big data environment is attractive to network security recently for that it can discover the abnormal user behaviors to prevent the potential threats. However, the user behaviors are dynamic which is difficult to capture the users’ comprehensive behaviors in a single device by capturing or collecting the static dataset. More specially, the increase of the network users, network traffic and network services bring many challenges such as fast data collection, processing and storage. Therefore, we propose and implement a network user behaviors analysis system in this paper, which is based on the Hadoop distribution platform to capture the traffic and analyze the user behaviors in terms of the search keywords, user shopping trends, website posts and replies, and web visited history to acquire the uses’ dynamic behaviors. To evaluate our system, we capture the packets in the campus networks, and the results show that our system can capture the users’ long-term behaviors and acquire the user behaviors in detail.

The chest bitmap is the most widely used in live-firing. The target surface information extraction is the chief question need to be solved for automatic target-scoring system. Therefore, this paper proposes a new low-complexity algorithm for target surface feature information extraction according to the characteristics of the chest ring image. Based on the pre-processing for image, background interference of the image is eliminated by using regional feature elimination algorithm. Besides, target’s eye position is determined by employing gray two-way clipping projection, and all of the effective feature information of the target surface is extracted. The result of simulation shows that the target surface information extraction algorithm for chest bitmap is characterized by low-complexity, short time-consuming and high efficiency, and meets the real-time requirement.

With the development of Trojan horse detection technology, the survivability of the Trojan hidden in the space of operating systems becomes more and more weak. As a result, more kernel hidden and hardware hidden techniques have been proposed and applied to the design of new Trojans. Because of the complexity and diversity of kernel hiding technologies and the emergence of hardware Trojans, detection becomes more and more difficult. We propose a black-box model to simplify the communication processing system of a computer. The modules of complex communication processing in the kernel of the operating system and the hardware are reduced to a black box with two end points. Hidden traffic can be easily extracted regardless of the Trojan hidden technologies. After this, a special-Trojan detection system based on the extraction of the hidden traffic is present. The experimental result has demonstrated the usage of the traffic extract model.

With the widespread use of encryption techniques in network applications, encrypted network traffic has recently become a great challenge for network management. Studies on encrypted traffic classification not only help to improve the network service quality, but also assist in enhancing network security. In this paper, we first introduce the basic information of encrypted traffic classification, emphasizing the influences of encryption on current classification methodology. Then, we summarize the challenges and recent advances in encrypted traffic classification research. Finally, the paper is ended with some conclusions.

The Internet Water Army (IWA) brings a great threat on cyber security. How to accurately recognize the IWA has become a challenging research issue. Most work exploits the behavioral analysis to distinguish IWA and non-IWA. These approaches are mainly divided into categories: direct compute method and training learning method. The direct calculation method mainly relies on crawler, and makes multidimensional eigenvector to detect IWA. Nevertheless, it did not consider the behavior rules based on the time sequence, and just determine the user behavior by feather vector, so the results are not very accurate. The recognition rate also needs to be improved. The second method mainly relies on cluster approaches. However, cluster approaches require pre-determined the number of clustering, which will directly lead to the model over fitting and owe fitting because of inadequate unit number. In this paper we propose a sequential pattern approach based on DPMM for IWA identification. Firstly, we analyze the user behavior of potential IWA and get a feature vector of user behavior. Secondly, we use DPMM to get effective and accurate clustering results. Finally, we use the sequential pattern mining algorithms to detect navy accounts. Our clustering results with datasets come from Tianya forum show a very ideal consequence.

Survivability of networks has emerged as a fundamental concern for network design and operation. The network physical infrastructures are vulnerable to correlated faults from the natural disasters and malicious attack. Particularly, malicious attacks attract more attention rather than natural disasters recently. This paper investigates network survivability in the presence of network attack propagation. Especially, a continuous-time Markov chain model is used to characterize the network survivability performance during the transient period that starts from the attack occurrence, in the subsequent attack propagation, and until the network has been full recovery. On the basis of the model, we compare two different schemes with the transient reward measures. Furthermore, network survivability of each scheme is exemplified for four propagation and repair strategies. The numerical results indicate the scheme with immunized state is more survivable than the scheme without immunized state, which is not only helpful to the survivability of network design but also useful to choose the suitable repair strategies.

Software vulnerability has long been considered an important threat to the system safety. A vulnerability often gets reproduced due to the frequent code reuse by programmers. Security patches are often not propagated to all code clones, however they could be leveraged to discover unknown vulnerabilities. Static auditing approaches are frequently proposed to scan code for security flaws, unfortunately, they often generate too many false positives. While dynamic execution analysis can precisely report vulnerabilities, they are in effective in path exploration which limits them to scale to large programs. In this paper, we propose a scalable approach to discover vulnerabilities in real world programs based on released security patches. We use a fast and scalable syntax-based way to find code clones and then, we verify the code clones using concolic testing to dramatically decrease the false positives. Besides, we mitigate the path explosion problem by backward data tracing in concolic execution. We conducted experiments with real world open source projects (Linux Ubuntu OS distributions and program packages) and we reported 7 real vulnerabilities out of 63 code clones found in Ubuntu 14.04 LTS. In one step further, we have confirmed more code clone vulnerabilities in various versions of programs including Apache and Rsyslog. Meanwhile, we also tested the effectiveness of vulnerability verification with test cases from Juliet Test Suite. The result showed that our verification method achieved 98% accuracy with 0 false positives.

Addressing the problem overlooked by those continuous time worm propagation models, namely it must take each worm instance a certain period of time delay to completely infect a targeted vulnerable host after it has scanned the host, the paper analyzes in depth the reasons which cause the well-known discrete time AAWP model also overestimating the spread speed of active worm propagations. Then the paper puts forward a more proper states transition of vulnerable hosts during active worm propagations. Last but the most important, a new model named Optimized-AAWP is proposed with more reasonable understanding of this time delay, i.e. infection time of a worm, in each round of worm infection. The simulation results show that the Optimized-AAWP model can reflect the important effect of infection time on active worm propagations more accurately.

With the increase use of location-based services, location privacy has recently raised serious concerns. To protect a user from being identified, a cloaked spatial region that contains other k-1 nearest neighbors of the user is used to replace the accurate position. In this paper, we consider location-aware applications that services are different among regions. To search nearest neighbors, we define a novel distance measurement that combines the semantic distance and the Euclidean distance to address the privacy preserving issue in the above-mentioned applications. We also propose an algorithm kNNH to implement our proposed method. The experimental results further suggest that the proposed distance metric and the algorithm can successfully retain the utility of the location services while preserving users’ privacy.

This work presents a novel protocol for privacy preserving network communications, using homomorphic cryptography. The malleability properties of homomorphic encryption allows routing without ever disclosing the sender or receiver of a message, while resisting against basic end-to-end attacks. We first present our protocol in an abstract network model, and instantiate it for ad-hoc networks as a use-case example.

The Knapsack Cryptosystem of Merkle and Hellman, 1978, is one of the earliest public-key cryptography schemes. The security of the method relies on the difficulty in solving Subset Sum Problems (also known as Knapsack Problems). In this paper, we first provide a brief history of knapsack-based cryptosystems and their cryptanalysis attacks. Following that, we review the advances in integer programming approaches to 0 − 1 Knapsack Problems, with a focus on the polyhedral studies of the convex hull of the integer set. Last of all, we discuss potential future research directions in applying integer programming in the cryptanalysis of knapsack ciphers.

This paper reports the increasing popularity of outsourcing academic works by university students motivated by the lure of lucrative dividends and visa opportunities. Due to a lack of formal methods in detecting such transactions, freelance websites are thriving in facilitating the trade of outsourced assignments. This is compounded by the fact that many university staff have neither the time nor training to perform complex media analysis and forensic investigations. This paper proposes a method to aid in the identification of those who outsource assignment works on the most popular site freelancer.com . We include a recent real-world case study to demonstrate the relevancy and applicability of our methodology. In this case study, a suspect attempts to evade detection via use of anti-forensics which demonstrates the capability and awareness of evasion techniques used by students.

Images published on online social sites such as Facebook are increasingly prone to be misused for malicious purposes. However, existing image forensic research assumes that the investigator can confiscate every piece of evidence and hence overlooks the fact that the original image is difficult to obtain. Because Facebook applies a Discrete Cosine Transform (DCT)-based compression on uploaded images, we are able to detect the modified images which are re-uploaded to Facebook. Specifically, we propose a novel method to effectively detect the presence of double compression via the spatial domain of the image: We select small image patches from a given image, define a distance metric to measure the differences between compressed images, and propose an algorithm to infer whether the given image is double compressed without referring to the original image. To demonstrate the correctness of our algorithm, we correctly predict the number of compressions being applied to a Facebook image.

There has been considerable research and use of similarity digests and Locality Sensitive Hashing (LSH) schemes - those hashing schemes where small changes in a file result in small changes in the digest. These schemes are useful in security and forensic applications. We examine how well three similarity digest schemes (Ssdeep, Sdhash and TLSH) work when exposed to random change. Various file types are tested by randomly manipulating source code, Html, text and executable files. In addition, we test for similarities in modified image files that were generated by cybercriminals to defeat fuzzy hashing schemes (spam images). The experiments expose shortcomings in the Sdhash and Ssdeep schemes that can be exploited in straight forward ways. The results suggest that the TLSH scheme is more robust to the attacks and random changes considered.

Password recovery of RAR encrypted file is an important problem in computer forensics. It is difficult to deal with this problem by the traditional methods such as guess, dictionary, rainbow table and brute force. We give a new method based on parallel random search. The new method use a parallel stochastic approach on word selection in the dictionary attack. It can greatly improve the success rate of password recovery. And the experiment shows that the new approach is effective in the password recovery of RAR file.

It is relatively easier for an insider attacker to steal the password of a colleague or use an unattended machine (logged in by other users) within a trusted domain to launch an attack. A simple real-time authentication by password may not work if they have the password. By comparing the stored mouse behavioral profile of the valid user, the system automatically authenticates the user. However, long verification time in existing approaches based on mouse dynamics which mostly last dozens of minutes and probably make masquerader escaped from detection mechanism. In this paper, we proposed a system called PAITS (Practical Authentication with Identity Tracing System) to do re-authentication via comparison of mouse behavior under a short-lived interventional scenario. Mouse movements under the special scenario where the cursor is a bit out of control can capture the user’s unconscious reaction, and then be used for behavioral comparison and detection of malicious masquerader. Our experiments on PAITS demonstrate best result with a FRR of 2.86% and a FAR of 3.23% under probability neural network with 71 features. That is a comparative result against the previous research results, but at the same time significantly shorten the verification time from dozens of minutes to five seconds.

Social engineering attacks the weakest organizational security link – the human. The influx of employees using social media throughout the working environment has presented information security professionals with an extensive array of challenges facing people, process and technology. These challenges also show enormous impact on the confidentiality, integrity and availability of information assets residing within the organization. This paper aims to provide an in-depth insight into classification and mitigation of social engineering security issues faced by enterprises in adopting social media for business use.

The Internet of Things is imposing an evolution of the capabilities of wireless sensor networks. The new IP-based 6LoWPAN standard for low power sensor networks allows an almost seamless connection of local sensor networks to the Internet. On the other hand, the connection to the Internet also opens doors for unauthorized nodes to become part of the local network. The most important challenge in preventing this, is the implementation of a key management architecture, keeping in mind that the sensor nodes are constrained in power consumption and data storage capacity. This paper builds on a previously proposed symmetric key management scheme for 6LoWPAN networks presented by Smeets et al.in [1]. The original scheme is based on wired bootstrapping for the enrollment of new nodes, while the paper at hand proposes a wireless method. We analyze the original wired scheme and propose an improved wireless scheme, elaborating on the practical implementation on Zolertia Z1 nodes running Contiki-OS. We show that it is possible to provide end-to-end security using wireless bootstrapping within the constraints of the tiny nodes at hand.