2015 | Book

International Conference on Security and Privacy in Communication Networks

10th International ICST Conference, SecureComm 2014, Beijing, China, September 24-26, 2014, Revised Selected Papers, Part I

About this book

This 2-volume set constitutes the thoroughly refereed post-conference proceedings of the 10th International Conference on Security and Privacy in Communication Networks, SecureComm 2014, held in Beijing, China, in September 2014. The 27 regular and 17 short papers presented were carefully reviewed. It also presents 22 papers accepted for four workshops (ATCS, SSS, SLSS, DAPRO) in conjunction with the conference, 6 doctoral symposium papers and 8 poster papers. The papers are grouped in the following topics: security and privacy in wired, wireless, mobile, hybrid, sensor, ad hoc networks; network intrusion detection and prevention, firewalls, packet filters; malware, and distributed denial of service; communication privacy and anonymity; network and internet forensics techniques; public key infrastructures, key management, credential management; secure routing, naming/addressing, network management; security and privacy in pervasive and ubiquitous computing; security & privacy for emerging technologies: VoIP, peer-to-peer and overlay network systems; security & isolation in data center networks; security & isolation in software defined networking.

Table of Contents

Frontmatter

Cloud Computing Security

Frontmatter
Inferring the Stealthy Bridges Between Enterprise Network Islands in Cloud Using Cross-Layer Bayesian Networks

Enterprise networks are migrating to the public cloud to acquire computing resources for promising benefits in terms of efficiency, expense, and flexibility. Except for some public services, the enterprise network islands in cloud are expected to be absolutely isolated from each other. However, some “stealthy bridges” may be created to break such isolation due to two features of the public cloud: virtual machine image sharing and virtual machine co-residency. This paper proposes to use cross-layer Bayesian networks to infer the stealthy bridges existing between enterprise network islands. Prior to constructing cross-layer Bayesian networks, cloud-level attack graphs are built to capture the potential attacks enabled by stealthy bridges and reveal hidden possible attack paths. The result of the experiment justifies the cross-layer Bayesian network’s capability of inferring the existence of stealthy bridges given supporting evidence from other intrusion steps in a multi-step attack.

Xiaoyan Sun, Jun Dai, Anoop Singhal, Peng Liu
A Secure Architecture for Inter-cloud Virtual Machine Migration

Virtual machine migration is an important tool that can be used in cloud computing environment for load balancing, disaster recovery, server consolidation, hardware maintenance, etc. Currently a few techniques have been proposed to secure the virtual machine migration process. However, these techniques have a number of limitations, e.g. lack of standard access control, mutual authentication, confidentiality, non-repudiation and integrity of VM data. Some of the techniques provide security services such as mutual authentication using TPM (Trusted Platform Module), however, not all the hardware platforms yet possess the TPM capability. This limits the deployment of such solutions in legacy systems. The architecture, presented in this paper, attempts to overcome these limitations with existing hardware support. In particular, we designed a secure and efficient protocol that migrates virtual machine from source cloud domain to destination cloud domain by considering fundamental security services such as confidentiality, integrity, standard access control and non-repudiation.

Tayyaba Zeb, Abdul Ghafoor, Awais Shibli, Muhammad Yousaf
STRE: Privacy-Preserving Storage and Retrieval over Multiple Clouds

Cloud computing is growing exponentially, whereby there are now hundreds of cloud service providers (CSPs) of various sizes. While the cloud consumers may enjoy cheaper data storage and computation offered in this multi-cloud environment, they are also in face of more complicated reliability issues and privacy preservation problems of their outsourced data. In this paper, we propose a privacy-preserving STorage and REtrieval (STRE) mechanism that not only ensures security and privacy but also provides reliability guarantees for the outsourced searchable encrypted data. The STRE mechanism enables the cloud users to distribute and search their encrypted data in multiple cloud service providers (CSPs), and is robust even when a certain number of CSPs crash. Besides the reliability, STRE also offers the benefit of partially hidden search pattern.

Jingwei Li, Dan Lin, Anna Squicciarini, Chunfu Jia
An Effective Search Scheme Based on Semantic Tree Over Encrypted Cloud Data Supporting Verifiability

With the increasing popularity of cloud computing, more and more sensitive or private information is being outsourced to cloud server. For protecting data privacy, sensitive data are always encrypted before being outsourced. Although the existing searchable encryption schemes enable users to search over encrypted data, these schemes support only exact keyword search, which greatly affects data usability. Moreover, these schemes do not support verifiability of search result. To tackle the challenge, a smart semantic search scheme is proposed in this paper, which returns not only the result of keyword-based exact match, but also the result of keyword-based semantic match. At the same time, the proposed scheme supports the verifiability of search result.

Zhangjie Fu, Jiangang Shu, Xingming Sun
Policy Driven Node Selection in MapReduce

The MapReduce framework has been widely adopted for processing Big Data in the cloud. While efficient, MapReduce offers very complicated (if any) means for users to request nodes that satisfy certain security and privacy requirements to process their data. In this paper, we propose a novel approach to seamlessly integrate node selection control to the MapReduce framework for increasing data security. We define a succinct yet expressive policy language for MapReduce environments, according to which users can specify their security and privacy concerns over their data. Then, we propose corresponding data preprocessing techniques and node verification protocols to achieve strong policy enforcement. Our experimental study demonstrates that, compared to the traditional MapReduce framework, our policy control mechanism allows to achieve data privacy without introducing significant overhead.

Anna C. Squicciarini, Dan Lin, Smitha Sundareswaran, Jingwei Li

Authentication and Identity

Frontmatter
GridMap: Enhanced Security in Cued-Recall Graphical Passwords

Despite their widespread usage, text-based passwords are vulnerable to password cracking as users tend to choose weak passwords. This is mainly because the more secure a password is, the harder it is for a user to remember it. As a promising alternative, various graphical password systems, which take advantage of the fact that humans are more sensitive to visual information than verbal text, have been proposed over the past decade. However, graphical passwords come with their own vulnerabilities, such as high susceptibility to shoulder surfing and hotspots. In this paper, we develop a new cued-recall graphical password system called GridMap by exploring (1) the use of grids with variable input entered through the keyboard, and (2) the use of geopolitical maps as background images. As a result, GridMap is able to achieve high keyspace and resistance to shoulder surfing attacks. To validate the efficacy of GridMap in practice, we conduct a user study with 50 participants. Our experimental results show that GridMap works well in domains in which a user logs in on a regular basis, and provides a memorability benefit if the chosen map has a personal significance to the user.

Nicolas Van Balen, Haining Wang
UAuth: A Strong Authentication Method from Personal Devices to Multi-accounts

In this paper we present UAuth, a two-layer authentication framework that provides more security assurances than two-factor authentication while offering a simpler authentication experience. When authenticating, users first verify their static credentials (such as password, fingerprint, etc.) in the local layer, then submit the OTP-signed response generated by their device to the server to complete the server-layer authentication. We also propose the three-level account association mechanism, which completes the association of devices, users and services, establishing a mapping from a user’s device to the user’s accounts in the Internet. Users can easily gain access to different services via a single personal device. Our goal is to provide a quick and convenient SSO-like login process on the basis of security authentication. To meet the goal, we implement our UAuth, and evaluate our designs.

Yazhe Wang, Mingming Hu, Chen Li
TPM-Based Authentication Mechanism for Apache Hadoop

Hadoop is an open source distributed system for data storage and parallel computations that is widely used. It is essential to ensure the security, authenticity, and integrity of all Hadoop’s entities. The current secure implementations of Hadoop rely on Kerberos, which suffers from many security and performance issues including single point of failure, online availability requirement, and concentration of authentication credentials. Most importantly, these solutions do not guard against malicious and privileged insiders. In this paper, we design and implement an authentication framework for Hadoop systems based on Trusted Platform Module (TPM) technologies. The proposed protocol not only overcomes the shortcomings of the state-of-the-art protocols, but also provides additional significant security guarantees that guard against insider threats. We analyze and compare the security features and overhead of our protocol with the state-of-the-art protocols, and show that our protocol provides better security guarantees with lower optimized overhead.

Issa Khalil, Zuochao Dou, Abdallah Khreishah
An Authentication and Key Management Scheme for Heterogeneous Sensor Networks

Recently, wireless sensor networks have attracted the attention of research community due to their numerous applications especially in mobility scenarios. However it also increases the security threats against confidentiality, integrity and privacy of the information as well as against their connectivity. Hence a proper key management scheme needs to be proposed to secure both information and connectivity as well as provide better authentication in mobility enabled applications. In this paper, we present an authentication and key management scheme supporting node mobility in a heterogeneous sensor network that consists of several low capabilities sensor nodes and few high capabilities sensor nodes. We analyze our proposed solution against well-known attacks (Sybil attacks) to show that it has good resilience against attacks compared to some existing schemes. We also propose two levels of secure authentication methods for the mobile sensor nodes for secure authentication and key establishment.

Sarmadullah Khan, Rafiullah Khan, Inam Bari, Naveed Jan
Social Authentication Identity: An Alternate to Internet Real Name System

Rumors and defamation are now becoming a main threat to Online Social Networks (OSNs). To prevent them, Real Name System (RNS) was proposed, but has been proved vulnerable by the data leakage in South Korea. In this paper, we propose a new identity model, Social Authentication Identity (SAI), to trace rumor-makers. In SAI, only a small number of users (called roots) are required to be authenticated by RNS. And the others are authenticated by vouching of friends, called social authentication. We evaluate factors that affect the efficiency of SAI. Results show that selecting roots in communities is the best strategy, compared with random and maximum degree strategies. We also provide a social tracing mechanism to trace down rumor-makers. Analysis shows our social tracing is robust enough to defend Sybil attacks.

Chengcheng Shao, Liang Chen, Shuo Fan, Xinwen Jiang
On the Usability of Two-Factor Authentication

Smart-card-based password authentication, known as two-factor authentication, is one of the most widely used security mechanisms to validate the legitimacy of a remote client, who must hold a valid smart card and the correct password in order to successfully login the server. So far the research on this domain has mainly focused on developing more secure, privacy-preserving and efficient protocols, which has led to numerous efficient proposals with a diversity of security provisions, yet little attention has been directed towards another important aspect, i.e. the usability of a scheme. This paper focuses on the study of two specific security threats on usability in two-factor authentication. Using two representative protocols as case studies, we demonstrate two types of security threats on usability: (1) Password change attack, which may easily render the smart card completely unusable by changing the password to a random value; and (2) De-synchronization attack, which breaks the consistence of the pseudo-identities between the user and the server. These threats, though realistic in practice, have been paid little attention in the literature. In addition to revealing the vulnerabilities, we discuss how to thwart these security threats and secure the protocols.

Ding Wang, Ping Wang

Network Security

Frontmatter
Securing Resource Discovery in Content Hosting Networks

Secure search query routing is a long-standing problem in distributed networks, which has often been addressed using “all-or-nothing” approaches, that require either full anonymity and encrypted routing or full trust on the routing nodes. An important problem with secure routing is how to guarantee the search query is transmitted in an expected way. In this paper, we tackle the problem of secure routing by considering a generic policy-driven routing approach, and focus on the steps required to verify in a fully distributed manner that a search query is routed in accordance to a requester’s preferences and detect cheating nodes. We present an efficient and effective verification method for query routes, that is agnostic to the specific routing algorithm being used and achieves strong security guarantees. We cast our approach in the context of content dissemination networks (CDN) and show through experimental evaluations the performance of our approach.

Sushama Karumanchi, Jingwei Li, Anna Squicciarini
Detection of Botnet Command and Control Traffic by the Identification of Untrusted Destinations

We present a novel anomaly-based detection approach capable of detecting botnet Command and Control traffic in an enterprise network by estimating the trustworthiness of the traffic destinations. A traffic flow is classified as anomalous if its destination identifier does not originate from: human input, prior traffic from a trusted destination, or a defined set of legitimate applications. This allows for real-time detection of diverse types of Command and Control traffic. The detection approach and its accuracy are evaluated by experiments in a controlled environment.

Pieter Burghouwt, Marcel Spruit, Henk Sips
Keep the Fakes Out: Defending Against Sybil Attack in P2P Systems

Sybil attack is one of the major threats in distributed systems. A number of colluded Sybil peers can pollute and disrupt the system’s key functions. The main idea of defense against Sybil attack is to distinguish the Sybils according to specific rules. Prior works are all limited by attack edges, the connections between normal and Sybil peers. The problem is that the number of attack edges could be huge, resulting in low accuracies. Besides, Sybil peers always present in groups and bring about the bridge problem, which is always ignored. In this paper, we propose KFOut, a light weighted framework for Sybil detection. At the heart of KFOut lie a trust model of social relations and a security mechanism of path notification of K-different paths, which can conquer the bridge problem effectively. We prove through experiments that KFOut can accept normal peers and reject Sybil peers both with high accuracies.

Kan Chen, Peidong Zhu, Yueshan Xiong

Privacy and Wireless Security

Frontmatter
Anonymous Publish-Subscribe Systems

Publish-subscribe protocols offer a unique means of data distribution, that has many applications for distributed systems. These protocols enable message delivery based on subscription rather than specific addressing; meaning a message is addressed by a subject string rather than to a specific recipient. Recipients may then subscribe to subjects they are interested in receiving using a variety of parameters, and receive these messages immediately without having to poll for them. This format is a natural match for anonymous delivery systems: systems that enable users to send messages without revealing their identity. These systems are an area of great interest, ranging from messaging relays like Tor, to publication systems like FreeHaven. However, existing systems do not allow delivery based on topics, a mechanism which is a natural match for anonymous communication since it is not addressed based on identity. We concretely describe the properties of and propose a system that allows publish-subscribe based delivery, while protecting the identities of both the publishers and subscribers from each other, from outside parties, and from entities that handle the implementation of the system.

Binh Vo, Steven Bellovin
Friendly Jamming for Secure Localization in Vehicular Transportation

In this paper we explore the prospect of using friendly jamming for the secure localization of vehicles. In friendly jamming confidential information is obscured from eavesdroppers through the use of opportunistic jamming on the part of the parties engaged in communication. We analyze the effectiveness of friendly jamming and compare it to the traditional localization approaches of distance bounding and verifiable trilateration for similar highway infrastructures. We present our results in terms of the probability of spoofing a given position by maliciously-controlled vehicles.

Bhaswati Deka, Ryan M. Gerdes, Ming Li, Kevin Heaslip
Visual-Assisted Wormhole Attack Detection for Wireless Sensor Networks

Wireless sensor networks (WSNs) are gaining more and more interest in the research community due to their unique characteristics. In addition to energy consumption considerations, security has emerged as an equally important aspect in their network design. This is because WSNs are vulnerable to various types of attacks and to node compromises that threaten the security, integrity, and availability of data that resides in these networked systems. This paper develops a powerful, anomaly detection system that relies on visual analytics to monitor and promptly detect a particularly devastating form of attack, the wormhole attack. Wormhole attacks can severely deteriorate the network performance and compromise the security by disrupting the routing protocols. The proposed system, called VA-WAD, efficiently utilizes the routing dynamics to expose an adversary conducting a wormhole attack. Then, the output of the anomaly detection engine feeds the radial visualization engine of VA-WAD, which further assists the understanding and analysis of the network topology improving the detection accuracy. By employing an outer ring, VA-WAD also records the network security events occurring in the WSN on a 24 h basis. The obtained simulation results demonstrate the system’s visual and anomaly detection efficacy in exposing concurrent wormhole attacks.

Eirini Karapistoli, Panagiotis Sarigiannidis, Anastasios A. Economides
Implementing an Affordable and Effective GSM IMSI Catcher with 3G Authentication

Recently revealed information on secret agencies eavesdropping on the politicians’ phone calls all over the world has shown how common a practice it is. Although the insecurity of the mobile telecommunication system GSM has been known in the scientific community, these events made it clear to the public. Particularly, the extent and usage of such techniques demonstrates its relevance in the current society. In this paper, we will demonstrate techniques used to intercept mobile calls and analyze the feasibility of man-in-the-middle attacks in real-life scenarios. We show how to build an affordable and effective IMSI catcher which works even when mutual authentication between phone and a network is enforced. The methods to detect it and other potential countermeasures are discussed as well.

Max Suraev

System and Software Security

Frontmatter
A Simple and Novel Technique for Counteracting Exploit Kits

Exploit kits have become a major cyber threat over the last few years. They are widely used in both massive and highly targeted cyber attack operations. The exploit kits make use of multiple exploits for major web browsers like Internet Explorer and popular browser plugins such as Adobe Flash and Reader. In this paper, a proactive approach to preventing this prevalent cyber threat from triggering their exploits is proposed. The suggested new technique called AFFAF proactively protects vulnerable systems using a fundamental characteristic of the exploit kits. Specifically, it utilises version information of web browsers and browser plugins. AFFAF is a zero-configuration solution, which means that users do not need to configure anything after installing it. In addition, it is an easy-to-employ methodology from the perspective of plugin developers. We have implemented a lightweight prototype and have shown that AFFAF enabled vulnerable systems can counteract 50 real-world and one locally deployed exploit kit URLs. Tested exploit kits include popular and well-maintained ones such as Blackhole 2.0, Redkit, Sakura, Cool and Bleeding Life 2. We have also demonstrated that the false positive rate of AFFAF is virtually zero, and it is robust enough to be effective against real web browser plugin scanners.

Byungho Min, Vijay Varadharajan
Policy Enforcement Point Model

As information systems become more complex and dynamic, Policy Decision Points (PDPs) and Policy Enforcement Points (PEPs) follow the same trend. It becomes thus increasingly important to model the capabilities of these PDPs and PEPs, both in terms of coverage, dependencies and scope. In this paper, we focus on Policy Enforcement Points to model the objects on which they may enforce security constraints. This model, called the PEP Responsibility Domain (RD(PEP)), is built based on the configuration of the PEP following a bottom-up approach. This model can then be applied to multiple use cases, three of them are shown as examples in this paper, including policy evaluation and intrusion detection assessment and alert correlation.

Yosra Ben Mustapha, Hervé Debar, Gregory Blanc
Control Flow Obfuscation Using Neural Network to Fight Concolic Testing

Concolic testing is widely regarded as the state-of-the-art technique in dynamic discovering and analyzing trigger-based behavior in software programs. It uses symbolic execution and an automatic theorem prover to generate new concrete test cases to maximize code coverage for scenarios like software verification and malware analysis. While malicious developers usually try their best to hide malicious executions, there are also circumstances in which legitimate reasons are presented for a program to conceal trigger-based conditions and the corresponding behavior, which leads to the demand of control flow obfuscation techniques. We propose a novel control flow obfuscation design based on the incomprehensibility of artificial neural networks to fight against reverse engineering tools including concolic testing. By training neural networks to simulate conditional behaviors of a program, we manage to precisely replace essential points of a program’s control flow with neural network computations. Evaluations show that since the complexity of extracting rules from trained neural networks easily goes beyond the capability of program analysis tools, it is infeasible to apply concolic testing on code obfuscated with our method. Our method also incorporates only basic integer operations and simple loops, thus can be hard to be distinguished from regular programs.

Haoyu Ma, Xinjie Ma, Weijie Liu, Zhipeng Huang, Debin Gao, Chunfu Jia
EFS: Efficient and Fault-Scalable Byzantine Fault Tolerant Systems Against Faulty Clients

Byzantine fault tolerant (BFT) protocols enhance system safety and availability in asynchronous networks, despite the arbitrary faults at both servers and clients. A practical BFT system should be efficient in both contention-free and contending cases, and fault scalable (i.e., efficiently tolerating the increasing number of server faults). However, few existing BFT systems completely satisfy this robustness requirement of efficiency. In this paper, we propose EFS, the first BFT solution that provides good efficiency and fault-scalability, in various cases (i.e. faulty or not, contending or not). EFS is a hybrid BFT system consisting of an efficient and fault scalable quorum protocol for the contention-free case and a fast agreement protocol to resolve contention in a fault-scalable manner. More importantly, its server-directed mode switch does not rely on digital signature nor introduce any extra communication overhead. This lightweight switch counters the vulnerability in the existing hybrid BFT systems, where faulty clients can simply send contending requests to degrade the performance significantly. The experiment results on the EFS prototype demonstrate robust fault tolerance.

Quanwei Cai, Jingqiang Lin, Fengjun Li, Qiongxiao Wang, Daren Zha
SCADS: Separated Control- and Data-Stacks

Despite the fact that protection mechanisms like StackGuard, ASLR and NX are widespread, the development on new defense strategies against stack-based buffer overflows has not yet come to an end. In this paper, we present a compiler-level protection called SCADS: Separated Control- and Data-Stacks. In our approach, we protect return addresses and saved frame pointers on a separate stack, called the Control-Stack (CS). In common computer programs, a single user mode stack is used to store control information next to data buffers. By separating control information from the Data-Stack (DS), we protect sensitive pointers of a program’s control flow from being overwritten by buffer overflows. As we make control flow information simply unreachable for buffer overflows, many exploits are stopped at an early stage of progression with only little performance overhead. To substantiate the practicability of our approach, we provide SCADS as an open source patch for the LLVM compiler infrastructure for AMD64 hosts.

Christopher Kugler, Tilo Müller

Crypto

Frontmatter
Improving the Security of the HMQV Protocol Using Tamper-Proof Hardware

The full Perfect Forward Secrecy (PFS) is an important security property for Authenticated Key Exchange (AKE) protocols. Unfortunately, Krawczyk has claimed that any one-round implicitly authenticated key exchange protocol could not achieve full PFS but only weak PFS. Although some solutions are proposed in the literature, their protocols maintain secure only in the cases of additional authentication and a constrained adversary. In this paper, we investigate the question of whether tamper-proof hardware can circumvent the full PFS deficiency of one-round implicitly authenticated key exchange protocols. We answer this question in the affirmative by formally proving that the most efficient one-round implicitly authenticated key exchange protocol, HMQV, achieves full PFS under the physical assumption of regarding the existence of tamper-proof hardware.

Qianying Zhang, Shijun Zhao, Yu Qin, Dengguo Feng
TST: A New Randomness Test Method Based on Coupon Collector’s Problem

In this paper we find that a random sequence is expected to obey a new interesting distribution, and the coefficient of variation of this distribution approximates the value of golden section ratio, the difference between these two numbers is only 0.000797. As this interesting property, this newfound distribution is derived from Coupon Collector’s Problem and founded by the uniformity of frequency. Based on this distribution a new method is proposed to evaluate the randomness of a given sequence. Through the new method, the binary and decimal expansions of e, $\pi$, $\sqrt{2}$, $\sqrt{3}$ and the bits generated by Matlab are concluded to be random. These sequences can pass NIST tests and also pass our test. At the same time, we test some sequences generated by a physical random number generator WNG8. However, these sequences can pass the NIST tests but cannot pass our test. In particular, the new test is easy to be implemented, very fast and thus well suited for practical applications. We hope this test method could be a supplement of other test methods.

Qinglong Zhang, Zongbin Liu, Quanwei Cai, Ji Xiang
Tree-Based Multi-dimensional Range Search on Encrypted Data with Enhanced Privacy

With searchable encryption, a data user is able to perform meaningful search on encrypted data stored in the public cloud without revealing data privacy. Besides handling simple queries (e.g., keyword queries), complex search functions, such as multi-dimensional (conjunctive) range queries, have also been studied in several approaches to provide search functionalities over multi-dimensional data. However, current works supporting multi-dimensional range queries either only achieve linear search complexity or reveal additional private information to the public cloud. In this paper, we propose a tree-based symmetric-key searchable encryption to support multi-dimensional range queries on encrypted data. Besides protecting data privacy, our proposed scheme is able to achieve faster-than-linear search, query privacy and single-dimensional privacy simultaneously compared to previous solutions. More specifically, we formally define the security of our proposed scheme, prove that it is selectively secure, and demonstrate its faster-than-linear efficiency with experiments over a real-world dataset.

Boyang Wang, Yantian Hou, Ming Li, Haitao Wang, Hui Li, Fenghua Li
Hardware Implementation of Cryptographic Hash Function Based on Spatiotemporal Chaos

A hardware implementation of novel hash generator, namely LDHG, is proposed in this paper which is based on a spatiotemporal chaos algorithm. The proposed hash generator includes a spatiotemporal chaos algorithm computing module, message input/output port, data cache and hash code generation module. The hardware design process, security and performance evaluation are presented. Using the message authorization in smart grid as an application example, experimental results show that the proposed hash generator is irreversible, sensitive to the message and chaos parameters. It can efficiently defend the attack of invasion and forgery and the hardware area overhead is relatively low.

Yuling Luo, Junxiu Liu, Lvchen Cao, Jinjie Bi, Senhui Qiu
An Information-Theoretic Approach for Secure Protocol Composition

Privacy protection has become a crucial issue in the information era. In recent years, many protocols have been developed to accomplish computational tasks collaboratively without revealing the participants’ private data. However, developing protocols for each individual application would not be practical. The more natural and efficient approach would be utilizing basic protocols as building blocks for the construction of complex protocol. In this paper, we proposed the concept of t-certified protocols, which are protocols that are secure when t parties are under the influence of a semi-honest adversary. A composition theorem is given to specify the conditions for secure composition of t-certified protocols, and a framework for constructing complex protocols is developed. We have adopted an information theoretical approach, and believe that it will be a viable alternative to the classic simulator approach, which is based on the concept of indistinguishability between the ideal model and the real model.

Yi-Ting Chiang, Tsan-Sheng Hsu, Churn-Jung Liau, Yun-Ching Liu, Chih-Hao Shen, Da-Wei Wang, Justin Zhan

Mobile Security

Frontmatter
Towards a Systematic Study of the Covert Channel Attacks in Smartphones

Recently, there has been great attention on smartphone security and privacy due to the increasing number of users and the wide range of apps. Mobile operating systems such as Android provide mechanisms for data protection by restricting the communication between apps within the device. However, malicious apps can still overcome such restrictions via various means, such as exploiting software vulnerabilities in the system or using covert channels for data transfer. In this paper, we aim to systematically analyze various resources available on Android for the possible use of covert channels between two malicious apps. From our systematized analysis, we identify two new hardware resources, namely battery and phone call, that can also be used as covert channels. We also find new features to enrich the existing approaches for better covert channels, such as using the audio volume and screen brightness. Our experimental results show that high-throughput data transmission can be achieved using these resources for covert channel attacks.

Swarup Chandra, Zhiqiang Lin, Ashish Kundu, Latifur Khan
DroidKin: Lightweight Detection of Android Apps Similarity

The appearance of the Android platform and its popularity has resulted in a sharp rise in the number of reported vulnerabilities and consequently in the number of mobile threats. Leveraging the openness of Android app markets and the lack of security testing, malware authors commonly plagiarize Android applications (e.g., through code reuse and repackaging), boosting the amount of malware on the markets and consequently the infection rate. In this paper, we present DroidKin, a robust approach for the detection of Android app similarity. Based on a set of characteristics derived from the binary and the metadata accompanying it, DroidKin is able to detect similarity among applications under various levels of obfuscation. DroidKin performs analysis pinpointing similarities between applications and identifying their relationships. We validated our approach on a set of manually prepared Android applications and evaluated it with datasets made available by three recent studies: the Android Malware Genome project, Drebin, and DroidAnalytics. These data sets showed that several relations exist between the samples. Finally, we performed a large-scale study of over 8,000 Android applications from Google Play and the Virus Total service.

Hugo Gonzalez, Natalia Stakhanova, Ali A. Ghorbani
Detecting Malicious Behaviors in Repackaged Android Apps with Loosely-Coupled Payloads Filtering Scheme

Recently, the security problem of Android applications has been increasingly prominent. In this paper, we propose a novel approach to detect malicious behaviors in loosely-coupled repackaged Android apps. We extract and modify the FCG of an app based on its loosely-coupled property, and divide it into several sub-graphs to identify primary module and its related modules. In each remaining sub-graph, API calls are added and sensitive API paths are extracted for dynamic instrumentation on top of APIMonitor. The experiments are conducted with 438 malwares and 1529 apps from two third-party Android markets. Through manual verification, we confirm 5 kinds of malwares in 16 apps detected by our approach. And the detection rate of collected malwares reaches 99.77 %. The reduction rate of monitored functions reaches 42.95 % with 98.79 % of malicious functions being successfully saved. The time spent on static and dynamic analysis is 74.9 s and 16.0 s on average.

Lulu Zhang, Yongzheng Zhang, Tianning Zang
Defending Blind DDoS Attack on SDN Based on Moving Target Defense

Software Defined Networking (SDN) provides a new network solution by decoupling the control plane and data plane from the closed and proprietary implementations of traditional network devices. With its promisingly advanced architecture, SDN represents the future development trend of networks. In its typical structure, collaborative interaction between one controller and multiple switches forms a centralized network topology. Playing a key role in this network architecture, the controller in SDN is very vulnerable to single point of failure. What is worse, the emergence of the Blind DDoS attack against SDN’s special structure increases its risks. To address this challenge, we introduce a Moving Target Defense (MTD) system to defend against the Blind DDoS attack. The approach adopts a multi-controller pool to solve the saturation problem, and it can dynamically shift the controllers connecting to switches according to the density of flood flow. By randomly delaying the scanning packets and filtering the flood with a route-map, this MTD system can effectively resist the Blind DDoS attack and protect the availability and reliability of SDN.

Duohe Ma, Zhen Xu, Dongdai Lin
Function Escalation Attack

The prevalence of smartphone makes it more important in people’s business and personal life which also helps it to be a target of the malware. In this paper, we introduce a new kind of attack called Function Escalation Attack which obtains functions locally or remotely. We present three threat models: Steganography, Collusion Attack and Code Abusing. A vulnerability in Android filesystem which is used in code abusing threat model is exposed as well. Three proof-of-concept malicious apps are implemented for each threat model. They could bypass static analysis and dynamic analysis. The result shows that function escalation attack could successfully perform malicious tasks such as taking pictures, recording audio and so on.

Chen Cao, Yuqing Zhang, Qixu Liu, Kai Wang
RAMSES: Revealing Android Malware Through String Extraction and Selection

The relevance of malicious software targeting mobile devices has been increasing in recent years. Smartphones, tablet computers or embedded devices in general represent one of the most spread computing platform worldwide and an unsecure usage can cause unprecedented damage to private users, companies and public institutions. To help in identifying malicious software on mobile platforms, we propose RAMSES, an approach based on the static content stored as strings within an application. First we extract the contents of strings, transforming applications into documents, then using information retrieval techniques, we select the most relevant features based on frequency metrics, and finally we classify applications using machine learning algorithms relying on such features. We evaluate our methods using real datasets of Android applications and show promising results for detection.

Lautaro Dolberg, Quentin Jérôme, Jérôme François, Radu State, Thomas Engel
Detecting Mobile Malware with TMSVM

With the rapid development of Android devices, mobile malware in Android becomes more prevalent. Therefore, it is rather important to develop an effective model for malware detection. Permissions, system calls, and control flow graphs have been proved to be important features in detection. In this paper, we utilize both static and dynamic strategies with a text classification method, TMSVM, to identify the mobile malware in these three aspects. At first, features have to be selected. Since the sum of control flow graphs is very large, Chi-Square method is used to get the key graphs. Then features are transformed into vectors and TMSVM is subsequently applied to get the classification result. In the static method, we firstly analyze permissions and control flow graphs respectively and then think of the combination of them. In the dynamic method, the system calls are considered. At last, based on the results of the static method and dynamic method, a hybrid classification model of three layers classification is proposed. Compared with the other methods, our method increases the TPR and decreases the FPR.

Xi Xiao, Xianni Xiao, Yong Jiang, Qing Li

Posters

Frontmatter
Research on Credible Regulation Mechanism for the Trading of Digital Works

Digital works, as a particular commodity in the trading process, are difficult to count: content providers cannot accurately obtain the actual sales data, and moreover cannot guarantee the integrity of trading data. This paper presents a trading data management model with a trusted third party for copyright protection. The trusted third-party management platform hedges the uploaded data from the authority party and the seller party to facilitate supervision of the trading, effectively resolves the credibility and non-repudiation of trading, and provides the basis of proof for the trading count to resolve disputes. At the same time, it makes these invisible digital products measurable. For this reason, it can protect the legitimate interests of publishers and copyright owners.

Guozhen Shi, Ying Shen, Fenghua Li, Mang Su, Dong Liu
Coordination and Concurrency Aware Likelihood Assessment of Simultaneous Attacks

To avoid improper responses against attacks, current systems rely on the Attack Likelihood metric. Referring to NIST, Attack Likelihood considers the attack’s complexity, the attackers’ motivation, and potential responses. Previous work on Likelihood assessment is limited to individual attacks, thereby missing the coordination and concurrency aspects between attackers. Moreover, it does not fulfill all NIST factors. Hence, we propose in this paper a new framework to properly assess the Likelihood of Individual, Coordinated, and Concurrent Attack Scenarios (LICCAS). We first use a coordination-aware game-theoretic approach to derive an Attack Likelihood equation. Then, we propose an algorithm to assess the Scenario Likelihood of each attack scenario, considering the concurrency between attackers. We finally experiment with LICCAS on a VoIP use case to demonstrate its relevance.

Léa Samarji, Nora Cuppens-Boulahia, Frédéric Cuppens, Serge Papillon, Wael Kanoun, Samuel Dubus
Domain Algorithmically Generated Botnet Detection and Analysis

To detect domains used by botnets and generated by algorithms, a new technique is proposed to analyze the query difference between algorithmically generated domains and legal domains, based on the fact that every domain name in the domain group generated by one botnet has similar live time and query style. We look for suspicious domains in DNS traffic, and use change distance to verify these suspicious domains used by botnets. Then we try to describe botnet change rate and change scope using domain change distance. Through deploying our system at operators’ RDNS, experiments were carried out to validate the effectiveness of the detection method. The experiment result shows that the method can detect algorithmically generated domains used by botnets.

Xiaolin Xu, Yonglin Zhou, Qingshan Li
Towards Improving Service Accessibility by Adaptive Resource Distribution Strategy

Along with the rapid development of Internet, accessibility has become one of the most basic and important requirements for Internet service. Service resource, the knowledge that can help users get access to the service finally, is the focus of accessibility confrontation between the adversary and Internet services. Most of current resource distribution strategies adopt the “many access points” design and limit the number of service resources distributed to any user. However, current design is vulnerable to enumeration attack where an adversary can enumerate many service resources under the disguise of many pseudonyms (Sybil identities). To mitigate this challenge, an adaptive resource distribution strategy based on trust management is proposed in this paper. Under this strategy, user’s trust is adjusted according to his behavior. Both client puzzle and the resources assigned to the user are dynamically generated according to his trust value. Simulation result indicates that, this strategy can distinguish honest users from adversary Sybils, thus increasing the difficulty for an attacker to enumerate service resources while ensuring access to service for honest users.

Jinqiao Shi, Xiao Wang, Binxing Fang, Qingfeng Tan, Li Guo
Hybrid Detection Using Permission Analysis for Android Malware

The growth of malicious applications poses a great threat to the Android platform. In order to detect Android malware, this paper proposes a hybrid detection method based on permission. Firstly, applications are detected according to their permissions so that benign and malicious applications can be discriminated. Secondly, suspicious applications are run in order to collect the function calls related to sensitive permissions. Then suspicious applications are represented in a vector space model and their feature vectors are calculated by TF-IDF algorithm. Finally, the detection of suspicious applications is completed via security detection techniques adopting Euclidean distance and cosine similarity. At the end of this paper, an experiment including 982 samples is used as an empirical validation. The result shows that our method has a true positive rate at 91.2 % and a false positive rate at 2.1 %.

Haofeng Jiao, Xiaohong Li, Lei Zhang, Guangquan Xu, Zhiyong Feng
Content Security Scheme for Content Centric Networks

Content Centric Networking (CCN) is a recently proposed internet paradigm that is based on content abstraction rather than host abstraction. People nowadays are interested in content and it does not matter from which locations they get the required content. A content-requesting node has to make sure, while receiving content from a content publisher, whether the publisher and its content are trustable or not. To validate the authenticity of content on each node, an effective security scheme should be developed. In this paper we propose a content security scheme for CCN. We analyzed the performance of the proposed scheme using the ccnSim simulator and its security validation using the AVISPA tool.

Fawad Khan, Sarmad Ullah Khan, Inam Bari
Detection of Food Safety Topics Based on SPLDAs

Nowadays, the problems of food safety are more and more serious. This paper focuses on network topic detection of food safety problems, which is difficult because of several reasons, such as various description of a same problem and sparseness of the data. In this paper, a novel method based on Single-pass in LDA space is proposed to detect the food safety problems from various sources, such as microblog and news reports. The experiments show that the method could detect food safety topics efficiently. The F-measure value of clustering almost increases from 56.03 % to 87.21 %, compared with Single-Pass based on traditional VSM. In addition, experiments about the influence of similarity parameter to models’ performance demonstrate that our method has a better robustness.

Jinshuo Liu, Yabo Li, Yingyue Peng, Juan Deng, Xin Chen
Platform Neutral Sandbox for Analyzing Malware and Resource Hogger Apps

In this paper, we propose an automated, scalable, and dynamic analysis framework incorporating static anti anti-analysis techniques to detect analysis-environment-aware Android malware and Resource Hogger apps. The proposed framework can automatically trigger malicious execution by sending simulated User-Interface (UI) events and Intent broadcasts. The proposed approach is scalable and platform invariant for different Android OS versions.

Parvez Faruki, Vijay Kumar, Ammar B., M. S. Gaur, Vijay Laxmi, Mauro Conti

Web Security

Frontmatter
JumpBox – A Seamless Browser Proxy for Tor Pluggable Transports

Anonymity systems such as Tor are being blocked by many countries, as they are increasingly being used to circumvent censorship systems. As a response, several pluggable transport (proxy) systems have been developed that obfuscate the first hop of the Tor circuit (i.e., the connection between the Tor client and the bridge node). In this paper, we tackle a common challenge faced by all web-based pluggable transports – the need to perfectly emulate the complexities of a web-browser and web-server. To that end, we propose a new system called the JumpBox that readily integrates with existing pluggable transports and avoids emulation by forwarding the HTTP/HTTPS requests through a real browser and webserver. We evaluate our system using multiple pluggable transports and demonstrate that it imposes minimal additional overhead.

Jeroen Massar, Ian Mason, Linda Briesemeister, Vinod Yegneswaran
Abusing Browser Address Bar for Fun and Profit - An Empirical Investigation of Add-On Cross Site Scripting Attacks

Add-on JavaScript originating from users’ inputs to the browser brings new functionalities such as debugging and entertainment, however it also leads to a new type of cross-site scripting attack (defined as add-on XSS by us), which consists of two parts: a snippet of JavaScript in clear text, and a spamming sentence enticing benign users to input the previous JavaScript. In this paper, we focus on the most common add-on XSS, the one caused by browser address bar JavaScript. To measure the severity, we conduct three experiments: (i) analysis on real-world traces from two large social networks, (ii) a user study by means of recruiting Amazon Mechanical Turks [4], and (iii) a Facebook experiment with a fake account. We believe as the first systematic and scientific study, our paper can ring a bell for all the browser vendors and shed a light for future researchers to find an appropriate solution for add-on XSS.

Yinzhi Cao, Chao Yang, Vaibhav Rastogi, Yan Chen, Guofei Gu
Characterizing Google Hacking: A First Large-Scale Quantitative Study

Google Hacking continues to be abused by attackers to find vulnerable websites on the current Internet. Through searching specific terms of vulnerabilities in search engines, attackers can easily and automatically find a lot of vulnerable websites on a large scale. However, less work has been done to study the characteristics of vulnerabilities targeted by Google Hacking (e.g., what kind of vulnerabilities are typically targeted by Google Hacking? What kind of vulnerabilities usually have a large victim population? What is the impact of Google Hacking and how easy is it to defend against Google Hacking?). In this paper, we conduct the first quantitative characterization study of Google Hacking. Starting from 997 Google Dorks used in Google Hacking, we collect a total of 305,485 potentially vulnerable websites, and 6,301 verified vulnerable websites. From these vulnerabilities and potentially vulnerable websites, we study the characteristics of vulnerabilities targeted by Google Hacking from different perspectives. We find that web-related CVE vulnerabilities may not fully reflect the tastes of Google Hacking. Our results show that only a few specially chosen vulnerabilities are exploited in Google Hacking. Specifically, attackers only target certain categories of vulnerabilities and prefer vulnerabilities with a high severity score but low attack complexity. Old vulnerabilities are also preferred in Google Hacking. To defend against Google Hacking, simply modifying a few keywords in web pages can defeat 65.5 % of Google Hacking attacks.

Jialong Zhang, Jayant Notani, Guofei Gu
Detecting Malicious Sessions Through Traffic Fingerprinting Using Hidden Markov Models

Almost any malware attack involves data communication between the infected host and the attacker host/server allowing the latter to remotely control the infected host. The remote control is achieved through opening different types of sessions such as remote desktop, webcam video streaming, file transfer, etc. In this paper, we present a traffic analysis based malware detection technique using Hidden Markov Model (HMM). The main contribution is that the proposed system does not only detect malware infections but also identifies with precision the type of malicious session opened by the attacker. The empirical analysis shows that the proposed detection system has a stable identification precision of 90 % and that it allows to identify between 40 % and 75 % of all malicious sessions in typical network traffic.

Sami Zhioua, Adnene Ben Jabeur, Mahjoub Langar, Wael Ilahi
Backmatter
Metadata
Title
International Conference on Security and Privacy in Communication Networks
Edited by
Jing Tian
Jiwu Jing
Mudhakar Srivatsa
Copyright Year
2015
Electronic ISBN
978-3-319-23829-6
Print ISBN
978-3-319-23828-9
DOI
https://doi.org/10.1007/978-3-319-23829-6