Malicious Behavior Detection Research Articles

A resilient control strategy for networked multi-agent systems subject to covert attacks

In this paper, a resilient distributed control scheme against covert attacks for multi-agent networked systems subject to input and state constraints is developed. The idea consists in a clever deployment of predictive arguments with a twofold aim: detection of malicious agent behaviors affecting the normal system operations and consequent specific control actions implementation to mitigate as much as possible undesirable knock-on effects resulting from adversary actions. Specifically, the multi-agent system is organized in terms of a grid topology and set-theoretic receding horizon control ideas are exploited to develop a distributed algorithm capable to recognize the attacked agent. In essence, the resulting solution relies on the combined use of predictive control and set-invariance ideas that are exploited to generate redundant control sequences randomly selected on the actuator side such that the malicious agent is never aware about the effective control action indeed exploited. As a consequence, countermeasures on the sensor-to-controller channel could lead to significantly erroneous data not complying with the expected evolution of the system modeling. Finally, numerical simulations are carried out to show benefits and effectiveness of the proposed approach.

Edge-centric trust management in vehicular networks

A major objective of vehicular networking is to improve road safety and reduce traffic congestion. The experience of individual vehicles on traffic conditions and travel situations can be shared with other vehicles for improving their route planning and driving decisions. Nevertheless, the frequent occurrence of adversary vehicles in the network may affect the overall network performance and safety. These vehicles may behave intelligently to avoid detection. To effectively control and monitor such security threats, an efficient Trust Management system should be employed to identify the trustworthiness of individual vehicles and detect malicious drivers which is the major focus of this work. We propose a hybrid solution, which integrates Edge Computing and Multi-agent modeling in a Trust Management system for vehicular networks. The proposed solution also aims to overcome the limitations of the two commonly utilized approaches in this context: cloud computing and Peer-to-Peer (P2P) networking. Our framework has a set of features that make it an efficient platform to address the major security challenges in vehicular networks including latency, scalability, uncertainty, data accessibility, and malicious behavior detection. Performance of the approach is evaluated by simulating a realistic environment. Experimental results show that the proposed approach outperforms similar approaches from literature for various performance indicators.

A Review on Machine Learning Approaches for Network Malicious Behavior Detection in Emerging Technologies.

Network anomaly detection systems (NADSs) play a significant role in every network defense system as they detect and prevent malicious activities. Therefore, this paper offers an exhaustive overview of different aspects of anomaly-based network intrusion detection systems (NIDSs). Additionally, contemporary malicious activities in network systems and the important properties of intrusion detection systems are discussed as well. The present survey explains important phases of NADSs, such as pre-processing, feature extraction and malicious behavior detection and recognition. In addition, with regard to the detection and recognition phase, recent machine learning approaches including supervised, unsupervised, new deep and ensemble learning techniques have been comprehensively discussed; moreover, some details about currently available benchmark datasets for training and evaluating machine learning techniques are provided by the researchers. In the end, potential challenges together with some future directions for machine learning-based NADSs are specified.

Behavior analysis and blockchain based trust management in VANETs

The development of vehicular ad hoc networks (VANETs) is facing great challenges. Due to the open environment in VANETs, the false information sent by malicious vehicles not only affects the fairness of information interaction but also seriously threatens the driving safety of normal vehicles. Therefore, the study of trust evaluation and management in VANETs has become hot topics in recent years. In this paper, we propose a trust management model of VANETs based on blockchain. In this model, a hidden markov model (HMM) based vehicle trust evaluation method that improve the accuracy on the detection of malicious behavior is proposed. Besides, a trust management method based on the alliance chain is designed, which greatly improves the efficiency of trust updating and querying on the premise of security. Simulation results show that the model is promising and feasible, effective in the aspects of trust evaluation and trust management.

DSSAM: digitally signed secure acknowledgement method for mobile ad hoc network

Mobile ad hoc network (MANET) is an infrastructure-less, self-motivated, arbitrary, self-configuring, rapidly changing, multi-hop network that is self-possessing wireless bandwidth-conscious links without centrally managed router support. In such a network, wireless media is easy to snoop. It is firm to the surety to access any node, easier to insertion of bad elements or attackers for malicious activities in the network. Therefore, security issues become one of the significant considerations for such kind of networks. The deployment of an effective intrusion detection system is important in order to provide protection against various attacks. In this paper, a Digitally Signed Secure Acknowledgement Method (DSSAM) with the use of the RSA digital signature has been proposed and simulated. Three different parameters are considered, namely secure acknowledgment, node authentication, and packet authentication for study. This article observes the DSSAM performance and compares it with two existing standard methods, namely Watchdog and 2-ACK under standard Dynamic Source Routing (DSR) routing environment. In the end, it is noticed that the rate of detection of malicious behaviour is better in the case of the proposed method. However, associated overheads are high. A trade-off between performance and overhead has been considered.

Finding Needles in a Moving Haystack: Prioritizing Alerts with Adversarial Reinforcement Learning

Detection of malicious behavior is a fundamental problem in security. One of the major challenges in using detection systems in practice is in dealing with an overwhelming number of alerts that are triggered by normal behavior (the so-called false positives), obscuring alerts resulting from actual malicious activities. We introduce a novel approach for computing a policy for prioritizing alerts using adversarial reinforcement learning. Our approach assumes that the attacker knows the full state of the detection system and the defender's alert prioritization policy, and will dynamically choose an optimal attack. The first step of our approach is to capture the interaction between the defender and attacker in a game theoretic model. To tackle the computational complexity of solving this game to obtain a dynamic stochastic alert prioritization policy, we propose an adversarial reinforcement learning framework. In this framework, we use neural reinforcement learning to compute best response policies for both the defender and the adversary to an arbitrary stochastic policy of the other. We then use these in a double-oracle framework to obtain an approximate equilibrium of the game, which in turn yields a robust stochastic policy for the defender. We use case studies in network intrusion and fraud detection to demonstrate that our approach is effective in creating robust alert prioritization policies.1

On the Detection of Malicious Behaviors against Introspection Using Hardware Architectural Events

On the Detection of Malicious Behaviors against Introspection Using Hardware Architectural Events

A hybrid machine learning approach for malicious behaviour detection and recognition in cloud computing

The rapid growth of new emerging computing technologies has encouraged many organizations to outsource their data and computational requirements. Such services are expected to always provide security principles such as confidentiality, availability and integrity; therefore, a highly secure platform is one of the most important aspects of Cloud-based computing environments. A considerable improvement over traditional security strategies is achieved by understanding how malware behaves over the entire behavioural space. In this paper, we propose a new approach to improve the capability of Cloud service providers to model users' behaviours. We applied a particle swarm optimization-based probabilistic neural network (PSO-PNN) for the detection and recognition process. In the first module of the recognition process, we meaningfully converted the users’ behaviours to an understandable format and then classified and recognized the malicious behaviours by using a multi-layer neural network. We took advantage of the UNSW-NB15 dataset to validate the proposed solution by characterizing different types of malicious behaviours exhibited by users. Evaluation of the experimental results shows that the proposed method is promising for use in security monitoring and recognition of malicious behaviours.

Modified zone based intrusion detection system for security enhancement in mobile ad hoc networks

Mobile Ad hoc Networks (MANETs) have gained great interests owing to their dynamic and smoothness of exploitation. Conversely, the wireless and energetic nature adds exposed to different types of protection attacks than the other kind of networks. In this kind of attacks, it is essential to expand proficient intrusion-detection system to prevent MANET from different attacks. In this paper, we recommend a new intrusion-detection system called Modified Zone Based Intrusion Detection System (MZBIDS) for MANETs. Evaluated to contemporary methodologies, MZBIDS exhibits superior malicious behavior-detection ratios in convinced situations whereas it may not significantly influence performance of entire network.

Are free Android app security analysis tools effective in detecting known vulnerabilities?

Increasing interest in securing the Android ecosystem has spawned numerous efforts to assist app developers in building secure apps. These efforts have resulted in tools and techniques capable of detecting vulnerabilities (and malicious behaviors) in apps. However, there has been no evaluation of the effectiveness of these tools and techniques in detecting known vulnerabilities. The absence of such evaluations puts app developers at a disadvantage when choosing security analysis tools to secure their apps. In this regard, we evaluated the effectiveness of vulnerability detection tools for Android apps. We reviewed 64 tools and empirically evaluated 14 vulnerability detection tools (incidentally along with five malicious behavior detection tools) against 42 known unique vulnerabilities captured by Ghera benchmarks, which are composed of both vulnerable and secure apps. Of the 24 observations from the evaluation, the main observation is existing vulnerability detection tools for Android apps are very limited in their ability to detect known vulnerabilities -- all of the evaluated tools together could only detect 30 of the 42 known unique vulnerabilities. More effort is required if security analysis tools are to help developers build secure apps. We hope the observations from this evaluation will help app developers choose appropriate security analysis tools and persuade tool developers and researchers to identify and address limitations in their tools and techniques. We also hope this evaluation will catalyze or spark a conversation in the software engineering and security communities to require a more rigorous and explicit evaluation of security analysis tools and techniques.

Research on reliability of Internet of Things RFID based on improved random hash protocol and cooperative game in low-carbon supply chain environment

With the maturity of RFID technology and the rapid development of mobile intelligent terminals, the Internet of Things (IOT) has attracted more and more attention and will become another revolution after the Internet. However, compared with traditional Internet applications, Internet of Things applications supported by RFID devices and intelligent terminals have more complex and serious security problems. For example, trust mechanism and malicious behavior detection have become the key issues to be solved in the construction of secure and trusted Internet of Things. The in-depth analysis and research of trust mechanism is of great significance to improve the security of the infrastructure of the Internet of Things and even the whole security system of the Internet of Things. Aiming at the relevant requirements of Internet of Things credibility in low-carbon supply chain environment, this paper proposes an improved random hash protocol and assistant game-based RFID credibility of Internet of Things. Combining with random oracle model security theory (ROM), experiments are carried out with data. A collaborative game method is proposed. Through collaboration with intra-agency nodes, inconsistent nodes and their observations are analyzed. Experiments show that simple game and cooperative game can effectively suppress malicious attacks in normal networks and malicious node–dominated networks, respectively. The protocol achieves the advantages of access authentication, anonymity security, anti-retransmit, anti-traceability, data accountability, time-scaling, and cost-effectiveness, and can effectively enhance the credibility of the Internet of Things in a low-carbon supply chain environment.

Trust-based security routing mechanism in mobile social networks

Malicious and selfish behaviors represent a serious security threat against routing in mobile social networks (MSN). Due to MSN’s unique network characteristics, such as sociability, mobility and diversity, it is a challenge to design a misbehavior detection scheme in MSN. To improve the security in MSN routing, a trust-based security routing mechanism is presented in this paper, i.e., a malicious behavior detection mechanism with identity verification scheme. The main idea is to introduce the behavior trust and the identity trust to guide the routing. Firstly, we judge a node’s behavior based on both comprehensive trust and social relationship strength. And then, we forward messages according to the different measurement within and outside the friend groups. We also propose a distributed key management scheme which can issue, verify or revoke certificates based on the evaluation of the social relationship strength. We further improve the efficiency of the proposed mechanism by verifying the identity trust of the node. The simulation results indicate that the proposed routing mechanism can lower the impact of malicious behavior of nodes effectively and it has greater security performance than some classical routing algorithms do.

MALDC: a depth detection method for malware based on behavior chains

Malicious behavior detection is a key topic that has been a focus in the field of intrusion detection. Current intrusion detection systems are primarily based on single-point monitoring and detection and cannot detect attack modes with a hidden attack frequency. The idea presented in this paper is the incorporation of API call sequence software into the analysis and the construction of behavior chains to express the behavior patterns in software. This paper introduces related definitions of behavioral points and behaviors and proposes a depth-detection method for malware based on behavior chains (MALDC). The method monitors behavior points based on API calls and then uses the calling sequence of those behavior points at runtime to construct a behavior chain. Finally, we use depth detection method based on long short-term memory(LSTM) to detect malicious behavior from the behavior chains. To verify the performance of the proposed model, we conducted a large experiment on 54,324 malware and 53,361 benign samples collected from Windows systems and used those samples to train and test the model. Comparative verification by using various classifiers showed that the behavior points extracted based on the above method and the constructed behavior chains can be used to recognize malicious behavior at a high recognition rate. The method achieved an accuracy of 98.64% with a false positive rate of less than 2% in the best case, which is a satisfactory recognition rate for detecting malicious software behavior.

Metamorphic malicious code behavior detection using probabilistic inference methods

Existing antivirus programs detect malicious code based on fixed signatures; therefore, they have limitations in detecting metamorphic malicious code that lacks signature information or possesses circumventing code inserted into it. Research on the methods for detecting this type of metamorphic malicious code primarily focuses on techniques that can detect code based on behavioral similarity to known malicious code. However, these techniques measure the degree of similarity with existing malicious code using API function call patterns. Therefore, they have certain disadvantages, such as low accuracy and large detection times. In this paper, we propose a method which can overcome the limitations of existing methods by using the FP-Growth algorithm, a data mining technique, and the Markov Logic Networks algorithm, a probabilistic inference method. To perform a comparative evaluation of the proposed method's malicious code behavior detection, we performed inference experiments using malicious code with an inserted code for random malicious behavior. We performed experiments to select optimal weights for each inference rule to improve our malicious code behavior inferences’ accuracy. The results of experiments, in which we performed a comparative evaluation with the General Bayesian Network, showed that the proposed method had an 8% higher classification performance.

Chained Anomaly Detection Models for Federated Learning: An Intrusion Detection Case Study

The adoption of machine learning and deep learning is on the rise in the cybersecurity domain where these AI methods help strengthen traditional system monitoring and threat detection solutions. However, adversaries too are becoming more effective in concealing malicious behavior amongst large amounts of benign behavior data. To address the increasing time-to-detection of these stealthy attacks, interconnected and federated learning systems can improve the detection of malicious behavior by joining forces and pooling together monitoring data. The major challenge that we address in this work is that in a federated learning setup, an adversary has many more opportunities to poison one of the local machine learning models with malicious training samples, thereby influencing the outcome of the federated learning and evading detection. We present a solution where contributing parties in federated learning can be held accountable and have their model updates audited. We describe a permissioned blockchain-based federated learning method where incremental updates to an anomaly detection machine learning model are chained together on the distributed ledger. By integrating federated learning with blockchain technology, our solution supports the auditing of machine learning models without the necessity to centralize the training data. Experiments with a realistic intrusion detection use case and an autoencoder for anomaly detection illustrate that the increased complexity caused by blockchain technology has a limited performance impact on the federated learning, varying between 5 and 15%, while providing full transparency over the distributed training process of the neural network. Furthermore, our blockchain-based federated learning solution can be generalized and applied to more sophisticated neural network architectures and other use cases.

Malicious behaviour classification in web logs based on an improved Xgboost algorithm

Attacks against web servers are one of the most serious threats in security fields. Attackers are able to make the computer systems more vulnerable. Analysing the web logs is one of the most effective methods to identify malicious behaviours. In this study, we consider the analysis of HTTP requests in web logs to classify malicious behaviour into multiple categories. At present, web attacks are so complex that single layer classification model is unable to deal with the emerging attacks, in particular, there is a limitation that category features cannot be added to single layer model. Motivated by this, we propose an improved Xgboost algorithm, which uses the method of constructing candidate attacks to attain higher accuracy for malicious behaviour detection. The experimental results show that, compared to other machine learning algorithms, the improved Xgboost algorithm we proposed performs better. Besides, after extracting the important features, it not only does not affect the effectiveness of the algorithm model, but also improves the computational efficiency.

Software behaviour analysis method based on behaviour template

This paper proposes a software behaviours analysis method based on behaviour template (SABT), which according to the context of source code, builds a behaviour template to detect software malicious behaviour based on function transfer map and minimum function blocks. In the present research, many methods used state transfer diagram to build software behaviour model. Our method is based on the corresponding relationship between the functions and system call sequence, which ensures the accuracy of the malicious behaviour detection. Compared with traditional methods, such as N-gram, FSA, and Var-gram, SABT can get higher cover rate of code and detect abnormal behaviour more effectively and efficiently.

Malicious behaviour classification in web logs based on an improved Xgboost algorithm

Attacks against web servers are one of the most serious threats in security fields. Attackers are able to make the computer systems more vulnerable. Analysing the web logs is one of the most effective methods to identify malicious behaviours. In this study, we consider the analysis of HTTP requests in web logs to classify malicious behaviour into multiple categories. At present, web attacks are so complex that single layer classification model is unable to deal with the emerging attacks, in particular, there is a limitation that category features cannot be added to single layer model. Motivated by this, we propose an improved Xgboost algorithm, which uses the method of constructing candidate attacks to attain higher accuracy for malicious behaviour detection. The experimental results show that, compared to other machine learning algorithms, the improved Xgboost algorithm we proposed performs better. Besides, after extracting the important features, it not only does not affect the effectiveness of the algorithm model, but also improves the computational efficiency.

UAV-assisted technique for the detection of malicious and selfish nodes in VANETs

Detecting malicious and selfish nodes is an important task in Vehicular Adhoc NETworks (VANETs). Various proposals adopted trust management as an alternative solution since it is less costly than cryptography-based solution in terms of computation delay and mobility support. However, the existing solutions assume that, in general, the attackers have always a dishonest behavior that persists over time. This assumption may be misleading, as the attackers can behave intelligently to avoid being detected. Moreover, pseudonyms changing strategies to preserve vehicles' privacy are another issue to take into account. In this paper, a new solution for the detection of intelligent malicious behaviors based on the adaptive detection threshold is proposed. In addition to the detection of malicious nodes, our solution relies on Unmanned Aerial Vehicles to face the negative impact of pseudonym changes on the detection process. Our solution also incites attackers to behave well since any malicious behavior will be immediately detected thanks to the adaptive detection threshold adopted. Simulation results depict the high efficiency of our proposal at ensuring high ratios for both detection and packet delivery.

An enhanced performance through agent-based secure approach for mobile ad hoc networks

ABSTRACTThis paper proposes an agent-based secure enhanced performance approach (AB-SEP) for mobile ad hoc network. In this approach, agent nodes are selected through optimal node reliability as a factor. This factor is calculated on the basis of node performance features such as degree difference, normalised distance value, energy level, mobility and optimal hello interval of node. After selection of agent nodes, a procedure of malicious behaviour detection is performed using fuzzy-based secure architecture (FBSA). To evaluate the performance of the proposed approach, comparative analysis is done with conventional schemes using performance parameters such as packet delivery ratio, throughput, total packet forwarding, network overhead, end-to-end delay and percentage of malicious detection.