Flow-based Anomaly Detection Using Access Behavior Profiling and Time-sequenced Relation Mining

( Weixin Liu ),( Kangfeng Zheng ),( Bin Wu ),( Chunhua Wu ),( Xinxin Niu ) 한국인터넷정보학회 2016 KSII Transactions on Internet and Information Syst Vol.10 No.6

Emerging attacks aim to access proprietary assets and steal data for business or political motives, such as Operation Aurora and Operation Shady RAT. Skilled Intruders would likely remove their traces on targeted hosts, but their network movements, which are continuously recorded by network devices, cannot be easily eliminated by themselves. However, without complete knowledge about both inbound/outbound and internal traffic, it is difficult for security team to unveil hidden traces of intruders. In this paper, we propose an autonomous anomaly detection system based on behavior profiling and relation mining. The single-hop access profiling model employ a novel linear grouping algorithm PSOLGA to create behavior profiles for each individual server application discovered automatically in historical flow analysis. Besides that, the double-hop access relation model utilizes in-memory graph to mine time-sequenced access relations between different server applications. Using the behavior profiles and relation rules, this approach is able to detect possible anomalies and violations in real-time detection. Finally, the experimental results demonstrate that the designed models are promising in terms of accuracy and computational efficiency.

A Nature-inspired Multiple Kernel Extreme Learning Machine Model for Intrusion Detection

( Yanping Shen ),( Kangfeng Zheng ),( Chunhua Wu ),( Yixian Yang ) 한국인터넷정보학회 2020 KSII Transactions on Internet and Information Syst Vol.14 No.2

The application of machine learning (ML) in intrusion detection has attracted much attention with the rapid growth of information security threat. As an efficient multi-label classifier, kernel extreme learning machine (KELM) has been gradually used in intrusion detection system. However, the performance of KELM heavily relies on the kernel selection. In this paper, a novel multiple kernel extreme learning machine (MKELM) model combining the ReliefF with nature-inspired methods is proposed for intrusion detection. The MKELM is designed to estimate whether the attack is carried out and the ReliefF is used as a preprocessor of MKELM to select appropriate features. In addition, the nature-inspired methods whose fitness functions are defined based on the kernel alignment are employed to build the optimal composite kernel in the MKELM. The KDD99, NSL and Kyoto datasets are used to evaluate the performance of the model. The experimental results indicate that the optimal composite kernel function can be determined by using any heuristic optimization method, including PSO, GA, GWO, BA and DE. Since the filter-based feature selection method is combined with the multiple kernel learning approach independent of the classifier, the proposed model can have a good performance while saving a lot of training time.

WORM-HUNTER: A Worm Guard System using Software-defined Networking

( Yixun Hu ),( Kangfeng Zheng ),( Xu Wang ),( Yixian Yang ) 한국인터넷정보학회 2017 KSII Transactions on Internet and Information Syst Vol.11 No.1

Network security is rapidly developing, but so are attack methods. Network worms are one of the most widely used attack methods and have are able to propagate quickly. As an active defense approach to network worms, the honeynet technique has long been limited by the closed architecture of traditional network devices. In this paper, we propose a closed loop defense system of worms based on a Software-Defined Networking (SDN) technology, called Worm-Hunter. The flexibility of SDN in network building is introduced to structure the network infrastructures of Worm-Hunter. By using well-designed flow tables, Worm-Hunter is able to easily deploy different honeynet systems with different network structures and dynamically. When anomalous traffic is detected by the analyzer in Worm-Hunter, it can be redirected into the honeynet and then safely analyzed. Throughout the process, attackers will not be aware that they are caught, and all of the attack behavior is recorded in the system for further analysis. Finally, we verify the system via experiments. The experiments show that Worm-Hunter is able to build multiple honeynet systems on one physical platform. Meanwhile, all of the honeynet systems with the same topology operate without interference.

Using Genetic Algorithm for Optimal Security Hardening in Risk Flow Attack Graph

( Fangfang Dai ),( Kangfeng Zheng ),( Binwu ),( Shoushan Luo ) 한국인터넷정보학회 2015 KSII Transactions on Internet and Information Syst Vol.9 No.5

Network environment has been under constant threat from both malicious attackers and inherent vulnerabilities of network infrastructure. Existence of such threats calls for exhaustive vulnerability analyzing to guarantee a secure system. However, due to the diversity of security hazards, analysts have to select from massive alternative hardening strategies, which is laborious and time-consuming. In this paper, we develop an approach to seek for possible hardening strategies and prioritize them to help security analysts to handle the optimal ones. In particular, we apply a Risk Flow Attack Graph (RFAG) to represent network situation and attack scenarios, and analyze them to measure network risk. We also employ a multi-objective genetic algorithm to infer the priority of hardening strategies automatically. Finally, we present some numerical results to show the performance of prioritizing strategies by network risk and hardening cost and illustrate the application of optimal hardening strategy set in typical cases. Our novel approach provides a promising new direction for network and vulnerability analysis to take proper precautions to reduce network risk.

User Identification Using Real Environmental Human Computer Interaction Behavior

( Tong Wu ),( Kangfeng Zheng ),( Chunhua Wu ),( Xiujuan Wang ) 한국인터넷정보학회 2019 KSII Transactions on Internet and Information Syst Vol.13 No.6

In this paper, a new user identification method is presented using real environmental human-computer-interaction (HCI) behavior data to improve method usability. User behavior data in this paper are collected continuously without setting experimental scenes such as text length, action number, etc. To illustrate the characteristics of real environmental HCI data, probability density distribution and performance of keyboard and mouse data are analyzed through the random sampling method and Support Vector Machine(SVM) algorithm. Based on the analysis of HCI behavior data in a real environment, the Multiple Kernel Learning (MKL) method is first used for user HCI behavior identification due to the heterogeneity of keyboard and mouse data. All possible kernel methods are compared to determine the MKL algorithm’s parameters to ensure the robustness of the algorithm. Data analysis results show that keyboard data have a narrower range of probability density distribution than mouse data. Keyboard data have better performance with a 1-min time window, while that of mouse data is achieved with a 10-min time window. Finally, experiments using the MKL algorithm with three global polynomial kernels and ten local Gaussian kernels achieve a user identification accuracy of 83.03% in a real environmental HCI dataset, which demonstrates that the proposed method achieves an encouraging performance.

A Hybrid PSO-BPSO Based Kernel Extreme Learning Machine Model for Intrusion Detection

Yanping Shen,Kangfeng Zheng,Chunhua Wu 한국정보처리학회 2022 Journal of information processing systems Vol.18 No.1

With the success of the digital economy and the rapid development of its technology, network security hasreceived increasing attention. Intrusion detection technology has always been a focus and hotspot of research. A hybrid model that combines particle swarm optimization (PSO) and kernel extreme learning machine(KELM) is presented in this work. Continuous-valued PSO and binary PSO (BPSO) are adopted together todetermine the parameter combination and the feature subset. A fitness function based on the detection rate andthe number of selected features is proposed. The results show that the method can simultaneously determinethe parameter values and select features. Furthermore, competitive or better accuracy can be obtained usingapproximately one quarter of the raw input features. Experiments proved that our method is slightly better thanthe genetic algorithm-based KELM model.

Feature Selection to Mine Joint Features from High-dimension Space for Android Malware Detection

( Yanping Xu ),( Chunhua Wu ),( Kangfeng Zheng ),( Xinxin Niu ),( Tianling Lu ) 한국인터넷정보학회 2017 KSII Transactions on Internet and Information Syst Vol.11 No.9

Android is now the most popular smartphone platform and remains rapid growth. There are huge number of sensitive privacy information stored in Android devices. Kinds of methods have been proposed to detect Android malicious applications and protect the privacy information. In this work, we focus on extracting the fine-grained features to maximize the information of Android malware detection, and selecting the least joint features to minimize the number of features. Firstly, permissions and APIs, not only from Android permissions and SDK APIs but also from the developer-defined permissions and third-party library APIs, are extracted as features from the decompiled source codes. Secondly, feature selection methods, including information gain (IG), regularization and particle swarm optimization (PSO) algorithms, are used to analyze and utilize the correlation between the features to eliminate the redundant data, reduce the feature dimension and mine the useful joint features. Furthermore, regularization and PSO are integrated to create a new joint feature mining method. Experiment results show that the joint feature mining method can utilize the advantages of regularization and PSO, and ensure good performance and efficiency for Android malware detection.

Detecting Malicious Social Robots with Generative Adversarial Networks

( Bin Wu ),( Le Liu ),( Zhengge Dai ),( Xiujuan Wang ),( Kangfeng Zheng ) 한국인터넷정보학회 2019 KSII Transactions on Internet and Information Syst Vol.13 No.11

Malicious social robots, which are disseminators of malicious information on social networks, seriously affect information security and network environments. The detection of malicious social robots is a hot topic and a significant concern for researchers. A method based on classification has been widely used for social robot detection. However, this method of classification is limited by an unbalanced data set in which legitimate, negative samples outnumber malicious robots (positive samples), which leads to unsatisfactory detection results. This paper proposes the use of generative adversarial networks (GANs) to extend the unbalanced data sets before training classifiers to improve the detection of social robots. Five popular oversampling algorithms were compared in the experiments, and the effects of imbalance degree and the expansion ratio of the original data on oversampling were studied. The experimental results showed that the proposed method achieved better detection performance compared with other algorithms in terms of the F1 measure. The GAN method also performed well when the imbalance degree was smaller than 15%.