Journal of Computer Virology and Hacking Techniques: Latest Articles

Using deep graph learning to improve dynamic analysis-based malware detection in PE files
Journal of Computer Virology and Hacking Techniques Pub Date : 2023-10-20 DOI: 10.1007/s11416-023-00505-x
Minh Tu Nguyen, Viet Hung Nguyen, Nathan Shone
Abstract: Detecting zero-day malware in Windows PE files using dynamic analysis techniques has proven to be far more effective than traditional signature-based methods. One specific approach that has emerged in recent years is the use of graphs to represent executable behavior, which can be subsequently used to learn patterns. However, many current graph representations omit key parameter information, meaning that the behavioral impact of variable changes cannot be reliably understood. To combat these shortcomings, we present a new method for malware detection by applying a graph attention network on multi-edge directional heterogeneous graphs constructed from API calls. The experiments show that the TPR and FPR scores demonstrated by our model achieve better performance than those from other related works.
Citations: 0
Cryptanalysis of RSA with composed decryption exponent with few most significant bits of one of the primes
Journal of Computer Virology and Hacking Techniques Pub Date : 2023-10-20 DOI: 10.1007/s11416-023-00508-8
R. Santosh Kumar, K. L. N. C. Prakash, S. R. M. Krishna
Abstract: RSA is a well-known public-key cryptosystem in modern-day cryptography. Since the inception of RSA, several attacks have been proposed on RSA. The Boneh–Durfee attack is the most prominent and they showed that if the secret exponent is less than 0.292, RSA is completely vulnerable. In this paper, we further investigate the vulnerability of RSA whenever a secret exponent is large and the composite form with a few most significant bits of one of the primes exposed. Having a large secret exponent can avoid the Boneh–Durfee attack, but in this attack, we show that even though the secret exponent is large and has some specialized structure then RSA is still vulnerable. We follow the Jochemsz and May strategy for constructing the lattice, and the LLL algorithm is used for lattice reduction. Our attack outperforms most of the previous attacks.
Citations: 0
Protection against adversarial attacks with randomization of recognition algorithm
Journal of Computer Virology and Hacking Techniques Pub Date : 2023-10-05 DOI: 10.1007/s11416-023-00503-z
Grigory Marshalko, Svetlana Koreshkova
Abstract: We study a randomized variant of one type of biometric recognition algorithms, which is intended to mitigate adversarial attacks. We show that the problem of an estimation of the security of the proposed algorithm can be formulated in the form of an estimation of statistical distance between the probability distributions, induced by the initial and the randomized algorithm. A variant of practical password-based implementation is discussed. The results of experimental evaluation are given. The preliminary version of this research was presented at CTCrypt 2020 workshop.
Citations: 0
Provably minimum data complexity integral distinguisher based on conventional division property
Journal of Computer Virology and Hacking Techniques Pub Date : 2023-09-28 DOI: 10.1007/s11416-023-00502-0
Akram Khalesi, Zahra Ahmadian
Abstract: Division property is an effective method for finding integral distinguishers for block ciphers, performing cube attacks on stream ciphers, and studying the algebraic degree of boolean functions. One of the main problems in this field is how to provably find the smallest input multiset leading to a balanced output. In this paper, we propose a new method, using the division property, to find integral distinguishers for permutation functions and block ciphers, with provably-minimum data complexity, in the conventional division property model. The new method is based on a precise and efficient analysis of the target output bit’s algebraic normal form. We examine the proposed method on LBlock, TWINE, SIMON, Present, Gift, and Clyde-128 block ciphers. Although in most cases, the results are consistent with the distinguishers reported in previous work, their optimality is proved, in the conventional division property model. Moreover, the proposed method can find distinguishers for 8-round Clyde-128 with less data complexity than previously reported. Based on the proposed method, we also develop an algorithm capable of determining the maximum number of balanced output bits for integral distinguishers with a certain number of active bits. Accordingly, for the ciphers under study, we determine the maximum number of balanced bits for integral distinguishers with data complexities set to minimum and slightly higher, resulting in improved distinguishers for Gift-64, Present, and SIMON64, in the conventional model.
Citations: 1
Explainable Ransomware Detection with Deep Learning Techniques
Journal of Computer Virology and Hacking Techniques Pub Date : 2023-09-27 DOI: 10.1007/s11416-023-00501-1
Giovanni Ciaramella, Giacomo Iadarola, Fabio Martinelli, Francesco Mercaldo, Antonella Santone
Abstract: Globally, the number of internet users increases every year. As a matter of fact, we use technological devices to surf the internet, for online shopping, or just to relax and keep our relationships by spending time on social networks. By doing any of those actions, we release information that can be used in many ways, such as targeted advertising via cookies but also abused by malicious users for scams or theft. On the other hand, many detection systems have been developed with the aim to counteract malicious actions. In particular, special attention has been paid to the malware, designed to perpetrate malicious actions inside software systems and widespread through internet networks or e-mail messages. In this paper, we propose a deep learning model aimed to detect ransomware. We propose a set of experiments aimed to demonstrate that the proposed method obtains good accuracy during the training and test phases across a dataset of over 15,000 elements. Moreover, to improve our results and interpret the output obtained from the models, we have also exploited the Gradient-weighted Class Activation Mapping.
Citations: 0
Mal2GCN: a robust malware detection approach using deep graph convolutional networks with non-negative weights
Journal of Computer Virology and Hacking Techniques Pub Date : 2023-09-27 DOI: 10.1007/s11416-023-00498-7
Omid Kargarnovin, Amir Mahdi Sadeghzadeh, Rasool Jalili
Abstract: With the growing use of Deep Learning (DL) to tackle various problems, securing these models against adversaries has become a primary concern for researchers. Recent studies have shown that DL-based malware detectors are vulnerable to adversarial examples. An adversary can create carefully crafted adversarial examples to evade DL-based malware detectors. In this paper, we propose Mal2GCN, a robust malware detection model that uses Function Call Graph (FCG) representation of executable files combined with Graph Convolution Network (GCN) to detect Windows malware. Since the FCG representation of executable files is more robust than the raw byte sequence representation, numerous proposed adversarial example generating methods are ineffective in evading Mal2GCN. Moreover, we use the non-negative training method to transform Mal2GCN into a monotonically non-decreasing function; thereby, making it theoretically robust against appending attacks. Besides, experimental results on a collected dataset of PE executables demonstrate that Mal2GCN can detect malware with 98.15% accuracy, outperforming its counterparts. We then present a black-box source code-based adversarial malware generation approach that can be used to evaluate the robustness of malware detection models against real-world adversaries. This approach injects adversarial code into various locations of malware source code, aiming to evade malware detection models. The experiments indicate that Mal2GCN with non-negative weights achieves high accuracy in detecting Windows malware while also exhibiting robustness against adversarial attacks that add benign features to the malware source code.
Citations: 4
Use of cryptography in malware obfuscation
Journal of Computer Virology and Hacking Techniques Pub Date : 2023-09-25 DOI: 10.1007/s11416-023-00504-y
Hassan Jameel Asghar, Benjamin Zi Hao Zhao, Muhammad Ikram, Giang Nguyen, Dali Kaafar, Sean Lamont, Daniel Coscia
Abstract: Malware authors often use cryptographic tools such as XOR encryption and block ciphers like AES to obfuscate part of the malware to evade detection. Use of cryptography may give the impression that these obfuscation techniques have some provable guarantees of success. In this paper, we take a closer look at the use of cryptographic tools to obfuscate malware. We first find that most techniques are easy to defeat (in principle), since the decryption algorithm and the key are shipped within the program. In order to clearly define an obfuscation technique’s potential to evade detection we propose a principled definition of malware obfuscation, and then categorize instances of malware obfuscation that use cryptographic tools into those which evade detection and those which are detectable. We find that schemes that are hard to de-obfuscate necessarily rely on a construct based on environmental keying. We also show that cryptographic notions of obfuscation, e.g., indistinguishability and virtual black box obfuscation, may not guarantee evasion detection under our model. However, they can be used in conjunction with environmental keying to produce hard to de-obfuscate versions of programs.
Citations: 0
Machine learning methods for speech emotion recognition on telecommunication systems
Journal of Computer Virology and Hacking Techniques Pub Date : 2023-09-16 DOI: 10.1007/s11416-023-00500-2
Alexey Osipov, Ekaterina Pleshakova, Yang Liu, Sergey Gataullin
Abstract: The manuscript is devoted to the study of human behavior in stressful situations using machine learning methods, which depends on the psychotype, socialization and a host of other factors. Global mobile subscribers lost approximately $53 billion in 2022 due to phone fraud and unwanted calls, with almost half (43%) of subscribers having spam blocking or caller ID apps installed. Phone scammers build their conversation focusing on the behavior of a certain category of people. Previously, a person is introduced into a state of acute stress, in which his further behavior to one degree or another can be manipulated. We were allowed to single out the target audience by research by Juniper Research. These are men under the age of 44 who have the highest risk of being deceived by scammers. This significantly narrows the scope of research and allows us to limit the behavioral features of this particular category of subscribers. In addition, this category of people uses modern gadgets, which allows researchers not to consider outdated models; has stable health indicators, which allows not to conduct additional studies of people with diseases of the heart system, because their percentage in this sample is minimal; and also most often undergoes a polygraph interview, for example, when applying for a job, and this allows us to get a sample sufficient for training the neural network. To teach the method, polygrams were used, marked by a polygraph examiner and a psychologist of healthy young people who underwent a scheduled polygraph test for company loyalty. For testing, the readings of the PPG sensor built into the smart bracelet were taken and analyzed within a month from young people who underwent a polygraph test. We have developed a modification of the wavelets capsular neural network—2D-CapsNet, allowing to identify the state of panic stupor by classification quality indicators: Accuracy—86.0%, Precision—84.0%, Recall = 87.5% and F-score—85.7%, according to the photoplethysmogram graph (PPG), which does not allow him to make logically sound decisions. When synchronizing a smart bracelet with a smartphone, the method allows real-time tracking of such states, which makes it possible to respond to a call from a telephone scammer during a conversation with a subscriber. The proposed method can be widely used in cyber-physical systems in order to detect illegal actions.
Citations: 0
Editorial special issue: Russian research in cybersecurity
Journal of Computer Virology and Hacking Techniques Pub Date : 2023-08-02 DOI: 10.1007/s11416-023-00494-x
Vladimir Fomichev, Alisa Koreneva
Abstract: This special issue covers works of Russian researchers on cybersecurity, fundamental and applied information security problems, tackling computer network security as well as development and analysis of hardware and software security tools. Here we provide 12 selected papers on different topics within the above-described scope. We would like to make special mention of the invited paper “Undocumented x86 instructions to control the CPU at the microarchitecture level in modern Intel processors”, which introduces two undocumented x86 architecture instructions which are intended to read and write Intel processors microcode data.
Citations: 0
DHCP DoS and starvation attacks on SDN controllers and their mitigation
Journal of Computer Virology and Hacking Techniques Pub Date : 2023-05-30 DOI: 10.1007/s11416-023-00483-0
Hafiz Usama Ishtiaq, Areeb Ahmed Bhutta, Adnan Noor Mian
Abstract: Software Defined Networking (SDN) technology offers possibilities to improve network administration through a separate central controller for network switching devices. However, security in SDN is a critical issue and SDN faces new challenges due to shared protocols, inherits flaws from traditional networks and control flexibility. Dynamic Host Configuration Protocol (DHCP) is a crucial protocol for SDN, but DHCP itself poses a security risk to SDN. In our study we performed security analysis for DHCP attacks on RYU, OpenDaylight and Floodlight, three popular SDN controllers. Our research demonstrates that they are vulnerable to starvation attacks and denial of service attacks by flooding DHCP discovery messages, slowing down networks and overloading controllers. In order to address these problems, we looked at state-of-the-art DHCP security approaches and evaluated their performance on these SDN controllers. We proposed and implemented a DHCP security algorithm on the RYU controller based on our analysis. Our solution utilizes flexibility of SDN controller to identify discovery flood packets and verify authentic hosts to mitigate effects of DHCP attacks. Furthermore, the proposed solution transfers the authentic flows to switch for reduction in controller load. We demonstrate that without significant computational load the suggested method successfully rejects malicious DHCP packets, restores the IP address pool, and mitigates the harmful network consequences of DHCP-related attacks. The proposed solution improves the throughput by 3.6 times, transferred data by 66.8%, CPU usage by 93.9% and packet loss by 95% compared to the conventional RYU controller.
Citations: 1