
Current Issue

    25 December 2007, Volume 28 Issue 12
    Academic paper
    Worm detection and signature extraction based on communication characteristics
    Yi XIN,Bin-xing FANG,Long-tao HE,Xiao-chun YUN,Zhi-dong LI
    2007, 28(12):  1-7.  doi:1000-436X(2007)12-0001-07

    A worm detection and signature extraction technique was presented based on the analysis of similar communication characteristics. It identifies the distinctive communication pattern of worm spread, evaluates a similarity metric over sets of communication characteristics, and detects worms by detecting their infectivity, giving higher detection precision, generality and adaptability. On this basis, a heuristic detection framework is designed that eliminates non-worm traffic at three levels (protocol, sequence and content) via blind, intent and lock tracking, then filters out worm packets and extracts signatures. The technique dramatically reduces the data collection volume and analysis cost, and can detect worms and extract signatures quickly in environments with strong background noise.

    HoneyBow:an automated malware collection tool based on the high-interaction honeypot principle
    Jian-wei ZHUGE,Xin-hui HAN,Yong-lin ZHOU,Cheng-yu SONG,Jin-peng GUO,Wei ZOU
    2007, 28(12):  8-13.  doi:1000-436X(2007)12-0008-06

    Malware has become one of the most severe threats to the public Internet. To deal with malware outbreaks effectively and as early as possible, an automated malware collection solution must be implemented as a precondition. An automated malware collection tool called HoneyBow was presented, based on the high-interaction honeypot principle. Compared with the Nepenthes platform, which is based on the low-interaction honeypot principle, HoneyBow has the advantages of a wider range of captured malware samples and the capability to collect unknown malware samples; both are validated by experimental results from wild malware collection and by the case of handling Mocbot.

    Port scan detection algorithms based on statistical traffic features
    Ping-hui WANG,Qing-hua ZHENG,Guo-lin NIU,Xiao-hong GUAN,Zhong-min CAI
    2007, 28(12):  14-18.  doi:1000-436X(2007)12-0014-05

    A slow port scan detection method was presented based on statistical traffic features. Two statistical features were selected to represent the traffic: the ratio between the number of hosts and the number of ports a host communicates with, and the similarity of the port sets. The CUSUM and wavelet transform methods were employed to analyze these features and detect slow port scan behaviour. Experimental results show that the proposed methods detect port scans efficiently and correctly, with low false negative and false positive rates compared with Snort.
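
    The following is an added example, not code from the paper, of the host/port ratio feature combined with a one-sided CUSUM detector; the flow record layout, the window length, the feature definition (distinct destination ports over distinct destination hosts per source and window) and the CUSUM parameters mu, k and h are assumptions, and the port-set similarity and wavelet analysis described in the abstract are not shown. The traffic is constructed: a benign client and a scanner that probes only three new ports per minute, a rate that never trips a per-window threshold but accumulates under CUSUM.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record (constructed for this example; fields are assumptions)."""
    t: float      # start time in seconds
    src: str      # source host
    dst: str      # destination host
    dport: int    # destination port


def window_features(flows, window):
    """Per source host, one feature per time window:
    (#distinct destination ports) / (#distinct destination hosts).
    A vertical scan of one target drives this ratio far above that of a
    normal client, which talks to a few hosts on a few well-known ports."""
    hosts, ports = defaultdict(set), defaultdict(set)
    for f in flows:
        key = (int(f.t // window), f.src)
        hosts[key].add(f.dst)
        ports[key].add(f.dport)
    feats = defaultdict(dict)           # src -> {window_index: ratio}
    for (w, src), h in hosts.items():
        feats[src][w] = len(ports[(w, src)]) / len(h)
    return feats


def cusum(series, mu, k, h):
    """One-sided CUSUM change detector. mu is the expected value of the
    feature under normal traffic, k the slack (half the shift to detect)
    and h the decision threshold. Returns the index of the first alarm
    (or None) and the statistic trace."""
    s, trace = 0.0, []
    for i, x in enumerate(series):
        s = max(0.0, s + (x - mu - k))
        trace.append(s)
        if s > h:
            return i, trace
    return None, trace


def detect_slow_scans(flows, window=60.0, mu=1.0, k=0.5, h=5.0):
    """Return {src: window_index_of_alarm} for sources whose accumulated
    deviation exceeds h. The per-window ratio of a slow scanner may stay
    below any single-window threshold; CUSUM sums the small excesses."""
    alarms = {}
    for src, per_w in window_features(flows, window).items():
        windows = sorted(per_w)
        idx, _ = cusum([per_w[w] for w in windows], mu, k, h)
        if idx is not None:
            alarms[src] = windows[idx]
    return alarms


def sample_flows(n_windows=10, window=60.0):
    """Constructed traffic: a benign client 10.0.0.5 fetching two services
    from three servers every minute, and a slow scanner 10.0.0.99 probing
    only three new ports per minute on a single target."""
    flows = []
    for w in range(n_windows):
        base = w * window + 1.0
        for i, dst in enumerate(("10.0.1.1", "10.0.1.2", "10.0.1.3")):
            flows.append(Flow(base + i, "10.0.0.5", dst, 80))
            flows.append(Flow(base + i + 0.5, "10.0.0.5", dst, 443))
        for j in range(3):
            flows.append(Flow(base + 10 + j, "10.0.0.99", "10.0.1.1", 1000 + 3 * w + j))
    return flows


if __name__ == "__main__":
    print(detect_slow_scans(sample_flows()))   # {'10.0.0.99': 3}
```

    The scanner's ratio is 3 in every window, only 1.5 above mu + k, so the statistic reaches h only in the fourth window; the benign client's ratio of 2/3 keeps its statistic at zero. In practice mu and h are fitted from a baseline of the monitored network rather than fixed as here.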

    Research on dynamic routing mechanism in network simulation
    Zhi-yu HAO,Jian-hong ZHAI,Xiao-chun YUN,Hong-li ZHANG
    2007, 28(12):  19-24.  doi:1000-436X(2007)12-0019-06

    A fundamental requirement for any network simulation environment is the realistic forwarding of packets from a source to a destination in the simulated topology. Routing decisions are affected by topology changes. In almost all current simulators, all nodes learn of topology changes instantaneously, which is obviously unrealistic. A model of dynamic routing was presented and analyzed. Further, an approach was proposed to compute the time needed for each node to learn of a topology change, and a dynamic MTree_Nix routing mechanism was presented, which maintains a static routing table and a message queue of topology changes, and looks up routing state according to the time at which each change becomes known. Experimental results show that the approach improves the realism of dynamic routing in network simulation with high simulation efficiency.

    Reconstruction of BLP model based on secure subject access
    Ke-long LIU,Li DING
    2007, 28(12):  25-32.  doi:1000-436X(2007)12-0025-08

    Through research on the BLP model, the concept of “secure subject access” was put forward. After reconstructing the discretionary-security property, the simple-security property and the *-property, a modified BLP model, the BLP+ model, was presented.
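
    As an added example (not the paper's BLP+ model, whose reconstruction of the properties is not reproduced here), the three properties named in the abstract as they stand in classic Bell-LaPadula, checked against a small constructed state: the ds-property consults an access matrix, the ss-property forbids reading up and the *-property forbids writing down, with dominance over (level, category set) pairs. The level names, subjects, objects and grants are hypothetical, and only the read and write modes are modelled.

```python
from dataclasses import dataclass, field

# Linear security levels; categories form the second dimension of the lattice.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """Lattice order: level at least as high and categories a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass
class BLPState:
    subjects: dict                                  # name -> current Label
    objects: dict                                   # name -> Label
    matrix: dict = field(default_factory=dict)      # (subject, object) -> {modes}

    def ds_property(self, s, o, mode):
        """Discretionary security: the access matrix must grant the mode."""
        return mode in self.matrix.get((s, o), set())

    def ss_property(self, s, o, mode):
        """Simple security ('no read up'): reading needs L(s) >= L(o)."""
        return mode != "read" or self.subjects[s].dominates(self.objects[o])

    def star_property(self, s, o, mode):
        """*-property ('no write down'): writing needs L(o) >= L(s)."""
        return mode != "write" or self.objects[o].dominates(self.subjects[s])

    def check(self, s, o, mode):
        """Return (permitted, names of the properties that refused it).
        All three must hold; the list tells an auditor which one blocked."""
        failed = [name for name, prop in (("ds", self.ds_property),
                                          ("ss", self.ss_property),
                                          ("*", self.star_property))
                  if not prop(s, o, mode)]
        return not failed, failed


def demo_state():
    """Constructed subjects, objects and grants (hypothetical names)."""
    crypto = frozenset({"crypto"})
    return BLPState(
        subjects={"alice": Label("secret", crypto), "bob": Label("confidential")},
        objects={"plan": Label("top-secret", crypto), "memo": Label("confidential"),
                 "log": Label("unclassified")},
        matrix={("alice", "memo"): {"read", "write"}, ("alice", "plan"): {"read", "write"},
                ("bob", "memo"): {"read", "write"}, ("bob", "plan"): {"read"}},
    )


if __name__ == "__main__":
    st = demo_state()
    for req in (("alice", "memo", "read"), ("alice", "memo", "write"),
                ("bob", "plan", "read"), ("bob", "log", "read"), ("alice", "plan", "write")):
        print(req, st.check(*req))
```

    Note the asymmetry the paper's reconstruction targets: alice may write the top-secret plan she cannot read, and may not write the confidential memo she can read. A discretionary grant alone (bob on plan) never overrides the mandatory properties, while a missing grant (bob on log) refuses an access the lattice would allow.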

    Research on a dynamic self-learning efficient intrusion detection model
    Wu YANG,Bing ZHANG,Yuan ZHOU,Wei WANG
    2007, 28(12):  33-38.  doi:1000-436X(2007)12-0033-06

    A dynamic, self-learning, efficient intrusion detection model was proposed based on inductive reasoning. Applying inductive reasoning to intrusion detection, an incremental inductive reasoning algorithm for intrusion detection was proposed. The model produced by this algorithm can learn from newly emerging network behaviour examples and dynamically modify its behaviour profile, which overcomes the disadvantage of traditional static detection models, which must relearn over all old and new examples, or cannot relearn at all because of limited memory. At the same time, the learning efficiency and detection efficiency of the intrusion detection model are greatly improved.

    Safe communicated model of SIP network based on improved SIP protocol
    Zhao-xin ZHANG,Bin-xing FANG,Hong-li ZHANG,Chun-xiang JIANG
    2007, 28(12):  39-47.  doi:1000-436X(2007)12-0039-09

    Through analysis of SIP security, and combining PKI technology, digital time authentication, digital certificates and the characteristics of SIP networks, a secure communication model for SIP networks based on an improved SIP protocol was put forward. A new call establishment protocol was constructed with reference to the original flow; new registration and roaming registration protocols were constructed; and a time synchronization protocol and a key negotiation protocol were added to the model, which was then tested in a real environment. The experimental results show that the model improves the confidentiality, integrity, availability, non-repudiation and freshness of the SIP network, with an acceptable delay of milliseconds.

    Network anomaly detection based on TCM-KNN and genetic algorithm
    Yang LI,Bin-xing FANG,Li GUO,Zhi-hong TIAN,Yong-zheng ZHANG,Wei JIANG
    2007, 28(12):  48-52.  doi:1000-436X(2007)12-0048-05

    A network anomaly detection scheme based on the TCM-KNN algorithm was proposed. Moreover, genetic algorithm (GA) based instance selection was introduced to boost detection performance while reducing the computational cost of TCM-KNN. A series of experimental results demonstrate that the proposed method is effective and that the instance selection mechanism also improves TCM-KNN, making it a good candidate for anomaly detection in practice.

    New group key management framework for mobile ad hoc network based on identity authentication in elliptic curve field
    Chun-lai DU,Ming-zeng HU,Hong-li ZHANG
    2007, 28(12):  53-59.  doi:1000-436X(2007)12-0053-07

    A new key management framework was proposed based on mutual identity authentication over elliptic curves. A threshold scheme makes the system more stable. Mutual identity-based authentication guarantees that a node communicates with the right peer, so that malicious nodes aiming to impersonate others or send false information can be excluded from the MANET.

    Method of detecting network anomaly on multi-time-scale
    Feng-yu WANG,Xiao-chun YUN,Zhen-zhong CAO
    2007, 28(12):  60-65.  doi:1000-436X(2007)12-0060-06

    To detect anomalies promptly and precisely in high-speed networks, an algorithm named DA-MTS (detecting anomaly on multi-time-scale synchronously) was proposed. First, the traffic time series is pre-processed with a non-decimated Haar wavelet transform to produce detail signals, which approximately follow Gaussian white noise. Then anomalies are detected using the “3σ” rule of the normal distribution. Analysis and experiments show that the algorithm can detect anomalies on several time scales recursively and without delay, so it detects anomalies both precisely and promptly.
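
    The two stages of the abstract, as an added example rather than the authors' implementation: a causal (à trous) non-decimated Haar transform that yields one detail signal per scale using only past samples, so a coefficient is available the moment its sample arrives, followed by the 3σ rule with mean and standard deviation estimated from a baseline prefix. The number of levels, the baseline length, the left-edge handling and the input series are assumptions; the series is constructed with a fixed periodic jitter (so the run is reproducible, unlike the near-Gaussian noise the paper assumes) and a surge of 200 pps lasting eight samples.

```python
import statistics


def haar_swt_details(x, levels):
    """Causal non-decimated (à trous) Haar transform.

    Level j (1-based) compares the running approximation with its copy
    delayed by 2**(j-1) samples, so every detail coefficient at time t uses
    only samples <= t; that is what lets the detector run without delay.
    Returns one detail signal per level, each the same length as x."""
    approx = list(x)
    details = []
    for j in range(levels):
        step = 2 ** j
        new_approx, d = [], []
        for t in range(len(approx)):
            prev = approx[t - step] if t >= step else approx[0]   # replicate left edge
            new_approx.append((approx[t] + prev) / 2)
            d.append((approx[t] - prev) / 2)
        details.append(d)
        approx = new_approx
    return details


def three_sigma_anomalies(detail, baseline_len):
    """Indices after the baseline whose detail coefficient leaves mu +/- 3 sigma,
    with mu and sigma estimated from the first baseline_len coefficients."""
    base = detail[:baseline_len]
    mu, sigma = statistics.fmean(base), statistics.pstdev(base)
    return [t for t in range(baseline_len, len(detail))
            if abs(detail[t] - mu) > 3 * sigma]


def detect_multi_scale(traffic, levels=3, baseline_len=64):
    """Return {level: [anomalous sample indices]} for every scale at once."""
    return {j + 1: three_sigma_anomalies(d, baseline_len)
            for j, d in enumerate(haar_swt_details(traffic, levels))}


# Constructed input: packets per second with a fixed periodic jitter, plus a
# 200 pps surge (e.g. a flood onset) lasting 8 samples from t=100.
_JITTER = [0, 6, -4, 9, -7, 3, -2, 8, -5, 1, 4, -8, 2, 7, -6, 5]


def sample_traffic(n=128, surge_start=100, surge_len=8, surge=200):
    return [1000 + _JITTER[t % 16]
            + (surge if surge_start <= t < surge_start + surge_len else 0)
            for t in range(n)]


if __name__ == "__main__":
    for level, hits in detect_multi_scale(sample_traffic()).items():
        print(f"scale {2 ** level}: anomalies at {hits}")
```

    At the finest scale only the two edges of the surge (samples 100 and 108) stand out, because a first-difference detail is blind to a sustained level shift; the coarser scales keep flagging for 2**(j-1) samples after each edge, which is the multi-scale redundancy the algorithm relies on to separate a short spike from a persistent change.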

    Research and implement on segmenting storage model of netflow
    Guang-jun WU,Xiao-chun YUN,Xiang-zhan YU,Shu-peng WANG
    2007, 28(12):  66-71.  doi:1000-436X(2007)12-0066-06

    A new model was proposed to maintain the sequence and ownership of NetFlow records. The model adopts a weakly ordered high-speed in-memory data structure to improve real-time storage capacity. At the disk level, a multi-level indexed NetFlow spanning tree was proposed to improve sequence and ownership retrieval efficiency. Performance evaluation shows that this NetFlow storage model improves real-time storage capacity and dramatically decreases the volume of index data.

    Research of worm-propagation prediction based on stochastic experiment
    Ting LIU,Qin-hua ZHENG,Xiao-hong GUAN,Yu QU,Na WANG
    2007, 28(12):  72-77.  doi:1000-436X(2007)12-0072-06

    Prediction of worm propagation is the basis of worm defense. It is becoming more difficult to model worm propagation in the early stage of spreading, because worm strategies are smarter and the Internet structure is more complicated than ever before. In the present study, a stochastic simulator was designed to simulate worm propagation. From the analysis of 1000 groups of experimental results, it was shown that worm propagation is a stochastic process and that the correlation coefficient between each group of results is close to 1. Therefore, a new prediction method was proposed that can accurately calculate the propagation of a worm once 0.1% of all vulnerable hosts have been infected.
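
    An added example, not the paper's simulator or its prediction method: a discrete-time stochastic simulation of a uniformly random-scanning worm, run under two seeds and compared with a Pearson correlation coefficient, which is the kind of comparison the abstract reports across its 1000 runs. The population size, address space, scan rate, initial infections and tick count in PARAMS are constructed values, not the paper's settings.

```python
import math
import random


def simulate_worm(n_vulnerable, address_space, scans_per_tick, initial, ticks, seed):
    """Discrete-time stochastic simulation of a uniform random-scanning worm.

    Every tick each infected host sends scans_per_tick probes to addresses
    drawn uniformly from address_space, so each still-susceptible host is hit
    with probability 1 - (1 - 1/address_space) ** (scans_per_tick * infected).
    Each susceptible host is then infected by an independent Bernoulli trial,
    which is where the randomness of the process comes from.
    Returns the infected count after every tick (length ticks + 1)."""
    rng = random.Random(seed)
    infected = initial
    history = [infected]
    for _ in range(ticks):
        susceptible = n_vulnerable - infected
        p_hit = 1.0 - (1.0 - 1.0 / address_space) ** (scans_per_tick * infected)
        new = sum(1 for _ in range(susceptible) if rng.random() < p_hit)
        infected += new
        history.append(infected)
    return history


def pearson(a, b):
    """Correlation coefficient between two equal-length series."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = math.sqrt(sum((x - ma) ** 2 for x in a))
    vb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return cov / (va * vb)


def compare_runs(seeds=(1, 2), **params):
    """Run the simulator once per seed and return the curves together with
    the correlation between the first two."""
    runs = [simulate_worm(seed=s, **params) for s in seeds]
    return runs, pearson(runs[0], runs[1])


# Constructed scenario (assumption): 2000 vulnerable hosts in an 2**18 address
# space, 10 probes per host per tick, 20 hosts infected at the start.
PARAMS = dict(n_vulnerable=2000, address_space=2 ** 18, scans_per_tick=10,
              initial=20, ticks=300)


if __name__ == "__main__":
    runs, r = compare_runs(**PARAMS)
    for tick in (0, 25, 50, 75, 100, 300):
        print(tick, runs[0][tick], runs[1][tick])
    print("correlation", round(r, 4))
```

    The early phase, when a handful of hosts carry the whole process, is where the two runs diverge most; once a few hundred hosts are infected the law of large numbers takes over and the curves rise together, which is why a prediction anchored at a small infected fraction can still work.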

    Attack scenarios reasoning,hypothesizing and predicting based on capability transition model
    Zhi-hong TIAN,Wei-zhe ZHANG,Yong-zheng ZHANG,Hong-li ZHANG,Yang LI,Wei JIANG
    2007, 28(12):  78-84.  doi:1000-436X(2007)12-0078-07

    To construct attack scenarios and predict intrusion intents automatically, a real-time alert correlation approach based on a capability transition model was proposed. By abstracting the reasoning evidence to a high level, the complexity of the process is effectively reduced. Experimental results on the DARPA 2000 IDS evaluation dataset indicate that the method is effective and efficient.

    Discrete propagation model of CDC-based benign worms
    Yong LIU,Han-sun ZHOU,Tie LIU,Dong-hong SUN
    2007, 28(12):  85-89.  doi:1000-436X(2007)12-0085-05

    Following the idea of constructing a CDC (center for disease control), the characteristics of CDC-based benign worms were analyzed. Furthermore, the process by which CDC-based benign worms counter malicious worms was modeled. Finally, the model was simulated. From the simulation, two important factors that affect how CDC-based benign worms counter worms were summarized.

    Spam filtering algorithm based on geographic E-mail path analysis
    Ni ZHANG,Yu JIANG,Bin-xing FANG,Guo LI
    2007, 28(12):  90-95.  doi:1000-436X(2007)12-0090-06

    A geographic e-mail path based algorithm called GEPA (geographic e-mail path analysis) was proposed to allow network administrators to cut off spam traffic during e-mail delivery. The algorithm first extracts route information to build an e-mail path subset, and then uses an effective method to map the IP addresses or domain names of the nodes in an e-mail path to geographic information. The algorithm then detects spam by the deviation of this geographic information. The performance of GEPA was evaluated using e-mail traffic from a link of a backbone border router in China that crosses the country's boundary. The experimental results indicate that a 13.9% reduction of e-mail can be achieved with the method. The results also show that GEPA is effective and practical and can be deployed in a massive traffic environment handling millions of mails every day with small memory consumption.

    Chinese IP-level network topology measurement and analysis
    Yu ZHANG,Bin-xing FANG,Hong-li ZHANG
    2007, 28(12):  96-101.  doi:1000-436X(2007)12-0096-06

    To build a picture of the Chinese IP-level topology, the traditional destination sampling method was evaluated, three improved techniques were developed, and the Chinese network was measured. Using the methodology of complex networks, the topology characteristics were extracted and compared. The sizes of autonomous systems (AS) were investigated with the IP2AS technique. The results show that much information is missed by the traditional method; the load is reduced to about half by the new techniques while completeness is retained; and the newly discovered Chinese topology is 5 times the size of that discovered by CAIDA's skitter. Compared to skitter's topology, the more complete topology shows more observable disassortativity, weaker clustering, shorter distances and a more unequal distribution of node traffic. A heavy-tailed distribution of AS sizes was discovered.

    Research of survivability enhancement algorithm based on autonomous configuration
    Le-jun ZHANG,Yuan ZHOU,Lin GUO,Wei WANG,Yong-tian YANG
    2007, 28(12):  102-107.  doi:1000-436X(2007)12-0102-06

    Based on redundancy and diversity, a method of enhancing system survivability was proposed by dynamically configuring atomic modules. Survivability curves were drawn according to the historical average response time. An autonomous configuration algorithm was designed based on the survivability of the atomic modules, system efficiency and quality of service. A contrasting experiment validated the algorithm's correctness and validity when atomic modules have different failure rates. Simulation confirmed that the algorithm can enhance service survivability when atomic modules are under attack or ageing.

    Research on MIX-based anonymous communications
    Tian-bo LU,Xiao-ming CHENG,Bing ZHANG
    2007, 28(12):  108-115.  doi:1000-436X(2007)12-0108-08

    Privacy and anonymity on the Internet have gained increasing attention from both the scientific community and the large Internet user community in recent years. Privacy means not only the confidentiality of information, but also not revealing who is communicating with whom, and how often. After describing the MIX technology, a survey of anonymity technologies based on it was given. Finally, WonGoo, a scalable and practical decentralized peer-to-peer protocol, was presented; it provides strong anonymity and high efficiency through layered encryption and random forwarding.

    Technical Report
    Text detection based on stroke features
    Wei-qiang WANG,Li-bo FU,Wen GAO,Qing-ming HUANG,Shu-qiang JIANG
    2007, 28(12):  116-120.  doi:1000-436X(2007)12-0116-05

    A text detection method was presented based on a support vector machine (SVM) using statistical features that characterize character strokes. First, the method extracts stroke edges with a modified edge detector; then candidate text regions are located by merging the regions that contain stroke edges; finally, a 32-dimensional feature is devised to reflect the distinctive spatial distribution of stroke edges, and the SVM is used to model and verify the candidate text regions. Experiments on Chinese characters demonstrate that the proposed stroke texture features have good discriminative power, especially for text regions composed of many characters.

    Independent semantic feature extraction algorithm based on short text
    Jia-ni HU,Jun GUO,Wei-hong DENG,Wei-ran XU
    2007, 28(12):  121-124.  doi:1000-436X(2007)12-0121-04

    An independent semantic feature extraction algorithm was proposed, aiming to reduce the sparseness of short text and enhance its capability for semantic expression. The algorithm first uses latent semantic indexing to reduce dimensionality and remove noise, and then introduces independent component analysis to extract statistically independent semantic features. Experimental results prove the feasibility of the algorithm and demonstrate that it is superior to latent semantic indexing.

    Research on ordered Boolean expression matching with window
    Jing CAO,Yan-bing LIU,Ping LIU,Jian-long TAN,Li GUO
    2007, 28(12):  125-130.  doi:1000-436X(2007)12-0125-06
    Keyword spotting system for broadcast news
    Peng-yuan ZHANG,Jian SHAO,Qing-wei ZHAO,Yong-hong YAN
    2007, 28(12):  131-135.  doi:1000-436X(2007)12-0131-05

    A two-step keyword spotting strategy was presented. This strategy allows the keyword list to be changed conveniently. Unlike previous systems, the search space was generated from all Chinese syllables rather than specifically for the keywords. Phoneme recognition was performed without any lexical constraints, and keyword hypotheses were generated from the 1-best phoneme sequence and the keyword list. Finally, two confidence measures were adopted in the system: one based on the acoustic model and the other based on the phoneme lattice. For a decoded speech frame aligned to an HMM state, the acoustic confidence was calculated. The lattice confidence made use of phoneme lattices generated by a phoneme recognizer. Because these two confidence measures have different dynamic ranges, they were combined using a weighting factor to obtain a hybrid confidence. Experiments show that the proposed algorithms significantly improve system performance on the broadcast news task.

    Text steganalysis using AdaBoost
    Xin-guang SUI,Lei SHEN,Ji-kun YAN,Zhong-liang ZHU
    2007, 28(12):  136-140.  doi:1000-436X(2007)12-0136-05

    The statistical models and features of natural texts were analyzed, and it was pointed out that embedding messages in texts changes their features. According to these changes, a blind detection method was designed using AdaBoost. Five basic parameters of texts were extracted as distinguishing feature vectors to discriminate natural texts from stego-texts effectively using AdaBoost. Experimental results show the high accuracy and reliability of the method.

    Research on Internet hotspot information detection
    Yi-ling ZENG,Hong-bo XU
    2007, 28(12):  141-146.  doi:1000-436X(2007)12-0141-06

    To recognize hotspot information in a great deal of Internet data, the hotspot information detection algorithm (HID) was designed. Based on joining segmented words, with a customized noise library and multi-level filtering strategies, HID is able to detect hotspot information in a large number of Internet pages. Experiments on the TDT international standard test corpus proved the efficiency of HID.

    Video matching method based on “bag of words”
    Yuan-ning LI,Ting LIU,Shu-qiang JIANG,Qing-ming HUANG
    2007, 28(12):  147-151.  doi:1000-436X(2007)12-0147-05

    A “bag of words” based method for video representation and matching was presented. First, all local features of all video frames are quantized into a dictionary of visual words. Then each sub-shot of the video is represented by a set of visual words. Finally, an inverted index of visual words is created to speed up the matching of video clips. This method not only takes local appearance and spatial information into account, but also compresses the representation of video content. Highly competitive experimental results show that the proposed method is more effective and efficient than former methods for video matching in large video datasets.

    Academic communication
    Technologies of network audio retrieval
    Wei-qiang ZHANG,Jia LIU
    2007, 28(12):  152-155.  doi:1000-436X(2007)12-0152-04

    According to the characteristics of massive network data, the traditional histogram algorithm was improved. A principal axis search tree is used for pre-processing, and a two-stage method is presented for audio retrieval. Experimental results show that the two proposed methods can significantly improve search speed and precision.

    Study on the classification and identification of Blog pages
    De-quan ZHENG,Di ZHANG,Tie-jun ZHAO,Hao YU
    2007, 28(12):  156-161.  doi:1000-436X(2007)12-0156-05

    In order to find an automatic way to recognize Blog pages among other Web pages, for content extraction from Blog pages and other research, some basic concepts and ideas in the area of Blogs were described according to the characteristics of Blog pages, and a novel method for the identification of Blog pages was proposed based on the structure of Blog pages and keywords. The experimental results show that high precision can be achieved.

    Frequent-pattern discovering algorithm for large-scale corpus
    Cai-chun GONG,Min HE,Hai-qiang CHEN,Hong-bo XU,Xue-qi CHENG
    2007, 28(12):  162-167.  doi:1000-436X(2007)12-0161-06

    A memory-based frequent-pattern discovery algorithm for large-scale corpora was presented. First, the original corpus is partitioned into several parts using an appropriate dividing policy. Then each partition is processed independently to produce a temporary result, and the union of all temporary results is the final frequent-pattern set. The algorithm prunes a subtree once it is certain that none of the corresponding patterns will be frequent. Experiments show that it takes no more than 1.6 gigabytes of memory to discover all patterns appearing more than 100 times in a 3.6 gigabyte news corpus, at an average speed of 3.28 megabytes per second.

    Investigation on the botnets activities
    Xin-hui HAN,Jin-peng GUO,Yong-lin ZHOU,Jian-wei ZHUGE,Wei ZOU
    2007, 28(12):  168-172.  doi:1000-436X(2007)12-0167-06

    Botnets have become the first-choice attack platform for network attackers to launch distributed denial of service attacks, steal sensitive information and send spam. They pose serious threats to the normal operation of the Internet and to the interests of Internet users. Investigation of wild botnet activities is necessary for further monitoring of, and countermeasures against, worldwide botnets. Based on investigation and analysis of the tracking records of 1 961 wild botnets, the statistical results of botnet activities are shown, including the number of botnets, command and control channel distributions, botnet size and end-host distributions, and the various types of botnet attack activities.

Copyright Information
Authorized by: China Association for Science and Technology
Sponsored by: China Institute of Communications
Editor-in-Chief: Zhang Ping
Associate Editor-in-Chief:
Zhang Yanchuan, Ma Jianfeng, Yang Zhen, Shen Lianfeng, Tao Xiaofeng, Liu Hualu
Editorial Director: Wu Nada, Zhao Li
Address: F2, Beiyang Chenguang Building, Shunbatiao No.1 Courtyard, Fengtai District, Beijing, China
Post: 100079
Tel: 010-53933889, 53878169, 53859522, 010-53878236
Email: xuebao@ptpress.com.cn
Email: txxb@bjxintong.com.cn
ISSN 1000-436X
CN 11-2102/TN