Biblio

Filters: Author is Liu, Pengcheng
2023-01-20
Shi, Zhixin, Wang, Xiangyu, Liu, Pengcheng.  2022.  NBP-MS: Malware Signature Generation Based on Network Behavior Profiling. 2022 26th International Conference on Pattern Recognition (ICPR). :1865–1870.
With the proliferation of malware, the detection and classification of malware have been hot topics in the academic and industrial circles of cyber security, and the generation of malware signatures is one of the important research directions. In this paper, we propose NBP-MS, a method of signature generation that is based on network traffic generated by malware. Specifically, we utilize the network traffic generated by malware to perform fine-grained profiling of its network behaviors first, and then cluster all the profiles to generate network behavior signatures to classify malware, providing support for subsequent analysis and defense.
2022-09-09
Liu, Pengcheng, Han, Zhen, Shi, Zhixin, Liu, Meichen.  2021.  Recognition of Overlapped Frequency Hopping Signals Based on Fully Convolutional Networks. 2021 28th International Conference on Telecommunications (ICT). :1–5.
Previous research on frequency hopping (FH) signal recognition utilizing deep learning only focuses on single-label signals, but cannot deal with overlapped FH signals which have multiple labels. To solve this problem, we propose a new FH signal recognition method based on fully convolutional networks (FCN). Firstly, we perform the short-time Fourier transform (STFT) on the collected FH signal to obtain a two-dimensional time-frequency pattern with time, frequency, and intensity information. Then, the pattern will be put into an improved FCN model, named FH-FCN, to make a pixel-level prediction. Finally, through the statistics of the output pixels, we can get the final classification results. We also design an algorithm that can automatically generate a dataset for model training. The experimental results show that, for an overlapped FH signal, which contains up to four different types of signals, our method can recognize them correctly. In addition, the separation of multiple FH signals can be achieved by a slight improvement of our method.
2022-06-07
Sun, Degang, Liu, Meichen, Li, Meimei, Shi, Zhixin, Liu, Pengcheng, Wang, Xu.  2021.  DeepMIT: A Novel Malicious Insider Threat Detection Framework based on Recurrent Neural Network. 2021 IEEE 24th International Conference on Computer Supported Cooperative Work in Design (CSCWD). :335–341.
Currently, more and more malicious insiders are making threats, and the detection of insider threats is becoming more challenging. The malicious insider often uses legitimate access privileges and mimics normal behaviors to evade detection, which is difficult to detect using traditional defensive solutions. In this paper, we propose DeepMIT, a malicious insider threat detection framework, which utilizes Recurrent Neural Network (RNN) to model user behaviors as time sequences and predict the probabilities of anomalies. This framework allows DeepMIT to continue learning, and the detections are made in real time, that is, the anomaly alerts are output as rapidly as data input. Also, our framework conducts further insight of the anomaly scores and provides the contributions to the scores and, thus, significantly helps the operators to understand anomaly scores and take further steps quickly (e.g., block insider's activity). In addition, DeepMIT utilizes user attributes (e.g., the personality of the user, the role of the user) as categorical features to identify the user's truly typical behavior, which helps detect malicious insiders who mimic normal behaviors. Extensive experimental evaluations over a public insider threat dataset CERT (version 6.2) have demonstrated that DeepMIT has outperformed other existing malicious insider threat solutions.