Aiming at the difficulty of unknown Trojan detection in the APT flooding situation, an improved detecting method has been proposed. The basic idea of this method originates from advanced persistent threat (APT) attack intents: besides dealing with damaging or destroying facilities, the more essential purpose of APT attacks is to gather confidential data from target hosts by planting Trojans. Inspired by this idea and some in-depth analyses on recently happened APT attacks, five typical communication characteristics are adopted to describe application’s network behavior, with which a fine-grained classifier based on Decision Tree and Na ve Bayes is modeled. Finally, with the training of supervised machine learning approaches, the classification detection method is implemented. Compared with general methods, this method is capable of enhancing the detection and awareness capability of unknown Trojans with less resource consumption.
In this paper, we propose a trusted mobile payment environment (TMPE) based on trusted computing and virtualization technology. There are a normal operating system (OS) and a trusted OS (TOS) in TMPE. We store the image of TOS in a memory card to hinder tampering. The integrity of TOS is protected by means of a trusted platform module (TPM). TOS can only be updated through a trusted third party. In addition, virtualization technology is applied to isolate TOS from normal OS. Users complete ordinary affairs in normal OS and security-sensitive affairs in TOS. TMPE can offer users a highly protected environment for mobile payment. Moreover, TMPE has good compatibility in different hardware architectures of mobile platforms. As the evaluation shows, TMPE satisfies the requirement of mobile payment well.
WANG JuanLIN WutaoLI HaoyuDU BianxiaMENG KeWANG Jiang
Focusing on the sensitive behaviors of malware, such as privacy stealing and money costing, this paper proposes a new method to monitor software behaviors and detect malicious applications on Android platform. According to the theory and implementation of Android Binder interprocess communication mechanism, a prototype system that integrates behavior monitoring and intercepting, malware detection, and identification is built in this work. There are 50 different kinds of samples used in the experiment of malware detection, including 40 normal samples and 10 malicious samples. The theoretical analysis and experimental result demonstrate that this system is effective in malware detection and interception, with a true positive rate equal to 100% and a false positive rate less than 3%.
Flume, which implements decentralized information flow control (DIFC), allows a high security level process to "pre-create" secret files in a low security level directory. However, the pre-create mechanism makes some normal system calls unavailable, and moreover, it needs priori knowledge to create a large quantity of objects, which is difficult to estimate in practical operating systems. In this paper, we present an extended Flume file access control mechanism, named Effect, to substitute the mechanism of pre-create, which permits write operations (create, delete, and rename a file) on directories and creates a file access virtual layer that allocates operational views for each process with noninterference properties. In the end, we further present an analysis on the security of Effect. Our work makes it easier for multi-user to share confidential information in decentralized information flow control systems.
Security testing is a key technology for software security.The testing results can reflect the relationship between software testing and software security,and they can help program designers for evaluating and improving software security.However,it is difficult to describe by mathematics the relationship between the results of software functional testing and software nonfunctional security indexes.In this paper,we propose a mathematics model(MSMAM) based on principal component analysis and multiattribute utility theory.This model can get nonfunctional security indexes by analyzing quantized results of functional tests.It can also evaluate software security and guide the effective allocation of testing resources in the process of software testing.The feasibility and effectiveness of MSMAM is verified by experiments.
