National Engineering Research Center for Information Security

Beijing, China

Liu Y.-L.,CAS Institute of Software | Liu Y.-L.,Institute of Information Security | Liu Y.-L.,National Engineering Research Center for Information Security | Feng D.-G.,CAS Institute of Software | And 3 more authors.
Ruan Jian Xue Bao/Journal of Software | Year: 2012

Existing performance evaluation methods for worm attack strategies (defense strategies) do not consider the influence that changes in defense strategies (attack strategies) have on attack strategies (defense strategies), and performance evaluation of defense strategies ignores implementation cost. In view of this, a performance evaluation model based on a static Bayesian game (PEM-SBG) is proposed, and performance evaluation methods for worm attack and defense mechanisms are presented. The performance evaluation method for defense mechanisms is based on gray multiple-attribute theory and considers several evaluation metrics of cost and utility, so the evaluation process is more comprehensive. Finally, the paper uses the simulation tool SSFNet to run simulation experiments under different attack and defense scenarios and validate the method. © 2012 ISCAS.


Wu D.,CAS Institute of Software | Wu D.,University of Chinese Academy of Sciences | Wu D.,Third Security | Feng D.-G.,CAS Institute of Software | And 3 more authors.
Ruan Jian Xue Bao/Journal of Software | Year: 2012

The efficiency evaluation of an information system's security measures is important for improving information system security. Conventional evaluation methods do not consider the interaction and mutual influence of the business dataflow, the attack flow, and the security measures when evaluating a system's security measures, so they cannot ensure the effectiveness of the evaluation process and its results. This paper presents an efficiency evaluation approach for an information system's security measures under a given vulnerability set. It employs colored Petri net tools to uniformly model and simulate the interaction among the system's workflow, the attack flow, and the security measures. Based on this modeling method, the paper proposes an inter-node vulnerability exploiting graph generation algorithm and an improved Dijkstra algorithm to identify the shortest attack paths that can damage the information system's security attributes. Next, it constructs a hierarchical model to evaluate the effectiveness of the security measures and employs a gray multiple-attribute decision-making algorithm to choose the best effectiveness-improving alternatives. This approach reduces the dependency on evaluators' subjectivity when evaluating an information system's security measures, and helps to ensure the consistency and traceability of the evaluation results. Finally, a practical Web business system is taken as a case study to validate the correctness and effectiveness of the evaluation model. © 2012 ISCAS.
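As an added illustration of the shortest-attack-path idea in the abstract above (this is not code from the paper or its authors, and it uses the textbook Dijkstra algorithm rather than the paper's improved variant), the following Python block finds the cheapest exploit sequence from an Internet attacker to a target state in a constructed vulnerability-exploit graph, then re-runs the search after a security measure closes some exploits. The hosts, exploit identifiers and costs are invented for the example.

```python
"""Shortest attack paths over a vulnerability-exploit graph.

Added illustration, not the paper's own code: the paper describes an
inter-node vulnerability exploiting graph and an improved Dijkstra
algorithm; this block uses the textbook Dijkstra algorithm over a
constructed graph. Hosts, exploit names and costs are invented.
"""
import heapq
from typing import Dict, List, Set, Tuple

# A state is "host:privilege"; an edge is an exploit that moves the
# attacker from one state to another at some cost (e.g. effort or time).
Graph = Dict[str, List[Tuple[str, str, float]]]  # state -> [(next, exploit, cost)]


def build_graph() -> Graph:
    """Constructed example: Internet-facing web host, mail host, backend DB."""
    return {
        "internet:none": [
            ("web:user", "sqli-web", 2.0),
            ("web:user", "rce-web", 1.0),
            ("mail:user", "phish-mail", 3.0),
        ],
        "web:user": [
            ("web:root", "lpe-web", 2.0),
            ("db:user", "weak-db-cred", 1.0),
        ],
        "web:root": [("db:root", "trust-web-db", 1.0)],
        "mail:user": [("db:user", "reuse-cred", 2.0)],
        "db:user": [("db:root", "lpe-db", 3.0)],
        "db:root": [],  # reaching this state violates the DB's integrity attribute
    }


def shortest_attack_paths(graph: Graph, start: str) -> Dict[str, Tuple[float, List[str]]]:
    """Dijkstra from `start`: for each reachable state, the minimum cumulative
    exploit cost and the exploit sequence that achieves it."""
    dist: Dict[str, float] = {start: 0.0}
    via: Dict[str, Tuple[str, str]] = {}  # state -> (previous state, exploit used)
    heap: List[Tuple[float, str]] = [(0.0, start)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue  # stale heap entry
        for v, exploit, cost in graph.get(u, []):
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                via[v] = (u, exploit)
                heapq.heappush(heap, (nd, v))
    paths: Dict[str, Tuple[float, List[str]]] = {}
    for state, d in dist.items():
        chain: List[str] = []
        s = state
        while s in via:
            s, exploit = via[s]
            chain.append(exploit)
        paths[state] = (d, chain[::-1])
    return paths


def apply_measure(graph: Graph, closed_exploits: Set[str]) -> Graph:
    """Model a security measure (patch, credential rotation, firewall rule)
    as removing the exploit edges it closes."""
    return {u: [(v, e, c) for v, e, c in edges if e not in closed_exploits]
            for u, edges in graph.items()}


def evaluate_measure(target: str, closed_exploits: Set[str]) -> Tuple[float, float]:
    """Cheapest attack cost to `target` before and after the measure;
    infinity means the target is no longer reachable."""
    inf = float("inf")
    before = shortest_attack_paths(build_graph(), "internet:none")
    after = shortest_attack_paths(apply_measure(build_graph(), closed_exploits), "internet:none")
    return before.get(target, (inf, []))[0], after.get(target, (inf, []))[0]


if __name__ == "__main__":
    cost, path = shortest_attack_paths(build_graph(), "internet:none")["db:root"]
    print(f"cheapest path to db:root: cost={cost} via {path}")
    print("patch rce-web and lpe-web:", evaluate_measure("db:root", {"rce-web", "lpe-web"}))
    print("close trust-web-db and lpe-db:", evaluate_measure("db:root", {"trust-web-db", "lpe-db"}))
```

Comparing the before/after cost of the cheapest path to a target state is one concrete way to rank candidate measures: a measure that only raises the cost (here from 4 to 6) is weaker than one that disconnects the target entirely, which the search reports as an infinite cost.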


Wu D.,CAS Institute of Software | Wu D.,University of Chinese Academy of Sciences | Wu D.,Third Security | Lian Y.-F.,CAS Institute of Software | And 4 more authors.
Jisuanji Xuebao/Chinese Journal of Computers | Year: 2012

The security management of a business system needs to assess the system's security situation using a network attack graph, and also to analyze the threats that exploit security vulnerabilities. Current security threat identification and analysis methods cannot handle both problems well at the same time, nor can they handle the uncertainties that arise when analyzing vulnerability exploiting threats. This paper proposes a security threat identification and analysis method. The network attack graph is defined via Colored Petri Nets (CPN), and an algorithm named NAGG is proposed to construct the network attack graph from simulation results. We also give an algorithm named NAGD that decomposes the network attack graph into several sub-attack-graphs, each corresponding to a specific vulnerability exploiting threat; each sub-attack-graph is loop-free and its longest attack path is bounded by a predefined value. To prioritize all security threats for handling, a vulnerability exploiting threat evaluation method named VETE is given that converts a sub-attack-graph into a set of uncertain inference rules and uses a D-S (Dempster-Shafer) evidence inference engine to calculate the threat degree of the threat corresponding to each sub-attack-graph. Finally, a typical Web application system is used as an example to validate the effectiveness of the proposed method.
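The abstract above mentions a D-S evidence inference engine for turning uncertain rules into a threat degree. As an added illustration (not the paper's VETE method or the authors' code), the following Python block implements the standard Dempster combination rule on a two-hypothesis frame and combines a few constructed rule confidences into a belief/plausibility interval for the "threat is realizable" hypothesis. The confidences, and the mapping of a rule to a mass function, are assumptions made for the example.

```python
"""Threat degree from uncertain rules with Dempster-Shafer evidence theory.

Added illustration, not the paper's VETE method or code: it shows the
standard Dempster combination rule on a two-element frame, which is the
kind of calculation an uncertain-inference engine performs. The rule
confidences below are invented.
"""
from itertools import product
from typing import Dict, FrozenSet, Iterable, Tuple

Hypothesis = FrozenSet[str]
Mass = Dict[Hypothesis, float]  # basic probability assignment (masses sum to 1)

THREAT: Hypothesis = frozenset({"threat"})
NO_THREAT: Hypothesis = frozenset({"no_threat"})
THETA: Hypothesis = THREAT | NO_THREAT  # the whole frame: mass here is ignorance


def rule_evidence(confidence: float, supports_threat: bool = True) -> Mass:
    """Turn one uncertain inference rule into a mass function (assumed mapping):
    `confidence` goes to the hypothesis the rule supports, the rest to ignorance."""
    if not 0.0 <= confidence <= 1.0:
        raise ValueError("confidence must be in [0, 1]")
    focal = THREAT if supports_threat else NO_THREAT
    return {focal: confidence, THETA: 1.0 - confidence}


def combine(m1: Mass, m2: Mass) -> Mass:
    """Dempster's rule: m(A) = sum over B∩C=A of m1(B)m2(C), divided by (1 - K),
    where K is the total mass on conflicting (empty) intersections."""
    out: Mass = {}
    conflict = 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        a = b & c
        w = mb * mc
        if a:
            out[a] = out.get(a, 0.0) + w
        else:
            conflict += w
    if conflict > 1.0 - 1e-12:
        raise ValueError("total conflict between evidence sources; rule undefined")
    return {a: w / (1.0 - conflict) for a, w in out.items()}


def combine_all(masses: Iterable[Mass]) -> Mass:
    result: Mass = {THETA: 1.0}  # vacuous mass: combining with it changes nothing
    for m in masses:
        result = combine(result, m)
    return result


def belief(m: Mass, hyp: Hypothesis) -> float:
    """Bel(H): mass of all subsets of H (evidence that definitely supports H)."""
    return sum(w for a, w in m.items() if a <= hyp)


def plausibility(m: Mass, hyp: Hypothesis) -> float:
    """Pl(H): mass of all sets intersecting H (evidence that does not rule H out)."""
    return sum(w for a, w in m.items() if a & hyp)


def threat_degree(rules: Iterable[Tuple[float, bool]]) -> Tuple[float, float]:
    """Combine the (confidence, supports_threat) rules of one sub-attack-graph and
    return the (belief, plausibility) interval for the threat hypothesis."""
    m = combine_all(rule_evidence(c, s) for c, s in rules)
    return belief(m, THREAT), plausibility(m, THREAT)


if __name__ == "__main__":
    # Constructed rules: two steps of an attack path are judged exploitable with
    # confidence 0.8 and 0.6; a deployed mitigation argues against with 0.5.
    print(threat_degree([(0.8, True), (0.6, True)]))
    print(threat_degree([(0.8, True), (0.6, True), (0.5, False)]))
```

The belief value is the conservative threat degree (what the evidence positively establishes); the gap up to plausibility is the residual ignorance. Note the guard for total conflict: two rules that fully contradict each other make Dempster's normalization divide by zero, and an engine has to treat that case explicitly rather than silently produce a degree.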


Chen K.,CAS Institute of Software | Lian Y.,CAS Institute of Software | Lian Y.,National Engineering Research Center for Information Security | Zhang Y.,CAS Institute of Software
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2012

Zero-day vulnerabilities play an important role in cyber security. Since they are unknown to the public and no patches are available, attackers can use them to attack effectively. Detecting software vulnerabilities and producing patches can protect hosts from attacks that use these vulnerabilities, but this approach cannot prevent all vulnerabilities. Methods such as address space randomization can defend against attacks, but they cannot locate the vulnerabilities in the software to help software vendors generate patches for other hosts. In this paper, we design and develop a proof-of-concept prototype called AutoDunt (AUTOmatical zero Day vUlNerability deTector), which can detect vulnerable code in software by analyzing attacks directly in a virtual environment. It needs no source code and is indifferent to polymorphic/metamorphic shellcode (or even to the absence of shellcode). We present a new kind of dependence between variables, called latent dependence, and use it to save the states necessary for replaying the virtual environment. In this way, AutoDunt needs neither slicing nor taint analysis to find the vulnerable code in the software, which saves processing time. We verify the effectiveness and evaluate the efficiency of AutoDunt by testing 81 real exploits and 7 popular applications at the end of this paper. © 2012 Springer-Verlag.


Wang R.,University of Chinese Academy of Sciences | Wang R.,CAS Institute of Software | Su P.-R.,CAS Institute of Software | Yang Y.,CAS Institute of Software | And 3 more authors.
Tien Tzu Hsueh Pao/Acta Electronica Sinica | Year: 2011

Malware variants are one of the major challenges in malware detection today. Obfuscation, the most popular technique for generating these variants, changes the signatures of malware to evade current signature-based malware prevention, and is a big threat to information systems. This paper proposes a novel obfuscation-resistant malware detection method. Using dynamic taint analysis and a trigger-based behavior processing engine, the method extracts the essential behavior logic of malware at fine granularity and forms it into a signature for a class of malware, then identifies variants more precisely through a signature-merging optimization process and fuzzy matching. Experimental results show that the detection method in this paper can identify malware and its variants efficiently.


Chen K.,CAS Institute of Software | Chen K.,University of Chinese Academy of Sciences | Lian Y.,CAS Institute of Software | Lian Y.,National Engineering Research Center for Information Security | Zhang Y.,CAS Institute of Software
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2010

Vulnerabilities in software threaten the security of hosts. Generating patches can overcome this problem. Patches are usually generated with human intervention, which is very time-consuming and requires a lot of experience. A few heuristic methods can generate patches automatically, but they usually have high false negative and/or false positive rates. We propose a novel solution and implement a real system called PatchGen that automatically generates patches for vulnerabilities. PatchGen innovatively combines several techniques: (1) it automatically generates patches for Windows x86 binaries without any need for source code, debugging information or human intervention; (2) an attribute-based taint analysis method (ATAM) is proposed to find the attack point and the overflow point without recording or analyzing program execution traces, which saves both analysis time and memory; (3) PatchGen automatically tunes the candidate position to find the most suitable position to patch. We performed several experiments on PatchGen. The results show that PatchGen can successfully generate patches for buffer overflow vulnerabilities within several minutes, and the running overhead of the patched applications is less than 1% on average. © 2010 Springer-Verlag.


Zhang Y.,University of Chinese Academy of Sciences | Zhang Y.,National Engineering Research Center for Information Security | Feng D.,University of Chinese Academy of Sciences | Feng D.,CAS Institute of Software
Jisuanji Yanjiu yu Fazhan/Computer Research and Development | Year: 2010

With the development of space technology, more and more attention is paid to the use of spatial data. Spatial data cannot be accessed without restriction, so access control models for spatial data are becoming more and more important, and they are a hot research topic worldwide. This paper presents STS-RBAC, an improvement of the traditional RBAC model. STS-RBAC is based on spatial database operations and includes the attributes of space, time and scale. It can be used for both vector and raster data, and it can also manage multi-scale spatial objects. Scale, like time and space, is a basic element in the security of spatial data. STS-RBAC focuses on the special characteristics of spatial data and introduces role hierarchies based on position and time constraints, which guarantees reliability in spatial database access. STS-RBAC also defines transitivity and a partial order on permissions, so that authorizations can be inferred from others; this reduces the time and space needed when the spatial database is accessed. With the help of STS-RBAC, spatial data can be accessed more efficiently and securely.
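To make the mechanisms named in the abstract above concrete (a role hierarchy, role activation constrained by position and time, and a partial order on permissions from which authorizations are inferred), here is an added Python illustration. It is not the STS-RBAC model or the authors' code: the layers, regions, scale ranges, role names and the particular dominance rule are assumptions chosen for the example.

```python
"""Role-based access to spatial data with space, time and scale attributes.

Added illustration, not the STS-RBAC model or the authors' code: it shows
the general mechanisms the abstract names (a role hierarchy, activation
constrained by position and time, and a partial order on permissions from
which authorizations are inferred) on a constructed policy. Layers,
regions, scales, role names and the dominance rule are invented.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

BBox = Tuple[float, float, float, float]  # (xmin, ymin, xmax, ymax)
ACTION_RANK = {"read": 1, "write": 2}  # assumption: write implies read


def contains(outer: BBox, inner: BBox) -> bool:
    return (outer[0] <= inner[0] and outer[1] <= inner[1]
            and outer[2] >= inner[2] and outer[3] >= inner[3])


@dataclass(frozen=True)
class Permission:
    action: str
    layer: str
    region: BBox
    scale: Tuple[int, int]  # map-scale denominators covered, finest..coarsest

    def dominates(self, other: "Permission") -> bool:
        """Partial order: a permission implies every weaker one on the same
        layer whose region and scale range it covers."""
        return (self.layer == other.layer
                and ACTION_RANK[self.action] >= ACTION_RANK[other.action]
                and contains(self.region, other.region)
                and self.scale[0] <= other.scale[0]
                and self.scale[1] >= other.scale[1])


@dataclass(frozen=True)
class Role:
    name: str
    permissions: FrozenSet[Permission]
    juniors: FrozenSet[str]   # roles whose permissions this role inherits
    area: BBox                # role can only be activated from inside this area
    hours: Tuple[int, int]    # activation window [start, end) as hour of day


class SpatialPolicy:
    def __init__(self, roles: Tuple[Role, ...]) -> None:
        self.roles: Dict[str, Role] = {r.name: r for r in roles}

    def effective_permissions(self, role_name: str) -> Set[Permission]:
        """Transitive closure over the role hierarchy (seniors inherit juniors)."""
        seen: Set[str] = set()
        stack = [role_name]
        perms: Set[Permission] = set()
        while stack:
            name = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            role = self.roles[name]
            perms |= role.permissions
            stack.extend(role.juniors)
        return perms

    def can_activate(self, role: Role, x: float, y: float, hour: int) -> bool:
        inside = role.area[0] <= x <= role.area[2] and role.area[1] <= y <= role.area[3]
        return inside and role.hours[0] <= hour < role.hours[1]

    def check(self, role_name: str, x: float, y: float, hour: int, request: Permission) -> bool:
        """Deny unless the role is activatable here and now and some held
        (direct or inherited) permission dominates the request."""
        role = self.roles[role_name]
        if not self.can_activate(role, x, y, hour):
            return False
        return any(p.dominates(request) for p in self.effective_permissions(role_name))


def build_policy() -> SpatialPolicy:
    """Constructed policy: a surveyor may read roads anywhere in the city at
    any hour; a planner inherits that and may edit zoning in one district,
    but only during office hours."""
    city: BBox = (0, 0, 100, 100)
    district: BBox = (0, 0, 50, 50)
    surveyor = Role("surveyor",
                    frozenset({Permission("read", "roads", city, (1000, 50000))}),
                    frozenset(), city, (0, 24))
    planner = Role("planner",
                   frozenset({Permission("write", "zoning", district, (5000, 25000))}),
                   frozenset({"surveyor"}), city, (8, 18))
    return SpatialPolicy((surveyor, planner))


if __name__ == "__main__":
    policy = build_policy()
    req = Permission("read", "roads", (5, 5, 8, 8), (5000, 5000))
    print("planner at 10:00 inside city:", policy.check("planner", 10, 10, 10, req))
    print("planner at 20:00 inside city:", policy.check("planner", 10, 10, 20, req))
```

The point of the dominance relation is that the policy never stores a permission for every region or scale a user might ask about: a single coarse grant covers all the finer requests it contains, and a request outside that envelope (a larger region, a scale outside the range, a stronger action) is denied without any further lookup.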


Chen K.,University of Chinese Academy of Sciences | Chen K.,CAS Institute of Software | Chen K.,National Engineering Research Center for Information Security | Feng D.-G.,University of Chinese Academy of Sciences | And 2 more authors.
Jisuanji Xuebao/Chinese Journal of Computers | Year: 2010

Exploring multiple execution paths is an important method for analyzing executable files. Most researchers use randomly generated input or construct input from path conditions to explore program paths. These methods suffer from two flaws: they cannot analyze all the paths, and there are too many useless paths to analyze. This paper introduces weak control dependence and the path reference set to analyze path conditions, and defines three basic kinds of elements in checked conditions. Based on these definitions and theories, lazy analysis is proposed to explore multiple execution paths. When analyzing a program, it chooses suitable branch conditions to explore paths according to a program check point. In this way, the number of path conditions can be decreased without missing any of the conditions needed to guarantee that the program runs to the check point and that the checked condition has the same structure. A prototype is implemented and experiments are performed on seven malware samples. Taint analysis is used to trace input from outside the program, such as tainted files, throughout the analysis process, and shadow memory is used to increase processing speed. The results show that the method decreases the number of path conditions and increases the efficiency of exploring multiple paths.


Ying L.-Y.,CAS Institute of Software | Ying L.-Y.,University of Chinese Academy of Sciences | Ying L.-Y.,National Engineering Research Center for Information Security | Yang Y.,CAS Institute of Software | And 3 more authors.
Ruan Jian Xue Bao/Journal of Software | Year: 2011

Network protocol reverse engineering is an important aspect of malware analysis. There are many different network protocols, and every protocol contains different types of fields that result in various malware behaviors. Without the protocol syntax and field semantics, analysts cannot understand how malware interacts with the outside network. This paper presents a syntax and behavior semantics analysis method for network protocols. By monitoring how malware parses network data and uses the different fields in a virtual execution environment, this method can identify protocol fields, extract the protocol syntax and correlate each syntax element with the corresponding malware behavior. This paper designs and implements the prototype Prama (protocol reverse analyzer for malware analysis). Experimental results show that this method can correctly infer protocol syntax and tag fields with meaningful malware behaviors. © Copyright 2011, Institute of Software, the Chinese Academy of Sciences.


Zhang Y.-J.,University of Chinese Academy of Sciences | Zhang Y.-J.,National Engineering Research Center for Information Security | Feng D.-G.,University of Chinese Academy of Sciences | Chen K.,University of Chinese Academy of Sciences | Chen K.,National Engineering Research Center for Information Security
Tongxin Xuebao/Journal on Communications | Year: 2010

Existing access control for spatial databases cannot support both vector and raster data, and its efficiency is low. To address these shortcomings, an effective index mechanism supporting both vector and raster data was developed. Moreover, an authorization method was proposed that resolves policy conflicts and improves the efficiency of authorization evaluation. Finally, experiments were performed. The results show the approach is valid for vector and raster data, and it can easily be applied to most spatial databases to improve their efficiency.
