Search

Your search keyword '"Shize Guo"' showing total 209 results
Start Over Author "Shize Guo"
209 results on '"Shize Guo"'

1. Enhancing reinforcement learning based adversarial malware generation to evade static detection

Author

Dazhi Zhan, Yanyan Zhang, Ling Zhu, Jun Chen, Shiming Xia, Shize Guo, and Zhisong Pan

Subjects
Malware detection, Static analysis, Adversarial example, Evasion attack, Reinforcement learning, Engineering (General). Civil engineering (General), TA1-2040
Abstract

The anti-detection capabilities of adversarial malware examples have drawn the attention of antivirus vendors and researchers. In black-box scenarios where internal information of the target model cannot be accessed, with the ability of the reinforcement learning (RL) agents to adjust strategies based on the feedback from the environment, existing RL-based methods enable evasion of Windows PE malware detectors. However, obtaining evasion rewards as positive feedback in the black-box setting proves challenging, resulting in low training efficiency. To address this issue, we introduce the intrinsic curiosity reward into the framework to motivate the agent to explore unknown state spaces and learn effective evasion strategies. Additionally, we employ the generative adversarial network (GAN) to obtain varying synthetic data, which replaces random or benign bytes as adversarial payloads for the agent's action content, improving attack capabilities and reducing the risk of hard-coded adversarial perturbations being anchored. We compare the attack performance with other RL-based baseline methods, and experimental results show that our framework is more flexible and effective, achieving a 63%-85% attack success rate against EMBER, FireEye and MalConv. Even if defensive measures are taken, the proposed method still has a certain attack capability, and the success rate remains between 48%-67%.

Published
2024
Full Text
View/download PDF

2. An improved signal detection algorithm for a mining-purposed MIMO-OFDM IoT-based system

Author

Jikun Guo, Qing Zhao, Lixuan Guo, Shize Guo, and Gen Liang

Subjects
coal mine, iot, mimo-ofdm, signal detection, mmse, ml, Mathematics, QA1-939, Applied mathematics. Quantitative methods, T57-57.97
Abstract

The coal mine internet of things (IoT) communication system is used for real-time monitoring of mining production to ensure the safety and reliability of personnel and equipment in the mine. To eliminate multipath fading in the process of wireless communication in mines, multiple-output multiplexing (MIMO) and orthogonal frequency division multiplexing (OFDM) technologies are introduced. In this paper, a wireless communication system architecture of IoT in mining based on MIMO-OFDM is constructed. Aiming to solve the problems of intersymbol interference and frequency selective fading at the receiver, an improved minimum mean square error ordered successive interferences cancellation (MMSE-OSIC) signal detection algorithm is proposed. First, the signal-to-interference plus noise ratio of the received signal is calculated and the calculation results are sorted. The lowest signal-to-noise ratio is selected as the weakest signal layer. Then, the MMSE-OSIC algorithm is used to extract all of the signals, except the weakest layer. Finally, a maximum likelihood (ML) algorithm is used to traverse the whole signal domain; the signal symbol with the smallest distance from the weakest signal layer is found as the original signal of the weakest signal layer, and it is combined with the signal detected by MMSE-OSIC; then, the final signal detection result is obtained. The simulation results show that, compared with three benchmark algorithms, the proposed MMSE-OSIC algorithm has better signal detection performance under the conditions of different modulation methods and different channel numbers.

Published
2023
Full Text
View/download PDF

3. Instance attack: an explanation-based vulnerability analysis framework against DNNs for malware detection

Author

Ruijin Sun, Shize Guo, Changyou Xing, Yexin Duan, Luming Yang, Xi Guo, and Zhisong Pan

Subjects
Malware, Adversarial examples, DNN, Interpretable, Electronic computers. Computer science, QA75.5-76.95
Abstract

Deep neural networks (DNNs) are increasingly being used in malware detection and their robustness has been widely discussed. Conventionally, the development of an adversarial example generation scheme for DNNs involves either detailed knowledge concerning the model (i.e., gradient-based methods) or a substantial quantity of data for training a surrogate model. However, under many real-world circumstances, neither of these resources is necessarily available. Our work introduces the concept of the instance-based attack, which is both interpretable and suitable for deployment in a black-box environment. In our approach, a specific binary instance and a malware classifier are utilized as input. By incorporating data augmentation strategies, sufficient data are generated to train a relatively simple and interpretable model. Our methodology involves providing explanations for the detection model, which entails displaying the weights assigned to different components of the specific binary. Through the analysis of these explanations, we discover that the data subsections have a significant impact on the identification of malware. In this study, a novel function preserving transformation algorithm designed specifically for data subsections is introduced. Our approach involves leveraging binary diversification techniques to neutralize the effects of the most heavily-weighted section, thus generating effective adversarial examples. Our algorithm can fool the DNNs in certain cases with a success rate of almost 100%. Instance attack exhibits superior performance compared to the state-of-the-art approach. Notably, our technique can be implemented in a black-box environment and the results can be verified utilizing domain knowledge. The model can help to improve the robustness of malware detectors.

Published
2023
Full Text
View/download PDF

4. Detection of SSL/TLS protocol attacks based on flow spectrum theory

Author

Shize GUO, Fan ZHANG, Zhuoxue SONG, Ziming ZHAO, Xinjie ZHAO, Xiaojuan WANG, and Xiangyang LUO

Subjects
SSL/TLS attacks, network traffic detection, flow spectrum theory, long short-term memory, Electronic computers. Computer science, QA75.5-76.95
Abstract

Network attack detection plays a vital role in network security.Existing detection approaches focus on typical attack behaviors, such as Botnets and SQL injection.The widespread use of the SSL/TLS encryption protocol arises some emerging attack strategies against the SSL/TLS protocol.With the network traffic collection environment that built upon the implements of popular SSL/TLS attacks, a network traffic dataset including four SSL/TLS attacks, as well as benign flows was controlled.Considering the problems that limited observability of existing detection and limited separation of the original-flow spatiotemporal domains, a flow spectrum theory was proposed to map the threat behavior in the cyberspace from the original spatiotemporal domain to the transformed domain through the process of “potential change” and obtain the “potential variation spectrum”.The flow spectrum theory is based on a set of separable and observable feature representations to achieve efficient analysis of network flows.The key to the application of flow spectrum theory in actual cyberspace threat behavior detection is to find the potential basis matrix for a specific threat network flow under the condition of a given transformation operator.Since the SSL/TLS protocol has a strong timing relationship and state transition process in the handshake phase, and there are similarities between some SSL/TLS attacks, the detection of SSL/TLS attacks not only needs to consider timing context information, but also needs to consider the high-separation representation of TLS network flows.Based on the flow spectrum theory, the threat template idea was used to extract the potential basis matrix, and the potential basis mapping based on the long-short-term memory unit was used to map the SSL/TLS attack network flow to the flow spectrum domain space.On the self-built SSL/TLS attack network flow data set, the validity of the flow spectrum theory is verified by means of classification performance comparison, potential variation spectrum dimensionality reduction visualization, threat behavior feature weight evaluation, threat behavior spectrum division assessment, and potential variation base matrix heatmap visualization.

Published
2022
Full Text
View/download PDF

5. Efficient Persistent Fault Analysis with Small Number of Chosen Plaintexts

Author

Fan Zhang, Run Huang, Tianxiang Feng, Xue Gong, Yulong Tao, Kui Ren, Xinjie Zhao, and Shize Guo

Subjects
Fault Attack, Persistent Fault Analysis, Multiple Faults, AES, LED, Computer engineering. Computer hardware, TK7885-7895, Information technology, T58.5-58.64
Abstract

In 2018, Zhang et al. introduced the Persistent Fault Analysis (PFA) for the first time, which uses statistical features of ciphertexts caused by faulty Sbox to recover the key of block ciphers. However, for most of the variants of PFA, the prior knowledge of the fault (location and value) is required, where the corresponding analysis will get more difficult under the scenario of multiple faults. To bypass such perquisite and improve the analysis efficiency for multiple faults, we propose Chosen-Plaintext based Persistent Fault Analysis (CPPFA). CPPFA introduces chosen-plaintext to facilitate PFA and can reduce the key search space of AES-128 to extremely small. Our proposal requires 256 ciphertexts, while previous state-of-the-art work still requires 1509 and 1448 ciphertexts under 8 and 16 faults, respectively, at the only cost of requiring 256 chosen plaintexts. In particular, CPPFA can be applied to the multiple faults scenarios where all fault locations, values and quantity are unknown, and the worst time complexity of CPPFA is O(28+nf ) for AES-128, where nf represents the number of faults. The experimental results show that when nf > 4, 256 pairs of plaintext-ciphertext can recover the master key of AES-128. As for LED-64, only 16 pairs of plaintext-ciphertext reduce the remaining key search space to 210.

Published
2023
Full Text
View/download PDF

6. How to Make Attention Mechanisms More Practical in Malware Classification

Author

Xin Ma, Shize Guo, Haiying Li, Zhisong Pan, Junyang Qiu, Yu Ding, and Feiqiong Chen

Subjects
Attention mechanisms, multi-dimensional sequence, disassembly code, Electrical engineering. Electronics. Nuclear engineering, TK1-9971
Abstract

Malware and its variants continue to pose a threat to network security. Machine learning has been widely used in the field of malware classification, but some emerging studies, such as attention mechanisms, are rarely applied in this field. In this paper, we analyze the correspondence between bytecode and disassembly of malware, and propose a new feature extraction method based on multi-dimensional sequence. Also, we construct a new classification framework based on attention mechanism and Convolutional Neural Networks mechanism. Furthermore, we also compare the different architectures based on the attention mechanisms. Experiments on open datasets show that our feature extraction method and our framework have a good classification effect, and the accuracy rate is 0.9609.

Published
2019
Full Text
View/download PDF

7. A Comprehensive FPGA Reverse Engineering Tool-Chain: From Bitstream to RTL Code

Author

Tao Zhang, Jian Wang, Shize Guo, and Zhe Chen

Subjects
FPGA, reverse engineering, bitstream, hardware trojan, Electrical engineering. Electronics. Nuclear engineering, TK1-9971
Abstract

As recently studied, field-programmable gate arrays (FPGAs) suffer from growing Hardware Trojan (HT) attacks, and many techniques, e.g., register-transfer level (RTL) code-based analyzing, have been presented to detect HTs on FPGAs. However, for most of the FPGA end users, they can only obtain bitstream, rather than the RTL code. Therefore, we present a new FPGA reverse engineering tool-chain. It can precisely transform the FPGA bitstream to an RTL code and therefore assists in HT detection. In detail, we first construct an integrated database involving the FPGA architecture information and the bitstream mapping information. Then, we build two tools, namely, bitstream reversal tool (BRT) and netlist reversal tool (NRT). They can be combined together to retrieve the RTL code from the FPGA bitstream in moderate time. To demonstrate the effectiveness of our tool-chain, we evaluate it qualitatively and quantitatively by using two benchmarks (ISCAS'85 and ISCAS'89) and three real applications (8051 core, 68HC08, and AES). Our tool-chain is comprehensive since it covers all the reverse engineering stages, from bitstream to netlist and from netlist to code, without any support from other tools. Moreover, it rebuilds the netlist with a 100% correct rate and retrieves RTL code, which is exactly, functionally equivalent to the original one for all our benchmarks. To the best of our knowledge, it is the first tool that can perform integrated, precise reverse engineering for FPGAs, paving the way for the netlist-/code-based HT detection.

Published
2019
Full Text
View/download PDF

8. A Benchmark Suite of Hardware Trojans for On-Chip Networks

Author

Jian Wang, Shize Guo, Zhe Chen, and Tao Zhang

Subjects
Benchmarks, hardware trojan, network-on-chip, Electrical engineering. Electronics. Nuclear engineering, TK1-9971
Abstract

As recently studied, network-on-chip (NoC) suffers growing threats from hardware trojans (HTs), leading to performance degradation or information leakage when it provides communication service in many/multi-core systems. Therefore, defense techniques against NoC HTs experience rapid development in recent years. However, to the best of our knowledge, there are few standard benchmarks developed for the defense techniques evaluation. To address this issue, in this paper, we design a suite of benchmarks which involves multiple NoCs with different HTs, so that researchers can compare various HT defense methods fairly by making use of them. We first briefly introduce the features of target NoC and its infected modules in our benchmarks, and then, detail the design of our NoC HTs in a one-by-one manner. Finally, we evaluate our benchmarks through extensive simulations and report the circuit cost of NoC HTs in terms of area and power consumption, as well as their effects on NoC performance. Besides, comprehensive experiments, including functional testing and side channel analysis are performed to assess the stealthiness of our HTs.

Published
2019
Full Text
View/download PDF

9. Feature-Based Transfer Learning Based on Distribution Similarity

Author

Xiaofeng Zhong, Shize Guo, Hong Shan, Liang Gao, Di Xue, and Nan Zhao

Subjects
Distribution similarity, feature transfer, KL divergence, transfer learning, Electrical engineering. Electronics. Nuclear engineering, TK1-9971
Abstract

Transfer learning has been found helpful at enhancing the target domain's learning process by transferring useful knowledge from other different but related source domains. In many applications, however, collecting and labeling target information is not only very difficult but also expensive. At the same time, considerable prior experience in this regard exists in other application domains. This paper proposes a feature-based transfer learning method based on distribution similarity that aims at the partial overlap of features between two domains. The non-overlapping features are completed by leveraging the distribution similarity of other features within the source domain. Features of the two domains are then reweighted in accordance with the distribution similarity between the source and target domains. This, in turn, decreases the distribution discrepancy between the two domains, therefore achieving the desired feature transfer. Results of the experiments performed on Facebook and Sina Microblog data sets demonstrate that the proposed method is capable of effectively enhancing the accuracy of the prediction function.

Published
2018
Full Text
View/download PDF

10. Personality Recognition on Social Media With Label Distribution Learning

Author

Di Xue, Zheng Hong, Shize Guo, Liang Gao, Lifa Wu, Jinghua Zheng, and Nan Zhao

Subjects
Personality recognition, label distribution learning, social media mining, big five personality, Electrical engineering. Electronics. Nuclear engineering, TK1-9971
Abstract

Personality is an important psychological construct accounting for individual differences in people. To reliably, validly, and efficiently recognize an individual's personality is a worthwhile goal; however, the traditional ways of personality assessment through self-report inventories or interviews conducted by psychologists are costly and less practical in social media domains, since they need the subjects to take active actions to cooperate. This paper proposes a method of big five personality recognition (PR) from microblog in Chinese language environments with a new machine learning paradigm named label distribution learning (LDL), which has never been previously reported to be used in PR. One hundred and thirteen features are extracted from 994 active Sina Weibo users' profiles and micro-blogs. Eight LDL algorithms and nine non-trivial conventional machine learning algorithms are adopted to train the big five personality traits prediction models. Experimental results show that two of the proposed LDL approaches outperform the others in predictive ability, and the most predictive one also achieves relatively higher running efficiency among all the algorithms.

Published
2017
Full Text
View/download PDF

11. GraphMoco:a Graph Momentum Contrast Model that Using Multimodel Structure Information for Large-scale Binary Function Representation Learning

Author

Runjin, Sun, ShiZe, Guo, Wei, Li, XingYu, Zhang, Xi, Guo, and ZhiSong, Pan

Subjects
Computer Science - Cryptography and Security
Abstract

In the field of cybersecurity, the ability to compute similarity scores at the function level is import. Considering that a single binary file may contain an extensive amount of functions, an effective learning framework must exhibit both high accuracy and efficiency when handling substantial volumes of data. Nonetheless, conventional methods encounter several limitations. Firstly, accurately annotating different pairs of functions with appropriate labels poses a significant challenge, thereby making it difficult to employ supervised learning methods without risk of overtraining on erroneous labels. Secondly, while SOTA models often rely on pre-trained encoders or fine-grained graph comparison techniques, these approaches suffer from drawbacks related to time and memory consumption. Thirdly, the momentum update algorithm utilized in graph-based contrastive learning models can result in information leakage. Surprisingly, none of the existing articles address this issue. This research focuses on addressing the challenges associated with large-scale BCSD. To overcome the aforementioned problems, we propose GraphMoco: a graph momentum contrast model that leverages multimodal structural information for efficient binary function representation learning on a large scale. Our approach employs a CNN-based model and departs from the usage of memory-intensive pre-trained models. We adopt an unsupervised learning strategy that effectively use the intrinsic structural information present in the binary code. Our approach eliminates the need for manual labeling of similar or dissimilar information.Importantly, GraphMoco demonstrates exceptional performance in terms of both efficiency and accuracy when operating on extensive datasets. Our experimental results indicate that our method surpasses the current SOTA approaches in terms of accuracy., Comment: 22 pages,7 figures

Published
2023

12. Instance Attack:An Explanation-based Vulnerability Analysis Framework Against DNNs for Malware Detection

Author

RuiJin, Sun, ShiZe, Guo, JinHong, Guo, ChangYou, Xing, LuMing, Yang, Xi, Guo, and ZhiSong, Pan

Subjects
Computer Science - Cryptography and Security, Computer Science - Artificial Intelligence
Abstract

Deep neural networks (DNNs) are increasingly being applied in malware detection and their robustness has been widely debated. Traditionally an adversarial example generation scheme relies on either detailed model information (gradient-based methods) or lots of samples to train a surrogate model, neither of which are available in most scenarios. We propose the notion of the instance-based attack. Our scheme is interpretable and can work in a black-box environment. Given a specific binary example and a malware classifier, we use the data augmentation strategies to produce enough data from which we can train a simple interpretable model. We explain the detection model by displaying the weight of different parts of the specific binary. By analyzing the explanations, we found that the data subsections play an important role in Windows PE malware detection. We proposed a new function preserving transformation algorithm that can be applied to data subsections. By employing the binary-diversification techniques that we proposed, we eliminated the influence of the most weighted part to generate adversarial examples. Our algorithm can fool the DNNs in certain cases with a success rate of nearly 100\%. Our method outperforms the state-of-the-art method . The most important aspect is that our method operates in black-box settings and the results can be validated with domain knowledge. Our analysis model can assist people in improving the robustness of malware detectors.

Published
2022

13. SimCLF: A Simple Contrastive Learning Framework for Function-level Binary Embeddings

Author

RuiJin, Sun, Shize, Guo, Jinhong, Guo, Wei, Li, Dazhi, Zhan, Meng, Sun, and Zhisong, Pan

Subjects
Computer Science - Cryptography and Security, Computer Science - Artificial Intelligence, Computer Science - Machine Learning, Computer Science - Programming Languages, Computer Science - Software Engineering
Abstract

Function-level binary code similarity detection is a crucial aspect of cybersecurity. It enables the detection of bugs and patent infringements in released software and plays a pivotal role in preventing supply chain attacks. A practical embedding learning framework relies on the robustness of the assembly code representation and the accuracy of function-pair annotation, which is traditionally accomplished using supervised learning-based frameworks. However, annotating different function pairs with accurate labels poses considerable challenges. These supervised learning methods can be easily overtrained and suffer from representation robustness problems. To address these challenges, we propose SimCLF: A Simple Contrastive Learning Framework for Function-level Binary Embeddings. We take an unsupervised learning approach and formulate binary code similarity detection as instance discrimination. SimCLF directly operates on disassembled binary functions and could be implemented with any encoder. It does not require manually annotated information but only augmented data. Augmented data is generated using compiler optimization options and code obfuscation techniques. The experimental results demonstrate that SimCLF surpasses the state-of-the-art in accuracy and has a significant advantage in few-shot settings.

Published
2022

Catalog

Books, media, physical & digital resources
See catalog results