
    A lightweight intrusion alert fusion system

    In this paper, we present some practical experience on implementing an alert fusion mechanism from our project. After investigation on most of the existing alert fusion systems, we found the current body of work alternatively weighed down in the mire of insecure design or rarely deployed because of their complexity. As confirmed by our experimental analysis, unsuitable mechanisms could easily be submerged by an abundance of useless alerts. Even with the use of methods that achieve a high fusion rate and low false positives, attack is also possible. To find the solution, we carried out analysis on a series of alerts generated by well-known datasets as well as realistic alerts from the Australian Honey-Pot. One important finding is that one alert has more than an 85% chance of being fused in the following 5 alerts. Of particular importance is our design of a novel lightweight Cache-based Alert Fusion Scheme, called CAFS. CAFS has the capacity to not only reduce the quantity of useless alerts generated by IDS (Intrusion Detection System), but also enhance the accuracy of alerts, therefore greatly reducing the cost of fusion processing. We also present reasonable and practical specifications for the target-oriented fusion policy that provides a quality guarantee on alert fusion, and as a result seamlessly satisfies the process of successive correlation. Our experimental results showed that the CAFS easily attained the desired level of survivable, inescapable alert fusion design. Furthermore, as a lightweight scheme, CAFS can easily be deployed and excel in a large amount of alert fusions, which go towards improving the usability of system resources. To the best of our knowledge, our work is a novel exploration in addressing these problems from a survivable, inescapable and deployable point of view.

    Android HIV: A Study of Repackaging Malware for Evading Machine-Learning Detection

    Machine learning based solutions have been successfully employed for automatic detection of malware in Android applications. However, machine learning models are known to lack robustness against inputs crafted by an adversary. So far, the adversarial examples can only deceive Android malware detectors that rely on syntactic features, and the perturbations can only be implemented by simply modifying the Android manifest. While recent Android malware detectors rely more on semantic features from Dalvik bytecode rather than the manifest, existing attacking/defending methods are no longer effective. In this paper, we introduce a new highly-effective attack that generates adversarial examples of Android malware and evades being detected by the current models. To this end, we propose a method of applying optimal perturbations onto an Android APK using a substitute model. Based on the transferability concept, the perturbations that successfully deceive the substitute model are likely to deceive the original models as well. We develop an automated tool to generate the adversarial examples without human intervention to apply the attacks. In contrast to existing works, the adversarial examples crafted by our method can also deceive recent machine learning based detectors that rely on semantic features such as the control-flow graph. The perturbations can also be implemented directly onto the APK's Dalvik bytecode rather than the Android manifest to evade recent detectors. We evaluated the proposed manipulation methods for adversarial examples by using the same datasets that Drebin and MaMaDroid (5879 malware samples) used. Our results show that the malware detection rates decreased from 96% to 1% in MaMaDroid, and from 97% to 1% in Drebin, with just a small distortion generated by our adversarial example manipulation method.

    Comment: 15 pages, 11 figures

    Flow Boiling Pressure Drop for R410A and RL32H in Multi-channel Tube

    This paper introduces a test facility to conduct both flow boiling and condensation tests in a multi-channel tube, including structural designs in the test section to maintain a good and stable flow regime in the multi-channels. It supports flow boiling and condensing testing at the same time. The refrigerant cycle is driven by a gear pump: liquid refrigerant flows from the gear pump, passes through an electrical pre-heater, evaporator and post-heater, then flows through a water/glycol bath pre-condenser, condenser and post-condenser. Experimental data for the pressure drop of pure R410A and of an R410A and lubricant RL32H mixture in flow boiling are presented and analyzed in this paper. Inlet vapor quality was varied over 0.2, 0.4, 0.6 and 0.8 with a 0.2 quality increase along the tube, the mass fraction of lubricant was varied over 0%, 1%, 3% and 5%, and the mass velocity of the pure refrigerant and the mixture varied from 100 to 700 kg s⁻¹ m⁻². The experiments were conducted at an average saturation temperature of 5 °C. The literature on two-phase flow boiling pressure drop for both pure refrigerants and refrigerant mixtures is carefully reviewed, and popular published correlations are used in this study to evaluate the test data. New two-phase flow boiling pressure drop correlations for pure refrigerant and mixtures inside a multi-channel tube are proposed. Some published data are used to validate the new correlations.

    Bis(μ-adamantane-1,3-dicarboxylato-κ⁴O¹,O¹′:O³,O³′)bis[aqua(3-carboxyadamantane-1-carboxylato-κO¹)(1,10-phenanthroline-κ²N,N′)erbium(III)] dihydrate

    The asymmetric unit of the binuclear centrosymmetric title compound, [Er₂(C₁₂H₁₄O₄)₂(C₁₂H₁₅O₄)₂(C₁₂H₈N₂)₂(H₂O)₂]·2H₂O, contains one Er(III) atom, one coordinated water molecule, one 1,10-phenanthroline (phen) ligand, two differently coordinated adamantane-1,3-dicarboxylate (H₂L) ligands and one lattice water molecule. The Er(III) ion is eight-coordinated by four O atoms from bridging L²⁻, one O atom from HL⁻, one O atom from the coordinated water and two N atoms from a phen ligand. Extensive O—H⋯O hydrogen-bonding interactions result in the formation of chains which are further linked into a layer-like network by π–π stacking interactions [centroid–centroid distance = 3.611 (3) Å] between adjacent phen ligands belonging to neighbouring chains. The carboxy group of the HL⁻ ligand is equally disordered over two positions.