324 research outputs found

    Understanding and Detecting Malicious Cyber Infrastructures

    Malware (e.g., trojans, bots, and spyware) is still a pervasive threat on the Internet. It is able to infect computer systems to further launch a variety of malicious activities such as sending spam, stealing sensitive information and launching distributed denial-of-service (DDoS) attacks. In order to continue malevolent activities without being detected and to improve the efficiency of malicious activities, cyber-criminals tend to build malicious cyber infrastructures to communicate with their malware and to exploit benign users. In these infrastructures, multiple servers are set to be efficient and anonymous in (i) malware distribution (using redirectors and exploit servers), (ii) control (using C&C servers), (iii) monetization (using payment servers), and (iv) robustness against server takedowns (using multiple backups for each type of server). The most straightforward way to counteract the malware threat is to detect malware directly on infected hosts. However, it is difficult since packing and obfuscation techniques are frequently used by malware to evade state-of-the-art anti-virus tools. Therefore, an alternate solution is to detect and disrupt the malicious cyber infrastructures used by malware. In this dissertation, we take an important step in this direction and focus on identifying malicious servers behind those malicious cyber infrastructures. We present a comprehensive inferring framework to infer servers involved in malicious cyber infrastructure based on the three roles of those servers: compromised server, malicious server accessed through redirection and malicious server accessed through directly connecting. We characterize these three roles from four novel perspectives and demonstrate our detection technologies in four systems: PoisonAmplifier, SMASH, VisHunter and NeighbourWatcher. PoisonAmplifier focuses on compromised servers. It explores the fact that cybercriminals tend to use compromised servers to trick benign users during the attacking process. Therefore, it is designed to proactively find more compromised servers. SMASH focuses on malicious servers accessed through directly connecting. It explores the fact that multiple backups are usually used in malicious cyber infrastructures to avoid server takedowns. Therefore, it leverages the correlation among malicious servers to infer a group of malicious servers. VisHunter focuses on the redirections from compromised servers to malicious servers. It explores the fact that cybercriminals usually conceal their core malicious servers. Therefore, it is designed to detect those “invisible” malicious servers. NeighbourWatcher focuses on all general malicious servers promoted by spammers. It explores the observation that spammers intend to promote some servers (e.g., phishing servers) on special websites (e.g., forums and wikis) to trick benign users and to improve the reputation of their malicious servers. In short, we build a comprehensive inferring framework to identify servers involved in malicious cyber infrastructures from four novel perspectives and implement different inference techniques in different systems that complement each other. Our inferring framework has been evaluated in live networks and/or real-world network traces. The evaluation results show that it can accurately detect malicious servers involved in malicious cyber infrastructures with a very low false positive rate. We found the three roles of malicious servers we proposed can characterize most of the servers involved in malicious cyber infrastructures, and the four principles we developed for the detection are invariable across different malicious cyber infrastructures. We believe our experience and lessons are of great benefit to the future malicious cyber infrastructure study and detection.

    Controllability analysis of directed networks in finite states based on pruning motif isomorph

    The current driver node search methods have difficulty coping with large networks, and the solution process does not consider the node cost. In order to solve the practical control problem of networks with different node costs in finite states, this paper proposes a pruning and motif isomorph search method for the driver node set. Firstly, we prove the sufficient conditions for the network to be strictly controllable under partial node control, then we classify the nodes and prove the equivalence controllability of the pruning network, and then we establish three models of maximum augmenting path search, local pruning and motif matching to form a complete driver node set search algorithm. Finally, the algorithm is validated by real networks. The results show that our method not only guarantees the accuracy of search results, but also has low time complexity, which can efficiently handle large networks, and no more than 16.84% of the maximum driver nodes can control the whole network.

    Constituency Parsing using LLMs

    Constituency parsing is a fundamental yet unsolved natural language processing task. In this paper, we explore the potential of recent large language models (LLMs) that have exhibited remarkable performance across various domains and tasks to tackle this task. We employ three linearization strategies to transform output trees into symbol sequences, such that LLMs can solve constituency parsing by generating linearized trees. We conduct experiments using a diverse range of LLMs, including ChatGPT, GPT-4, OPT, LLaMA, and Alpaca, comparing their performance against the state-of-the-art constituency parsers. Our experiments encompass zero-shot, few-shot, and full-training learning settings, and we evaluate the models on one in-domain and five out-of-domain test datasets. Our findings reveal insights into LLMs' performance, generalization abilities, and challenges in constituency parsing.

    Research on Ecological Efficiency of Industrial Structure

    This paper uses industrial structure as a critical reference frame for evaluating ecological efficiency. It calculates the industrial structures and ecological efficiency value of 29 municipalities, autonomous regions, and provinces of China for the period between 2005 and 2017. Analysis of the regional characteristics and development trends of ecological efficiency of China's industrial structure is conducted. The results show that the industrial structural ecological efficiency of China exhibits the phenomenon of spatial agglomeration, gradient decrease, and gradually increasing gaps between the provinces.