
    GraphMoco:a Graph Momentum Contrast Model that Using Multimodel Structure Information for Large-scale Binary Function Representation Learning

    In the field of cybersecurity, the ability to compute similarity scores at the function level is important. Considering that a single binary file may contain a very large number of functions, an effective learning framework must exhibit both high accuracy and efficiency when handling substantial volumes of data. Nonetheless, conventional methods encounter several limitations. Firstly, accurately annotating pairs of functions with appropriate labels poses a significant challenge, which makes it difficult to employ supervised learning methods without the risk of overtraining on erroneous labels. Secondly, while SOTA models often rely on pre-trained encoders or fine-grained graph comparison techniques, these approaches suffer from drawbacks in time and memory consumption. Thirdly, the momentum update algorithm used in graph-based contrastive learning models can result in information leakage. Surprisingly, none of the existing articles address this issue. This research focuses on the challenges associated with large-scale BCSD. To overcome the aforementioned problems, we propose GraphMoco: a graph momentum contrast model that leverages multimodal structural information for efficient binary function representation learning on a large scale. Our approach employs a CNN-based model and departs from the use of memory-intensive pre-trained models. We adopt an unsupervised learning strategy that effectively uses the intrinsic structural information present in the binary code, which eliminates the need for manual labeling of similar or dissimilar pairs. Importantly, GraphMoco demonstrates exceptional performance in terms of both efficiency and accuracy when operating on extensive datasets. Our experimental results indicate that our method surpasses the current SOTA approaches in terms of accuracy.

    Improved Side Channel Cube Attacks on PRESENT

    The paper presents several improved side channel cube attacks on PRESENT based on the single bit leakage model. Compared with the previous study of Yang et al. in CANS 2009 [30], based on the same model of single bit leakage in the 3rd round, we show that: if the PRESENT cipher structure is unknown, for leakage bit 0, a 32-bit key can be recovered within $2^{7.17}$ chosen plaintexts; if the cipher structure is known, for leakage bits 4, 8 and 12, a 48-bit key can be extracted with $2^{11.92}$ chosen plaintexts, which is less than the $2^{15}$ in [30]. We then extend the single bit leakage model to the 4th round: based on a two-level "divide and conquer" analysis strategy, we propose a sliding window side channel cube attack on PRESENT, where for leakage bit 0 about $2^{15.14}$ chosen plaintexts recover 60 key bits. To obtain more key bits, we propose an iterated side channel cube attack on PRESENT, in which about $2^{8.15}$ chosen plaintexts recover an extra 12 equivalent key bits, so that overall $2^{15.154}$ chosen plaintexts reduce the PRESENT-80 key search space to $2^{8}$. Finally, we extend the attack to PRESENT-128, where about $2^{15.156}$ chosen plaintexts extract 85 key bits and reduce the PRESENT-128 key search space to $2^{43}$. Compared with the previous study of Abdul-Latip et al. in ASIACCS 2011 [31] based on the Hamming weight leakage model, which can extract a 64-bit key of PRESENT-80/128 with $2^{13}$ chosen plaintexts, our attacks extract more key bits and have certain advantages over [31].

    An improved signal detection algorithm for a mining-purposed MIMO-OFDM IoT-based system

    The coal mine internet of things (IoT) communication system is used for real-time monitoring of mining production to ensure the safety and reliability of personnel and equipment in the mine. To eliminate multipath fading in wireless communication in mines, multiple-input multiple-output (MIMO) and orthogonal frequency division multiplexing (OFDM) technologies are introduced. In this paper, a wireless communication system architecture for IoT in mining based on MIMO-OFDM is constructed. To solve the problems of intersymbol interference and frequency selective fading at the receiver, an improved minimum mean square error ordered successive interference cancellation (MMSE-OSIC) signal detection algorithm is proposed. First, the signal-to-interference plus noise ratio of the received signal is calculated and the results are sorted; the layer with the lowest ratio is selected as the weakest signal layer. Then, the MMSE-OSIC algorithm is used to extract all of the signals except the weakest layer. Finally, a maximum likelihood (ML) algorithm is used to traverse the whole signal domain; the signal symbol with the smallest distance from the weakest signal layer is taken as the original signal of that layer and combined with the signal detected by MMSE-OSIC to obtain the final detection result. The simulation results show that, compared with three benchmark algorithms, the proposed MMSE-OSIC algorithm has better signal detection performance under different modulation methods and different channel numbers.

    A DNS Tunnel Sliding Window Differential Detection Method Based on Normal Distribution Reasonable Range Filtering

    A covert attack method often used by APT organizations is the DNS tunnel, which passes information by constructing C2 networks. These actors often change domain names and server IP addresses frequently to evade monitoring, which makes them extremely difficult to detect. However, because they carry DNS tunnel traffic inside normal DNS communication, they inevitably introduce anomalies in some statistical characteristics of DNS traffic, which gives security personnel an opportunity to find them. Based on the above considerations, this paper studies a statistical discovery methodology for typical high-frequency DNS tunnel query behavior. Firstly, we analyze the distribution of DNS domain name length and query counts and find that both follow the normal distribution. Secondly, based on this distribution law, we propose a method for detecting high-frequency DNS query behavior across non-single domain names based on the statistical rules of domain name length and frequency, and we give three theorems as theoretical support. Thirdly, we design a sliding window difference scheme based on the above method. Experimental results show that our method has a higher detection rate. At the same time, since our method does not need a training data set, it is more practical for detecting unknown DNS tunnels. This also shows that a detection method based on mathematical models can avoid the dilemma faced by machine learning methods, which must have useful training data sets, and has strong practical significance.

    Low-cost design of stealthy hardware trojan for bit-level fault attacks on block ciphers

    Fault analysis is a very powerful technique for breaking cryptographic implementations. In particular, bit-level fault analysis (BLFA), where faults are injected by flipping one or a few isolated bits, is among the most efficient of the lot. BLFA requires both precise fault injection capabilities and sophisticated key extraction skills. Algebraic fault analysis (AFA) is a good analysis technique for BLFA. Compared with differential fault analysis (DFA), AFA relies on the automation of machine solvers. Since it fully utilizes the leakage along propagation paths, it can extract the whole key when only one or a few bits are affected, even when the injection is into much deeper rounds. In practice, it is very difficult to inject precise bit-level faults, and expensive equipment is required. However, if the underlying cryptographic hardware is maliciously modified, BLFA can be achieved easily. This recent security threat is popularly known as the hardware trojan horse (HTH). The HTH is a by-product of the popular and economically necessary outsourcing trend in semiconductors. A well designed HTH can precisely inject any type of fault to enable AFA and bypass detection, at low cost and with a low activation rate.