GraphMoco: a Graph Momentum Contrast Model that Using Multimodel Structure Information for Large-scale Binary Function Representation Learning
In the field of cybersecurity, the ability to compute similarity scores at the function level is important. Considering that a single binary file may contain an extensive number of functions, an effective learning framework must exhibit both high accuracy and efficiency when handling substantial volumes of data. Nonetheless, conventional methods encounter several limitations. Firstly, accurately annotating different pairs of functions with appropriate labels poses a significant challenge, thereby making it difficult to employ supervised learning methods without risk of overtraining on erroneous labels. Secondly, while SOTA models often rely on pre-trained encoders or fine-grained graph comparison techniques, these approaches suffer from drawbacks related to time and memory consumption. Thirdly, the momentum update algorithm utilized in graph-based contrastive learning models can result in information leakage. Surprisingly, none of the existing articles address this issue. This research focuses on addressing the challenges associated with large-scale BCSD. To overcome the aforementioned problems, we propose GraphMoco: a graph momentum contrast model that leverages multimodal structural information for efficient binary function representation learning on a large scale. Our approach employs a CNN-based model and departs from the usage of memory-intensive pre-trained models. We adopt an unsupervised learning strategy that effectively uses the intrinsic structural information present in the binary code. Our approach eliminates the need for manual labeling of similar or dissimilar information. Importantly, GraphMoco demonstrates exceptional performance in terms of both efficiency and accuracy when operating on extensive datasets. Our experimental results indicate that our method surpasses the current SOTA approaches in terms of accuracy.
Comment: 22 pages, 7 figures
Improved Side Channel Cube Attacks on PRESENT
The paper presents several improved side channel cube attacks on PRESENT based on the single bit leakage model. Compared with the previous study of Yang et al. in CANS 2009 [30], based on the same model of single bit leakage in the 3rd round, we show that: if the PRESENT cipher structure is unknown, for the leakage bit 0, a 32-bit key can be recovered within chosen plaintexts; if the cipher structure is known, for the leakage bits 4, 8, 12, a 48-bit key can be extracted by chosen plaintexts, which is less than in [30]. We then extend the single bit leakage model to the 4th round; based on the two-level "divide and conquer" analysis strategy, we propose a sliding window side channel cube attack on PRESENT, where for the leakage bit 0, about chosen plaintexts can obtain a 60-bit key. In order to obtain more key bits, we propose an iterated side channel cube attack on PRESENT, where about chosen plaintexts can obtain an extra 12 equivalent key bits, so overall chosen plaintexts can reduce the PRESENT-80 key searching space to . Finally, we extend the attack to PRESENT-128, where about chosen plaintexts can extract 85 key bits and reduce the PRESENT-128 key searching space to . Compared with the previous study of Abdul-Latip et al. in ASIACCS 2011 [31] based on the Hamming weight leakage model, which can extract a 64-bit key of PRESENT-80/128 by chosen plaintexts, our attacks can extract more key bits and have certain advantages over [31].
An improved signal detection algorithm for a mining-purposed MIMO-OFDM IoT-based system
The coal mine internet of things (IoT) communication system is used for real-time monitoring of mining production to ensure the safety and reliability of personnel and equipment in the mine. To eliminate multipath fading in the process of wireless communication in mines, multiple-input multiple-output (MIMO) and orthogonal frequency division multiplexing (OFDM) technologies are introduced. In this paper, a wireless communication system architecture for IoT in mining based on MIMO-OFDM is constructed. Aiming to solve the problems of intersymbol interference and frequency selective fading at the receiver, an improved minimum mean square error ordered successive interference cancellation (MMSE-OSIC) signal detection algorithm is proposed. First, the signal-to-interference plus noise ratio of the received signal is calculated and the calculation results are sorted. The layer with the lowest signal-to-noise ratio is selected as the weakest signal layer. Then, the MMSE-OSIC algorithm is used to extract all of the signals except the weakest layer. Finally, a maximum likelihood (ML) algorithm is used to traverse the whole signal domain; the signal symbol with the smallest distance from the weakest signal layer is taken as the original signal of the weakest signal layer, and it is combined with the signal detected by MMSE-OSIC to obtain the final signal detection result. The simulation results show that, compared with three benchmark algorithms, the proposed MMSE-OSIC algorithm has better signal detection performance under different modulation methods and different channel numbers.
A DNS Tunnel Sliding Window Differential Detection Method Based on Normal Distribution Reasonable Range Filtering
A covert attack method often used by APT organizations is the DNS tunnel, which is used to pass information by constructing C2 networks. They often use the method of frequently changing domain names and server IP addresses to evade monitoring, which makes them extremely difficult to detect. However, they carry DNS tunnel traffic inside normal DNS communication, which inevitably introduces anomalies in some statistical characteristics of DNS traffic, and this provides security personnel with the opportunity to find them. Based on the above considerations, this paper studies a statistical discovery methodology for typical DNS tunnel high-frequency query behavior. Firstly, we analyze the distribution of DNS domain name length and query times and find that both follow the normal distribution law. Secondly, based on this distribution law, we propose a method for detecting and discovering high-frequency DNS query behaviors of non-single domain names based on the statistical rules of domain name length and frequency, and we also give three theorems as theoretical support. Thirdly, we design a sliding window difference scheme based on the above method. Experimental results show that our method has a higher detection rate. At the same time, since our method does not need to construct a data set, it has better practicability in detecting unknown DNS tunnels. This also shows that our detection method based on mathematical models can effectively avoid the dilemma of machine learning methods, which must have useful training data sets, and has strong practical significance.
Low-cost design of stealthy hardware trojan for bit-level fault attacks on block ciphers
Fault analysis is a very powerful technique to break cryptographic implementations. In particular, bit-level fault analysis (BLFA), where faults are injected by flipping one or a few isolated bits, is among the most efficient of the lot. BLFA requires both precise fault injection capabilities and sophisticated key extraction skills. Algebraic fault analysis (AFA) is a good analysis technique for BLFA. Compared with differential fault analysis (DFA), AFA relies on automation from machine solvers. Since it fully utilizes the leakages along propagation paths, it can extract the whole key when only one or a few bits are affected, and when the injection is into much deeper rounds. In practice, it is very difficult to inject precise bit-level faults, and expensive equipment is indeed required. However, if the underlying cryptographic hardware is maliciously modified, BLFA can be easily achieved. This recent security threat is popularly known as the hardware trojan horse (HTH). HTH is a by-product of the popular and economically necessary outsourcing trend in semiconductors. A well-designed HTH can precisely inject any type of fault to enable AFA and bypass detection, while having low cost and a low activation rate.