Symmetric-Key Cryptographic Routine Detection in Anti-Reverse Engineered Binaries Using Hardware Tracing

Electronics, 2020, Vol 9 (6), pp. 957
Juhyun Park, Yongsu Park

Software uses cryptography to provide confidentiality in communication and to provide authentication. Additionally, cryptographic algorithms can be used to protect the core algorithms of a software implementation against cracking. Recently, malware and ransomware have begun to use encryption to protect their code from analysis. As for the detection of cryptographic algorithms, previous works have had demerits in analyzing anti-reverse engineered binaries, which can detect differences between analysis environments and normal execution. Here, we present a new symmetric-key cryptographic routine detection scheme using hardware tracing. In our experiments, patterns were successfully generated and detected for nine symmetric-key cryptographic algorithms. Additionally, the experimental results show that the false positive rate of our scheme is extremely low and that the prototype implementation successfully bypasses anti-reversing techniques. Our work can be used to detect symmetric-key cryptographic routines in malware/ransomware that employ anti-reversing techniques.

2017, Vol 2017, pp. 1-11
Fu-Hau Hsu, Chih-Wen Ou, Yan-Ling Hwang, Ya-Ching Chang, Po-Ching Lin

Web-based botnets are popular nowadays. A Web-based botnet is a botnet whose C&C (Command-and-Control) server and bots communicate with each other over HTTP, the most universal and widely supported network protocol. Because attackers can easily hide botnet communication within the relatively massive volume of HTTP traffic, administrators of network equipment, such as routers and switches, cannot simply block such suspicious traffic, regardless of the cost. Based on the composition of a Web server's clients and the characteristics of the HTTP responses the server sends to those clients, this paper proposes a traffic inspection solution called Web-based Botnet Detector (WBD). WBD is able to detect suspicious C&C servers of HTTP botnets regardless of whether the botnet commands are encrypted or hidden in normal Web pages. More than 500 GB of real network traces collected from 11 backbone routers are used to evaluate our method. Experimental results show that the false positive rate of WBD is 0.42%.

Data leakage prevention has been defined as a process or solution that identifies confidential data and tracks it as it moves in and out of the enterprise, in order to prevent any intentional or unintentional unauthorized disclosure. Confidential data can reside on various computing devices and move through several network access points or different types of social networks, such as email. Email leakage has been defined as an email going, either deliberately or accidentally, to an addressee to whom it should not have been addressed. Data Leak Prevention (DLP) is the technique or product that tries to mitigate the threat of data leaks. In this work, the technique of clustering is combined with term frequency and inverse document frequency (TF-IDF) in order to identify the right centroids for analysing the various emails exchanged among members of an organization. Every member fits into various topic clusters, and one topic cluster can comprise several members of the organization who have not communicated with each other before. When a new email is composed, every addressee is classified as either a potential leak recipient or a legitimate one. This classification is based on the emails previously sent between the sender and the receiver and also on their topic clusters. The work investigated the K-Means clustering technique and also proposed a Tabu K-Means (TABU-KM) clustering technique to identify optimal clustering points. The proposed TABU-KM optimizes K-Means clustering. Experimental results demonstrated that the proposed method achieves a higher True Positive Rate (TPR) for known and unknown recipients and a lower False Positive Rate (FPR) for known and unknown recipients.

2017, Vol 49 (11), pp. 854-859
Sandrine Urwyler, Nina Cupa, Mirjam Christ-Crain

Abstract: In this study, we compared the 2 mg dexamethasone suppression test (DST) with the gold-standard 1 mg DST in obese patients in order to reduce the false-positive rate for Cushing's syndrome (CS). The primary endpoint was the comparison of serum cortisol levels after 1 mg versus 2 mg DST in patients with a BMI >30 kg/m2 and at least one additional feature of the metabolic syndrome. Secondary endpoints were comparison of salivary cortisol and ACTH levels, respectively. Fifty-four obese patients were included. Median serum cortisol levels after 1 mg DST and 2 mg DST were similar [28 nmol/l (20; 36) vs. 28 nmol/l (20; 38), p=0.53]. Salivary cortisol was 8.2 nmol/l (4.7; 11.7) after the 1 mg DST vs. 6.7 nmol/l (4.2; 9.5) after the 2 mg test, p=0.09. ACTH levels were higher after the 1 mg DST compared to the 2 mg DST [10.0 pg/ml (7.6; 10.7) vs. 5.0 pg/ml (5.0; 5.1), p<0.0001]. The false positive rate after the 1 mg DST was 14.8% (n=8) and was reduced to 11.1% (n=6) after the 2 mg DST. All non-suppressors (n=8) had type 2 diabetes and most of them took a medication interacting with cytochrome P450 3A4 (CYP3A4). In individuals with obesity, the 2 mg DST was not superior to the 1 mg DST in regard to serum cortisol levels. However, in some patients, particularly those with poorly controlled diabetes or medication interacting with CYP3A4 and without adequate suppression after the 1 mg DST, the 2 mg DST might prove helpful to reduce the false-positive rate for CS.
Number: NCT02227420

2019, Vol 9 (1)
Ginette Lafit, Francis Tuerlinckx, Inez Myin-Germeys, Eva Ceulemans

Abstract: Gaussian Graphical Models (GGMs) are extensively used in many research areas, such as genomics, proteomics, neuroimaging, and psychology, to study the partial correlation structure of a set of variables. This structure is visualized by drawing an undirected network, in which the variables constitute the nodes and the partial correlations the edges. In many applications, it makes sense to impose sparsity (i.e., some of the partial correlations are forced to zero), as sparsity is theoretically meaningful and/or because it improves the predictive accuracy of the fitted model. However, as we will show by means of extensive simulations, state-of-the-art estimation approaches for imposing sparsity on GGMs, such as the Graphical lasso, ℓ1 regularized nodewise regression, and joint sparse regression, fall short because they often yield too many false positives (i.e., partial correlations that are not properly set to zero). In this paper we present a new estimation approach that allows one to control the false positive rate better. Our approach consists of two steps: First, we estimate an undirected network using one of the three state-of-the-art estimation approaches. Second, we try to detect the false positives by flagging the partial correlations that are smaller in absolute value than a given threshold, which is determined through cross-validation; the flagged correlations are set to zero. Applying this new approach to the same simulated data shows that it indeed performs better. We also illustrate our approach by using it to estimate (1) a gene regulatory network for breast cancer data, (2) a symptom network of patients with a diagnosis within the nonaffective psychotic spectrum and (3) a symptom network of patients with PTSD.

Phu C. Tran, Will DeBrock, Mary E. Lester, Brett C. Hartman, Juan Socas

Abstract
Background: Transcutaneous tissue oximetry is widely used as an adjunct for postoperative monitoring after microvascular breast reconstruction. Despite a high sensitivity at detecting vascular issues, alarms from probe malfunctions/errors can generate unnecessary nursing calls, concerns, and evaluations. The purpose of this study is to analyze the false positive rate of transcutaneous tissue oximetry monitoring over the postoperative period and assess changes in its utility over time.
Patients and Methods: Consecutive patients undergoing microvascular breast reconstruction at our institution with monitoring using transcutaneous tissue oximetry were assessed between 2017 and 2019. Variables of interest were transcutaneous tissue oximetry alarms, flap loss, re-exploration, and salvage rates.
Results: The study included 175 patients (286 flaps). The flap loss rate was 1.0% (3/286). Twelve patients (6.8%) required re-exploration, with 9 patients found to have actual flap compromise (all within 24 hours). The salvage rate was 67.0%. The 3 takebacks after 24 hours were for bleeding concerns rather than anastomotic problems. Within the initial 24-hour postoperative period, 43 tissue oximetry alarms triggered nursing calls; 7 alarms (16.2%) were confirmed to be for flap issues secondary to vascular compromise. After 24 hours, none of the 44 alarms were associated with flap compromise. The false positive rate within 24 hours was 83.7% (36/43) compared with 100% (44/44) after 24 hours (p = 0.01).
Conclusion: The transcutaneous tissue oximetry false positive rate significantly rises after 24 hours. The benefit may not outweigh the concerns, labor, and effort that result from alarms after postoperative day 1. We recommend considering discontinuing this monitoring after 24 hours.