Author

Shang-Nan Yin

Bio: Shang-Nan Yin is an academic researcher from Konkuk University. The author has contributed to research in topics: Intrusion detection system & Cluster analysis. The author has an h-index of 3, co-authored 6 publications receiving 51 citations.

Papers
Proceedings ArticleDOI
20 Sep 2017
TL;DR: The proposed dynamic ransomware detection system, which uses data mining techniques such as Random Forest, Support Vector Machine, Simple Logistic, and Naive Bayes algorithms to detect known and unknown ransomware, improves the performance of ransomware detection.
Abstract: In recent cyber incidents, ransom software (ransomware) poses a major threat to the security of computer systems. Consequently, ransomware detection has become a hot topic in computer security. Unfortunately, current signature-based and static detection models are often easily evaded by obfuscation, polymorphism, compression, and encryption. To overcome the shortcomings of signature-based and static ransomware detection approaches, we have proposed a dynamic ransomware detection system using data mining techniques such as Random Forest (RF), Support Vector Machine (SVM), Simple Logistic (SL) and Naive Bayes (NB) algorithms for detecting known and unknown ransomware. We monitor the actual (dynamic) behaviors of software to generate API call flow graphs (CFG) and map them into a feature space. Thereafter, data normalization and feature selection were applied to select informative features which are the best for discriminating between various categories of software and benign software. Finally, the data mining algorithms were used for building the detection model for judging whether the software is benign software or ransomware. Our experimental results show that our proposed system is more effective at improving the performance of ransomware detection. In particular, the accuracy and detection rate of our proposed system with the Simple Logistic (SL) algorithm reach 98.2% and 97.6%, respectively. Meanwhile, the false positive rate can also be reduced to 1.2%.

74 citations

Journal ArticleDOI
TL;DR: An approach for categorical data clustering using a rough entropy method with the DBSCAN clustering algorithm is proposed to improve the performance of the k-anonymization approach; it is second to none among Fuzzy Centroids, MMeR, SDR and ITDR, etc. with respect to the local and global purity of clusters.
Abstract: A popular means of social communication for online users has become a trend with the rapid growth of social networks in the last few years. Facebook, Myspace, Twitter, LinkedIn, etc. have created huge amounts of data about interactions in social networks. Meanwhile, the trend is also true for offline scenarios with the rapid growth of mobile devices such as smart phones, tablets, and laptops used for social interactions. These mobile devices enlarge the traditional social network services platform and lead to a greater amount of mobile social network data. These data contain more private information of individuals such as location, habits, and health condition. However, there are many analytical, sociological, and economic questions that can be answered using these data, so mobility data managers are expected to share the data with researchers, governments, and/or companies. Therefore, mobile social network data is badly in need of anonymization before it is shared or analyzed widely. k-anonymization is a well-known clustering-based anonymization approach. However, the implementation of this basic approach has been a challenge since much of the mobile social network data involves categorical data values. In this paper, we propose an approach for categorical data clustering using a rough entropy method with the DBSCAN clustering algorithm to improve the performance of the k-anonymization approach. It has the ability to deal with uncertainty in the clustering process and can effectively find arbitrarily shaped clusters. We report the proposed approach and discuss its credibility through theoretical studies and examples. Experimental results on two benchmark data sets obtained from the UCI Machine Learning Repository show that our approach is second to none among Fuzzy Centroids, MMeR, SDR and ITDR, etc. with respect to the local and global purity of clusters. Since the clustering algorithm is a key point of k-anonymization for clustering mobile social network data, our experimental results show that our proposed algorithm is more effective at balancing the utility of the mobile social network data and the performance of anonymization.

10 citations

Proceedings ArticleDOI
11 Oct 2016
TL;DR: This paper aims at more efficient detection of cloned proximity cards and designs a real-time intrusion detection system based on a Complex Event Processing tool (Esper) in the RFID middleware, trained on the user's habits.
Abstract: Radio Frequency Identification (RFID) technology has been applied in many fields, such as tracking products through supply chains, electronic passports (ePassport), proximity cards, etc. Most companies will choose low-cost RFID tags. However, these RFID tags have almost no security mechanism, so criminals can easily clone these tags and obtain the user's permissions. In this paper, we aim at more efficient detection of cloned proximity cards and design a real-time intrusion detection system based on a Complex Event Processing tool (Esper) in the RFID middleware. We detect cloned tags by training our system with the user's habits. When anomalous behavior that may indicate cloned tags is detected, a notification is sent to the user. We discuss the reliability of this intrusion detection system and describe in detail how it works.

4 citations

Proceedings ArticleDOI
09 Oct 2018
TL;DR: A novel malware detection method is proposed that not only depends on API calls, but further analyzes the relationships between them and creates higher-level semantics to prevent attackers from evading detection.
Abstract: In this era of information networks, more and more malware (malicious software) poses a serious threat to security. How to detect malware attacks in a timely and effective manner becomes particularly important. The increasingly sophisticated malware calls for new defense technologies to detect and combat novel attacks and threats. In this paper, we propose a novel malware detection method that not only depends on API calls, but further analyzes the relationships between them and creates higher-level semantics to prevent attackers from evading detection. We construct a heterogeneous information network (HIN) from the rich relationships between software and related APIs, and then use meta-path-based methods to describe the semantic relevance between software and APIs. We use each meta-path to calculate similarities between software and aggregate the different similarities with Multi-kernel Learning (MKL) to construct a malware detection system. We collected real sample data and conducted a comprehensive experiment. Through experiments we obtained a relatively high detection rate and a relatively low false detection rate, which shows the effectiveness of our proposed method.

3 citations

Book ChapterDOI
14 Apr 2014
TL;DR: This paper presents a graph-based intrusion detection algorithm using an outlier detection method based on the local deviation factor (LDFGB), which has better detection rates than a previous clustering algorithm.
Abstract: With the development of internet technology, more and more risks are appearing on the internet and internet security has become an important issue. Intrusion detection technology is an important part of internet security. In intrusion detection, it is important to have a fast and effective method to find known and unknown attacks. In this paper, we present a graph-based intrusion detection algorithm using an outlier detection method based on the local deviation factor (LDFGB). This algorithm has better detection rates than a previous clustering algorithm. Moreover, it is able to detect clusters of any shape and still keep a high detection rate for unknown or known attacks. The LDFGB algorithm uses a graph-based clustering algorithm (GB) to get an initial partition of the dataset, which depends on a cluster precision parameter; we then use the outlier detection algorithm to further process the results of the graph-based clustering algorithm. This measure is effective in improving the detection rates and false positive rates.

2 citations


Cited by
Journal ArticleDOI
TL;DR: A comprehensive survey on evolution, prevention and mitigation of Ransomware in IoT context is provided and is expected to be useful for researchers and practitioners who are involved in developing solutions for IoT security.

88 citations

Posted Content
TL;DR: A comprehensive survey on ransomware and ransomware defense research with respect to PCs/workstations, mobile devices, and IoT/CPS platforms over the period of 1990-2020 is presented, giving a detailed overview of ransomware evolution, and comprehensively analyze the key building blocks of ransomware.
Abstract: In recent years, ransomware has been one of the most notorious malware targeting end users, governments, and business organizations. It has become a very profitable business for cybercriminals with revenues of millions of dollars, and a very serious threat to organizations with financial loss of billions of dollars. Numerous studies were proposed to address the ransomware threat, including surveys that cover certain aspects of ransomware research. However, no study exists in the literature that gives the complete picture on ransomware and ransomware defense research with respect to the diversity of targeted platforms. Since ransomware is already prevalent in PCs/workstations/desktops/laptops, is becoming more prevalent in mobile devices, and has already hit IoT/CPS recently, and will likely grow further in the IoT/CPS domain very soon, understanding ransomware and analyzing defense mechanisms with respect to target platforms is becoming more imperative. In order to fill this gap and motivate further research, in this paper, we present a comprehensive survey on ransomware and ransomware defense research with respect to PCs/workstations, mobile devices, and IoT/CPS platforms. Specifically, covering 137 studies over the period of 1990-2020, we give a detailed overview of ransomware evolution, comprehensively analyze the key building blocks of ransomware, present a taxonomy of notable ransomware families, and provide an extensive overview of ransomware defense research (i.e., analysis, detection, and recovery) with respect to platforms of PCs/workstations, mobile devices, and IoT/CPS. Moreover, we derive an extensive list of open issues for future ransomware research. We believe this survey will motivate further research by giving a complete picture on state-of-the-art ransomware research.

73 citations

Journal ArticleDOI
TL;DR: An entropy technique is utilized to measure a characteristic of the encrypted file (i.e., uniformity) and machine learning is applied to classify infected files based on file entropy analysis; results confirm that the proposed method provides a high detection rate with low false positive and false negative rates compared with existing detection methods.
Abstract: With the advent of big data and cloud services, user data has become an important issue. Although a variety of detection and prevention technologies are used to protect user data, ransomware that demands money in exchange for one's data has emerged. In order to detect and prevent ransomware, file- and behavior-based detection methods have been investigated. Nevertheless, we are still facing ransomware threats, as it is difficult to detect and prevent ransomware containing unknown malicious code. In particular, these methods are limited in that they cannot detect ransomware in backup systems such as cloud services. For instance, if files infected with ransomware are synchronized with the backup system, the infected files will not be able to be restored from the backed-up files. In this paper, we utilize an entropy technique to measure a characteristic of the encrypted file (i.e., uniformity). Machine learning is applied to classify infected files based on file entropy analysis. The proposed method can recover the original file from the backup system by detecting ransomware-infected files that have been synchronized to the backup system, even if the user system is infected by ransomware. The analysis results confirm that the proposed method provides a high detection rate with low false positive and false negative rates compared with existing detection methods.

62 citations

Journal ArticleDOI
TL;DR: This study surveyed the detection techniques that the research community has developed in recent years and compared the different approaches and classified the algorithms based on the input data they obtain from ransomware actions, and the decision procedures they use to reach a classification decision between benign or malign applications.
Abstract: Crypto-ransomware is a type of malware that encrypts user files, deletes the original data, and asks for a ransom to recover the hijacked documents. It is a cyber threat that targets both companies and residential users, and has spread in recent years because of its lucrative results. Several articles have presented classifications of ransomware families and their typical behaviour. These insights have stimulated the creation of detection techniques for antivirus and firewall software. However, because the ransomware scene evolves quickly and aggressively, these studies quickly become outdated. In this study, we surveyed the detection techniques that the research community has developed in recent years. We compared the different approaches and classified the algorithms based on the input data they obtain from ransomware actions, and the decision procedures they use to reach a classification decision between benign or malign applications. This is a detailed survey that focuses on detection algorithms, compared to most previous studies that offer a survey of ransomware families or isolated proposals of detection algorithms. We also compared the results of these proposals.

61 citations

Journal ArticleDOI
TL;DR: Two novel techniques, incremental bagging (iBagging) and enhanced semi-random subspace selection (ESRS), are proposed and incorporated into an ensemble-based detection model, achieving higher detection accuracy than existing solutions.

52 citations