Browsing by Author "Zhang, Qinghua"

Now showing 1 - 2 of 2
  • Improving Performance of Peer-to-peer Systems by Caching
    (2005-01-09) Zhang, Qinghua; Douglas Reeves, Committee Chair; David Thuente, Committee Member; Khaled Harfoush, Committee Member
    Recently, Peer-to-Peer (P2P) has attracted a great deal of interest in industry and research literature. P2P systems are application layer networks, in which logically distinct computing elements (peers) bear comparable roles and responsibilities. P2P enables peers to share resources in a distributed manner. Existing P2P systems work well but are inefficient with respect to information retrieval. Some measurements show that more than half of the current Internet traffic is P2P traffic. Some search methods currently used by P2P groups flood the network, thus consuming a lot of bandwidth. In addition, some P2P applications require some forms of global knowledge of peer resources. Caching is one way to improve the performance of any system that makes repetitive requests. This thesis proposes a selective query-forwarding scheme based on caching. This simple caching mechanism improves efficiency and scalability in information retrieval for P2P systems. Query processing is expedited by caching similar queries or replies, thus making searches more efficient. The performance of this caching-based search algorithm is evaluated and compared with two existing P2P search algorithms (flooding and Random Walk) in P2P file sharing systems. The simulation experiments are designed and performed based on some measurement and empirical data. The results show this caching-based scheme is an attractive technique for keyword-based searching in P2P systems. In some cases it achieves 75% query hits through caching. Its performance is also superior in that it consumes less bandwidth and takes less time to satisfy queries. Finally, this approach doesn't incur additional network traffic to develop knowledge on resource location and thus scales well with the size of the network.
  • Polymorphic and Metamorphic Malware Detection
    (2009-05-16) Zhang, Qinghua; S. Purushothaman Iyer, Committee Member; Peng Ning, Committee Member; Wenye Wang, Committee Member; Douglas S. Reeves, Committee Chair
    Software attacks are a serious problem. Conventional anti-malware software expects malicious software, malware, to contain fixed and known code. Malware writers have devised methods of concealing or constantly changing their attacks to evade anti-malware software. Two important recent techniques are polymorphism, which makes use of code encryption, and metamorphism, which uses a variety of code obfuscation techniques. This dissertation presents three new techniques for detection of these malware. The first technique is to recognize polymorphic malware that are encrypted and that self-decrypt before launching the attacks in network traffic. We propose a new approach that combines static analysis and instruction emulation techniques to more accurately identify the starting location and instructions of the decryption routine, which is characteristic of such malware, even if self-modifying code is used. This method has been implemented and tested on current polymorphic exploits, including ones generated by state-of-the-art polymorphic engines. All exploits have been detected (i.e., a 100% detection rate), including those for which the decryption routine is dynamically coded or self-modifying. The method has also been tested on benign network traffic and Windows executables. The false positive rates are approximately .0002% and .01% for these two categories, respectively. Running time is approximately linear in the size of the network payload being analyzed and is between 1 and 2 MB/s. The second technique is a means of recognizing metamorphic malware which has a transformed program image with equivalent or updated functionalities. We propose a new approach that uses fully automated static analysis of executables to summarize and compare program semantics, based primarily on the pattern of library or system functions which are called. This method has been prototyped and evaluated using randomized benchmark programs, instances of known malware program variants, and utility software available in multiple releases. The results demonstrate three important capabilities of the proposed method: (a) it does well at identifying metamorphic variants of common malware, (b) it distinguishes easily between programs that are not related, and (c) it can identify and detect program variations, or code reuse. Such variations can be due to the insertion of malware (such as viruses) into the executable of a host program. The third technique improves the applicability of a semantic metamorphic malware detector which is the second technique of this dissertation. We propose an automated approach to generate common malware behavior patterns for detection of metamorphic malware or new malware instances. This method combines static analysis and data-mining techniques. This method has been prototyped and evaluated on real world malicious bot software and benign Windows programs. Through the experimental comparison with the metamorphic malware detector, this method results in an about 80% reduction in semantic pattern population to detect known and new malware instances. It is more robust to a junk behavior pollution attack than the malware detector is. A set of experiments was performed to test the quality of the common behavior patterns which were generated with different parameter configurations. Two optimized common behavior patterns were obtained. The corresponding detection rates and true false positive rates are 94%, 8.3%, and 78%, 0.32% respectively. According to a recent paper [1], for indirect comparison and simple reference, the values of the two detection rates which are 94% and 78% more than double the detection rate of signature-based methods on unknown malware programs, which is 33.75%.
