Guofei Gu

Texas A&M University, College Station, Texas, United States

Are you Guofei Gu?

Claim your profile

Publications (56)13.2 Total impact

  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Malware is pervasive in networks, and poses a critical threat to network security. However, we have very limited understanding of malware behavior in networks to date. In this paper, we investigate how malware propagates in networks from a global perspective. We formulate the problem, and establish a rigorous two layer epidemic model for malware propagation from network to network. Based on the proposed model, our analysis indicates that the distribution of a given malware follows exponential distribution, power law distribution with a short exponential tail, and power law distribution at its early, late and final stages, respectively. Extensive experiments have been performed through two real-world global scale malware data sets, and the results confirm our theoretical findings.
    IEEE Transactions on Knowledge and Data Engineering 01/2015; 27(1):170-179. DOI:10.1109/TKDE.2014.2320725 · 1.82 Impact Factor
  • Network and Distributed System Security Symposium; 01/2014
  • [Show abstract] [Hide abstract]
    ABSTRACT: Android phones often carry personal information, attracting malicious developers to embed code in Android applications to steal sensitive data. With known techniques in the literature, one may easily determine if sensitive data is being transmitted out of an Android phone. However, transmission of sensitive data in itself does not necessarily indicate privacy leakage; a better indicator may be whether the transmission is by user intention or not. When transmission is not intended by the user, it is more likely a privacy leakage. The problem is how to determine if transmission is user intended. As a first solution in this space, we present a new analysis framework called AppIntent. For each data transmission, AppIntent can efficiently provide a sequence of GUI manipulations corresponding to the sequence of events that lead to the data transmission, thus helping an analyst to determine if the data transmission is user intended or not. The basic idea is to use symbolic execution to generate the aforementioned event sequence, but straightforward symbolic execution proves to be too time-consuming to be practical. A major innovation in AppIntent is to leverage the unique Android execution model to reduce the search space without sacrificing code coverage. We also present an evaluation of AppIntent with a set of 750 malicious apps, as well as 1,000 top free apps from Google Play. The results show that AppIntent can effectively help separate the apps that truly leak user privacy from those that do not.
    Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security; 11/2013
  • [Show abstract] [Hide abstract]
    ABSTRACT: Android platform adopts permissions to protect sensitive resources from untrusted apps. However, after permissions are granted by users at install time, apps could use these permissions (sensitive resources) with no further restrictions. Thus, recent years have witnessed the explosion of undesirable behaviors in Android apps. An important part in the defense is the accurate analysis of Android apps. However, traditional syscall-based analysis techniques are not well-suited for Android, because they could not capture critical interactions between the application and the Android system. This paper presents VetDroid, a dynamic analysis platform for reconstructing sensitive behaviors in Android apps from a novel permission use perspective. VetDroid features a systematic framework to effectively construct permission use behaviors, i.e., how applications use permissions to access (sensitive) system resources, and how these acquired permission-sensitive resources are further utilized by the application. With permission use behaviors, security analysts can easily examine the internal sensitive behaviors of an app. Using real-world Android malware, we show that VetDroid can clearly reconstruct fine-grained malicious behaviors to ease malware analysis. We further apply VetDroid to 1,249 top free apps in Google Play. VetDroid can assist in finding more information leaks than TaintDroid, a state-of-the-art technique. In addition, we show how we can use VetDroid to analyze fine-grained causes of information leaks that TaintDroid cannot reveal. Finally, we show that VetDroid can help identify subtle vulnerabilities in some (top free) applications otherwise hard to detect.
    Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security; 11/2013
  • [Show abstract] [Hide abstract]
    ABSTRACT: Among the leading reference implementations of the Software Defined Networking (SDN) paradigm is the OpenFlow framework, which decouples the control plane into a centralized application. In this paper, we consider two aspects of OpenFlow that pose security challenges, and we propose two solutions that could address these concerns. The first challenge is the inherent communication bottleneck that arises between the data plane and the control plane, which an adversary could exploit by mounting a "control plane saturation attack" that disrupts network operations. Indeed, even well-mined adversarial models, such as scanning or denial-of-service (DoS) activity, can produce more potent impacts on OpenFlow networks than traditional networks. To address this challenge, we introduce an extension to the OpenFlow data plane called "connection migration", which dramatically reduces the amount of data-to-control-plane interactions that arise during such attacks. The second challenge is that of enabling the control plane to expedite both detection of, and responses to, the changing flow dynamics within the data plane. For this, we introduce "actuating triggers" over the data plane's existing statistics collection services. These triggers are inserted by control layer applications to both register for asynchronous call backs, and insert conditional flow rules that are only activated when a trigger condition is detected within the data plane's statistics module. We present Avant-Guard, an implementation of our two data plane extensions, evaluate the performance impact, and examine its use for developing more scalable and resilient SDN security services.
  • [Show abstract] [Hide abstract]
    ABSTRACT: Web bots, such as XRumer, Magic Submitter and SENuke, have been widely used by attackers to perform illicit activities, such as massively registering accounts, sending spam, and automating web-based games. Although the technique of CAPTCHA has been widely used to defend against web bots, it requires users to solve some explicit challenges, which is typically interactive and intrusive, resulting in decreased usability. In this paper, we design a novel, non-intrusive moving-target defense system, NOMAD, to complement existing solutions. NOMAD prevents web bots from automating web resource access by randomizing HTML elements while not affecting normal users. Specifically, to prevent web bots uniquely identifying HTML elements for later automation, NOMAD randomizes name/id parameter values of HTML elements in each HTTP form page. We evaluate NOMAD against five powerful state-of-the-art web bots on several popular open source web platforms. According to our evaluation, NOMAD can prevent all these web bots with a relatively low overhead.
    2013 IEEE Conference on Communications and Network Security (CNS); 10/2013
  • [Show abstract] [Hide abstract]
    ABSTRACT: Bots are still a serious threat to Internet security. Although a lot of approaches have been proposed to detect bots at host or network level, they still have shortcomings. Host-level approaches can detect bots with high accuracy. However they usually pose too much overhead on the host. While network-level approaches can detect bots with less overhead, they have problems in detecting bots with encrypted, evasive communication C&C channels. In this paper, we propose EFFORT, a new host-network cooperated detection framework attempting to overcome shortcomings of both approaches while still keeping both advantages, i.e., effectiveness and efficiency. Based on intrinsic characteristics of bots, we propose a multi-module approach to correlate information from different host- and network-level aspects and design a multi-layered architecture to efficiently coordinate modules to perform heavy monitoring only when necessary. We have implemented our proposed system and evaluated on real-world benign and malicious programs running on several diverse real-life office and home machines for several days. The final results show that our system can detect all 17 real-world bots (e.g., Waledac, Storm) with low false positives (0.68%) and with minimal overhead. We believe EFFORT raises a higher bar and this host-network cooperated design represents a timely effort and a right direction in the malware battle.
    Computer Networks 09/2013; 57(13):2628-2642. DOI:10.1016/j.comnet.2013.05.010 · 1.28 Impact Factor
  • Seungwon Shin, Guofei Gu
    [Show abstract] [Hide abstract]
    ABSTRACT: In this paper, for the first time we show a new attack to fin- gerprint SDN networks and further launch efficient resource consumption attacks. This attack demonstrates that SDN brings new security issues that may not be ignored. We provide the first feasibility study of such attack and hope to stimulate further studies in SDN security research.
    Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking; 08/2013
  • Information and Communications Security, Edited by Qing, Sihan and Zhou, Jianying and Liu, Dongmei, 01/2013: pages 213-228; Springer International Publishing., ISBN: 9783319027258
  • [Show abstract] [Hide abstract]
    ABSTRACT: The OpenFlow (OF) switching specification represents an innovative and open standard for enabling the dynamic programming of flow control policies in production networks. Unfortunately, thus far researchers have paid little attention to the development of methods for verifying that dynamic flow policies inserted within an OpenFlow network do not violate the network's underlying security policy. We introduce Flover, a model checking system which verifies that the aggregate of flow policies instantiated within an OpenFlow network does not violate the network's security policy. We have implemented Flover using the Yices SMT solver, which we then integrated into NOX, a popular OpenFlow network controller. Flover provides NOX a formal validation of the OpenFlow network's security posture.
    Communications (ICC), 2013 IEEE International Conference on; 01/2013
  • [Show abstract] [Hide abstract]
    ABSTRACT: Malware often contains many system-resource-sensitive condition checks to avoid any duplicate infection, make sure to obtain required resources, or try to infect only targeted computers, etc. If we are able to extract the system resource constraints from malware code, and manipulate the environment state as vaccines, we would then be able to immunize a computer from infections. Towards this end, this paper provides the first systematic study and presents a prototype system, AUTOVAC, for automatically extracting the system resource constraints from malware code and generating vaccines based on the system resource conditions. Specifically, through monitoring the data propagation from system-resource-related system calls, AUTOVAC automatically identifies the environment related state of a computer. Through analyzing the environment state, AUTOVAC automatically generates vaccines. Such vaccines can be then injected into other computers, thereby being immune from future infections from the same malware or its polymorphic variants. We have evaluated AUTOVAC on a large set of real-world malware samples and successfully extracted working vaccines for many families including high-profile Conficker, Sality and Zeus. We believe AUTOVAC represents an appealing technique to complement existing malware defenses.
    Distributed Computing Systems (ICDCS), 2013 IEEE 33rd International Conference on; 01/2013
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: User interface (UI) interactions are essential to Android applications, as many Activities require UI interactions to be triggered. This kind of UI interactions could also help malicious apps to hide their sensitive behaviors (e.g., sending SMS or getting the user's device ID) from being detected by dynamic analysis tools such as TaintDroid, because simply running the app, but without proper UI interactions, will not lead to the exposure of sensitive behaviors. In this paper we focus on the challenging task of triggering a certain behavior through automated UI interactions. In particular, we propose a hybrid static and dynamic analysis method to reveal UI-based trigger conditions in Android applications. Our method first uses static analysis to extract expected activity switch paths by analyzing both Activity and Function Call Graphs, and then uses dynamic analysis to traverse each UI elements and explore the UI interaction paths towards the sensitive APIs. We implement a prototype system SmartDroid and show that it can automatically and efficiently detect the UI-based trigger conditions required to expose the sensitive behavior of several Android malwares, which otherwise cannot be detected with existing techniques such as TaintDroid.
    Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices; 10/2012
  • [Show abstract] [Hide abstract]
    ABSTRACT: Inspired by the biological vaccines, we explore the possibility of developing similar vaccines for malware immunization. We provide the first systematic study towards this direction and present a prototype system, AGAMI, for automatic generation of vaccines for malware immunization. With a novel use of several dynamic malware analysis techniques, we show that it is possible to extract a lightweight vaccine from current malware, and after injecting such vaccine on clean machines, they can be immune from future infection from the same malware family. We evaluate AGAMI on a large set of real-world malware samples and successfully extract working vaccines for many families such as Conficker and Zeus. We believe it is an appealing complementary technique to existing malware defense solutions.
    Proceedings of the 2012 ACM conference on Computer and communications security; 10/2012
  • [Show abstract] [Hide abstract]
    ABSTRACT: The prevalence of malware in Android marketplaces is a growing and significant problem. Among the most worrisome concerns are with regarding to malicious Android applications that attempt to steal money from unsuspecting users. These malicious applications get uploaded under the guise of benign applications, typically to third-party alternative market places that lack proper security vetting procedures, and are subsequently downloaded and executed by unsuspecting victims. In this work, we propose "Money-Guard", a systematic approach to detect stealthy moneystealing applications in popular Android markets. Our technique relies on detecting two key behavioral heuristics that seem to be common across many money-stealing Android malware: hardcoded exfiltration and notification suppression. In our preliminary analysis of 47 SMS-based money stealing applications, we confirm that 41 of these applications follow the above pattern, and describe a light weight detection approach that will identify this behavioral pattern.
    Proceedings of the 2012 ACM conference on Computer and communications security; 10/2012
  • [Show abstract] [Hide abstract]
    ABSTRACT: We propose a new, active scheme for fast and reliable detection of P2P malware by exploiting the enemies' strength against them. Our new scheme works in two phases: host-level dynamic binary analysis to automatically extract built-in remotely-accessible/controllable mechanisms (referred to as Malware Control Birthmarks or MCB) in P2P malware, followed by network-level informed probing for detection. Our new design demonstrates a novel combination of the strengths from both host-based and network-based approaches. Compared with existing detection solutions, it is fast, reliable, and scalable in its detection scope. Furthermore, it can be applicable to more than just P2P malware, more broadly any malware that opens a service port for network communications (e.g., many Trojans/backdoors). We develop a prototype system, PeerPress, and evaluate it on many representative real-world P2P malware (including Storm, Conficker, and more recent Sality). The results show that it can effectively detect the existence of malware when MCBs are extracted, and the detection occurs in an early stage during which other tools (e.g., BotHunter) typically do not have sufficient information to detect. We further discuss its limitations and implications, and we believe it is a great complement to existing passive detection solutions.
    Proceedings of the 2012 ACM conference on Computer and communications security; 10/2012
  • Chao Yang, Yimin Song, Guofei Gu
    [Show abstract] [Hide abstract]
    ABSTRACT: In this paper, we consider the problem of “evil twin” attacks in wireless local area networks (WLANs). An evil twin is essentially a rogue (phishing) Wi-Fi access point (AP) that looks like a legitimate one (with the same SSID). It is set up by an adversary, who can eavesdrop on wireless communications of users' Internet access. Existing evil twin detection solutions are mostly for wireless network administrators to verify whether a given AP is in an authorized list or not, instead of for a wireless client to detect whether a given AP is authentic or evil. Such administrator-side solutions are limited, expensive, and not available for many scenarios. Thus, a lightweight, effective, and user-side solution is highly desired. In this work, we propose a novel user-side evil twin detection technique that outperforms traditional administrator-side detection methods in several aspects. Unlike previous approaches, our technique does not need a known authorized AP/host list, thus it is suitable for users to identify and avoid evil twins. Our technique does not strictly rely on training data of target wireless networks, nor depend on the types of wireless networks. We propose to exploit fundamental communication structures and properties of such evil twin attacks in wireless networks and to design new active, statistical and anomaly detection algorithms. Our preliminary evaluation in real-world widely deployed 802.11b and 802.11 g wireless networks shows very promising results. We can identify evil twins with a very high detection rate while maintaining a very low false positive rate.
    IEEE Transactions on Information Forensics and Security 10/2012; 7(5):1638-1651. DOI:10.1109/TIFS.2012.2207383 · 2.07 Impact Factor
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Through injecting dynamic script codes into compromised websites, attackers have widely launched search poisoning attacks to achieve their malicious goals, such as spreading spam or scams, distributing malware and launching drive-by download attacks. While most current related work focuses on measuring or detecting specific search poisoning attacks in the crawled dataset, it is also meaningful to design an effective approach to find more compromised websites on the Internet that have been utilized by attackers to launch search poisoning attacks, because those compromised websites essentially become an important component in the search poisoning attack chain. In this paper, we present an active and efficient approach, named PoisonAmplifier, to find compromised websites through tracking down search poisoning attacks. Particularly, starting from a small seed set of known compromised websites that are utilized to launch search poisoning attacks, PoisonAmplifier can recursively find more compromised websites by analyzing poisoned webpages' special terms and links, and exploring compromised web sites' vulnerabilities. Through our 1 month evaluation, PoisonAmplifier can quickly collect around 75K unique compromised websites by starting from 252 verified compromised websites within first 7 days and continue to find 827 new compromised websites on a daily basis thereafter.
    Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses; 09/2012
  • [Show abstract] [Hide abstract]
    ABSTRACT: File carving is the process of reassembling files from disk fragments based on the file content in the absence of file system metadata. By leveraging both file header and footer pairs, traditional file carving mainly focuses on document and image files such as PDF and JPEG. With the vast amount of malware code appearing in the wild daily, recovery of binary executable files becomes an important problem, especially for the case in which malware deletes itself after compromising a computer. However, unlike image files that usually have both a header and footer pair, executable files only have header information, which makes the carving much harder. In this paper, we present Bin-Carver, a first-of-its-kind system to automatically recover executable files with deleted or corrupted metadata. The key idea is to explore the road map information defined in executable file headers and the explicit control flow paths present in the binary code. Our experiment with thousands of binary code files has shown our Bin-Carver to be incredibly accurate, with an identification rate of 96.3% and recovery rate of 93.1% on average when handling file systems ranging from pristine to chaotic and highly fragmented.
    Digital Investigation 08/2012; 9:S108–S117. DOI:10.1016/j.diin.2012.05.014 · 0.99 Impact Factor
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Conficker is the most recent widespread, well-known worm/bot. According to several reports, it has infected about 7 million to 15 million hosts and the victims are still increasing even now. In this paper, we analyze Conficker infections at a large scale, about 25 million victims, and study various interesting aspects about this state-of-the-art malware. By analyzing Conficker, we intend to understand current and new trends in malware propagation, which could be very helpful in predicting future malware trends and providing insights for future malware defense. We observe that Conficker has some very different victim distribution patterns compared to many previous generation worms/botnets, suggesting that new malware spreading models and defense strategies are likely needed. We measure the potential power of Conficker to estimate its effects on the networks/hosts when it performs malicious operations. Furthermore, we intend to determine how well a reputation-based blacklisting approach can perform when faced with new malware threats such as Conficker. We cross-check several DNS blacklists and IP/AS reputation data from Dshield and FIRE and our evaluation shows that unlike a previous study which shows that a blacklist-based approach can detect most bots, these reputation-based approaches did relatively poorly for Conficker. This raises a question of how we can improve and complement existing reputation-based techniques to prepare for future malware defense? Based on this, we look into some insights for defenders. We show that neighborhood watch is a surprisingly effective approach in the case of Conficker. This suggests that security alert sharing/correlation (particularly among neighborhood networks) could be a promising approach and play a more important role for future malware defense.
    IEEE Transactions on Information Forensics and Security 05/2012; 7(2-7):676 - 690. DOI:10.1109/TIFS.2011.2173486 · 2.07 Impact Factor
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: To detect bots, a lot of detection approaches have been proposed at host or network level so far and both approaches have clear advantages and disadvantages. In this paper, we propose EFFORT, a new host-network cooperated detection framework attempting to overcome shortcomings of both approaches while still keeping both advantages, i.e., effectiveness and efficiency. Based on intrinsic characteristics of bots, we propose a multi-module approach to correlate information from different host- and network-level aspects and design a multi-layered architecture to efficiently coordinate modules to perform heavy monitoring only when necessary. We have implemented our proposed system and evaluated on real-world benign and malicious programs running on several diverse real-life office and home machines for several days. The final results show that our system can detect all 15 real-world bots (e.g., Waledac, Storm) with low false positives (0.68%) and with minimal overhead. We believe EFFORT raises a higher bar and this host-network cooperated design represents a timely effort and a right direction in the malware battle.
    Proceedings - IEEE INFOCOM 03/2012; DOI:10.1109/INFCOM.2012.6195713