Feng Cheng

Peking University | PKU · School of Mathematical Sciences

Publications (107)
Chapter
Within today’s organizations, a Security Information and Event Management (SIEM) system is the centralized repository expected to aggregate all security-relevant data. While the primary purpose of SIEM solutions has been regulatory compliance, more and more organizations recognize the value of these systems for threat detection due to their holisti...
Chapter
With more cloud customers storing their data in multiple Cloud Service Providers (CSPs), they are responsible for managing the data in the multi-cloud storage environment, including monitoring the events on the cloud. They could monitor various cloud storage services by collecting, processing, and analyzing the cloud storage log files generated...
Chapter
Nowadays, more cloud customers are utilizing multiple cloud service providers (CSPs) to store their data in the cloud as it provides better data availability and service reliance than storing in the single CSP. However, there are several challenges faced by cloud customers to securely manage their cloud storage resources for cloud end-users (a user...
Article
Efficient change control and configuration management is imperative for addressing the emerging security threats in cloud infrastructure. These threats majorly exploit misconfiguration vulnerabilities e.g. excessive permissions, disabled logging features and publicly accessible cloud storage buckets. Traditional security tools and mechanisms are un...
Preprint
Full-text available
Efficient change control and configuration management is imperative for addressing the emerging security threats in cloud infrastructure. These threats majorly exploit misconfiguration vulnerabilities e.g. excessive permissions, disabled logging features and publicly accessible cloud storage buckets. Traditional security tools and mechanisms...
Article
Full-text available
Most cyber-attacks and data breaches in cloud infrastructure are due to human errors and misconfiguration vulnerabilities. Cloud customer-centric tools are imperative for mitigating these issues; however, existing cloud security models are largely unable to tackle these security challenges. Therefore, novel security mechanisms are imperative, we pro...
Conference Paper
Full-text available
CloudRAID for Business (CfB) is a proof-of-concept enterprise cloud storage broker (ECSB) system that provides data security in the cloud. It applies a single-authority ciphertext-based policy attribute-based encryption (CP-ABE) scheme into its key management system (KMS) to solve its scalability and access control issues for multi-users and multi-...
Conference Paper
In this paper, we formulate threat detection in SIEM environments as a large-scale graph inference problem. We introduce a SIEM-based knowledge graph which models global associations among entities observed in proxy and DNS logs, enriched with related open source intelligence (OSINT) and cyber threat intelligence (CTI). Next, we propose MalRank, a...
Chapter
Password-based authentication remains the main method of user authentication in computer systems. In the case of a leak of the user database, the obfuscated storage of passwords is the last remaining protection of credentials. The strength of a password determines how hard it is to crack a password hash for uncovering the plain text password. Internet...
Preprint
Full-text available
CloudRAID for Business (CfB) is a proof-of-concept enterprise cloud storage broker (ECSB) service that provides data security in the cloud. It applies a single-authority ciphertext-based policy attribute-based encryption (CP-ABE) scheme into its key management system (KMS) to solve its scalability and access control issues for multiuser and multi-dev...
Conference Paper
Full-text available
Cyber-attacks against cloud storage infrastructure e.g. Amazon S3 and Google Cloud Storage, have increased in recent years. One reason for this development is the rising adoption of cloud storage for various purposes. Robust countermeasures are therefore required to tackle these attacks especially as traditional techniques are not appropriate for t...
Conference Paper
Full-text available
The majority of security breaches in cloud infrastructure in recent years are caused by human errors and misconfigured resources. Novel security models are imperative to overcome these issues. Such models must be customer-centric, continuous, not focused on traditional security paradigms like intrusion detection and adopt proactive techniques. Thus...
Conference Paper
The emergence of the Internet allows the enterprise to implement a telework policy in order for employees to work and access company files anytime, anywhere. But it raises the challenge for the enterprise to enforce physical access control on the enterprise’s files for employees outside the enterprise network. One of the solutions for the enterprise...
Conference Paper
Full-text available
Cloud Storage Brokers (CSB) provide seamless and concurrent access to multiple Cloud Storage Services (CSS) while abstracting cloud complexities from end-users. However, this multi-cloud strategy faces several security challenges including enlarged attack surfaces, malicious insider threats, security complexities due to integration of disparate com...
Conference Paper
Full-text available
Microservice Architectures (MSA) structure applications as a collection of loosely coupled services that implement business capabilities. The key advantages of MSA include inherent support for continuous deployment of large complex applications, agility and enhanced productivity. However, studies indicate that most MSA are homogeneous, and introduc...
Conference Paper
The analysis of security-related event logs is an important step for the investigation of cyber-attacks. It allows tracing malicious activities and lets a security operator find out what has happened. However, since IT landscapes are growing in size and diversity, the amount of events and their highly different representations are becoming a Big Da...
Chapter
The security challenges of container technologies such as Docker and Kubernetes are key issues in software development and other industries. This has increased interest in application container counter-measures e.g. detection and mitigation of the high number of vulnerabilities affecting container images, in particular images retained at DockerHub....
Preprint
Full-text available
Microservice Architectures (MSA) structure applications as a collection of loosely coupled services that implement business capabilities. A key advantage of MSA is inherent support for continuous deployment of large complex applications. However, studies indicate that homogeneous MSA are vulnerable to code reuse attacks, and as such serve as an ec...
Conference Paper
Full-text available
The security challenges of container technologies such as Docker and Kubernetes are key issues in software development and other industries. Hence, there is increasing interest in measures to counter the high number of vulnerabilities affecting container images, in particular images retained at DockerHub. However, investigations on application laye...
Article
Full-text available
The relevance of identity data leaks on the Internet is more present than ever. Almost every week we read about leakage of databases with more than a million users in the news. Smaller but not less dangerous leaks happen even multiple times a day. The public availability of such leaked data is a major threat to the victims, but also creates the opp...
Conference Paper
Full-text available
Cloud storage brokerage is an abstraction aimed at providing value-added services. However, Cloud Service Brokers are challenged by several security issues including enlarged attack surfaces due to integration of disparate components and API interoperability issues. Therefore, appropriate security risk assessment methods are required to identify an...
Conference Paper
With the increasing demand for personal and enterprise data storage service, Cloud Storage Broker (CSB) provides cloud storage service using multiple Cloud Service Providers (CSPs) with guaranteed Quality of Service (QoS), such as data availability and security. However, monitoring cloud storage usage in multiple CSPs has become a challenge for CSB...
Conference Paper
Full-text available
Cloud storage brokerage systems abstract cloud storage complexities by mediating technical and business relationships between cloud stakeholders, while providing value-added services. This however raises security challenges pertaining to the integration of disparate components with sometimes conflicting security policies and architectural complexit...
Conference Paper
Adversaries use increasingly complex and sophisticated tactics, techniques and procedures to compromise single computer systems and complete IT environments. Most of the standard detection and prevention systems are not able to provide a decent level of protection against sophisticated attacks, because adversaries are able to bypass various detecti...
Conference Paper
The identification of vulnerabilities relies on detailed information about the target infrastructure. The gathering of the necessary information is a crucial step that requires intensive scanning or mature expertise and knowledge about the system, even though the information was already available in a different context. In this paper we propose a...
Article
After almost two decades of development, modern Security Information and Event Management (SIEM) systems still face issues with normalisation of heterogeneous data sources, high number of false positive alerts and long analysis times, especially in large-scale networks with high volumes of security events. In this paper, we present our own prototyp...
Conference Paper
An increasing number of attacks use advanced tactics, techniques and methods to compromise target systems and environments. Such multi-step attacks are often able to bypass existing prevention and detection systems, such as Intrusion Detection Systems (IDSs), firewalls and anti-virus solutions. These security systems either use an anomaly-based or...
Conference Paper
Full-text available
Nowadays, identity breaches are happening almost on a daily basis. Just recently, hundreds of millions of identities were leaked from services like LinkedIn, MySpace and VKontakte. Undoubtedly, these breaches constitute a major threat because victims might fall prey to identity theft. As part of our warning service for victims of these breaches, we have...
Conference Paper
The relevance of identity data leaks on the Internet is more present than ever. Almost every month we read about leakage of databases with more than a million users in the news. Smaller but not less dangerous leaks happen even multiple times a day. The public availability of such leaked data is a major threat to the victims, but also creates the op...
Conference Paper
Nowadays, attacks against single computer systems or whole infrastructures pose a significant risk. Although deployed security systems are often able to prevent and detect standard attacks in a reliable way, it is not uncommon that more sophisticated attackers are capable of bypassing these systems and staying undetected. To support the prevention and de...
Article
Modern security information and event management systems should be capable of storing and processing a high volume of events or log messages in different formats and from different sources. This requirement often prevents such systems from using computationally heavy algorithms for security analysis. To deal with this issue, we built our system based on...
Conference Paper
Nowadays, we have a lot of data produced by social media services, and more and more often these data contain information about a location, which gives us a wide range of possibilities to analyze them, since we can be interested not only in the content, but also in the location where this content was produced. For good analysis of geo-spatial data, w...
Article
Network Topology Discovery and Inventory Listing are two of the primary features of modern network monitoring systems (NMS). Current NMSs rely heavily on active scanning techniques for discovering and mapping network information. Although this approach works, it introduces some major drawbacks such as the performance impact it can exact, especially...
Conference Paper
For testing new methods of network security or new algorithms of security analytics, we need experimental environments as well as testing data which are as similar as possible to real-world data. Therefore, researchers are always trying to find the best approaches and recommendations for creating and simulating testbeds, because th...
Conference Paper
The detection of vulnerabilities in computer systems and computer networks as well as the representation of the results are crucial problems. The presented method tackles the problem with an automated detection and an intuitive representation. For detecting vulnerabilities the approach uses a logical representation of preconditions and postcond...
Conference Paper
The detection of vulnerabilities in computer systems and computer networks as well as the weakness analysis are crucial problems. The presented method tackles the problem with an automated detection. For identifying vulnerabilities the approach uses a logical representation of preconditions and postconditions of vulnerabilities. The conditional str...
Conference Paper
An important technique for attack detection in complex company networks is the analysis of log data from various network components. As networks are growing, the number of produced log events increases dramatically, sometimes even to multiple billion events per day. The analysis of such big data highly relies on a full normalization of the log data...
Conference Paper
Modern Security Information and Event Management systems should be capable of storing and processing a high volume of events or log messages in different formats and from different sources. This requirement often prevents such systems from using computationally heavy algorithms for security analysis. To deal with this issue, we built our system based on...
Conference Paper
Nowadays, malicious user behaviour that does not trigger an access violation or a data leak alert is difficult to detect. Using stolen login credentials, an intruder conducting espionage will first try to stay undetected: silently collect data from the company network and use only resources he is authorised to access. To deal with such cases, a P...
Conference Paper
Modern machine learning techniques have been applied to many aspects of network analytics in order to discover patterns that can clarify or better demonstrate the behavior of users and systems within a given network. Often the information to be processed has to be converted to a different type in order for machine learning algorithms to be able to...
Conference Paper
As computer networks grow in size and complexity, monitoring them becomes more challenging. In order to meet the needs of IT administrators maintaining such networks, various Network Monitoring Systems (NMS) have been developed. Most NMSs rely solely on active scanning techniques in order to detect the topology of the networks they monitor. We prop...
Conference Paper
The amount of identity data leaks in recent times is drastically increasing. Not only smaller web services, but also established technology companies are affected. However, it is not commonly known that incidents covered by media are just the tip of the iceberg. Accordingly, more detailed investigation of not just publicly accessible parts of the...
Conference Paper
Understanding events produced by IT systems is a vital part of effectively managing and maintaining medium and large sized computer networks. As a result, Security Information and Management (SIEM) systems have become an indispensable part of modern networks. One of the main challenges facing SIEM systems is the ability to parse and extract relevan...
Article
Full-text available
Invited paper. Preliminary version of this paper appears as "Hierarchical Object Log Format for Normalisation of Security Events" in Proceedings of the 9th International Conference on Information Assurance and Security (IAS 2013). The differences in log file formats employed in a variety of services and applications remain to be a problem for secu...
Conference Paper
Internet scalability depends on the scalability of its core routing protocol, the Border Gateway Protocol (BGP). However, the dynamics of BGP still conceal many unanswered questions. Most of these questions are related to BGP update messages: root cause of update spikes, correlation between update spikes in the different parts of the Internet and influence of...
Conference Paper
The differences in log file formats employed in a variety of services and applications remain to be a problem for security analysts and developers of intrusion detection systems. The proposed solution, i.e. the usage of common log formats, has a limited utilization within existing solutions for security management. In our paper, we reveal the reaso...
Conference Paper
Looking at current IDS and SIEM systems, we observe heavy processing power dedicated solely to answering a simple question: "What is the format of the log line that the IDS (or SIEM) system should process next?" Due to the apparent difficulties of uniquely identifying a log line at run-time, most systems today do little or no normalisation of the eve...
Conference Paper
Such information as system and application logs as well as the output from the deployed security measures, e.g., IDS alerts, firewall logs, scanning reports, etc., is important for administrators or security operators to become aware as early as possible of the running state of the system and take action if necessary. In this context, high performance se...
Conference Paper
The current state of affairs regarding the way events are logged by IT systems is the source of many problems for the developers of Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) systems. These problems stand in the way of the development of more accurate security solutions that draw their results from the da...
Conference Paper
A huge amount of information about real-time events is being generated every second in a running IT infrastructure and recorded by system logs, application logs, as well as the output from the deployed security or management methods, e.g., IDS alerts, firewall logs, scanning reports, etc. To rapidly gather, process, correlate, and analyze t...
Article
Intrusion Detection Systems (IDS) have been widely deployed in practice for detecting malicious behavior on network communication and hosts. False-positive alerts are a common problem for most IDS approaches. The solution to address this problem is to enhance the detection process by correlation and clustering of alerts. To meet the practical requ...
Article
Intrusion Detection Systems are widely deployed in computer networks. As modern attacks are getting more sophisticated and the number of sensors and network nodes grow, the problem of false positives and alert analysis becomes more difficult to solve. Alert correlation was proposed to analyse alerts and to decrease false positives. Knowledge about...
Article
Full-text available
Cryptographically Generated Address (CGA) is one of the most novel security features introduced in the IPv6 suite. CGA is designed to prevent address theft without relying on a trusted authority or additional security infrastructures. However, CGA is relatively computationally intensive and bandwidth consuming. Besides, it has some security limitations....
Conference Paper
Scanning is essential for gathering information about the actual state of computer systems or networks. Therefore, it is always taken as the first step of potential attacks against targets. In certain cases, scanning itself is categorized as an attack. Scanning can on the other hand be used for the right purposes, for example, checking the system c...
Conference Paper
Modern attacks are using sophisticated and innovative techniques. The utilization of cryptography, self-modified code, and integrated attack frameworks provide more possibilities to circumvent most existing perimeter security approaches, such as firewalls and IDS. Even Application Layer Gateways (ALG) which enforce the most restrictive network acce...
Article
In response to the emerging deployment of IPv6 on network devices, this paper proposes the integration of IPv6 on Lock-Keeper, an implementation of a high level security system for preventing online attacks. It is designed to permit the secure data exchange over physically separated networks in an IPv4-based environment. A new intercommunication mo...
Conference Paper
Intrusion Detection Systems (IDS) are widely deployed in computer networks. As modern attacks are getting more sophisticated and the number of sensors and network nodes grows, the problem of false positives and alert analysis becomes more difficult to solve. Alert correlation was proposed to analyze alerts and to decrease false positives. Knowledge...
Conference Paper
Intrusion Detection Systems (IDS) have been widely deployed in practice for detecting malicious behavior on network communication and hosts. The problem of false-positive alerts is a common existing problem for most IDS approaches. The solution to address this problem is correlation and clustering of alerts. To meet the practical requirements,...
Article
Intrusion Detection Systems (IDS) have been used widely to detect malicious behavior in network communication and hosts. IDS management is an important capability for distributed IDS solutions, which makes it possible to integrate and handle different types of sensors or collect and synthesize alerts generated from multiple hosts located in the dis...
Conference Paper
Secured communication has been widely deployed to guarantee confidentiality and integrity of connections over untrusted networks, e.g., the Internet. Although secure connections are designed to prevent attacks on the connection, they hide attacks inside the channel from being analyzed by Intrusion Detection Systems (IDS). Furthermore, secure connec...