DETECTION METHOD FOR LINUX PLATFORM MALWARE
    Invention application

    Publication number: US20180082064A1

    Publication date: 2018-03-22

    Application number: US15645767

    Application date: 2017-07-10

    Abstract: A method of detecting malware on the Linux platform through the following steps: use the objdump -D command to disassemble ELF-format benign software and malware samples to generate assembly files; traverse the generated assembly files one by one, read each ELF file's code segment and meanwhile identify whether the code segment contains a main() function; analyze the code segment read and divide the assembly code into basic blocks, each basic block being marked by its lowest address; add the control flow graph's vertices to the adjacency linked list; establish the relations between basic blocks, add the control flow graph's edges to the adjacency linked list and generate a basic control flow graph; extract the control flow graph's features and write them into ARFF files; take the ARFF files as the data set of the machine learning tool weka to carry out data mining and construct a classifier; classify the ELF samples to be tested by using the classifier.

    KIND OF CONGESTION IMPROVEMENT METHOD BASED ON THE QUIC PROTOCOL

    Publication number: US20170353386A1

    Publication date: 2017-12-07

    Application number: US15602703

    Application date: 2017-05-23

    CPC classification number: H04L47/12 H04L43/0864 H04L47/27

    Abstract: A kind of congestion improvement method based on the QUIC protocol adds round trip delay information to the congestion algorithm: it adaptively changes the value of α to judge the current network situation by comparing the previous RTT with the current RTT, then adjusts the current target window value in accordance with the current network situation, changing the congestion window along the cubic growth curve of the cubic algorithm. This improvement method lets the QUIC protocol judge the current network situation more timely and accurately and lets the congestion window change quickly to fully utilize the bandwidth. The QUIC protocol has a maximum congestion window limitation of 200, which the congestion window will not exceed no matter how it grows. Such a limitation largely reduces the throughput rate of the QUIC protocol in network environments with high bandwidth and long round trip delay.

    KIND OF SELF-ADAPTIVE NETWORK CONGESTION CONTROL METHOD BASED ON SCPS-TP

    Publication number: US20170346750A1

    Publication date: 2017-11-30

    Application number: US15602433

    Application date: 2017-05-23

    CPC classification number: H04L47/27 H04L1/0019 H04L1/1607 H04L1/1825 H04L47/12

    Abstract: A kind of self-adaptive network congestion control method based on SCPS-TP, which includes the following steps: the SCPS-TP gateway source end receives packets and transmits them to the destination end; judge, from the analyzed ACK, whether a new packet has been received; if no new packet has been received, change the window size's growth pattern to the linear self-adaptive pattern once the duplicate ACK counter increases to a certain value; if a new packet has been received, congestion control stays in the exponential growth pattern, and after the window is enlarged, if Diff is bigger than the set threshold value, the congestion control method is changed to the linear self-adaptive pattern; if congestion control is in the linear self-adaptive pattern, adjust the window size in accordance with Diff; the SCPS-TP gateway source end sends the packets in the packet loss buffer to the destination end and sends new packets in accordance with the size of the congestion window.

    KIND OF MALICIOUS SOFTWARE CLUSTERING METHOD EXPRESSED BASED ON TLSH FEATURE

    Publication number: US20180121652A1

    Publication date: 2018-05-03

    Application number: US15645548

    Application date: 2017-07-10

    CPC classification number: G06F21/566 G06F21/56 G06F21/567 G06F2221/033

    Abstract: A kind of malicious software clustering method expressed based on TLSH features, which belongs to the field of malicious software analysis and testing. Cuckoo Sandbox is used to analyze malicious software and acquire three kinds of character string features: the static features of the software, the resource access records during operation, and the APIs. The character strings are then disassembled, filtered and sorted, and the TLSH algorithm is used to compress them into three groups of feature values, each 70 characters in size. Finally, the OPTICS algorithm is used to classify the malicious software into families automatically. The invention adopts an unsupervised learning method, so no manual labeling is needed for training in advance. The extracted features are compressed and expressed using TLSH, so that without losing features, the data dimension is largely lowered and the clustering speed is improved.

    KIND OF TRANSMISSION METHOD BASED ON THE NETWORK LEARNABLE POWER MODEL

    Publication number: US20180013683A1

    Publication date: 2018-01-11

    Application number: US15602471

    Application date: 2017-05-23

    CPC classification number: H04L47/27 H04L41/145 H04L43/0864 H04L43/0888

    Abstract: A kind of transmission method based on the learnable power model, which periodically records the historical change trend of the network. This method applies weighted smoothing to the round trip time and judges the changing trend of the congestion control window. It then establishes a model of the relationship between the network power and the congestion control window. When a new ACK is received, it immediately updates the window of the power model. Finally, it forecasts the size of the congestion control window for the next time period by combining the congestion window with the changing trend of the network power. For network packet loss or time-out events, the retransmission mechanism of traditional TCP is used, and when the packet loss ends, the power model process is used again. This invention reduces the influence of random network events on the estimation error of the traditional algorithm.
