You are here


Group: Security

Network Security and Forensics

This project focuses on the state-of-the-art theory, techniques and prototypes in the area of network security and forensics. Our vision is to tightly collaborate to solve advanced security issues and achieve efficient and robust security management. Network attacks generally leave traces, called attack symptoms, as a result of the progresses of attacks. In this project, we propose an architecture to infer attack symptoms from on-line packet streams and study active intrusive characteristic profiling for predicting unknown attacks. We also work on smart data reduction to support scalable network forensics in order to back track attack origin accurately and reconstruct detailed attack procedure. Further, we are also interested in security issues in web mashup environment, time series spectrum analysis, and also in the virtualized environments.


  • Runtime Execution Introspection for Security Protection in Virtualized Cloud. (Sept. 2015 ~ Aug. 2017)
    • Design and implement a hardware-assisted virtual machine introspection (VMI) based profiling system in QEMU/KVM virtualization environment that can perform runtime execution introspection of a target (malware) process in a VM. (Link)
  • Real-time Continuous Security Protection System for Security Isolation Man-agement in Virtualized Cloud. (Jan. 2014 ~ Dec. 2016)
    • Propose a real-time continuous security protection system in Cloud, which can monitor, inspect and analyze the operation of a VM or a guest process in real-time by Windows API hooking. We applied different sequence analysis method and similarity analysis method to analysis the behavior patterns in the malware profiles. (Link)
  • Malware Profiling and Anomaly Detection for Mobile Cyber-Physical System. (Jan. 2012 ~ Dec. 2015)
    • Develop a monitoring system for inspecting Android Apps by hacking An-droid Dalvik VM and traversing Android memory to obtain the runtime in-formation of an App. Sequence and similarity analysis are applied on the malware profiles for Android malware family classification. (Link)
  • Combing Dynamic Passive Analysis and Active Fingerprinting for Effective Bot Malware Detection in Virtualized Environments. (Jan. 2010 ~ Dec. 2013) (Link)
    • Propose a profiling system that leverages the virtualization technology to perform dynamic analysis to introspect and analyze the target malware. It can perform active fingerprinting to identify malware by finding specific behavior pattern in the populated behavior profiles.
  • A Security Proxy-Based Cross-Domain Communication for Web Mashups. (Jan. 2008 ~ Dec. 2010) (Link)
    • Propose a secure cross-domain communication mechanism that supports fi-ne-grained access control of web elements that belong to different sources in a web mashup to guarantee the confidentiality, integrity, and authenticity.
  • Service Behavior Profiling and Probabilistic Inference for Network Anomaly Detection. (Jun. 2006 ~ Jun. 2009) (Link)
    • Propose a novel method to model a complex network attack activity jointly at three levels: transport layer protocol, network service, and attack symptom. The state of each level is monitored by finite state machine, and the signifi-cant states are analyzed by Principal Component Analysis. Adopt Markov process to build a probabilistic inference model to compute the belief score of on-going attacks, based on the current observed attack symptoms. It ensures a certain level of confidence in the attack assessment, and significantly reduces the false positives.
  • Slow-Paced Persistent Network Attacks Analysis and Detection Using Spectrum Analysis. (Jun. 2006 ~ Jun. 2009) (Link)
    • Botnet exhibits long-term, slow-paced and persistent communication patterns hidden in the large amount of network traffic. I propose a detection model by transforming time series data to frequency domain to identify such patterns.
  • A Scalable Network Forensics Mechanism for Stealthy Self-Propagating Attacks. (Jun. 2006 ~ Jun. 2009) (Link)
    • We notice a problem and feasibility of back tracking the origin of a self-propagating stealthy attack when given a network traffic trace for a sufficiently long period of time. We propose a network forensics mechanism that is scalable in computation time and space while maintaining high accuracy in attack origin identification. We develop a data reduction method to filter out attack irrelevant data and only retain evidence relevant to potential attacks for post-mortem investigation. With real-world trace, we can trim down up to 97% attack-irrelevant network traffic and successfully identify attack origin.
  • Design and Implementation of the Specification Language, Compiler and Engine for Stateful Content-based Processing in SoC Environment. (Aug. 2004 ~ July. 2006) (Link)
    • Design and implement a stateful content-based packet classification system, SConPaC, which could inspect packet content, maintain and track protocol state for deep analysis with 300+ Mbps throughput with SoC.



  • Shun-Wen Hsiao, Yeali. S. Sun, and Meng Chang Chen, “Behavior Grouping of Android Malware Family,” in Proc. IEEE International Conference on Communications (ICC), May 2016. (EI)
  • Li-Ming Chen, Shun-Wen Hsiao, Meng Chang Chen, and Wanjiun Liao, “Slow-Paced Persistent Network Attacks Analysis and Detection Using Spectrum Analysis,” IEEE Systems Journal, issue 99, pp. 1-12, Sept. 2014. (SCI, IF: 1.980)
  • Shun-Wen Hsiao, Yeali S. Sun, and Meng Chang Chen, “A Security Proxy-Based Cross-Domain Communication for Web Mashups,” Journal of Web Engineering, vol. 12, no.3-4, pp. 291-316, Jul. 2013. (SCI, IF: 0.361)
  • Shun-Wen Hsiao, Yi-Ning Chen, Yeali S. Sun, and Meng Chang Chen, “A Cooperative Botnet Profiling and Detection in Virtualized Environment,” in Proc. IEEE Conference on Communications and Network Security (IEEE CNS 2013), Washington, D.C., Oct. 2013. (EI)
  • Shun-Wen Hsiao, Yi-Ning Chen, Yeali S. Sun, and Meng Chang Chen, “Combining Dynamic Passive Analysis and Active Fingerprinting for Effective Bot Malware Detection in Virtualized Environments,” in Proc. 7th International Conference on Network and System Security (NSS 2013), Madrid, Spain, Jun. 2013, LNCS vol. 7873, pp. 699-706. (EI)
  • Shun-Wen Hsiao, Yeali S. Sun, Fu-Chi Ao, and Meng Chang Chen, “A Secure Proxy-Based Cross-Domain Communication for Web Mashups,” in Proc. 2011 IEEE 9th European Conference on Web Services (ECOWS), Lugano, Switzerland, Sep. 2011, pp. 57-64. (EI)
  • Shun-Wen Hsiao, Yeali S. Sun, Meng Chang Chen, and Hui Zhang, “Behavior Profiling for Robust Anomaly Detection,” in Proc. 2010 IEEE International Conference on Wireless Communications, Networking and Information Security (WCNIS), Beijing, China, Jun. 2010, pp. 465-471. (EI)
  • Shun-Wen Hsiao, Yeali S. Sun, Meng Chang Chen, and Hui Zhang, “Cross-Level Behavioral Analysis for Robust Early Intrusion Detection,” in Proc. IEEE International Conference on Intelligence and Security Informatics (ISI), Vancouver, Canada, May 2010, pp. 95-100. (EI)
  • Li-Ming Chen, Meng Chang Chen, Yeali S. Sun, Shun-Wen Hsiao, Vyas Sekar, Hui Zhang, “Scalable Long-term Network Forensics for Epidemic Attacks,” in Proc. International Conference on Network and Service Security (N2S ‘09), Paris, France, Jun. 2009, pp. 1-6. (EI)
  • Yuan-Chieh Lin, Shun-Wen Hsiao, Li-Ping Tung, Yeali S. Sun, and Meng Chang Chen, “A Distributed Channel Access Scheduling Scheme with Clean-Air Spatial Reuse for Wireless Mesh Networks,” in Proc. IFIP Networking, Singapore, May 2008, pp. 856-864. (EI)
  • 蕭舜文、孫雅麗、陳孟彰(2015)。虛擬化環境之殭屍網路惡意程式行為側寫與偵測。前瞻科技與管理
  • 蕭舜文、孫雅麗、陳孟彰(2014)。虛擬化環境之殭屍網路惡意程式行為側寫與偵測。中華安全科技與管理學會雲端技術與安全管理學術研討會,中壢,台灣。
  • 蕭舜文、孫雅麗、潘育群、王乾隆(2010)。資安網站平台的安全認證登入機制。TANET 2010 臺灣網際網路研討會,台南,台灣。(入圍最佳論文)
  • 蕭舜文、孫雅麗、潘育群、王乾隆(2010)。資安事件通報平台資料交換格式設計。TANET 2010 臺灣網際網路研討會,台南,台灣。

Useful Tools:


Last Update: December 2015

Copyright 2013 © Advanced Networking Technologies and Services Group, ALL RIGHT RESERVED.