Publications

Journal Articles


DawnGNN: Documentation augmented Windows malware detection using graph neural network

Published in Computers & Security, 2024

We introduce DawnGNN, a novel Windows malware detection framework leveraging official API documentation and graph neural networks. It converts API sequences into graphs, encodes API descriptions using BERT, and employs a Graph Attention Network for detection. Tested on three datasets, DawnGNN demonstrates enhanced detection capabilities, showcasing the value of API documentation in malware analysis.

Recommended citation: Pengbin Feng, Le Gai, Li Yang, Qin Wang, Teng Li, Ning Xi, Jianfeng Ma. " DawnGNN: Documentation augmented Windows malware detection using graph neural network." Computers & Security. 2024: 103788.
Download Paper

Conference Papers


TED: Abusing Tunnel Hosts and IPv6 Extension Headers for Pulsing DoS Attacks

Published in USENIX Security 2026, 2026

IP tunneling mechanisms are widely deployed to facilitate the Internet’s transition from IPv4 to IPv6, yet their security implications remain insufficiently scrutinized. In this paper, we present TED, a novel pulsing denial-of-service attack that exploits structural vulnerabilities in IP tunneling and IPv6 Extension Headers (EHs) processing. Unlike prior amplification attacks that depend on application-layer services, TED operates entirely at the network layer, requiring no victim interaction, prolonged traffic accumulation, or protocol-specific dependencies. Delay lines are constructed by TED through nested EHs, capitalizing on the tunnel hosts’ blind forwarding logic and lack of deep packet inspection. These artificial delay lines allow attackers to solve the send-time schedule problem, converging asynchronous, low-rate traffic into a destructive, high-magnitude pulse at the victim. Our Internet-wide measurement identified over 1.9 million vulnerable tunnel hosts acting as unwitting relays, including hosts within critical satellite infrastructure. Evaluation results demonstrate that TED achieves an effective amplification factor exceeding 180×× while successfully evading existing low-rate and pulsing attack detection mechanisms based on specific application layer protocols. We discuss the root causes of these transitional vulnerabilities and possible mitigation strategies for network operators and equipment vendors.

Recommended citation: Le Gai, Zedong Jia, Lin He, Daguo Cheng, Chentian Wei, Ying Liu. "TED: Abusing Tunnel Hosts and IPv6 Extension Headers for Pulsing DoS Attacks." USENIX Security 2026.

Divide, Predict, Conquer: Adaptive Internet-wide Service Discovery with Limited Seeds

Published in INFOCOM 2026, 2025

To address the challenge of severe reliance on massive prior knowledge (seeds) and low efficiency in Internet-wide service discovery, this project proposes SPADE, an efficient prediction and discovery method featuring adaptivity and divide-and-conquer. This method first acquires a limited number of high-value seeds from target hosts through a multi-level adaptive sampling strategy. Subsequently, drawing on data mining concepts, it progressively extracts two-layer service deployment features using a divide-and-conquer strategy and executes multi-layer predictions in stages. Experiments show that SPADE achieves over 94% Top-1 hit rate and coverage while consuming only 0.15%-1% of the seed volume required by existing state-of-the-art methods. Furthermore, the method accelerates the discovery speed by 219 to 805 times, completing an Internet-wide prediction covering hundreds of millions of hosts within 7 minutes.

Recommended citation: Daguo Cheng, Zedong Jia, Ying Liu, Lin He, Le Gai, et al. "Divide, Predict, Conquer: Adaptive Internet-wide Service Discovery with Limited Seeds." INFOCOM 2026.

Fast Calculation of National Commercial Cryptographic Algorithm Based on RISC-V Processing Core

Published in ChinaSoft 2024, 2024

The project implements and optimizes the national cryptographic algorithms on a domestic RISC-V platform, achieving both software and hardware acceleration. It optimizes the critical computational steps of bilinear pairing and elliptic curves at the instruction level, designs cryptographic processing units for point multiplication and modular exponentiation respectively, and ultimately accelerates the computation of the national cryptographic algorithms.

Recommended citation: Ning Zhang, Le Gai, Pengbin Feng. "Fast Calculation of National Commercial Cryptographic Algorithm Based on RISC-V Processing Core." ChinaSoft 2024.