
Contents of this issue

    15 December 2020, Volume 6 Issue 6
    Special Column: Network Application and Protection Technology
    Survey on anomaly detection technology based on logs
    Yingjun ZHANG,Ushangqi LI,Mu YANG,Haixia ZHANG,Kezhen HUANG
    2020, 6(6):  1-12.  doi:10.11959/j.issn.2096-109x.2020072

    Log data has become an important information resource during the rapid development of information systems. By analyzing logs, anomaly detection, fault diagnosis and performance diagnosis can be performed. This survey focuses on log-based anomaly detection. It first introduces the log-based anomaly detection framework currently in use, then concentrates on the key stages, such as log analysis and log anomaly detection, and finally summarizes the state of the art and suggests directions for future research.
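    The two stages named above, log analysis (parsing raw lines into event templates) and anomaly detection over the parsed events, as an added Python example that is not part of the paper. The log lines are constructed, and the detector is deliberately simple (fixed-size event windows and per-template count ranges learned from a normal period); production frameworks use more robust parsers and models, but the pipeline shape is the same.

```python
import re
from collections import Counter

# Constructed log lines standing in for a period of normal operation.
# They are not taken from the paper or from any real system.
TRAINING_LOGS = [
    "2020-12-15 10:00:01 INFO session 4711 opened for user alice from 10.0.0.5",
    "2020-12-15 10:00:02 INFO block blk_1001 received from 10.0.0.5 size 65536",
    "2020-12-15 10:00:03 INFO block blk_1001 replicated to 10.0.0.7",
    "2020-12-15 10:00:04 INFO session 4711 closed for user alice",
    "2020-12-15 10:00:05 INFO session 4712 opened for user bob from 10.0.0.9",
    "2020-12-15 10:00:06 INFO block blk_1002 received from 10.0.0.9 size 65536",
    "2020-12-15 10:00:07 INFO block blk_1002 replicated to 10.0.0.7",
    "2020-12-15 10:00:08 INFO session 4712 closed for user bob",
]

# Constructed test window: sessions opened but never closed, a block that is
# never replicated, and a message type the training period never produced.
TEST_LOGS = [
    "2020-12-15 11:00:01 INFO session 4801 opened for user mallory from 10.0.0.66",
    "2020-12-15 11:00:02 INFO block blk_2001 received from 10.0.0.66 size 65536",
    "2020-12-15 11:00:03 INFO session 4802 opened for user mallory from 10.0.0.66",
    "2020-12-15 11:00:04 ERROR block blk_2001 checksum mismatch from 10.0.0.66",
]

LINE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (?P<level>[A-Z]+) (?P<msg>.*)$")

# Parameter patterns, applied in this order so that an IP address is abstracted
# as a whole before its octets are seen as plain numbers.
PARAM_PATTERNS = [
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<IP>"),
    (re.compile(r"\bblk_\d+\b"), "<BLK>"),
    (re.compile(r"\b\d+\b"), "<NUM>"),
    (re.compile(r"(?<=\buser )\S+"), "<USER>"),
]


def to_template(line):
    """Log parsing step: drop the timestamp and replace the variable parts with
    placeholders so that lines of the same event type map to one template."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("unparsable log line: " + line)
    msg = m.group("msg")
    for pattern, placeholder in PARAM_PATTERNS:
        msg = pattern.sub(placeholder, msg)
    return m.group("level") + " " + msg


def event_count_windows(lines, size):
    """Group consecutive parsed events into fixed-size windows and count the
    occurrences of each template in every window."""
    templates = [to_template(line) for line in lines]
    return [Counter(templates[i:i + size]) for i in range(0, len(templates), size)]


def fit(training_lines, size=4):
    """Learn, for every template, the range of per-window counts seen during
    normal operation. Returns {template: (min_count, max_count)}."""
    windows = event_count_windows(training_lines, size)
    templates = set().union(*windows)
    return {t: (min(w.get(t, 0) for w in windows), max(w.get(t, 0) for w in windows))
            for t in templates}


def detect(model, lines, size=4):
    """Anomaly detection step: flag a window if it contains an event type never
    seen in training, or if a known event's count leaves its training range."""
    findings = []
    for index, window in enumerate(event_count_windows(lines, size)):
        reasons = [f"unseen event type: {t}" for t in sorted(window) if t not in model]
        for template, (lo, hi) in sorted(model.items()):
            count = window.get(template, 0)
            if count < lo or count > hi:
                reasons.append(f"count {count} of '{template}' outside training range [{lo}, {hi}]")
        if reasons:
            findings.append((index, reasons))
    return findings


if __name__ == "__main__":
    model = fit(TRAINING_LOGS)
    for index, reasons in detect(model, TEST_LOGS):
        print(f"window {index} anomalous:")
        for reason in reasons:
            print("  -", reason)
```

    On the constructed test window the detector reports four reasons: an unseen ERROR template, two session openings where training saw one, and zero replication and session-close events where training saw one of each. The parsing step is where most real-world errors hide: a placeholder pattern that is too narrow splits one event type into many templates, one that is too broad merges distinct events, and both silently change what the detector learns.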

    Method of diversity software protection based on fusion compilation
    Xiaobing XIONG,Hui SHU,Fei KANG
    2020, 6(6):  13-24.  doi:10.11959/j.issn.2096-109x.2020075

    Existing common protection methods have obvious characteristics and a single mode. To address this, a diversity software protection method based on fusion compilation, built on the LLVM framework, was proposed. In the proposed method, the target software is randomly encrypted and deeply fused with bunker code at the compilation level; the encrypted target software is then decrypted by memory-execution technology and run in memory without a process of its own, and the diversified protection effect comes from the diversity of the bunker and the randomness of the fusion strategies. A number of commonly used programs were selected as test cases, and the method was evaluated in terms of resource cost, protection effect and comparative experiments. Compared with traditional methods such as obfuscation and packing, the proposed method has clear advantages against static analysis and dynamic debugging, and can effectively resist mainstream reverse-analysis and cracking methods.

    Research on construction of conditional exception code used in branch obfuscation
    Pu GENG,Yuefei ZHU
    2020, 6(6):  25-34.  doi:10.11959/j.issn.2096-109x.2020061

    Branch obfuscation replaces conditional jump code with conditional exception code and an exception handler: the correct branch is still selected, but the address of the branch point is concealed, so the obfuscation defeats symbolic execution by impeding the collection of path constraints. The usual method of constructing conditional exception code has a flaw: the key data in the conditional exception code has a two-value problem, which weakens the ability of branch obfuscation to impede symbolic execution. To address this shortcoming, a novel construction method that diversifies the key data in the conditional exception code was proposed. The method increases the difficulty of extracting constraint conditions, so the ability of branch obfuscation to defeat symbolic execution is enhanced. Finally, a prototype obfuscation system based on structured exception handling (SEH) was implemented to test the new construction method.

    Mining behavior pattern of mobile malware with convolutional neural network
    Xin ZHANG,Weizhong QIANG,Yueming WU,Deqing ZOU,Hai JIN
    2020, 6(6):  35-44.  doi:10.11959/j.issn.2096-109x.2020073

    The features extracted by existing detection methods for malicious Android applications are redundant and too abstract to reflect the behavior patterns of malicious applications at a high semantic level. To solve this problem, an interpretable detection method was proposed. Suspicious system-call combinations, clustered by social network analysis, are converted into a single-channel image, and a convolutional neural network is applied to classify the Android application. The trained model is then used to find the most suspicious system-call combinations with a gradient-weighted class activation mapping algorithm on the convolution layers, thereby mining and understanding the behavior of malicious applications. Experimental results show that the method can correctly discover the behavior patterns of malicious applications while detecting them efficiently.

    Analysis of DoS attacks on Docker inter-component stdio copy
    Tianyu ZHOU,Wenbo SHEN,Nanzi YANG,Jinku LI,Chenggang QIN,Wang YU
    2020, 6(6):  45-56.  doi:10.11959/j.issn.2096-109x.2020074

    In recent years, Docker has been widely deployed because of its flexibility and high scalability. However, its modular design exposes inter-component communication to DoS attacks. A new DoS attack is presented in which a container simply writes output to stdout, causing high CPU usage across different Docker components. Analysis shows that the stdout output triggers goroutines in the Docker components. To find all goroutine setup paths, a static analysis method that systematically analyzes the Docker components was proposed; a static analysis framework was designed, implemented and evaluated on the Docker source code. The results show that the framework finds 34 such paths, 22 of which are confirmed by runtime verification.

    Software protection technology based on code fragmentation
    Jingcheng GUO,Hui SHU,Xiaobing XIONG,Fei KANG
    2020, 6(6):  57-68.  doi:10.11959/j.issn.2096-109x.2020063

    To address the shortcomings of current software protection technology, a code fragmentation technique was proposed. It is a new software protection technique that takes functions as units, turns each function into shellcode, randomizes the memory layout, and performs dynamic linking. Code shellization transforms the code fragments into position-independent form, memory layout randomization loads the code fragments at random memory locations, dynamic linking executes the code fragments dynamically, and program fragmentation is achieved through these three steps. Experiments show that code fragmentation not only randomizes the memory locations of function fragments during program execution but also links and executes them dynamically, increasing the difficulty of static reverse analysis and dynamic reverse debugging and improving the program's resistance to reverse analysis.

    Analysis of security extension protocol in e-mail system
    Jingjing SHANG,Yujia ZHU,Qingyun LIU
    2020, 6(6):  69-79.  doi:10.11959/j.issn.2096-109x.2020083

    E-mail is the main entry point for launching network attacks, and impersonating a trusted entity is an important means of e-mail forgery. An attribute graph based on the e-mail authentication mechanisms was built to measure the global adoption rate of e-mail security extension protocols among government agencies. The deployment effect of the security extension protocols was studied from three dimensions: e-mail content phishing, domain phishing and letterhead phishing. The results show that about 70% of the mail systems of government agencies in various countries deploy SPF, but less than 30% deploy DMARC, so the adoption rate of e-mail identity verification is low. When a forged e-mail does get through, the e-mail providers' warning mechanisms for counterfeit e-mails also need to be improved.
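    The kind of deployment check behind the SPF and DMARC adoption figures above, as an added Python example that is not part of the paper. The TXT records and the `example.gov` domains are constructed, the `lookup_txt` function stands in for a real DNS query, and the three deployment levels (`enforced`, `monitoring_only`, `unprotected`) are this example's own classification, not the paper's attribute graph.

```python
import re

# Constructed TXT records for hypothetical domains; they are not real DNS data
# and not the measurement data of the paper.
TXT_RECORDS = {
    "agency-a.example.gov": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "_dmarc.agency-a.example.gov": ["v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example.gov"],
    "agency-b.example.gov": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.agency-b.example.gov": ["v=DMARC1; p=none; rua=mailto:reports@agency-b.example.gov"],
    "agency-c.example.gov": ["v=spf1 +all"],                       # SPF published, but it authorizes everyone
    "agency-d.example.gov": ["google-site-verification=abc123"],   # no SPF, no DMARC
}
DOMAINS = ["agency-a.example.gov", "agency-b.example.gov",
           "agency-c.example.gov", "agency-d.example.gov"]


def lookup_txt(name):
    """Stand-in for a DNS TXT query; a real tool resolves the name instead."""
    return TXT_RECORDS.get(name, [])


def parse_spf(domain):
    """Return the SPF terms and the qualifier of the 'all' mechanism, which
    decides the result for a sender no other mechanism matched:
    '-' fail, '~' softfail, '?' neutral, '+' pass (the default)."""
    for record in lookup_txt(domain):
        if record.lower().startswith("v=spf1"):
            terms = record.split()[1:]
            qualifier = None
            for term in terms:
                m = re.fullmatch(r"([+\-~?])?all", term, re.IGNORECASE)
                if m:
                    qualifier = m.group(1) or "+"
            return {"present": True, "all": qualifier, "terms": terms}
    return {"present": False, "all": None, "terms": []}


def parse_dmarc(domain):
    """DMARC lives at _dmarc.<domain> as 'tag=value;' pairs; 'p' is the policy
    applied to mail that fails alignment and defaults to none."""
    for record in lookup_txt("_dmarc." + domain):
        if record.upper().startswith("V=DMARC1"):
            tags = {}
            for part in record.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return {"present": True, "policy": tags.get("p", "none").lower(), "tags": tags}
    return {"present": False, "policy": None, "tags": {}}


def classify(domain):
    """Rate how well the domain is protected against being forged as the sender."""
    spf = parse_spf(domain)
    dmarc = parse_dmarc(domain)
    spf_effective = spf["present"] and spf["all"] in ("-", "~")
    dmarc_enforcing = dmarc["present"] and dmarc["policy"] in ("quarantine", "reject")
    if dmarc_enforcing and spf_effective:
        level = "enforced"           # a forged From: domain is quarantined or rejected
    elif dmarc["present"] or spf_effective:
        level = "monitoring_only"    # records exist but do not stop a forged message
    else:
        level = "unprotected"
    return {"domain": domain, "spf_effective": spf_effective,
            "dmarc_enforcing": dmarc_enforcing, "level": level}


def adoption_rates(domains):
    """Fraction of domains at each deployment level, the kind of figure the
    paper reports for government agencies."""
    results = [classify(d) for d in domains]
    n = len(results)
    return {
        "spf_published": sum(parse_spf(d)["present"] for d in domains) / n,
        "spf_effective": sum(r["spf_effective"] for r in results) / n,
        "dmarc_published": sum(parse_dmarc(d)["present"] for d in domains) / n,
        "dmarc_enforcing": sum(r["dmarc_enforcing"] for r in results) / n,
    }


if __name__ == "__main__":
    for d in DOMAINS:
        print(classify(d))
    print(adoption_rates(DOMAINS))
```

    Two caveats a practitioner should keep in mind when reading such figures: SPF only authenticates the envelope sender (RFC 5321 MailFrom), not the From: header the recipient sees, so the "letterhead phishing" dimension depends on DMARC alignment rather than on SPF alone; and a published DMARC record with `p=none` only requests reports and does nothing to a forged message. This example also ignores the `pct` and `sp` tags, which can weaken an apparently enforcing policy.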

    Papers
    Research on national security risk assessment model of open government data
    Biao WANG,Xingyang LIU,Ka XU,Wangyang LIU,Kenan WANG,Yuqing XIA
    2020, 6(6):  80-87.  doi:10.11959/j.issn.2096-109x.2020077

    As an important strategic resource for national and social development, open government data is of great value. However, China lacks standards for the security risk assessment of open government data, and national data security in particular is at risk. Based on the theory of information security risk assessment, an open government data security risk assessment model was constructed with national security assets, open data vulnerabilities and security threats as the main risk elements. The analytic hierarchy process (AHP) and fuzzy comprehensive evaluation were used to quantify and evaluate the security risks of open government data, and the validity of the model was verified by example.

    Model of cyberspace threat early warning based on cross-domain and collaboration
    Gang XIONG,Yuwei GE,Yanjie CHU,Weiquan CAO
    2020, 6(6):  88-96.  doi:10.11959/j.issn.2096-109x.2020078

    Network threats have become proactive, concealed and ubiquitous, which poses a severe challenge to the passive, local and isolated traditional network defense model. In view of the new trend of integrating big data, artificial intelligence and network security, a cross-domain collaborative network threat early warning model was proposed to enable and improve the efficiency of cyberspace security. Firstly, starting from the overall structure of the protected cyberspace, the model builds a cross-domain functional framework connected both vertically and horizontally by dividing security threat domains, decomposing system functions and designing an information sharing mechanism. Secondly, to enhance threat information detection, a collaborative technical architecture is designed following the logic of hierarchical management, and the key technologies involved in threat information perception, processing and application are introduced systematically. Finally, with the help of application scenarios, the capability increment of the proposed threat early warning model is described qualitatively.

    Low failure recovery cost controller placement strategy in software defined networks
    Qi WU,Hongchang CHEN
    2020, 6(6):  97-104.  doi:10.11959/j.issn.2096-109x.2020066

    Controller placement is an important problem in software defined networks. Existing research pays more attention to placing controllers with node failures in mind and ignores the fact that link failures can also affect the network drastically. To solve this problem, a mathematical model for controller placement that plans ahead for link failures, so as to avoid a drastic increase in failure recovery cost, was proposed, and an algorithm based on simulated annealing was designed to solve it. Simulation results show that the proposed model and algorithm improve the robustness of the network: the maximum failure recovery cost is significantly reduced when a link fails.

    TPCM-based trusted PXE boot method for servers
    Guojie LIU,Jianbiao ZHANG
    2020, 6(6):  105-111.  doi:10.11959/j.issn.2096-109x.2020079

    The PXE boot mechanism downloads operating system files over the network and starts the operating system, and is widely used for network booting of servers. Securing the PXE boot process with trusted computing technology prevents the PXE boot files from being tampered with maliciously and ensures safe and reliable server operation. The cyber security classified protection standard requires that the system boot program and system programs of a server device be verified as trusted based on a root of trust. A TPCM-based trusted PXE boot method for servers, following the requirements of the classified protection standard, was proposed to ensure the security and trustworthiness of the server's BIOS firmware, PXE boot files and Linux system files. When the server performs a PXE boot, the TPCM measures the BIOS firmware, the BIOS boot environment measures the PXE boot files, and the PXE boot environment measures the Linux system files. With the TPCM as the root of trust, measuring level by level and trusting level by level, a chain of trust is established that yields a trusted server operating environment. The proposed method was tested on a domestically produced, self-controllable Shenwei server, and the experimental results show that it is feasible.
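    The measure-then-execute chain described above (TPCM measures BIOS, BIOS measures PXE boot files, PXE environment measures the Linux files), as an added Python simulation that is not part of the paper or its implementation. The five images are constructed byte strings standing in for the real firmware, network boot program, boot configuration, kernel and initrd, and the single extend-only register with SHA-256 is this example's assumption about how the measurements are accumulated; the TPCM's actual register layout and hash algorithm are not stated on this page.

```python
import hashlib

# Constructed stand-ins for the images measured during a trusted PXE boot; they
# are not the paper's artifacts.
GOOD_CHAIN = [
    ("bios",          b"BIOS firmware image v1.0"),                        # measured by the TPCM
    ("pxe/nbp",       b"pxelinux.0 network boot program"),                 # measured by the BIOS
    ("pxe/config",    b"DEFAULT linux\nKERNEL vmlinuz\nINITRD initrd.img\n"),
    ("os/vmlinuz",    b"Linux kernel image"),                              # measured by the PXE environment
    ("os/initrd.img", b"initial ramdisk"),
]

ZERO = b"\x00" * 32


def measure(image: bytes) -> bytes:
    return hashlib.sha256(image).digest()


def extend(register: bytes, digest: bytes) -> bytes:
    """TPM/TPCM-style extend: new = H(old || digest). The register can only be
    extended, never written, so its final value depends on every measurement
    and on the order in which they were made."""
    return hashlib.sha256(register + digest).digest()


def boot_with_measurements(chain):
    """Measure-then-execute: each stage measures the next image into the
    register before handing control to it. Returns the final register value
    and the event log that a verifier can replay."""
    register = ZERO
    event_log = []
    for name, image in chain:
        digest = measure(image)
        register = extend(register, digest)
        event_log.append((name, digest.hex()))
    return register, event_log


# Golden values the verifier expects for an untampered boot.
GOLDEN = {name: measure(image).hex() for name, image in GOOD_CHAIN}


def verify(register, event_log, golden):
    """Check that every logged measurement matches its golden value and that the
    log replays to the reported register, so a log edited after the fact is
    caught as well as a modified image."""
    replay = ZERO
    for name, hexdigest in event_log:
        if golden.get(name) != hexdigest:
            return False, f"unexpected measurement for {name}"
        replay = extend(replay, bytes.fromhex(hexdigest))
    if replay != register:
        return False, "event log does not replay to the reported register"
    return True, "ok"


def tampered_chain(target, new_image):
    """The same boot chain with one image replaced, e.g. a PXE config that
    points at a different kernel."""
    return [(name, new_image if name == target else image) for name, image in GOOD_CHAIN]


if __name__ == "__main__":
    register, log = boot_with_measurements(GOOD_CHAIN)
    print("genuine boot:", verify(register, log, GOLDEN))
    evil = tampered_chain("pxe/config", b"DEFAULT linux\nKERNEL vmlinuz.evil\n")
    register2, log2 = boot_with_measurements(evil)
    print("tampered PXE config:", verify(register2, log2, GOLDEN))
    print("tampered boot, genuine log:", verify(register2, log, GOLDEN))
```

    The simulation shows why the chain is only as strong as its root: every later register value is derived from the first measurement, so the BIOS measurement must be taken by the TPCM before the CPU executes the BIOS, and the register must be resettable only by a power cycle. What software cannot show is the other half of the design, namely that the reported register value has to come from the TPCM itself (for example signed by it) rather than from the code being verified.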

    Lightweight malicious domain name detection model based on separable convolution
    Luhui YANG,Huiwen BAI,Guangjie LIU,Yuewei DAI
    2020, 6(6):  112-120.  doi:10.11959/j.issn.2096-109x.2020084

    Applying artificial intelligence to malicious domain name detection requires considering both accuracy and computation speed, which brings it closer to practical application. Based on this consideration, a lightweight malicious domain name detection model based on separable convolution was proposed. The model uses a separable convolution structure: it first applies depthwise convolution to every input channel, and then performs pointwise convolution across all output channels. This effectively reduces the parameters of the convolution without impairing the effectiveness of convolutional feature extraction, giving a faster convolution while keeping high accuracy. To improve detection accuracy given the imbalance in the number and difficulty of positive and negative samples, a focal loss function was introduced into the training process. The proposed algorithm was compared with three typical deep-learning-based detection models on a public data set. Experimental results show that the proposed algorithm achieves detection accuracy close to the state-of-the-art model and significantly improves model inference speed on a CPU.
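    The two building blocks named above, a depthwise-then-pointwise (separable) convolution and the focal loss, as an added pure-Python example that is not the paper's model. The character alphabet, the one-hot encoding of the domain name, the fixed (untrained) filter weights and the layer sizes are all this example's assumptions; the point is to make the parameter saving and the loss reweighting concrete, not to reproduce the paper's architecture.

```python
import math

# Assumed character alphabet for encoding domain names: 26 letters, 10 digits,
# hyphen and dot, giving C_in = 38 input channels.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-."


def encode(domain):
    """One-hot encode a domain name as C_in channels, each a list over the L positions."""
    channels = [[0.0] * len(domain) for _ in ALPHABET]
    for pos, ch in enumerate(domain):
        channels[ALPHABET.index(ch)][pos] = 1.0
    return channels


def depthwise_conv1d(x, kernels):
    """Depthwise step: one k-tap filter per input channel, no mixing across channels.
    x is C_in lists of length L, kernels is C_in lists of length k; the output is
    C_in lists of length L - k + 1 (valid convolution, no padding)."""
    k = len(kernels[0])
    L = len(x[0])
    return [[sum(kernels[c][j] * x[c][i + j] for j in range(k)) for i in range(L - k + 1)]
            for c in range(len(x))]


def pointwise_conv1d(x, weights):
    """Pointwise step: a 1x1 convolution with a C_out x C_in weight matrix that
    mixes channels at every position independently."""
    c_in = len(x)
    L = len(x[0])
    return [[sum(weights[o][c] * x[c][i] for c in range(c_in)) for i in range(L)]
            for o in range(len(weights))]


def separable_conv1d(x, dw_kernels, pw_weights):
    return pointwise_conv1d(depthwise_conv1d(x, dw_kernels), pw_weights)


def param_counts(c_in, c_out, k):
    """Weights of a standard 1-D convolution versus its depthwise separable
    replacement with the same receptive field and output channels."""
    standard = k * c_in * c_out
    separable = k * c_in + c_in * c_out
    return standard, separable


def focal_loss(p, y, alpha=0.25, gamma=2.0):
    """Binary focal loss. The factor (1 - p_t)^gamma shrinks the loss of examples
    the model already classifies confidently, so training is dominated by the
    hard (typically minority-class) samples instead of the easy majority."""
    p_t = p if y == 1 else 1.0 - p
    alpha_t = alpha if y == 1 else 1.0 - alpha
    return -alpha_t * (1.0 - p_t) ** gamma * math.log(p_t)


def demo():
    """One separable convolution layer over a constructed domain name with fixed,
    untrained weights: 3 taps per channel and 8 output channels. Returns the
    output shape (C_out, L_out) and the parameter counts for comparison."""
    x = encode("secure-login.example.com")
    c_in, c_out, k = len(ALPHABET), 8, 3
    dw = [[0.5, 1.0, 0.5] for _ in range(c_in)]                                   # assumed weights
    pw = [[1.0 if (c + o) % 2 == 0 else -1.0 for c in range(c_in)] for o in range(c_out)]
    y = separable_conv1d(x, dw, pw)
    return len(y), len(y[0]), param_counts(c_in, c_out, k)
```

    With 38 input channels, 64 output channels and 3 taps, a standard convolution needs 7296 weights and the separable form 2546; the multiply-add count shrinks by the same ratio, which is where the CPU inference speed-up comes from. For the loss, a confidently correct sample (p = 0.9 for a positive) contributes over a thousand times less than a badly misclassified one (p = 0.1), which is what keeps a large benign majority from swamping the malicious minority during training.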

    Evaluation method of privacy protection effect based on multi-layer fuzzy comprehensive evaluation
    Yihan YU,Yu FU,Xiaoping WU
    2020, 6(6):  121-127.  doi:10.11959/j.issn.2096-109x.2020082

    Evaluating the privacy protection effect at a single data level cannot describe the overall privacy protection effect of a network environment. To address this, with the help of the fuzzy comprehensive evaluation method, the factors influencing the privacy protection effect were distilled from the entire life cycle of the data. According to the privacy differences among the data, the factor weights and block weights were determined, and an overall result for the privacy protection effect of the network environment was calculated. Case analysis shows that the proposed method is feasible and effective.

    Triple receiver public key encryption cryptosystem
    Liutao ZHAO,Lin ZHONG,Jidong LIU,Caiqun WANG,Dan WU
    2020, 6(6):  128-136.  doi:10.11959/j.issn.2096-109x.2020080

    A triple receiver public key cryptosystem was proposed, in which a sender encrypts a message and sends it to three receivers, each of which can decrypt the message with its own private key. Based on bilinear maps, two triple receiver public key encryption schemes with different security levels were constructed. Assuming that the gap bilinear Diffie-Hellman (GBDH) problem and the computational Diffie-Hellman (CDH) problem are intractable, the two schemes were formally proved to be semantically secure against chosen-plaintext attacks and against adaptive chosen-ciphertext attacks, respectively. The proposed schemes add only one exponentiation and one hash operation, and construct three independent receivers with high efficiency. Analysis shows that the proposed scheme can improve the security of the TLS protocol and can be applied to hierarchical public key cryptosystems.

    Issues of identity verification of typical applications over mobile terminal platform
    Xiaolin ZHANG,Dawu GU,Chi ZHANG
    2020, 6(6):  137-151.  doi:10.11959/j.issn.2096-109x.2020081

    Recent studies have shown that attacks against USIM cards are increasing: an attacker can use a cloned USIM card to bypass the identity verification process of some applications and thereby gain unauthorized access. Considering that a USIM card can be cloned easily even under a 5G network, the identity verification processes of popular mobile applications were analyzed. Application behavior was profiled while users logged in, reset passwords and performed sensitive operations, and from this a tree model of application authentication was summarized. On this basis, 58 popular applications in 7 categories, including social communication and healthcare, were tested; 29 of them require only an SMS verification code to authenticate and obtain permissions. To address this issue, two-step authentication was suggested, and USIM anti-counterfeiting was applied to assist the authentication process.

    Charging pile recommendation method for idle electric taxis based on recurrent neural network
    Jian JIA,Linfeng LIU,Jiagao WU
    2020, 6(6):  152-163.  doi:10.11959/j.issn.2096-109x.2020085

    A charging pile recommendation method for idle electric taxis (CPRM-IET) based on a recurrent neural network was proposed to recommend the optimal charging piles for idle electric taxis. Usually, the movement of an idle electric taxi depends on the subconscious movement tendency and driving habits of the driver, so its future movement must be predicted from its historical trajectories in order to find the charging piles that require the least extra movement. In CPRM-IET, a dual-stage attention-based recurrent neural network (DA-RNN) model is used to predict the future trajectories of electric taxis. The DA-RNN model includes two kinds of attention: an input attention mechanism that assigns different weights to the input driving sequence at each time slot, and a temporal attention mechanism that assigns weights to the hidden states of the encoder. Based on the predicted trajectories, several charging piles requiring the least extra movement are selected and recommended to the idle electric taxis. Simulation results show that CPRM-IET achieves favorable results in terms of extra movement for charging and root mean square error, which indicates that CPRM-IET can accurately predict the future trajectories of idle electric taxis and recommend optimal charging piles for them.

    User interests-based microblog tracing algorithm
    Xiao YANG,Xiuzhen CHEN,Jin MA,Haozhe LIANG,Shenghong LI
    2020, 6(6):  164-173.  doi:10.11959/j.issn.2096-109x.2020086

    Microblog information tracing means finding the source set of a microblog topic by analyzing crawled microblog texts, and it is of great significance for public opinion management and information security. A user interests-based tracing method (ITM) was proposed. The method calculates the influence of a blogger based on the blogger's interests, and likewise the influence of the commentators based on their interests. A ranking algorithm scores the blogs according to publication time, notability and influence, and the source of the blogs is traced according to the score ranking. Experimental results show that the accuracy of the proposed algorithm improves by about 21% compared with traditional tracing algorithms.

Copyright Information
Bimonthly, started in 2015
Authorized by: Ministry of Industry and Information Technology of the People's Republic of China
Sponsored by: Posts and Telecommunications Press
Co-sponsored by: Xidian University, Beihang University, Huazhong University of Science and Technology, Zhejiang University
Edited by: Editorial Board of Chinese Journal of Network and Information Security
Editor-in-Chief: FANG Bin-xing
Executive Editor-in-Chief: LI Feng-hua
Director: Xing Jianchun
Address:F2, Beiyang Chenguang Building, Shunbatiao No.1 Courtyard, Fengtai District, Beijing, China
Tel:010-53879136/53879138/53879139
Fax:+86-81055464
ISSN 2096-109X
CN 10-1366/TP