����Ŀ¼

15 February 2022, Volume 8 Issue 1

Previous Issue    Next Issue

Comprehensive Review

Research review of network defense decision-making methods based on attack and defense game

Xiaohu LIU, Hengwei ZHANG, Junqiang MA, Yuchen ZHANG, Jinglei TAN

2022, 8(1):  1-14.  doi:10.11959/j.issn.2096-109x.2021089

Asbtract ( 1176 )   HTML ( 261)   PDF (971KB) ( 1632 )   Knowledge map   

Figures and Tables | References | Related Articles | Metrics

Game theory studies the optimal decision-making problem under the condition of conflict confrontation.It is one of the basic theories of cyberspace security, and can provide a theoretical basis for solving the problem of network defense decision-making.The six game characteristics of network attack and defense were defined, such as goal opposition, strategy dependence, non-cooperative relationship, incomplete information, dynamic evolution and interest drive.Based on the hypothesis of rational player and limited resources, a 5-tuple network attack and defense game model was formally defined by using player, attack and defense strategy set, attack and defense action set, attack and defense information set and attack and defense income.The existing conditions of game equilibrium were analyzed, and the general process of network defense decision-making based on attack and defense game model was summarized.The applicable scenarios of network defense decision-making methods based on eight different types of game models were analyzed, such as complete information static game, complete information dynamic game, incomplete information static game, incomplete information dynamic game, evolutionary game, differential game, time game and random game, and summarizes their research ideas.The advantages and disadvantages of network defense decision-making methods based on different types of game models were given.The development process of network defense decision-making method based on attack defense game was summarized, and the advantages and characteristics of defense decision-making method was explained.It were pointed out that there were three problems in the research process, such as the relationship between the number of factors considered in game modeling and the complexity of the model, the dependence of game reasoning on information and data, and the generalization and migration of game model.It also looked forward to the next research direction from the description mechanism of normative strategy, the calculation method of optimizing revenue and the integration with other network security technologies.And the problems that should be solved were explained.

Topic: Security Awareness and Detection Method

Survey of software anomaly detection based on deception

Jianming FU, Chang LIU, Mengfei XIE, Chenke LUO

2022, 8(1):  15-29.  doi:10.11959/j.issn.2096-109x.2022003

Asbtract ( 435 )   HTML ( 77)   PDF (1001KB) ( 689 )   Knowledge map   

Figures and Tables | References | Related Articles | Metrics

Advanced persistent threats (APT) will use vulnerabilities to automatically load attack code and hide attack behavior, and exploits code reuse to bypass the non-executable stack ＆amp; heap protection, which is an essential threat to network security.Traditional control flow integrity and address space randomization technologies have effectively prevented the pace of APT.However, the complexity of the software and the evolution of attacks make the software still being vulnerable.For this reason, deception defense with resources as bait is an indispensable supplement for network security.The trapping mechanism consists of bait design and attack detection, which infer possible unauthorized access or malicious attacks by sensing the interaction behavior with the bait.According to the three types of bait, which are file, data and code, the automatic construction scheme of bait is designed and deployed, and the effectiveness of bait is measured from the aspects of believability, detectability and enticement, etc.Ransom ware detection based on deception defense focuses on the deployment location of bait files, and in the area of vulnerability detection, code reuse attacks are detected by injecting bait code.Research work related to the implementation of deception defense in each phase of APT attacks was introduced, and the mechanism of deception defense from bait type, bait generation, bait deployment, and bait measurement was described.Simultaneously, deception defense applications in ransom ware detection, vulnerability detection, and Web security were analyzed.In response to the shortcomings of existing ransom ware detection research in terms of bait file design and deployment, a dynamic update method of bait for ransom ware detection was proposed.The deception defense challenges were discussed and hoped that deception defense can provide theoretical and technical support for discovering unknown attacks and attack attribution.

Detection of SSL/TLS protocol attacks based on flow spectrum theory

Shize GUO, Fan ZHANG, Zhuoxue SONG, Ziming ZHAO, Xinjie ZHAO, Xiaojuan WANG, Xiangyang LUO

2022, 8(1):  30-40.  doi:10.11959/j.issn.2096-109x.2022004

Asbtract ( 568 )   HTML ( 92)   PDF (6724KB) ( 456 )   Knowledge map   

Figures and Tables | References | Related Articles | Metrics

Network attack detection plays a vital role in network security.Existing detection approaches focus on typical attack behaviors, such as Botnets and SQL injection.The widespread use of the SSL/TLS encryption protocol arises some emerging attack strategies against the SSL/TLS protocol.With the network traffic collection environment that built upon the implements of popular SSL/TLS attacks, a network traffic dataset including four SSL/TLS attacks, as well as benign flows was controlled.Considering the problems that limited observability of existing detection and limited separation of the original-flow spatiotemporal domains, a flow spectrum theory was proposed to map the threat behavior in the cyberspace from the original spatiotemporal domain to the transformed domain through the process of “potential change” and obtain the “potential variation spectrum”.The flow spectrum theory is based on a set of separable and observable feature representations to achieve efficient analysis of network flows.The key to the application of flow spectrum theory in actual cyberspace threat behavior detection is to find the potential basis matrix for a specific threat network flow under the condition of a given transformation operator.Since the SSL/TLS protocol has a strong timing relationship and state transition process in the handshake phase, and there are similarities between some SSL/TLS attacks, the detection of SSL/TLS attacks not only needs to consider timing context information, but also needs to consider the high-separation representation of TLS network flows.Based on the flow spectrum theory, the threat template idea was used to extract the potential basis matrix, and the potential basis mapping based on the long-short-term memory unit was used to map the SSL/TLS attack network flow to the flow spectrum domain space.On the self-built SSL/TLS attack network flow data set, the validity of the flow spectrum theory is verified by means of classification performance comparison, potential variation spectrum dimensionality reduction visualization, threat behavior feature weight evaluation, threat behavior spectrum division assessment, and potential variation base matrix heatmap visualization.

Methods of security situation prediction for industrial internet fused attention mechanism and BSRU

Xiangdong HU, Zhengguo TIAN

2022, 8(1):  41-51.  doi:10.11959/j.issn.2096-109x.2021092

Asbtract ( 222 )   HTML ( 34)   PDF (3905KB) ( 468 )   Knowledge map   

Figures and Tables | References | Related Articles | Metrics

The security situation prediction plays an important role in balanced and reliable work for industrial internet.In the face of massive, high-dimensional and time-series data generated in the industrial production process, traditional prediction models are difficult to accurately and efficiently predict the network security situation.Therefore, the methods of security situation prediction for industrial internet fused attention mechanism and bi-directional simple recurrent unit (BSRU) were proposed to meet the real-time and accuracy requirements of industrial production.Each security element was analyzed and processed, so that it could reflect the current network state and facilitate the calculation of the situation value.One-dimensional convolutional network was used to extract the spatial dimension features between each security element and preserve the temporal correlation between features.The BSRU network was used to extract the time dimension features between the data information and reduced the loss of historical information.Meanwhile, with the powerful parallel capability of SRU network, the training time of model was reduced.Attention mechanism was introduced to optimize the correlation weight of BSRU hidden state to highlight strong correlation factors, reduced the influence of weak correlation factors, and realized the prediction of industrial internet security situation combining attention mechanism and BSRU.The comparative experimental results show that the model reduces the training time and training error by 13.1% and 28.5% than the model using bidirectional long short-term memory network and bidirectional gated recurrent unit.Compared with the convolutional and BSRU network fusion model without attention mechanism, the prediction error is reduced by 28.8% despite the training time increased by 2%.The prediction effect under different prediction time is better than other models.Compared with other prediction network models, this model achieves the optimization of time performance and uses the attention mechanism to improve the prediction accuracy of the model under the premise of increasing a small amount of time cost.The proposed model can well fit the trend of network security situation, meanwhile, it has some advantages in multistep prediction.

Vulnerability identification technology research based on project version difference

Cheng HUANG, Mingxu SUN, Renyu DUAN, Susheng WU, Bin CHEN

2022, 8(1):  52-62.  doi:10.11959/j.issn.2096-109x.2021094

Asbtract ( 355 )   HTML ( 35)   PDF (1438KB) ( 341 )   Knowledge map   

Figures and Tables | References | Related Articles | Metrics

The open source code hosting platform has brought power and opportunities to software development, but there are also many security risks.The open source code has poor quality, the dependency libraries of projects are complex and vulnerability collection platforms are inadequate in collecting vulnerabilities.All these problems affect the security of open source projects and complex software with open source complements and most security patches can't be discovered and applied in time.Thus, the hackers could be easily found such vulnerable software.To discover the vulnerability in the open source community fully and timely, a vulnerability identification system based on project version difference was proposed.The update contents of projects in the open source community were collected automatically, then features were defined as security behaviors and code differences from the code and log in patches, 40 features including comment information feature group, page statistics feature group, code statistics feature group and vulnerability type feature group were proposed to build feature set.And random forest model was built to learn classifiers for vulnerability identification.The results show that VpatchFinder achieves a precision rate of 0.844, an accuracy rate of 0.855 and a recall rate of 0.851.Besides, 68.07% of community vulnerabilities can be early discovered by VpatchFinder in real open source CVE vulnerabilities.This research result can improve the current issue in software security architecture design and development.

Abnormal link detection algorithm based on semi-local structure

Haoran SHI, Lixin JI, Shuxin LIU, Gengrun WANG

2022, 8(1):  63-72.  doi:10.11959/j.issn.2096-109x.2021040

Asbtract ( 154 )   HTML ( 16)   PDF (1247KB) ( 209 )   Knowledge map   

Figures and Tables | References | Related Articles | Metrics

With the research in network science, real networks involved are becoming more and more extensive.Redundant error relationships in complex systems, or behaviors that occur deliberately for unusual purposes, such as wrong clicks on webpages, telecommunication network spying calls, have a significant impact on the analysis work based on network structure.As an important branch of graph anomaly detection, anomalous edge recognition in complex networks aims to identify abnormal edges in network structures caused by human fabrication or data collection errors.Existing methods mainly start from the perspective of structural similarity, and use the connected structure between nodes to evaluate the abnormal degree of edge connection, which easily leads to the decomposition of the network structure, and the detection accuracy is greatly affected by the network type.In response to this problem, a CNSCL algorithm was proposed, which calculated the node importance at the semi-local structure scale, analyzed different types of local structures, and quantified the contribution of edges to the overall network connectivity according to the semi-local centrality in different structures, and quantified the reliability of the edge connection by combining with the difference of node structure similarity.Since the connected edges need to be removed in the calculation process to measure the impact on the overall connectivity of the network, there was a problem that the importance of nodes needed to be repeatedly calculated.Therefore, in the calculation process, the proposed algorithm also designs a dynamic update method to reduce the computational complexity of the algorithm, so that it could be applied to large-scale networks.Compared with the existing methods on 7 real networks with different structural tightness, the experimental results show that the method has higher detection accuracy than the benchmark method under the AUC measure, and under the condition of network sparse or missing, It can still maintain a relatively stable recognition accuracy.

Multi-type low-rate DDoS attack detection method based on hybrid deep learning

Lijuan LI, Man LI, Hongjun BI, Huachun ZHOU

2022, 8(1):  73-85.  doi:10.11959/j.issn.2096-109x.2022001

Asbtract ( 451 )   HTML ( 55)   PDF (3254KB) ( 611 )   Knowledge map   

Figures and Tables | References | Related Articles | Metrics

Low-Rate distributed denial of service (DDoS) attack attacks the vulnerabilities in the adaptive mechanism of network protocols, posing a huge threat to the quality of network services.Low-Rate DDoS attack was characterized by high secrecy, low attack rate, and periodicity.Existing detection methods have the problems of single detection type and low identification accuracy.In order to solve them, a multi-type low-rate DDoS attack detection method based on hybrid deep learning was proposed.Different types of low-rate DDoS attacks and normal traffic in different scenarios under 5G environment were simulated.Traffic was collected at the network entrance and its traffic characteristic information was extracted to obtain multiple types of low-rate DDoS attack data sets.From the perspective of statistical threshold and feature engineering, the characteristics of different types of low-rate DDoS attacks were analyzed respectively, and the effective feature set of 40-dimension low-rate DDoS attacks was obtained.CNN-RF hybrid deep learning algorithm was used for offline training based on the effective feature set, and the performance of this algorithm was compared with LSTM-Light GBM and LSTM-RF algorithms.The CNN-RF detection model was deployed on the gateway to realize the online detection of multiple types of low-rate DDoS attacks, and the performance was evaluated by using the newly defined error interception rate and malicious traffic detection rate indexes.The results show that the proposed method can detect four types of low-rate DDoS attacks online, including Slow Headers attack, Slow Body attack, Slow Read attack and Shrew attack, and the error interception rate reaches 11.03% in 120 s time window.The detection rate of malicious traffic reaches 96.22%.It can be judged by the results that the proposed method can significantly reduce the intensity of low-rate DDoS attack traffic at the network entrance, and can be deployed and applied in the actual environment.

Research and Development

Adversarial example defense algorithm for MNIST based on image reconstruction

Zhongyuan QIN, Zhaoxiang HE, Tao LI, Liquan CHEN

2022, 8(1):  86-94.  doi:10.11959/j.issn.2096-109x.2021095

Asbtract ( 372 )   HTML ( 49)   PDF (1210KB) ( 409 )   Knowledge map   

Figures and Tables | References | Related Articles | Metrics

With the popularization of deep learning, more and more attention has been paid to its security issues.The adversarial sample is to add a small disturbance to the original image, which can cause the deep learning model to misclassify the image, which seriously affects the performance of deep learning technology.To address this challenge, the attack form and harm of the existing adversarial samples were analyzed.An adversarial examples defense method based on image reconstruction was proposed to effectively detect adversarial examples.The defense method used MNIST as the test data set.The core idea was image reconstruction, including central variance minimization and image quilting optimization.The central variance minimization was only processed for the central area of the image.The image quilting optimization incorporated the overlapping area into the patch block selection.Considered and took half the size of the patch as the overlap area.Using FGSM, BIM, DeepFool and C＆amp;W attack methods to generate adversarial samples to test the defense performance of the two methods, and compare with the existing three image reconstruction defense methods (cropping and scaling, bit depth compression and JPEG compression).The experimental results show that the central variance minimization and image quilting optimization algorithms proposed have a satisfied defense effect against the attacks of existing common adversarial samples.Image quilting optimization achieves over 75% classification accuracy for samples generated by the four attack algorithms, and the defense effect of minimizing central variance is around 70%.The three image reconstruction algorithms used for comparison have unstable defense effects on different attack algorithms, and the overall classification accuracy rate is less than 60%.The central variance minimization and image quilting optimization proposed achieve the purpose of effectively defending against adversarial samples.The experiments illustrate the defense effect of the proposed defense algorithm in different adversarial sample attack algorithms.The comparison between the reconstruction algorithm and the algorithm shows that the proposed scheme has good defense performance.

Research on network slicing security for 5G mMTC

Zijun XU, Jianwei LIU, Geng LI

2022, 8(1):  95-105.  doi:10.11959/j.issn.2096-109x.2022006

Asbtract ( 492 )   HTML ( 51)   PDF (3356KB) ( 589 )   Knowledge map   

Figures and Tables | References | Related Articles | Metrics

With the emergence of new 5G business, architecture and technology, more and more researchers pay attention to security issues and potential security risks.Massive machine type communication is one of the three major application scenarios of 5G.It provides high performance such as large connection and low power consumption.Due to factors such as limited resources of MTC equipment, it may also weaken the security of 5G networks.At the same time, different scenarios and applications have obvious demands for network performance, service quality and security level.The flexibility of 5G networking is realized by network slicing technology.It meets the diversity and customization of 5G network services, but also brings new security threats.5G commercial rapid development.The number of IoT devices has increased exponentially.In order to ensure that 5G networks provide more efficient and safe on-demand services, it is particularly important to study the security mechanism and strategy of network slicing for 5G mMTC application scenarios.Therefore, the characteristics and security requirements of 5G mMTC were analyzed.The main security threats of network slicing were listed.In view of the above security requirements and threats, the contribution and deficiency of existing security schemes around the aspects of specific network slice authentication, slice security isolation, security management and arrangement were summarized and expounded.And the future research in this field was prospected.A SM2-based secondary authentication and security isolation model for 5G mMTC network slicing was proposed.This model framework meeted the efficiency of large-scale authentication for 5G devices and users by introducing batch authentication and pre-authentication mechanisms.By hierarchical encryption of different communication data, the security isolation between 5G mMTC network slices was realized.The performance and security of the model were also analyzed.

Reversible data hiding in encrypted images based on fine-grained embedding room reservation

Jinwei LI, Xiaoya ZHANG, Yuanzhi YAO, Nenghai YU

2022, 8(1):  106-117.  doi:10.11959/j.issn.2096-109x.2022008

Asbtract ( 310 )   HTML ( 48)   PDF (1549KB) ( 348 )   Knowledge map   

Figures and Tables | References | Related Articles | Metrics

Reversible data hiding in encrypted images has attracted considerable attention due to the privacy-preserving requirement for cloud data management.The good performance in this area can be achieved by using the existing framework of reserving room before encryption, where the image is partitioned to two independent slices consisting of blocks and then traditional reversible data hiding techniques are utilized to vacate room.In order to better exploit the spatial correlation of images, a fine-grained scalable embedding room reservation strategy in which blocks were rearranged to constitute the textured slice and the smooth slice was proposed.The block-size can be adjusted adaptively according to the texture of the images and the size of room to be vacated.The original locations of these blocks were efficiently represented as the to-be-embedded auxiliary information for image restoration.Because pixels in the smooth slice are easier to be predicted, the smooth slice can contain more pixel bits from the textured slice to reserve more room and fewer embedding distortions are induced with traditional reversible data hiding techniques.Extensive experiments demonstrate the merits of the proposed method in terms of embedding capacity and image quality.

Intellectualized forensic technique for Android pattern locks

Jiahao QIU, Weidong QIU, Yangde WANG, Yan ZHA, Yuming XIE, Yan LI

2022, 8(1):  118-127.  doi:10.11959/j.issn.2096-109x.2022005

Asbtract ( 313 )   HTML ( 33)   PDF (1706KB) ( 281 )   Knowledge map   

Figures and Tables | References | Related Articles | Metrics

In the field of digital forensics, how to unlock mobile devices such as phones has always been an urgent problem to overcome.As a special kind of password, pattern lock is widely used in mobile phone screen unlock and software access authorization.Existing pattern lock cracking techniques have several non-negligible disadvantages, such as poor concealment, low practicability, non-intelligence and single application scenario.Two basic threat models were abstracted from shoulder surfing, surveillance camera, and real-time forensics, and a multi-scenario side channel attack on pattern locks was proposed.Based on the data of surveillance camera or manual video, intelligent vision recognition algorithms were adopted to identify, select and track the target device and biological key points in the video dynamically.Then, discrete tracking points were integrated by spatial mapping and pruning algorithm.The denoising algorithm was used to eliminate redundancy and optimize the trajectory.Through procedures above, the original trajectory was simplified into regular polylines defined by several key turning points.Finally, the simplified pattern was compared and matched with the rules of legal pattern locks to inference and retort its actual pattern.Possible candidates will be sorted in the output according to their confidences.Results show that in the surveillance camera scenario, where the device screen is always visible, the cracking success rate of our technique is 89% for 10 attempts and 99.3% for 20 attempts.In the face-to-face scenario, where the subject consciously blocks the screen and his drawing finger, the success rate was 82% after 10 attempts and 89.3% after 20 attempts.In the surveillance camera scenario, the increase of shooting horizontal distance can significantly decrease the cracking success rate.But this effect diminishes with the increase of the number of attempts.Results show that the cracking success rate of the complex password is always higher than that of the simple password during 20 attempts, which means a complex pattern lock cannot play a better protection role if the proposed technique is applied.Shooting angle deflection within 5° has little effect on the success rate of cracking.

Design of miner type identification mechanism based on reputation management model

Jiaren YU, Youliang TIAN, Hui LIN

2022, 8(1):  128-138.  doi:10.11959/j.issn.2096-109x.2022002

Asbtract ( 128 )   HTML ( 20)   PDF (1132KB) ( 411 )   Knowledge map   

Figures and Tables | References | Related Articles | Metrics

In the public mining pool, miners can freely enter the mining pool to submit proof of work to obtain rewards, and there are no conditions to restrict different types of miners.There will be malicious miners submitting invalid workloads and miners not submitting workloads in the mining pool, occupying the verification computing resources of the mining pool, reducing the verification efficiency of the mining pool, and causing the mining pool system to collapse.Aiming at the problem that it is difficult to distinguish the type of miners in the mining pool, which leads to the collapse of the mining pool system, a reputation management mechanism was introduced to measure the behavior of miners, and contracts were deployed to prevent miners from colluding with the pool manager.A design of miner type identification mechanism based on reputation management model was proposed.A reputation mechanism was constructed to measure the behavior of miners.When a miner conducts malicious behavior, the miner's reputation value would be lowered.When the miner's reputation value was less than the reputation threshold of the mining pool, the system would remove the miner, so that the miner can no longer enter the mining pool to submit proof of work and get rewards.The miners in the mining pool were dynamically updated by Markov process, so that the miners in the mining pool were conducting honest behaviors and submitting proof of work.At the same time, a reward system was designed to motivate the miners in the mining pool, and smart contracts were deployed in the mining pool to prevent miners from collusion with the mining pool manager.Finally, analyzing the scheme from the perspective of security and performance, the proposed scheme was not only safe in the process of miners submitting proof of workload, but also solved the problem of identifying miner types in public mining pools, thereby solving the problem of malicious miners submitting invalid workloads, eliminating malicious miners, and avoiding mining pools verifying invalid workloads, to improve the verification efficiency of the mining pool.

Privacy-preserving federated learning framework with irregular-majority users

Qianxin CHEN, Renwan BI, Jie LIN, Biao JIN, Jinbo XIONG

2022, 8(1):  139-150.  doi:10.11959/j.issn.2096-109x.2022011

Asbtract ( 497 )   HTML ( 84)   PDF (1421KB) ( 622 )   Knowledge map   

Figures and Tables | References | Related Articles | Metrics

In response to the existing problems that the federated learning might lead to the reduction of aggregation efficiency by handing the majority of irregular users and the leak of parameter privacy by adopting plaintext communication, a framework of privacy-preserving robust federated learning was proposed for ensuring the robustness of the irregular user based on the designed security division protocol.PPRFL could enable the model and its related information to aggregate in ciphertext on the edge server facilitate users to calculate the model reliability locally for reducing the additional communication overhead caused by the adoption of the security multiplication protocol in conventional methods, apart from lowering the high computational overhead resulted from homomorphic encryption with outsourcing computing to two edge servers.Based on this, user could calculate the loss value of the model through jointly using the verification sets issued by the edge server and that held locally after parameter updating of the local model.Then the model reliability could be dynamically updated as the model weight together with the historic information of the loss value.Further, the model weight was scaled under the guidance of prior knowledge, and the ciphertext model and ciphertext weight information are sent to the edge server to aggregate and update the global model parameters, ensuring that global model changes are contributed by high-quality data users, and improving the convergence speed.Through the security analysis of the Hybrid Argument model, the demonstration shows that PPRFL can effectively protect the privacy of model parameters and intermediate interaction parameters including user reliability.The experimental results show that the PPRFL scheme could still achieve the accuracy of 92% when all the participants in the federated aggregation task are irregular users, with the convergence efficiency 1.4 times higher than that of the PPFDL.Besides, the PPRFL scheme could still reach the accuracy of 89% when training data possessed by 80% of the users in the federated aggregation task were noise data, with the convergence efficiency 2.3 times higher than that of the PPFDL.

Prediction method of 0day attack path based on cyber defense knowledge graph

Cheng SUN, Hao HU, Yingjie YANG, Hongqi ZHANG

2022, 8(1):  151-166.  doi:10.11959/j.issn.2096-109x.2021101

Asbtract ( 843 )   HTML ( 125)   PDF (2849KB) ( 984 )   Knowledge map   

Figures and Tables | References | Related Articles | Metrics

To solve the difficulty of attack detection caused by the 0day vulnerability, a prediction method of 0day attack path based on cyber defense knowledge graph was proposed.The cyber defense knowledge graph was constructed to refine the discrete security data such as threat, vulnerability and asset into the complete and high-related knowledge format by extracting concepts and entities related to network attack from cyber security ontology research finds and databases.Based on the knowledge integrated by the knowledge graph, assumed and restricted the unknown attributes such as the existence, availability and harmfulness of 0day vulnerabilities, and model the concept of ＆quot;attack＆quot; as a relationship between attacker entities and device entities in the knowledge graph to transform the attack prediction to the link prediction of knowledge graph.According to this, apply path ranking algorithm was applied to mine the potential 0day attack in the target system and construct the 0day attack graph.Predicted the 0day attack path by utilizing the scores output by classifiers as the occurrence probabilities of single step attack and computing the occurrence probabilities of different attack paths.The experimental result shows that with the help of complete knowledge system provided by knowledge graph, the proposed method can reduce the dependence of prediction analysis on expert model and overcome the bad influence of 0day vulnerability to improve the accuracy of 0day attack prediction.And utilizing the characteristic that path ranking algorithm reasons based on the structure of graph can also help to backtrack the reasons of predicting results so as to improve the explainability of predicting.

Information security vulnerability scoring model for intelligent vehicles

Haiyang YU, Xiuzhen CHEN, Jin MA, Zhihong ZHOU, Shuning HOU

2022, 8(1):  167-179.  doi:10.11959/j.issn.2096-109x.2021096

Asbtract ( 455 )   HTML ( 67)   PDF (1248KB) ( 584 )   Knowledge map   

Figures and Tables | References | Related Articles | Metrics

More and more electronic devices are integrated into the modern vehicles with the development of intelligent vehicles.There are various design flaws and vulnerabilities hidden in a large number of hardware, firmware and software.Therefore, the vulnerabilities of intelligent vehicles have become the most important factor affecting the vehicle safety.The safety of vehicles is seriously affected by the disclosure of a large number of vulnerabilities, and the wide application of smart cars is also restricted.Vulnerability management is an effective method to reduce the risk of vulnerabilities and improve vehicle security.And vulnerability scoring is one the important step in vulnerability management procedure.However, current method have no capability assessing automotive vulnerabilities reasonably.In order to handle this problem, a vulnerability scoring model for intelligent vehicles was proposed, which was based on CVSS.The attack vector and attack complexity were optimized, and property security, privacy security, functional safety and life safety were added to characterize the possible impact of the vulnerabilities according to the characteristics of intelligent vehicles.With the machine learning method, the parameters in CVSS scoring formula were optimized to describe the characteristics of intelligent vehicle vulnerabilities and adapt to the adjusted and new added weights.It is found in case study and statistics that the diversity and distribution of the model are better than CVSS, which means the model can better score different vulnerabilities.And then AHP is used to evaluate the vulnerability of the whole vehicle based on the vulnerability score of the model, a score is given representing the risk level of whole vehicle.The proposed model can be used to evaluate the severity of information security vulnerabilities in intelligent vehicles and assess the security risks of the entire vehicle or part of the system reasonably, which can provide an evidence for fixing the vulnerabilities or reinforcing the entire vehicle.

Robustness evaluation of commercial liveness detection platform

Pengcheng WANG, Haibin ZHENG, Jianfei ZOU, Ling PANG, Hu LI, Jinyin CHEN

2022, 8(1):  180-189.  doi:10.11959/j.issn.2096-109x.2022010

Asbtract ( 236 )   HTML ( 26)   PDF (18234KB) ( 173 )   Knowledge map   

Figures and Tables | References | Related Articles | Metrics

Liveness detection technology has become an important application in daily life, and it is used in scenarios including mobile phone face unlock, face payment, and remote authentication.However, if attackers use fake video generation technology to generate realistic face-swapping videos to attack the living body detection system in the above scenarios, it will pose a huge threat to the security of these scenarios.Aiming at this problem, four state-of-the-art Deepfake technologies were used to generate a large number of face-changing pictures and videos as test samples, and use these samples to test the online API interfaces of commercial live detection platforms such as Baidu and Tencent.The test results show that the detection success rate of Deepfake images is generally very low by the major commercial live detection platforms currently used, and they are more sensitive to the quality of images, and the false detection rate of real images is also high.The main reason for the analysis may be that these platforms were mainly designed for traditional living detection attack methods such as printing photo attacks, screen remake attacks, and silicone mask attacks, and did not integrate advanced face-changing detection technology into their liveness detection.In the algorithm, these platforms cannot effectively deal with Deepfake attacks.Therefore, an integrated live detection method Integranet was proposed, which was obtained by integrating four detection algorithms for different image features.It could effectively detect traditional attack methods such as printed photos and screen remakes.It could also effectively detect against advanced Deepfake attacks.The detection effect of Integranet was verified on the test data set.The results show that the detection success rate of Deepfake images by proposed Integranet detection method is at least 35% higher than that of major commercial live detection platforms.