Please wait a minute...

Current Issue

    27 November 2015, Volume 36 Issue 11
    Previous Issue    Next Issue
    Comprehensive Review
    Detecting APT attacks: a survey from the perspective of big data analysis
    2015, 36(11):  1-14.  doi:10.11959/j.issn.1000-436x.2015184
    Asbtract ( 2237 )   PDF (798KB) ( 3582 )   Knowledge map   
    Related Articles | Metrics
    Advanced persistent threats have become the major threats of highly protected networks. Traditional detecting technologies were not able to find out APT attacks which were targeted, pretended and persistent. As a result, novel detecting technologies have become the hot topic in the field of APT defence. Firstly, concrete descriptions of the six phases of APT attacks were provided combined with typical technologies and theories of APT, the features of APT attacks were conduded. Secondly, the current research situation of frameworks defending APT was illustrated, and the research points and recent developments of four key technologies including anomalous detection of network flow, anomalous detection of malevolent codes, security events mining in social networks and correlation analysis of security events were analyzed. Finally, both the comprehensive defending framework and the detecting framework based on intelligent feedback were established, and the challenges and developing directions of detecting technologies in the process of dealing with APT attacks were pointed out.
    Mobile Security
    Tree-based lightweight RFID grouping proof protocol
    2015, 36(11):  15-24.  doi:10.11959/j.issn.1000-436x.2015188
    Asbtract ( 481 )   PDF (1124KB) ( 625 )   Knowledge map   
    Related Articles | Metrics
    RFID grouping proof protocol, which was the instantiation of the RFID application, needs higher secure and lightweight requirement. According to the participation of the verifier in the protocol, online and offline verifier tree-based lightweight RFID group proof protocol OTLP and FTLP separately were put forward. Both protocols can meet the RFID group proof protocol’s security requirements. Compared with the existing group proof protocol, they require less computational complexity and have higher efficiency and availability.
    Proxy-based privacy-preserving scheme for mobile Internet
    2015, 36(11):  25-32.  doi:10.11959/j.issn.1000-436x.2015190
    Asbtract ( 493 )   PDF (1354KB) ( 411 )   Knowledge map   
    Related Articles | Metrics
    A privacy-preserving scheme was proposed based on proxy gateway, which avoided using the trusted center and provided high quality privacy-protecting services. First of all, based on the existing architecture of mobile Internet, the proxy gateway was employed to cache relevant service information and adopt different privacy-preserving methods for various requirements, which achieve the targeted services. Secondly, taking the location privacy as an example, a lightweight privacy-preserving scheme is designed and achieved, which fully considers the effect of side information. Finally, theoretical analysis and evaluation results show the effectiveness and safety of proposed scheme.
    Secure and efficient distributed pseudonym generation in VANET
    2015, 36(11):  33-40.  doi:10.11959/j.issn.1000-436x.2015253
    Asbtract ( 502 )   PDF (724KB) ( 862 )   Knowledge map   
    Related Articles | Metrics
    A RSU-aided distributed method for pseudonym generation was put forward. Firstly, vehicle users generated their own temporary public keys. When a vehicle passed through RSU, its temporary public key was blindly signed by RSU. After the vehicle obtained a signature for its temporary public key, it combined the temporary public key and the signature together to make up a vehicle pseudonym (temporary public key and its signature by RSU). A vehicle communicated with the surrounding nodes through pseudonym. The advantage of this method is that RSU could share some workload of certificate authority (CA) in VANET. It improves system efficiency and strengthens its scalability. Meanwhile, since the private key which generates vehicle’s pseudonym is in the RSU, but not in the vehicle. It is more difficult for adversary to extract private key from system. As a result, the security of system is enhanced.
    Secure coordinated beamforming for multiuser MISO interference channels
    2015, 36(11):  41-51.  doi:10.11959/j.issn.1000-436x.2015198
    Asbtract ( 453 )   PDF (2607KB) ( 843 )   Knowledge map   
    Related Articles | Metrics
    For preventing the leakage of confidential messages in multiuser multiple-input single-output (MISO) interference channels, a secure coordinated beamforming (SCB) scheme was proposed for the perfect channel state information (CSI) case and a robust secure coordinated beamforming (RSCB) scheme for the imperfect CSI case. Under the perfect CSI, the beam forming vectors at transmitters were jointly optimized to maximize the minimum secrecy rate. The locally optimal solution to the original non-convex problem was obtained using the semidefinite relaxation (SDR) technique and the successive convex approximation (SCA) algorithm. Moreover, the framework was generalized to the case of imperfect CSI with the deterministic errors in both channel vector and channel covariance matrix. The RSCB scheme was used to maximize the worst-case secrecy rate. Simulation results validate the efficacy and the robustness of the proposed schemes.
    Multidimensional digital media-oriented access control scheme
    2015, 36(11):  52-60.  doi:10.11959/j.issn.1000-436x.2015201
    Asbtract ( 383 )   PDF (1556KB) ( 592 )   Knowledge map   
    Related Articles | Metrics
    In the emerging scenario of multidimensional digital media, users desire the self-constraining access permission by using environmental state, temporal state and etc. To achieve this goal, an authorization attribute based on concepts of environmental state, temporal state and roles was defined, then a multidimensional digital media-oriented access control scheme was proposed. Specifically, the assignment relationships of user-authorization attribute and authorization attribute-access permission were defined. On the basis of this, the authorization attributes for users according to their ID, attribute information, environmental states, temporal states and roles were assigned using the assignment relationship of the user-authorization attribute, the access permission for users in accordance with the authorization attributes were assigned with the assignment relationship of the authorization attribute-access permission. Additionally, constraint conditions were introduced into the proposed scheme to set self-constraining of the access permission for users in terms of the authorization attributes. Through this way, the dynamic reduction of the access permission was realized. Finally, the description of the Z-notation was employed to formalize our scheme. Results of instance analysis demonstrate that the proposed scheme is effective and efficiency. Comparing with related works, the proposed scheme is able to support the principles of the least privilege, separation of duty, data abstraction and etc.
    Cloud Security
    Verifiable outsourcing private key generation algorithm in an identity-based encryption scheme
    2015, 36(11):  61-66.  doi:10.11959/j.issn.1000-436x.2015233
    Asbtract ( 427 )   PDF (1129KB) ( 613 )   Knowledge map   
    Related Articles | Metrics
    An identity-based encryption scheme with verifiable outsourcing private key generation algorithm was proposed where the PKG outsourcers the task of private key generation to the server, and could verify the correctness of the outsourcing result effectively. The distinguish ability of the cipher text and verifiability of the outsourcing result was proved without random oracles, and the proposed scheme was realized in a simulation environment. The experiment shows that the cost of the PKG is smaller than that of the servers, and it is much smaller than that of computing the private keys of all users directly.
    Threshold scheme for different access clusters based on vector space
    2015, 36(11):  67-72.  doi:10.11959/j.issn.1000-436x.2015212
    Asbtract ( 307 )   PDF (908KB) ( 426 )   Knowledge map   
    Related Articles | Metrics
    Aiming at that the secret sharing of clusters with different access right was difficult problem, the concept of inner product vector space over the finite field was introduced. Then the direct sum of subspaces and the organization layout of basis vector for its orthogonal complement space were researched. A (s+r, m+n)-threshold scheme based on vector space was designed by using the Gram-Schmidt algorithm and the closest vector theorem. Furthermore, this scheme was popularized to the situation with finite numbers of different access clusters. The results reveal that this threshold scheme for different access clusters based on vector space is proved to satisfy the requirement of reconstruction and security feature as a perfect secret sharing scheme.
    Multi-element based on proxy re-encryption scheme for mobile cloud computing
    2015, 36(11):  73-79.  doi:10.11959/j.issn.1000-436x.2015217
    Asbtract ( 522 )   PDF (1985KB) ( 802 )   Knowledge map   
    Related Articles | Metrics
    The integration of the cloud and mobile computing make users obtain the data and the service more conveniently and efficiently. However, because of the openness of cloud platform and mobile communication network, how to implement the security access and usage of data for mobile cloud computing has to be solved urgently now. An multi-element access control condition based on proxy re-encryption scheme for the security requirement of mobile cloud computing was proposed, which was consisted of system model, algorithm and the description of re-encryption keys. In this scheme, data center in cloud obtained the objective access control condition of users based on their access request, and generated the corresponding re-encryption cipher for the users. The private key of the users could be used to decrypt the cipher. The scheme has achieved the target of multi-element proxy re-encryption without increasing the amount of users' private keys in mobile cloud computing.
    Multiuser and multiple-replica provable data possession scheme based on multi-branch authentication tree
    2015, 36(11):  80-91.  doi:10.11959/j.issn.1000-436x.2015234
    Asbtract ( 406 )   PDF (2359KB) ( 429 )   Knowledge map   
    Related Articles | Metrics
    It was a challenging problem that how to accomplish the integrity verification for the data of multi-user and multiple-replica efficiently and dynamically in cloud storage environment. Based on the properties of signature scheme of bilinear algebraic maps and multi-branch authentication tree, a novel multi-user and multiple-replica provable data possession scheme was presented. In this scheme, the cipher-text was processed by the random mask technology to guarantee data privacy, and the block tag authentication efficiency has been improved and the data operation can be updated dynamically by manipulating the multi-branch authentication tree. Moreover, in order to reduce the computational overhead effectively the batch auditing tasks for the data of multi-user and multiple-replica simultaneously under the help of the third party auditor is introduced. Finally, analysis shows that proposed scheme has provably security and efficiency.
    New user revocation approach based on intermediate agency for cloud data access control
    2015, 36(11):  92-101.  doi:10.11959/j.issn.1000-436x.2015235
    Asbtract ( 376 )   PDF (1866KB) ( 682 )   Knowledge map   
    Related Articles | Metrics
    Attribute-based encryption mechanism was a significant approach for data fine-grained access control in cloud in which the user revocation was the most crucial aspect of the access control. However, the existing user revocation schemes either encrypt the symmetric key or the original data, so keeping the balance between security and efficiency was difficult. In order to solve the security and efficiency problems that user revocation brought in the fine-grained access control, a new user revocation approach based on intermediate agency was proposed. In this approach, a intermediate agency to process original cipher text was employed, then the decryption should be finished by users. Because the user couldnot decrypt the cipher text alone, encrypting data after user revocation was required. Theoretical analysis and experimental results show that in the fine-grained access control environment proposed approach can achieve security and efficiency in user revocation compared with the existing schemes.
    Security protection mechanism of virtual machine computing environment under the cloud computing
    2015, 36(11):  102-107.  doi:10.11959/j.issn.1000-436x.2015236
    Asbtract ( 427 )   PDF (1215KB) ( 747 )   Knowledge map   
    Related Articles | Metrics
    A protection mechanism for the computing environment of virtual machine was proposed, this scheme combined inside and outside monitoring mechanism to measure and monitor the computing environment of virtual machines, and it could continually and dynamically monitor and measure the virtual machines. This scheme could also use the feedback control mechanism to ensure the security of the virtual machines computing environment and enhance the dynamic adaptability of virtual machines. Comparing with the existing virtual machine security mechanisms, proposed scheme fully considers the computational loss of the cloud virtual machines, which has a high security and efficiency, and it is suitable for the virtual computing environment.
    Novel cloud data assured deletion approach based on ciphertext sample slice
    2015, 36(11):  108-117.  doi:10.11959/j.issn.1000-436x.2015237
    Asbtract ( 419 )   PDF (842KB) ( 943 )   Knowledge map   
    Related Articles | Metrics
    The technique named assured deletion was namely that the expired or backup data was reliably deleted and remain permanently unrecoverable and inaccessible by any party. However, the previous schemes only deleted the key while the cipher text still maintains entirely. Once the key was compromised, it would be a great threat to the privacy of sensitive data. Therefore, it cannot satisfy the real sense of assured deletion. Aiming at the above problems, a new scheme based on cipher text sample slice named ADCSS was proposed. The scheme can ensure that the cloud server only store the incomplete data by means of cipher text sample slice, which contributes to the top confidentiality of outsourced data even the key is obtained by accident or by malicious attacks. Moreover, the goal of assured deletion can be achieved by destroying the exact cipher text. Theoretical analysis and experimental results show that the proposed scheme can meet the requirement of the assured deletion of sensitive data on cloud storage. Moreover, the scheme performs higher security than the existing ones with low performance overhead.
    Network Security
    Adaptive AP clustering algorithm and its application on intrusion detection
    2015, 36(11):  118-126.  doi:10.11959/j.issn.1000-436x.2015242
    Asbtract ( 410 )   PDF (513KB) ( 942 )   Knowledge map   
    Related Articles | Metrics
    The massive traffic of network data flow deteriorates the real-time performance for intrusion detection system, therefore compressing the train data can speed up the efficiency on unknown sample classification. As to improve the speed of data compressing and clustering on large volume of dataset, an improved adaptive affinity propagation method is proposed. The samples closer to the cluster center are directly linked to the center without clustering, which can sharply reduce the final cluster amounts as well as the full cost of clustering. Then the clustering parameters can be continuously adjusted depending on the cluster associations to refine the clustering result. Application analysis results on two datasets of intrusion detection demonstrate that the proposed method can identify the representative samples from the initial large amount of data, and speed up the efficiency of detection without reducing the model accuracy.
    Yaksha scheme based content publish/subscribe system for NDN
    2015, 36(11):  127-135.  doi:10.11959/j.issn.1000-436x.2015251
    Asbtract ( 375 )   PDF (1444KB) ( 314 )   Knowledge map   
    Related Articles | Metrics
    It is allowed that data of content producer can be cached anywhere in NDN (named data networking). This scheme decoupling of data from the source makes traditional end-end authentication transmission unavailable in NDN. Existing solutions of content delivery rely on CDN (content delivery network) or require that data source is always on- line. However, these requirements are not fit for mobile ad hoc networks (MANET). A new Yaksha system is developed based on ElGamal. And then based on this new Yaksha scheme a content publish/subscribe system for NDN MANET is proposed which is called EY-CPS. In EY-CPS, Yaksha server distributes and manages the encrypted/decrypted key for content transmitted on network. So, even if in two cases that there is no CDN or data source is offline, it is also allowed that content consumer accesses content cached on network in new scheme. In addition, it is guaranteed that only legitimate users can publish and access content, because Yaksha server distributes “license” only to legitimate user. The license is used for verifying user identity before publishing content to the network or attaining content from the network. Finally, security properties of EY-CPS in LS2 is proved and comparison analysis is made between proposed solution and related solutions.
    Research on network anomaly detection based on one-class SVM and active learning
    2015, 36(11):  136-146.  doi:10.11959/j.issn.1000-436x.2015252
    Asbtract ( 728 )   PDF (1110KB) ( 804 )   Knowledge map   
    Related Articles | Metrics
    A network anomaly detection method based on one-class SVM and active learning was presented. Firstly, the original instances were used to trained an one-class SVM model in unsupervised manner. Then the instances which can improve the performance mostly were found by active learning strategy. Finally, the classify model was retrained in semi-supervised manner with both labeled and unlabeled data. The experiment results demonstrate that the presented method can improve performance with a small amount of labeled data and reduce the cost of labeling through active learning. It is more feasible to be used in real network environment.
    Message combined with instruction analysis for network protocol’s abnormal behavior
    2015, 36(11):  147-155.  doi:10.11959/j.issn.1000-436x.2015256
    Asbtract ( 357 )   PDF (1682KB) ( 476 )   Knowledge map   
    Related Articles | Metrics
    Pay close attention to the protocol’s abnormal behavior, and takes the message raw data and the protocol binary code both as the analysis objects. The proposed method uses dynamic taint analysis combined with static analysis, firstly monitor and analyze the process of protocol program parses the message in our developed virtual platform Abnormal Disc prototype system, and record the protocol’s public behavior; then based on the proposed abnormal behavior perception and mining algorithm, static analyze the protocol’s abnormal behavior trigger conditions and abnormal behavior instruction sequences. Finally, generate the new protocol messages with the sensitive information according to the abnormal behavior trigger conditions, and dynamic trigger the abnormal behaviors execute. Abnormal Disc prototype system can perceive, trigger and analyze the protocol’s abnormal behaviors. According to the statistical analysis results, the evaluation method of protocol execution security was proposed. The experimental results show that the method can accurately mine the protocol’s abnormal behavior, and evaluate the protocol’s execution security.
    Parallel detection algorithm on long duration data streaming
    2015, 36(11):  156-166.  doi:10.11959/j.issn.1000-436x.2015268
    Asbtract ( 438 )   PDF (942KB) ( 642 )   Knowledge map   
    Related Articles | Metrics
    Parallel data streaming algorithm was proposed according to the weak real-time performance, low detection precision and estimation accuracy for detection of long duration flow. The different threads access the shared data structure in the parallel algorithm of long duration flow detection based on shared data structure, but it generates excessive synchronous overhead. On the basis of the analytical result on the parallel algorithm of long duration flow detection with shared data structure, the different threads own local data structure in the parallel algorithm of long duration flow detection based on independent data structure, where it doesn’t need synchronization and generates minor overhead. Theoretical analysis and experimental results show that the parallel algorithm of long duration flow detection based on independent data structure has good time efficiency, high detection precision and estimation accuracy of long duration flow.
    Research on distributed genetic k-means for anomaly detection in MANET
    2015, 36(11):  167-173.  doi:10.11959/j.issn.1000-436x.2015269
    Asbtract ( 407 )   PDF (543KB) ( 502 )   Knowledge map   
    Related Articles | Metrics
    Aiming at the diversity and the large amount of monitoring data of MANET (mobile ad hoc networks), an anomaly detection method in MANET based on improved k-means algorithm was proposed. By introducing the classification the contribution degree, the weight of each dimension can be calculated reasonably, and genetic algorithm and k-means were combined to prevent the results of clustering from getting in local optimization. Then, the detection method under the framework of MapReduce was put forward, and parallel clustering was achieved by using population migration strategy . The experimental results show that the detection accuracy and efficiency of the proposed method are better than the traditional ones.
    Analysis and improvement of an identity-based signcryption
    2015, 36(11):  174-179.  doi:10.11959/j.issn.1000-436x.2015271
    Asbtract ( 395 )   PDF (1240KB) ( 537 )   Knowledge map   
    Related Articles | Metrics
    Identity-based signcryption was a cryptography scheme with low computation cost and simple key management, which was suitable to guarantee the confidentiality and authentication of information. Zhang, et al proposed an efficient identity-based signcryption scheme, and provided security provement in the random oracle model. Through analysis, it was found out that Zhang’s signcryption scheme was imperfect. To avoid the defect, a new identity-based signcryption scheme was proposed, whose security was proved in the random orcale model. Both the theoretical analysis and the experimental results show that proposed scheme is efficient and suitable for practical application.
    Trust-aware secure virtual network embedding algorithm
    2015, 36(11):  180-189.  doi:10.11959/j.issn.1000-436x.2015272
    Asbtract ( 420 )   PDF (1101KB) ( 1029 )   Knowledge map   
    Related Articles | Metrics
    Against the new security threats brought by the network virtualization technology, the concepts of trust relationship and trust degree were introduced into the virtual network resource allocation phase. Security issues in the network virtualization environment were quantitative analyzed. A mathematical model of the secure virtual network embedding problem was modeled in order to reduce the cost. The local and global importance of network nodes were considered in the mapping phase. The network nodes were ranked by TOPSIS method, and a trust-aware virtual network embedding heuristic algorithm was proposed. Simulation results show that the proposed algorithm performs better in acceptance ratio, revenue and resource utilization.
    Towards session identification using principal behavior for multi-party secure protocol
    2015, 36(11):  190-200.  doi:10.11959/j.issn.1000-436x.2015273
    Asbtract ( 355 )   PDF (1300KB) ( 507 )   Knowledge map   
    Related Articles | Metrics
    Aiming at the problem of session identification for muti-party secure protocol, three characters were presented, i.e., neighboring-host-behavior(NHB), host-role-behavior(HRB) and principal-message-behavior (PMB), to explore the correlation among multiple flows employed in a same session. Then a session identification approach was proposed using these features. Finally, the approach was evaluated on three classical multi-party secure protocols in three scenes. The experimental results indicate the identification precision is above 90%, and the false negatives rate and false positives rate are below 6%.
    RMPCM: network-wide anomaly detection method based on robust multivariate probabilistic calibration model
    2015, 36(11):  201-212.  doi:10.11959/j.issn.1000-436x.2015274
    Asbtract ( 434 )   PDF (3031KB) ( 655 )   Knowledge map   
    Related Articles | Metrics
    Anomaly detection algorithm based on robust multivariate probabilistic calibration model was proposed. This algorithm established normal status model of traffic flow matrix based on the latent variable probability model of multivariate t-distribution. The algorithm implemented network anomaly detection by comparing Mahalanobis distance between samples and normal status model. Theoretical analysis and experiments demonstrate its robustness and wide application. The algorithm is applicable when dealing with both data integrity and loss. It also has a stronger resistance over noise interference and lower sensitivity on model parameters, all of which indicate its performance stability.
Copyright Information
Authorized by: China Association for Science and Technology
Sponsored by: China Institute of Communications
Editor-in-Chief: Zhang Ping
Associate Editor-in-Chief:
Zhang Yanchuan, Ma Jianfeng, Yang Zhen, Shen Lianfeng, Tao Xiaofeng, Liu Hualu
Editorial Director: Wu Nada, Zhao Li
Address: F2, Beiyang Chenguang Building, Shunbatiao No.1 Courtyard, Fengtai District, Beijing, China
Post: 100079
Tel: 010-53933889、53878169、
53859522、010-53878236
Email: xuebao@ptpress.com.cn
Email: txxb@bjxintong.com.cn
ISSN 1000-436X
CN 11-2102/TN
Links
More...
Visited
Total visitors:
Visitors of today:
Now online:
Copyright of website © 2021 Journal on Communications
Address: F2, Beiyang Chenguang Building, Shunbatiao No.1 Courtyard, Fengtai District, Beijing, China   Post: 100079
Tel: 010-53933889、53878169、53859522、53878236   Email: xuebao@ptpress.com.cn; txxb@bjxintong.com.cn