Currently Large Language Model (LLM) has achieved remarkable results in the fields of text generation, machine translation and sentiment analysis. In order to protect the model dataset and parameter copyrights, prevent unauthorized copying and use, and verify the authenticity of messages, watermarking techniques are needed to ensure the security and trustworthiness of LLM. According to the different points in time when LLM operates, this paper categorized the current watermarking techniques into three types, watermarks embedded in model training, watermarks inserted in the inference phase and additional watermarks after text generation. For the robustness, confidentiality and effectiveness needs of watermarking, this paper also organized the evaluation metrics of watermarking techniques and reviewed the existing anti-watermarking attacks. This paper provides a comprehensive overview of LLM watermarking techniques with the aim of further promoting their development and application.

With the popularization of the Internet and the increasing threat to network security, the analysis and detection of abnormal characteristics of network traffic have become an important research topic in the field of network security. The article mainly studied the methods of abnormal analysis and detection of network traffic characteristics in recent years. Firstly, the basic concepts and types of network traffic abnormality analysis were introduced. Secondly, the current main anomaly detection technologies were discussed in details, including methods based on statistics, information theory, graph theory, machine learning, and deep learning. Then, common network traffic anomaly detection methods were compared. Finally, the challenges of current research and future development directions were discussed.

This paper conducted an in-depth study on provable security theory, sequential aggregate signature algorithms and aggregate signature technology. By improved the existing provably secure sequential aggregate signature algorithm based on the ISRSAC-PSS scheme, introduced a "block-type" concept and design a block sequential aggregate sig-nature algorithm based on ISRSAC-PSS. The analysis demonstrates that, under the hardness assumption of the large integer factorization problem, the proposed algorithm is provably secure in the random oracle model. Computational analysis reveals that with reasonable grouping strategies, the algorithm not only enhances efficiency but also reduces application overhead.

To address the issues of low prediction accuracy and missing metric collection in current network security situation forecasting, this paper proposed an improved iTransformer model based on fast Fourier transformation. The model utilized the iTransformer architecture to perform dimensional reversal embedding on time series data. By applying fast Fourier transform, the one-dimensional time series was transformed into two-dimensional space, where intra-period neighboring features and inter-period non-neighboring features were mapped to rows and columns of two-dimensional tensors. The model first inputs intra-period features into the encoder to use the attention mechanism to learn local features within the period, which effectively captured dynamic correlations among network security indicators (such as the relationship between the number of information security vulnerabilities and infected hosts). Next, the intra-period tensor output by the encoder was fused into the two-dimensional form and passed into the convolutional module to further extract two-dimensional features, which captured global features across periods. Finally, adaptive aggregation was performed based on the relative importance of the periods reflected by the amplitude. The experimental results show that the model achieves an imputation fitting degree of 0.879 with a 10% missing rate, and a prediction fitting degree of 0.995378, outperforming most existing models. It can accurately impute missing values for network security situation indicators and predict situation values.

As our cyber security capabilities are gradually improving, the number and complexity of network attacks are also gradually increasing, and cyber attack detection technology are facing greater challenges. To improve the accuracy of cyber attack detection, this article proposed a cyber attack detection model HaoResNet based on residual convolutional neural network and tested the HaoResNet model on the USTC-TFC2016 dataset. First, HaoResNet model converted the pcap traffic file into a grayscale image, and then performed 2-classification, 10-classification, and 20-classification experiments on normal and malicious traffic. The experimental results demonstrate that HaoResNet achieves 100% accuracy on the 2-classification task, 99% accuracy on the normal traffic 10-classifier task, 98% accuracy on the malicious traffic 10- classification task, and 98% accuracy on the 20-classification task. Compared with existing models, HaoResNet achieves the higher detection precision on the 2- classification task.

Neural distinguishers have good generalisation ability as well as powerful learning ability, but there is still a lack of perfect and universal neural network distinguishing model. In order to increase the accuracy of the neural distinguishers of Simon32/64 and Simeck32/64, increase the generalizability of the neural differential distinguishers, this paper proposed three improvement directions. First, multiple ciphertext pairs were used as inputs to the Simon32/64 and Simeck32/64 neural distinguishers, and the Inception network module was added to the neural network model to improve the overfitting phenomenon. Then, added Simon32/64 and Simeck32/64 penultimate round difference information to the multi-ciphertext pair input samples, constructed the netural distinguishers of 7 to 10 rounds of Simon32/64 and 7 to 11 rounds of Simeck32/64. Finelly, multiple ciphertext pairs were combined with polyhedral difference, constructed polyhedral differential distinguishers for Simon32/64 and Simeck32/64. The accuracy of the polyhedral neural distinguishers were improved. The experimental results show that the new polyhedral netural distinguishers of 8-round of Simon32/64 reach the accuracy of 99.54% and 8-round of Simeck32/64 reach the accuracy of 99.67%. In addition, the improved netural distinguishers of the 10-round of Simon32/64 and Simeck32/64 are applied to the final round of key recovery attacks of 12-round of Simon32/64 and Simeck32/64, the success rate of the attacks respectively reaches 86% and 97% in 100 attack experiments.

This paper addressed the evaluation of the security of a lightweight stream cipher algorithm based on a time-varying mutually coupled dual chaotic system, which was crucial for securing data in resource-constrained environments such as the Internet of things and mobile communications. The article selected the mixed integer linear programming method as an analytical tool to construct a mathematical model of the algorithm, and revealed the maximum linear correlation coefficients of the algorithm under different modes of operation, ranging from 2^-54 to 2^-26, by optimally solving the model. This finding suggests that the algorithm is vulnerable in terms of correlation, and an attacker may be able to crack the algorithm by exhaustively enumerating up to 110 bits of the initial key, which is much less complex than the complexity of exhaustively enumerating its 128-bit initial key. This paper not only provides a quantitative assessment of the security of this algorithm, but also emphasizes the importance of correlation analysis in cryptographic design and the effectiveness of the mixed integer linear programming technique in the security assessment of cryptographic algorithms. Overall, the research in this paper is of great theoretical and practical significance in advancing the security analysis and design of lightweight cryptographic algorithms, and provides strong theoretical support for data security in resource-constrained environments.

Webshell, as a covert and harmful web backdoor, has drawn significant attention in the field of cybersecurity. Code obfuscation techniques in Webshells significantly reduce the effectiveness of traditional detection methods, furthermore, many traditional detection models fail to efficiently handle large scale data. Therefore, this paper proposed a method for Webshell detection, BAT-SRU, which combined BERT word embeddings, a bidirectional SRU network, and a self-attention mechanism. This method extracted code features through abstract syntax trees, combined sample de-obfuscation and dangerous function statistics to enhanced feature quality, and used the BAT-SRU model for detection. Existing methods, such as detection based on Word2Vec and bidirectional GRU, classification using opcode sequences and random forest, and AST-based feature extraction with Text-CNN, suffer from insufficient feature representation and poor adaptability to highly obfuscated code. Compared to the aforementioned methods, BAT-SRU demonstrates superior performance in detecting PHP Webshells, achieving an accuracy of 99.68%, precision of 99.13%, recall of 99.22%, and an F1 score of 99.18%. Additionally, when compare to RNN and its variant models, BAT-SRU reduces training time by 23.47% and inference time by 40.14%.

With the rapid development of the Internet and mobile Internet technologies, more and more people are eager to obtain information and express their views and opinions on social networks. However, in recent years, social networks have been flooded with an increasing amount of offensive language and other undesirable comments, leading to the proliferation of online violence. Currently, research on offensive language detection is mostly concentrated in the English language field, with few studies focused on offensive language detection in Chinese. To address this issue, this thesis collected a large amount of tweet data from the Sina Weibo platform and annotated the data according to established rules to construct a Chinese offensive language dataset. Then, statistical features, including sentiment features, content features, and communication features, were extracted. Finally, a multi-task learning-based offensive language detection model was constructed. The auxiliary task of sentiment analysis was introduced to improve the detection performance of the model by leveraging the high correlation between the two tasks. Experimental results show that the model proposed in this thesis outperforms other commonly used detection methods for offensive language detection. The research provides methods and ideas for future offensive language detection on social networks.

Software-defined Networking achieves centralization, programmability, and flexibility by separating the control plane and data plane. However, the network architecture faces new attack threats. Timeout sniffing against SDN switches is one of the main security threats. The existing timeout sniffing methods ignore the impact of the maximum timeout value, the generation time of sniffing packets, and the relationship between timeouts on sniffing timeouts, resulting in problems such as sniffing failed, timeout type recognition error, and low timeout sniffing accuracy. In order to solve the above problems, this paper proposed a OpenFlow switch timeout flow entry timeout mechanism sniffing method based on the detection interval change-TIMIC. The method first obtained a timeout value by adjusting the sending interval of the sniffing packet and then determined the specific timeout mechanism and more accurate timeout value through the timeout value. The experimental results show that TIMIC can successfully detect timeout types and values under different timeout mechanisms, and the detected timeout values can maintain a small sniffing error. Under the universal timeout setting, TIMIC sends fewer timeout sniffing packets and has lower sniffing costs.

With the development of cloud service technology, more and more applications are migrated to the cloud in the form of containers, and the security monitoring of containers has become a research hotspot. Containers have the advantages of being lightweight, fast to deploy, and easy to transplant. However, their weak isolation makes them face many security problems: container escape attacks, container image poisoning, kernel vulnerability exploitation, etc. In response to these attack threats, this article used eBPF system monitoring technology, combined with BMC root of trust, image static analysis, general policy engine, and runtime proof, to propose a container runtime security monitoring solution. The monitoring program implemented based on eBPF in the solution can identify and monitor container behavior events such as processes, capabilities, files, and networks. The solution designed a fine-grained container security policy, combined the container system call whitelist obtained by static analysis of container images, detected abnormal container behavior, and protected container security from multiple dimensions. The solution also designed and implemented a runtime attestation protocol based on the BMC root of trust. The TPM integrated in the BMC is used as the root of trust, and its attestation can effectively ensure the integrity and authenticity of the alarm log based on eBPF monitoring events. It has been proven that the monitoring server can monitor the security status of various types of containers over a long period of time and take corresponding countermeasures for abnormal security events.

The primary information security risks encountered by enterprises and organizations stem from internal threats, particularly malicious behaviors by internal personnel. These risks are inherently more covert and difficult to detect compared to external attacks. To improve the accuracy of detecting malicious behaviors by internal personnel, this study proposed an insider threat detection model based on the CNN-LSTM algorithm, utilizing user behavior log analysis. The model leveraged the publicly available CMU CERT R4.2 insider threat dataset to construct sequences of user behavior features. In this model, a CNN layer was first employed to extract key features from user behavior data, followed by an LSTM layer to capture temporal dependencies and predict behavior patterns. Finally, a fully connected layer is used to determine whether the behavior constitutes a threat. Comparative experiments with CNN, LSTM, and LSTM-CNN models validate the feasibility and superior performance of the proposed model in detecting insider threats, achieving an AUC score of 0.99. The experimental results further demonstrate that the CNN-LSTM algorithm significantly reduces the false positive rate and achieves a detection accuracy of 98%, effectively identifying potential internal threats within organizations.