10 January 2025, Volume 25 Issue 1

Java Deserialization Vulnerability Mining Based on Fuzzing
WANG Juan, ZHANG Boxian, ZHANG Zhijie, XIE Haining, FU Jintao, WANG Yang
2025, 25 (1):  1-12.  doi: 10.3969/j.issn.1671-1122.2025.01.001

With the widespread adoption of deserialization technology in Java Web application development, attacks exploiting the Java deserialization mechanism have also increased significantly, posing severe threats to the security of Java Web applications. Current mainstream blacklisting defense mechanisms cannot defend against unknown deserialization vulnerabilities, and most existing Java deserialization vulnerability mining tools have low accuracy as they rely on static analysis. This paper proposed a Java deserialization vulnerability mining tool based on fuzzing called DSM-Fuzz. Firstly, DSM-Fuzz performed bidirectional taint analysis on bytecode to extract potential deserialization-related function call chains. Then a TrustRank algorithm-based strategy was used to evaluate relevance between functions and call chains, and energy was allocated to seeds accordingly. To optimize syntax and semantics of test cases, this paper designed and implemented a seed mutation algorithm based on deserialization features, utilizing internal Java object information to guide the fuzzing strategy to break through vulnerability call chain paths. Experiments show that DSM-Fuzz achieves 90% higher vulnerability code coverage with 50% more detected vulnerabilities in several Java libraries, outperforming other tools. Thus, it can effectively facilitate Java deserialization vulnerability detection.

PUF-Based Smart Terminal Authentication Protocol for Power Internet of Things
YUAN Zheng, ZHANG Yuefei, FENG Xiao, QIAO Yaxin
2025, 25 (1):  13-26.  doi: 10.3969/j.issn.1671-1122.2025.01.002

The power system is gradually transforming towards intelligence and digitalization. More and more terminal devices are interconnected and share data through Internet of Things technology. However, due to the characteristics of device diversity, resource constraints, complex communication environment, wide physical distribution, and high real-time requirements, its security verification faces severe challenges in password cracking, counterfeit attacks, and complexity. In order to cope with the authentication security challenges of power Internet of Things smart terminals in communication, PUF technology was introduced and an extended CRP structure was designed. A power Internet of Things smart terminal authentication protocol based on physical unclonable function (PUF) was proposed. Simulation experiments are carried out using the ProVerif and Tamarin tools, which prove that the protocol can effectively resist common attacks such as man-in-the-middle attacks and counterfeit attacks. Protocol features such as being lightweight and two-way authentication are theoretically analyzed and compared with similar schemes. The results show that the scheme has significant advantages in many aspects. This study provides an innovative and efficient solution for the security authentication of power Internet of Things smart terminals. It not only makes up for the shortcomings of traditional authentication schemes, but also provides a more secure and reliable technical foundation for future power Internet of Things systems, which helps to improve the overall security level and operation efficiency of the power system.

The Three-Party Semi-Quantum Key Agreement Protocol Based on Logical $\chi $-States
HE Yefeng, CAI Mingyue, LIANG Xiyuan
2025, 25 (1):  27-35.  doi: 10.3969/j.issn.1671-1122.2025.01.003

The semi-quantum key agreement protocol is suitable for scenarios where participants have limited capabilities or cannot afford expensive equipment, making it more aligned with practical requirements than quantum key agreement. However, current research on three-party semi-quantum key agreement protocols is limited, and they commonly suffer from the issue of low efficiency. To solve this problem, the paper proposed a three-party semi-quantum key agreement which is based on the logical six-qubit $\chi $-state. The protocol leverages the entanglement properties of the logical six-qubit $\chi $-state, achieving fair key agreement between two semi-quantum parties and one fully quantum party through straightforward unitary operations and particle measurements, without the need for a trusted third party. The protocol not only enhances quantum bit efficiency but also possesses the capability to resist participant and external attacks.

Research on Redactable Blockchain Scheme Based on the Chinese Remainder Theorem
WANG Yong, WU Yifan, WAN Qiancheng
2025, 25 (1):  36-47.  doi: 10.3969/j.issn.1671-1122.2025.01.004

As blockchain and smart contracts evolve, the demand for updatability of data and contracts has become increasingly prominent. To achieve data modification without compromising the security, coherence, and integrity of the blockchain, the concept of redactable blockchain has been proposed, with the chameleon hash algorithm serving as a key method for editing block data. This paper presented a redactable blockchain scheme based on the Chinese remainder theorem. The scheme designed a chameleon hash algorithm using decentralized weighted key generation, utilizing threshold and weighted secret sharing and multi-party computation to ensure the security and invisibility of the keys. Additionally, by eliminating trusted central authorities and secret distributors, it prevented single points of failure and malicious behavior. Furthermore, the scheme employed group signature technology with privacy protection to verify and trace editors, ensuring the anonymity and reliability of the redactable blockchain without actively revealing the identities of the signers. This paper conducts a security analysis and experimental evaluation of the proposed scheme, comparing it with existing redactable blockchain solutions. The results indicate that this scheme enhances security while maintaining high efficiency.

Certificate-Based Locally Verifiable Aggregate Signature Scheme in VANETs
XIA Zhe, XIA Xuezhi, LYU Wenjie, ZHANG Mingwu
2025, 25 (1):  48-62.  doi: 10.3969/j.issn.1671-1122.2025.01.005

The Vehicular Ad-hoc Network (VANET), as an important bridge for real-time communication and information exchange between vehicles and the external world, can enhance traffic safety, optimize traffic efficiency, and improve the quality of public services. It plays a crucial role in the development of intelligent transportation systems and future smart cities. With the widespread adoption of vehicle networks, communication security issues such as identity anonymity, message authentication, and location privacy have received widespread attention. This paper proposed a certificate-based locally verifiable aggregate signature privacy protection authentication scheme for vehicle-to-infrastructure (V2I) communication in vehicle networks. Compared to traditional identity-based aggregate signature schemes, the proposed solution not only addressed the key escrow problem of traditional identity-based signature schemes but also balanced the conflict between authority supervision and user privacy. In terms of data verification, it achieved batch verification of vehicle data and effective local verification, allowing the correctness of specific data blocks to be verified without the need to know the entire message sequence, reducing overhead.

Research on Federated Learning Adaptive Differential Privacy Method Based on Heterogeneous Data
XU Ruzhi, TONG Yumeng, DAI Lipeng
2025, 25 (1):  63-77.  doi: 10.3969/j.issn.1671-1122.2025.01.006

In federated learning, the need for a large amount of parameter exchange may lead to security threats from untrusted participating devices. In order to protect training data and model parameters, effective privacy protection measures must be taken. Given the imbalanced nature of heterogeneous data, this paper proposed an adaptive differential privacy method to protect the security of federated learning based on heterogeneous data. Firstly, different initial privacy budgets were set for different clients, and Gaussian noise was added to the gradient parameters of the local model. Secondly, during the training process, the privacy budget of each client was dynamically adjusted based on the loss function value of each iteration to accelerate convergence speed. Then, a trusted central node was set up to randomly exchange the parameters of each layer of local models from different clients, and the obfuscated local model parameters were uploaded to the central server for aggregation. Finally, the central server aggregated the obfuscated parameters uploaded by trusted central nodes, added appropriate noise to the global model based on a pre-set global privacy budget threshold, and performed privacy correction to achieve server-level privacy protection. The experimental results show that under the same heterogeneous data conditions, compared to ordinary differential privacy methods, the adaptive differential privacy method proposed in this paper has faster convergence speed and better model performance.

A Novel Distributed Large-Scale Traffic Cleaning Scheme against DDoS Attacks
GAO Hancheng, HUANG Haiping
2025, 25 (1):  78-87.  doi: 10.3969/j.issn.1671-1122.2025.01.007

Cybersecurity threats of increasing severity, especially Distributed Denial of Service (DDoS) attacks, pose significant challenges to network stability and business continuity. This paper proposed a novel distributed large-scale traffic cleaning solution aimed at effectively combating DDoS attacks. The scheme utilized real-time port traffic mirroring technology and deep packet detection technology to rapidly identify and cleanse malicious traffic. Furthermore, by directly cleansing attack traffic on network edge devices, it prevented bandwidth waste and network congestion. Experiments were conducted by simulating normal and malicious traffic and applying the proposed scheme for traffic monitoring and cleansing. The results demonstrate that the scheme can significantly enhance the interception and cleansing efficiency of DDoS attack traffic, holding substantial practical application value and theoretical significance.

An E-Voting Protocol Based on Multi-Key Homomorphic Encryption
ZHANG Yang, WEI Rong, YOU Qidi, JIANG Xiaotong
2025, 25 (1):  88-97.  doi: 10.3969/j.issn.1671-1122.2025.01.008

The e-voting scheme receives more and more attention due to its efficiency and accuracy of results. However, its security has always been the bottleneck. This paper introduced an E-voting protocol that leveraged a multi-key homomorphic encryption algorithm without ciphertext expansion. The protocol enabled the verification of vote legitimacy and the counting of votes on encrypted data, culminating in the use of distributed decryption to announce the election outcomes. The multi-key homomorphic encryption algorithm without ciphertext expansion could ensure the anonymity and security of a voter’s identity and ballot throughout the full cycle. Also, each ballot has nothing to do with the number of participants, so the protocol guaranteed the validity of the E-voting protocol. Through theoretical proofs, this paper demonstrates that based on multi-key homomorphic encryption, the E-voting protocol encompasses various security features and correctness.

Smart Grid Data Security Sharing Model Based on Multi-Authority Attribute-Based Encryption
ZHANG Xinyou, LIU Qingfu, FENG Li, XING Huanlai
2025, 25 (1):  98-109.  doi: 10.3969/j.issn.1671-1122.2025.01.009

The smart grid transforms the potential value of data into actual benefits through sharing, so ensuring the security of data sharing is crucial. The article proposed a data security sharing model based on multi-authority attribute-based encryption (MA-ABE) for fine-grained access control of data in smart grid scenarios. The article used the linear integer secret sharing scheme (LSSS) to construct the MA-ABE scheme, which enabled one attribute to be monitored by multiple authorities, and multiple authorities to jointly generate user private keys, making the scheme resistant to collusion attacks against attribute authorities (AA). Each authority was associated with a blockchain, and relay technology was utilized to achieve multi-chain collaboration, ensuring flexibility in cross-domain data sharing. It has been proven through security protocols that the proposed MA-ABE scheme satisfies indistinguishability under chosen plaintext attacks based on the decisional bilinear Diffie-Hellman assumption. The article demonstrates through theoretical analysis and comparative experiments that the proposed MA-ABE scheme has certain advantages in storage, computation, and functionality. The simulation results show that the throughput and latency of the model meet the requirements of smart grid data sharing, and that the model can be applied to fine-grained access control of the smart grid while ensuring the performance of smart grid data sharing.

Resource Adaptive Scaling Method for Real-Time Processing of High-Speed Network Streaming
KANG Shicai, CHEN Liangguo, CHEN Xingshu
2025, 25 (1):  110-123.  doi: 10.3969/j.issn.1671-1122.2025.01.010

In stream processing, static resource allocation struggles to cope with real-time changes and sudden streaming data loads, so elasticity mechanisms need to be introduced. However, when determining the elastic scaling timing and scaling strategy, if the balance between the cost and benefit of scaling is not fully considered, frequent resource adjustments will be triggered, resulting in the system becoming unstable or less efficient instead. To solve this problem, this paper proposed a resource adaptive scaling algorithm, which determined the direction and scale of resource scaling by analyzing the scale of streaming data load and resource usage. At the same time, the algorithm proposed a maximum average processing throughput method, which took the processing throughput before and after the scaling operation as a quantitative index to evaluate the overhead and benefit brought by resource scaling, optimizing the scaling strategy and avoiding unnecessary frequent adjustment of resources. Based on this algorithm, this paper designed a network flow elasticity processing framework, which realized the flexible expansion of the framework and the dynamic adjustment of resources. The framework is tested in different network bandwidth scenarios, and the experimental results show that the algorithm can effectively weigh the overhead and benefit and accurately realize the resource scaling. After applying the algorithm, the resource utilization of the framework is effectively increased by more than 40%, which satisfies the performance requirements of high-speed network stream processing.

A Method for Subtree Sequence Rule Mining-Based Dockerfile Misconfiguration Detection and Repair
WANG Jinshuang, ZHAO Ning, CUI Shuai
2025, 25 (1):  124-132.  doi: 10.3969/j.issn.1671-1122.2025.01.011

A Dockerfile is a text file used for building Docker container images. It includes a series of instructions and configurations that outline how to assemble a Docker container’s environment. Dockerfile misconfigurations can cause numerous performance and security issues. The existing rule-mining based detection and repair methods focus predominantly on associations within common commands, while neglecting dependencies between commands. These methods usually target high-frequency commands, but ignore patterns with low frequencies. In response to the above issues, a method for subtree sequence rule mining-based Dockerfile misconfiguration detection and repair was proposed. First, the Dockerfile was converted into an abstract syntax tree. This tree was broken down into ordered subtrees, which were serialized to form an intermediate representation. Second, the subtrees were grouped into clusters. A sequence rule mining algorithm was then applied to these clusters for rule extraction. Meanwhile, the left-hand side of the rules was constrained to the root node of the subtrees, focusing on target instructions and preventing the explosive growth of rule generation. Finally, the largest sequence rules were identified to synthesize common command combinations, and semantic rules were derived to serve as a guideline for Dockerfile violation detection and automatic repair. Experiments show that this method successfully extracts 31 semantic rules, including 12 rules that are previously unpublished. It improves the precision rate of violation detection by 10% and the success rate of repair by 5.6% compared to baseline methods.

A Hybrid System for Runtime Protection inside Java Application
JIANG Hao, LIU Chengjie, WEN Weiping
2025, 25 (1):  134-148.  doi: 10.3969/j.issn.1671-1122.2025.01.012

In recent years, Runtime Application Self-Protection (RASP) has emerged as an embedded defense mechanism widely used to detect and prevent common web application attacks, such as SQL injection, cross-site scripting (XSS), and Java deserialization attacks. However, existing RASP systems often rely on blacklist-based detection, which is prone to evasion and struggles against novel threats. This paper introduced a hybrid system, HP-RASP, which combined heuristic rules and deep learning models to provide adaptive security at runtime. Notably, it incorporated a BERT model into the RASP framework to analyze and detect SQL injection attacks, while employing stack monitoring and blacklist matching to defend against XSS and deserialization attacks. HP-RASP used Java instrumentation to dynamically insert monitoring logic into critical classes and methods, enabling real-time analysis of web requests. The system was evaluated on multiple open-source datasets and compared to the current mainstream RASP system, OpenRASP. Experimental results demonstrate significant improvements in detection accuracy, performance overhead, and robustness over existing approaches. For SQL injection, HP-RASP achieved an accuracy of 81.9%, 1.84 times higher than OpenRASP, with recall and F1 scores also notably surpassing OpenRASP. For XSS protection, HP-RASP achieved a 99.9% recall rate for both reflective and stored XSS attacks, and an 84.6% recall rate for deserialization attacks. HP-RASP also performed well in terms of response time and resource consumption, without significant increases in either metric.

Encrypted Traffic Classification Method Based on Optimal Transport and I-ELM
TAI Yingying, WEI Yuanyuan, ZHOU Hanxun, WANG Yan
2025, 25 (1):  148-158.  doi: 10.3969/j.issn.1671-1122.2025.01.013

To address data imbalance as well as high resource and time consumption in encrypted traffic classification, this paper proposed a fine-tuning model named CEFT (Comprehensive Enhanced Fine-Tuning). CEFT used ET-BERT as its pre-trained model and introduced an OT (Optimal Transport) module and an I-ELM (Improved Extreme Learning Machine) module on top of it. These additions not only enhanced classification performance but also improved training efficiency. In CEFT, encrypted traffic was first fed into the ET-BERT model for feature extraction. Then, an OT module was employed to measure the transport cost between the model’s predicted distribution and the true distribution. By adjusting weights to minimize this cost, the model achieved more accurate predictions across different categories, effectively mitigating the issue of data imbalance. Meanwhile, by incorporating the I-ELM module, CEFT enabled rapid weight updates, thereby reducing the lengthy gradient computation process and accelerating training, effectively addressing the problems of high resource and time consumption. Experiments show that CEFT achieves accuracies of 98.97% and 99.70% on the ISCX-VPN-Service and ISCX-VPN-App datasets, respectively, and significantly outperforms existing benchmark models in terms of precision, recall, and F1-score. On the ISCX-VPN-Service dataset, CEFT reduces training time by approximately 33.33%, and on the ISCX-VPN-App dataset, by about 35.37%, markedly shortening the training duration.

A Dynamic Malware Detection Method Based on Ensemble Learning
LIU Qiang, WANG Jian, WANG Yanan, WANG Shan
2025, 25 (1):  159-172.  doi: 10.3969/j.issn.1671-1122.2025.01.014

In the current network environment, constantly upgrading variants of malicious code pose significant challenges to network security. Although existing artificial intelligence models have shown significant effectiveness in detecting malicious code, there are still two undeniable shortcomings. Firstly, their generalization ability is poor. Although they perform well on training data, their performance is not ideal in actual testing due to the phenomenon of concept drift. Secondly, their robustness is poor and they are susceptible to attacks from adversarial samples. To solve the above problems, this paper proposed a dynamic detection method for malicious code based on ensemble learning. According to the different features of API sequences, a statistical feature analysis module, a semantic feature analysis module, and a structural feature analysis module were constructed. Each module performed targeted malicious code detection, and the analysis results of each module were finally integrated to obtain the final detection conclusion. The experimental results on the Speakeasy dataset show that compared with existing research methods, this method has significant advantages in various performance indicators and good robustness, and can effectively resist two adversarial attack methods against API sequences.
