Top Read Articles

    Published in last 1 year |  In last 2 years |  In last 3 years |  All
    Please wait a minute...
    For Selected: Toggle Thumbnails
    A Survey of Large Language Models in the Domain of Cybersecurity
    ZHANG Changlin, TONG Xin, TONG Hui, YANG Ying
    Netinfo Security    2024, 24 (5): 778-793.   DOI: 10.3969/j.issn.1671-1122.2024.05.011
    Abstract601)   HTML278)    PDF (20073KB)(445)      

    In recent years, with the rapid advancement of large language model technology, its application potential in various fields such as healthcare and law has become evident, simultaneously pointing to new directions for progress in the field of cybersecurity. This paper began by providing an overview of the foundational theories behind the design principles, training mechanisms, and core characteristics of large language models, offering the necessary background knowledge to readers. It then delved into the role of large language models in enhancing the capabilities to identify and respond to the growing threats online, detailing research progress in areas such as penetration testing, code security audit, social engineering attacks, and the assessment of professional cybersecurity knowledge. Finally, it analyzed the challenges related to security, cost, and interpretability of this technology, and looked forward to the future development direction.

    Table and Figures | Reference | Related Articles | Metrics
    Data Augmentation Method via Large Language Model for Relation Extraction in Cybersecurity
    LI Jiao, ZHANG Yuqing, WU Yabiao
    Netinfo Security    2024, 24 (10): 1477-1483.   DOI: 10.3969/j.issn.1671-1122.2024.10.001
    Abstract510)   HTML1829)    PDF (8545KB)(272)      

    Relationship extraction technology can be used for threat intelligence mining and analysis, providing crucial information support for network security defense. However, relationship extraction tasks in cybersecurity face the problem of dataset deficiency. In recent years, large language model has shown its superior text generation ability, providing powerful technical support for data augmentation tasks. In order to compensate for the shortcomings of traditional data augmentation methods in terms of accuracy and diversity, this paper proposed a data augmentation method via large language model for relation extraction in cybersecurity named MGDA. MGDA used large language model to enhance the original data from four granularities of words, phrases, grammar, and semantics in order to ensure accuracy while improving diversity. The experimental results show that the proposed data augmentation method in this paper effectively improves the effectiveness of relationship extraction tasks in cybersecurity and diversity of generated data.

    Table and Figures | Reference | Related Articles | Metrics
    Security Analysis of Cryptographic Application Code Generated by Large Language Model
    GUO Xiangxin, LIN Jingqiang, JIA Shijie, LI Guangzheng
    Netinfo Security    2024, 24 (6): 917-925.   DOI: 10.3969/j.issn.1671-1122.2024.06.009
    Abstract501)   HTML60)    PDF (19521KB)(234)      

    With the extensive application of large language model(LLM) in software development, the role in enhancing development efficiency has also introduced new security risks, particularly in the field of cryptography applications that demand high security. This paper proposed an open-source prompt dataset named LLMCryptoSE, containing 460 natural language description prompts of cryptographic scenarios. It aimed to assess the security of code generated by LLM for cryptographic applications. At the same time, through an in-depth analysis of code snippets generated by LLM, this paper primarily evaluated the misuse of cryptographic API, employing the methodology that combined the static analysis tool CryptoGuard with manual review to conduct a detailed evlatuation of 1380 code snippets. The assessment of three mainstream LLM, including ChatGPT 3.5, ERNIE 3.5, and Spark 3.5, revealed that 52.90% of the code snippets contained at least one instance of cryptographic misuse, with Spark 3.5 showing a relatively better performance with a misuse rate of 48.48%. Based on these findings, the study not only reveals the current challenges in cryptographic application security faced by LLM, but also offers a series of recommendations for LLM users and developers to enhance security. These are aims at providing practical guidance for improving the application of LLM in cryptographic fields.

    Table and Figures | Reference | Related Articles | Metrics
    Research of Privacy-Preserving Proximity Test
    LI Zengpeng, WANG Siyang, WANG Mei
    Netinfo Security    2024, 24 (6): 817-830.   DOI: 10.3969/j.issn.1671-1122.2024.06.001
    Abstract362)   HTML55)    PDF (27378KB)(147)      

    With the rapid development of emerging technologies such as mobile computing and the Internet of Things, location-based services (LBS) are playing an increasingly important role in people's daily lives. Many applications (e.g., mobile dating) use LBS to capture and collect the user's precise location, and perform proximity user discovery by performing distance calculations. However, while LBS brings convenience to users, it also exposes it to the risk of leaking private location information. At present, most LBS applications record the user's precise location in plaintext, which is easy to leak information such as the user's location and mobility patterns. In addition, most existing research efforts that can protect the user's private location data have some shortcomings, such as high communication overhead, long communication time, or a lack of computational security. Therefore, this paper proposed an efficient privacy-preserving proximity test solution to protect user's location privacy, and constructd a optimized privacy-preserving proximity test protocol for circles based on Brakerski/Fan-Vercauteren (B/FV) homomorphic encryption. Compared with the existing work, the proposed scheme used lattice-based encryption and had better communication performance. In addition, this paper implementd a prototype system based on B/FV homomorphic encryption, and gove the potential application in scenarios with high privacy protection requirements and low arithmetic speed limitations. The experimental results of the prototype system show that the proposed scheme has a broad practical application prospect in practical deployment applications.

    Table and Figures | Reference | Related Articles | Metrics
    Subversion Attacks and Countermeasures of SM9 Encryption
    OUYANG Mengdi, SUN Qinshuo, LI Fagen
    Netinfo Security    2024, 24 (6): 831-842.   DOI: 10.3969/j.issn.1671-1122.2024.06.002
    Abstract348)   HTML42)    PDF (13790KB)(210)      

    China’s independently developed identity-based encryption algorithm SM9 has been successfully selected as an ISO/IEC international standard. However, adversary can tamper components of cryptographic algorithms to undermine their security. During the initial design of SM9 encryption algorithm, such subversion attacks were not considered. Whether SM9 encryption algorithm is vulnerable to subversion attacks and how to resist subversion attacks is still an unknown issue. To answer the above question, this paper introduced a subversion attack model for identity-based encryption(IBE) and defined two properties: plaintext recoverability and undetectability. In addition, this paper implemented a subversion attack on SM9 encryption algorithm and found that an adversary could recover a plaintext with only two successive ciphertexts. Moreover, this paper proposed a subversion-resilient SM9 encryption(SR-SM9), and proved SR-SM9 was not only secure under the adaptive chosen identity and ciphertext attack(ID-IND-CCA2) but also was subversion-resilient. Finally, this paper implemented SR-SM9 based on gmalg library and Python language. Compared with SM9, SR-SM9 only adds 0.6% computation cost with no additional communication cost.

    Table and Figures | Reference | Related Articles | Metrics
    Review of Encrypted Network Traffic Anonymity and Systemic Defense Tactics
    WANG Qiang, LIU Yizhi, LI Tao, HE Xiaochuan
    Netinfo Security    2024, 24 (10): 1484-1492.   DOI: 10.3969/j.issn.1671-1122.2024.10.002
    Abstract345)   HTML1284)    PDF (12152KB)(730)      

    Advanced persistent threat (APT) attacks with complex organization, efficient planning and clear directivity are one of the main threats facing our country, and the trend of covert action and regular attack of APT organizations is becoming more and more obvious. In recent years, it has become more and more difficult for our country to master the main APT activities, which is not unrelated to the fact that APT organizations disappear their attacks into normal information services and network activities, and hide their attack traffic in normal communication traffic. The state in which this kind of highly concealed attack behavior is concealed is called dense state. How to detect dense state behavior and implement system confrontation is one of the bottleneck problems to be solved in the current cyber space defense. From the perspective of clarifying the mechanism of traffic transmission hiding technology for advanced attack activities in cyberspace, this paper puts forward a research framework and countermeasure capability evaluation index system of traffic dense disappearing countermeasure based on two dimensions of anonymous communication link construction and traffic characteristic behavior detection, and comprehensively expounds the relevant research progress, research methods and solutions in recent years. In order to explore the new development direction of dense state countermeasure capability in cyberspace.

    Table and Figures | Reference | Related Articles | Metrics
    Detection of DDoS Attacks in the Internet of Things Based on Artificial Intelligence
    YIN Jie, CHEN Pu, YANG Guinian, XIE Wenwei, LIANG Guangjun
    Netinfo Security    2024, 24 (11): 1615-1623.   DOI: 10.3969/j.issn.1671-1122.2024.11.001
    Abstract336)   HTML139)    PDF (10880KB)(223)      

    Aiming at the optimal solution for detecting IoT DDoS attacks, this paper used multiple algorithms to detect and model IoT DDoS attacks. This paper used kernel density estimation to screen out influential traffic feature fields. A DDoS attack detection model based on machine learning and deep learning algorithms was established. The feasibility of processing data sets and performing attack detection through reversible residual neural networks and large language models was analyzed. Experimental results show that the ResNet50 algorithm performs best in comprehensive indicators. In distinguishing DDoS attack traffic from other traffic issues, the gradient boosting algorithm performs better. In terms of segmenting DDoS attack types, the optimized ResNet50-GRU algorithm performs better.

    Table and Figures | Reference | Related Articles | Metrics
    Vulnerability Causation Analysis Based on Dynamic Execution Logging and Reverse Analysis
    SHEN Qintao, LIANG Ruigang, WANG Baolin, ZHANG Jingcheng, CHEN Kai
    Netinfo Security    2024, 24 (10): 1493-1505.   DOI: 10.3969/j.issn.1671-1122.2024.10.003
    Abstract301)   HTML611)    PDF (15702KB)(565)      

    Software vulnerabilities pose a great threat to software security, and there are numerous security incidents due to software vulnerabilities around the world every year. However, in the actual development process, due to the lack of security awareness of developers and the increasing complexity of code and business logic, it is difficult to avoid the existence of security vulnerabilities in software code. Aiming at the challenges of inaccurate error code positioning and inefficient analysis faced by the existing methods, this paper broke through the challenges of obtaining and reverse analysis of instruction runtime information and accurate positioning of error code, and proposed a method for locating the cause of program errors based on trace logs and reverse execution, which was capable of tracking the code execution flow of the program, recording the register state information and storage access state information of the instruction in the runtime state, and analyzing the pointer associated with the pointer that triggered the execution error. It can track the code execution flow of the program, record the register state information and storage access state information in the running state of the instruction, analyze the set of instructions that generate, use, and compute the pointer value associated with the pointer that triggers the execution error, and realize the efficient and accurate vulnerability cause analysis and localization.

    Table and Figures | Reference | Related Articles | Metrics
    Survey on Fuzzing Test in Deep Learning Frameworks
    ZHANG Zihan, LAI Qingnan, ZHOU Changling
    Netinfo Security    2024, 24 (10): 1528-1536.   DOI: 10.3969/j.issn.1671-1122.2024.10.006
    Abstract283)   HTML675)    PDF (11289KB)(92)      

    With the widespread application of deep learning technology in various fields, ensuring the security and stability of its frameworks has become crucial. This paper starts from the user’s perspective to analyze the types of vulnerabilities that different user groups may encounter and the corresponding fuzzing test methods. The article first introduced the development background and importance of deep learning frameworks, then discussed in detail the current state of testing research for model libraries, deep learning frameworks, and compilers, and reviewed key techniques such as model mutation, weight generation, sample construction, and model testing. Then the article analyzed the root cause of bug in PyTorch and MLIR. Finally, the article looked forward to future research directions, including error localization and automatic repair techniques, as well as fuzzing test enhanced by large language models.

    Table and Figures | Reference | Related Articles | Metrics
    Netinfo Security    2024, 24 (10): 0-0.  
    Abstract282)      PDF (1730KB)(165)      
    Related Articles | Metrics
    A Data-Free Personalized Federated Learning Algorithm Based on Knowledge Distillation
    CHEN Jing, ZHANG Jian
    Netinfo Security    2024, 24 (10): 1562-1569.   DOI: 10.3969/j.issn.1671-1122.2024.10.010
    Abstract276)   HTML671)    PDF (8704KB)(79)      

    Federated learning algorithms usually face the problem of huge differences between clients, and these heterogeneities degrade the global model performance, which are mitigated by knowledge distillation approaches. In order to further liberate public data and improve the model performance, DFP-KD trained a robust federated learning global model using datad-free knowledge distillation methods; used ReACGAN as the generator part; and adopted a step-by-step EMA fast updating strategy, which speeded up the update rate of the global model while avoiding catastrophic forgetting. Comparison experiments, ablation experiments, and parameter value influence experiments show that DFP-KD is more advantageous than the classical data-free knowledge distillation algorithms in terms of accuracy, stability, and update rate.

    Table and Figures | Reference | Related Articles | Metrics
    Blockchain Scaling Solutions: ZK-Rollup Review
    ZHANG Jiwei, WANG Wenjun, NIU Shaozhang, GUO Xiangkuo
    Netinfo Security    2024, 24 (7): 1027-1037.   DOI: 10.3969/j.issn.1671-1122.2024.07.005
    Abstract272)   HTML199)    PDF (12763KB)(99)      

    Blockchain application systems have achieved remarkable progress in the global market in recent years. With the proliferation of blockchain technology across various sectors such as finance, healthcare, energy, and the Internet of Things, the volume of transactions has surged, thereby exacerbating issues related to scalability and transaction costs. Addressing these challenges has turned Layer-1 and Layer-2 scaling technologies into focal points of research, with numerous methods proposed to mitigate these issues. This paper provided a concise overview of Layer-1 solutions and primarily delved into various Layer-2 solutions, comparing their respective advantages and limitations. This paper placed particular emphasis on the ZK-Rollup solution, delving into its underlying principles and examining its advantages in addressing scalability and reducing transaction fees. Furthermore, it identified potential challenges associated with ZK-Rollup technology, including security, privacy protection, and compatibility with other blockchain systems. In response to these challenges, the paper proposed possible improvements and optimizations, aiming to provide new insights and methodologies for enhancing blockchain scalability and transaction efficiency.

    Table and Figures | Reference | Related Articles | Metrics
    Mining Traffic Detection Method Based on Global Feature Learning
    WEI Jinxia, HUANG Xizhang, FU Yuhao, LI Jing, LONG Chun
    Netinfo Security    2024, 24 (10): 1506-1514.   DOI: 10.3969/j.issn.1671-1122.2024.10.004
    Abstract269)   HTML450)    PDF (11223KB)(91)      

    Mining traffic detection is a variable-length data classification task. Existing detection schemes, such as keyword matching and N-gram feature signatures, which are based on local feature classification methods, fail to fully utilize the global features of traffic. By employing deep learning models to model mining traffic, global features within the mining traffic are extracted to enhance the accuracy of mining traffic detection. The traffic classification model proposed in the article first employed a Transformer encoder to extract global features of the traffic, followed by a sequence summarizer to process the encoded results, obtaining a fixed-length representation for classification. Due to the mining samples accounting for less than 3% in the dataset, using accuracy to measure the classification effect of the model leads to significant bias. Therefore, the article comprehensively considered the precision and recall of the model, and employed the F1 score to evaluate the classification performance. Utilizing sinusoidal positional encoding in the model’s encoder enables the model to achieve an F1 score of 99.84% on the test set, with a precision rate of 100%.

    Table and Figures | Reference | Related Articles | Metrics
    Research on ARP Spoofing Attack and Hardware Defense
    HE Kaiyu, WANG Bin, YU Zhe, CHEN Fang
    Netinfo Security    2024, 24 (10): 1604-1610.   DOI: 10.3969/j.issn.1671-1122.2024.10.015
    Abstract266)   HTML355)    PDF (7834KB)(73)      

    In view of the cumbersome configuration and high cost of the existing ARP spoofing attack defense methods, a hardware defense device based on FPGA was designed and tested in the real network environment. First, the real LAN environment was built, and the arpspoof tool was used to implement ARP spoofing attack on the target host in the LAN, and the target host couldn’t access the external network after being attacked. A network security protection device based on FPGA platform was designed to identify and filter ARP spoofing packets by analyzing the network packets in the upstream and downstream links and comparing them with the corresponding packet fields of the security protection policy. Finally, the network security protection device was connected to the LAN, and the ILA of VIVADO captured the related field waveforms of ARP spoofing attack packets. The waveform data shows that the network security device can effectively identify the MAC address and IP address of ARP spoofing attack packets and effectively intercept them. The changes of network link bandwidth, attack interception rate, and system resource usage of the attacked host are also collected.

    Table and Figures | Reference | Related Articles | Metrics
    Research Progress in Lattice-Based Public-Key Encryption with Keyword Search
    YE Qing, HE Junfei, YANG Zhichao
    Netinfo Security    2024, 24 (6): 903-916.   DOI: 10.3969/j.issn.1671-1122.2024.06.008
    Abstract253)   HTML24)    PDF (18407KB)(124)      

    With the explosive growth of data and the rapid development of cloud computing, the demand for data secure sharing and querying is gradually increasing among users. Public-key encryption with keyword search allows resource-constrained users to efficiently search for encrypted data stored in the cloud servers, providing an effective solution for cloud data secure queries. However, with the arrival of the quantum era, the existing cryptosystems are facing a huge impact. Lattice-based cryptography has received widespread attention for the advantages of being reducible to the worst-case difficulty assumption, resistance to quantum attacks, and high security. The article provided an overview of the recent research progress of lattice-based public-key encryption with keyword search from the perspective of security and functionality. Firstly, it outlined the research progress of lattice-based public key cryptography, the definition and the security model of public-key encryption with keyword search. Then, it focused on analyzing the recent lattice-based public-key encryption with keyword search schemes, analyzed the research on the security of the schemes from the starting point of attacking means, and compared the algorithmic efficiencies of the schemes in terms of the communication overhead and the computational complexity. Finally, it summarized the application scenarios and the future research trends.

    Table and Figures | Reference | Related Articles | Metrics
    Systematic Risk Assessment Analysis for Smart Wearable Devices
    ZHAO Ge, ZHENG Yang, TAO Zelin
    Netinfo Security    2024, 24 (10): 1595-1603.   DOI: 10.3969/j.issn.1671-1122.2024.10.014
    Abstract252)   HTML356)    PDF (12573KB)(76)      

    Existing smart wearable devices generally have more vulnerable points and need to scientifically determine the risks they face through risk assessment. The current security risk assessment methods for smart wearable devices are mostly based on fragmented vulnerability points, without fully considering the systematic characteristics of the application scenarios of wearable devices, and are unable to assess the security risks as a whole. Therefore, the article proposed a risk assessment method for wearable devices based on a layered attack path diagram, which categorized the vulnerabilities of wearable devices according to their vulnerabilities’ location in the system, drew a multi-layer vulnerability relationship diagram, added direct threats and data asset targets facing the system to the diagram, and merged and calculated the attack paths from the direct threats, external vulnerability layer, indirect threats, to internal vulnerability layer attack target attack path for risk assessment. The proposed method takes the characteristics of system architecture into full consideration in the risk assessment process, which makes it easier and more accurate to assess the risk, and helps to find the bottlenecks of system security and evaluate the effectiveness of countermeasures.

    Table and Figures | Reference | Related Articles | Metrics
    Linux Malicious Application Detection Scheme Based on Virtual Machine Introspection
    WEN Weiping, ZHANG Shichen, WANG Han, SHI Lin
    Netinfo Security    2024, 24 (5): 657-666.   DOI: 10.3969/j.issn.1671-1122.2024.05.001
    Abstract240)   HTML144)    PDF (13952KB)(106)      

    With the rapid development of the Internet of things and cloud computing technology, the number and type of Linux malware have increased dramatically. Therefore, how to effectively detect Linux malware has become one of the important research directions in the security field. To solve this problem, this paper proposed a Linux malicious application detection scheme based on virtual machine introspection. This scheme utilized the virtual machine introspection technology to securely obtain the internal running status outside the sandbox, realized all-round monitoring while avoiding the anti-dynamic analysis technology of malware at the same time. Compared to other sandbox monitoring methods, this scheme improved malware performance in the sandbox. In order to pay more attention to the timing between features, a timing processing model was used to model and train the feature information obtained by the sandbox, aiming to judge whether a Linux application was malicious. In this paper, three kinds of neural network were used, including recurrent neural network, long short-term memory network and gated recurrent unit network. The experimental results show that the long short-term memory network works better in this application scenario, with an accuracy rate of 98.02% and a higher recall rate. The innovation of this paper is that the combination of virtual machine introspection technology and neural network model is applied to malicious application detection, which can not only monitor the inside of the virtual machine outside the virtual machine, but also pay attention to the timing between features.

    Table and Figures | Reference | Related Articles | Metrics
    A Covert Tunnel and Encrypted Malicious Traffic Detection Method Based on Multi-Model Fusion
    GU Guomin, CHEN Wenhao, HUANG Weida
    Netinfo Security    2024, 24 (5): 694-708.   DOI: 10.3969/j.issn.1671-1122.2024.05.004
    Abstract238)   HTML18)    PDF (16852KB)(140)      

    To evade detection, advanced persistent threat(APT) attackers often employ strategies such as encrypted malicious traffic and covert tunnels to conceal malicious activities, thereby increasing the difficulty of detection. Currently, most methods for detecting DNS covert tunnels are based on characteristics such as statistics, frequency, and packets. These methods are not well-suited for real-time detection, which can lead to data leaks. Therefore, it is necessary to detect based on individual DNS requests rather than performing statistical analysis on traffic, to achieve real-time and reliable detection. When the system determines that a single DNS request is tunnel traffic, it can respond accordingly to prevent data leaks. However, existing methods for detecting encrypted malicious traffic have issues such as the inability to fully extract traffic feature information, limited means of feature extraction, and underutilization of features. Thus, this paper proposed a method for detecting covert tunnel malicious encrypted traffic based on multi-model fusion. For DNS covert tunnels, the paper proposed a detection method that fused MLP, 1D-CNN, and RNN models and calculates the fusion results based on a proposed mathematical model. This method can monitor covert tunnels in real-time, further improving the overall detection accuracy. For encrypted malicious traffic, the paper proposed a parallel fusion detection method combining 1D-CNN and LSTM models. The parallel fusion model can more comprehensively extract feature information and reflect the full scope of the traffic data, thereby enhancing the detection accuracy of the model.

    Table and Figures | Reference | Related Articles | Metrics
    A Certificateless Anonymous Authentication Key Agreement Protocol for VANET
    LIU Yidan, MA Yongliu, DU Yibin, CHENG Qingfeng
    Netinfo Security    2024, 24 (7): 983-992.   DOI: 10.3969/j.issn.1671-1122.2024.07.001
    Abstract238)   HTML35)    PDF (11612KB)(122)      

    In the vehicular ad-hoc network (VANET), nodes communicate on open wireless channels, making them vulnerable to malicious attacks. Ensuring the integrity of message and anonymity of identities during vehicle communication has become crucial. In response to the problem that existing WZQ protocol cannot resist ephemeral key leakage attack, this article proposed a certificateless anonymous authentication key agreement protocol for VANET named iWZQ. iWZQ used certificateless signature technology to solve complex key storage and key escrow problems, and separated identity authentication and traffic message verification to avoid the problem of frequent checking of message revocation list. In addition, the security of this protocol has been proven using provable theory and Scyther tool. Comparing the proposed protocol with other protocols, the performance analysis results show that iWZQ effectively reduces computational time and communication costs while improving security.

    Table and Figures | Reference | Related Articles | Metrics
    A Survey on Trusted Execution Environment Based Secure Inference
    SUN Yu, XIONG Gaojian, LIU Xiao, LI Yan
    Netinfo Security    2024, 24 (12): 1799-1818.   DOI: 10.3969/j.issn.1671-1122.2024.12.001
    Abstract229)   HTML43)    PDF (25055KB)(144)      

    Machine learning technologies, especially deep neural networks, have gained popularity in various fields such as autonomous driving, smart homes, and voice assistants. In scenarios with high real-time requirements, many service providers deploy models on edge devices to avoid network latency and communication costs. However, service providers have no absolute control of edge devices, making deployed models vulnerable to attacks like model stealing, fault injection, and membership inference. This can lead to serious consequences such as theft of high-value models, manipulation of inference results, and leakage of private training data, ultimately undermining the competitiveness of service providers. To address these issues, numerous researchers have worked on trusted execution environments (TEE) based secure inference, which ensures security while maintaining model availability. This paper began by introducing relevant background knowledge, providing a definition of secure inference, and summarizing security models in edge deployment scenarios. Subsequently, existing solutions for model confidentiality and inference integrity were categorized and introduced, with a comparative analysis and summary. Finally, the paper outlined research challenges and directions for the future of secure inference.

    Table and Figures | Reference | Related Articles | Metrics