
Table of Contents

    10 November 2015, Volume 15 Issue 11

    Research on No Bilinear Pairing Fuzzy Keyword Search Encryption in Cloud
    QIN Zhi-guang, BAO Wen-yi, ZHAO Yang, XIONG Hu
    2015, 15 (11):  1-6.  doi: 10.3969/j.issn.1671-1122.2015.11.001
    Abstract ( 342 )   HTML ( 1 )   PDF (1473KB) ( 663 )  

    Many keyword searchable encryption schemes have already been proposed, but most of them are vulnerable to offline keyword guessing attacks and rely on the heavier pairing computation. What's more, most public-key encryption keyword search schemes cannot support fuzzy keyword search; this obvious drawback reduces the usability of the search system. The scheme we propose uses the server's public key to encrypt the keywords and data, so an outside attacker who does not have the server's private key cannot obtain any information from the keyword ciphertexts, and a public channel can therefore be used to transport the PEKS. The scheme not only supports exact keyword search encryption but also supports search when the input keywords contain spelling mistakes or format inconsistencies, which greatly improves the availability of the system. The scheme uses ElGamal encryption instead of bilinear-pairing encryption, which greatly reduces the computational overhead.

    Research on VT-d based Virtual Machine Isolation Framework
    YANG Yong-jiao, YAN Fei, YU Zhao, ZHANG Huan-guo
    2015, 15 (11):  7-8.  doi: 10.3969/j.issn.1671-1122.2015.11.002
    Abstract ( 541 )   HTML ( 1 )   PDF (1903KB) ( 452 )  

    As the basis of the cloud computing IaaS service, virtualization technology can fundamentally solve the threats that virtual machines face on the cloud computing platform. In view of the deficiencies of the current cloud computing virtual machine isolation environment in the aspects of device I/O and memory access isolation, this paper presents a security isolation framework on a Xen cloud platform, combining the idea of the VT-d virtualization technology with a trusted computing independent domain. In the framework, data and code encryption is implemented by a vTPM independent domain, which encrypts the VM image. The framework assigns the NIC to the VM through VT-d technology and extends the authorization control of the grant table mechanism in the XSM module. Experiments and analysis show that the framework is able to ensure device I/O and memory access security isolation between virtual machines effectively, enhance the security of the virtual machine isolation environment, and meet the system performance requirements.

    A New Cloudware PaaS Platform Based on Microservices Architecture
    GUO Dong, WANG Wei, ZENG Guo-sun
    2015, 15 (11):  15-20.  doi: 10.3969/j.issn.1671-1122.2015.11.003
    Abstract ( 843 )   HTML ( 8 )   PDF (1649KB) ( 2127 )  

    With the development of microservice and container technology, the software paradigm is evolving towards Cloudware in the cloud environment. Cloudware is based on services and supported by the cloud platform, and it is an important method for cloudizing traditional software. It is the most important method for software development, deployment, maintenance and usage in the future cloud environment, and it is also a new way of thinking about software on a cloud platform. We propose a new Cloudware PaaS platform based on microservice architecture and lightweight container technology. Traditional software can be deployed directly on this platform without modification and provide service to clients through a browser. By utilizing the microservice architecture, this platform has characteristics such as scalability, auto-deployment, disaster recovery and elastic configuration.

    Research and Application of Cloud Computing Tenant Virtual Machine Active Trusted Verify Mechanism
    TAO Zheng, HU Jun, WU Huan, YANG Jing
    2015, 15 (11):  21-26.  doi: 10.3969/j.issn.1671-1122.2015.11.004
    Abstract ( 457 )   HTML ( 2 )   PDF (2270KB) ( 172 )  

    In recent years, cloud computing has developed rapidly, and its security has become the current research focus. But many of the researches on trusted computing are passively called by applications and use fixed-format policies, so it is difficult for them to adapt to complicated relations. This paper presents a verification mechanism for virtual machines in the cloud computing environment. This mechanism is based on the idea of active trusted computing: through active monitoring, all components run independently, so it can work with complicated relations and adapt to a dynamic distributed system. With this mechanism, users and the facilitator confirm the standard trusted library through an SLA protocol, and a third-party verifier provides a report for users. Compared with the conventional way, users can look up the report to know and ensure the current security status of virtual machines in the cloud computing environment.

    Research on Security of IoT Perception Layer Based on Node Authentication
    ZHANG Yu-ting, YAN Cheng-hua, WEI Yu-ren
    2015, 15 (11):  27-32.  doi: 10.3969/j.issn.1671-1122.2015.11.005
    Abstract ( 565 )   HTML ( 1 )   PDF (2391KB) ( 227 )  

    The perception layer is the information source of the Internet of Things and also the basis for IoT applications, so its security problem is the primary problem of the whole Internet of Things. With the continuous development of network information security, although the traditional network security management system can achieve interoperability between the three levels of network security, the security system for the IoT sensing layer nodes and between nodes is not mature. Since the nodes are easily controlled, attackers can easily attack them. When the nodes communicate with each other, it is very easy for them to be monitored, stolen from, faked, destroyed, and so on. Therefore, it is necessary to strengthen the identity authentication of the Internet of Things to ensure the security of the whole system. This paper introduces the main security threats and related security mechanisms of the Internet of Things, based on the elliptic curve encryption algorithm built on the discrete logarithm problem.

    Research on the Evaluation Method of AS-IP Declaring Relationship Authenticity
    HU Zhao-ming, LIU Lei, SHANG Bo-wen, ZHU Pei-dong
    2015, 15 (11):  33-39.  doi: 10.3969/j.issn.1671-1122.2015.11.006
    Abstract ( 637 )   HTML ( 0 )   PDF (1708KB) ( 498 )  

    In a BGP network, if an autonomous system (AS) declares an IP address prefix that does not belong to it, a prefix hijack occurs. There are two reasons that make prefix hijacking difficult to detect: 1) prefix hijacking will be found by the hijacked AS when and only when the hijacked IP address prefix is transmitted to its domain; 2) because BGP lacks a security mechanism to verify that the declarer of an IP address actually owns it, other ASes cannot confirm the prefix hijacking even if they have received the hijacked routes. This paper presents an AS-IP declaring relationship authenticity evaluation method based on spatial consistency and temporal stability, which builds a matrix of declaring relationships according to historical routing tables, calculates a stability degree of this matrix to judge the authenticity of the declaring relationship, and generates an AS-IP matching relation knowledge base. This paper analyses and runs detection on the routing data of RouteViews and domestic operators, and the experiments show that this method can judge the authenticity of the declaring relationship, generate an AS-IP matching relation knowledge base, and detect prefix hijacking effectively.

    A New Secret Handshakes Scheme Based on Chaotic Maps
    WANG Wen-bo, CHENG Qing-feng, LU Si-qi, ZHAO Jin-hua
    2015, 15 (11):  40-46.  doi: 10.3969/j.issn.1671-1122.2015.11.007
    Abstract ( 594 )   HTML ( 0 )   PDF (2343KB) ( 267 )  

    The primitive secret handshake refers to a privacy-preserving authentication protocol which negotiates a session key without leaking identity. The authentication can be passed if and only if the two participants are from the same group, after which a shared session key is established for further communication; those who do not belong to the group will not get any information about the group. Pal used the ZSS signature to propose a secret handshake scheme with dynamic matching, which has some drawbacks in user revocation and user tracking. This paper first modifies the ZSS signature into the chaotic-map-based ZSS (ZSS-CM), which is then used to construct a new secret handshake based on chaotic maps (SH-CM). The SH-CM protocol costs less computing resources than the protocol proposed by Pal while maintaining the basic security properties of secret handshakes and supporting user revocation and user tracking as well, thus achieving better security.

    Design and Implementation of Stateful Firewall Based on Software-defined Networking
    LIU Qi, CHEN Yun-fang, ZHANG Wei
    2015, 15 (11):  47-52.  doi: 10.3969/j.issn.1671-1122.2015.11.008
    Abstract ( 484 )   HTML ( 0 )   PDF (1712KB) ( 451 )  

    Compared with the traditional network architecture, the control and data planes are decoupled in software-defined networking (SDN), which provides a new solution for research on new network applications and future Internet technologies. However, according to the recent research and progress of SDN, the security problem has not been addressed, and it will be a significant issue. Traditional firewalls still have loopholes in the face of a constantly updating large number of network attacks, so there is an urgent need for innovative firewall mechanisms in dangerous situations. SDN is a new network architecture with control and forwarding separation and direct programmability; its main idea is to decouple the traditionally tightly coupled network equipment into a forwarding plane and a control plane, so that network management staff can send the firewall policy to the switches in the network through a central controller. In this paper, after introducing the relevant knowledge of SDN firewall architecture, a stateful firewall policy based on IP address recognition is designed with the software-defined network programming language Pyretic and deployed in the control plane. In order to fully show the flexibility and fine-grained control of firewall policy in software-defined network environments, a stateful firewall policy is deployed and issued in a virtual network.

    Research and Design of Web Application Firewall Based on Feature Matching
    XIN Xiao-jie, XIN Yang, JI Shuo
    2015, 15 (11):  53-59.  doi: 10.3969/j.issn.1671-1122.2015.11.009
    Abstract ( 522 )   HTML ( 3 )   PDF (2513KB) ( 561 )  

    With the rapid development of Web applications, the security situation is not optimistic: the majority of Web applications have security vulnerabilities, and traditional network security equipment is very limited in preventing application-layer attacks. The traditional firewall can only protect the network layer, and IPS/IDS cannot effectively protect against application-layer attacks that use flexible encoding and packet segmentation. The Web application firewall works at the application layer; it analyses the HTTP requests and responses, then compares the analysis results against the HTTP attack feature library, blocking Web application attacks and protecting the application layer effectively. This paper analyses the HTTP protocol, mainstream Web attacks and bypass methods, and, aiming at the deficiency of the HTTP protocol and the defects of pattern matching, adopts Simhash feature extraction and block prevention and filtering search technology to propose a Web Application Firewall system based on feature matching. Experiments show that the Web application firewall can defend against all kinds of Web application-layer attacks and effectively solve the problem of Web attack detection.

    A Document Clustering Algorithm Based on Dirichlet Process Mixture Model
    GAO Yue, WANG Wen-xian, YANG Shu-xian
    2015, 15 (11):  60-65.  doi: 10.3969/j.issn.1671-1122.2015.11.010
    Abstract ( 591 )   HTML ( 6 )   PDF (2180KB) ( 982 )  

    With the prevalence of the Internet, network forums, microblogs, WeChat, etc. have become an important channel for people to obtain and publish information. However, the uncertainty of document quantity and content brings great challenges for Internet public opinion analysis. In document clustering, choosing the right number of clusters is a hard task. In this paper, a document clustering algorithm based on the Dirichlet process mixture model (DCA-DPMM) is proposed. DCA-DPMM extends standard finite mixture models to an infinite number of mixture components using the Chinese restaurant process (CRP) of the Dirichlet process; this paper implements the Dirichlet process mixture model based on CRP. The cluster assignments of data points are sampled over iterations by the Gibbs sampling algorithm. The experimental results show that the proposed document clustering algorithm, compared with the classical K-means clustering algorithm, not only can determine the number of clusters dynamically but also can improve clustering quality measures such as purity, F-score and silhouette coefficient.

    Research on LBS(P,L,K) Model and Its Anonymous Algorithms
    ZHANG Fu-xia, JIANG Chao-hui
    2015, 15 (11):  66-70.  doi: 10.3969/j.issn.1671-1122.2015.11.011
    Abstract ( 504 )   HTML ( 0 )   PDF (1535KB) ( 352 )  

    At present, most location anonymity algorithms suffer from a larger anonymous region, longer anonymization time and a higher possibility of unsuccessful anonymization, and query details, which may include more private information, are not well protected. To solve these problems, this paper proposes an anonymity model called LBS(P,L,K), which is based on the k-anonymity model. This model sets the parameters P and L according to the sensitivity of the queries in order to protect the privacy of user queries and the personalized needs of users. At the same time, this paper proposes an algorithm called the grid-fake-user anonymity algorithm, which can protect not only location privacy but also query privacy. The idea of the algorithm is as follows: first the space is mapped to an m×n grid; then the neighbourhood of the grid cell in which the user lies is searched iteratively until the minimum containing space is found; then the edges with the smallest user distribution density are stripped one by one according to the density matrix, in order to find the anonymous user set meeting the anonymity condition in a minimum range and achieve a better balance between privacy and quality of service. Contrast experiments show that the algorithm has a higher success rate of anonymization, a smaller anonymous area and higher relative anonymity while meeting the requirements of individual users, so it increases the quality of the user's query service.

    A Structured Data Protection Method for Geographic Information System
    JI Chen, LI Xiao-qiang, LIU Qian
    2015, 15 (11):  71-76.  doi: 10.3969/j.issn.1671-1122.2015.11.012
    Abstract ( 438 )   HTML ( 2 )   PDF (1338KB) ( 351 )  

    The development of the Internet and the combination of the Internet and GIS have greatly changed GIS, from data collection and information processing to data publication and use. However, the security risks of the Internet and the diversity of network attacks bring challenges for ensuring GIS security. Although there are some solutions to these problems, they cannot be widely utilized because of their limitations. In this paper the authors focus on solving the problem of data protection. Firstly, possible safety problems of GIS and the current research situation are briefly reviewed. Then, a new structured data protection method is proposed to overcome the limitations of traditional GIS security schemes. According to the results, our method can reduce the data security risk through a centralized application platform. Also, fine-grained data access control can prevent unauthorized access. Moreover, data theft behaviours can be quickly tracked by detailed behaviour auditing and process marking. Through our structured data protection method, the illegal disclosure of important data can be prevented while espionage can be deterred.

    Analysis of an Enhanced Apriori Algorithm in Data Mining
    HU Xue, FENG Hua-min, LI Ming-wei, DING Zhao
    2015, 15 (11):  77-83.  doi: 10.3969/j.issn.1671-1122.2015.11.013
    Abstract ( 571 )   HTML ( 3 )   PDF (2926KB) ( 816 )  

    In the highly developed information society, network data expand rapidly and much important information hides behind the surge of data, so it is necessary to analyse large amounts of data. The Apriori algorithm is a frequent itemset algorithm for mining association rules. Its core idea is to mine frequent itemsets through two stages: candidate set generation and closure testing. The two major drawbacks of the Apriori algorithm are that it may generate a large number of candidate sets and may need to scan the database repeatedly. By eliminating unnecessary transmission of records in the database, the improved Apriori algorithm effectively reduces the time spent on I/O and greatly improves the efficiency of the algorithm; the paper proves this and gives the implementation idea of the algorithm. In this paper, an enhanced Apriori algorithm is proposed which takes less scanning time. This is achieved by eliminating the redundant generation of sub-items when pruning the candidate itemsets. Both the traditional and the enhanced Apriori algorithms are compared and analysed in this paper.

    Research on Evaluation Model and Its Verification of IT Emergency Response Capabilities of the People's Bank of China Based on G1 and Entropy Method
    ZHENG Lu-jun, WEI Ru-hao, WANG Dong, TIAN Jia-xi
    2015, 15 (11):  84-89.  doi: 10.3969/j.issn.1671-1122.2015.11.014
    Abstract ( 457 )   HTML ( 2 )   PDF (2362KB) ( 448 )  

    In recent years, IT risk has become an important part of banks' risk. The People's Bank of China (PBC), as the management department for the critical information infrastructure of banks, should enhance research on IT risk management both theoretically and practically. In this paper, we summarize related emergency assessment experience. Based on the order relation analysis (G1) method and the entropy method, we construct an IT risk assessment index set for the emergency response capability of the PBC. By assessing and evaluating a certain information system, we verify that the indicator model is feasible and effective, and then initially establish the IT risk response capability evaluation system.
