Table of Contents

    10 October 2016, Volume 16 Issue 10

    Original Article
    Design and Implementation on Multilevel Security Mandatory Access Control System for Virtual Machine Based on BLP
    Yaping CHI, Tingting JIANG, Chuping DAI, Wei SUN
    2016, 16 (10):  1-7.  doi: 10.3969/j.issn.1671-1122.2016.10.001

    Multilevel security is a mechanism that supports simultaneous access by users and resources with different privileges while ensuring that users and resources can access the information they are authorized to access. In cloud computing, virtual machines belonging to different users or enterprises may run on the same physical host and usually have different security levels, so implementing a multilevel security access control policy to protect virtual machine communication is very meaningful. To address this, a mandatory access control security model suited to the virtual machine environment was built by modifying the model elements, security axioms and state transition rules of the traditional BLP security model. Using SELinux technology, through shared memory and an authorization table, multilevel security mandatory access control in the virtual environment was realized, which effectively enhances access security between virtual machines and between a virtual machine and its host.

    Multiple View Cooperative Visual Analytics of Network Operation Log
    Jinsong WANG, Jingyun HUANG, Hongwei ZHANG, Huirong NAN
    2016, 16 (10):  8-14.  doi: 10.3969/j.issn.1671-1122.2016.10.002

    Network operation logs are the main source of information network managers use to understand the state of the network. After processing network operation data and analyzing its features, this paper presents a collaborative visual analysis system for network operation logs that provides multiple views with direct and rich interactions to model the data from different aspects. Force graphs, stacked graphs and heat maps are introduced into network security visualization. Collaborative visual analytics helps network administrators understand the structure of the whole network and its operating characteristics. The system includes two modules. One analyzes the network structure along three dimensions, port, connection and flow, and then distinguishes servers from clients among the hosts. The other analyzes anomalies across the whole network from the overall flow situation, and then finds communication patterns along the time dimension.

    Research and Application on Cloud Security Management Service for Intelligent Terminal
    Lianyin WANG, Yinghao WEI, Shuangqiu XING, Chao LU
    2016, 16 (10):  15-20.  doi: 10.3969/j.issn.1671-1122.2016.10.003

    In view of the security management and protection requirements of mobile terminals, this paper designs a cloud security service platform technology architecture for intelligent terminals, puts forward security measures, and completes the research and development. By comprehensively using cloud computing, mobile internet, identity authentication, encrypted transmission and key management technology, the platform achieves mobile terminal device management, security certificates, encrypted transmission, application security and a security service interface. At present, the platform is in trial operation in Tianjin, Fujian and Jiangsu, and it realizes security protection of mobile terminals. According to the practical application results, the technology and functional architecture of the platform are highly replicable, which is conducive to realizing security management and services for mobile terminals and applications in a cloud mode.

    Identity-based Authenticated Protocol without Bilinear Pairing
    Min SHI, Weiwei YE, Qingyu OU
    2016, 16 (10):  21-27.  doi: 10.3969/j.issn.1671-1122.2016.10.004

    Authenticated key agreement protocols are an important concept in cryptography and can be used to ensure the confidentiality and integrity of data. By adding implicit authentication to key agreement, a user can confirm that only the intended party can complete key agreement with him. This avoids the man-in-the-middle attack on traditional key agreement protocols. At present, most authenticated key agreement protocols use bilinear pairings, which have low computational efficiency, so studying and designing authenticated key agreement protocols without bilinear pairings is a hot research topic. Although some scholars have put forward schemes, their constructions are still somewhat complicated. To improve protocol efficiency, this paper presents an identity-based authenticated key agreement protocol without bilinear pairings that is simple in structure and good in security. The protocol's security is reduced to the CDH hardness assumption and is formally proved in the eCK model. Comparison shows that the protocol has higher efficiency and better security.

    Research on Method of Key Words Quick Search in Encrypted Databases
    Junzheng XIANG, Hequn XIAN, Chengliang TIAN, Min LI
    2016, 16 (10):  28-33.  doi: 10.3969/j.issn.1671-1122.2016.10.005

    Database encryption is an efficient way to protect data security, but traditional keyword queries cannot be executed directly over encrypted databases. This paper designs an encrypted keyword query method based on the Bloom filter mechanism. In this method, keywords are treated as strings that are mapped by multiple hash functions to obtain multiple indices. The Bloom array is initialized to 0, and the positions corresponding to these indices are set to 1. When searching, the queried keywords are mapped by the same hash functions to obtain indices, and the search over encrypted data is realized by checking whether the positions corresponding to those indices in the Bloom array are all 1. This paper also introduces the principle of the Bloom filter, its error analysis and the hash functions. Experimental results show that the method has high efficiency and practicability.

    A Network Behavior-based Access Control Model
    Chang LIU, Jingsha HE
    2016, 16 (10):  34-39.  doi: 10.3969/j.issn.1671-1122.2016.10.006

    To address the separation between identity authentication and behavior authentication in open network environments, we focus on the rules and characteristics of users' network behavior. Building on traditional identity authentication, we put forward an action-based access control model. This paper defines users' network behavior, takes the user's glance time and access path as the data source, compares the value calculated by the algorithm with a threshold, models it together with temporal and environmental information, and thereby realizes verification of user behavior. For new users, we check behavior with Markov chains; for existing users, we establish a directed tree of frequent accesses and use a mean-variance algorithm to detect behavior. The model adapts to changes in user behavior automatically. Moreover, this framework can prevent phenomena such as malicious misappropriation of user accounts, which is significant for network security.

    Research on DDoS Attack Effect Evaluation Based on TOPSIS-GRA Integrated Evaluation Method
    Chengliang ZHAO, Aiping LI, Rong JIANG
    2016, 16 (10):  40-46.  doi: 10.3969/j.issn.1671-1122.2016.10.007

    To overcome the disadvantages of traditional subjective and objective weighting methods in the index system for distributed denial of service (DDoS) attack effect evaluation and to improve assessment accuracy, this paper proposes a new integrated evaluation method, TOPSIS-GRA, based on the idea of ensemble learning. The fuzzy analytic hierarchy process (FAHP) is combined with the entropy weight method to calculate index weights, and the technique for order preference by similarity to ideal solution (TOPSIS) is integrated with the grey relational analysis (GRA) model to perform the evaluation. Given the immaturity of research on DDoS attack effect evaluation, this paper proposes a complete and feasible evaluation process comprising an index system, combination weighting and the TOPSIS-GRA integrated evaluation method. Experimental results show that TOPSIS-GRA is highly applicable to DDoS attack effect assessment and that its evaluation results are objective and reliable.

    Research on Formalized Description of Application Security
    Mingde ZHANG, Maning BI, Shun WANG, Qingguo ZHANG
    2016, 16 (10):  47-53.  doi: 10.3969/j.issn.1671-1122.2016.10.008

    With the gradual increase in the number of applications within organizations, application security issues have become increasingly prominent. Because of the complexity and variety of applications and their security, expressing application security reasonably is a difficult problem. Existing research on application security focuses only on some aspects or lacks pertinence, and there is still no systematic formal model for application security. This paper presents a formal description of applications by analyzing the subject-object access mechanism and distinguishing business functions, security functions and application policies. Formal descriptions are then given for the two most common security functions, authentication and authorization. For authorization, based on the introduced concept of secrecy, three kinds of roles (position role, business role and secrecy role) and objects' degrees of secrecy are analyzed, and the authority manager, authority verifier and authority relying party are distinguished. Meanwhile, four unified-management policies and their formal description are proposed through the introduction of users' identity information and a unified portal.

    Research on Location Privacy Protection Based on Dummy Locations in Mobile Internet Environment
    Shasha WU, Jinbo XIONG, Guohua YE, Zhiqiang YAO
    2016, 16 (10):  54-59.  doi: 10.3969/j.issn.1671-1122.2016.10.009

    To solve the location privacy protection problem in location-based services (LBS) in the mobile Internet environment, this paper proposes a dummy-location scheme under a client-server architecture to protect users' location privacy. The scheme specifies the anonymity level and anonymity region according to the user's requirements, generates the corresponding number of dummy locations, and after k-anonymity processing sends the k-1 dummy locations together with the user's real location to the LBS server in order to protect the real location. Security analysis and experiments demonstrate that the scheme can resist location homogeneity attacks and location distribution attacks and protects users' location privacy effectively.

    Research on an Intelligent Local Mobile Cloud Resource Allocation Mechanism
    Jinyang LIU, Xingwei WANG, Min HUANG
    2016, 16 (10):  60-68.  doi: 10.3969/j.issn.1671-1122.2016.10.010

    To overcome the performance limitations of intelligent mobile devices, cloud computing services are being extended to mobile devices, which is commonly called mobile cloud computing (MCC). This paper proposes a local mobile cloud resource allocation mechanism comprising the design of local mobile resource clouds and a mobile cloud resource allocation mechanism. First, several small resource clouds are deployed locally and interconnected as a whole, directly connected to the local mobile communication network to improve quality of service in terms of latency, bandwidth and so on. Then, a mathematical model is built to describe the local mobile cloud resource allocation problem, and a greedy-based artificial fish school algorithm for mobile cloud resource allocation is proposed to solve it. Finally, simulation experiments on the mechanism are performed and the resource allocation algorithms are compared and analyzed. The results show that the local mobile cloud resource allocation mechanism provides users with good quality of service.

    A Pretreatment of DPI System Based on the Cache Hit
    Yuepeng MA, Jiqiang LIU, Jian WANG
    2016, 16 (10):  69-75.  doi: 10.3969/j.issn.1671-1122.2016.10.011

    The rapid growth of data services in mobile networks brings not only convenience and benefits but also many security risks. To purify the mobile network environment and mine the potential value of network data, more and more operators deploy DPI (Deep Packet Inspection) systems on mobile data traffic to supervise network data. However, when facing high-speed network data, DPI systems perform poorly. To improve the efficiency of DPI processing on high-speed network data, this paper proposes a new pretreatment method based on cache hits. A hash-structured cache is created with the five-tuple of the data packet as the key and the connection together with its protocol mark as the value. Before arriving packets enter DPI processing, their key-value pairs are looked up in the cache; if a pair is found, the packet is marked as identified. By avoiding pattern matching for some packets, DPI processing pressure is reduced and system throughput is improved. Experiments show that this method effectively enhances the efficiency of mobile network data analysis. The method is feasible and can be recommended.

    Research of Data One-way Transfer Reliability Based on Fiber Optic Communication Technology
    Xudong SHAO, Haiping JIANG, Han ZHANG
    2016, 16 (10):  76-79.  doi: 10.3969/j.issn.1671-1122.2016.10.012

    One-way transfer technology based on fiber optic communication has been widely applied to data transfer between networks of different security levels, but it cannot ensure transfer reliability. This paper presents a design that uses several technologies at multiple layers to prevent bit loss and thereby ensure the reliability and integrity of data transfer. One-way transfer technology applying this design has been piloted in some ministries and agencies and has achieved good results.

    Review of Android Malware Detection
    Jiaping LIN, Hui LI
    2016, 16 (10):  80-88.  doi: 10.3969/j.issn.1671-1122.2016.10.013

    Smartphones are becoming increasingly popular in daily routines around the world. However, malware on smartphones is becoming more prevalent and introduces potential risks to smartphone users. Nowadays, eighty percent of smartphones adopt the Android operating system, and the number of Android malware samples is rapidly increasing, with various kinds of malicious behavior. Android malware has become a great threat to the security of mobile users. In this paper, we investigate the harms of Android malware. We first introduce the classification and features of malware and analyze malware permissions and behavior. Then we introduce malware detection tools and summarize malware penetration and stealth techniques. Furthermore, we analyze the malware detection methods of prior work. Finally, we propose future detection directions and give some advice for reducing the harm of malware.
