
Table of Contents

    10 June 2019, Volume 19 Issue 6

    Construction Technology and Application of Industrial Control System Security and Trusted Environment
    Wenli SHANG, Long YIN, Xianda LIU, Jianming ZHAO
    2019, 19 (6):  1-10.  doi: 10.3969/j.issn.1671-1122.2019.06.001

    To address the weak information-security protection of traditional PLCs in industrial measurement and control systems, this paper presents a method for building a trusted computing environment based on the key security-protection technologies for embedded equipment in industrial control systems. It first reviews existing research on trusted computing in system applications and its shortcomings, then gives a detailed design of a security technology architecture for industrial embedded equipment, comprising a trusted PLC main control unit based on a bus arbitration mechanism, a trusted PLC running environment based on virtualization sandbox technology, and a trusted PLC network security unit based on whitelist access control. Experiments show that the proposed method can be used to build a secure and trusted system network for traditional industrial control equipment and give the equipment built-in security capability.

    An Improved Scheme of Multi-PKG Cloud Storage Access Control
    Zhongyuan QIN, Yin HAN, Qunfang ZHANG, Xuejin ZHU
    2019, 19 (6):  11-18.  doi: 10.3969/j.issn.1671-1122.2019.06.002

    In order to improve the security of cloud storage access control, an improved multiple private key generation center (PKG) cloud storage access control method based on attribute-based encryption is proposed. This paper first introduces attribute-based encryption and the access control model based on ciphertext-policy attribute-based encryption (CP-ABE). It then presents an improved multi-PKG scheme for cloud storage access control, which replaces a single PKG with a primary PKG and several sub-PKGs. The primary PKG selects the initialization parameters used to generate the public parameters and the master keys of the primary PKG and each sub-PKG for data encryption. Each sub-PKG then generates its part of the private key information and sends it to the client. Only a client that receives the private key information from all sub-PKGs can successfully compute the private key for data decryption. This improved scheme achieves flexible, fine-grained access control in a cloud storage scenario where both the third-party server and the private key generation center (PKG) are untrusted, while ensuring the confidentiality of user data. For any ciphertext stored by a user on the cloud server, only users who satisfy the corresponding attribute requirements can decrypt it to obtain the plaintext, while no untrusted third party can illegally obtain the user’s private information on its own.

    Study and Implementation of Fault Injection Method for Device Drivers
    Gaoshou ZHAI, Ruixia ZHAI, Feng LIU, Honghui LI
    2019, 19 (6):  19-27.  doi: 10.3969/j.issn.1671-1122.2019.06.003

    In this paper, a flexible and controllable fault injection model is put forward, based on locating and replacing function invocation instructions at module installation time and on automatic recovery and interactive re-triggering at run time. A corresponding prototype is designed and implemented: a notifier chain is used to monitor the installation of target modules, shell command-line arguments and module parameters are used together to configure the target functions for fault injection, and debugfs is used to re-trigger faults. Compared with other fault injection tools, the prototype offers more flexible and controllable fault triggering across multiple kernel functions, so that the robustness and dependability of kernel modules such as device drivers can be verified more effectively.

    A Survey on Data Integrity Auditing Technology in Cloud Storage
    Bilin SHAO, Xiaojun LI, Genqing BIAN, Yu ZHAO
    2019, 19 (6):  28-36.  doi: 10.3969/j.issn.1671-1122.2019.06.004

    Cloud storage is the best way to address the growing problem of data storage costs caused by the explosive growth of data. When users store data in the cloud, they lose physical control of it, so verifying the integrity of outsourced data is an urgent problem. This paper summarizes the advantages and disadvantages of existing data auditing protocols from three perspectives: Provable Data Possession (PDP), Proof of Retrievability (PoR) and Proof of Ownership (PoW), and evaluates the performance of a typical protocol of each kind in terms of technical principle, time cost, reliability, detection probability and other indicators. The research finds that most audit protocols target specific scenarios, and a universal audit protocol that balances performance in all aspects still needs to be developed; audit protocols matched to technologies such as cloud storage, fog storage and blockchain are still in the exploration phase. Finally, we predict the future development of outsourced data auditing methods from five aspects, including cloud auditing protocols, alliance chain auditing protocols and component pool auditing protocols.

    Security Analysis of User Real Password under Different Password Composition Policies
    Yajun GUO, Bei YE, Wei ZHOU
    2019, 19 (6):  37-44.  doi: 10.3969/j.issn.1671-1122.2019.06.005

    Password composition policies place requirements on the length and complexity of the passwords users create. Current studies have shown that password composition policies can help improve password strength, but these studies are mainly conducted in the laboratory or online with recruited participants, and the passwords participants are asked to create may not reflect what they use in reality. Starting instead from real data, this paper studies the impact of several password composition policies used on real websites on the passwords users create, using real passwords leaked from those websites. It compares features of real passwords in three scenarios, no password policy, the basic6 policy and the 2class6 policy, and analyzes the security of these passwords. The study finds that a password composition policy affects the length and character types of the passwords users choose, and that a policy requiring multiple character types increases password length. It also finds that none of the three policies helps users create strong passwords.

    Research on a Biometrics-based Multi-cloud Server Authentication Scheme
    Baoyuan KANG, Mingming XIE, Lin SI
    2019, 19 (6):  45-52.  doi: 10.3969/j.issn.1671-1122.2019.06.006

    Progress in wireless communication technology has promoted the development of mobile services, and a traditional single server can no longer handle large-scale multi-user access. To solve this problem, many cloud server authentication schemes have been proposed. Authentication schemes based on passwords and smart cards are less secure in a multi-cloud server environment. Because biometrics are closely tied to an individual’s physical characteristics, they have become the first choice for enhancing security. Recently, KUMARI put forward a biometrics-based authentication scheme for the cloud server environment. However, we find that the scheme cannot resist replay attacks. It also has flaws in the mutual authentication stage and lacks the key parameters needed for mutual authentication, so users and servers cannot authenticate each other. This paper therefore improves KUMARI’s scheme by adding timestamps and storage of the necessary parameters. Security analysis shows that the improved scheme not only resists replay attacks, offline password guessing attacks and other common attacks, but also enables users and servers to authenticate each other effectively.

    Network Intrusion Detection with Incomplete Information Based on Deep Learning
    Xuli RAO, Pengna XU, Zhide CHEN, Li XU
    2019, 19 (6):  53-60.  doi: 10.3969/j.issn.1671-1122.2019.06.007

    During network data collection and transmission, incomplete collection and information loss occur frequently, so network intrusion detection under incomplete information has become a problem in network anomaly detection. To improve the accuracy of intrusion detection under incomplete information, and taking the characteristics of network data into account, this paper proposes a deep learning network intrusion detection model for incomplete information (NIDII-DL), which uses a multi-layer perceptron neural network to build a deep learning model for intrusion detection under incomplete information. Experimental results show that the classification accuracy of NIDII-DL under incomplete information is higher than that of other algorithms, and that it is less sensitive to missing information.

    Method on the Model of Exploration and Exploitation to Optimize the AFL Smutation
    Peng XU, Jiayong LIU, Bo LIN
    2019, 19 (6):  61-67.  doi: 10.3969/j.issn.1671-1122.2019.06.008

    Fuzzing detects and identifies security vulnerabilities by continuously generating different inputs, and it has been widely used in vulnerability discovery. At present, grey-box fuzzing is the most popular fuzzing strategy: it combines lightweight code instrumentation with feedback-driven input generation to produce new program inputs. AFL is an excellent grey-box fuzzing tool, known for its efficient forkserver execution, reliable genetic algorithm and variety of mutation strategies. However, its mutation strategy relies mainly on random mutation, which is largely blind. This paper proposes a reinforcement learning method to optimize the mutation strategy. Modelling the choice as a Multi-Armed Bandit problem, it records the execution effect in the target program of inputs generated by different mutation operators; the probability distribution of mutation outcomes is learned adaptively by an exploration-exploitation algorithm, and the mutation strategy is adjusted intelligently to improve AFL’s fuzzing performance. Following this principle, Thompson sampling is chosen as the optimization algorithm to design and implement the AFL-EE fuzzing tool. Five common file-processing programs are tested. Experiments show that the method automatically adjusts the mutation strategy and effectively generates test inputs with high coverage; it is feasible, consumes few additional resources, and is generally superior to the original AFL.

    Abnormal Traffic Detection Algorithm Based on Deep Neural Network
    Guanheng CHEN, Jinshu SU
    2019, 19 (6):  68-75.  doi: 10.3969/j.issn.1671-1122.2019.06.009

    As the scale of computer networks and applications grows exponentially, the potential damage caused by attacks increases significantly and becomes more apparent. Traditional abnormal traffic detection methods can no longer meet the needs of Internet security, so machine-learning-based algorithms have become one of the effective methods against complex and growing network attacks. This paper presents an abnormal traffic detection algorithm based on a deep neural network. After comparing the current classical data sets, it chooses the ISCX data set, which contains more attack and protocol types, for experimental analysis. The experimental results show that, compared with the naive Bayes algorithm, the proposed algorithm greatly improves accuracy and reduces the false alarm rate, making it an efficient algorithm for abnormal traffic detection.

    Debug and Analysis of Fully Homomorphic Encryption Library Based on GPU
    Wenchao LIU, Feng PAN, Xiaoyuan YANG, Tanping ZHOU
    2019, 19 (6):  76-83.  doi: 10.3969/j.issn.1671-1122.2019.06.010

    Fully homomorphic encryption can solve the privacy protection problem in cloud computing well, but low efficiency is still the bottleneck for its practical application. Lattice-based homomorphic encryption schemes involve a large number of independent matrix and vector operations, and GPUs are well suited to processing large numbers of independent data operations, which can greatly improve the efficiency of homomorphic operations. This paper analyzes the structure of the homomorphic encryption algorithm, verifies the reliability of the homomorphic encryption software library, and analyzes noise growth and correctness under different parameters during the bootstrapping process. The homomorphic encryption software library TFHE and its GPU counterpart cuFHE were debugged and analyzed separately. The experimental results show that the GPU version runs 4.5 times faster than the CPU version of TFHE, so the GPU can greatly improve the running speed of the homomorphic encryption scheme.

    Design of Electronic Warehouse Receipts System Based on Blockchain
    Yuanjian ZHOU, Dongmei QING, Yining LIU, Songzhan LV
    2019, 19 (6):  84-90.  doi: 10.3969/j.issn.1671-1122.2019.06.011

    In current electronic warehouse receipt business, the authenticity of warehouse receipts is maintained by third-party organizations and the data is managed centrally, which makes it difficult to trace the source of goods; a breach of trust by a third-party institution therefore leads to serious transaction security problems. To solve the problems of mutual trust and transaction security in the electronic warehouse receipt system, a blockchain-based electronic warehouse receipt system is designed in this paper. The system is built on the Hyperledger Fabric platform. First, the client obtains a valid identity certificate from the certificate authority node (CA node), then packages the warehouse receipt transaction information into blocks for broadcast to the whole network, and all nodes can verify the legitimacy and validity of the transaction. Finally, the consensus mechanism brings all nodes in the network to agreement, and the valid block is appended to the blockchain, so the warehouse receipt transaction information cannot be tampered with. Introducing blockchain technology not only ensures the security of the warehouse receipt information system, but also makes warehouse receipt transaction information traceable and allows the ledger to be shared.
