Table of Contents

    10 October 2019, Volume 19 Issue 10
    A Network Access Control System in Virtualized Environments
    Xiangquan SHI, Jing TAO, Baokang ZHAO
    2019, 19 (10):  1-9.  doi: 10.3969/j.issn.1671-1122.2019.10.001

    Network access control technology is one of the main technologies for securing network communication systems. It is widely used in traditional data centers, campus networks and enterprise networks. However, in virtualized environments, traditional port-based network access control (PNAC) cannot effectively control virtual machine network access. This paper comprehensively analyzes the reasons why traditional network access control technology fails in virtualized environments, develops VE-NAC, a network access control framework for virtualized environments, and designs a network access control process suited to them. VE-NAC is compatible with the 802.1x protocol and does not require modifying the authentication client. This paper implements VE-NAC in an OpenStack virtualization environment and tests the functions and delay of the VE-NAC prototype system, which verifies the validity and feasibility of VE-NAC for implementing network access control in virtualized environments.

    National Secret Substitution of zk-snark Bilinear Pair
    Lin LI, Xuxia ZHANG
    2019, 19 (10):  10-15.  doi: 10.3969/j.issn.1671-1122.2019.10.002

    In recent years, with the growing emphasis on privacy protection, zero-knowledge proof technology has also developed rapidly. zk-snark is a compact non-interactive zero-knowledge proof protocol in which the polynomial division algorithm is implemented by the fast Fourier transform algorithm, which requires that the order of the bilinear pairing used by zk-snark satisfy the formula n-1|220. However, the bilinear pairing used in the current national secret SM9 algorithm does not meet this requirement. If the existing bilinear pairing is substituted directly, the performance of zk-snark is greatly reduced. In this paper, based on the method of constructing bilinear pairings from BN curves, a national secret substitution scheme for the zk-snark bilinear pairing is proposed. Without affecting the performance of zk-snark, the security requirements of the national secret algorithms are met, so that zk-snark can be applied in national secret products.

    Research on Internet of Things Security Mechanism Based on Short Distance Wireless Communication
    Zhigang JIN, Tong WU, Gen LI
    2019, 19 (10):  16-23.  doi: 10.3969/j.issn.1671-1122.2019.10.003

    A large number of wireless communication technologies are now applied in the Internet of Things field, and the security problems therein are often neglected due to cost and similar considerations. Aiming at the security problems exposed by short distance wireless communication technology in IoT devices, this paper takes the smart locks widely used in the Internet of Things as the research object and analyzes short distance wireless communication technology with Bluetooth Low Energy as an example. Using protocol analysis and security model analysis, it studies the security vulnerabilities existing in the IoT smart lock security mechanism. The method of remote attack on the IoT smart lock is described by example. Based on a CPN model, the resistance of the IoT smart lock to illegal replay attacks and eavesdropping attacks is analyzed, and corresponding improvement methods are proposed for the security vulnerabilities. The CPN model is then used to analyze the reinforced communication model and prove that it can resist illegal replay attacks and eavesdropping attacks.

    Research on Malware Detection Technology Based on Image Analysis
    Jian ZHANG, Bohan CHEN, Liangyi GONG, Zhaojun GU
    2019, 19 (10):  24-31.  doi: 10.3969/j.issn.1671-1122.2019.10.004

    With the increasing complexity and quantity of malware, malware detection is becoming increasingly challenging. At present, the most common malware detection method is to use machine learning technology. In order to improve the efficiency of malware analysis, some researchers have proposed methods based on image analysis to classify malware. This paper summarizes the different methods of detecting malware using malware images and compares them in terms of image generation, feature extraction and classification algorithms. Finally, solutions to the shortcomings of these methods are proposed.

    Research on Construction of Risk and Trust Architecture Based on Lean Trust
    Ran ZI, Jia LIU
    2019, 19 (10):  32-41.  doi: 10.3969/j.issn.1671-1122.2019.10.005

    With the rapid deployment of new technologies like cloud computing, big data and mobile communication, as well as IT systems' growing internal security threats such as data breaches and advanced persistent threats, the Zero Trust concept has been put forward and has drawn considerable attention recently. Domestic and foreign cybersecurity companies have implemented several new security projects based on the Zero Trust concept. However, several obstacles have arisen during the research and implementation of Zero Trust. For example, it is difficult to bring existing application systems and security devices into a Zero Trust architecture without modification, which is costly. Meanwhile, based on a literal reading of the term, Zero Trust is taken to mean no trust at all in the network security architecture. Moreover, traditional security concepts are deemed to be replaced by Zero Trust. These defects and misunderstandings have impeded the implementation and promotion of Zero Trust. In this paper, a Lean Trust secure access architecture is proposed based on the Lean Trust concept. Compared with Zero Trust, the Lean Trust architecture clearly identifies the roles of risk and trust in a network security architecture. Based on continuous evaluation and precise manipulation of risk and trust, the Lean Trust secure access architecture improves the security of the access process to application and service resources. Moreover, compatibility with existing security devices and application systems makes the proposed architecture more practical.

    Research on Multi-server Lightweight Multi-factor Authentication Protocol in Telemedicine Environment
    Min ZHANG, Chunxiang XU, Minying HUANG
    2019, 19 (10):  42-49.  doi: 10.3969/j.issn.1671-1122.2019.10.006

    Existing identity authentication for the telemedicine environment is aimed at a single-server setting. With the development of telemedicine systems, users access multiple hospital servers to query medical conditions, and hospital servers in turn access commercial insurance or other third-party servers. Therefore, research on multi-server identity authentication schemes in the telemedicine environment has positive significance. In 2019, BARMAN et al. proposed a multi-server identity authentication scheme for the telemedicine environment, but this scheme still has many security problems, such as poor scalability, vulnerability to privileged attacks, and inability to implement access control. In order to solve the above problems, this paper proposes a multi-factor identity authentication scheme based on Fuzzy Commitment and the HMAC algorithm. Analysis shows that the proposed scheme can resolve the security threats of BARMAN's scheme, although computation and communication costs increase slightly.

    Research on Classification Method of Network Security Data Based on Data Feature Learning
    Yanhua LIU, Xiaoling GAO, Minchen ZHU, Peihuang SU
    2019, 19 (10):  50-56.  doi: 10.3969/j.issn.1671-1122.2019.10.007

    Data classification plays an important role in cyberspace security situational awareness applications. However, with the expansion of network system scale, the increase of network speed, and the increase of network security incidents, the volume of security data increases dramatically, which greatly affects the accuracy of data classification and thus brings great challenges to security applications such as intrusion detection, security assessment and attack intention recognition. This paper proposes a data classification model integrating the SMOTE-SVM algorithm and the XGBoost algorithm. Firstly, to address data imbalance, a data feature balancing method based on the SMOTE-SVM algorithm is designed by combining up-sampling and down-sampling, improving the rationality of the training data distribution and the training accuracy. Then, to address the diversity of multi-source heterogeneous security data, one-hot encoding is used to standardize the data. Finally, feature extraction and classification of the data sets are carried out based on the XGBoost algorithm. Experimental results show that the proposed method has obvious advantages in data classification accuracy, recall rate and comprehensive effectiveness. It can effectively improve the analysis capability for big data in network security and has important application significance for network security situational awareness.

    An Enhanced Kerberos Protocol Based on OTP with Formal Analysis
    Limin MA, Wei ZHANG, Ying SONG
    2019, 19 (10):  57-64.  doi: 10.3969/j.issn.1671-1122.2019.10.008

    The Kerberos protocol is an important trusted third-party authentication protocol in distributed networks. It is widely used in mainstream operating systems, cloud computing, wireless networks and other application scenarios, but it is vulnerable to password guessing attacks, replay attacks and so on. Although the PKINIT protocol based on public key cryptography can enhance the resistance of the Kerberos protocol to these attacks, it introduces substantial computing resource and communication costs. Therefore, this paper proposes and implements a scheme based on a one-time password mechanism to enhance the security of the Kerberos protocol, and performs a formal analysis based on BAN logic. The experimental results show that, compared with the PKINIT protocol, the scheme reduces the computational complexity, reduces the initial authentication service time to 67.7% of that of the PKINIT protocol, and has the advantage of easy deployment.

    A Dynamic Cloud Security Storage System Based on Data Drifting
    Xing ZHAO, Xiaodong WANG, Chuanrong ZHANG
    2019, 19 (10):  65-73.  doi: 10.3969/j.issn.1671-1122.2019.10.009

    Data security is the core issue of cloud storage. Presently, the physical positions of data in cloud storage are relatively unchanging, so the uncertainty and complexity of the system are low. According to the idea of dynamic resiliency for security defense, as long as dynamic change is introduced, the security of cloud storage might be enhanced systematically. Derived from this idea, a novel mechanism, named the dynamic cloud security storage system based on data drifting, is presented. The mechanism first separates a document into particles and then stores them on different nodes of the cloud storage. The particles are driven to keep drifting among nodes during storage, achieving a dynamic resilient storage view. Once a user needs the document, all of the particles are gathered to the nearest node for the subsequent download. In order to improve security, a uniform distribution and the Mason rotation method are mixed together to obtain better randomness. For effective utilization of idle network bandwidth without affecting normal network data communication, the instance also adds a traffic monitoring module that actively controls drift traffic. Simulations of the system with respect to the mechanism show that it has valid functions and security.

    Research on Traffic Identification Technology for Unknown Protocols
    Xudong WANG, Xiangzhan YU, Hongli ZHANG
    2019, 19 (10):  74-83.  doi: 10.3969/j.issn.1671-1122.2019.10.010

    With the rapid development of the Internet and the arrival of the era of big data and artificial intelligence, Internet security is facing great challenges. Network protocols play an important role in network data transmission. More and more traffic uses unknown network protocols, which makes it more difficult to monitor and analyze Internet traffic. Therefore, research on network protocol identification and analysis technology is becoming more and more important. This paper summarizes the technical methods of protocol analysis and identification in recent years and looks forward to the research directions of future technologies.

    A Key Exchange Cryptosystem Based on Polar Codes
    Zhe LI, Yiliang HAN, Yu LI
    2019, 19 (10):  84-90.  doi: 10.3969/j.issn.1671-1122.2019.10.011

    A key exchange cryptosystem based on Polar codes is proposed. This paper constructs the key exchange scheme; the scheme involves only linear calculation, has high efficiency and reduced computational complexity. The scheme is analyzed from the perspectives of security and confidentiality. Current exhaustive attacks and chosen ciphertext attacks do not reduce the security of this scheme, and the two communicating parties can share a secret session key over an insecure public channel. This paper stores the key (public key, private key) through an improved key storage method, reducing the key storage space, and provides a practical lightweight key exchange scheme for the coming 5G era, further improving the transmission rate of information and data and making channel transmission in the high-speed and intelligent 5G era safer and more efficient.
