
Table of Contents

    10 July 2020, Volume 20 Issue 7

    Context-based Attack Scenario Reconstruction Model for IDS Alarms
    JIANG Nan, CUI Yaohui, WANG Jian, WU Jinchao
    2020, 20 (7):  1-10.  doi: 10.3969/j.issn.1671-1122.2020.07.001

    An intrusion detection system (IDS) is a key component of a network security defense strategy. However, in today's huge and complex network environments, and with the increasing scale of network attacks, IDSs suffer from problems such as the poor readability of very large alarm volumes, which greatly reduces their usability. This paper proposes an attack scenario reconstruction method for real IDS alarm data streams. From the attacker's perspective, a complete multi-step attack behavior is defined as an attack event. Parallel events in the alarm stream are separated by a dynamic time window mechanism supplemented by similarity judgment of alarm context features; the attack within each event is decomposed by extracting the attack paths visible at the IP layer; and the attacker's attack-type transition sequence on each path is then obtained for causality knowledge mining, which intuitively displays the attacker's multi-step attack scenario. Experimental results show that the method completely captures the attack events in the alarm data stream and displays multi-step attack behavior accurately and intuitively, which effectively improves the practical usability of IDS.
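A worked example, added here and not taken from the paper: a simplified version of the event-separation and path-extraction steps in Python. The alarm stream is constructed; the window rule (a base of 120 s per alarm already in the event, capped at 600 s) and the context test (sharing an endpoint IP with the event) are my own stand-ins for the paper's dynamic time window and context-feature similarity, chosen to show the behaviour rather than to reproduce the authors' parameters.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed alarm stream (not from the paper): timestamps in seconds,
# IP-layer endpoints and a coarse alarm type as an IDS would emit it.
ALARMS = [
    {"ts": 0,   "src": "10.0.0.5",     "dst": "192.168.1.10", "type": "PORT_SCAN"},
    {"ts": 5,   "src": "10.0.0.5",     "dst": "192.168.1.10", "type": "PORT_SCAN"},
    {"ts": 30,  "src": "10.0.0.5",     "dst": "192.168.1.10", "type": "WEB_SHELL_UPLOAD"},
    {"ts": 32,  "src": "172.16.3.7",   "dst": "192.168.1.50", "type": "SSH_BRUTE_FORCE"},
    {"ts": 60,  "src": "192.168.1.10", "dst": "192.168.1.20", "type": "SMB_EXPLOIT"},
    {"ts": 900, "src": "10.0.0.5",     "dst": "192.168.1.30", "type": "PORT_SCAN"},
]

BASE_WINDOW = 120  # seconds per alarm already in the event (assumed parameter)
MAX_WINDOW = 600   # cap so a long-running event cannot absorb unrelated alarms


def window_for(event: dict) -> int:
    """Dynamic time window: widens as the event accumulates alarms, up to a cap."""
    return min(BASE_WINDOW * len(event["alarms"]), MAX_WINDOW)


def context_match(event: dict, alarm: dict) -> bool:
    """Context similarity reduced to its simplest form: the alarm shares an
    endpoint with the event, so a pivot from a compromised host stays in it."""
    return alarm["src"] in event["hosts"] or alarm["dst"] in event["hosts"]


def reconstruct_events(alarms: List[dict]) -> List[dict]:
    """Split the alarm stream into attack events; parallel events interleaved
    in time end up in separate buckets because their contexts do not match."""
    events: List[dict] = []
    for alarm in sorted(alarms, key=lambda a: a["ts"]):
        target = None
        for ev in events:
            still_open = alarm["ts"] - ev["last_ts"] <= window_for(ev)
            if still_open and context_match(ev, alarm):
                target = ev
                break
        if target is None:
            target = {"alarms": [], "hosts": set(), "last_ts": alarm["ts"]}
            events.append(target)
        target["alarms"].append(alarm)
        target["hosts"].update((alarm["src"], alarm["dst"]))
        target["last_ts"] = alarm["ts"]
    return events


def attack_paths(event: dict) -> Dict[Tuple[str, str], List[str]]:
    """Per IP-layer path (src, dst), the attack-type transition sequence,
    with consecutive repeats of the same type collapsed."""
    paths: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for alarm in event["alarms"]:
        seq = paths[(alarm["src"], alarm["dst"])]
        if not seq or seq[-1] != alarm["type"]:
            seq.append(alarm["type"])
    return dict(paths)


if __name__ == "__main__":
    for i, ev in enumerate(reconstruct_events(ALARMS), 1):
        print(f"event {i}: {len(ev['alarms'])} alarms, hosts={sorted(ev['hosts'])}")
        for (src, dst), seq in attack_paths(ev).items():
            print(f"  {src} -> {dst}: {' -> '.join(seq)}")
```

The SSH brute-force alarm at t=32 s arrives inside the first event's window but lands in its own event because it shares no endpoint, while the SMB alarm from 192.168.1.10 at t=60 s is pulled into the first event as a pivot; the per-path sequences then read as the multi-step scenario 10.0.0.5 -> 192.168.1.10 -> 192.168.1.20, which is what the scenario display is meant to surface.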

    Low-latency Optimal Orchestration of Containerized Security Service Function Chain
    XU Yuwei, ZHAO Baokang, SHI Xiangquan, SU Jinshu
    2020, 20 (7):  11-18.  doi: 10.3969/j.issn.1671-1122.2020.07.002

    The development of cloud computing brings the need for virtualized security services. Building service function chains (SFCs) on NFV/SDN technology is an important way to meet the demand for virtualized security services in data centers, and containerization has become the latest trend in security SFC orchestration. Traditional security SFC orchestration algorithms assume virtual machine architectures; they cannot meet requirements for light weight, low latency and flexibility, and do not fully exploit the performance advantages of a containerized NFV platform. This paper constructs an orchestration model for a containerized NFV platform, analyzes the network latency optimization goal of security SFCs, and studies the approximate local optimization property under a flat network topology. It proposes a latency optimal placement (LOP) algorithm, which handles each security SFC request as a multi-stage decision: in each stage, the physical host that can hold the maximum number of consecutive VNFs is selected, minimizing the cross-host latency of each security SFC. Simulation experiments and comparative analysis show that, compared with the MINI algorithm that maximizes resource utilization, LOP achieves the latency-reduction goal and also reduces the resource consumption of placing the security SFC.
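An added example (not the authors' code) of the stage-wise selection rule as I read it from the abstract, in Python with constructed host capacities and a constructed chain. A generic best-fit heuristic stands in for the utilization-maximizing comparison; it is not the MINI algorithm, only a way to show why placing VNFs one at a time by slack scatters a chain across hosts.

```python
from typing import Dict, List, Tuple

# Constructed inputs (not from the paper): free CPU units per physical host,
# and the CPU demand of each VNF in chain order (e.g. firewall, IDS, DPI, WAF, NAT).
HOSTS: Dict[str, int] = {"h1": 4, "h2": 6, "h3": 3}
CHAIN: List[int] = [2, 2, 1, 3, 1]

Placement = List[Tuple[int, str]]  # (vnf index, host)


def consecutive_fit(free: int, chain: List[int], start: int) -> int:
    """Number of consecutive VNFs from chain[start:] that fit into `free` units."""
    n = used = 0
    for demand in chain[start:]:
        if used + demand > free:
            break
        used += demand
        n += 1
    return n


def place_lop(hosts: Dict[str, int], chain: List[int]) -> Placement:
    """Latency-first greedy: at each stage pick the host that can absorb the
    longest run of consecutive VNFs, so the chain crosses hosts as rarely as possible."""
    free = dict(hosts)
    placement: Placement = []
    i = 0
    while i < len(chain):
        best_host, best_n = None, 0
        for host, cap in free.items():
            n = consecutive_fit(cap, chain, i)
            if n > best_n:
                best_host, best_n = host, n
        if best_host is None:
            raise RuntimeError(f"VNF {i} (demand {chain[i]}) fits on no host")
        for j in range(i, i + best_n):
            placement.append((j, best_host))
            free[best_host] -= chain[j]
        i += best_n
    return placement


def place_best_fit(hosts: Dict[str, int], chain: List[int]) -> Placement:
    """Utilization-first baseline (generic best-fit, not the paper's MINI algorithm):
    each VNF goes to the host that would be left with the least slack."""
    free = dict(hosts)
    placement: Placement = []
    for j, demand in enumerate(chain):
        candidates = [h for h, cap in free.items() if cap >= demand]
        if not candidates:
            raise RuntimeError(f"VNF {j} (demand {demand}) fits on no host")
        host = min(candidates, key=lambda h: free[h] - demand)
        placement.append((j, host))
        free[host] -= demand
    return placement


def cross_host_hops(placement: Placement) -> int:
    """In a flat topology every host boundary along the chain costs one inter-host hop."""
    return sum(1 for a, b in zip(placement, placement[1:]) if a[1] != b[1])


if __name__ == "__main__":
    for name, fn in (("LOP", place_lop), ("best-fit", place_best_fit)):
        p = fn(HOSTS, CHAIN)
        print(f"{name}: {[h for _, h in p]} cross-host hops={cross_host_hops(p)}")
```

On this input the stage-wise rule places the first three VNFs on h2 and the last two on h1 (one cross-host hop), while best-fit by slack spreads the same chain over h3, h1, h3, h2, h1 (four hops); the latency difference grows with the per-hop RTT of the underlay.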

    Java Deserialization Vulnerability Gadget Chain Discovery Method Based on Bytecode Search
    DU Xiaoyu, YE He, WEN Weiping
    2020, 20 (7):  19-29.  doi: 10.3969/j.issn.1671-1122.2020.07.003

    Deserialization vulnerabilities have been a hotspot of application security research in recent years. As the functionality of Java class libraries is continually updated and expanded, the potential scope of deserialization vulnerabilities keeps growing. Discovering deserialization vulnerabilities manually requires a lot of time to screen candidates and construct the gadget chain. This paper introduces the principle of Java deserialization vulnerabilities, common scenarios, and how gadget chains are constructed, and, combining this with common vulnerability discovery methods, proposes a method to discover gadget chains, implemented as a gadget chain discovery tool, Zero Gadget. The method uses taint analysis and symbolic execution to generate the gadget tree from the deserialization entry point to the dangerous function, and uses a depth-first search over the gadget tree to generate the corresponding gadget chains. Common Java base libraries are selected to test the effectiveness of gadget chain discovery. Experimental results show that the method successfully discovers potential gadget chains with a high accuracy rate, which is of positive significance for automatic discovery of deserialization gadget chains.
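An added example, not the Zero Gadget tool itself: a depth-first search over a constructed, taint-annotated call graph with hypothetical class names, in Python. The graph plays the role of what a bytecode scan plus taint analysis would produce; the search keeps only paths on which attacker-controlled data survives every hop, which is what separates a gadget chain from an ordinary call path that merely reaches a dangerous function.

```python
from typing import Dict, List, Set, Tuple

# Constructed call graph standing in for what a bytecode scan would produce
# (class names are hypothetical). Each edge is (callee, tainted): tainted is True
# when data from the deserialized object reaches the callee's receiver or arguments.
CALL_GRAPH: Dict[str, List[Tuple[str, bool]]] = {
    "Entry.readObject":           [("MapWrapper.hashCode", True), ("Logger.log", False)],
    "MapWrapper.hashCode":        [("LazyLookup.get", True)],
    "LazyLookup.get":             [("ChainedTransform.transform", True), ("Cache.put", True)],
    "ChainedTransform.transform": [("ReflectiveInvoke.transform", True),
                                   ("ChainedTransform.transform", True)],  # recursive gadget
    "ReflectiveInvoke.transform": [("java.lang.reflect.Method.invoke", True)],
    "Cache.put":                  [],
    "Logger.log":                 [("java.lang.Runtime.exec", False)],  # hard-coded argument
}

# Deserialization entry points and dangerous functions (sinks).
ENTRY_POINTS = ["Entry.readObject"]
SINKS: Set[str] = {
    "java.lang.reflect.Method.invoke",
    "java.lang.Runtime.exec",
    "java.lang.ProcessBuilder.start",
}


def find_gadget_chains(graph: Dict[str, List[Tuple[str, bool]]], entries: List[str],
                       sinks: Set[str], require_taint: bool = True,
                       max_depth: int = 10) -> List[List[str]]:
    """Depth-first search of the gadget tree rooted at each entry point.
    A path is reported only if every hop carries attacker-controlled data
    (when require_taint is set); revisiting a method already on the path is
    pruned so recursive gadgets cannot loop the search."""
    chains: List[List[str]] = []

    def dfs(node: str, path: List[str]) -> None:
        if node in sinks:
            chains.append(list(path))
            return
        if len(path) > max_depth:
            return
        for callee, tainted in graph.get(node, []):
            if (require_taint and not tainted) or callee in path:
                continue
            path.append(callee)
            dfs(callee, path)
            path.pop()

    for entry in entries:
        dfs(entry, [entry])
    return chains


def format_chain(chain: List[str]) -> str:
    return " -> ".join(chain)


if __name__ == "__main__":
    for c in find_gadget_chains(CALL_GRAPH, ENTRY_POINTS, SINKS):
        print(format_chain(c))
    untainted = find_gadget_chains(CALL_GRAPH, ENTRY_POINTS, SINKS, require_taint=False)
    print("candidates without the taint filter:", len(untainted))
```

With the taint filter the search reports exactly one chain, readObject through the hashCode and lazy-lookup gadgets to Method.invoke; without it the Logger.log path to Runtime.exec is also reported even though its command string is fixed, which is the kind of false positive a reachability-only scan produces.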

    Android Malicious Process Identification Method Based on Abnormal Encrypted Traffic Annotation
    XU Guotian
    2020, 20 (7):  30-41.  doi: 10.3969/j.issn.1671-1122.2020.07.004

    Existing Android malicious sample analysis methods need to obtain the sample program to be checked in advance. When the object to be checked is an Android smart terminal rather than a sample program, it is impossible to determine which process on the terminal is the malicious process to be checked, which limits the effective application of sample analysis. Existing detection methods for malicious encrypted traffic achieve high recognition accuracy, but cannot establish the mapping between malicious traffic and malicious processes on the Android terminal: which process generated the malicious encrypted traffic cannot be determined, so the malicious process cannot be located. To solve these problems, this paper proposes an Android malicious process identification method based on anomalous encrypted traffic annotation. By monitoring the network communication data generated by the Android terminal, DNS characteristics, TLS handshake negotiation characteristics and flow statistical characteristics are extracted, and a binary classifier based on the random forest algorithm identifies malicious encrypted communication flows. Then, using the flow 5-tuple, a one-to-one mapping is established between each malicious encrypted communication flow and an Android terminal process, which pins down the location of the malicious process on the terminal. Experimental results show that the detection accuracy of the proposed method for unknown malicious encrypted traffic in a complex network environment is 97.46%, and that malicious processes on Android terminals can be located from the detected malicious encrypted data flows.
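The abstract does not say how the 5-tuple is tied to a process. As an added example, not the paper's method, the following Python uses the standard Linux mechanism that Android inherits: /proc/net/tcp lists each socket's local and remote address (IPv4 as little-endian hex, port as big-endian hex) together with its inode, and the entries under /proc/<pid>/fd that read socket:[inode] tie that inode to a process, whose /proc/<pid>/cmdline on Android is normally the package name. All inputs below are constructed.

```python
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, int, str, int]  # (proto, src_ip, src_port, dst_ip, dst_port)

# Constructed /proc/net/tcp excerpt (not a real capture). Column 10 is the
# socket inode that ties the entry to a process's file descriptor.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0F02000A:A112 077100CB:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 55555 1 0000000000000000 20 4 30 10 -1
   1: 0F02000A:9C40 0A00000A:0050 01 00000000:00000000 00:00000000 00000000 10045        0 66666 1 0000000000000000 20 4 30 10 -1
"""

# Constructed view of /proc/<pid>/fd: readlink() targets for each open descriptor,
# plus the package name that /proc/<pid>/cmdline would report (hypothetical names).
PROC_FDS: Dict[int, List[str]] = {
    1234: ["/dev/null", "socket:[55555]", "/data/data/com.example.suspicious/files/log"],
    777:  ["socket:[66666]"],
}
PROC_CMDLINE: Dict[int, str] = {1234: "com.example.suspicious", 777: "com.android.chrome"}


def decode_addr(field: str) -> Tuple[str, int]:
    """'0F02000A:A112' -> ('10.0.2.15', 41234)."""
    ip_hex, port_hex = field.split(":")
    octets = bytes.fromhex(ip_hex)[::-1]  # undo the little-endian byte order
    return ".".join(str(b) for b in octets), int(port_hex, 16)


def socket_table(proc_net_tcp: str, proto: str = "tcp") -> Dict[Flow, int]:
    """Map each live socket's 5-tuple to its inode."""
    table: Dict[Flow, int] = {}
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        local_ip, local_port = decode_addr(fields[1])
        remote_ip, remote_port = decode_addr(fields[2])
        table[(proto, local_ip, local_port, remote_ip, remote_port)] = int(fields[9])
    return table


def inode_owners(proc_fds: Dict[int, List[str]]) -> Dict[int, int]:
    """Invert the fd tables: socket inode -> pid."""
    owners: Dict[int, int] = {}
    for pid, links in proc_fds.items():
        for target in links:
            if target.startswith("socket:[") and target.endswith("]"):
                owners[int(target[8:-1])] = pid
    return owners


def flow_to_process(flow: Flow, proc_net_tcp: str = PROC_NET_TCP,
                    proc_fds: Dict[int, List[str]] = PROC_FDS,
                    cmdline: Dict[int, str] = PROC_CMDLINE) -> Optional[Tuple[int, str]]:
    """Resolve a flagged outbound flow to (pid, package); None if no socket matches."""
    inode = socket_table(proc_net_tcp).get(flow)
    if inode is None:
        return None
    pid = inode_owners(proc_fds).get(inode)
    if pid is None:
        return None
    return pid, cmdline.get(pid, "?")


if __name__ == "__main__":
    flagged: Flow = ("tcp", "10.0.2.15", 41234, "203.0.113.7", 443)
    print(flagged, "->", flow_to_process(flagged))
```

Two practical caveats: the socket must still be open when the lookup runs, so the /proc snapshot has to be taken while the flagged flow is live, and since Android 10 unprivileged apps can no longer read /proc/net, so on a modern device this lookup needs a root or adb shell (IPv6 flows live in /proc/net/tcp6 with 32-hex-digit addresses and need a separate decoder).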

    A Host Fingerprint Anti-detection Model Based on SDN
    ZHANG Tao, LU Bing, LI Ding, HE Kang
    2020, 20 (7):  42-52.  doi: 10.3969/j.issn.1671-1122.2020.07.005

    Aiming at the difficulty of defending against host fingerprinting, a host fingerprint anti-detection model based on SDN is proposed. The model constructs virtual nodes that carry fake fingerprint information; by identifying fingerprint probes and constructing response messages according to a fingerprint template, it deceives fingerprinting attackers. Honeypot mapping and traffic traction techniques are then proposed: combined with honeypots, attack traffic directed at a virtual node is redirected to a honeypot, enabling capture and analysis of the attack behavior. To analyze the benefit of the model for network security, a probabilistic model of its defense effectiveness is established, and the influence of parameters such as the number of detection attempts, the number of virtual nodes, the number of honeypot mapping rules, the number of allowable losses, the virtual node spoofing rate and the honeypot detection rate on the probability of attack success is quantified. Finally, DPDK is used to build a prototype system on the x86 platform. Experimental results show that the proposed model achieves a higher deception success rate than the typical anti-fingerprinting tool IPMorph, with an additional performance overhead of less than 5%.

    Research on Key Technologies of Security Situation Assessment for the Virtual Layer of Cloud Platform
    YU Qing, ZHENG Chonghui, DU Ye
    2020, 20 (7):  53-59.  doi: 10.3969/j.issn.1671-1122.2020.07.006

    As attacks on and damage to cloud platforms increase, the security guarantee mechanism of cloud platforms has shifted from traditional passive protection to active defense. Situation assessment is a method that actively analyzes and evaluates the current security risk status of a cloud platform, and is a key part of the overall situation awareness process. Targeting the large number of virtual machines deployed in cloud platforms, and on the basis of analyzing and extracting the elements of virtual-layer security situation assessment, this paper proposes an improved adaptive genetic simulated annealing algorithm, OAGSAA, and applies it to a BP neural network, which can effectively analyze and evaluate the security status of the virtual layer. Simulation results show that the method has higher prediction accuracy and faster convergence, and avoids falling into local minima.

    Research on Android Application DEX File Protection Method
    YUAN Xiaoxiao, LUO Senlin, YANG Peng
    2020, 20 (7):  60-69.  doi: 10.3969/j.issn.1671-1122.2020.07.007

    Aiming at the problems that existing DEX file protection methods find it difficult to resist dynamic recovery attacks and are not compatible with the ART virtual machine, a DEX file protection method based on function extraction and implicit recovery is proposed. The method first extracts the key functions from the DEX file; then reconstructs, encrypts, renames and hides the DEX file; then adds the shell by modifying the app's startup entry and replacing the smali file; and finally adds the repair SO library to complete the reinforcement of the APK. When the application starts, the shell program decrypts and obtains the original DEX file and loads the parsed original DEX into memory. Finally, the hardened functions are repaired separately for the Dalvik and ART virtual machines, and the application's internal logic executes normally. DEX files from a self-developed APK are used as experimental subjects. Experimental results show that the proposed method effectively resists static analysis and dynamic recovery attacks, is compatible with both virtual machines, and adds only a constant increment to function running time.

    Intrusion Detection of ICS Based on Improved Border-SMOTE for Unbalance Data
    ZHANG Xiaoyu, WANG Huazhong
    2020, 20 (7):  70-76.  doi: 10.3969/j.issn.1671-1122.2020.07.008

    In real industrial environments, the imbalance between normal and abnormal samples results in a low recognition rate for the minority abnormal samples, whereas an intrusion detection model for an industrial control system (ICS) cares especially about the detection rate of abnormal samples. This paper therefore proposes a Border-SMOTE algorithm that introduces an adaptive idea and generates minority-class samples reasonably according to the sample distribution in the border area. Results on UCI imbalanced data sets show the effectiveness of the improved algorithm. When constructing the ICS intrusion detection model, the original data is preprocessed with the improved Border-SMOTE, and after reasonable attack data has been synthesized, TWSVM is used as the classifier to identify attack data. Experimental results on the imbalanced industrial control data set SWaT show that the proposed model improves the ability to identify attack samples.

    Research on Captcha Recognition of Lightweight Convolutional Neural Network with Gabor
    LIU Jing, ZHANG Xueqian, LIU Quanming
    2020, 20 (7):  77-84.  doi: 10.3969/j.issn.1671-1122.2020.07.009

    As a widely used verification method, the captcha effectively verifies users logging in, which is of great significance to network security. To address the large parameter count and high training cost of convolutional neural networks, this paper proposes a captcha recognition method that combines Gabor features with a convolutional neural network for recognition and classification. The Gabor operator extracts detailed features as the input of the convolutional neural network, and improved depthwise separable convolutions obtain features at different scales and increase the model's discriminative power. Experimental results show that the improved convolutional neural network reaches an average captcha recognition accuracy of about 98%, which is of practical significance.

    Analysis and Research on Vulnerability of Docker Container Isolation in Cloud Environment
    BIAN Manlin, WANG Liming
    2020, 20 (7):  85-95.  doi: 10.3969/j.issn.1671-1122.2020.07.010

    Cloud computing is another innovative concept that emerged after the Internet and the computer in the information age. The future development of emerging technologies such as big data, the Internet of Things and 5G communications cannot be separated from the support of cloud computing, and virtualization is one of the key technologies supporting it. Existing virtualization methods are mainly divided into virtual machine-based virtualization and container-based virtualization. With the advent of Docker, container technology has become more popular in cloud services. Compared with traditional virtual machines, Docker containers are significantly more lightweight and higher-performing. However, Docker achieves isolation in software, which is weaker than the isolation of virtual machines, so Docker faces more serious security issues. Poor isolation has become one of the main security challenges faced by Docker and seriously affects the further adoption and development of container technology, so the study of container isolation security is of great significance. This paper studies the security issues caused by the weak isolation of Docker in cloud environments. We analyze the Docker container isolation mechanism, and the results show that some pseudo file systems in Docker are not isolated: host-related information can be obtained through the non-isolated pseudo file systems, causing host information leakage. In addition, through experiments, this paper further shows that once host information leakage is exploited by an attacker, it can lead to security issues such as co-residence of malicious containers and DoS attacks on co-resident containers, which pose a serious threat to legitimate co-resident container services.
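A concrete check, added here and not taken from the paper's experiments: inside a container, /proc/meminfo is not namespaced, so a MemTotal larger than the container's own cgroup memory limit is host information showing through the pseudo file system. The Python below runs the comparison on constructed samples and, when the files exist, on the live system; the cgroup file paths are the standard v1 and v2 locations.

```python
import os
from typing import Dict, Optional

# Constructed samples (not measurements from the paper): what /proc/meminfo shows
# inside a container versus the container's own cgroup memory limit.
SAMPLE_MEMINFO = """\
MemTotal:       32768000 kB
MemFree:        12000000 kB
MemAvailable:   20000000 kB
"""
SAMPLE_CGROUP_LIMIT = "536870912\n"  # 512 MiB, cgroup v1 memory.limit_in_bytes format

# Where the container's own limit lives, depending on the cgroup version.
CGROUP_LIMIT_FILES = (
    "/sys/fs/cgroup/memory/memory.limit_in_bytes",  # cgroup v1
    "/sys/fs/cgroup/memory.max",                    # cgroup v2
)


def parse_meminfo(text: str) -> Dict[str, int]:
    """Return /proc/meminfo fields in bytes."""
    fields: Dict[str, int] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, rest = line.split(":", 1)
        parts = rest.split()
        if parts and parts[0].isdigit():
            scale = 1024 if len(parts) > 1 and parts[1] == "kB" else 1
            fields[key.strip()] = int(parts[0]) * scale
    return fields


def parse_cgroup_limit(text: str) -> Optional[int]:
    """None means 'no limit': v2 writes 'max', v1 writes a value near 2**63."""
    value = text.strip()
    if value in ("", "max"):
        return None
    n = int(value)
    return None if n >= 2 ** 62 else n


def meminfo_leaks_host(meminfo_text: str, cgroup_limit_text: str) -> Dict[str, Optional[int]]:
    """Compare what the pseudo file claims with what the container may actually use.
    MemTotal above the cgroup limit means /proc/meminfo is reporting host memory."""
    total = parse_meminfo(meminfo_text)["MemTotal"]
    limit = parse_cgroup_limit(cgroup_limit_text)
    return {"meminfo_total": total, "cgroup_limit": limit,
            "host_leak": limit is not None and total > limit}


def check_live() -> Optional[Dict[str, Optional[int]]]:
    """Run the same check on the real files; None if they are absent (non-Linux host)."""
    if not os.path.exists("/proc/meminfo"):
        return None
    limit_text = "max"
    for path in CGROUP_LIMIT_FILES:
        if os.path.exists(path):
            with open(path) as f:
                limit_text = f.read()
            break
    with open("/proc/meminfo") as f:
        return meminfo_leaks_host(f.read(), limit_text)


if __name__ == "__main__":
    print("sample:", meminfo_leaks_host(SAMPLE_MEMINFO, SAMPLE_CGROUP_LIMIT))
    print("live:", check_live())
```

The check is inconclusive for a container with no memory limit, since there is then nothing to compare against; the same gap exists for /proc/cpuinfo, /proc/stat and /proc/loadavg, and the usual mitigation is LXCFS, which serves per-cgroup views of these files over FUSE so that a container sees its own limits rather than the host's totals.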
