Table of Contents

    10 December 2021, Volume 21 Issue 12

    Domain-Flux Malicious Domain Name Detection and Analysis Based on HMM
    GUO Xiangmin, LIANG Guangjun, XIA Lingling
    2021, 21 (12):  1-8.  doi: 10.3969/j.issn.1671-1122.2021.12.001

    With the widespread use of domain generation algorithms (DGAs) to generate large numbers of random domain names in order to evade detection, botnets have become the primary threat to network security today. Research on DGA domain name identification methods is therefore of practical significance for countering malicious programs, fighting botnets and ensuring information security. This paper designed a DGA domain name detection and analysis framework based on the ELK big data platform. After studying existing DGA domain name identification methods such as blacklists, this paper collected the request query logs of a DNS business system. By applying a hidden Markov model to perform cluster analysis on malicious domain names, DGA domain names could be judged, and further ideas could be provided for evidence collection and source tracing of botnets and other cyber-attacks. Experimental results show that the lightweight detection classifier used in this paper distinguishes normal domain names from malicious domain names more clearly.

    Malware Detection Method Based on Improved Harris Hawks Optimization Synchronization Optimization Feature Selection
    XU Guotian, LIU Mengmeng
    2021, 21 (12):  9-18.  doi: 10.3969/j.issn.1671-1122.2021.12.002

    Aiming at the difficulty of feature selection and model parameter tuning in the field of malware detection, a malware detection method based on improved Harris Hawks Optimization (HHO) with synchronous feature selection is proposed. An adaptive elite opposition-based learning strategy, a circle chaos energy factor and a random-dimension quantum rotation gate mutation strategy are introduced into the HHO algorithm to enhance its global exploration and local exploitation ability and to improve the convergence accuracy and stability of the algorithm. The improved Harris Hawks Optimization (IHHO) algorithm is then combined with Extreme Gradient Boosting (XGBoost) to simultaneously optimize the classification parameters and perform feature selection, in order to build a malware detection model based on network traffic characteristics. Finally, the improved algorithm is used to extract a feature subset and optimize the model parameters on the CICInvesAndMal2019 dataset. The results show that IHHO can select a higher quality feature subset and improve the classification ability of the malware detection model.

    The Digital File Confidential Cabinet Based on Symmetric Encryption
    WANG Wei, HUANG Shuhua
    2021, 21 (12):  19-24.  doi: 10.3969/j.issn.1671-1122.2021.12.003

    Information security has become a heated topic in the field of computer science. In order to help computer users and managers protect their data better, this paper proposed a confidentiality mechanism for digital files. A digital file confidential cabinet based on a symmetric encryption algorithm was designed to protect local files from illegal acquisition by unauthorized persons. The digital file confidential cabinet provides a more secure protection mechanism for users: a user can read and write a file transparently while the file is encrypted at the same time. To protect sensitive files from being maliciously copied and transferred, files located in the digital file confidential cabinet can only be used on the local computer, and errors occur when they are used remotely. The digital file confidential cabinet spares users the safety management of individual files, simplifies the use of encryption software, and provides good resistance against cracking. It provides independent security that does not rely on third parties, and also plays a positive role in promoting security during the development of the public security intranet.

    Analysis on Characteristics of Victims of Telecom Network Fraud Based on Bayesian Network
    LUO Wenhua, ZHANG Yaowen
    2021, 21 (12):  25-30.  doi: 10.3969/j.issn.1671-1122.2021.12.004

    As telecom network fraud is a typical non-contact crime, its prevention and control emphasizes the combing and analysis of victim characteristics. However, most existing research results address only a single characteristic of victims and rely on a small number of cases, which makes it difficult to fully and deeply reflect the characteristics and laws, and limits their application. This paper took the personal characteristics and case characteristics of telecom network fraud victims as indicators, constructed a Bayesian network and established a victim characteristic analysis model. Then, starting from the types of cases, this paper discussed the vulnerable groups; starting from the characteristic population, it expounded the types of fraud they are susceptible to.

    Adjoint Relation Mining Model of Key Personnel Based on Discrete Trajectory
    KANG Wenjie, ZHAO Wei, LIU Xuchong, SU Xin
    2021, 21 (12):  31-37.  doi: 10.3969/j.issn.1671-1122.2021.12.005

    This paper proposes a method for mining the adjoint relations of key personnel based on discrete space trajectory matrix analysis. A mapping matrix between people and addresses is constructed for discrete space trajectories. Adjoint relations are identified through correlation analysis of the personnel-address relationship matrix, and discrete spatio-temporal trajectories are constructed. An adjoint relationship mining model based on effective distance judgments can mine the adjoint relationships of key personnel through features such as distance, time and space. The experimental results show that the analysis method based on the discrete space trajectory matrix can quickly identify people who have an adjoint relationship within a crowd; given a certain key person, it can quickly find the people who have an adjoint relationship with them, and these people are sorted by the number of adjoint occurrences, which is convenient for security personnel to trace and track in the future. In addition, the number of adjoint pairs is directly proportional to the effective distance to a certain extent, and the number of adjoint pairs is positively correlated with the amount of data.

    Research on Forensics Technology of Malicious Code Based on Deleted PE File Header
    LI Pengchao, LIU Yanfei
    2021, 21 (12):  38-43.  doi: 10.3969/j.issn.1671-1122.2021.12.006

    In particular, malware removes the headers of executable files and copies them to memory pages with execute protection, to prevent code exposure during memory forensic analysis. This paper proposed a method to detect executable files without headers by searching for the Section table in the memory dump. To this end, this paper explores Section header signatures and checks whether the offset intervals among them are a multiple of the Section header size in order to detect Section tables. The non-private pages with execute protection in the Virtual Address Descriptor (VAD) tree, which are highly likely to be used by malicious code to hide, are selected and scanned for Section tables. In addition, this paper verified the detection performance by implementing the proposal as a plug-in that can be executed in the Volatility 3 framework and analyzing the memory of a system infected with Ursnif.

    Research on iPhone Forensic Method Based on Checkm8 Vulnerability
    CHEN Guangxuan, WU Jiajian, CAO Danni, XIE Qingquan
    2021, 21 (12):  44-50.  doi: 10.3969/j.issn.1671-1122.2021.12.007

    The Checkm8 vulnerability is a hardware vulnerability in the device firmware upgrade (DFU) mode of iPhone firmware. This paper proposed a method of using the Checkm8 vulnerability to bypass password verification and extract iPhone data, and demonstrated the exploitation of the vulnerability, digital data mining and extraction, data decryption analysis and evidence display. At the same time, heap vulnerabilities were utilized to escalate to the highest privilege and obtain port communication and transmission privileges on an iPhone in the locked state, which could solve the problem of data extraction in the absence of a password. This method has high practical value for forensic science.

    Reputation Evaluation Model in Social Network Based on Information Behavior
    XIONG Jianying
    2021, 21 (12):  51-59.  doi: 10.3969/j.issn.1671-1122.2021.12.008

    In order to promote the self-discipline and autonomy of social network users and improve the credibility of social networks, a dynamic reputation evaluation method based on the supervision of and feedback on user information behavior is studied. The comprehensive reputation consists of identity reputation and behavior reputation; an evaluation period is set for a new node, with an update mechanism for each stage. Identity reputation is calculated from information disclosure and network characteristics; behavior reputation is calculated from information release and forwarding, and rewards or punishments are given for the self-correction of information behavior or the blocking of bad information. The simulation results show that, compared with the traditional trust evaluation mechanism, reward and punishment guidance can improve the accuracy of reputation evaluation. Reputation incentives can also inhibit the interaction of bad information.

    Research on Authentication Method of WeChat Evidence
    NI Xueli, WANG Qun, LIANG Guangjun
    2021, 21 (12):  60-69.  doi: 10.3969/j.issn.1671-1122.2021.12.009

    In recent years, WeChat evidence has appeared increasingly frequently in court trials. Compared with traditional evidence, the authenticity of WeChat evidence is questioned due to the virtuality of its subject and content. Existing WeChat evidence review practice lacks clear rules, and the distinguishing technology is not perfect. Based on the characteristics of WeChat accounts and the storage and encryption principles of the WeChat database, this paper proposed an authentication model for WeChat evidence. The model creatively combined legal dimensions with the authentication of the subject, the integrity of the message, the authentication of the content and so on. Furthermore, this model covered the whole process of evidence preservation, analysis and identification, reflecting the effective combination of procedural rules and technical measures. Finally, a tamper detection experiment on WeChat messages based on the WeChat Index database was carried out to verify the correctness and feasibility of the model.

    Revocable Encryption Scheme Based on Accountability Attribute under Cloud Data
    ZHANG Shuqing, CAI Zhiwen
    2021, 21 (12):  70-77.  doi: 10.3969/j.issn.1671-1122.2021.12.010

    In view of the problem that most encryption schemes for current cloud big data over-rely on bilinear mapping for decryption and have low decryption efficiency, a revocable encryption scheme based on accountability attributes was proposed. Firstly, the scheme adopted a single attribute authority architecture; the decryption process no longer depended on bilinear mapping, and the decryption overhead was reduced. Secondly, an attribute revocation mechanism based on the attribute group idea was established, reducing the computational complexity of ciphertext re-encryption. Thirdly, the accountability list was constructed with authoritative attributes, and user information was embedded in the private key; with the help of a decryption-side user information verification mechanism, malicious users could be held accountable quickly. Finally, the performance of this encryption scheme was compared with four other similar encryption schemes. The results show that, compared with the other four schemes, this encryption scheme not only realizes the immediate revocation of attributes and the accountability of malicious users, but also greatly reduces the revocation and decryption overhead.

    Research on Security Evaluation Index System for Video Monitoring Network
    GAO Jian, WANG Kaiyue, HUANG Shuhua
    2021, 21 (12):  78-85.  doi: 10.3969/j.issn.1671-1122.2021.12.011

    Video monitoring networks play an important role in maintaining national security, and attacks against them are increasing. By studying a security evaluation index system and evaluation model for video monitoring networks, this paper proposed to transform the traditional system-oriented and equipment-oriented security evaluation into an evaluation method based on capability verification, and subdivided the video monitoring network into five capabilities: access sensing, internal and external sensing, threat blocking, data encryption and attack immunity. The corresponding collection indexes for each capability index were put forward. AHP was used to determine the weight of each evaluation index, and each evaluation index was quantified. Finally, the model was applied to the inspection results of video monitoring networks in two cities in 2018. The quantitative score reflects the network security state of a video monitoring network intuitively and scientifically.

    An Encryption Algorithm for Police Image
    HU Gangyi, PENG Jin
    2021, 21 (12):  86-90.  doi: 10.3969/j.issn.1671-1122.2021.12.012

    This paper proposes a police image encryption algorithm based on the combination of asymmetric encryption and cellular neural network encryption. It uses the chaotic random sequence generated by the chaotic system of cellular neural networks to encrypt the police image, and uses an asymmetric encryption algorithm to protect the input key value of the chaotic system. The experimental results show that this algorithm is simple and has a large key space with strong key sensitivity. It offers high security and high robustness for the encryption and protection of police images, and has good prospects for application.

    The Security Risk Analysis Method for Video Private Network Based on Bayesian Network
    ZHU Rongchen, LI Xin, LIN Xiaonuan
    2021, 21 (12):  91-101.  doi: 10.3969/j.issn.1671-1122.2021.12.013

    The public security video private network is a special network established by the public security department for the networking and application of video surveillance systems, and is a means of improving the efficiency of public security work and assisting in the detection of cases. Effective assessment can guide the allocation of security protection resources and address shortcomings. At present, there is insufficient research on the security risk assessment of the public security video private network. This paper proposed a method for evaluating the security risk of a video private network, which considered the risk from the perspectives of the security situation of the private video network, the level of security protection and the consequences of security incidents. With the help of Bayesian networks, event trees and fuzzy set theory, the risk factors were summarized in a fine-grained manner, and the risk value was dynamically analyzed and quantified. Scenario analysis, partial verification and case studies were used to verify the rationality and effectiveness of the method. The results show that this method can improve the security risk perception, analysis and assessment capabilities of the public security department with respect to the video private network.

    Research on Chinese Question Answering Matching Based on Mutual Attention Mechanism and Bert
    DAI Xiang, SUN Haichun, NIU Shuo, ZHU Rongchen
    2021, 21 (12):  102-108.  doi: 10.3969/j.issn.1671-1122.2021.12.014

    Question and answer matching is one of the key technologies of question answering systems. Focusing on the problems that the traditional question and answer matching model is not accurate enough in representing Chinese word vectors and extracts insufficient interactive features between texts, a bidirectional encoder representation algorithm based on attention is proposed. For Chinese vector representation, transfer learning is used to introduce the parameters of a pretrained Chinese BERT model, which is further fine-tuned on the training set to obtain the optimal parameters. Chinese character vectors are represented by the BERT model, so as to solve the problem of the insufficient representation ability of traditional word vector models for Chinese vocabulary. At the text interaction layer, the interactive features of questions and answers are extracted using the mutual attention mechanism, and the generated interactive features are combined with the input vector of the attention mechanism to form a feature combination. A BiLSTM is then used for reasoning over the combination, reducing the feature dimension and integrating contextual semantic information. Finally, the model is tested on a Chinese legal dataset. The experimental results show that the model outperforms many traditional models. Compared with ESIM, it improves Top-1 accuracy by 3.55%, MAP by 5.21% and MRR by 4.05%.

    A Deep Forgery Video Detection Model Based on Improved Xception Network
    MA Rui, CAI Manchun, PENG Shufan
    2021, 21 (12):  109-117.  doi: 10.3969/j.issn.1671-1122.2021.12.015

    In recent years, with the development of deep forgery technology, deeply forged content has become more difficult to identify, which has brought severe challenges to the security of information networks. Aiming at the difficulty of identifying deeply forged and tampered content, as well as the insufficient facial feature extraction and excessive parameter count of existing deep forgery detection methods, this paper proposes a deep forgery detection model, i_Xception, that integrates the Xception network, SENet and WSDAN. The model embeds the SE module in the Xception network to extract features, then uses the WSDAN module to augment the training images under the guidance of attention and feeds the augmented images back to the network for training, which improves the detection accuracy of the model. On this basis, this paper designs a lightweight network model, i_miniXception, by reasonably reducing the depth and width of the Xception network and fusing the above methods, which greatly reduces the number of model parameters. The models are verified on the FaceSwap and DeepFakes subsets of FaceForensics++, which are currently widely used in the field of deep forgery detection. The detection accuracy of i_Xception reaches 99.50% and 98.83%, and that of i_miniXception reaches 99.17% and 98.50% respectively, which are better than the existing main algorithms.

    Tor Anonymous Traffic Identification Method Based on Weighted Stacking Ensemble Learning
    WANG Xirui, LU Tianliang, ZHANG Jianling, DING Meng
    2021, 21 (12):  118-125.  doi: 10.3969/j.issn.1671-1122.2021.12.016

    The Tor network is often utilized by criminals to engage in various illegal activities, so identifying Tor traffic efficiently is important for network supervision and fighting crime. In this paper, based on the idea of ensemble learning, a weighted stacking model for Tor traffic identification was proposed to solve the problems of sparse Tor traffic and low recognition accuracy in real environments. Based on the data flows, time-correlation characteristics of the flows were extracted, and the top 14 features by information gain were selected to form the input dataset. KNN, SVM and XGBoost were given different weights and used as base learners, and XGBoost was used as the meta-learner to construct a two-layer stacking model. Compared with 10 algorithms on an open dataset, the experimental results show that the recognition model proposed in this paper is superior to most algorithms in accuracy and has a lower miss rate, which is more in line with the goal of Tor traffic recognition in real network environments.
