
Table of Contents

    10 November 2023, Volume 23 Issue 11

    Malicious Domain Detection Method Based on Multivariate Time-Series Features
    YAO Yuan, FAN Zhaoshan, WANG Qing, TAO Yuan
    2023, 23 (11):  1-8.  doi: 10.3969/j.issn.1671-1122.2023.11.001

    At present, malicious domains as the main attack vector are widely abused in a variety of network attack activities. To address the problems of complex design of detection features in malicious domain detection, the need for empirical knowledge assistance and the ease of targeted bypassing by attackers, the paper proposed a malicious domain detection method based on multivariate temporal features. The method uses a deep learning model based on fused long short-term memory networks and fully convolutional neural networks to automatically extract multivariate temporal embedding features from client requests and domain resolution traffic, respectively, and learn low-dimensional temporal representations of malicious domain behaviors. Compared with traditional time-statistical feature schemes or time-series local pattern discrimination schemes, this method can establish long-term domain activity patterns and distinguish the behavior sequences of malicious domains from normal domains, which has more powerful malicious domain detection capability. Meanwhile, the method supports the fusion of multivariate time-series embedding features and generic malicious domain detection features to characterize malicious behavior information in multiple dimensions, improving detection performance as well as model robustness and scalability.

    Design of Certificate Transparency Log System Based on SM2 Algorithm
    CHEN Liquan, XUE Yuxin, JIANG Yinghua, ZHU Yaqing
    2023, 23 (11):  9-16.  doi: 10.3969/j.issn.1671-1122.2023.11.002

    The certificate transparency log system is an important mechanism for ensuring the security of digital certificates and addressing malicious issuances. The local encryption algorithm, SM2, which is independently developed in our country and has become an international standard, has a wide range of potential applications in the field of digital certificates. However, the current certificate transparency log systems mostly rely on RSA and ECC, and they cannot recognize SSL certificates based on the SM2 algorithm. In this paper, a design method for a certificate transparency log system based on the SM2 algorithm is proposed. The system utilized the SM2 algorithm to generate the log system's signature key and to digitally sign the certificate transparency log data, and the SM3 algorithm was used as the digest algorithm required by the system to calculate the hash value. This implementation enables the support of SM2 SSL certificates in the certificate transparency log system, thereby ensuring the security and trustworthiness of these SM2 SSL certificates.

    A Robust Wireless Key Generation Method for IoT Devices Based on Autonomous Discarding and Calibration
    HUAN Xintao, MIAO Kaitao, CHEN Wen, WU Changfan
    2023, 23 (11):  17-26.  doi: 10.3969/j.issn.1671-1122.2023.11.003

    Considering the constrained resources and large-scale deployment of the IoT devices, traditional key pre-sharing methods and advanced key distribution methods are not suitable for IoT devices due to their difficulty in updating and high computational complexity. The wireless key generation method based on wireless channel characteristics has the advantages of low complexity and low resource requirements, and, thus, well suits the key sharing for IoT devices. This paper proposed a wireless key generation method for IoT devices based on autonomous abandonment and calibration, which could achieve robust wireless key generation at the expense of only a small increase in overhead. This paper proposed an autonomous calibration reset mechanism that eliminated the impact of accidental restarts on both sides’ wireless key generation and further realized the synchronous collection of channel characteristic data. This paper proposed a timeout selective discarding mechanism to address the issue of mismatching of channel characteristic data between communication parties in case of packet losses. The proposed method can significantly improve the robustness of the wireless key generation process. Practical experiments on a real IoT testbed demonstrate the effectiveness and stability of the proposed method.

    Image Classification Method Based on Secure Multiparty Computation
    SUN Yongqi, SONG Zewen, ZHU Weiguo, ZHAO Sicong
    2023, 23 (11):  27-37.  doi: 10.3969/j.issn.1671-1122.2023.11.004

    This paper focused on researching image classification methods based on secure multiparty computation. To solve the problem that the PaddleFL method based on the ABY3 protocol cannot support some network encryption operations in complex models, this paper proposed an encryption method for dimension transformation and compression operations based on the repeated secret sharing of the ABY3 protocol. To solve the model collapse problem of the CrypTen method based on the Beaver protocol during ciphertext training, this paper proposed a detection method based on a flag to discard abnormal values to avoid wrap-around errors during training, and introduced a ciphertext calculation method based on threshold restriction for the softmax function to eliminate approximation calculation errors, meeting the requirement of ciphertext calculation of a larger numerical range. Experimental results on public datasets show that the proposed method can effectively protect user data privacy while ensuring model accuracy.

    An Adaptive IoT SSH Honeypot Strategy Based on Game Theory Opponent Modeling
    SONG Lihua, ZHANG Jinwei, ZHANG Shaoyong
    2023, 23 (11):  38-47.  doi: 10.3969/j.issn.1671-1122.2023.11.005

    The proliferation of IoT devices has led to an increasing number of attacks against the Internet of Things, and it is urgent for cybersecurity personnel to use proactive defense techniques to turn reactive defense into proactive defense. The introduction of SSH (secure shell) honeypot technology allows defenders to capture and learn attackers’ interaction information and acting strategy, which is of great significance for IoT security. However, traditional honeypots are easily identified and exploited by attackers because of their fixed characteristics or behavioral patterns. From the perspective of game theory, this paper established an interaction model between honeypots and attackers, and we calculated the best response strategy of the defender by using the SAC (soft actor-critic) algorithm. Simulation results show that the adaptive honeypot combining reinforcement learning and game theory can quickly find the optimal interaction strategy in a variety of scenarios, and the reinforcement learning method added to the policy network is better than the traditional reinforcement learning method based on the value network alone.

    A Selective Encryption Scheme for Audio and Video Based on the National Cryptographic Algorithm
    XU Shengwei, DENG Ye, LIU Changhe, TAN Li
    2023, 23 (11):  48-57.  doi: 10.3969/j.issn.1671-1122.2023.11.006

    Aiming to address the current issues of imperfect encryption schemes based on national cryptographic algorithm in audio and video data, balancing encryption efficiency and security, this paper designed a selective audio-video encryption scheme within the TRTC audio-video architecture, based on national cryptographic algorithms. The scheme proposed an identity authentication mechanism combining password authentication and collaborative signature, tailored to the characteristics and requirements of audio-video applications. By analyzing the features of the SM4 algorithm and H.264 encoding method, the scheme employed SM4-CFB mode to encrypt key syntax elements such as IPM, MVD, and residual coefficients within encoded frames, achieving efficient selective encryption of audio-video data. Experimental results demonstrate that this approach effectively reduces encrypted data volume, enhances encryption speed, and maintains high levels of cryptographic security and perceptual security.

    Fast Multi-Agent Collaborative Exploration Algorithm Based on Boundary Point Filtering
    YAO Changhua, XU Hao, FU Shu, LIU Xin
    2023, 23 (11):  58-68.  doi: 10.3969/j.issn.1671-1122.2023.11.007

    In this research, the optimization problem of autonomous cooperative exploration tasks for multiple agents in an unknown environment without prior knowledge was addressed. To tackle this problem, an optimization model for multiple agents’ cooperative exploration in an unknown environment was constructed, and a novel algorithm called multiple agent obstacle frontier point filter (MAOFPF) was proposed. The MAOFPF algorithm took into account the relative distribution between boundary points and obstacles, explored the distance threshold for filtering boundary points, and consequently improved the selection of exploration tasks and resource allocation for multiple agents. Simulation results demonstrate that the proposed algorithm effectively filters out interference data from boundary points in various scenarios, ensuring smooth system operation. As a result, the optimized system exhibits enhanced disturbance resistance and generalization ability. Furthermore, the algorithm achieves a higher map coverage rate compared to the original algorithm, with an average efficiency improvement of 25.22%.

    Targeted Poisoning Attacks against Multimodal Contrastive Learning
    LIU Gaoyang, WU Weiling, ZHANG Jinsheng, WANG Chen
    2023, 23 (11):  69-83.  doi: 10.3969/j.issn.1671-1122.2023.11.008

    In recent years, the applications of pre-trained models constructed with contrastive learning techniques on large-scale unlabeled data have gained widespread adoption, such as lane detection and face recognition. However, the security and privacy issues of contrastive learning models have increasingly attracted the attention of researchers. This paper focused on the poisoning attack against the multimodal contrastive learning models. A poisoning attack injects carefully crafted data into the training set to change the behavior of victim models. To tackle the issue of existing attacks primarily targeting either text or image encoders individually and failing to fully leverage other modality-related information, this paper proposed a specific targeted poisoning attack, which poisoned both the text and image encoders simultaneously. Firstly, this paper employed a generator utilizing the Beta distribution to produce opacity values, which were used to automatically watermark the images. Subsequently, this paper calculated the number of instances to be collected based on the Euclidean distance between the watermarking instance and the target instance. Following the watermarking process, this paper optimized the instances to generate poisoning instances. Compared with the state-of-the-art attacks, this method achieves a lower poisoning rate and a better model accuracy.

    A Large Language Model Based SQL Injection Attack Detection Method
    HUANG Kaijie, WANG Jian, CHEN Jiongyi
    2023, 23 (11):  84-93.  doi: 10.3969/j.issn.1671-1122.2023.11.009

    The SQL injection attack, widely employed by attackers, poses a significant threat to cyberspace security. Traditional detection methods for SQL injection attacks include rule-based and machine learning-based methods, which suffer from limited applicability and high false positive rates. This paper proposed a large language model-based method for detecting SQL injection attacks. By applying prompt engineering and instruction fine-tuning techniques, a specialized large language model for SQL injection attack detection was developed. Additionally, the impact of iteration rounds, the number of fine-tuning samples and inference parameters on model performance was analyzed to enhance the detection capability of large language models. Leveraging the robust semantic understanding capability of the large language model significantly reduced the false positive rate. This paper conducted experimental analysis on the specialized large language model for SQL injection attack detection that we proposed, using the Kaggle dataset. The model achieves an accuracy rate of over 99.85%, a false alarm rate of less than 0.2%, and an F1 score of 0.999. Compared to the current state-of-the-art methods for SQL injection attack detection, our model demonstrates a significant improvement in detection performance.

    IoT Anomaly Detection Model Based on Cost-Sensitive Learning
    LIAO Liyun, ZHANG Bolei, WU Lifa
    2023, 23 (11):  94-103.  doi: 10.3969/j.issn.1671-1122.2023.11.010

    Aiming at the problem of data imbalance in current abnormal detection algorithms for Internet of Things (IoT), which leads to incomplete feature learning and subsequently affects the detection performance of minority class attack samples, this article proposed a cost-sensitive abnormal detection model for IoT, called CS-CTIAD. The model used convolutional neural networks and Transformers to comprehensively learn the spatial and temporal features of IoT traffic, alleviating the problem of incomplete feature learning of minority class attack samples by a single model; at the same time, cost sensitive learning was introduced in the model training process, dynamically adjusting the loss weights of minority and majority classes to prevent the classifier from ignoring minority class attack samples due to data imbalance, thus improving the recognition rate of minority class attack samples. The test results on the CSE-CIC-IDS2018 and IoT-23 datasets demonstrate a significant improvement in the detection performance of minority class attack samples. Compared with existing work, the proposed method achieves the best overall evaluation metrics (accuracy, precision, recall, F1).

    Malicious Code Classification Method Based on BiTCN-DLP
    LI Sicong, WANG Jian, SONG Yafei, HUANG Wei
    2023, 23 (11):  104-117.  doi: 10.3969/j.issn.1671-1122.2023.11.011

    To cope with the escalating malicious code variants, this article proposed a malicious code classification method (BiTCN-DLP) based on a bidirectional temporal convolution network (BiTCN) and double layer pooling (DLP) to address the problems of insufficient feature extraction and degradation of classification accuracy of existing malicious code classification methods. First, the method fused malicious code opcode and bytecode features to show different details, built BiTCN models to take advantage of the backward and forward dependencies of the features, and introduced a pooling fusion mechanism to further explore the deep dependencies within the malicious code data. Then, the model was validated on the Kaggle dataset. The experimental results show that the accuracy of malicious code classification based on BiTCN-DLP can reach 99.54% with fast convergence and low classification error. Finally, the effectiveness of the model was proved by comparison experiments and ablation experiments.
