Table of Contents

    10 April 2024, Volume 24 Issue 4

    A Review of Network Anomaly Detection Based on Semi-Supervised Learning
    ZHANG Hao, XIE Dazhi, HU Yunsheng, YE Junwei
    2024, 24 (4):  491-508.  doi: 10.3969/j.issn.1671-1122.2024.04.001

    The acquisition of network traffic data is relatively easy, while labeling the traffic data is comparatively challenging. Semi-supervised learning utilizes a small amount of labeled data and a large amount of unlabeled data for training, reducing the demand for labeled data and effectively adapting to anomaly detection in massive network traffic data. This paper conducted an in-depth investigation into the field of semi-supervised network anomaly detection in recent years. Firstly, it introduced some basic concepts and thoroughly analyzed the necessity of using semi-supervised learning strategies in network anomaly detection. Then, from the perspectives of semi-supervised machine learning, semi-supervised deep learning, and the combination of semi-supervised learning with other paradigms, it analyzed and compared the recent literature on semi-supervised network anomaly detection and summarized the findings. Finally, the current status and future prospects of the field of semi-supervised network anomaly detection were analyzed.

    Application Layer DDoS Detection Method Based on Spatio-Temporal Graph Neural Network
    WANG Jian, CHEN Lin, WANG Kailun, LIU Jiqiang
    2024, 24 (4):  509-519.  doi: 10.3969/j.issn.1671-1122.2024.04.002

    Distributed denial of service (DDoS) attacks have emerged as one of the principal threats to cybersecurity, among which application layer DDoS attacks stand as a primary mode of assault. Application layer DDoS attacks target specific application services and exhibit normal behavior at the network layer, rendering traditional security devices ineffective against them. Moreover, existing detection methods for application layer DDoS attacks are insufficient in detection capability and struggle to adapt to the changing patterns of attacks. In response, this paper proposed a detection method for application layer DDoS attacks based on a spatio-temporal graph neural network (STGNN). This method utilized the characteristics of application layer services, starting from application layer data and protocol interaction information. It introduced an attention mechanism and combined multiple GraphSAGE layers to learn the patterns of entity interactions across different time windows. Consequently, it calculated the deviation between the detection traffic and normal traffic to accomplish attack detection. The method effectively identified application layer DDoS attacks using only five dimensions of data: time, source IP, destination IP, communication frequency, and average packet size. According to the experimental results, this method achieves higher Recall and F1 scores compared to benchmark methods, even with a smaller number of attack samples.

    Design and Implementation of Malicious Traffic Detection Model
    TU Xiaohan, ZHANG Chuanhao, LIU Mengran
    2024, 24 (4):  520-533.  doi: 10.3969/j.issn.1671-1122.2024.04.003

    With the increasing sophistication and diversification of cyber attack methods, traditional security defenses face a significant challenge in accurately identifying malicious traffic. This study addresses common issues in malicious traffic detection, such as numerous ineffective features, data imbalance, and the complexity of attack methods, by developing an efficient detection method. The main contributions are as follows. Firstly, this paper proposed a data cleansing and balancing technique to effectively enhance the quality of traffic feature data. Secondly, it innovatively proposed the combination of a simple recurrent neural network with a multi-head attention mechanism, which enabled the detection model to precisely handle sequential data and to effectively capture and identify various types of information and their dependencies, thereby significantly improving the accuracy of feature extraction. Finally, it combined the advantages of ensemble learning, deep learning, and machine learning to enable the detection model to efficiently learn from limited samples and quickly adapt to different network characteristics. Through experimental validation, this method demonstrates prominent detection performance on multiple public datasets.

    An eBPF-Based Threat Observability System for Cloud-Oriented Environment
    LIU Sinuo, RUAN Shuhua, CHEN Xingshu, ZHENG Tao
    2024, 24 (4):  534-544.  doi: 10.3969/j.issn.1671-1122.2024.04.004

    As the types of threats in the cloud and the diversity of attack vectors increase, single-dimensional threat data struggles to accurately portray complex and ever-changing threat behaviors. This paper proposed ETOS (eBPF-based threat observability system), a multi-level threat observation system tailored for cloud environments. By assessing the risk of each action within threat behaviors, ETOS strategically sets up observation points for hierarchical classification of critical actions, dynamically activates eBPF probes as needed on the target machines, and thus acquires multi-dimensional structured threat behavior data. This approach effectively represents threat behaviors in cloud environments and significantly reduces the preprocessing cost for data analysis. We also designed a generic eBPF threat probe template to automate the expansion of the probe library. ETOS was examined on a container cloud platform by reproducing 18 container escape CVEs and observing their threat behaviors. The experimental results show that ETOS is capable of observing threat behaviors on multiple levels and collecting multi-dimensional structured threat data. The introduced overhead on the system and network remains below 2%, meeting the operational requirements of cloud platforms.

    Defense Scheme for Removing Deep Neural Network Backdoors Based on JSMA Adversarial Attacks
    ZHANG Guanghua, LIU Yichun, WANG He, HU Boning
    2024, 24 (4):  545-554.  doi: 10.3969/j.issn.1671-1122.2024.04.005

    Deep learning models lack transparency and interpretability, and the abnormal behavior triggered by malicious attacks during the inference stage can lead to a decline in their performance. In response to this issue, this paper proposed a defense scheme for removing deep neural network (DNN) backdoors based on JSMA adversarial attacks. Firstly, the hidden backdoor trigger was restored using special disturbances generated by simulations of JSMA, and this foundation formed the basis for simulating the restoration of the backdoor trigger pattern. Secondly, a heatmap was used to locate the weight position of the restored hidden trigger. Finally, a ridge regression function was used to reset the weights to zero, effectively removing the backdoor in the DNN. This paper tested the model on the MNIST and CIFAR10 datasets, and evaluated the performance of the model after the backdoor removal. The experimental results show that this scheme can effectively remove the backdoors in DNN models, with a decrease of less than 3% in the testing accuracy of the DNN.

    Multi-Receiver Chaotic Key Generation Scheme Based on SM9
    ZHANG Xuefeng, CHEN Tingting, MIAO Meixia, CHENG Yexia
    2024, 24 (4):  555-563.  doi: 10.3969/j.issn.1671-1122.2024.04.006

    Aiming at the key management problem involved in secure communication during information transmission, combined with the chaotic secure communication model, a multi-receiver chaotic key generation scheme based on SM9 was proposed. This scheme extended the key encapsulation mechanism of the SM9 identification encryption algorithm to construct a multi-receiver key encapsulation mechanism. That is, the encapsulator selected a group of designated recipients, used their identity information to generate and encapsulate the key, and sent the ciphertext. Only the recipients in the user set can use the private key to decrypt the ciphertext to obtain the key. In order to ensure that the communicating parties can carry out chaotic secure communication, a data conversion method that converted binary numbers to floating point numbers was proposed, and multiple floating point numbers could be generated according to the number of parameters. The sender and the receiver realized key synchronization through data conversion processing of the key, which laid the foundation for chaotic secure communication. In this scheme, the key was generated from the identification information of multiple receivers, which ensured the security and confidentiality of the key. Under the random oracle model, it is proved that this scheme has good efficiency and performance, and satisfies the security of IND-sID-CCA.

    Periodically Deniable Ring Signature Scheme Based on SM2 Digital Signature Algorithm
    ZHANG Yanshuo, YUAN Yuqi, LI Liqiu, YANG Yatao, QIN Xiaohong
    2024, 24 (4):  564-573.  doi: 10.3969/j.issn.1671-1122.2024.04.007

    Periodically deniable ring signature enables ring members to deny their identity selectively as signers within the ring after each time period. This transformation, implemented periodically, established a self-controlled mechanism, enhancing the privacy protection for ring members while also fostering cooperation with regulatory authorities. Traditional digital signatures possess non-repudiation properties, ensuring the integrity and authenticity of the signature’s source and content. In contrast, deniable signatures offer repudiation properties, allowing individual members within a ring to confirm or disclaim their association with the signature without relying on a trusted third party. This article presented a periodically deniable ring signature scheme based on SM2, extending the work of BAO Zijian et al., to advance the use of domestic cryptographic algorithms. The scheme supported periodic confirmation and revocation of signatures, meeting the substantial demand for privacy protection. The formal proof provided demonstrates the scheme’s correctness, non-forgeability, anonymity, traceability, and non-repudiation properties.

    ACCQPSO: An Improved Quantum Particle Swarm Optimization Algorithm and Its Applications
    SUN Junfeng, LI Chenghai, SONG Yafei
    2024, 24 (4):  574-586.  doi: 10.3969/j.issn.1671-1122.2024.04.008

    In order to solve the problems of quantum particle swarm optimization (QPSO), such as the tendency to fall into local extreme points in the early stage and low accuracy in the later stage, a chaotic quantum particle swarm optimization algorithm with adaptive crossover operator (ACCQPSO) was proposed and used in the hyper-parameter optimization of the BP neural network. Firstly, an initial population generated by the Logistic map was used as a chaotic sequence to search for the optimal solution, which enhanced the randomness and ergodicity of the initial population and improved the optimization ability of the algorithm. Secondly, the information of individuals in the population was exchanged through a vertical crossover operation, and an adaptive crossover probability formula was introduced to increase the population diversity and improve the optimization accuracy of the algorithm. In the experiment, on the one hand, eight functions were selected for validation in both high and low dimensions, while Wilcoxon rank sum test analysis and ablation experiments were performed to verify the effectiveness of the algorithm compared to other algorithms; on the other hand, the parameter optimization of the BP neural network was applied to the network security situation prediction task, and the results show that the convergence speed is greatly improved compared with the contrast algorithm.

    Online/Offline Cross-Domain Identity Authentication Scheme Based on Blockchain in Vehicle to Grid
    SHI Runhua, YANG Jingyi, WANG Pengbo, LIU Huawei
    2024, 24 (4):  587-601.  doi: 10.3969/j.issn.1671-1122.2024.04.009

    Aiming at the problems of poor real-time performance and easy privacy leakage in cross-domain identity authentication in Vehicle to Grid, this paper proposed an efficient cross-domain authentication scheme based on blockchain. Firstly, it adopted online/offline signature technology: the offline signature was performed when the vehicle was not in use, and when the vehicle was in another area for cross-domain authentication, only the online signature was performed on the basis of the offline signature, which reduced the system's computational overhead and shortened the authentication time. It also used aggregated signature and verification technology and introduced the idea of batch verification, which improved the verification efficiency. Then, the use of smart contract technology to store the vehicle public key, offline signature and other information on the blockchain reduced the storage burden of the vehicle and also protected the security of the key. Finally, by comparing with other schemes and experimental simulations, the results show that the scheme reduces the time overhead of signing and verification and has less overhead of storing information on the blockchain using smart contracts. Based on the intractability of the q-Strong Diffie-Hellman problem, the scheme is proved to be semantically secure and is shown to fulfill all expectations and security requirements.

    Research on 3D-Location Privacy Publishing Algorithm Based on Policy Graph
    YIN Chunyong, JIA Xukang
    2024, 24 (4):  602-613.  doi: 10.3969/j.issn.1671-1122.2024.04.010

    With the popularization of mobile smart terminals, the application of location-based services has seen explosive growth, and high-rise indoor buildings are one of the important application scenarios of LBS. However, most of the existing location privacy protection algorithms are applicable to 2D location data. The research on location privacy protection for large indoor 3D scenes is still insufficient and lacks personalizable 3D privacy policies. To address this problem, this paper proposed a 3D-location privacy publishing algorithm based on policy graph. Firstly, a customizable policy graph-based location privacy protection framework was designed, which could dynamically customize suitable privacy policies according to specific scene requirements. Secondly, two 3D-oriented differential privacy variant mechanisms were designed in combination with customized policy graph to realize location privacy protection in 3D scenes. Finally, simulation experiments were conducted on 3D datasets. The results demonstrate that, compared to other 3D location privacy preserving algorithms, the proposed algorithm has better stability and utility.

    A Non-Cooperative Game Model for Optimizing EFIS Data Source Defense Deployment
    GU Zhaojun, ZHANG Yinuo, YANG Xueying, SUI He
    2024, 24 (4):  614-625.  doi: 10.3969/j.issn.1671-1122.2024.04.011

    The Electronic Flight Instrument System (EFIS), characterized by high safety requirements and an extreme operating environment, faces severe limitations in the allocation of defense strategy resources. The lack of a rational defense strategy deployment can significantly impact the overall security of the system. This paper proposed a limited defense strategy deployment optimization model in conjunction with the periodic maintenance of EFIS, drawing on the perspectives of attack-defense decision-making and non-cooperative game theory within the integrated framework of security considerations. The methodology began by establishing a dual-attribute Attack Defense Tree (ADT) to construct the space of attack-defense strategies. Subsequently, employing the perspective transformation approach, a non-cooperative game analysis was conducted from the attacker’s viewpoint to reveal the distribution of attack strategies intending to compromise system security. Finally, based on the results of the attacker’s game, a game analysis was performed for defense strategies. The feasibility of enhancing the security attributes of defender strategies is validated, providing a reliable theoretical foundation for the allocation of security resources. The model successfully addresses the defense strategy deployment problem under non-cooperative games using Monte Carlo simulation. The optimized deployment scheme for defense strategies, maximizing the expected utility, is obtained. This approach avoids redundant additions of defense measures, effectively enhancing the overall security of the system.

    Clean Energy Data Traceability Mechanism Based on Blockchain
    HU Haiyang, LIU Chang, WANG Dong, WEI Xu
    2024, 24 (4):  626-639.  doi: 10.3969/j.issn.1671-1122.2024.04.012

    The world is currently in a trend of low-carbon development, and clean energy is the core of low-carbon development and the key to solving climate problems. At present, the traceability methods for clean energy data, such as centralized databases, electronic labels, and energy certificates, have problems such as centralization, opaque data sources and processing, which cannot guarantee the credibility and security of data and traceability results. In contrast, blockchain has the characteristics of decentralization, transparency, and immutability, which can effectively solve the above problems. Therefore, this paper proposed a clean energy data traceability mechanism based on blockchain. Firstly, this paper proposed an improved Provenance Vocabulary model (ProVOC) to achieve trusted traceability of clean energy data throughout its lifecycle. By combining blockchain and graph databases, the lightweight storage of data was achieved and traceability efficiency was improved. Secondly, this paper proposed a data privacy protection mechanism based on zero-knowledge proof, introducing revocable mechanisms in user data privacy protection, and combining homomorphic encryption in traceability data privacy protection to achieve more secure data sharing. Finally, functional verification and performance analysis were conducted on the proposed data traceability mechanism. Compared to existing data traceability frameworks, the experimental results show that the mechanism proposed in this paper has certain advantages in terms of security and other aspects.

    Malicious Software Adversarial Defense Model Based on Feature Severity Ranking
    XU Zirong, GUO Yanping, YAN Qiao
    2024, 24 (4):  640-649.  doi: 10.3969/j.issn.1671-1122.2024.04.013

    The application of deep learning models in the detection of Android malware can continuously improve the accuracy of detection. However, with the proposal of adversarial examples, these examples can easily evade detection by deep learning models, leading to questions about the detection capabilities of deep learning models. To counteract adversarial attacks on Android malicious software, current approaches often employ adversarial training for defense. This paper addressed the limitation of adversarial training in dealing with various types of adversarial examples and proposed the concept of feature maliciousness. Feature maliciousness involved ranking features based on their malicious nature, and this ranked feature set was utilized to construct a malicious software detection model with adversarial defense capabilities, termed the feature maliciousness processing (FMP) detector. This model extracted high-maliciousness features from the software under consideration, mitigating the problem of model misclassification caused by adversarial perturbations. On the open-source dataset DefenceDroid, the feature selection method employed by the FMP detector significantly enhances the detection rates for various types of adversarial examples compared to adversarial training and other feature selection methods. Under multiple adversarial example attacks, the FMP detector demonstrates the highest level of robust performance.
