
Table of Contents

    10 May 2024, Volume 24 Issue 5

    CONTENTS

    Linux Malicious Application Detection Scheme Based on Virtual Machine Introspection
    WEN Weiping, ZHANG Shichen, WANG Han, SHI Lin
    2024, 24 (5):  657-666.  doi: 10.3969/j.issn.1671-1122.2024.05.001

    With the rapid development of the Internet of Things and cloud computing technology, the number and types of Linux malware have increased dramatically. Therefore, how to effectively detect Linux malware has become one of the important research directions in the security field. To solve this problem, this paper proposed a Linux malicious application detection scheme based on virtual machine introspection. The scheme utilized virtual machine introspection technology to securely obtain the internal running status of the sandbox from outside it, realizing all-round monitoring while at the same time evading the anti-dynamic-analysis techniques of malware. Compared to other sandbox monitoring methods, this scheme improved the performance of malware running in the sandbox. In order to pay more attention to the timing between features, a timing processing model was used to model and train on the feature information obtained by the sandbox, aiming to judge whether a Linux application was malicious. In this paper, three kinds of neural networks were used: recurrent neural network, long short-term memory network and gated recurrent unit network. The experimental results show that the long short-term memory network works better in this application scenario, with an accuracy rate of 98.02% and a higher recall rate. The innovation of this paper is that the combination of virtual machine introspection technology and a neural network model is applied to malicious application detection, which not only monitors the inside of the virtual machine from outside it, but also pays attention to the timing between features.

    Lightweight Detection Method for IoT Mirai Botnet
    LI Zhihua, CHEN Liang, LU Xulin, FANG Zhaohui, QIAN Junhao
    2024, 24 (5):  667-681.  doi: 10.3969/j.issn.1671-1122.2024.05.002

    Aiming at the shortcomings of traditional detection methods for IoT Mirai botnet traffic data, which include long detection times, high resource consumption, and inadequate accuracy due to the high dimensionality and large scale of the data, this study researched and proposed an IoT botnet traffic detection (IBTD-EFS) method based on integrated feature selection. Firstly, to reduce the feature dimension of network traffic data samples and obtain an optimal subset of features, an integrated feature selection (EFS-FGGA) algorithm combining feature grouping and a genetic algorithm was proposed. Then, to efficiently detect Mirai botnet traffic, an IoT botnet traffic classification (IBTC-XGB) algorithm based on extreme gradient boosting was introduced. Lastly, by combining the aforementioned EFS-FGGA and IBTC-XGB algorithms, the IBTD-EFS method for IoT botnet traffic detection was further proposed. Experimental results indicate that the IBTD-EFS method can overcome the heterogeneity of IoT devices, achieving a detection accuracy of 99.95% for Mirai botnet traffic while keeping the time overhead low. It is evident that the IBTD-EFS method provides an efficient solution for IoT Mirai botnet traffic detection.

    Python Sandbox Escape Defense Mechanism Based on Third-Party Library Isolation
    YANG Zhipeng, WANG Juan, MA Chenjun, KANG Yunfeng
    2024, 24 (5):  682-693.  doi: 10.3969/j.issn.1671-1122.2024.05.003

    The PaaS platform has become a popular cloud service due to its ability to provide Python services. PaaS platforms utilize Python sandboxes to ensure security, while also allowing users to use optimized Python C-modules to reduce the performance impact of Python. However, attackers can exploit vulnerabilities in Python sandbox policies to escape and harm the underlying system. Most of the existing Python sandboxes are used for defense at the code level, lacking supervision and protection of Python C-modules. This paper analyzed the underlying principles of Python C-modules and the characteristics of Python sandbox escapes. Targeting the specific dangerous functions executed after a sandbox escape, this paper proposed a Python sandbox escape defense mechanism based on third-party library isolation and implemented a prototype system. The prototype system leveraged GOT Hook technology to take over C-module imports and dangerous function calls in Python. Therefore, the system was capable of checking and isolating C-modules before they were imported. Moreover, when dangerous functions were called, the system checked their parameters. The experimental results demonstrate that the system effectively mitigates attackers' abuse of custom C-modules to escape Python sandboxes and call dangerous functions with malicious parameters. The mechanism has negligible overhead in normal Python applications, with an average time overhead of less than 5%.

    A Covert Tunnel and Encrypted Malicious Traffic Detection Method Based on Multi-Model Fusion
    GU Guomin, CHEN Wenhao, HUANG Weida
    2024, 24 (5):  694-708.  doi: 10.3969/j.issn.1671-1122.2024.05.004

    To evade detection, advanced persistent threat (APT) attackers often employ strategies such as encrypted malicious traffic and covert tunnels to conceal malicious activities, thereby increasing the difficulty of detection. Currently, most methods for detecting DNS covert tunnels are based on characteristics such as statistics, frequency, and packets. These methods are not well suited for real-time detection, which can lead to data leaks. Therefore, it is necessary to perform detection based on individual DNS requests rather than statistical analysis of traffic, in order to achieve real-time and reliable detection. When the system determines that a single DNS request is tunnel traffic, it can respond accordingly to prevent data leaks. However, existing methods for detecting encrypted malicious traffic have issues such as the inability to fully extract traffic feature information, limited means of feature extraction, and underutilization of features. Thus, this paper proposed a method for detecting covert tunnel and encrypted malicious traffic based on multi-model fusion. For DNS covert tunnels, the paper proposed a detection method that fused MLP, 1D-CNN, and RNN models and calculated the fusion result based on a proposed mathematical model. This method can monitor covert tunnels in real time, further improving the overall detection accuracy. For encrypted malicious traffic, the paper proposed a parallel fusion detection method combining 1D-CNN and LSTM models. The parallel fusion model can more comprehensively extract feature information and reflect the full scope of the traffic data, thereby enhancing the detection accuracy of the model.

    A Hierarchical Lightweight Authentication Scheme Based on Merkle Tree and Hash Chain
    SHEN Zhuowei, WANG Renbo, SUN Xianjun
    2024, 24 (5):  709-718.  doi: 10.3969/j.issn.1671-1122.2024.05.005

    Distributed systems such as cloud computing and the Internet of Things are widely used in various critical application domains, and their security issues are receiving increasing attention. Due to the complex deployment environment and characteristics such as decentralization, heterogeneity, and dynamics, the security guarantee of distributed systems faces severe challenges. Traditional authentication schemes usually have the limitations of high computational cost, complex certificate management, and untimely dynamic member updates, which cannot meet the requirements of large-scale distributed systems. In this paper, aiming at the typical application scenario where a large number of clients interact with application servers, a hierarchical lightweight authentication scheme based on Merkle tree and hash chain was proposed. In this scheme, there were several neighborhoods in the system, each client belonged to a neighborhood, and an authentication proxy node was set in each neighborhood to manage the clients in the neighborhood and report authentication information to the application server. The scheme adopted both Merkle tree and hash chain to realize identity authentication for the client, one-time pad encryption, and message authentication, and used the efficient operations of hash and XOR to achieve lower computational costs. Security analysis and performance analysis show that the scheme has comprehensive security and better performance.

    A Reputation Evaluation Method for Vehicle Nodes in V2X
    TIAN Zhao, NIU Yajie, SHE Wei, LIU Wei
    2024, 24 (5):  719-731.  doi: 10.3969/j.issn.1671-1122.2024.05.006

    Advancements in vehicular network communication technologies facilitate the exchange and sharing of traffic information, thereby significantly enhancing travel efficiency. However, the openness of V2X networks increases the vulnerability of traffic entities to attacks from malicious vehicles, potentially leading to severe consequences. To address this issue, this paper proposed a reputation evaluation method for vehicle nodes in V2X. Initially, a partitioned blockchain network for vehicle nodes in vehicular networks was introduced. Subsequently, local reputation values were calculated based on trust among vehicle nodes and auxiliary trust from infrastructure, combined with the use of deep learning to dynamically compute global reputation values. This enabled the identification of optimal data sharing nodes based on global reputation scores. Finally, to enhance storage, partitioned blockchain technology was employed to ensure the integrity and traceability of reputation values and traffic information. Simulation results demonstrated that the proposed method outperformed comparative methods in accurately identifying malicious nodes, as evidenced by higher precision and recall rates.

    Electronic Voting Scheme Based on Public Key Cryptography of Quantum Walks
    SHI Runhua, DENG Jiapeng, YU Hui, KE Weiyang
    2024, 24 (5):  732-744.  doi: 10.3969/j.issn.1671-1122.2024.05.007

    In order to solve the problem of the poor realizability of preparing complex entanglement resources and performing difficult entangled-state measurements in current quantum voting protocols, this paper designed an electronic voting scheme based on public key encryption of quantum walks. Quantum walks can generate any form of entanglement between particles and avoid entangled-state measurements; therefore, the proposed scheme can be realized by initially preparing single particles and finally performing single-particle measurements. Quantum walks have been implemented on a variety of systems. In addition, the security analysis shows that the proposed scheme can achieve information-theoretic security. So, it is feasible and secure under current technology. This paper uses one particle to represent n-bit voting information, achieving higher efficiency than existing solutions.

    A Dynamic (t,n) Threshold Quantum Secret Sharing Scheme with Cheating Identification
    GUO Jiansheng, GUAN Feiting, LI Zhihui
    2024, 24 (5):  745-755.  doi: 10.3969/j.issn.1671-1122.2024.05.008

    Based on homogeneous linear feedback shift register (LFSR) sequences and d-dimensional single quantum states, this paper proposed a dynamic (t,n) threshold quantum secret sharing scheme with cheating identification. In this scheme, a trusted dealer determined the shared secret and distributed shares to the participants, and the participants recovered the secret by performing the corresponding unitary operations on the transmitted particles. In the secret reconstruction phase, by performing quantum state digital signatures, not only could the existence of cheating behavior be detected, but the specific cheater could also be identified and removed, and finally the participants could verify the correctness of the recovered secret. The scheme allowed dynamic updating of participants without changing the shares of old participants and without the help of other participants. Security analysis shows that the scheme is resistant to common external and internal attacks.

    Analysis Method of Monero Payment Protocol Based on Tamarin
    LI Yuxin, HUANG Wenchao, WANG Jionghan, XIONG Yan
    2024, 24 (5):  756-766.  doi: 10.3969/j.issn.1671-1122.2024.05.009

    Monero, as a highly anonymous cryptocurrency protocol based on blockchain technology, aims to provide robust privacy protection for users. Unlike other cryptocurrencies, Monero enhances the privacy protection of user transactions through its unique payment protocol. However, security vulnerabilities within the payment protocol may allow attackers to analyze or intercept transaction information, thereby posing a threat to user privacy. Currently, research on the Monero payment protocol primarily focuses on attacks targeting anonymity vulnerabilities, often starting from external features and lacking exploration of the intrinsic mechanisms of Monero itself, which insufficiently ensures the security and untraceability of the payment process. Therefore, a more systematic analysis is needed to comprehensively evaluate the security and untraceability of the Monero payment protocol. This paper provided a detailed modeling of the Monero payment protocol from various perspectives, including model rules and property definitions. The study utilized the existing Tamarin tool to verify the relevant properties. The research findings reveal multiple vulnerabilities in the Monero payment protocol and offer optimization recommendations.

    An Automatic Discovery Method for Heuristic Log Templates
    ZHANG Shuya, CHEN Liangguo, CHEN Xingshu
    2024, 24 (5):  767-777.  doi: 10.3969/j.issn.1671-1122.2024.05.010

    Logs are an important source of data in the field of security analytics. However, unstructured raw logs can't be used directly for security analysis, so parsing logs into structured templates is a critical first step. Most of the existing log parsing methods assume that log messages belonging to the same log template have the same length, so log messages belonging to the same template are incorrectly extracted into different templates when the log length varies. Therefore, this paper proposed an automatic log template discovery method, KeyParse, which first calculated the similarity between logs and templates based on the longest common subsequence algorithm, ignoring the differences caused by variables and thereby matching logs to templates. Secondly, log template grouping was realized based on the highest-frequency items, to avoid log messages belonging to the same event but of different lengths being divided into different template groups, which reduced template redundancy and improved template matching efficiency. Finally, the HeavyGuardian algorithm was used to compute the statistics of the highest-frequency items in streaming log messages. This solved the problem that traditional frequency statistics methods find it difficult to adapt to the dynamic change of word frequency in streaming log messages. Experimental results show that KeyParse has higher accuracy across various types of log sets, with an average parsing accuracy of 0.968, and has higher performance when parsing large log sets.

    A Survey of Large Language Models in the Domain of Cybersecurity
    ZHANG Changlin, TONG Xin, TONG Hui, YANG Ying
    2024, 24 (5):  778-793.  doi: 10.3969/j.issn.1671-1122.2024.05.011

    In recent years, with the rapid advancement of large language model technology, its application potential in various fields such as healthcare and law has become evident, simultaneously pointing to new directions for progress in the field of cybersecurity. This paper began by providing an overview of the foundational theories behind the design principles, training mechanisms, and core characteristics of large language models, offering the necessary background knowledge to readers. It then delved into the role of large language models in enhancing the capabilities to identify and respond to the growing threats online, detailing research progress in areas such as penetration testing, code security audit, social engineering attacks, and the assessment of professional cybersecurity knowledge. Finally, it analyzed the challenges related to security, cost, and interpretability of this technology, and looked forward to the future development direction.

    Research on Softwarization Techniques for ERT Trusted Root Entity in Railway Operation Environment
    WANG Wei, HU Yongtao, LIU Qingtao, WANG Kailun
    2024, 24 (5):  794-801.  doi: 10.3969/j.issn.1671-1122.2024.05.012

    In order to guarantee the information security of the railway system, the article proposed a software-based technology for the entity of root of trust (ERT) in the railway operation environment, which implemented the mandatory access control function in the kernel and realized more fine-grained and powerful privilege management through the modification or extension of the operating system kernel. Meanwhile, considering the problems of weak computing capability, limited storage space and unstable power supply of some devices in lightweight scenarios, a lightweight trusted computing system was proposed to meet the requirements of trusted computing as far as possible. Through the implementation of kernel-level mandatory access control and the transformation of the lightweight trusted computing system, the threat of unknown risks to critical infrastructure is mitigated, and a solid guarantee is provided for the security of the railway system.

    Research on Railway Network Security Performance Based on APT Characteristics
    GUO Zimeng, ZHU Guangjie, YANG Yijie, SI Qun
    2024, 24 (5):  802-811.  doi: 10.3969/j.issn.1671-1122.2024.05.013

    In order to explore the impact of APT attacks on railway network security under the new network security situation, the article first analyzed the characteristics of APT attacks, proposed a kill chain model integrating the APT process, and on this basis summarized the characteristics of APT and its possible impact on railway network security. It then analyzed the railway network architecture and selected the railway external network architecture. Finally, based on the proposed railway network model diagram, it conducted APT attack modeling, analyzed the connection process and connection index in detail, reflected network performance through the connection index, and then demonstrated the impact of network attacks on network security performance. The simulation results indicate that the initiation of APT attacks has a significant adverse impact on network performance: after the APT attack, the average network connection index of illegal users increased by more than 5 times. Comparative experiments have shown that, after the occurrence of APT attacks, the connection index of illegal users is on average more than twice that of ordinary network attacks, indicating that the impact of APT attacks is more severe.
