Table of Contents

    10 September 2025, Volume 25 Issue 9

    Cross-Function Behavior Analysis and Constraint Technology for Serverless Applications
    ZHAN Dongyang, HUANG Zilong, TAN Kai, YU Zhaofeng, HE Zheng, ZHANG Hongli
    2025, 25 (9):  1329-1337.  doi: 10.3969/j.issn.1671-1122.2025.09.001

    Applications in Serverless computing are decomposed into functions that run in different containers. This makes them lightweight and widely used, but it also brings security risks. This architecture exposes the internal interfaces of the program to the network, increases the attack surface and security risks such as unauthorized access, and threatens the integrity of the control flow and data flow. However, existing security monitoring methods struggle to protect the integrity of the control flow and data flow between containers (or functions) in Serverless computing. This paper therefore proposed a cross-function behavior analysis and constraint technology for Serverless applications: a method based on static analysis was studied for extracting the complete access model between functions, and real-time access control across functions was performed. Experimental results show that the method achieves average identification rates of 97.54% and 92.87% for anomalous control flow and data flow, respectively, and reduces monitoring false alarms by more than 10%, which improves the security of Serverless computing.

    Small-Sample APT Attack Event Extraction Method Based on Large Model
    CAO Jun, XIANG Ga, REN Yawei, TAN Zicheng, YANG Qunsheng
    2025, 25 (9):  1338-1347.  doi: 10.3969/j.issn.1671-1122.2025.09.002

    APT attacks are relatively difficult to detect and defend against. Automatically extracting APT attack events and key information from threat intelligence is of great significance for improving proactive defense capabilities and building high-quality threat intelligence. However, threat intelligence related to APT often spans multiple attack stages and involves complex techniques with intricate semantics. Training accurate extraction models is hindered by the scarcity of high-quality datasets and limited sample sizes. This paper proposed a small-sample APT attack event extraction method based on a large model. First, a data augmentation method for attack events based on large models was designed. Using this method, the APTCNEE dataset and a Chinese corpus of APT attack events were created. Then, an ERNIE-BiLSTM-CRF model based on prompt learning was constructed. Experiments verify the effectiveness of the method: its F1 score is higher than those of the baseline models, and data augmentation significantly boosts the performance of both trigger word and argument extraction.

    Automated Exploitation of Vulnerabilities in Vehicle Network Security
    HU Yucui, GAO Haotian, ZHANG Jie, YU Hang, YANG Bin, FAN Xuejian
    2025, 25 (9):  1348-1356.  doi: 10.3969/j.issn.1671-1122.2025.09.003

    With the rapid development of connected vehicle technology, the complexity of in-vehicle systems has surged, and the hazards posed by security vulnerabilities (such as remote control, privacy breaches, and driving safety threats) have become increasingly severe. The verification and remediation of software vulnerabilities in connected vehicles have become a hot and challenging topic in security research both domestically and internationally. The validation and remediation of software security vulnerabilities rely heavily on proof-of-concept (PoC) exploit code, but manual construction is inefficient and constrained by the unstructured nature of vulnerability reports. Therefore, this article proposed an automated PoC exploit code generation and verification method based on large language models (LLMs). The innovation lies in combining LLMs with static and dynamic analysis techniques for exploit generation, producing candidate PoC exploit code and then validating and refining it, which enables end-to-end automation from vulnerability descriptions to verifiable PoCs. This method can enhance the efficiency of vulnerability mining research in connected vehicles, reduce labor costs, provide targeted test cases for in-vehicle system security testing, and meet the urgent demand for automated attack-defense exercises in connected vehicle scenarios.

    Intelligent Binary Analysis Method Based on Enhanced Semantic Program Dependency Graph
    XUE Lei, ZHANG Jican, DU Pingxin
    2025, 25 (9):  1357-1366.  doi: 10.3969/j.issn.1671-1122.2025.09.004

    In the field of software security analysis, binary program analysis technology faces the dual challenges of complex compiler optimization and a lack of structural information. Traditional toolchains commonly suffer from fragmented analysis processes, reliance on manual operations, and insufficient semantic expression, making them unable to meet the demands of structured, automated vulnerability discovery. This paper proposed an intelligent binary analysis method based on an enhanced Semantic Program Dependence Graph (SPDG). By uniformly modeling control flow (CFG), data dependency (DDG), and symbolic path constraint information, SPDG achieves a three-dimensional structured representation of program semantics. In experimental evaluations, SPDG demonstrates significant performance advantages. At the unoptimized level of the OpenSSL project, SPDG recovers 60.5% more basic blocks and 42.5% more control edges than Ghidra. SPDG also improves data dependency tracing by 287.1% over Ghidra, recovering over 130,000 data dependency chains. Furthermore, SPDG achieves 64.7% symbolic execution coverage at the unoptimized level of OpenSSL, surpassing Angr’s 60%. In the vulnerability detection task, SPDG successfully identifies nine vulnerability examples with only one false positive, achieving an accuracy rate of 90.0%, which is significantly higher than that of other tools.

    Research on Transformer-Based Super-Resolution Network Adversarial Sample Defense Method
    XU Ruzhi, WU Xiaoxin, LYU Changran
    2025, 25 (9):  1367-1376.  doi: 10.3969/j.issn.1671-1122.2025.09.005

    The vulnerability of deep learning models to carefully crafted adversarial attacks has garnered significant attention. Although existing defense methods against adversarial attacks have made some progress, they still suffer from poor generality, exhibiting strong defense performance against specific attack types while showing limited or ineffective protection against others. This paper proposed a universal defense method based on a Transformer architecture for super-resolution networks. First, the dynamic enhancement of high-frequency image information was achieved through self-attention mechanisms to improve image quality. Second, multi-scale feature fusion techniques were employed to effectively suppress adversarial perturbations. Finally, an innovative diversified window partitioning strategy was introduced, significantly reducing computational complexity while maintaining long-range pixel dependencies. Experimental results demonstrate that the proposed method achieves an average defense success rate of 90% against multiple attack types, surpassing existing baseline methods while exhibiting stronger robustness.

    Jailbreak Detection for Large Language Model Based on Deep Semantic Mining
    LIU Hui, ZHU Zhengdao, WANG Songhe, WU Yongcheng, HUANG Linquan
    2025, 25 (9):  1377-1384.  doi: 10.3969/j.issn.1671-1122.2025.09.006

    Jailbreak attacks on large language models (LLMs) often involve disguising user prompts to evade built-in safety mechanisms. Common strategies include semantic encoding and prefix injection, which induce LLMs to generate unethical or harmful content. To address this issue, we proposed a jailbreak detection method based on deep semantic mining. By uncovering the latent intent embedded in user prompts, our approach effectively activates the model’s safety protocols, enabling accurate identification of malicious prompts. We evaluated the proposed method across 3 representative jailbreak techniques on 3 mainstream LLMs. Experimental results show that the proposed method achieves an average detection accuracy of 96.48%, reducing the jailbreak attack success rate from 33.75% to 1.38%. Compared to the latest existing detection methods, it improves defense performance by 4%, demonstrating strong capability in mitigating jailbreak attacks.

    Intelligent Reverse Analysis Method of Firmware Program Interaction Relationships Based on Taint Analysis and Textual Semantics
    WANG Lei, CHEN Jiongyi, WANG Jian, FENG Yuan
    2025, 25 (9):  1385-1396.  doi: 10.3969/j.issn.1671-1122.2025.09.007

    To address the challenges of low automation, limited accuracy and inefficiency in reverse-engineering interaction relationships among embedded firmware programs, this paper proposed an intelligent reverse analysis method based on taint analysis and textual semantics. The approach introduced a taint-analysis-based associated function code slicing algorithm, which, combined with the semantic comprehension capabilities of large language models, enabled precise extraction of interaction-related information from binary programs and intelligent localization of relevant code segments. Furthermore, a dedicated interaction extraction method was designed for script and configuration files, significantly enhancing the method's ability to process unstructured textual data. The experimental results demonstrate that the proposed method achieves an interaction detection accuracy of 93.2%. The findings provide robust support for program functionality comprehension, communication control, and vulnerability discovery in practical applications.

    Research and Implementation of Ransomware Detection Technology Based on Hardware Performance Counters
    ZHAO Wenyu, DANG Chenxi, DU Zhenhua, ZHANG Jian
    2025, 25 (9):  1397-1406.  doi: 10.3969/j.issn.1671-1122.2025.09.008

    Modern ransomware uses techniques such as code obfuscation, dynamic encryption/decryption, and process splitting to conceal its behavioral features and evade detection, which renders traditional behavior-based detection methods ineffective. To address this challenge, this paper proposed a ransomware detection approach based on Hardware Performance Counters (HPCs) and a transformer architecture. The method first collected time-series HPC data from program executions within a KVM virtualized environment to extract microarchitectural features. Then, it applied a multi-head attention mechanism for hierarchical modeling of the HPC sequences, combined with positional encoding to enhance the model’s ability to capture temporal dependencies, thereby overcoming the limitations of traditional dynamic behavior analysis. A dataset comprising 9,900 ransomware samples and 9,900 benign software samples was collected. After feature selection, five HPC events strongly associated with ransomware behavior were used as inputs. Experimental results show that the proposed method achieves an accuracy of 99.36% within a 500 ms time window, offering strong support for the efficient identification of and defense against ransomware.

    Dynamic Three-Factor Authentication Key Agreement Protocol for IoT Scenarios
    YANG Yukun, XIAO Weien, LIANG Boxuan, HUANG Xin
    2025, 25 (9):  1407-1417.  doi: 10.3969/j.issn.1671-1122.2025.09.009

    In recent years, the widespread adoption of Internet of Things (IoT) devices has significantly enhanced both quality of life and work efficiency. However, data sharing between IoT devices occurs over networks, making it susceptible to attacks and breaches. This paper aims to enhance the security of data exchange among IoT devices, focusing on Multi-Factor Authentication and Key Agreement (MFAKA) protocols. The research was centered on the security of data sharing between IoT devices, utilizing BioHash technology and Elliptic Curve Cryptography (ECC), and conducting theoretical analysis based on the Real-Or-Random (ROR) model in provable security. A novel dynamic three-factor authentication and key agreement protocol, named D3FAKAP, was proposed. This protocol integrated BioHash technology and ECC to achieve genuine three-factor authentication. This ensures user anonymity and unlinkability during the login process. Additionally, the proposed scheme is proven to be semantically secure under the Real-Or-Random model. Performance analysis indicates that the proposed scheme is well-suited for IoT environments in terms of security and resource efficiency.

    Overview of Backdoor Attacks and Defenses in Personalized Federated Learning
    CHEN Xianyi, WANG Xuebo, CUI Qi, FU Zhangjie, WANG Qianqian, ZENG Yifu
    2025, 25 (9):  1418-1438.  doi: 10.3969/j.issn.1671-1122.2025.09.010

    As an emerging paradigm in federated learning, personalized federated learning (PFL) aims to provide each client with a personalized model tailored to its unique data distribution, in order to effectively mitigate the adverse impacts of data heterogeneity. However, the distributed nature and personalization requirements of PFL render it susceptible to backdoor attacks. Furthermore, model drift arising from data heterogeneity, intertwined with the personalization objective, significantly increases the stealthiness of attacks and the difficulty of defense. Therefore, in-depth research into backdoor attack mechanisms and defense strategies within the PFL environment is crucial. First, the research background and core concepts of PFL and backdoor attacks were introduced. Then, PFL backdoor attack strategies encompassing black-box and white-box scenarios, along with defense mechanisms operating at various stages, were systematically reviewed and critically analyzed, and their respective applicability and limitations were examined. Finally, key challenges and future research directions for PFL backdoor attacks and defenses were discussed.

    Secure Multi-Party Computation Protocol Based on Trusted Execution Environment
    SHI Yijuan, ZHOU Danping, FAN Lei, LIU Yin
    2025, 25 (9):  1439-1446.  doi: 10.3969/j.issn.1671-1122.2025.09.011

    As data becomes increasingly valuable in information systems, privacy protection must be addressed alongside data utilization. Secure multi-party computation enables collaborative computation without direct data sharing between parties, serving as a crucial technology for privacy preservation. Traditional multi-party computation relies on complex cryptographic protocols, incurring high communication and computational overheads that hinder practical deployment. This paper proposed an outsourced multi-party computation protocol based on the native security mechanisms of trusted execution environments. It not only ensures security properties such as privacy, correctness, and input independence, but also achieves high efficiency and scalability. The proposed protocol offers a new technical path for secure and practical multi-party computation systems, and lowers deployment barriers. It is of practical significance for privacy computing.

    Improved Consensus Algorithm Based on HotStuff and Multi-Ary Trees
    YANG Jianxin, WANG Xiaoding, LIN Hui
    2025, 25 (9):  1447-1455.  doi: 10.3969/j.issn.1671-1122.2025.09.012

    This paper presented an improved consensus algorithm based on HotStuff and multi-ary trees to address the issues of high communication complexity, poor scalability, and leader censorship in Byzantine fault-tolerant consensus protocols for blockchain. The algorithm introduced BLS signatures into the signature mechanism to achieve aggregation verification, significantly reducing message overhead. A multi-ary tree structure was used to achieve load balancing and improve the parallelism of block processing. Pipeline technology was used to optimize the voting and submission stages, reducing consensus latency, and an active leadership rotation strategy was adopted to address the system performance degradation caused by malicious or inefficient leaders. The results show that with a total of 100 system nodes, this consensus algorithm achieves a throughput five times higher than the traditional HotStuff consensus algorithm. Moreover, when round-trip time increases from 50 ms to 400 ms, throughput decreases by only 9% and remains highly stable. Meanwhile, in various network environments, this algorithm exhibits lower transaction confirmation latency. Therefore, this algorithm has significant advantages in reducing communication complexity, enhancing fault tolerance, and improving performance, providing a reference for the design and application of high-performance blockchain systems.

    A Multi-Scale and Multi-Level Feature Fusion Approach for Deepfake Face Detection
    CHEN Yonghao, CAI Manchun, ZHANG Yiwen, PENG Shufan, YAO Lifeng, ZHU Yi
    2025, 25 (9):  1456-1464.  doi: 10.3969/j.issn.1671-1122.2025.09.013

    With the advancement of deepfake technology, current forged facial features exhibit multi-scale characteristics, and forgery artifacts persist across feature hierarchies. However, existing detection approaches generally fail to fully leverage these features. To address this issue, the paper proposed a deepfake detection method based on multi-scale and multi-level feature fusion. First, an overlapping window attention unit was integrated into Swin Transformer to extract multi-scale forgery features. Next, an innovative multi-scale feature fusion module was designed to fuse features of different scales extracted from various levels, thereby obtaining more expressive and robust multi-level feature representations. Finally, the effectiveness of the proposed method was validated on the FaceForensics++ (FF++) and Celeb-DF (V2) datasets.

    Bayesian Optimized DAE-MLP Malicious Traffic Identification Model
    WANG Xinmeng, CHEN Junbao, YANG Yitao, LI Wenjin, GU Dujuan
    2025, 25 (9):  1465-1472.  doi: 10.3969/j.issn.1671-1122.2025.09.014

    With the rapid development of Internet technology, the issue of network security has become increasingly serious, and malicious traffic has emerged as a significant problem in the field of network security. This paper first preprocessed and fused the NSL-KDD, CSIC 2010, and CICIDS2017 network intrusion detection datasets to form the research dataset for this study. Then, it investigated a malicious traffic feature extraction algorithm based on DAE, which effectively extracted traffic features with strong robustness. The hyperparameters of the malicious traffic identification algorithm based on DAE-MLP were optimized and adjusted using Bayesian optimization. Comparative experimental analyses were conducted on several typical machine learning and deep learning algorithms. Compared with traditional machine learning and deep learning methods, the malicious traffic identification method proposed in this paper has stronger data representation and automatic feature learning capabilities and lower computational complexity, and it can better capture complex patterns in the data while also being interpretable.
