Wireless mesh network is a new emerging field with its potential applications in extremely unpredictable and dynamic environments.However,it is particularly vulnerable due to its features of open medium,dynamic changi...Wireless mesh network is a new emerging field with its potential applications in extremely unpredictable and dynamic environments.However,it is particularly vulnerable due to its features of open medium,dynamic changing topology, cooperative routing algorithms.The article surveys the state of the art in security for wireless mesh networks.Firstly,we analyze various possible threats to security in wireless mesh networks.Secondly,we introduce some representative solutions to these threats,including solutions to the problems of key management,secure network routing,and intrusion detection.We also provide a comparison and discussion of their respective merits and drawbacks,and propose some improvements for these drawbacks.Finally,we also discuss the remaining challenges in the area.展开更多
With increased cyber attacks over years,information system security assessment becomes more and more important.This paper provides an ontology-based attack model,and then utilizes it to assess the information system s...With increased cyber attacks over years,information system security assessment becomes more and more important.This paper provides an ontology-based attack model,and then utilizes it to assess the information system security from attack angle.We categorize attacks into a taxonomy suitable for security assessment.The proposed taxonomy consists of five dimensions,which include attack impact,attack vector,attack target,vulnerability and defense.Afterwards we build an ontology according to the taxonomy.In the ontology,attack related concepts included in the five dimensions and relationships between them are formalized and analyzed in detail.We also populate our attack ontology with information from national vulnerability database(NVD)about the vulnerabilities,such as common vulnerabilities and exposures(CVE),common weakness enumeration(CWE),common vulnerability scoring system(CVSS),and common platform enumeration(CPE).Finally we propose an ontology-based framework for security assessment of network and computer systems,and describe the utilization of ontology in the security assessment and the method for evaluating attack efect on the system when it is under attack.展开更多
The CLC protocol (proposed by Tzung-Her Chen, Wei-Bin Lee and Hsing-Bai Chen, CLC, for short) is a new three-party password-authenticated key exchange (3PAKE) protocol. This CLC protocol provides a superior round ...The CLC protocol (proposed by Tzung-Her Chen, Wei-Bin Lee and Hsing-Bai Chen, CLC, for short) is a new three-party password-authenticated key exchange (3PAKE) protocol. This CLC protocol provides a superior round efficiency (only three rounds), and its resources required for computation are relatively few. However, we find that the leakage of values VA and VB in the CLC protocol will make a man-in-the-middle attack feasible in practice, where VA and VB are the authentication information chosen by the server for the participants A and B. In this paper, we describe our attack on the CLC protocol and further present a modified 3PAKE protocol, which is essentially an improved CLC protocol. Our protocol can resist attacks available, including man-in-the-middle attack we mount on the initial CLC protocol. Meanwhile, we allow that the participants choose their own pass- words by themselves, thus avoiding the danger that the server is controlled in the initialization phase. Also, the computational cost of our protocol is lower than that of the CLC protocol.展开更多
To avoid the scalability of the existing systems that employed centralized indexing,index flooding or query flooding,we proposed an efficient peer-to-peer information retrieval system SPIRS (Semantic P2P-based Informa...To avoid the scalability of the existing systems that employed centralized indexing,index flooding or query flooding,we proposed an efficient peer-to-peer information retrieval system SPIRS (Semantic P2P-based Information Retrieval System) that supported state-of-the-art content and semantic searches. SPIRS distributes document indices through P2P network hierarchically by Latent Semantic Indexing (LSI) and organizes nodes into a hierarchical overlay through CAN and TRIE. Comparing with other P2P search techniques,those based on simple keyword matching,SPIRS has better accuracy for considering the advanced relevance among documents. Given a query,only a small number of nodes are needed for SPIRS to identify the matching documents. Furthermore,both theoretical analysis and experimental results show that SPIRS possesses higher accuracy and less logic hops.展开更多
Modeling of network traffic is a fundamental building block of computer science. Measurements of network traffic demonstrate that self-similarity is one of the basic properties of the network traffic possess at large ...Modeling of network traffic is a fundamental building block of computer science. Measurements of network traffic demonstrate that self-similarity is one of the basic properties of the network traffic possess at large time-scale. This paper investigates the change of non-stationary self-similarity of network traffic over time,and proposes a method of combining the discrete wavelet transform (DWT) and Schwarz information criterion (SIC) to detect change points of self-similarity in network traffic. The traffic is segmented into pieces around changing points with homogenous characteristics for the Hurst parameter,named local Hurst parameter,and then each piece of network traffic is modeled using fractional Gaussian noise (FGN) model with the local Hurst parameter. The presented experimental performance on data set from the Internet Traffic Archive (ITA) demonstrates that the method is more accurate in describing the non-stationary self-similarity of network traffic.展开更多
Network operators are attempting many innovations and changes in 5G using self-organizing networks(SON).The SON operates on the measurement reports(MR),which are obtained from user equipment(UE)and secured against mal...Network operators are attempting many innovations and changes in 5G using self-organizing networks(SON).The SON operates on the measurement reports(MR),which are obtained from user equipment(UE)and secured against malware and userspace programs.However,the synchronization signal block that the UE relies on to measure the wireless environment configured by a base station is not authenticated.As a result,the UE will likely gauge the wrong wireless environment configured by a false base station(FBS)and transmit the corresponding MR to the serving base station,which poisons the data used for 5G SONs.Therefore,the serving base stations must verify the authenticity of the MR.The 3GPP has advocated numerous solutions for this issue,including the use of public key certificates,identity-based keys,and group keys.Although the solution leveraging group keys have better efficiency and practicality than the other two,they are vulnerable to security threats caused by key leaks via insiders or malicious UE.In this paper,we analyze these security issues and propose an improved group key protocol that uses a new network function,called a broadcast message authentication network function(BMANF),which validates broadcasted messages on behalf of the UE.The protocol operates in two phases:initial and verification.During the initial phase,the 5G core network distributes a shared secret key to the BMANF and UE,allowing the latter to request an authentication ticket from the former.During the verification phase,the UE requests the BMANF to validate the broadcasted messages received from base stations using the ticket and its corresponding shared key.For evaluation,we formally verified the proposed protocol,which was then compared with alternative methods in terms of computing cost.As a result,the proposed protocol fulfills the security requirements and shows a lower overhead than the alternatives.展开更多
Cloud storage,a core component of cloud computing,plays a vital role in the storage and management of data.Electronic Health Records(EHRs),which document users’health information,are typically stored on cloud servers...Cloud storage,a core component of cloud computing,plays a vital role in the storage and management of data.Electronic Health Records(EHRs),which document users’health information,are typically stored on cloud servers.However,users’sensitive data would then become unregulated.In the event of data loss,cloud storage providers might conceal the fact that data has been compromised to protect their reputation and mitigate losses.Ensuring the integrity of data stored in the cloud remains a pressing issue that urgently needs to be addressed.In this paper,we propose a data auditing scheme for cloud-based EHRs that incorporates recoverability and batch auditing,alongside a thorough security and performance evaluation.Our scheme builds upon the indistinguishability-based privacy-preserving auditing approach proposed by Zhou et al.We identify that this scheme is insecure and vulnerable to forgery attacks on data storage proofs.To address these vulnerabilities,we enhanced the auditing process using masking techniques and designed new algorithms to strengthen security.We also provide formal proof of the security of the signature algorithm and the auditing scheme.Furthermore,our results show that our scheme effectively protects user privacy and is resilient against malicious attacks.Experimental results indicate that our scheme is not only secure and efficient but also supports batch auditing of cloud data.Specifically,when auditing 10,000 users,batch auditing reduces computational overhead by 101 s compared to normal auditing.展开更多
Traditional steganography conceals information by modifying cover data,but steganalysis tools easily detect such alterations.While deep learning-based steganography often involves high training costs and complex deplo...Traditional steganography conceals information by modifying cover data,but steganalysis tools easily detect such alterations.While deep learning-based steganography often involves high training costs and complex deployment.Diffusion model-based methods face security vulnerabilities,particularly due to potential information leakage during generation.We propose a fixed neural network image steganography framework based on secure diffu-sion models to address these challenges.Unlike conventional approaches,our method minimizes cover modifications through neural network optimization,achieving superior steganographic performance in human visual perception and computer vision analyses.The cover images are generated in an anime style using state-of-the-art diffusion models,ensuring the transmitted images appear more natural.This study introduces fixed neural network technology that allows senders to transmit only minimal critical information alongside stego-images.Recipients can accurately reconstruct secret images using this compact data,significantly reducing transmission overhead compared to conventional deep steganography.Furthermore,our framework innovatively integrates ElGamal,a cryptographic algorithm,to protect critical information during transmission,enhancing overall system security and ensuring end-to-end information protection.This dual optimization of payload reduction and cryptographic reinforcement establishes a new paradigm for secure and efficient image steganography.展开更多
Mobile ad hoc networking (MANET) has become an exciting and important technology in recent years, because of the rapid proliferation of wireless devices. Mobile ad hoc networks is highly vulnerable to attacks due to...Mobile ad hoc networking (MANET) has become an exciting and important technology in recent years, because of the rapid proliferation of wireless devices. Mobile ad hoc networks is highly vulnerable to attacks due to the open medium, dynamically changing network topology, cooperative algorithms, and lack of centralized monitoring and management point. The traditional way of protecting networks with firewalls and encryption software is no longer sufficient and effective for those features. A distributed intrusion detection approach based on timed automata is given. A cluster-based detection scheme is presented, where periodically a node is elected as the monitor node for a cluster. These monitor nodes can not only make local intrusion detection decisions, but also cooperatively take part in global intrusion detection. And then the timed automata is constructed by the way of manually abstracting the correct behaviours of the node according to the routing protocol of dynamic source routing (DSR). The monitor nodes can verify the behaviour of every nodes by timed automata, and validly detect real-time attacks without signatures of intrusion or trained data. Compared with the architecture where each node is its own IDS agent, the approach is much more efficient while maintaining the same level of effectiveness. Finally, the intrusion detection method is evaluated through simulation experiments.展开更多
The nature of adhoc networks makes them vulnerable to security attacks. Many security technologies such as intrusion prevention and intrusion detection are passive in response to intrusions in that their countermea- s...The nature of adhoc networks makes them vulnerable to security attacks. Many security technologies such as intrusion prevention and intrusion detection are passive in response to intrusions in that their countermea- sures are only to protect the networks, and there is no automated network-wide counteraction against detected intrusions, the architecture of cooperation intrusion response based multi-agent is propose. The architecture is composed of mobile agents. Monitor agent resides on every node and monitors its neighbor nodes. Decision agent collects information from monitor nodes and detects an intrusion by security policies. When an intruder is found in the architecture, the block agents will get to the neighbor nodes of the intruder and form the mobile firewall to isolate the intruder. In the end, we evaluate it by simulation.展开更多
Online reviews and comments are important information resources for people.A new model,called Sentiment Vector Space Model(SVSM),for feature selection and weighting is proposed to predict the sentiment orientation of ...Online reviews and comments are important information resources for people.A new model,called Sentiment Vector Space Model(SVSM),for feature selection and weighting is proposed to predict the sentiment orientation of comments and reviews,e.g.,sorting out positive reviews from negative ones.Different from that of topic-oriented classification,feature selection of sentiment orientation prediction focuses on language characteristics.Different from traditional algorithms for sentiment classification,this model integrates grammatical knowledge and takes topic correlations into account.Features are extracted,and the similarity between these features and the topic are also computed.The feature similarity is taken as a factor when evaluating the polarity of opinions.The experimental results show that the proposed model is more effective in identifying sentiment orientation than most of the traditional techniques.展开更多
Mobile ad hoc networks are particularly vulnerable to denial of service (DOS) attacks launched through compromised nodes or intruders. In this paper, we present a new DOS attack and its defense in ad hoc networks. T...Mobile ad hoc networks are particularly vulnerable to denial of service (DOS) attacks launched through compromised nodes or intruders. In this paper, we present a new DOS attack and its defense in ad hoc networks. The new DOS attack, called AA hoc Flooding Attack(AHFA), is that intruder broadcasts mass Route Request packets to exhaust the communication bandwidth and node resource so that the valid communication can not be kept. After analyzed AM hoc Flooding Attack, we develop Flooding Attack Prevention (FAP), a genetic defense against the AM hoc Flooding Attack. When the intruder broadcasts exceeding packets of Route Request, the immediate neighbors of the intruder record the rate of Route Request. Once the threshold is exceeded, nodes deny any future request packets from the intruder. The results of our implementation show FAP can prevent the AM hoe Flooding attack efficiently.展开更多
Dear Editor, We developed a GPU-based analytical method, named as SHEsisEpi, which purely focuses on risk epistasis in a genome-wide association study (GWAS) of complex traits, excluding the contamination of margin...Dear Editor, We developed a GPU-based analytical method, named as SHEsisEpi, which purely focuses on risk epistasis in a genome-wide association study (GWAS) of complex traits, excluding the contamination of marginal effects caused by single-locus association. We analyzed the Wellcome Trust Case Control Consortium's (WTCCC) GWAS data of bipolar disorder (BPD) with 500K SNPs.展开更多
Wireless Mesh Networks is vulnerable to attacks due to the open medium, dynamically changing network topology, cooperative algorithms, Lack of centralized monitoring and management point. The traditional way of protec...Wireless Mesh Networks is vulnerable to attacks due to the open medium, dynamically changing network topology, cooperative algorithms, Lack of centralized monitoring and management point. The traditional way of protecting networks with firewalls and encryption software is no longer suffi- cient and effective for those features. In this paper, we propose a distributed intrusion detection ap- proach based on timed automata. A cluster-based detection scheme is presented, where periodically a node is elected as the monitor node for a cluster. These monitor nodes can not only make local intrusion detection decisions, but also cooperatively take part in global intrusion detection. And then we con- struct the Finite State Machine (FSM) by the way of manually abstracting the correct behaviors of the node according to the routing protocol of Dynamic Source Routing (DSR). The monitor nodes can verify every node's behavior by the Finite State Ma- chine (FSM), and validly detect real-time attacks without signatures of intrusion or trained data.Compared with the architecture where each node is its own IDS agent, our approach is much more efficient while maintaining the same level of effectiveness. Finally, we evaluate the intrusion detection method through simulation experiments.展开更多
This paper focuses on investigating immunological principles in designing a multi-agent security architecture for intrusion detection and response in wireless mesh networks.In this approach,the immunity-based agents m...This paper focuses on investigating immunological principles in designing a multi-agent security architecture for intrusion detection and response in wireless mesh networks.In this approach,the immunity-based agents monitor the situation in the network.These agents can take appropriate actions according to the underlying security policies.Specifically,their activities are coordinated in a hierarchical fashion while sensing,communicating,determining and generating responses.Such an agent can learn about and adapt to its environment dynamically and can detect both known and unknown intrusions.The proposed intrusion detection architecture is designed to be flexible,extendible,and adaptable so that it can perform real-time monitoring.This paper provides the conceptual view and a general framework of the proposed system.In the end,the architecture is illustrated by an example and by simulation to show it can prevent attacks efficiently.展开更多
The key exposure problem is a practical threat for many security applications. In wireless sensor networks (WSNs), keys could be compromised easily due to its limited hardware protections. A secure group key managemen...The key exposure problem is a practical threat for many security applications. In wireless sensor networks (WSNs), keys could be compromised easily due to its limited hardware protections. A secure group key management scheme is responsible for secure distributing group keys among valid nodes of the group. Based on the key-insulated encryption (KIE), we propose a group key management scheme (KIE-GKMS), which integrates the pair-wise key pre-distribution for WSN. The KIE-GKMS scheme updates group keys dynamically when adding or removing nodes. Moreover, the security analysis proves that the KIE-GKMS scheme not only obtains the semantic security, but also provides the forward and backward security. Finally, the theoretical analysis shows that the KIE-GKMS scheme has constant performance on both communication and storage costs in sensor nodes.展开更多
Highly security-critical system should possess features of continuous service. We present a new Robust Disaster Recovery System Model (RDRSM). Through strengthening the ability of safe communications, RDRSM guarante...Highly security-critical system should possess features of continuous service. We present a new Robust Disaster Recovery System Model (RDRSM). Through strengthening the ability of safe communications, RDRSM guarantees the secure and reliable command on disaster recovery. Its self-supervision capability can monitor the integrality and security of disaster recovery system itself. By 2D and 3D rea-time visible platform provided by GIS, GPS and RS, the model makes the using, management and maintenance of disaster recovery system easier. RDRSM possesses predominant features of security, robustness and controllability. And it can be applied to highly security-critical environments such as E-government and bank. Conducted by RDRSM, an important E-government disaster recovery system has been constructed successfully. The feasibility of this model is verified by practice. We especially emphasize the significance of some components of the model, such as risk assessment, disaster recovery planning, system supervision and robust communication support.展开更多
Cyberattacks on the Industrial Control System(ICS)have recently been increasing,made more intelligent by advancing technologies.As such,cybersecurity for such systems is attracting attention.As a core element of contr...Cyberattacks on the Industrial Control System(ICS)have recently been increasing,made more intelligent by advancing technologies.As such,cybersecurity for such systems is attracting attention.As a core element of control devices,the Programmable Logic Controller(PLC)in an ICS carries out on-site control over the ICS.A cyberattack on the PLC will cause damages on the overall ICS,with Stuxnet and Duqu as the most representative cases.Thus,cybersecurity for PLCs is considered essential,and many researchers carry out a variety of analyses on the vulnerabilities of PLCs as part of preemptive efforts against attacks.In this study,a vulnerability analysis was conducted on the XGB PLC.Security vulnerabilities were identified by analyzing the network protocols and memory structure of PLCs and were utilized to launch replay attack,memory modulation attack,and FTP/Web service account theft for the verification of the results.Based on the results,the attacks were proven to be able to cause the PLC to malfunction and disable it,and the identified vulnerabilities were defined.展开更多
To deal with the key-exposure problem in signature systems, a new framework named parallel key-insulated signature (PKIS) was introduced, and a concrete PKIS scheme was proposed. Compared with traditional key-insulate...To deal with the key-exposure problem in signature systems, a new framework named parallel key-insulated signature (PKIS) was introduced, and a concrete PKIS scheme was proposed. Compared with traditional key-insulated signature (KIS) schemes, the proposed PKIS scheme allows a frequent updating for temporary secret keys without increasing the risk of helper key-exposure. Moreover, the proposed PKIS scheme does not collapse even if some (not all) of the helper keys and some of the temporary secret keys are simultaneously exposed. As a result, the security of the PKIS scheme is greatly enhanced, and the damage caused by key-exposure is successfully minimized.展开更多
With the growth of the scale of the market for Internet banking and e-commerce,the number of Internet-based financial markets has been increasing.Meanwhile,hacking incidents continuously affect Internet-banking servic...With the growth of the scale of the market for Internet banking and e-commerce,the number of Internet-based financial markets has been increasing.Meanwhile,hacking incidents continuously affect Internet-banking services.For this reason,a countermeasure is required to improve the security of the online identification process.The current security and authentication mechanisms applied to financial services,such as Internet banking services for 5G-enabled IoT,do not ensure security.In this paper,a transaction-linkage technique with which the designated terminal is combined is proposed to solve this fundamental problem.The technique improves the security of online identification mechanisms because it is possible to counteract all of the existing security threats.The proposed technique supports mutual authentication and is safe from eavesdropping attacks,replay attacks,spoofing attacks,and service-denial attacks.Moreover,the technique supports non-repudiation by storing the transaction history in a transaction-linkage device.We believe that the security of Internet-banking services for 5G-enabled IoT will be increased through the utilization of the proposed technique.展开更多
基金Project supported by the Shanghai Minicipal Natural Science Foundation(Grant No09ZR1414900)the National High Technology Development 863 Program of China(Grant No2006AA01Z436,No2007AA01Z452,No2009AA01Z118)
文摘Wireless mesh network is a new emerging field with its potential applications in extremely unpredictable and dynamic environments.However,it is particularly vulnerable due to its features of open medium,dynamic changing topology, cooperative routing algorithms.The article surveys the state of the art in security for wireless mesh networks.Firstly,we analyze various possible threats to security in wireless mesh networks.Secondly,we introduce some representative solutions to these threats,including solutions to the problems of key management,secure network routing,and intrusion detection.We also provide a comparison and discussion of their respective merits and drawbacks,and propose some improvements for these drawbacks.Finally,we also discuss the remaining challenges in the area.
基金the National Basic Research Program(973)of China(No.2010CB731403)the Information Network Security Key Laboratory Open Project of the Ministry of Public Security of China(No.C09603)the Shanghai Key Scientific and Technological Project(No.11511504302)
文摘With increased cyber attacks over years,information system security assessment becomes more and more important.This paper provides an ontology-based attack model,and then utilizes it to assess the information system security from attack angle.We categorize attacks into a taxonomy suitable for security assessment.The proposed taxonomy consists of five dimensions,which include attack impact,attack vector,attack target,vulnerability and defense.Afterwards we build an ontology according to the taxonomy.In the ontology,attack related concepts included in the five dimensions and relationships between them are formalized and analyzed in detail.We also populate our attack ontology with information from national vulnerability database(NVD)about the vulnerabilities,such as common vulnerabilities and exposures(CVE),common weakness enumeration(CWE),common vulnerability scoring system(CVSS),and common platform enumeration(CPE).Finally we propose an ontology-based framework for security assessment of network and computer systems,and describe the utilization of ontology in the security assessment and the method for evaluating attack efect on the system when it is under attack.
基金Supported by the National High Technology Research and Development Program of China (863 Program)(2006AA01Z405)
文摘The CLC protocol (proposed by Tzung-Her Chen, Wei-Bin Lee and Hsing-Bai Chen, CLC, for short) is a new three-party password-authenticated key exchange (3PAKE) protocol. This CLC protocol provides a superior round efficiency (only three rounds), and its resources required for computation are relatively few. However, we find that the leakage of values VA and VB in the CLC protocol will make a man-in-the-middle attack feasible in practice, where VA and VB are the authentication information chosen by the server for the participants A and B. In this paper, we describe our attack on the CLC protocol and further present a modified 3PAKE protocol, which is essentially an improved CLC protocol. Our protocol can resist attacks available, including man-in-the-middle attack we mount on the initial CLC protocol. Meanwhile, we allow that the participants choose their own pass- words by themselves, thus avoiding the danger that the server is controlled in the initialization phase. Also, the computational cost of our protocol is lower than that of the CLC protocol.
基金the Nartional Basic Research Programof China(Grant No.2002CB312002)the Science and Technology Commission of Shanghai Munic-ipality Project(Grant No.03dz15027 and 03dz15028).
文摘To avoid the scalability of the existing systems that employed centralized indexing,index flooding or query flooding,we proposed an efficient peer-to-peer information retrieval system SPIRS (Semantic P2P-based Information Retrieval System) that supported state-of-the-art content and semantic searches. SPIRS distributes document indices through P2P network hierarchically by Latent Semantic Indexing (LSI) and organizes nodes into a hierarchical overlay through CAN and TRIE. Comparing with other P2P search techniques,those based on simple keyword matching,SPIRS has better accuracy for considering the advanced relevance among documents. Given a query,only a small number of nodes are needed for SPIRS to identify the matching documents. Furthermore,both theoretical analysis and experimental results show that SPIRS possesses higher accuracy and less logic hops.
基金the National High Technology Research and Development Program (863) of China(Nos. 2005AA145110 and 2006AA01Z436)the Natural Science Foundation of Shanghai of China(No. 05ZR14083)the Pudong New Area Technology Innovation Public Service Platform of China(No. PDPT2005-04)
文摘Modeling of network traffic is a fundamental building block of computer science. Measurements of network traffic demonstrate that self-similarity is one of the basic properties of the network traffic possess at large time-scale. This paper investigates the change of non-stationary self-similarity of network traffic over time,and proposes a method of combining the discrete wavelet transform (DWT) and Schwarz information criterion (SIC) to detect change points of self-similarity in network traffic. The traffic is segmented into pieces around changing points with homogenous characteristics for the Hurst parameter,named local Hurst parameter,and then each piece of network traffic is modeled using fractional Gaussian noise (FGN) model with the local Hurst parameter. The presented experimental performance on data set from the Internet Traffic Archive (ITA) demonstrates that the method is more accurate in describing the non-stationary self-similarity of network traffic.
基金This work was supported by Institute of Information&communications Technology Planning&Evaluation(IITP)grant funded by the Korea government(MSIT)(No.2020-0-00952,Development of 5G Edge Security Technology for Ensuring 5G+Service Stability and Availability,100%)。
文摘Network operators are attempting many innovations and changes in 5G using self-organizing networks(SON).The SON operates on the measurement reports(MR),which are obtained from user equipment(UE)and secured against malware and userspace programs.However,the synchronization signal block that the UE relies on to measure the wireless environment configured by a base station is not authenticated.As a result,the UE will likely gauge the wrong wireless environment configured by a false base station(FBS)and transmit the corresponding MR to the serving base station,which poisons the data used for 5G SONs.Therefore,the serving base stations must verify the authenticity of the MR.The 3GPP has advocated numerous solutions for this issue,including the use of public key certificates,identity-based keys,and group keys.Although the solution leveraging group keys have better efficiency and practicality than the other two,they are vulnerable to security threats caused by key leaks via insiders or malicious UE.In this paper,we analyze these security issues and propose an improved group key protocol that uses a new network function,called a broadcast message authentication network function(BMANF),which validates broadcasted messages on behalf of the UE.The protocol operates in two phases:initial and verification.During the initial phase,the 5G core network distributes a shared secret key to the BMANF and UE,allowing the latter to request an authentication ticket from the former.During the verification phase,the UE requests the BMANF to validate the broadcasted messages received from base stations using the ticket and its corresponding shared key.For evaluation,we formally verified the proposed protocol,which was then compared with alternative methods in terms of computing cost.As a result,the proposed protocol fulfills the security requirements and shows a lower overhead than the alternatives.
基金supported by National Natural Science Foundation of China(No.62172436)Additionally,it is supported by Natural Science Foundation of Shaanxi Province(No.2023-JC-YB-584)Engineering University of PAP’s Funding for Scientific Research Innovation Team and Key Researcher(No.KYGG202011).
文摘Cloud storage,a core component of cloud computing,plays a vital role in the storage and management of data.Electronic Health Records(EHRs),which document users’health information,are typically stored on cloud servers.However,users’sensitive data would then become unregulated.In the event of data loss,cloud storage providers might conceal the fact that data has been compromised to protect their reputation and mitigate losses.Ensuring the integrity of data stored in the cloud remains a pressing issue that urgently needs to be addressed.In this paper,we propose a data auditing scheme for cloud-based EHRs that incorporates recoverability and batch auditing,alongside a thorough security and performance evaluation.Our scheme builds upon the indistinguishability-based privacy-preserving auditing approach proposed by Zhou et al.We identify that this scheme is insecure and vulnerable to forgery attacks on data storage proofs.To address these vulnerabilities,we enhanced the auditing process using masking techniques and designed new algorithms to strengthen security.We also provide formal proof of the security of the signature algorithm and the auditing scheme.Furthermore,our results show that our scheme effectively protects user privacy and is resilient against malicious attacks.Experimental results indicate that our scheme is not only secure and efficient but also supports batch auditing of cloud data.Specifically,when auditing 10,000 users,batch auditing reduces computational overhead by 101 s compared to normal auditing.
基金supported in part by the National Natural Science Foundation of China under Grants 62102450,62272478 and the Independent Research Project of a Certain Unit under Grant ZZKY20243127。
文摘Traditional steganography conceals information by modifying cover data,but steganalysis tools easily detect such alterations.While deep learning-based steganography often involves high training costs and complex deployment.Diffusion model-based methods face security vulnerabilities,particularly due to potential information leakage during generation.We propose a fixed neural network image steganography framework based on secure diffu-sion models to address these challenges.Unlike conventional approaches,our method minimizes cover modifications through neural network optimization,achieving superior steganographic performance in human visual perception and computer vision analyses.The cover images are generated in an anime style using state-of-the-art diffusion models,ensuring the transmitted images appear more natural.This study introduces fixed neural network technology that allows senders to transmit only minimal critical information alongside stego-images.Recipients can accurately reconstruct secret images using this compact data,significantly reducing transmission overhead compared to conventional deep steganography.Furthermore,our framework innovatively integrates ElGamal,a cryptographic algorithm,to protect critical information during transmission,enhancing overall system security and ensuring end-to-end information protection.This dual optimization of payload reduction and cryptographic reinforcement establishes a new paradigm for secure and efficient image steganography.
基金the National High Technology Development "863" Program of China (2006AA01Z436, 2007AA01Z452)the National Natural Science Foundation of China(60702042).
文摘Mobile ad hoc networking (MANET) has become an exciting and important technology in recent years, because of the rapid proliferation of wireless devices. Mobile ad hoc networks is highly vulnerable to attacks due to the open medium, dynamically changing network topology, cooperative algorithms, and lack of centralized monitoring and management point. The traditional way of protecting networks with firewalls and encryption software is no longer sufficient and effective for those features. A distributed intrusion detection approach based on timed automata is given. A cluster-based detection scheme is presented, where periodically a node is elected as the monitor node for a cluster. These monitor nodes can not only make local intrusion detection decisions, but also cooperatively take part in global intrusion detection. And then the timed automata is constructed by the way of manually abstracting the correct behaviours of the node according to the routing protocol of dynamic source routing (DSR). The monitor nodes can verify the behaviour of every nodes by timed automata, and validly detect real-time attacks without signatures of intrusion or trained data. Compared with the architecture where each node is its own IDS agent, the approach is much more efficient while maintaining the same level of effectiveness. Finally, the intrusion detection method is evaluated through simulation experiments.
基金This project was supported by the National Natural Science Foundation of China (60672068)the National High Technology Development 863 Program of China (2006AA01Z436, 2007AA01Z452.)
文摘The nature of adhoc networks makes them vulnerable to security attacks. Many security technologies such as intrusion prevention and intrusion detection are passive in response to intrusions in that their countermea- sures are only to protect the networks, and there is no automated network-wide counteraction against detected intrusions, the architecture of cooperation intrusion response based multi-agent is propose. The architecture is composed of mobile agents. Monitor agent resides on every node and monitors its neighbor nodes. Decision agent collects information from monitor nodes and detects an intrusion by security policies. When an intruder is found in the architecture, the block agents will get to the neighbor nodes of the intruder and form the mobile firewall to isolate the intruder. In the end, we evaluate it by simulation.
基金supported by National Natural Science Foundation of China under Grant No. 60703032,and Science and Technology Development Center of the Ministry of Education,China
文摘Online reviews and comments are important information resources for people.A new model,called Sentiment Vector Space Model(SVSM),for feature selection and weighting is proposed to predict the sentiment orientation of comments and reviews,e.g.,sorting out positive reviews from negative ones.Different from that of topic-oriented classification,feature selection of sentiment orientation prediction focuses on language characteristics.Different from traditional algorithms for sentiment classification,this model integrates grammatical knowledge and takes topic correlations into account.Features are extracted,and the similarity between these features and the topic are also computed.The feature similarity is taken as a factor when evaluating the polarity of opinions.The experimental results show that the proposed model is more effective in identifying sentiment orientation than most of the traditional techniques.
基金This project was supported by the National"863"High Technology Development Programof China (2003AA148010) Key Technologies R&D Programof China (2002DA103A03 -07)
文摘Mobile ad hoc networks are particularly vulnerable to denial of service (DOS) attacks launched through compromised nodes or intruders. In this paper, we present a new DOS attack and its defense in ad hoc networks. The new DOS attack, called AA hoc Flooding Attack(AHFA), is that intruder broadcasts mass Route Request packets to exhaust the communication bandwidth and node resource so that the valid communication can not be kept. After analyzed AM hoc Flooding Attack, we develop Flooding Attack Prevention (FAP), a genetic defense against the AM hoc Flooding Attack. When the intruder broadcasts exceeding packets of Route Request, the immediate neighbors of the intruder record the rate of Route Request. Once the threshold is exceeded, nodes deny any future request packets from the intruder. The results of our implementation show FAP can prevent the AM hoe Flooding attack efficiently.
文摘Dear Editor, We developed a GPU-based analytical method, named as SHEsisEpi, which purely focuses on risk epistasis in a genome-wide association study (GWAS) of complex traits, excluding the contamination of marginal effects caused by single-locus association. We analyzed the Wellcome Trust Case Control Consortium's (WTCCC) GWAS data of bipolar disorder (BPD) with 500K SNPs.
基金Acknowledgements Project supported by the National Natural Science Foundation of China (Grant No.60932003), the National High Technology Development 863 Program of China (Grant No.2007AA01Z452, No. 2009AA01 Z118 ), Project supported by Shanghai Municipal Natural Science Foundation (Grant No.09ZRI414900), National Undergraduate Innovative Test Program (091024812).
文摘Wireless Mesh Networks is vulnerable to attacks due to the open medium, dynamically changing network topology, cooperative algorithms, Lack of centralized monitoring and management point. The traditional way of protecting networks with firewalls and encryption software is no longer suffi- cient and effective for those features. In this paper, we propose a distributed intrusion detection ap- proach based on timed automata. A cluster-based detection scheme is presented, where periodically a node is elected as the monitor node for a cluster. These monitor nodes can not only make local intrusion detection decisions, but also cooperatively take part in global intrusion detection. And then we con- struct the Finite State Machine (FSM) by the way of manually abstracting the correct behaviors of the node according to the routing protocol of Dynamic Source Routing (DSR). The monitor nodes can verify every node's behavior by the Finite State Ma- chine (FSM), and validly detect real-time attacks without signatures of intrusion or trained data.Compared with the architecture where each node is its own IDS agent, our approach is much more efficient while maintaining the same level of effectiveness. Finally, we evaluate the intrusion detection method through simulation experiments.
基金supported by National Natural Science Foundation of China under Grant No.60932003National High Technical Research and Development Program of China(863 program) Grant No.2007AA01Z452,No.2009AA01Z118+1 种基金Shanghai Municipal Natural Science Foundation under Grant No.09ZR1414900National Undergraduate Innovative Test Program under Grant No.091024812
文摘This paper focuses on investigating immunological principles in designing a multi-agent security architecture for intrusion detection and response in wireless mesh networks.In this approach,the immunity-based agents monitor the situation in the network.These agents can take appropriate actions according to the underlying security policies.Specifically,their activities are coordinated in a hierarchical fashion while sensing,communicating,determining and generating responses.Such an agent can learn about and adapt to its environment dynamically and can detect both known and unknown intrusions.The proposed intrusion detection architecture is designed to be flexible,extendible,and adaptable so that it can perform real-time monitoring.This paper provides the conceptual view and a general framework of the proposed system.In the end,the architecture is illustrated by an example and by simulation to show it can prevent attacks efficiently.
基金Project(61100201) supported by National Natural Science Foundation of ChinaProject(12ZZ019) supported by Technology Innovation Research Program,Shang Municipal Education Commission,China+1 种基金Project(LYM11053) supported by the Foundation for Distinguished Young Talents in Higher Education of Guangdong Province,ChinaProject(NCET-12-0358) supported by New Century Excellent Talentsin University,Ministry of Education,China
文摘The key exposure problem is a practical threat for many security applications. In wireless sensor networks (WSNs), keys could be compromised easily due to its limited hardware protections. A secure group key management scheme is responsible for secure distributing group keys among valid nodes of the group. Based on the key-insulated encryption (KIE), we propose a group key management scheme (KIE-GKMS), which integrates the pair-wise key pre-distribution for WSN. The KIE-GKMS scheme updates group keys dynamically when adding or removing nodes. Moreover, the security analysis proves that the KIE-GKMS scheme not only obtains the semantic security, but also provides the forward and backward security. Finally, the theoretical analysis shows that the KIE-GKMS scheme has constant performance on both communication and storage costs in sensor nodes.
基金Supported by the 10th Five Year High-Tech Researchand Development Plan of China (2002AA1Z67101)
文摘Highly security-critical system should possess features of continuous service. We present a new Robust Disaster Recovery System Model (RDRSM). Through strengthening the ability of safe communications, RDRSM guarantees the secure and reliable command on disaster recovery. Its self-supervision capability can monitor the integrality and security of disaster recovery system itself. By 2D and 3D rea-time visible platform provided by GIS, GPS and RS, the model makes the using, management and maintenance of disaster recovery system easier. RDRSM possesses predominant features of security, robustness and controllability. And it can be applied to highly security-critical environments such as E-government and bank. Conducted by RDRSM, an important E-government disaster recovery system has been constructed successfully. The feasibility of this model is verified by practice. We especially emphasize the significance of some components of the model, such as risk assessment, disaster recovery planning, system supervision and robust communication support.
基金This work was supported by the National Research Foundation of Korea(NRF)grant funded by the Korea government(MSIT:Ministry of Science and ICT)(Nos.NRF-2016M2A8A4952280 and NRF-2020R1A2C1012187).
文摘Cyberattacks on the Industrial Control System(ICS)have recently been increasing,made more intelligent by advancing technologies.As such,cybersecurity for such systems is attracting attention.As a core element of control devices,the Programmable Logic Controller(PLC)in an ICS carries out on-site control over the ICS.A cyberattack on the PLC will cause damages on the overall ICS,with Stuxnet and Duqu as the most representative cases.Thus,cybersecurity for PLCs is considered essential,and many researchers carry out a variety of analyses on the vulnerabilities of PLCs as part of preemptive efforts against attacks.In this study,a vulnerability analysis was conducted on the XGB PLC.Security vulnerabilities were identified by analyzing the network protocols and memory structure of PLCs and were utilized to launch replay attack,memory modulation attack,and FTP/Web service account theft for the verification of the results.Based on the results,the attacks were proven to be able to cause the PLC to malfunction and disable it,and the identified vulnerabilities were defined.
基金The National Natural Science Foundation of China (No. 90704003, 60573030, 60673077, 60703030)
文摘To deal with the key-exposure problem in signature systems, a new framework named parallel key-insulated signature (PKIS) was introduced, and a concrete PKIS scheme was proposed. Compared with traditional key-insulated signature (KIS) schemes, the proposed PKIS scheme allows a frequent updating for temporary secret keys without increasing the risk of helper key-exposure. Moreover, the proposed PKIS scheme does not collapse even if some (not all) of the helper keys and some of the temporary secret keys are simultaneously exposed. As a result, the security of the PKIS scheme is greatly enhanced, and the damage caused by key-exposure is successfully minimized.
基金This work was partially supported by the National Research Foundation of Korea(NRF)grant funded by the Korean government(MSIT)(No.2018R1A4A1025632)the Soonchunhyang University Research Fund.
文摘With the growth of the scale of the market for Internet banking and e-commerce,the number of Internet-based financial markets has been increasing.Meanwhile,hacking incidents continuously affect Internet-banking services.For this reason,a countermeasure is required to improve the security of the online identification process.The current security and authentication mechanisms applied to financial services,such as Internet banking services for 5G-enabled IoT,do not ensure security.In this paper,a transaction-linkage technique with which the designated terminal is combined is proposed to solve this fundamental problem.The technique improves the security of online identification mechanisms because it is possible to counteract all of the existing security threats.The proposed technique supports mutual authentication and is safe from eavesdropping attacks,replay attacks,spoofing attacks,and service-denial attacks.Moreover,the technique supports non-repudiation by storing the transaction history in a transaction-linkage device.We believe that the security of Internet-banking services for 5G-enabled IoT will be increased through the utilization of the proposed technique.
