30 articles found
1. TMC-GCN: Encrypted Traffic Mapping Classification Method Based on Graph Convolutional Networks (cited by: 1)
Authors: Baoquan Liu, Xi Chen, Qingjun Yuan, Degang Li, Chunxiang Gu. 《Computers, Materials & Continua》, 2025, No. 2, pp. 3179-3201 (23 pages)
With the emphasis on user privacy and communication security, encrypted traffic has increased dramatically, which brings great challenges to traffic classification. The classification method of encrypted traffic based on GNN can deal with encrypted traffic well. However, existing GNN-based approaches ignore the relationship between client or server packets. In this paper, we design a network traffic topology based on GCN, called Flow Mapping Graph (FMG). FMG establishes sequential edges between vertexes by the arrival order of packets and establishes jump-order edges between vertexes by connecting packets in different bursts with the same direction. It not only reflects the time characteristics of the packet but also strengthens the relationship between the client or server packets. According to FMG, a Traffic Mapping Classification model (TMC-GCN) is designed, which can automatically capture and learn the characteristics and structure information of the top vertex in FMG. The TMC-GCN model is used to classify the encrypted traffic. The encryption stream classification problem is transformed into a graph classification problem, which can effectively deal with data from different data sources and application scenarios. By comparing the performance of TMC-GCN with other classical models in four public datasets, including CICIOT2023, ISCXVPN2016, CICAAGM2017, and GraphDapp, the effectiveness of the FMG algorithm is verified. The experimental results show that the accuracy rate of the TMC-GCN model is 96.13%, the recall rate is 95.04%, and the F1 rate is 94.54%.
Keywords: Encrypted traffic classification deep learning graph neural networks multi-layer perceptron graph convolutional networks
2. DMF: A Deep Multimodal Fusion-Based Network Traffic Classification Model
Authors: Xiangbin Wang, Qingjun Yuan, Weina Niu, Qianwei Meng, Yongjuan Wang, Chunxiang Gu. 《Computers, Materials & Continua》, 2025, No. 5, pp. 2267-2285 (19 pages)
With the rise of encrypted traffic, traditional network analysis methods have become less effective, leading to a shift towards deep learning-based approaches. Among these, multimodal learning-based classification methods have gained attention due to their ability to leverage diverse feature sets from encrypted traffic, improving classification accuracy. However, existing research predominantly relies on late fusion techniques, which hinder the full utilization of deep features within the data. To address this limitation, we propose a novel multimodal encrypted traffic classification model that synchronizes modality fusion with multiscale feature extraction. Specifically, our approach performs real-time fusion of modalities at each stage of feature extraction, enhancing feature representation at each level and preserving inter-level correlations for more effective learning. This continuous fusion strategy improves the model’s ability to detect subtle variations in encrypted traffic, while boosting its robustness and adaptability to evolving network conditions. Experimental results on two real-world encrypted traffic datasets demonstrate that our method achieves a classification accuracy of 98.23% and 97.63%, outperforming existing multimodal learning-based methods.
Keywords: Deep fusion intrusion detection multimodal learning network traffic classification
3. Trust Type Based Trust Bootstrapping Model of Computer Network Collaborative Defense (cited by: 2)
Authors: YU Yang, XIA Chunhe, LI Shiying, LI Zhong. 《China Communications》 (SCIE, CSCD), 2015, No. 12, pp. 133-146 (14 pages)
In the system of Computer Network Collaborative Defense (CNCD), it is difficult to evaluate the trustworthiness of defense agents which are newly added to the system, since they lack historical interaction for trust evaluation. This will lead that the newly added agents could not get reasonable initial trustworthiness, and affect the whole process of trust evaluation. To solve this problem in CNCD, a trust type based trust bootstrapping model was introduced in this research. First, the division of trust type, trust utility and defense cost were discussed. Then the constraints of defense tasks were analyzed based on game theory. According to the constraints obtained, the trust type of defense agents was identified and the initial trustworthiness was assigned to defense agents. The simulated experiment shows that the methods proposed have lower failure rate of defense tasks and better adaptability in the respect of defense task execution.
Keywords: trust defense constraints adaptability behave execution interactive reputation Collaborative utility
4. Analysis and Defense of Network Attacking Based on the Linux Server
Authors: Dapeng Lang, Wei Ding, Yuhan Xiang, Xiangyu Liu. 《国际计算机前沿大会会议论文集》, 2019, No. 1, pp. 370-372 (3 pages)
The kernel of the Linux server is analyzed to find out the main cause of the server’s denial of service when it is attacked. In the kernel, when the connection request information memory is full, the new connection request is discarded. Therefore, the printk function was used to alert the kernel output log when the memory was full, the processing of discarding the connection request in the kernel was changed, and the function tcp_syn_flood_action was applied to full memory processing. In the function tcp_syn_flood_action, the free function was used to release the memory according to the condition, so that the new connection request has a storage space, thereby offering the server’s normal service. Finally, the proposed defense technology is verified to be effective.
Keywords: TCP/IP DDOS SYN FLOOD System KERNEL
5. Weighted Attribute Based Conditional Proxy Re-Encryption in the Cloud
Authors: Xixi Yan, Jing Zhang, Pengyu Cheng. 《Computers, Materials & Continua》, 2025, No. 4, pp. 1399-1414 (16 pages)
Conditional proxy re-encryption (CPRE) is an effective cryptographic primitive language that enhances the access control mechanism and makes the delegation of decryption permissions more granular, but most of the attribute-based conditional proxy re-encryption (AB-CPRE) schemes proposed so far do not take into account the importance of user attributes. A weighted attribute-based conditional proxy re-encryption (WAB-CPRE) scheme is thus designed to provide more precise decryption rights delegation. By introducing the concept of weight attributes, the quantity of system attributes managed by the server is reduced greatly. At the same time, a weighted tree structure is constructed to simplify the expression of access structure effectively. With conditional proxy re-encryption, large amounts of data and complex computations are outsourced to cloud servers, so the data owner (DO) can revoke the user’s decryption rights directly with minimal costs. The scheme proposed achieves security against chosen plaintext attacks (CPA). Experimental simulation results demonstrated that the decryption time is within 6–9 ms, and it has a significant reduction in communication and computation cost on the user side with better functionality compared to other related schemes, which enables users to access cloud data on devices with limited resources.
Keywords: Cloud service conditional proxy re-encryption user revocation weighted attribute
6. Efficient and fine-grained access control with fully-hidden policies for cloud-enabled IoT
Authors: Qi Li, Gaozhan Liu, Qianqian Zhang, Lidong Han, Wei Chen, Rui Li, Jinbo Xiong. 《Digital Communications and Networks》, 2025, No. 2, pp. 473-481 (9 pages)
Ciphertext-Policy Attribute-Based Encryption (CP-ABE) enables fine-grained access control on ciphertexts, making it a promising approach for managing data stored in the cloud-enabled Internet of Things. But existing schemes often suffer from privacy breaches due to explicit attachment of access policies or partial hiding of critical attribute content. Additionally, resource-constrained IoT devices, especially those adopting wireless communication, frequently encounter affordability issues regarding decryption costs. In this paper, we propose an efficient and fine-grained access control scheme with fully hidden policies (named FHAC). FHAC conceals all attributes in the policy and utilizes bloom filters to efficiently locate them. A test phase before decryption is applied to assist authorized users in finding matches between their attributes and the access policy. Dictionary attacks are thwarted by providing unauthorized users with invalid values. The heavy computational overhead of both the test phase and most of the decryption phase is outsourced to two cloud servers. Additionally, users can verify the correctness of multiple outsourced decryption results simultaneously. Security analysis and performance comparisons demonstrate FHAC's effectiveness in protecting policy privacy and achieving efficient decryption.
Keywords: Access control Policy hiding Verifiable outsourced computation CLOUD IOT
7. Scalable and Identifier/Locator-Splitting Routing Protocol for Mobile Ad Hoc Networks (cited by: 3)
Authors: Wang Haiquan, Chen Meng, Hu Junshun, Xia Chunhe. 《China Communications》 (SCIE, CSCD), 2012, No. 1, pp. 102-110 (9 pages)
In the traditional Internet Protocol (IP) architecture, there is an overload of IP semantic problems. Existing solutions focused mainly on the infrastructure for the fixed network, and there is a lack of support for Mobile Ad Hoc Networks (MANETs). To improve scalability, a routing protocol for MANETs is presented based on a locator named Tree-structure Locator Distance Vector (TLDV). The hard core of this routing method is the identifier/locator split by the Distributed Hash Table (DHT) method, which provides a scalable routing service. The node locator indicates its relative location in the network and should be updated whenever topology changes. Locator space is organized as a tree-structure, and the basic routing operation of the TLDV protocol is presented. TLDV protocol is compared to some classical routing protocols for MANETs on the NS2 platform. Results show that TLDV has better scalability.
Keywords: MANETS multi-hop routing identifier/locator split distributed hash tables
8. Modeling and Global Conflict Analysis of Firewall Policy (cited by: 2)
Authors: LIANG Xiaoyan, XIA Chunhe, JIAO Jian, HU Junshun, LI Xiaojian. 《China Communications》 (SCIE, CSCD), 2014, No. 5, pp. 124-135 (12 pages)
The global view of firewall policy conflict is important for administrators to optimize the policy. It has been lack of appropriate firewall policy global conflict analysis, existing methods focus on local conflict detection. We research the global conflict detection algorithm in this paper. We presented a semantic model that captures more complete classifications of the policy using knowledge concept in rough set. Based on this model, we presented the global conflict formal model, and represent it with OBDD (Ordered Binary Decision Diagram). Then we developed GFPCDA (Global Firewall Policy Conflict Detection Algorithm) algorithm to detect global conflict. In experiment, we evaluated the usability of our semantic model by eliminating the false positives and false negatives caused by incomplete policy semantic model, of a classical algorithm. We compared this algorithm with GFPCDA algorithm. The results show that GFPCDA detects conflicts more precisely and independently, and has better performance.
Keywords: firewall policy semantic model conflict analysis conflict detection
9. Evaluating accuracy of Hessian-based predictor-corrector integrators
Authors: LU Shao-fei, WU Heng, LIU Xu-chong. 《Journal of Central South University》 (SCIE, EI, CAS, CSCD), 2017, No. 7, pp. 1696-1702 (7 pages)
Direct dynamics simulations are a useful and general approach for studying the atomistic properties of complex chemical systems because they do not require fitting an analytic potential energy function. Hessian-based predictor-corrector integrators are a widely used approach for calculating the trajectories of moving atoms in direct dynamics simulations. We employ a monodromy matrix to propose a tool for evaluating the accuracy of integrators in the trajectory calculation. We choose a general velocity Verlet as a different object. We also simulate molecular with hydrogen (CO$_2$) and molecular with hydrogen (H$_2$O) motions. Comparing the eigenvalues of monodromy matrix, many simulations show that Hessian-based predictor-corrector integrators perform well for Hessian updates and non-Hessian updates. Hessian-based predictor-corrector integrator with Hessian update has a strong performance in the H$_2$O simulations. Hessian-based predictor-corrector integrator with Hessian update has a strong performance when the integrating step of the velocity Verlet approach is tripled for the predicting step. In the CO$_2$ simulations, a strong performance occurs when the integrating step is a multiple of five.
Keywords: MONODROMY matrix eigenvalue Hessian-based PREDICTOR-CORRECTOR velocity Verlet
10. On the complete weight distributions of quantum error-correcting codes
Authors: 杜超, 马智, 熊茂胜. 《Chinese Physics B》 (SCIE, EI, CAS, CSCD), 2023, No. 5, pp. 272-287 (16 pages)
In a recent paper, Hu et al. defined the complete weight distributions of quantum codes and proved the MacWilliams identities, and as applications they showed how such weight distributions may be used to obtain the Singleton-type and Hamming-type bounds for asymmetric quantum codes. In this paper we extend their study much further and obtain several new results concerning the complete weight distributions of quantum codes and applications. In particular, we provide a new proof of the MacWilliams identities of the complete weight distributions of quantum codes. We obtain new information about the weight distributions of quantum MDS codes and the double weight distribution of asymmetric quantum MDS codes. We get new identities involving the complete weight distributions of two different quantum codes. We estimate the complete weight distributions of quantum codes under special conditions and show that quantum BCH codes by the Hermitian construction from primitive, narrow-sense BCH codes satisfy these conditions and hence these estimates apply.
Keywords: quantum codes complete weight distributions MacWilliams identities BCH codes
11. Genuine Einstein-Podolsky-Rosen steering of generalized three-qubit states via unsharp measurements
Authors: 陈玉玉, 郭奋卓, 魏士慧, 温巧燕. 《Chinese Physics B》 (SCIE, EI, CAS, CSCD), 2023, No. 4, pp. 215-225 (11 pages)
We aim to explore all possible scenarios of (1→2) (where one wing is untrusted and the other two wings are trusted) and (2→1) (where two wings are untrusted, and one wing is trusted) genuine tripartite Einstein-Podolsky-Rosen (EPR) steering. The generalized Greenberger-Horne-Zeilinger (GHZ) state is shared between three spatially separated parties, Alice, Bob and Charlie. In both (1→2) and (2→1), we discuss the untrusted party and trusted party performing a sequence of unsharp measurements, respectively. For each scenario, we deduce an upper bound on the number of sequential observers who can demonstrate genuine EPR steering through the quantum violation of tripartite steering inequality. The results show that the maximum number of observers for the generalized GHZ states can be the same with that of the maximally GHZ state in a certain range of state parameters. Moreover, both the sharpness parameters range and the state parameters range in the scenario of (1→2) steering are larger than those in the scenario of (2→1) steering.
Keywords: quantum information quantum steering generalized Greenberger-Horne-Zeilinger (GHZ) state
12. A circuit area optimization of MK-3 S-box
Authors: Yanjun Li, Weiguo Zhang, Yiping Lin, Jian Zou, Jian Liu. 《Cybersecurity》, 2025, No. 1, pp. 61-71 (11 pages)
In MILCOM 2015, Kelly et al. proposed the authentication encryption algorithm MK-3, which applied the 16-bit S-box. This paper aims to implement the 16-bit S-box with less circuit area. First, we classified the irreducible polynomials over $F_{2^{n}}$ into three kinds. Then we compared the logic gates required for multiplication over the finite field constructed by the three types of irreducible polynomials. According to the comparison result, we constructed the composite fields, $F_{(2^{4})^{2}}$ and $F_{(2^{8})^{2}}$. Based on the isomorphism of finite fields, the operations over $F_{2^{16}}$ can be conducted over $F_{(2^{8})^{2}}$. Similarly, elements over $F_{2^{8}}$ can be mapped to the corresponding elements over $F_{(2^{4})^{2}}$. Next, the SAT solver was used to optimize the operations over smaller field $F_{2^{4}}$. At last, the architecture of the optimized MK-3 S-box was worked out. Compared with the implementation proposed by the original designer, the circuit area of the MK-3 S-box in this paper is reduced by at least 55.9%.
Keywords: IRREDUCIBLE operations OPTIMIZATION
13. Semantics-Based Compliance Analysis of Network Security Policy Hierarchies (cited by: 1)
Authors: Yao Shan, Xia Chunhe, Hu Junshun, Jiao Jian, Li Xiaojian. 《China Communications》 (SCIE, CSCD), 2012, No. 7, pp. 22-35 (14 pages)
Network security policy and the automated refinement of its hierarchies aims to simplify the administration of security services in complex network environments. The semantic gap between the policy hierarchies reflects the validity of the policy hierarchies yielded by the automated policy refinement process. However, little attention has been paid to the evaluation of the compliance between the derived lower level policy and the higher level policy. We present an ontology based on Ontology Web Language (OWL) to describe the semantics of security policy and their implementation. We also propose a method of estimating the semantic similarity between a given
Keywords: policy refinement network security policy semantic similarity ontology
14. Designing a Secure Round Function Based on Chaos (cited by: 1)
Authors: Bin Lu, Xin Ge, Fenlin Liu. 《China Communications》 (SCIE, CSCD), 2020, No. 5, pp. 29-37 (9 pages)
A round function based on chaos is designed combining Feistel structure’s pseudo-randomness, chaotic system’s parameter sensitivity and image data characteristics. The round function composes of two parts--data transformation based on Feistel (abbreviated as FST) and sampling output based on chaos (abbreviated as SMP). FST bases on Feistel structure and several efficient operations including bitwise xor, permutation and circulating shift. SMP is a chaos based pseudo-random sampling algorithm. It is from theoretical analysis that the round function is a pseudo-random function. The upper bounds of the average maximum differential probability and average maximum linear probability are $p^2$ and $q^2$ respectively. Finally, the good pseudo-randomness of the round function is examined with the NIST random test. The design of this round function provides an important cryptographic component for the design of chaotic image encryption algorithm.
Keywords: image encryption round function CHAOS pseudo-random function
15. SHFuzz: A Hybrid Fuzzing Method Assisted by Static Analysis for Binary Programs (cited by: 1)
Authors: Wenjie Wang, Donghai Tian, Rui Ma, Hang Wei, Qianjin Ying, Xiaoqi Jia, Lei Zuo. 《China Communications》 (SCIE, CSCD), 2021, No. 8, pp. 1-16 (16 pages)
Fuzzing is an effective technique to find security bugs in programs by quickly exploring the input space of programs. To further discover vulnerabilities hidden in deep execution paths, the hybrid fuzzing combines fuzzing and concolic execution for going through complex branch conditions. In general, we observe that the execution path which comes across more and complex basic blocks may have a higher chance of containing a security bug. Based on this observation, we propose a hybrid fuzzing method assisted by static analysis for binary programs. The basic idea of our method is to prioritize seed inputs according to the complexity of their associated execution paths. For this purpose, we utilize static analysis to evaluate the complexity of each basic block and employ the hardware trace mechanism to dynamically extract the execution path for calculating the seed inputs’ weights. The key advantage of our method is that our system can test binary programs efficiently by using the hardware trace and hybrid fuzzing. To evaluate the effectiveness of our method, we design and implement a prototype system, namely SHFuzz. The evaluation results show SHFuzz discovers more unique crashes on several real-world applications and the LAVA-M dataset when compared to the previous solutions.
Keywords: hybrid fuzzing static analysis concolic execution binary programs
16. Fine-Grained Multivariate Time Series Anomaly Detection in IoT (cited by: 1)
Authors: Shiming He, Meng Guo, Bo Yang, Osama Alfarraj, Amr Tolba, Pradip Kumar Sharma, Xi’ai Yan. 《Computers, Materials & Continua》 (SCIE, EI), 2023, No. 6, pp. 5027-5047 (21 pages)
Sensors produce a large amount of multivariate time series data to record the states of Internet of Things (IoT) systems. Multivariate time series timestamp anomaly detection (TSAD) can identify timestamps of attacks and malfunctions. However, it is necessary to determine which sensor or indicator is abnormal to facilitate a more detailed diagnosis, a process referred to as fine-grained anomaly detection (FGAD). Although further FGAD can be extended based on TSAD methods, existing works do not provide a quantitative evaluation, and the performance is unknown. Therefore, to tackle the FGAD problem, this paper first verifies that the TSAD methods achieve low performance when applied to the FGAD task directly because of the excessive fusion of features and the ignoring of the relationship’s dynamic changes between indicators. Accordingly, this paper proposes a multivariate time series fine-grained anomaly detection (MFGAD) framework. To avoid excessive fusion of features, MFGAD constructs two sub-models to independently identify the abnormal timestamp and abnormal indicator instead of a single model and then combines the two kinds of abnormal results to detect the fine-grained anomaly. Based on this framework, an algorithm based on Graph Attention Neural Network (GAT) and Attention Convolutional Long-Short Term Memory (A-ConvLSTM) is proposed, in which GAT learns temporal features of multiple indicators to detect abnormal timestamps and A-ConvLSTM captures the dynamic relationship between indicators to identify abnormal indicators. Extensive simulations on a real-world dataset demonstrate that the proposed algorithm can achieve a higher F1 score and hit rate than the extension of existing TSAD methods with the benefit of two independent sub-models for timestamp and indicator detection.
Keywords: Multivariate time series graph attention neural network fine-grained anomaly detection
17. Identity-Based Encryption with Equality Test Supporting Accountable Authorization in Cloud Computing
Authors: Zhen Zhao, Bao-Cang Wang, Wen Gao. 《Journal of Computer Science & Technology》, 2025, No. 1, pp. 215-228 (14 pages)
Identity-based encryption with equality test (IBEET) is proposed to check whether the underlying messages of ciphertexts, even those encrypted with different public keys, are the same or not without decryption. Since people prefer to encrypt before outsourcing their data for privacy protection nowadays, the research of IBEET on cloud computing applications naturally attracts attention. However, we claim that the existing IBEET schemes suffer from the illegal trapdoor sharing problem caused by the inherited key escrow problem of the Identity-Based Encryption (IBE) mechanism. In traditional IBEET, the private key generator (PKG) with the master secret key generates trapdoors for all authorized cloud servers. Considering the reality in practice, the PKG is usually not fully trusted. In this case, the Private-Key Generator (PKG) may generate, share, or even sell any trapdoor without any risk of being caught, or not being held accountable, which may lead to serious consequences such as the illegal sharing of a gene bank's trapdoors. In this paper, to relieve the illegal trapdoor sharing problem in IBEET, we present a new notion, called IBEET Supporting Accountable Authorization (IBEET-AA). In IBEET-AA, if there is a disputed trapdoor, the generator will be distinguished among the PKG and suspected testers by an additional tracing algorithm. For the additional tracing function, except for the traditional indistinguishability (IND) and one-way (OW) security models in IBEET, we define three more security models to protect the tracing security against dishonest authorizers, PKG, and testers, respectively. Based on Gentry's IBE scheme, we instantiate IBEET-AA and give a specific construction along with a formalized security proof with random oracles.
Keywords: identity-based encryption with equality test accountable authorization cloud computing Gentry's IBE zero-knowledge proof
18. On the satisfiability of authorization requirements in business process (cited by: 2)
Authors: Yang BO, Chunhe XIA, Zhigang ZHANG, Xinzheng LU. 《Frontiers of Computer Science》 (SCIE, EI, CSCD), 2017, No. 3, pp. 528-540 (13 pages)
Satisfiability problem of authorization requirements in business process asks whether there exists an assignment of users to tasks that satisfies all the requirements, and methods were proposed to solve this problem. However, the proposed methods are inefficient in the sense that a step of the methods is searching all the possible assignments, which is time-consuming. This work proposes a method to solve the satisfiability problem of authorization requirements without browsing the assignments space. Our method uses improved separation of duty algebra (ISoDA) to describe a satisfiability problem of qualification requirements and quantification requirements (Separation of Duty and Binding of Duty requirements). Thereafter, ISoDA expressions are reduced into multi-mutual-exclusive expressions. The satisfiabilities of multi-mutual-exclusive expressions are determined by an efficient algorithm proposed in this study. The experiment shows that our method is faster than the state-of-the-art methods.
Keywords: SATISFIABILITY authorization requirements separation of duty binding of duty business process
19. From proof-of-concept to exploitable (cited by: 1)
Authors: Yan Wang, Wei Wu, Chao Zhang, Xinyu Xing, Xiaorui Gong, Wei Zou. 《Cybersecurity》 (CSCD), 2019, No. 1, pp. 189-213 (25 pages)
Exploitability assessment of vulnerabilities is important for both defenders and attackers. The ultimate way to assess the exploitability is crafting a working exploit. However, it usually takes tremendous hours and significant manual efforts. To address this issue, automated techniques can be adopted. Existing solutions usually explore in depth the crashing paths, i.e., paths taken by proof-of-concept (PoC) inputs triggering vulnerabilities, and assess exploitability by finding exploitable states along the paths. However, exploitable states do not always exist in crashing paths. Moreover, existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation. In this paper, we propose a novel solution to generate exploit for userspace programs or facilitate the process of crafting a kernel UAF exploit. Technically, we utilize oriented fuzzing to explore diverging paths from vulnerability point. For userspace programs, we adopt a control-flow stitching solution to stitch crashing paths and diverging paths together to generate exploit. For kernel UAF, we leverage a lightweight symbolic execution to identify, analyze and evaluate the system calls valuable and useful for exploiting vulnerabilities. We have developed a prototype system and evaluated it on a set of 19 CTF (capture the flag) programs and 15 real-world Linux kernel UAF vulnerabilities. Experiment results showed it could generate exploit for most of the userspace test set, and it could also facilitate security mitigation bypassing and exploitability evaluation for kernel test set.
Keywords: EXPLOIT VULNERABILITY Taint analysis FUZZING Symbolic execution
20. A behavior-aware SLA-based framework for guaranteeing the security conformance of cloud service
Authors: Xiaochen LIU, Chunhe XIA, Tianbo WANG, Li ZHONG, Xiaojian LI. 《Frontiers of Computer Science》 (SCIE, EI, CSCD), 2020, No. 6, pp. 153-169 (17 pages)
As cloud computing technology matures, cloud services have become a trust-based service. Users' distrust of the security and performance of cloud services will hinder the rapid deployment and development of cloud services. So cloud service providers (CSPs) urgently need a way to prove that the infrastructure and the behavior of cloud services they provided can be trusted. The challenge here is how to construct a novel framework that can effectively verify the security conformance of cloud services, which focuses on fine-grained descriptions of cloud service behavior and security service level agreements (SLAs). In this paper, we propose a novel approach to verify cloud service security conformance, which reduces the description gap between the CSP and users through modeling cloud service behavior and security SLA, these models enable a systematic integration of security constraints and service behavior into cloud while using UPPAAL to check the performance and security conformance. The proposed approach is validated through case study and experiments with real cloud service based on OpenStack, which illustrates CloudSec approach effectiveness and can be applied on realistic cloud scenario.
Keywords: security conformance security SLA cloud behavior modeling