ISSN 1000-1239 CN 11-1777/TP

Table of Contents

15 July 2014, Volume 51 Issue 7
Survey of Android OS Security
Zhang Yuqing, Wang Kai, Yang Huan, Fang Zhejun, Wang Zhiqiang, and Cao Chen
2014, 51(7):  1385-1396. 
Android is an operating system for smart mobile devices that holds a huge market share, and the study of its security has attracted wide attention. In this paper, we introduce Android’s system architecture and security mechanisms, and discuss its security performance and the current state of research from two perspectives: system security and application security. Android’s system security includes kernel security, architecture security and user authentication mechanism security. The threats to kernel security and architecture security come mainly from vulnerabilities. The study of kernel security focuses on how to introduce SELinux into the kernel to improve security performance, and the study of architecture security focuses on how to improve the performance of the permission mechanism, how to implement APIs (application programming interfaces) securely, and how to guide developers to use APIs correctly. The user authentication mechanism is closely related to the privacy of users and can be implemented flexibly, so the study of its security has received wide attention. Android’s application security includes two technologies: malicious application detection and vulnerability mining. We discuss malicious application detection in terms of the counterfeiting techniques of malicious applications and the techniques for detecting malicious applications at installation time or at run time, and discuss vulnerability mining in terms of exposed-component vulnerabilities and vulnerabilities related to security APIs. Finally, we summarize the current state of Android security research and propose issues that are worth further study.
Secure and Privacy-Preserving Data Storage Service in Public Cloud
Li Hui1, Sun Wenhai1, Li Fenghua2, and Wang Boyang1
2014, 51(7):  1397-1409. 
Cloud computing has gradually come to be considered the most significant turning point in the development of information technology during the past few years. People reap benefits from the cloud such as ubiquitous and flexible access, considerable capital expenditure savings, pay-as-you-go configuration of computing resources, etc. Many companies, organizations, and individual users have adopted public cloud storage services to facilitate their business operations, research, or everyday needs. However, in the outsourcing cloud computing model, users’ physical control of the underlying infrastructure, including the system hardware and the lower levels of the software stack, is shifted to third-party public cloud service providers, such as Dropbox, Google Drive, Microsoft SkyDrive and so on. In addition, the sensitive data of users are also outsourced to and stored in the cloud, e.g., they may upload emails, photos, financial reports, and health records to the cloud. Thus, the potential leakage of private information and the integrity of the outsourced data are among the primary concerns of cloud users. To build users’ confidence in this cloud storage service paradigm, considerable attention has been drawn to it and a number of related problems have been studied extensively in the literature, such as fine-grained access control mechanisms for cloud data, secure search over encrypted cloud data, integrity auditing of outsourced data, secure deletion of cloud data, etc., which ensure that cloud users enjoy the convenience the cloud offers in a privacy-preserving way. Otherwise, the cloud will become merely a remote storage that provides limited value to all parties. This paper focuses on the enabling and critical security protection techniques for cloud computing and surveys recent research in these areas. In addition, we point out some unsolved but important challenges and hopefully provide insight into their possible solutions.
Proofs of Data Possession of Multiple Copies
Fu Yanyan1, Zhang Min1, Chen Kaiqu2, and Feng Dengguo1
2014, 51(7):  1410-1416. 
Cloud storage services have quickly gained enormous popularity. They offer great convenience for data storage and sharing. However, since all user data are kept on remote servers and out of the user’s control, users may be concerned about the status of their data. In order to expand storage service, data integrity verification is one of the critical security requirements for a cloud storage service to fulfill. In order to verify the integrity status of files on remote cloud servers, many mechanisms have been proposed, such as PDP and POR. However, these methods can only ensure that the remote server correctly holds ONE COPY of the user data. In fact, the user needs to make sure that multiple copies are kept on remote servers, in case the corrupted file parts could not be recovered with a correct copy. In this paper, we propose a multi-copy integrity checking scheme, which enables the user to verify HOW MANY COPIES are actually correct on the server. The scheme can also identify the corrupted file blocks and thus guide data recovery. Experimental results show that it performs better than the one-copy schemes, owing to the distribution of computation across multiple servers.
A Secure Electronic Document Self-Destructing Scheme in Cloud Computing
Yao Zhiqiang1,2, Xiong Jinbo2, Ma Jianfeng1, Li Qi1, and Liu Ximeng3
2014, 51(7):  1417-1423. 
Timed-release electronic documents stored on cloud servers for a long time are increasingly prone to leaking private information to the Internet. To overcome this problem, we develop a novel two-step scheme for self-destructing electronic documents using identity-based timed-release encryption (ITE), referred to as ESITE. In the first step, we use a symmetric key to encrypt the electronic document, and then obtain an extracted ciphertext and an encapsulated ciphertext by using an extraction algorithm. In the second step, we use the ITE algorithm to encrypt the symmetric key. On the one hand, we obtain the ciphertext shares by combining the key’s ciphertext and the extracted ciphertext, and distribute them into the distributed Hash table (DHT) network. On the other hand, the encapsulated ciphertext is stored on cloud servers after being encapsulated into a self-destructing object. The proposed scheme has two advantages. First, the protected electronic document can only be accessed once the desired release time has arrived. Second, the original decryption key cannot be recovered after a certain period of time. The reason is that the DHT network automatically discards the stored ciphertext shares, so the self-destruction function is implemented safely. Security analysis shows that the proposed ESITE scheme is able to resist cryptanalysis attacks from the cloud servers and Sybil attacks from the DHT network. Experimental results demonstrate that the computational overhead of the proposed scheme is much lower than that of existing schemes.
CACDP: A Cryptographic Access Control for Dynamic Policy in Cloud Storage
Zhang Hao, Zhao Lei, Feng Bo, Yu Rongwei, and Liu Weijie
2014, 51(7):  1424-1435. 
With the rapid development of cloud computing technology, many enterprises will gradually delegate confidential data to cloud storage service providers. The confidentiality of data becomes a crucial issue in cloud storage environments, and ciphertext-based access control is an important approach to resolving this issue. However, in current ciphertext-based access control schemes, the high security requirements of cloud data and the high frequency of policy updates make updating permissions excessively costly, which seriously restricts the overall efficiency of the system. To solve this problem, we propose a cryptographic access control strategy for dynamic policy in cloud storage (CACDP), which presents a binary-Trie key management tree based on key derivation, enhancing the security of the keys and reducing the number of keys maintained by data owners and users. Based on this, we use a proxy re-encryption mechanism based on ElGamal and a double-encryption strategy to transfer part of the task of updating keys and data to the cloud servers, in order to reduce the administrative burden on data owners. Finally, experimental verification shows that the proposed solution significantly improves processing efficiency and effectively lowers the performance overhead of policy updates for data owners.
Research on Direct Anonymous Attestation Scheme Based on Trusted Mobile Platform
Yang Bo1,2, Feng Dengguo1, Qin Yu1, Zhang Qianying1,2, Xi Li1,2, and Zheng Changwen3
2014, 51(7):  1436-1445. 
Direct anonymous attestation (DAA) adopted by trusted platform module (TPM) provides a platform with remote anonymous identity attestation. However, there is currently no universal and efficient DAA solution frame for mobile platform, while remote anonymous attestation is evidently required by mobile devices. To address this issue, we propose a DAA scheme frame applied for trusted mobile platform. By fully considering the background of mobile applications, we design the frame according to several elliptic curve based DAA (ECC-DAA) schemes, and adapt the frame to TPM 2.0 API and technology specification. The entity of mobile device manufacture as well as credential embedding and rejoining procedures are added into the frame and the revocation procedure is redesigned accordingly. Moreover, we present the architecture of trusted mobile platform based on TrustZone and TPM Emulator, which acts as one of important entities of the frame. The issues about sensitive information management and credential revocation are discussed. Four kinds of ECC-DAA schemes including CF08, BCL08, BL10 and CPS10 and three kinds of elliptic curves including MNT, BN and super singular curve are finally compared, implemented and analyzed. The experiment results indicate that the frame can be well compatible with these schemes and curves with high-speed computing performance.
An Anti-Obfuscation Method for Detecting Similarity Among Android Applications in Large Scale
Jiao Sibei, Ying Lingyun, Yang Yi, Cheng Yao, Su Purui, and Feng Dengguo
2014, 51(7):  1446-1457. 
Code obfuscation has a huge impact on similarity detection among Android applications based on behavior characteristics. To deal with this situation, we propose a novel method of similarity detection among Android applications based on file content characteristics, which computes the similarity of file content features and can be applied to large-scale real-world scenarios. Our method is not affected by code obfuscation or file obfuscation. We use the characteristics of image, audio and layout files, which our statistics show to be the most representative features in Android applications. Meanwhile, different weights are assigned to these features through machine learning, which further enhances the accuracy of our method. In addition, we implement a prototype system and optimize each step to speed up the calculation, making our system suitable for large-scale scenarios with good calculation performance. The experimental dataset contains 59 000 applications. For both legitimate applications and malware applications, our system successfully detects repackaged pirate applications and applications with similar malicious components, which proves the effectiveness of our method. The experimental results demonstrate that similarity detection based on file content characteristics can resist file obfuscation and gives better performance in both accuracy and efficiency.
Description of Android Malware Feature Based on Dalvik Instructions
Li Ting1, Dong Hang2, Yuan Chunyang1, Du Yuejin1, and Xu Guoai2
2014, 51(7):  1458-1466. 
In order to achieve efficient detection of malicious software on Android, a method for analyzing malware on Android devices using Dalvik instructions is proposed. The Dalvik executable format (DEX) files are segmented according to their format without decompilation. Through a formalized description of Dalvik instructions, the features of the program can be simplified and extracted. Using the MOSS algorithm and the Minkowski distance algorithm, it can be determined, based on a similarity threshold, whether the software under test contains malicious code. Finally, a prototype system is built to validate the method with a large number of random samples. Taking applications in Android application stores as examples, the extraction and description of signatures using this method show that this static detection method based on Dalvik instructions not only detects malicious code quickly, but also has a very low rate of false positives and false negatives. Experimental results confirm that the method proposed in this paper is feasible and credible, and that it is applicable to rapid detection of Android malicious code.
Modified Matrix Encoding Based on the Spatial Distortion Model and Its Improvement
Han Tao1,2, Zhu Yuefei1,2, Lin Sisi3, and Wu Yang1,2
2014, 51(7):  1467-1475. 
Steganographic coding is a common and effective method to improve the security of steganography. In the meantime, how to define a suitable distortion model for different cover objects is another crucial problem in the design of steganography. In this paper, we define a new and simple distortion model for spatial images and apply it to the MME (modified matrix encoding). It is used to choose the pixels whose modifications introduce the minimal embedding distortion. In addition, an efficient and simple steganographic code, based on the LSBMR (least significant bit matching revisited), is proposed to further decrease the changes of the cover elements, which is used to improve the MME based on the spatial distortion model. At the same time, the idea of the proposed method can be similarly extended to the STC (syndrome-trellis codes) and the widespread block codes based matrix embedding schemes such as BCH (Bose-Chaudhuri-Hocquenghem) codes. The experimental results demonstrate the rationality of the proposed distortion model for spatial images and the efficiency of the proposed steganographic code. Moreover, when resisting some common and efficient steganalyzers, the proposed steganographic algorithms, tested on 10 000 grayscale images of the BossBase1.01 image library, perform better than some previous papers.
A Distributed Rational Secret Sharing Scheme with Hybrid Preference Model
Peng Changgen1,2, Liu Hai1,2, Tian Youliang1,2,3, Lü Zhen1,2, and Liu Rongfei1,2
2014, 51(7):  1476-1485. 
In traditional secret sharing schemes, players are either honest or malicious. An honest player follows the protocol perfectly, but a malicious player always deviates from the protocol. In rational secret sharing schemes, however, players behave selfishly and follow the protocol only if their expected utility is satisfied. In that sense, rational secret sharing has wider applicability. In existing rational secret sharing schemes, the preference models focus only on immediate interests or on long-term interests, and the distribution of secrets relies on a dealer. But such a dealer may not exist in some special settings. After analyzing the traditional distributed secret sharing schemes, a general formalization of distributed rational secret sharing schemes is proposed. In our setting, a new hybrid preference model that simultaneously considers the immediate interests and the long-term interests of rational participants is discussed. Meanwhile, by combining the strategy-proof mechanisms of mechanism design theory, a bargaining reputation mechanism with incentive compatibility is designed, which effectively restricts the behavior of the rational players, so that a fair (t,n) (t,n≥2) distributed rational secret sharing scheme is realized. Finally, some advantages of our scheme are shown by comparing it with current rational secret sharing schemes in terms of communication channel types, the requirement for an on-line or off-line dealer, universality, and the rational players’ preference model.
A Secure Routing Protocol for MWNs Based on Cross-Layer Dynamic Reputation Mechanism
Lin Hui1, Ma Jianfeng2, and Xu Li1
2014, 51(7):  1486-1496. 
Multi-hop wireless networks (MWNs) face various attack threats, especially internal multi-layer attacks and bad mouthing attacks aimed at routing security. As an effective method for evaluating the trust relationship between nodes and defending against internal attacks, reputation mechanisms have been introduced into MWNs to preserve routing security. Although there is a multitude of research work, most of it is based on a layered design and considers only single-layer attacks, thus ignoring multi-layer attacks. It also ignores the bad mouthing attack and the credibility of the recommending nodes and the recommended information, which reduces the reliability of the reputation evaluation results. To solve the above problems, this paper first proposes a new reliable-recommendation-based cross-layer dynamic reputation mechanism named CRM, and then proposes a secure routing protocol, RPCSR, based on the CRM. Simulation results and performance analysis demonstrate that the proposed secure routing protocol RPCSR can effectively preserve routing security against internal multi-layer attacks and the bad mouthing attack.
Efficient and Provably-Secure Certificate-Based Key Encapsulation Mechanism in the Standard Model
Lu Yang and Li Jiguo
2014, 51(7):  1497-1505. 
Certificate-based cryptography is a new cryptographic paradigm that provides an interesting balance between identity-based cryptography and traditional public-key cryptography. It not only eliminates the third-party query problem and simplifies the complicated public-key certificate management problem in the traditional public-key infrastructure, but also solves the key escrow and key distribution problems inherent in identity-based cryptography. As an extension of key encapsulation mechanism in the certificate-based setting, certificate-based key encapsulation mechanism preserves some of the most attractive features of certificate-based cryptography. In this paper, we propose an efficient certificate-based key encapsulation mechanism from bilinear pairings which is provably-secure without the random oracle model. Under the hardness of the truncated decision q-augmented bilinear Diffie-Hellman exponent problem and the decision 1-bilinear Diffie-Hellman inversion problem, we prove in the standard model that the proposed scheme achieves indistinguishable security under adaptive chosen-ciphertext attacks. The proposed scheme is quite efficient in the computation. Its performance is competitive with the existing certificate-based key encapsulation mechanism in the random oracle model. Compared with the existing certificate-based key encapsulation mechanism in the standard model, the proposed scheme enjoys less computation cost and lower communication bandwidth, and hence, it outperforms the known standard-model certificate-based key encapsulation mechanism in the literature.
RFID Lightweight Authentication Protocol Based on PRF
Jin Yongming1, Wu Qiying2, Shi Zhiqiang1, Lu Xiang1,3, and Sun Limin1
2014, 51(7):  1506-1514. 
Radio frequency identification (RFID) is a wireless automatic identification and data capture technology that uses radio signals to identify a product, animal or person without the need for physical access or line of sight. The wide deployment of RFID systems in a variety of applications has raised many concerns about security and privacy. An RFID authentication protocol can implement identification between the reader and the tag, and ensure that only a legitimate reader can access the tag’s data. Because of the cost constraints of the tag, the design of lightweight RFID authentication protocols is the main challenge. In order to achieve the unpredictability of privacy, the tag requires at least the ability to compute a pseudorandom function (PRF). In this paper, a framework for RFID lightweight authentication protocols based on PRF is described abstractly. Based on the implementation of the message authentication function F_i, a new RFID lightweight authentication protocol, ELAP, is proposed. Compared with the existing protocol, the new protocol can achieve mutual authentication between reader and tag, and is resistant to all known attacks. In terms of efficiency, the tag needs only two message digest computations, thus the computational cost of the tag is the minimum.
LWE Problem with Uniform Secret and Errors and Its Application
Sun Xiaochao, Li Bao, and Lu Xianhui
2014, 51(7):  1515-1519. 
The learning with errors (LWE) assumption has been widely applied in cryptography for its unique complexity properties. It is viewed as a linear random decoding problem in the Euclidean norm. Many variants of its average hardness have been given in recent years. We introduce a variant of the learning with errors problem in which the coordinates of the secret and the errors are all chosen from the uniform distribution over a small interval, using a transformation technique given by Applebaum et al. It maps LWE samples with a uniform secret to LWE samples whose secret follows the same distribution as the errors. Meanwhile, only a small number of samples are lost. The average hardness of our variant is based on LWE with uniform errors. It enjoys a worst-to-average-case reduction and removes the Gaussian sampler. We also construct a public-key encryption scheme with key-dependent message security based on our new LWE variant. It is a variant of Regev’s LWE-based schemes. Our scheme reduces the computational overhead of the key-generation and encryption algorithms by replacing the Gaussian sampler, which costs a lot of time and space in practice, with a uniform sampler over a small interval.
Related-Key Impossible Differential Cryptanalysis on LBlock
Wei Hongru and Yin Guangli
2014, 51(7):  1520-1526. 
LBlock is a lightweight block cipher aimed at constrained resources, which was proposed at ACNS 2011. It is known that 14-round differential rules and 15-round related-key differential rules were proposed not long ago, based on which the best results using impossible differential attacks on LBlock reach a maximum of 22 rounds. To analyze the impossible differential property of the LBlock cipher, four 15-round related-key differential rules are constructed by combining the characteristics of the key schedule and the structure of the round function. Then, by extending the differential rule by 4 rounds forward and 3 rounds afterward, an attack on 22-round LBlock is proposed. On the basis of the existing related-key impossible differential attack, the S-boxes in the round function are discussed, and two kinds of related-key differential rules are applied. Based on the technique of partial key-byte guessing to reduce the time complexity, it is shown that the attack on 22 rounds requires a data complexity of 2^{61} chosen plaintexts and a time complexity of 2^{59.58} 22-round encryptions.
Rational Fair Computation with Computational Sequential Equilibrium
Wang Yilei1,2, Zheng Zhihua3, Wang Hao3, and Xu Qiuliang2
2014, 51(7):  1527-1537. 
In secure multi-party computation, the property of fairness means that corrupted parties should receive their outputs if and only if the honest parties also receive their outputs. It is hardly achievable when the number of malicious parties is more than half the number of participants. Therefore, fairness is often ignored in secure multi-party computation. Parties in traditional secure computation consist of honest parties, semi-honest parties and malicious parties. Honest parties always follow the protocol. Semi-honest parties also follow the protocol. However, they may keep an internal state of all the corrupted parties and attempt to use it to learn private information. Malicious parties arbitrarily deviate from the protocol. Rational parties are none of these and only want to maximize their utilities. Rational secure computation means that rational parties are allowed to participate in the computation, which opens a new avenue to achieving this desirable property. In this paper, we consider a more realistic rational protocol where parties may have asymmetric information such as utilities and types, which makes our protocol distinct from previous ones. On account of these distinctions, a stronger equilibrium named computational sequential equilibrium, which consists of computational sequential rationality and consistency, is put forward to guarantee fairness. At the end of this paper, a simulator is constructed to prove the security of the protocol.
A Tor Anonymous Communication System with Security Enhancements
Zhou Yanwei1,2, Yang Qiliang3, Yang Bo2, and Wu Zhenqiang1,2
2014, 51(7):  1538-1546. 
Network users’ growing awareness of protecting private information has promoted the wide application of anonymous communication systems, such as Tor, Crowds and Anonymizer, which can secure users’ information. Studies have offered evidence that security vulnerabilities exist in the Tor anonymous communication system. Thus, in order to improve its security, an enhanced system is proposed that improves the security of the directory server and ensures the credibility of users and the anonymous link through trusted computing technology. Based on the trusted anonymous authentication protocol, the directory server of the enhanced system realizes mutual authentication between users and the server, and implements the server’s credibility evaluation of user platforms. Therefore, the bad effects of malicious forwarding nodes on the security and anonymity of the anonymous link can be prevented; meanwhile, session key agreement reinforces its anti-attack ability, because the anonymous communication link of the enhanced system is constructed entirely from credible nodes. Compared with the original system, the enhanced one not only ensures credibility, but also has higher security and better anti-attack capability, thus the security risks are eliminated. Furthermore, the simulation analysis proves that the proposed scheme can meet users’ need for anonymity.
Plaintext Recovery Based on Memory Dependence Measurement
Wei Qiang, Wu Zehui, and Wang Qingxian
2014, 51(7):  1547-1554. 
Software analysis has had a devastating effect on software security. In the area of software analysis, data flow analysis can effectively identify data processing and recognize the bounds of data structures, which helps us better understand the behavior of the program. However, for programs that use data encryption for communication, data flow analysis encounters great difficulties because it cannot automatically extract decrypted data, and hence cannot effectively track the data processing that is pivotal for software analysis. In this work we propose memory dependence measurement, a novel approach for finding and extracting decrypted data in commodity software. While previous work focuses on the recognition of decryption functions and instructions, our method shifts the focus to identifying the memory address of decrypted data. We implement our memory dependence technique in a tool called EncMemCheck. Experiments show that EncMemCheck is more accurate on real-world encryption algorithms. Our approach is shown to be more practical by testing it on the community software UnrealIrcd, which adopts encryption during communication.
Towards Analysis of Security in I2P’s Path Selection
Liu Peipeng1,2,3,4, Wang Lihong4, Shi Jinqiao2,4, and Tan Qingfeng2,4
2014, 51(7):  1555-1564. 
With growing concerns for privacy, anonymous communication has been getting more and more attention. One of the most popular anonymous communication systems is the invisible Internet project (I2P). Similar to the onion router (Tor, the most popular anonymous communication system), I2P uses garlic routing to protect the identities of both sides of a communication. The implementation of garlic routing in I2P is called a tunnel, and a tunnel usually contains three hops, so no single hop in the tunnel can learn the identities of both the sender and the recipient. However, if an attacker can compromise the two endpoints of a tunnel or can simultaneously observe the traffic entering and leaving the I2P network, the attacker can use traffic analysis to correlate the sender and recipient of an I2P communication. This paper analyzes the security of I2P’s path selection from the perspectives of both an internal attacker and a network attacker. The results show that there still exist potential threats to I2P’s anonymity given the current I2P path selection algorithm.
Algorithm of Optimal Security Hardening Measures Against Insider Threat
Chen Xiaojun1,2,3, Shi Jinqiao2, Xu Fei2, Pu Yiguo2, and Guo Li2
2014, 51(7):  1565-1577. 
Attacks from insiders usually disguise themselves as normal behaviors, which causes uncertainty in the results of anomaly detection models. The attack graph model is frequently used to describe the causal relationships among the steps of a multi-step attack, yet the uncertainty of the events represented by the current observations is rarely considered when calculating the optimal security hardening measures, nor is the impact of the security measures on the probability of attack success depicted in probabilistic terms after their implementation. In this paper, we give a complete discussion of three kinds of uncertainty in attack graphs, add security hardening nodes to the probability attack graph model based on previous studies, and clarify the influence of security hardening measures on the transition probability. For the first time we put forward the measures probability attack graph (MPAG) and apply it to the calculation of the optimal security hardening measures for insider threat risk analysis and mitigation. Based on this model, we prove that calculating the optimal security hardening measures is an NP-hard problem; furthermore, we propose a greedy algorithm to dynamically calculate an approximately optimal set of security hardening measures. Finally, the paper shows in a real network environment that the algorithm can calculate the approximately optimal set of security hardening measures under certain cost constraints, given the current sequence of observables and the corresponding confidence probability.
UML-Based Modeling Method of Network Security Infrastructure
Bu Ning1, Liu Yuling2, Lian Yifeng2, and Huang Liang2
2014, 51(7):  1578-1593. 
Under the guidance of existing laws, regulations and standards, a general framework of network security infrastructure is proposed. The proposed infrastructure discusses the relations between security objectives, security boundary, security infrastructure elements and security risk assessment. Based on this infrastructure, we present our modeling approaches for security objectives, security boundary and security infrastructure elements using UML’s standard and powerful modeling ability. Our modeling methods can eliminate ambiguity in communication and standardize the representation of the security system. Using our analysis methods, security administrators can validate how the business processes meet the business goals and obtain the security risk of the system. The validity and rationality of the proposed security framework and modeling methods are verified by modeling an online banking system. The proposed approach can help security administrators model the network security system visually. Based on modal logic, security administrators can deduce the logical relationships between the elements, and the results can guide them in deploying proper security measures. Compared with the existing methods, the method of this paper is more comprehensive and has stronger guiding significance.
Multi-Addresses Amplification DoS Attacks by Native IPv6 and IPv6 Tunnels
Cui Yu, Zhang Hongli, Tian Zhihong, and Fang Binxing
2014, 51(7):  1594-1603. 
DoS attacks pose serious threats to the security of the IPv4 Internet. With the rapid development of IPv6, similar security problems have progressively appeared and started to influence the normal operation of IPv6 services and networks. This paper studies the multi-addresses property of native IPv6 and IPv6 tunnel hosts. It points out that by exploiting this property, attackers could configure a huge number of legal IPv6 addresses and perform DoS attacks on the target by pretending to be normal connections from different hosts. Because the range of addresses is huge and all of them are controlled by the same real host, this kind of attack could, by using new addresses at intervals and coordinating between different connections, effectively avoid the typical detection and defense processes based on IP addresses. The quantity of virtual attacking hosts could be amplified and the quantity of actual attacking hosts could be reduced. To defend against this kind of attack, the method of “defense framework based on addresses classification” (DFAC) is presented. By classifying addresses with different properties and constructing property sets, DFAC could perform detection and defense on this kind of amplification attack. Experimental results on a prototype system show that DFAC effectively alleviates the influence on system payload caused by these DoS attacks.
Action-Based Multi-level Access Control Model
Su Mang1, Li Fenghua2, and Shi Guozhen3
2014, 51(7):  1604-1613. 
The development of communication, computer, and multimedia technologies has sped up information transmission, and information is becoming multi-dimensional. Multi-level security could not only ensure the correctness of information transmission, but also preserve the integrity and confidentiality of the data. The traditional multi-level security models have been implemented with the classic access control models, such as RBAC (role-based access control), which solve the problems of multi-level access control to some extent. But the existing multi-level security access control mechanisms could not accommodate users’ requirements for multi-level permission management anytime and anywhere, taking temporal and environmental factors into consideration. How to implement multi-level access control with the consideration of time and environment has become a problem to be solved. Firstly, we present an action-based multi-level access control model, which integrates BLP and ABAC (action-based access control) by extending the security level to action. Secondly, in order to solve the problem of permission specification with time and environment, we make the description of security level more detailed by defining the reading level (lr) and writing level (lw). The corresponding security rules and proof are given. Finally, we give the implementation scheme of our model. By integrating the temporal state and environmental state for the current complicated network, our scheme could solve the problems of multi-level management and access control.
Sybil Group Attack Detection in Kad Network
Li Qiang1, Li Zhoujun1, Zhou Changbin1, and Yu Jie2
2014, 51(7):  1614-1623. 
The Sybil attack is a routine attack in P2P systems, which could crack the normal operations of a P2P network. Kad is one of the most popular P2P file-sharing systems. The current Kad software limits the number of IP addresses in a routing table in order to reject peers with the same IP. Consequently, the attacker must use multiple hosts to launch a Sybil group attack, so the traditional Sybil detection methods based on identical IP addresses do not work. As an alternative, this paper designs a novel method that leverages the routing table information in the malicious peer. Generally, the routing tables of Sybils in the same group have similar structures. The peers in the same Sybil group are closely connected to each other, whereas the connections between different Sybil groups are sparse. Communities in social networks have the same features as Sybil groups. Therefore we employ the CNM algorithm to detect the Sybil groups. In order to reduce the input size of CNM, several preprocessing methods are needed, such as pre-identifying the malicious peers, collecting their routing table items and clustering peers. The proposed approach is verified by inserting Sybil groups into Kad, and the experimental results show that our method is able to discover Sybil groups that have hundreds of peers. This method has been applied to the Kad network and has found several Sybil groups.
Detection of XSS Vulnerabilities in Online Flash
Liu Qixu1, Wen Tao2, and Wen Guanxing1
2014, 51(7):  1624-1632. 
Popular websites such as YouTube, Yahoo! and CNN contain a large number of Flash files to deliver dynamic content. However, many Flash objects are exposed to cross-site scripting (abbreviated as XSS, a type of injection problem in which malicious scripts are injected into otherwise benign and trusted web sites) vulnerabilities, as they are usually coded without properly purifying their inputs. In this paper, we study the technology of XSS in online Flash and introduce an engine called FXD (Flash XSS Detector), which is designed to automatically scramble webpages with embedded Flash objects and check whether or not they are vulnerable to XSS attacks. We evaluate FXD on a large collection of XSS-vulnerable Flash testing samples we created, which cover all common Flash XSS vulnerabilities. FXD performs efficiently in detecting Flash XSS, providing wide coverage of different kinds of Flash XSS which is higher than that of all related works we know. We also use FXD to test real-world websites, and find that there are still many embedded Flash objects vulnerable to XSS even in Alexa Top 100 websites. Finally, we discover a new trend that Flash XSS nowadays is mainly caused by the combination of key functions in different categories.
Security Architecture to Deal with APT Attacks: Abnormal Discovery
Du Yuejin1,2, Zhai Lidong1, Li Yue1, and Jia Zhaopeng1,3
2014, 51(7):  1633-1645. 
A threat is a potential damage to specific systems, organizations and their assets. It exists in the process of various prolonged attacks on the targets by attackers in light of their task requirements. Facing the advanced persistent threat (APT), the existing security architecture cannot help the victims detect the threat in time, before serious economic losses are caused. Based on an in-depth analysis of the denotation and connotation of threat, this paper explores defense models against threats in detail and proposes a theoretical security and defense framework to deal with the APT: abnormal discovery, so as to solve the problem of threat detection. As the prerequisite of defense policy and protective deployment, abnormal discovery can provide the necessary information for making an effective and targeted defense policy by discovering the abnormal in the environment in real time and in multiple dimensions, unscrambling unknown threats and analyzing the attackers’ purpose. “Wizeye”, a security architecture based on abnormal discovery, is designed and proposed. With high and low monitoring technology coordination, it can monitor and detect the APT from its source, pathway and terminal.