基于 ECC算法的TLS协议设计与优化

为解决TLS协议存在的握手交互次数多、密钥计算开销大等诸多性能问题,在对TLS协议进行分析的基础上,设计了一种基于ECC算法的TLS协议,用ECC算法代替原协议中的RSA算法,充分发挥ECC算法的优越性,提高协议的性能。使用缓存握手参数的方法对协议交互过程进行优化,通过SVO逻辑对优化后的协议进行形式化证明,证明协议是安全的。通过实验将改进后的协议与原协议进行了比较分析,结果表明,随着协议安全等级的提高,改进后的协议在性能上具有明显的优越性。     

防御链接预测攻击的隐私保护方法

为解决现有的防御链接预测攻击的隐私保护方法的不足,提出一种基于积分梯度的局部扰动算法LDIG (local disturbance algorithm based on integral gradient)。利用敏感链接的闭合子图确定扰动范围,根据扰动范围内链接的积分梯度迭代扰动链接,同时将链接预测对扰动图中敏感链接的预测结果作为扰动结束的判断依据。实验结果表明,LDIG算法的计算复杂度较低,适用于大规模社交网络的隐私保护,扰动链接的数量较少,提高了数据的效用性。     

Design research of the DES against power analysis attacks based on FPGA

Aiming at the DES design scheme against power analysis attacks introduced by Standart et al., an improved scheme is presented in this paper. In the improved scheme, eight dummy S-Boxes are proposed to make the power consumption of the DES S-Box logic gates constant instead of random, and it can make the same difficulties for power analysis attackers consuming 98% less memories as compared with the previous scheme. By analyzing the improved scheme in theory and using an accurate circuit simulator, the secure efficacy of the improved one is verified. The verification results indicate that the improved scheme can satisfy the practical applications against power analysis attacks, and it can be also introduced into the FPGA implementations of other cryptographic algorithms’ S-Box against power analysis attacks.     

基于虚拟环的源位置隐私保护路由协议

针对无线传感器网络(WSNs)中源节点位置隐私保护问题,提出了基于随机虚拟环的源位置隐私保护路由协议,可以避免失效路径的产生,同时,随机变化的虚拟环将路由路径扩展到源节点所在的环形区域内,极大地增加了路由路径的随机性和多样性,使得攻击者难以根据路由路径推测出源节点所在位置.仿真结果表明:在有限时延的情况下,协议明显提高了源位置隐私保护能力.     

An equational logic based approach to the security problem against inference attacks on object-oriented databases

A query is said to be secure against inference attacks by a user if there exists no database instance for which the user can infer the result of the query, using only authorized queries to the user. In this paper, first, the security problem against inference attacks on object-oriented databases is formalized. The definition of inference attacks is based on equational logic. Secondly, the security problem is shown to be undecidable, and a decidable sufficient condition for a given query to be secure under a given schema is proposed. The idea of the sufficient condition is to over-estimate inference attacks using over-estimated results of static type inference. The third contribution is to propose subclasses of schemas and queries for which the security problem becomes decidable. Lastly, the decidability of the security problem is shown to be incomparable with the static type inferability, although the tightness of the over-estimation of the inference attacks is affected in a large degree by that of the static type inference.     

基于ISP网络的DDoS攻击防御方法研究

针对DDoS攻击在ISP网络中的行为特点,提出了一种基于ISP网络的DDoS攻击协作防御方法.该方法从流量信息中构造出攻击会聚树,并根据攻击会聚树找出攻击数据流在ISP网络中的源,在源头对攻击数据流进行控制,从而达到在ISP网络内防御DDoS攻击的目的.该方法克服了在整个网络中防御DDoS攻击耗资巨大的缺点.实验结果表明,该方法能够快速有效了实现对DDoS攻击的防御.     

DSR-BCA协议应对DoS攻击的解决方法

Ad hoc网络的无线、自组织特点使其很容易受到DoS攻击.在已有研究成果DSR-BCA协议的基础上,增加一个应对DoS攻击的机制,参与网络路由的节点都执行路由参与验证算法,当网络数据传输的丢包率超过预设阈值时,用隔离算法找出被DoS攻击的节点并隔离它,使网络节点的有效性最大化.仿真实验表明,该方法在Ad hoc网络受到DoS攻击时的效果明显,在平均传输时延和分组投递率两方面的性能都有提高,对于DoS攻击可以起到很好的抵制作用,提升了网络的健壮性.     

Audio watermarking scheme robust against desynchronization attacks based on kernel clustering

In this paper, we propose an adaptive audio watermarking scheme based on kernel fuzzy c-means (KFCM) clustering algorithm, which possesses robust ability against common signal processing and desynchronization attacks. The original audio signal is partitioned into audio frames and then each audio frame is further divided as two sub-frames. In order to resist desynchronization attacks, we embed a synchronization code into first sub-frame of each audio frame by using a mean quantization technique in temporal domain. Moreover, watermark signal is hid into DWT coefficients of second sub-frame of each audio frame by using an energy quantization technique. A local audio feature data set extracted from all audio frames is used to train a KFCM. The well-trained KFCM is used to adaptively control quantization steps in above two quantization techniques. The experimental results show the proposed scheme is robust to common signal processing (such as MP3 lossy compression, noise addition, filtering, re-sampling, re-quantizing) and desynchronization attacks (random cropping, pitch shifting, amplitude variation, time-scale modification, jittering).     

基于验证机制的应用层DDoS攻击防御方法

针对应用层分布式拒绝服务攻击的原理和特点,提出一种基于轻量级验证机制的防御算法,在客户端与服务器的通信过程中嵌入验证码,利用客户端计算,正确识别合法请求,过滤恶意攻击.验证机制在TCP/IP协议栈中呈非对称性,服务端的过滤在IP层进行,客户端的计算在应用层进行,使算法具有低的资源消耗和对通信双方的透明.该方法在抗分布式拒绝服务攻击网关平台上实现,测试结果表明,该方法具有良好的防御效果和优异的性能表现.     

基于可信度的应用层DDoS攻击防御方法

针对应用层DDoS(application layer DDoS,App-DDoS)攻击行为的特点,提出了一种基于可信度的App-DDoS攻击防御方法.该方法从服务请求的速率和负载两个方面,统计分析正常用户的数据分布规律,并以此作为确定会话可信度的依据.调度策略再根据会话可信度实现对攻击的防御.最后,通过模拟攻击实验验证了防御方法的有效性.实验结果证明了该方法能够快速有效地实现对App-DDoS攻击的防御.     

Improved encryption protocol for secure communication in trusted MANETs against denial of service attacks

MANET(Mobile Adhoc Networks) possess the open system condition, absence of central server, mobile nodes that make helpless to security assault while conventional security components couldn’t meet MANET security prerequisites in view of restricted correspondence data transfer capacity, calculation power, memory and battery limit in addition to the vitality enabled environment. The trusted MANETs provide a reliable path and efficient communication but the secrecy of the trust values sometimes may be overheard by the masqueraders. Due to the need of the clustered MANETs the exchange of mathematical values remains to be a necessary part. In the proposed security of the trusted MANETs is focused so as to provide rigid and robust networks when additional resources are added. For clustering of the nodes LEACH protocol is suggested in which the CHs and CMs are fixed for the data transfer in the network. The energy is disseminated in the LEACH as to avoid the battery drain and network fatal. Hence to add resistance and to make an authentic network, the encryption and decoding is incorporated as a further supplementary to avoid the denial of service attacks, we have utilized DoS Pliancy Algorithm in which the acknowledgment based flooding attacks is focused. Likewise the encoded messages from the source node in one cluster can be recoded in the transmission stage itself to reproduce the messages. Contrasted with the past works, QoS of our proposed work has been made strides when tested with black hole and sink hole attacks. Simulation results shows that the DoS pliancy scheme works better and efficient when compared to the existing trust based systems.

     

Media hash-dependent image watermarking resilient against both geometric attacks and estimation attacks based on false positive-oriented detection

The major disadvantage of existing watermarking methods is their limited resistance to extensive geometric attacks. In addition, we have found that the weakness of multiple watermark embedding methods that were initially designed to resist geometric attacks is their inability to withstand the watermark-estimation attacks (WEAs), leading to reduce resistance to geometric attacks. In view of these facts, this paper proposes a robust image watermarking scheme that can withstand geometric distortions and WEAs simultaneously. Our scheme is mainly composed of three components: 1) robust mesh generation and mesh-based watermarking to resist geometric distortions; 2) construction of media hash-based content-dependent watermark to resist WEAs; and 3) a mechanism of false positive-oriented watermark detection, which can be used to determine the existence of a watermark so as to achieve a tradeoff between correct detection and false detection. Furthermore, extensive experimental results obtained using the standard benchmark (i.e., Stirmark) and WEAs, and comparisons with relevant watermarking methods confirm the excellent performance of our method in improving robustness. To our knowledge, such a thorough evaluation has not been reported in the literature before.     

MANET环境中抵御“黑洞”攻击的路由算法

介绍了adhoc网络环境中的“黑洞”攻击，并根据“黑洞”的特点提出了一种基于mobile agent的路由算法。利用mobile agent和各节点进行数据交换，得到节点连接关系的矩阵表，当数据报文需要传送时，根据矩阵表可以迅速得到最佳路径，之后通过对邻居节点数据包转发的监视，抵御“黑洞”的攻击。     

Method of security against computer attacks based on an analysis of executable machine code

The paper presents method of securing executable software code based on executing computations in an environment of virtual machines with pseudo-random architecture, the interpreter of which is protected by obfuscation transformations using Petri nets with initial states defined based on solutions of Diophantus equations.     

基于核心网的恶意脚本识别与防范系统

随着网页制作技术的不断发展,越来越多的脚本技术应用于网页之中,不仅减小了网页的规模,更提高了网页浏览的速度,丰富了网页的表现。但同时也给网络安全带来了严重的威胁,黑客们可以利用脚本技术使用户在浏览网页时,破坏用户的操作系统、撒布病毒、盗取用户信息等,网页恶意代码已经成为了影响网络信息安全的最大因素之一。然而目前对恶意代码的防护还大多停留在用户层面,即用户通过在本机安装防病毒软件进行防护,这种方式有着诸多的缺点;本文提出了一种在网络核心层防治恶意代码的解决方案,为恶意代码的防治提供了一种新的解决思路。     

基于递推总体最小二乘的北斗T-Rn型被动雷达定位

对北斗卫星作为机会辐射源的可行性进行分析,研究了北斗卫星信号Kasami码的模糊函数.仿真表明:信号有良好的距离与速度分辨力.提出基于到达时间差(TDOA)的T-Rn型被动雷达总体最小二乘TLS定位方法的理论推导,并针对TLS算法的缺点给出递推TLS(RTLS)算法.仿真表明:该算法逼近TLS算法,能够实时更新且节省硬件资源.     

Integrated robot control using manufacturing message specification protocol based on NetBIOS

An implementation of Manufacturing Message Specification (MMS) protocol has been made for robot control based on a token-ring personal computer (PC) network using NetBIOS. This paper discusses the construction of the MMS protocol data unit (PDU) and virtual manufacturing device (VMD) which are essential elements in the protocol. The session layer capability of the NetBIOS protocol provides a good basis for establishing the confirmed services in MMS. The services are implemented by utilising the extensive session control functions in NetBIOS and building on top the required presentation and application elements. The philosophy of multiple-access machine control in MMS is also made possible on a single-user operating system such as DOS by a ring buffer control scheme. The implication of these are further explored in relation to the dynamic control of robot over the network environment using the concepts of domain and program invocation in MMS.     

基于SSL协议的SET协议模拟实现

安全问题是关系到电子商务服务是否能够广泛开展的重要因素。一个安全电子支付系统需要特殊的安全机制。目前，在电子商务中使用的安全协议主要有两种，即SSL协议和SET协议。SSL协议是免费的，但是它有重大缺陷。SET协议要安全许多，然而却非常昂贵，且现有的实现缺乏灵活性。SSL协议的实现版本openssl里附带有一个非常完备的加密函数库和一整套的使用和管理CA数字证书的方法。主要讨论如何在SSL协议的基础上利用openssl开发包和组件技术来实现SET协议功能，并提高SET协议使用的灵活性。     

Install-time vaccination of Windows executables to defend against stack smashing attacks

Stack smashing is still one of the most popular techniques for computer system attack. In this work, we present an anti-stack-smashing defense technique for Microsoft Windows systems. Our approach works at install-time, and does not rely on having access to the source-code: The user decides when and which executables to vaccinate. Our technique consists of instrumenting a given executable with a mechanism to detect stack smashing attacks. We developed a prototype implementing our technique and verified that it successfully defends against actual exploit code. We then extended our prototype to vaccinate DLLs, multithreaded applications, and DLLs used by multithreaded applications, which present significant additional complications. We present promising performance results measured on SPEC2000 benchmarks: Vaccinated executables were no more than 8 percent slower than their un-vaccinated originals.