Comprehensive Analysis of Secure Data Aggregation Scheme for Industrial Wireless Sensor Network

As an Industrial Wireless Sensor Network (IWSN) is usually deployed in a harsh or unattended environment, the privacy security of data aggregation is facing more and more challenges. Currently, the data aggregation protocols mainly focus on improving the efficiency of data transmitting and aggregating, alternately, the aim at enhancing the security of data. The performances of the secure data aggregation protocols are the trade-off of several metrics, which involves the transmission/fusion, the energy efficiency and the security in Wireless Sensor Network (WSN). Unfortunately, there is no paper in systematic analysis about the performance of the secure data aggregation protocols whether in IWSN or in WSN. In consideration of IWSN, we firstly review the security requirements and techniques in WSN data aggregation in this paper. Then, we give a holistic overview of the classical secure data aggregation protocols, which are divided into three categories: hop-by-hop encrypted data aggregation, end-to-end encrypted data aggregation and unencrypted secure data aggregation. Along this way, combining with the characteristics of industrial applications, we analyze the pros and cons of the existing security schemes in each category qualitatively, and realize that the security and the energy efficiency are suitable for IWSN. Finally, we make the conclusion about the techniques and approach in these categories, and highlight the future research directions of privacy preserving data aggregation in IWSN.     

Secure lightweight password authenticated key exchange for heterogeneous wireless sensor networks

Several three-party password authenticated key exchange (3-PAKE) protocols have recently been proposed for heterogeneous wireless sensor networks (HWSN). These are efficient and designed to address security concerns in ad-hoc sensor network applications for a global Internet of Things framework, where a user may request access to sensitive information collected by resource-constrained sensors in clusters managed by gateway nodes. In this paper we first analyze three recently proposed 3-PAKE protocols and discuss their vulnerabilities. Then, based on Radio Frequency Identification technologies we propose a novel 3-PAKE protocol for HWSN applications, with two extensions for additional security features, that is provably secure, efficient and flexible.     

培训中心网络安全建设的思考

本文分析了在网络安全的严峻局面下,培训中心作为开放性的网络访问环境,面临的支撑业务与安全矛盾难题远比企业大得多。本文以网络建设的多维度分析模型方法为基础,详细分析了培训中心网络建设的难点,提出了具体落地的网络建设思路;说明培训中心网络安全建设是长期的、技术难度很高的、有价值的工作。     

基于一种云计算数据保护的多级加密算法的应用研究

云计算是分布式计算技术的一种,其最基本的概念是透过网络将庞大的计算处理程序自动分拆成无数个较小的子程序,再交由多部服务器所组成的庞大系统经搜寻、计算分析之后将处理结果回传给用户。云计算中的数据泄漏已经成为云计算的巨大威胁,据不完全统计数据,仅在2019年1年,大约有超40亿条信息被泄露。这些信息涵盖科技、医疗、政府、金融、教育、制造等十几个领域数百个行业,数据泄露已经成为云计算中数据安全的巨大威胁。主要提出了一种多级加密算法,能更好地保护云计算中的数据,并能以极小的成本在云计算中得到应用。     

基于多内核兼容的国网安全浏览器关键技术研究

为解决国家电网有限公司工作人员日常工作中操作业务系统时因浏览器版本问题遇到的各种困扰,文章研究了基于多内核兼容的国网安全浏览器关键技术。通过设计研发多内核企业级浏览器,采用Chromium多进程模型,实现Chrome和IE多内核浏览。在此基础上,详细描述使用国密算法进行浏览器安全加固技术的详细做法。测试结果表明,该安全浏览器有效解决了兼容和安全问题,实现单一浏览器兼容所有业务系统,提升客户端操作体验,降低信息化系统开发和运维成本,为国家电网有限公司信息化建设发展提供扎实基础。     

基于深度学习的安全缺陷报告预测方法实证研究

软件安全问题的发生在大多数情况下会造成非常严重的后果，及早发现安全问题，是预防安全事故的关键手段之一.安全缺陷报告预测可以辅助开发人员及早发现被测软件中潜藏的安全缺陷，从而尽早得以修复.然而，由于安全缺陷在实际项目中的数量较少，而且特征复杂（即安全缺陷类型繁多，不同类型安全缺陷特征差异性较大），这使得手工提取特征相对困难，并随后造成传统机器学习分类算法在安全缺陷报告预测性能方面存在一定的瓶颈.针对该问题，提出基于深度学习的安全缺陷报告预测方法，采用深度文本挖掘模型TextCNN和TextRNN构建安全缺陷报告预测模型；针对安全缺陷报告文本特征，使用skip-grams方式构建词嵌入矩阵，并借助注意力机制对TextRNN模型进行优化.所构建的模型在5个不同规模的安全缺陷报告数据集上展开了大规模实证研究，实证结果表明：深度学习模型在80%的实验案例中都要优于传统机器学习分类算法，性能指标F1-score平均可提升0.258，在最好的情况下甚至可以提升0.535.除此之外，针对安全缺陷报告数据集存在的类不均衡问题，对不同采样方法进行了实证研究，并对结果进行了分析.     

Sensei: Enforcing secure coding guidelines in the integrated development environment

We discuss the potential benefits, requirements, and implementation challenges of a security-by-design approach in which an integrated development environment plugin assists software developers to write code that complies with secure coding guidelines. We discuss how such a plugin can enable a company's policy-setting security experts and developers to pass their knowledge on to each other more efficiently, and to let developers more effectively put that knowledge into practice. This is achieved by letting the team members develop customized rule sets that formalize coding guidelines and by letting the plugin check the compliance of code being written to those rule sets in real time, similar to an as-you-type spell checker. Upon detected violations, the plugin suggests options to quickly fix them and offers additional information for the developer. We share our experience with proof-of-concept designs and implementations rolled out in multiple companies, and present some future research and development directions.     

增强现实中基于位置安全性的LBS位置隐私保护方法

为了解决基于位置的服务(LBS)和增强现实(AR)技术快速发展带来的用户位置隐私泄露的隐患,分析了现有的位置隐私保护方法的优缺点,提出基于位置安全性的位置隐私保护方法。将区域安全度和伪装区域引入该方法中,将提示某区域是否需要保护这一度量标准定义为区域安全度,非安全区域(即需要给予保护的区域)的区域安全度设置为1,安全区域(即不需要保护的区域)设置为0,通过扩大区域安全度和识别等级来计算位置安全度。实验结果表明,该方法与未引入位置安全性的方法相比降低了平均定位误差,提高了平均安全性,从而有效地保护了用户的位置隐私,提高了LBS的服务质量。     

Interventions for long-term software security: Creating a lightweight program of assurance techniques for developers

Though some software development teams are highly effective at delivering security, others either do not care or do not have access to security experts to teach them how. Unfortunately, these latter teams are still responsible for the security of the systems they build: systems that are ever more important to ever more people. We propose that a series of lightweight interventions, six hours of facilitated workshops delivered over three months, can improve a team's motivation to consider security and awareness of assurance techniques, changing its security culture even when no security experts are involved. The interventions were developed after an Appreciative Inquiry and Grounded Theory survey of security professionals to find out what approaches work best. We tested the interventions in a participatory action research field study where we delivered the workshops to three software development organizations and evaluated their effectiveness through interviews beforehand, immediately afterwards, and after twelve months. We found that the interventions can be effective with teams with limited or no security experience and that improvement is long-lasting. This approach and the learning points arising from the work here have the potential to be applied in many development teams, improving the security of software worldwide.