Similar literature
Found 20 similar documents; search took 0 ms
1.
The advent of component‐based reflective applications raises the issue of protecting baselevel components from the actions performed by metalevel components. However, by their very nature, reflective applications are far more difficult to secure than non‐reflective applications, which certainly explains why the problem has received very little attention so far. In this paper we present a security framework for enforcing access control between metalevel components and the baselevel components they reflect on. Rather than designing a new security architecture from scratch, we extend the standard security architecture of Java to provide security for a fully‐functional proxy‐based MOP for Java. We implement a number of well‐known meta‐level behaviors and study their security requirements, the results of which support our design choices. Copyright © 2003 John Wiley & Sons, Ltd.

2.
With the rapid growth of smartphones and tablets in our daily lives, securing the sensitive data stored upon them makes authentication of paramount importance. Current authentication approaches do not re-authenticate in order to re-validate the user’s identity after accessing a mobile phone. Accordingly, there is a security benefit if authentication can be applied continually and transparently (i.e., without obstructing the user’s activities) to authenticate legitimate users, which is maintained beyond the point of entry. To this end, this paper suggests a novel transparent user authentication method for mobile applications by applying biometric authentication on each service within a single application in a secure and usable manner based on the risk level. A study involving data collected from 76 users over a one-month period using 12 mobile applications was undertaken to examine the proposed approach. The experimental results show that this approach achieved desirable outcomes for applying a transparent authentication system at an intra-process level, with an average of 6% intrusive authentication requests. Interestingly, when the participants were divided into three levels of usage (high, medium and low), the average intrusive authentication request was 3% which indicates a clear enhancement and suggests that the system would add a further level of security without imposing significant inconvenience upon the user.

3.
Simulation studies often fail to provide any useful result due to its success being highly dependent on the skills of the analyst to understand a system and then correctly identify all the required data parameters and dependent variables. This paper describes a template-based framework to help identify and specify the components and data parameters for developing models of physical security systems. The layered framework consists of 15 templates built on top of 14 data primitives representing 119 data parameters. The modeling framework has been programmed as an internet-based web application and is simulation language-independent. The usefulness of the framework was tested and shown to have a significant impact on improving the identification of system components and their associated data parameters.

4.
5.
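Guided by the existing information system security protection framework and targeting the website application systems in widespread use today, this paper studies how to build a security protection framework for typical application systems from the perspective of constructing a secure computing environment, a secure area boundary, and a secure communication network. It presents the architecture of the protection framework, analyzes the key technologies involved, and describes the framework's practical deployment and workflow. Security analysis and testing show that the proposed protection framework is more targeted and more practicable, and can provide reliable security support and assurance for typical application systems.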

6.
Verification of software systems, and security protocol analysis as a particular case, requires frameworks that are expressive, so as to properly capture the relevant aspects of the system and its properties, formal, so as to be provably correct, and with a computational counterpart, so as to support the (semi-) automated certification of properties. Additionally, security protocols also present hidden assumptions about the context, specific subtleties due to the nature of the problem and sources of complexity that tend to make verification incomplete. We introduce a verification framework that is expressive enough to capture a few relevant aspects of the problem, like symmetric and asymmetric cryptography and multi-session analysis, and to make assumptions explicit, e.g., the hypotheses about the initial sharing of secret keys among honest (and malicious) participants. It features a clear separation between the modeling of the protocol functioning and the properties it is expected to enforce, the former in terms of a calculus, the latter in terms of a logic. This framework is grounded on a formal theory that allows us to prove the correctness of the verification carried out within the fully fledged model. It overcomes incompleteness by performing the analysis at a symbolic level of abstraction, which, moreover, transforms into executable verification tools.

7.
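A discussion of a unified structure for hybrid optimization strategies   Total citations: 9, self-citations: 1, citations by others: 9
Hybridizing algorithms has become an important and effective way to improve optimization performance and efficiency. Focusing on meta-heuristic algorithms, this paper classifies and surveys hybrid optimization algorithms and their structures, proposes a unified structure for hybrid optimization algorithms, and analyzes and discusses several related issues, providing guiding principles for the design and application of hybrid algorithms.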

8.
The integration of data privacy and security into radio frequency identification (RFID) technology, particularly into RFID tags, has become one of the most attractive research areas. A crucial challenge in RFID technology research lies in providing an efficient protection for systems against information theft and illegitimate access. This article proposes a secure solution based on an RFID card for physical biometric access‐control applications. This is done by integrating two biometric modalities, namely face and fingerprint which are secured via a double watermarking technique. The suggested approach is ensured by two levels of watermarking. At the first level, the wavelet packet decomposition watermarking algorithm is used to insert features from the fingerprint (minutiae) in the face image of an authorized person. At the second level, the same watermarking algorithm is employed to insert the fingerprint watermark in the face features extracted by Gabor filters from the previously watermarked face image (at the first level). The obtained secured watermarked biometric data are then integrated in a 1‐kB high frequency proximity RFID card. This combination of both RFID technology and the double watermarking technique provides a biometric control access framework. Compared with the state‐of‐the‐art frameworks, the proposed one ensures a good compromise between a reduced computational complexity and a high level of data security while maintaining a small space of storage and a low cost compared to those of the marketed products.

9.
Regression testing is an important software maintenance activity to ensure the integrity of a software after modification. However, most methods and tools developed for software testing today do not work well for database applications; these tools only work well if applications are stateless or tests can be designed in such a way that they do not alter the state. To execute tests for database applications efficiently, the challenge is to control the state of the database during testing and to order the test runs such that expensive database reset operations that bring the database into the right state need to be executed as seldom as possible. This work devises a regression testing framework for database applications so that test runs can be executed in parallel. The goal is to achieve linear speed-up and/or exploit the available resources as well as possible. This problem is challenging because parallel testing needs to consider both load balancing and controlling the state of the database. Experimental results show that test run execution can achieve linear speed-up by using the proposed framework.

10.
We present Fortunata, a wiki-based framework designed to simplify the creation of semantically-enabled web applications. This framework facilitates the management and publication of semantic data in web-based applications, to the extent that application developers do not need to be skilled in client-side technologies, and promotes application reuse by fostering collaboration among developers by means of wiki plugins. We illustrate the use of this framework with two Fortunata-based applications named OMEMO and VPOET, and we evaluate it with two experiments performed with usability evaluators and application developers respectively. These experiments show a good balance between the usability of the applications created with this framework and the effort and skills required by developers.

11.
In industrial manufacturing, there are many types of defective samples that are difficult to obtain. Practical industrial vision anomaly detection has proven to be a challenging task because techniques use only normal (non-defective) samples to train a model to detect anomalies. Currently, some reasonably effective models do not perform very well once differences between samples are large, and they ignore the fact that the cost of missing a defect is much higher than the cost of misidentifying a normal sample. To that end, in this paper, we propose a two-stage framework to construct an anomaly detector. We first train a classification network and then build a one-class classifier on learned representations using another pre-trained network. This paper innovatively proposes using the theoretical quantile as the discriminant threshold. We conduct experiments on the Nut and Motor Brush Holder datasets from real industrial production lines. The results show that our method greatly reduces missed detection of anomalous samples, achieving state-of-the-art AUROC scores of 99.3 % and 96.2 %. We also conduct experiments on the publicly available dataset Rd-MVTec AD, showing that our model has good generalizability and fast testing speed while maintaining high AUROC scores. Our model gives excellent results for nonaligned and defective data with diverse anomalous patterns, and it is easy to optimize. Therefore, not only does our technique handle industrial cold starts well, but it also meets the requirement of online updating, which indicates that our solution is highly suitable for industrial manufacturing scenarios.

12.
Dynamic evolution can be used to upgrade distributed applications without shutdown and restart as a way of improving service levels while minimising the loss of business revenue caused by the downtime. An evaluation framework assessing the level of support offered by existing methodologies in composition-based application (e.g. component-based and service-oriented) development is proposed. It was developed by an analysis of the literature and existing methodologies together with a refinement based on a survey of experienced practitioners and researchers. The use of the framework is demonstrated by applying it to twelve methodologies to assess their support for dynamic evolution.

13.
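To counter the photo and video attacks that current face recognition systems face, a high-security identity authentication system is built that combines face recognition with a password and uses lip-reading recognition for liveness detection. First, because Chinese lip-reading data are scarce, two relatively large Chinese lip-reading databases, CNLIP1 and CNLIP2, are established. Second, to preserve the temporal order of lip movements, a stacked convolutional independent subspace analysis (ISA) deep neural network model is used to extract temporal lip-movement features. Finally, a transfer learning algorithm is proposed for training speaker-specific lip-reading models. Experiments show that temporal lip-movement features better represent digit-string lip reading, that the speaker-specific lip-reading models trained by transfer learning meet the needs of liveness detection, and that the resulting high-security face recognition system resists attacks well.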

14.
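To address the shortcomings of current biometric technology when applied to wearable devices, a biometric recognition method applicable to wearable devices is proposed. The amplitude attenuation characteristic curve produced when electromagnetic waves of 300 kHz to 1.5 GHz are transmitted through the human body communication channel is used as the biometric feature. To verify the feasibility of the method, the biometric feature is first measured with a vector network analyzer; then the gradient of the data is extracted and a support vector machine is used to train and test a classifier model. Compared with analyzing the collected biometric features directly, the gradient-based analysis raises the correct recognition rate from 90.45% to 94.54%, lowers the equal error rate from 0.95% to 0.14%, and increases the area under the receiver operating characteristic curve from 0.9971 to 0.9999. Identification based on human body communication can therefore offer one approach for research on identity authentication systems for wearable devices.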

15.
This paper highlights the importance of protecting an organization's vital business information assets by investigating several fundamental considerations that should be taken into account in this regard. Based on this, it is illustrated that information security should be a priority of executive management, including the Board and CEO and should therefore commence as a corporate governance responsibility. This paper, therefore, motivates that there is a need to integrate information security into corporate governance through the development of an information security governance (ISG) framework. This paper further proposes such a framework to aid an organization in its ISG efforts.

16.
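Zhang Yu (张妤), Peng Liang (彭亮). Computer Engineering and Design (计算机工程与设计), 2012, 33(4): 1271-1274, 1284
This paper analyzes the key problems solved by the generalized universally composable security framework (GUC framework) and the mechanisms by which it solves them. On this basis, a protocol example that realizes GUC commitment is studied in depth, leading to the conclusion that although the GUC framework requires the simulator and the real-world adversary to share the same global trusted setup, the two make use of that global trusted setup to different degrees. Comparing the GUC framework with the UC framework and its improved versions shows that the existing frameworks able to realize all well-formed ideal functionalities, including secure computation, share one property: the simulator is more powerful than the real-world adversary. The remaining shortcomings of the GUC framework are discussed.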

17.
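Building on a network security knowledge base system, an intrusion detection model based on a basic network security knowledge base system is proposed, comprising data filtering, attack-intent analysis, and a situation assessment engine. The model uses an evolving self-organizing map to discover multi-target attacks from the same source; it uses association rules obtained by time series analysis to correlate alert events online, in order to identify complex attacks that are spread out over time; finally, it gives evaluation indicators and corresponding quantitative assessment methods for host-level and LAN system-level threats respectively. Compared with existing IDSs, the model has a more complete structure and richer usable knowledge, can discover coordinated attacks more easily, and effectively reduces the false alarm rate.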

18.
We propose a new framework for hybrid system identification, which relies on continuous optimization. This framework is based on the minimization of a cost function that can be chosen as either the minimum or the product of loss functions. The former is inspired by traditional estimation methods, while the latter is inspired by recent algebraic and support vector regression approaches to hybrid system identification. In both cases, the identification problem is recast as a continuous optimization program involving only the real parameters of the model as variables, thus avoiding the use of discrete optimization. This program can be solved efficiently by using standard optimization methods even for very large data sets. In addition, the proposed framework easily incorporates robustness to different kinds of outliers through the choice of the loss function.

19.
Afzel, Nikhil, Max M. Computers & Security, 2004, 23(8): 679-686
Two-dimensional (2D) barcode symbology is an emerging technology used for compactly storing and retrieving information. These barcodes can be found on the back of drivers' licenses and are encoded with secure text data. Standard 2D barcode such as PDF417 uses upper and lowercase alphabets, numeric digits and special characters for encoding. Some barcodes also include a compressed photo of the individual. The visual quality of the compressed image is usually poor and occupies a large amount of space which greatly reduces the capacity needed for encoding text. This paper presents a novel approach for embedding uncompressed images in a standard PDF417 2D barcode using a blind digital watermarking technique. The text is encoded in the standard PDF417 format with error correction, while the face and fingerprint images are watermarked in the encoded 2D barcode. Experimental results show that the proposed technique effectively increased the standard capacity of the PDF417 2D barcode without altering the contents of the encoded data. The results also show that the visual quality of the extracted photo image is high. The extracted fingerprint image when compared with the original fingerprint using an AFIS system yielded a high matching score.

20.
In this paper, we propose a novel Secure Name Service (SNS) framework for enhancing the service availability between collaborative domains (e.g. extranets). The key idea is to enforce packet authentication through resource virtualization and utilize dynamic name binding to protect servers from unauthorized accesses, denial of service (DOS) and other attacks. Different from traditional static network security schemes such as VPN, the dynamic name binding of SNS allows us to actively protect critical resources through distributed filtering mechanisms built in collaborative domains. In this paper, we present the architecture of the SNS framework, the design of SNS naming scheme, and the design of authenticated packet forwarding. We have implemented the prototype of authenticated packet forwarding mechanism on Linux platforms. Our experimental results demonstrate that regular Linux platforms are sufficient to support the SNS authenticated packet forwarding for 100 Mbps and 1 Gbps Ethernet LANs. To further improve the performance and scalability, we have also designed and implemented unique two-layer fast name lookup schemes.
