基于可信计算的防网络欺诈认证方案

由于大部分用户没有用户证书,在不安全网络环境中,基于用户名/口令的远程用户认证是最为常见的认证方式.正是基于这一点,许多攻击方式才得以成功实施.在分析了当今主要网络欺诈的方法和现有密钥保护机制的基础上,提出一种基于可信计算技术抵御网络欺诈的认证方案.该方案结合使用了可信计算保护存储机制、证书链、口令分割等多种技术,即使用户名/口令被盗,仍然能保证用户的认证安全.分析结果表明了该方法能有效抵御网络欺诈攻击.     

Hardware-assisted feature analysis and visualization of procedurally encoded multifield volumetric data

We take a new approach to interactive visualization and feature detection of large scalar, vector, and multifield computational fluid dynamics data sets that is also well suited for meshless CFD methods. Radial basis functions (RBFs) are used to procedurally encode both scattered and irregular gridded scalar data sets. The RBF encoding creates a complete, unified, functional representation of the scalar field throughout 3D space, independent of the underlying data topology, and eliminates the need for the original data grid during visualization. The capability of commodity PC graphics hardware to accelerate the reconstruction and rendering and to perform feature detection from this functional representation is a powerful tool for visualizing procedurally encoded volumes. Our RBF encoding and GPU-accelerated reconstruction, feature detection, and visualization tool provides a flexible system for visually exploring and analyzing large, structured, scattered, and unstructured scalar, vector, and multifield data sets at interactive rates on desktop PCs.     

优化认证消息流防止中间人攻击

中间人攻击是对网络协议的攻击,该攻击普遍存在并危害较大,很多安全协议也面临威胁.按照发展层次比较了对一般通信、附加认证和安全协议的通信和受保护认证通信的中间人攻击方式,分析了可以避免该攻击的几种方法.以联锁协议为基础,以受保护的认证协议为例,提出了通过改变认证消息序列避免攻击的安全认证协议构造方法.     

An integrated data preparation scheme for neural network data analysis

Data preparation is an important and critical step in neural network modeling for complex data analysis and it has a huge impact on the success of a wide variety of complex data analysis tasks, such as data mining and knowledge discovery. Although data preparation in neural network data analysis is important, some existing literature about the neural network data preparation are scattered, and there is no systematic study about data preparation for neural network data analysis. In this study, we first propose an integrated data preparation scheme as a systematic study for neural network data analysis. In the integrated scheme, a survey of data preparation, focusing on problems with the data and corresponding processing techniques, is then provided. Meantime, some intelligent data preparation solution to some important issues and dilemmas with the integrated scheme are discussed in detail. Subsequently, a cost-benefit analysis framework for this integrated scheme is presented to analyze the effect of data preparation on complex data analysis. Finally, a typical example of complex data analysis from the financial domain is provided in order to show the application of data preparation techniques and to demonstrate the impact of data preparation on complex data analysis.     

Enhanced dynamic credential generation scheme for protection of user identity in mobile-cloud computing

To improve the resource limitation of mobile devices, mobile users may utilize cloud-computational and storage services. Although the utilization of the cloud services improves the processing and storage capacity of mobile devices, the migration of confidential information on untrusted cloud raises security and privacy issues. Considering the security of mobile-cloud-computing subscribers’ information, a mechanism to authenticate legitimate mobile users in the cloud environment is sought. Usually, the mobile users are authenticated in the cloud environment through digital credential methods, such as password. Once the users’ credential information theft occurs, the adversary can use the hacked information for impersonating the mobile user later on. The alarming situation is that the mobile user is unaware about adversary’s malicious activities. In this paper, a light-weight security scheme is proposed for mobile user in cloud environment to protect the mobile user’s identity with dynamic credentials. The proposed scheme offloads the frequently occurring dynamic credential generation operations on a trusted entity to keep minimum processing burden on the mobile device. To enhance the security and reliability of the scheme, the credential information is updated frequently on the basis of mobile-cloud packets exchange. Furthermore, the proposed scheme is compared with the existing scheme on the basis of performance metrics i.e. turnaround time and energy consumption. The experimental results for the proposed scheme showed significant improvement in turnaround time and energy consumption as compared to the existing scheme.     

New attacks on secret sharing-based data outsourcing: toward a resistant scheme

In this paper, two new practical attacks on some secret sharing-based data outsourcing schemes are first introduced, and several other security and performance issues with the existing schemes are also explored. The existing and new attacks exploit the information about the share range boundaries or the correspondences between the secret values and shares. A range expansion technique is then proposed to thwart one of the attacks. It expands the ranges in every range predicate in the submitted queries in order to hide the share range boundaries from any query observer. Next, a mapping method is proposed to thwart the other attacks. It maps each secret value to a mapping value using a secret one-to-many mapping with a finite set of linear mapping rules so that the tuples of shares are generated from the mapping values rather than directly from the secret values. The proposed mapping method works as an additional layer of security and addresses any attack based on the correspondences between the secret values and shares. At the same time, it preserves the homomorphism property of secret sharing. Finally, a new secure data outsourcing scheme is elaborated on secret sharing, the proposed mapping method, and the proposed range expansion technique. The proposed scheme is resistant to various attacks and also some inferences. It supports the fully server-side or a partially server-side query execution of most types of queries. The experimental results confirm that the proposed scheme is quite practical and efficient.

     

椭圆曲线密码中抗功耗分析攻击的标量乘改进方案

椭圆曲线标量乘法运算是椭圆曲线密码(ECC)体制中最主要的计算过程,标量乘法的效率和安全性一直是研究的热点。针对椭圆曲线标量乘运算计算量大且易受功耗分析攻击的问题,提出了一种抗功耗分析攻击的快速滑动窗口算法,在雅可比和仿射混合坐标系下采用有符号滑动窗口算法实现椭圆曲线标量乘计算,并采用随机化密钥方法抵抗功耗分析攻击。与二进制展开法、密钥分解法相比的结果表明,新设计的有符号滑动窗口标量乘算法计算效率、抗攻击性能有明显提高。     

L-overlay: A layered data management scheme for peer-to-peer computing

Efficient storage and handling of data stored in a peer-to-peer (P2P) network, proves vital for various applications such as query processing and data mining. This paper presents a distributed, scalable and robust layered overlay (L-overlay) to index and manage multidimensional data in a dynamic P2P network. The proposed method distinguishes between the data and peer layers, with efficient mapping between the two. The data is organized such that semantically similar data objects are accessed hastily. Grid and tree structures are proposed for the peer layer. As application examples of L-overlay in query processing and data mining, k-nearest neighbors query processing and distributed Naïve Bayes classification algorithms, are proposed. We show the effectiveness of our scheme in static and dynamic environments using simulation. L-overlay is shown to be more efficient than SSW, an available semantic overly, in terms of maintenance and query processing costs.     

System identification with binary-valued observations under both denial-of-service attacks and data tampering attacks:defense scheme and its optimality

In this paper,we investigate the defense problem against the joint attacks of denial-of-service attacks and data tampering attacks in the framework of system identification with binary-valued observations.By estimating the key parameters of the joint attack and compensating them in the identification algorithm,a compensation-oriented defense scheme is proposed.Then the identification algorithm of system parameter is designed and is further proved to be consistent.The asymptotic normality of the algorithm is obtained,and on this basis,we propose the optimal defense scheme.Furthermore,the implementation of the optimal defense scheme is discussed.Finally,a simulation example is presented to verify the effectiveness of the main results.     

System identification with binary-valued observations under both denial-of-service attacks and data tampering attacks: defense scheme and its optimality

In this paper, we investigate the defense problem against the joint attacks of denial-of-service attacks and data tampering attacks in the framework of system identification with binary-valued observations. By estimating the key parameters of the joint attack and compensating them in the identification algorithm, a compensation-oriented defense scheme is proposed. Then the identification algorithm of system parameter is designed and is further proved to be consistent. The asymptotic normality of the algorithm is obtained, and on this basis, we propose the optimal defense scheme. Furthermore, the implementation of the optimal defense scheme is discussed. Finally, a simulation example is presented to verify the effectiveness of the main results.     

Hierarchical data management for structural analysis

The use of formal data bases management systems is becoming increasingly necessary in computer programs for structural engineering. This paper briefly reviews data base requirements and the organization of integrated computer program networks and identifies a need for hierarchical data base management in computer programs for structural analysis. The nature of the data hierarchy is illustrated with reference to a building that has been analyzed by using substructure techniques. The organization and features of the hiearchical data base manager STRATA are then described. STRATA has been developed specifically for use in structural analysis.     

An approach for detecting and preventing DDoS attacks in campus

Nowadays, Denial of Service (DoS) attacks have become a major security threat to networks and the Internet. Therefore, even a naive hacker can launch a large-scale DoS attack to the victim from providing Internet services. This article deals with the evaluation of the Snort IDS in terms of packet processing performance and detection. This work describes the aspect involved in building campus network security system and then evaluates the campus network security risks and threats, mainly analyses the attacks DoS and DDoS, and puts forward new approach for Snort campus network security solutions. The objective is to analyze the functional advantages of the solution, deployment and configuration of the open source based on Snort intrusion detection system. The evaluation metrics are defined using Snort namely comparison between basic rules with new ones, available bandwidth, CPU loading and memory usage.     

An efficient data exchange scheme for semiconductor engineering chain management system

When IC production enters into the nano-meter generation, many yield problems are related to design. The semiconductor industry is eager to have engineering chain management systems (ECMSs) to tightly share engineering data among cooperative semiconductor companies, such as IC Design House, Mask-Fabrication Company, Foundry-Service Company, and Assembly/Test Company, via Internet for increasing the yield, reducing production cost, and decreasing time to market for a new IC. Traditionally, cooperative semiconductor companies exchange data through FTP that is activated manually. In recent years, the Web Services technology has provided a new and excellent approach for automatically exchanging and integrating data among heterogeneous systems on the Internet. In this paper, an ECMS framework for semiconductor industry is presented. Also, an efficient Web-Services-based data exchange scheme is developed to solve three core problems of data exchange in ECMS: the convenience of data exchange and integration, the security protection of data transmission, and the efficiency of transmitting data, in particular large binary data. Experimental test results show that the proposed EC data exchange scheme can fulfill the desired functional requirements and demonstrate a superior performance over the traditional data transfer methods. It is believed that the proposed data exchange scheme can be an effective solution to the data exchange problem of ECMS.     

A data management scheme for effective walkthrough in large-scale virtual environments

As the complexity of virtual environments increases, it becomes a critical issue to maintain the quality of a walkthrough experience. In this paper, we propose an effective data management scheme to address this issue in client-server architecture. First, we propose using real-time scene management to manage the computing resources on the client side by reducing the amount of transmitted geometry data. Second, we propose a prioritized most likelihood movement model to prefetch potential future objects based on the users current motion intention. Lastly, a hybrid coherence cache model is proposed to take advantages of both the temporal and spatial localities of the walkthrough process. We have done extensive experiments to demonstrate how these techniques can improve the effectiveness of walkthrough in a large virtual environment.     

PCS网络位置管理方案性能分析

PCS（Personal Communication Service）网络中位置管理开销昂贵；为减小开销，研究人员提出了许多种方案。研究了基于LRA（Lazy Replication Algorithm）的位置管理方案，建立了分析模型，以相邻两次呼叫期间实现位置管理所花费的开销为指标，对IS-41和LRA两者的性能进行了比较。研究表明，对于高移动性或远离归属地的用户，LRA显著优于IS-41；另一方面，对于呼叫多发生于两个服务区间或低移动性的用户，IS-41优于LRA；从总体上看，LRA性能优于IS-41。     

Design and analysis of a replicated elusive server scheme for mitigating denial of service attacks

The paper proposes a scheme, referred to as proactive server roaming, to mitigate the effects of denial of service (DoS) attacks. The scheme is based on the concept of “replicated elusive service”, which through server roaming, causes the service to physically migrate from one physical location to another. Furthermore, the proactiveness of the scheme makes it difficult for attackers to guess when or where servers roam. The combined effect of elusive service replication and proactive roaming makes the scheme resilient to DoS attacks, thereby ensuring a high-level of quality of service. The paper describes the basic components of the scheme and discusses a simulation study to assess the performance of the scheme for different types of DoS attacks. The details of the NS2-based design and implementation of the server roaming strategy to mitigate the DoS attacks are provided, along with a thorough discussion and analysis of the simulation results.     

抵御污染攻击的双源网络编码签名算法

网络编码易遭受污染攻击的破坏,而传统的签名技术不能适用于多源网络编码。基于一种离散对数问题安全的向量哈希函数,提出一种有效抵御污染攻击的双源线性网络编码签名算法,方案中每个源节点用自己的私钥对文件签名,中间节点可用向量的合并算法线性组合来自不同源的消息,且中间（信宿）节点仅用公钥就可验证收到的签名。方案的安全性依赖于Co-Diffie、Hellman问题,并在随机预言模型下,证明能够抵抗信源节点和中间节点的攻击。     

面向云数据库服务的隐私字符串加密查询方案

面向云数据库的字符串型隐私信息的加密查询问题,提出了一个有效解决方案。为了确保字符串数据在不可信云数据库中安全性,在客户端,首先对其进行加密并为其构建特征索引。特征索引通过子字段划分、子字段值域分区、分区标识符分配等步骤,能有效地获取字符串的关键特征,而丢弃非关键特征,具有很好的安全性和有效性。然后,数据查询时,方案将定义在隐私字段上的用户查询转换为定义在索引字段上的新查询,使其可以在云数据库上正确执行,而无需解密数据,有效地提高了查询效率。最后,理论分析和实验评估验证了方案的安全性、有效性、高效性和灵活性。     

Vcard数据的动态字段解析和存储方案的实现

针对Vcard文件的数据解析出来存放到单板中存在的问题,提出了一种动态字段解析和存储方案.该方案采用在SDK层对Vcard字符流进行解析,并转换成Vcard对象模型,动态拆分成AT命令并分段下发给单板的方法.通过建立Vcard 对象模型以及AT命令的扩展,在不改变单板存储结构以及存储方式的基础上,无需实现对象交换(Ob...     

An efficient homomorphic MAC-based scheme against data and tag pollution attacks in network coding-enabled wireless networks

Recent research efforts have shown that wireless networks can benefit from network coding (NC) technology in terms of bandwidth, robustness to packet losses, delay and energy consumption. However, NC-enabled wireless networks are susceptible to a severe security threat, known as data pollution attack, where a malicious node injects into the network polluted packets that prevent the destination nodes from decoding correctly. Due to recoding, occurred at the intermediate nodes, according to the core principle of NC, the polluted packets propagate quickly into other packets and corrupt bunches of legitimate packets leading to network resource waste. Hence, a lot of research effort has been devoted to schemes against data pollution attacks. Homomorphic MAC-based schemes are a promising solution against data pollution attacks. However, most of them are susceptible to a new type of pollution attack, called tag pollution attack, where an adversary node randomly modifies tags appended to the end of the transmitted packets. Therefore, in this paper, we propose an efficient homomorphic message authentication code-based scheme, called HMAC, providing resistance against data pollution attacks and tag pollution attacks in NC-enabled wireless networks. Our proposed scheme makes use of three types of homomorphic tags (i.e., MACs, D-MACs and one signature) which are appended to the end of the coded packet. Our results show that the proposed HMAC scheme is more efficient compared to other competitive tag pollution immune schemes in terms of complexity, communication overhead and key storage overhead.