NFHP-RN:AMethod of Few-Shot Network Attack Detection Based on the Network Flow Holographic Picture-ResNet

Due to the rapid evolution of Advanced Persistent Threats(APTs)attacks,the emergence of new and rare attack samples,and even those never seen before,make it challenging for traditional rule-based detection methods to extract universal rules for effective detection.With the progress in techniques such as transfer learning and meta-learning,few-shot network attack detection has progressed.However,challenges in few-shot network attack detection arise from the inability of time sequence flow features to adapt to the fixed length input requirement of deep learning,difficulties in capturing rich information from original flow in the case of insufficient samples,and the challenge of high-level abstract representation.To address these challenges,a few-shot network attack detection based on NFHP(Network Flow Holographic Picture)-RN(ResNet)is proposed.Specifically,leveraging inherent properties of images such as translation invariance,rotation invariance,scale invariance,and illumination invariance,network attack traffic features and contextual relationships are intuitively represented in NFHP.In addition,an improved RN network model is employed for high-level abstract feature extraction,ensuring that the extracted high-level abstract features maintain the detailed characteristics of the original traffic behavior,regardless of changes in background traffic.Finally,a meta-learning model based on the self-attention mechanism is constructed,achieving the detection of novel APT few-shot network attacks through the empirical generalization of high-level abstract feature representations of known-class network attack behaviors.Experimental results demonstrate that the proposed method can learn high-level abstract features of network attacks across different traffic detail granularities.Comparedwith state-of-the-artmethods,it achieves favorable accuracy,precision,recall,and F1 scores for the identification of unknown-class network attacks through cross-validation onmultiple datasets.

Enhancing the Trustworthiness of 6G Based on Trusted Multi-Cloud Infrastructure:A Practice of Cryptography Approach

Due to the need for massive device connectivity,low communication latency,and various customizations in 6G architecture,a distributed cloud deployment approach will be more relevant to the space-air-ground-sea integrated network scenario.However,the openness and heterogeneity of the 6G network cause the problems of network security.To improve the trustworthiness of 6G networks,we propose a trusted computing-based approach for establishing trust relationships inmulti-cloud scenarios.The proposed method shows the relationship of trust based on dual-level verification.It separates the trustworthy states of multiple complex cloud units in 6G architecture into the state within and between cloud units.Firstly,SM3 algorithm establishes the chain of trust for the system’s trusted boot phase.Then,the remote attestation server(RAS)of distributed cloud units verifies the physical servers.Meanwhile,the physical servers use a ring approach to verify the cloud servers.Eventually,the centralized RAS takes one-time authentication to the critical evidence information of distributed cloud unit servers.Simultaneously,the centralized RAS also verifies the evidence of distributed RAS.We establish our proposed approach in a natural OpenStack-based cloud environment.The simulation results show that the proposed method achieves higher security with less than a 1%system performance loss.

KubeFuzzer:Automating RESTful API Vulnerability Detection in Kubernetes

RESTful API fuzzing is a promising method for automated vulnerability detection in Kubernetes platforms.Existing tools struggle with generating lengthy,high-semantic request sequences that can pass Kubernetes API gateway checks.To address this,we propose KubeFuzzer,a black-box fuzzing tool designed for Kubernetes RESTful APIs.KubeFuzzer utilizes Natural Language Processing(NLP)to extract and integrate semantic information from API specifications and response messages,guiding the generation of more effective request sequences.Our evaluation of KubeFuzzer on various Kubernetes clusters shows that it improves code coverage by 7.86%to 36.34%,increases the successful response rate by 6.7%to 83.33%,and detects 16.7%to 133.3%more bugs compared to three leading techniques.KubeFuzzer identified over 1000 service crashes,which were narrowed down to 7 unique bugs.We tested these bugs on 10 real-world Kubernetes projects,including major providers like AWS(EKS),Microsoft Azure(AKS),and Alibaba Cloud(ACK),and confirmed that these issues could trigger service crashes.We have reported and confirmed these bugs with the Kubernetes community,and they have been addressed.

NCCMF:Non-Collaborative Continuous Monitoring Framework for Container-Based Cloud Runtime Status

The security performance of cloud services is a key factor influencing users’selection of Cloud Service Providers(CSPs).Continuous monitoring of the security status of cloud services is critical.However,existing research lacks a practical framework for such ongoing monitoring.To address this gap,this paper proposes the first NonCollaborative Container-Based Cloud Service Operation State Continuous Monitoring Framework(NCCMF),based on relevant standards.NCCMF operates without the CSP’s collaboration by:1)establishing a scalable supervisory index system through the identification of security responsibilities for each role,and 2)designing a Continuous Metrics Supervision Protocol(CMA)to automate the negotiation of supervisory metrics.The framework also outlines the supervision process for cloud services across different deployment models.Experimental results demonstrate that NCCMF effectively monitors the operational state of two real-world IoT(Internet of Things)cloud services,with an average supervision error of less than 15%.

PIMS:An Efficient Process Integrity Monitoring System Based on Blockchain and Trusted Computing in Cloud-Native Context

With the advantages of lightweight and high resource utilization,cloud-native technology with containers as the core is gradually becoming themainstreamtechnical architecture for information infrastructure.However,malware attacks such as Doki and Symbiote threaten the container runtime’s security.Malware initiates various types of runtime anomalies based on process form(e.g.,modifying the process of a container,and opening the external ports).Fortunately,dynamic monitoring mechanisms have proven to be a feasible solution for verifying the trusted state of containers at runtime.Nevertheless,the current routine dynamic monitoring mechanisms for baseline data protection are still based on strong security assumptions.As a result,the existing dynamicmonitoringmechanismis still not practical enough.To ensure the trustworthiness of the baseline value data and,simultaneously,to achieve the integrity verification of the monitored process,we combine blockchain and trusted computing to propose a process integrity monitoring system named IPMS.Firstly,the hardware TPM 2.0 module is applied to construct a trusted security foundation for the integrity of the process code segment due to its tamper-proof feature.Then,design a new format for storing measurement logs,easily distinguishing files with the same name in different containers from log information.Meanwhile,the baseline value data is stored on the blockchain to avoidmalicious damage.Finally,trusted computing technology is used to perform fine-grained integrity measurement and remote attestation of processes in a container,detect abnormal containers in time and control them.We have implemented a prototype system and performed extensive simulation experiments to test and analyze the functionality and performance of the PIMS.Experimental results show that PIMS can accurately and efficiently detect tampered processes with only 3.57% performance loss to the container.

Labeling Malicious Communication Samples Based on Semi-Supervised Deep Neural Network

The limited labeled sample data in the field of advanced security threats detection seriously restricts the effective development of research work.Learning the sample labels from the labeled and unlabeled data has received a lot of research attention and various universal labeling methods have been proposed.However,the labeling task of malicious communication samples targeted at advanced threats has to face the two practical challenges:the difficulty of extracting effective features in advance and the complexity of the actual sample types.To address these problems,we proposed a sample labeling method for malicious communication based on semi-supervised deep neural network.This method supports continuous learning and optimization feature representation while labeling sample,and can handle uncertain samples that are outside the concerned sample types.According to the experimental results,our proposed deep neural network can automatically learn effective feature representation,and the validity of features is close to or even higher than that of features which extracted based on expert knowledge.Furthermore,our proposed method can achieve the labeling accuracy of 97.64%~98.50%,which is more accurate than the train-then-detect,kNN and LPA methodsin any labeled-sample proportion condition.The problem of insufficient labeled samples in many network attack detecting scenarios,and our proposed work can function as a reference for the sample labeling tasks in the similar real-world scenarios.

Research and Practice of Dynamic Network Security Architecture for IaaS Platforms

Network security requirements based on virtual network technologies in laaS platforms and corresponding solutions were reviewed. A dynamic network security architecture was proposed, which was built on the technologies of software defined networking, Virtual Machine （VM） traffic redirection, network policy unified management, software defined isolation networks, vulnerability scanning, and software updates. The proposed architecture was able to obtain the capacity for detection and access control for VM traffic by redirecting it to configurable security appliances, and ensured the effectiveness of network policies in the total life cycle of the VM by configuring the policies to the right place at the appropriate time, according to the impacts of VM state transitions. The virtual isolation domains for tenants＇ VMs could be built flexibly based on VLAN policies or Netfilter/Iptables firewall appliances, and vulnerability scanning as a service and software update as a service were both provided as security supports. Through cooperation with IDS appliances and automatic alarm mechanisms, the proposed architecture could dynamically mitigate a wide range of network-based attacks. The experimental results demonstrate the effectiveness of the proposed architecture.

Cloud Virtual Machine Lifecycle Security Framework Based on Trusted Computing

As a foundation component of cloud computing platforms, Virtual Machines (VMs) are confronted with numerous security threats. However, existing solutions tend to focus on solving threats in a specific state of the VM. In this paper, we propose a novel VM lifecycle security protection framework based on trusted computing to solve the security threats to VMs throughout their entire lifecycle. Specifically, a concept of the VM lifecycle is presented divided up by the different active conditions of the VM. Then, a trusted computing based security protecti on framework is developed, which can exte nd the trusted relati on ship from trusted platform module to the VM and protect the security and reliability of the VM throughout its lifecycle. The theoretical analysis shows that our proposed framework can provide comprehensive safety to VM in all of its states. Furthermore, experiment results demonstrate that the proposed framework is feasible and achieves a higher level of security compared with some state-of-the-art schemes.

An Anomalous Behavior Detection Model in Cloud Computing

This paper proposes an anomalous behavior detection model based on cloud computing. Virtual Machines （VMs） are one of the key components of cloud Infrastructure as a Service （laaS）. The security of such VMs is critical to laaS security. Many studies have been done on cloud computing security issues, but research into VM security issues, especially regarding VM network traffic anomalous behavior detection, remains inadequate. More and more studies show that communication among internal nodes exhibits complex patterns. Communication among VMs in cloud computing is invisible. Researchers find such issues challenging, and few solutions have been proposed--leaving cloud computing vulnerable to network attacks. This paper proposes a model that uses Software-Defined Networks （SDN） to implement traffic redirection. Our model can capture inter-VM traffic, detect known and unknown anomalous network behaviors, adopt hybrid techniques to analyze VM network behaviors, and control network systems. The experimental results indicate that the effectiveness of our approach is greater than 90%, and prove the feasibility of the model.

Trusted Attestation Architecture on an Infrastructure-as-a-Service

Trusted attestation is the main obstruction preventing large-scale promotion of cloud computing. How to extend a trusted relationship from a single physical node to an Infrastructure-as-a-Service （laaS） platform is a problem that must be solved. The laaS platform provides the Virtual Machine （VM）, and the Trusted VM, equipped with a virtual Trusted Platform Module （vTPM）, is the foundation of the trusted laaS platform. We propose a multi-dimensional trusted attestation architecture that can collect and verify trusted attestation information from the computing nodes, and manage the information centrally on a cloud management platform. The architecture verifies the laaS＇s trusted attestation by apprising the VM, Hypervisor, and host Operating System＇s （OS） trusted status. The theory and the technology roadmap were introduced, and the key technologies were analyzed. The key technologies include dynamic measurement of the Hypervisor at the process level, the protection of vTPM instances, the reinforcement of Hypervisor security, and the verification of the laaS trusted attestation. A prototype was deployed to verify the feasibility of the system. The advantages of the prototype system were compared with the Open CIT （Intel Cloud attestation solution）. A performance analysis experiment was performed on computing nodes and the results show that the performance loss is within an acceptable range.

DGA-Based Botnet Detection Toward Imbalanced Multiclass Learning

Botnets based on the Domain Generation Algorithm(DGA) mechanism pose great challenges to the main current detection methods because of their strong concealment and robustness. However, the complexity of the DGA family and the imbalance of samples continue to impede research on DGA detection. In the existing work, the sample size of each DGA family is regarded as the most important determinant of the resampling proportion;thus,differences in the characteristics of various samples are ignored, and the optimal resampling effect is not achieved.In this paper, a Long Short-Term Memory-based Property and Quantity Dependent Optimization(LSTM.PQDO)method is proposed. This method takes advantage of LSTM to automatically mine the comprehensive features of DGA domain names. It iterates the resampling proportion with the optimal solution based on a comprehensive consideration of the original number and characteristics of the samples to heuristically search for a better solution around the initial solution in the right direction;thus, dynamic optimization of the resampling proportion is realized.The experimental results show that the LSTM.PQDO method can achieve better performance compared with existing models to overcome the difficulties of unbalanced datasets;moreover, it can function as a reference for sample resampling tasks in similar scenarios.

DTA-HOC:Online HTTPS Traffic Service Identification Using DNS in Large-Scale Networks

An increasing number of websites are making use of HTTPS encryption to enhance security and privacy for their users.However,HTTPS encryption makes it very difficult to identify the service over HTTPS flows,which poses challenges to network security management.In this paper we present DTA-HOC,a novel DNS-based two-level association HTTPS traffic online service identification method for large-scale networks,which correlates HTTPS flows with DNS flows using big data stream processing and association technologies to label the service in an HTTPS flow with a specific associated domain name.DTA-HOC has been specifically designed to address three practical challenges in the service identification process:domain name ambiguity,domain name query invisibility,and data association time window size contradictions.Several experiments on datasets collected from a 10-Gbps campus network are conducted alongside offline and online testing.Results show that DTA-HOC can achieve an average online association rate on HTTPS traffic of 83%and a generic accuracy of 86.16%.Its processing time for one minute of data is less than 20 seconds.These results indicate that DTA-HOC is an efficient method for online identification of services in HTTPS flows for large-scale networks.Moreover,our proposed method can contribute to the identification of other applications which make a Domain Name System(DNS)communication before establishing a connection.

Efficient Feature Extraction Using Apache Spark for Network Behavior Anomaly Detection

Extracting and analyzing network traffic feature is fundamental in the design and implementation of network behavior anomaly detection methods. The traditional network traffic feature method focuses on the statistical features of traffic volume. However, this approach is not sufficient to reflect the communication pattern features. A different approach is required to detect anomalous behaviors that do not exhibit traffic volume changes, such as low-intensity anomalous behaviors caused by Denial of Service/Distributed Denial of Service （DoS/DDoS） attacks, Internet worms and scanning, and BotNets. We propose an efficient traffic feature extraction architecture based on our proposed approach, which combines the benefit of traffic volume features and network communication pattern features. This method can detect low-intensity anomalous network behaviors and conventional traffic volume anomalies. We implemented our approach on Spark Streaming and validated our feature set using labelled real-world dataset collected from the Sichuan University campus network. Our results demonstrate that the traffic feature extraction approach is efficient in detecting both traffic variations and communication structure changes. Based on our evaluation of the MIT-DRAPA dataset, the same detection approach utilizes traffic volume features with detection precision of 82.3% and communication pattern features with detection precision of 89.9%. Our proposed feature set improves precision by 94%.

IDEA:A Utility-Enhanced Approach to Incomplete Data Stream Anonymization

The prevalence of missing values in the data streams collected in real environments makes them impossible to ignore in the privacy preservation of data streams.However,the development of most privacy preservation methods does not consider missing values.A few researches allow them to participate in data anonymization but introduce extra considerable information loss.To balance the utility and privacy preservation of incomplete data streams,we present a utility-enhanced approach for Incomplete Data strEam Anonymization(IDEA).In this approach,a slide-window-based processing framework is introduced to anonymize data streams continuously,in which each tuple can be output with clustering or anonymized clusters.We consider the dimensions of attribute and tuple as the similarity measurement,which enables the clustering between incomplete records and complete records and generates the cluster with minimal information loss.To avoid the missing value pollution,we propose a generalization method that is based on maybe match for generalizing incomplete data.The experiments conducted on real datasets show that the proposed approach can efficiently anonymize incomplete data streams while effectively preserving utility.