Android smartphones are proliferating extensively in the digital world due to their widespread applications in a myriad of fields. The increased popularity of the Android platform entices malware developers to design malicious apps to achieve their malevolent intents. Also, static analysis approaches fail to detect the run-time behaviors of malicious apps. To address these issues, an optimal unification of static and dynamic features for smartphone security analysis is proposed. The proposed solution exploits both static and dynamic features to generate a highly distinct unified feature vector using a graph-based cross-diffusion strategy. Further, the unified feature is subjected to a fuzzy-based classification model to distinguish benign and malicious applications. The suggested framework is extensively validated experimentally through both qualitative and quantitative analysis, and the results are compared with existing solutions. Performance evaluation over benchmarked datasets from Google Play Store, Drebin, AndroZoo, AMD, and CICMalDroid2020 revealed that the suggested solution outperforms state-of-the-art methods. We achieve an average detection accuracy of 98.62% and an F1 score of 0.9916.
Vehicular ad hoc network (VANET) is a self-organizing wireless sensor network model which is extensively used in existing traffic. Due to the openness of the wireless channel and the sensitivity of traffic information, the data transmission process in VANET is vulnerable to leakage and attack. Authenticating vehicle identity while protecting vehicle privacy information is an advantageous way to improve the security of VANET. We propose a scheme based on a fair blind signature and a secret sharing algorithm. In this paper, we prove that the scheme is feasible through security analysis.
Identity-Based Encryption (IBE) has seen limited adoption, largely due to the absolute trust that must be placed in the private key generator (PKG), an authority that computes the private keys for all the users in the environment. Several constructions have been proposed to reduce the trust required in the PKG (and thus preserve the privacy of users), but these have generally relied on unrealistic assumptions regarding non-collusion between various entities in the system. Unfortunately, these constructions have not significantly improved IBE adoption rates in real-world environments. In this paper, we present a construction that reduces trust in the PKG without unrealistic non-collusion assumptions. We achieve this by incorporating a novel combination of digital credential technology and bilinear maps, and by making use of multiple randomly chosen entities to complete certain tasks. The main result and primary contribution of this paper is a thorough security analysis of this proposed construction, examining the various entity types, attacker models, and collusion opportunities in this environment. We show that this construction can prevent, or at least mitigate, all considered attacks. We conclude that our construction appears to be effective in preserving user privacy, and we hope that this construction and its security analysis will encourage greater use of IBE in real-world environments.
Future components to enhance the basic, native security of 5G networks are either complex mechanisms whose impact on demanding 5G communications is not considered, or lightweight solutions adapted to ultra-reliable low-latency communications (URLLC) but whose security properties remain under discussion. Although different 5G network slices may have different requirements, in general both visions seem to fall short at provisioning secure URLLC in the future. In this work we address this challenge by introducing cost-security functions as a method to evaluate the performance and adequacy of the most developed and widely employed non-native enhanced security mechanisms in 5G networks. We categorize those new security components into different groups according to their purpose and deployment scope. We propose to analyze them in the context of existing 5G architectures using two different approaches. First, using model checking techniques, we evaluate the probability of an attacker being successful against each security solution. Second, using analytical models, we analyze the impact of these security mechanisms in terms of delay, throughput consumption, and reliability. Finally, we combine both approaches using stochastic cost-security functions and the PRISM model checker to create a global picture. Our results are first evidence of how a 5G network that covers and strengthens all security areas through enhanced, dedicated non-native mechanisms could only guarantee secure URLLC with a probability of ∼55%.
An enhanced optimal velocity model (EOVM) that considers driving safety is established to alleviate traffic congestion and ensure driving safety. Time headway is introduced as a criterion for determining whether the car is safe. When the time headway is less than the minimum time headway (TH_min) or more than the most comfortable time headway (TH_com), the acceleration constraints are discussed to ensure the model's safety and maintain the following state. A stability analysis of the model was carried out to determine the stability conditions of the model. The EOVM is compared with the optimal velocity model (OVM) and a fuzzy car-following model using a real dataset. Experiments show that the EOVM model has the smallest average, maximum and median error with respect to the real dataset. To confirm the model's safety, fleet simulation experiments were designed and conducted for three actual scenarios: the starting, stopping and uniform processes.
China's industrial manufacturing industry is well developed, but its agriculture is primitive. The only way to solve this problem is to improve it through modern agriculture. The cross-integration of new energy development and modern agriculture is becoming more and more critical. However, research on the interaction between meteorological disasters affecting facility agriculture and the power supply security of the integrated energy supply system has not formed a systematic theoretical system, which challenges the collaborative security of facility agriculture and the energy system. In this paper, energy meteorology and agrometeorology are considered and modeled, and the static security of a park-level agricultural energy network is simulated and analyzed under different weather conditions.
Quantum secure direct communication provides a direct means of conveying secret information via quantum states among legitimate users. The past two decades have witnessed its great strides both theoretically and experimentally. However, its security analysis is still in its infancy. Some practical problems in this field that urgently need to be solved, such as detector efficiency mismatch, side-channel effects and source imperfection, are propelling the birth of a more impeccable solution. In this paper, we establish a new framework of security analysis driven by numerics, in which all the practical problems may be taken into account naturally. We apply this framework to several variations of the DL04 protocol considering real-world experimental conditions. We also propose two optimizing methods to process the numerical part of the framework so as to meet different requirements in practice. With these properties considered, we predict that the robust framework will open up a broad avenue for development in the field.
To detect security vulnerabilities in a web application, the security analyst must choose the best-performing Security Analysis Static Tool (SAST) in terms of discovering the greatest number of security vulnerabilities possible. To compare static analysis tools for web applications, a benchmark adapted to the vulnerability categories included in the well-known Open Web Application Security Project (OWASP) Top Ten project is required. Information on the security effectiveness of a commercial static analysis tool is not usually publicly accessible research, and the state of the art on static security tool analyzers shows that the different designs and implementations of those tools yield different effectiveness rates in terms of security performance. Given the significant cost of commercial tools, this paper studies the performance of seven static tools using a new methodology proposal and a new benchmark designed for the vulnerability categories included in the OWASP Top Ten project. Thus, practitioners will have more precise information to select the best tool using a benchmark adapted to the latest versions of the OWASP Top Ten project. The results of this work have been obtained using widely accepted metrics to classify the tools according to three different degrees of web application criticality.
The development of the Internet of Things has facilitated the rapid development of various industries. With the improvement in people's living standards, people's health requirements are steadily rising. However, owing to the scarcity of medical and health care resources in some areas, the demand for remote surgery has gradually increased. In this paper, we investigate remote surgery in the healthcare environment. Surgeons can operate robotic arms to perform remote surgery for patients, which substantially facilitates successful surgeries and saves lives. Recently, Kamil et al. proposed a secure protocol for surgery in the healthcare environment. However, after cryptanalyzing their protocol, we deduced that it is vulnerable to temporary value disclosure and insider attacks. Therefore, we design an improved authentication and key agreement protocol for remote surgeries in the healthcare environment. Accordingly, we adopt the real-or-random (ROR) model and the automatic verification tool ProVerif to verify the security of our protocol. Via security analysis and performance comparison, it is confirmed that our protocol is a relatively secure protocol.
Security weaknesses in web applications deployed in cloud architectures can seriously affect their data confidentiality and integrity. The construction of the procedure used by static analysis tools for source code security differs between tools, and therefore each tool finds a different number of each weakness type for which it is designed. To exploit the possible synergies that different static analysis tools may offer, this work uses a new method to combine several source code static analysis tools, aiming to investigate how to increase the performance of security weakness detection while reducing the number of false positives. Specifically, five static analysis tools are combined with the designed method to study their behavior using an updated benchmark for OWASP Top Ten Security Weaknesses (OWASP TTSW). The method selects specific metrics to rank the tools for different criticality levels of web applications, considering different weights in the ratios. The findings show that simply including more tools in a combination is not synonymous with better results; it depends on the specific tools included in the combination due to their different designs and techniques.
The identification and resolution system of the industrial Internet is the "neural hub" of the industrial Internet for coordination. Catastrophic damage to the whole industrial Internet industry ecology may be caused if the identification and resolution system is attacked. Moreover, it may become a threat to national security. Therefore, security plays an important role in the identification and resolution system of the industrial Internet. In this paper, an innovative security risk analysis model is proposed for the first time, which can help control risks from the root at the initial stage of industrial Internet construction, provide guidance for related enterprises in the early design stage of the identification and resolution system of the industrial Internet, and promote the healthy and sustainable development of the industrial identification and resolution system.
This study presents a methodology to evaluate and prevent security vulnerability issues in web applications. The analysis process is based on the use of techniques and tools that allow white-box and black-box security assessments to be performed, in order to carry out the security validation of a web application in an agile and precise way. The objective of the methodology is to take advantage of the synergies of semi-automatic static and dynamic security analysis tools and manual checks. Each of the phases contemplated in the methodology is supported by security analysis tools of different degrees of coverage, so that the results generated in one phase are used as input for the following phases in order to obtain an optimized global security analysis result. The methodology can be used as part of other, more general methodologies that do not cover how to use static and dynamic analysis tools in the implementation and testing phases of a Secure Software Development Life Cycle (SSDLC). A practical application of the methodology to analyze the security of a real web application demonstrates its effectiveness by obtaining a better optimized vulnerability detection result against the true and false positive metrics. Dynamic analysis with manual checking is used to audit the results: 24.6 per cent of the security vulnerabilities reported by the static analysis have been checked, and this allows studying which vulnerabilities can be directly exploited externally. This phase is very important because it permits each reported vulnerability to be checked by a second, dynamic tool to confirm whether it is a true or false positive. Dynamic analysis finds six (6) additional critical vulnerabilities. Access control analysis finds five (5) other important vulnerabilities, such as Insufficient Protected Passwords or Weak Password Policy and Excessive Authentication Attacks, two vulnerabilities that permit brute force attacks.
The Network Security Situation Awareness System YHSAS acquires, understands and displays the security factors which cause changes in the network situation, and predicts the future development trend of these security factors. YHSAS is developed for national backbone networks, large network operators, large enterprises and other large-scale networks. This paper describes its architecture and key technologies: Network Security Oriented Total Factor Information Collection and High-Dimensional Vector Space Analysis; Knowledge Representation and Management of Super Large-Scale Network Security; a Multi-Level, Multi-Granularity and Multi-Dimensional Network Security Index Construction Method; Multi-Mode and Multi-Granularity Network Security Situation Prediction Technology; and so on. Performance tests show that YHSAS has high real-time performance and accuracy in security situation analysis and trend prediction. The system meets the demands of analysis and prediction for large-scale network security situations.
The aim of quantum secret sharing, one of the most promising components of quantum cryptography, is one-to-multiparty secret communication based on the principles of quantum mechanics. In this paper, an efficient multiparty quantum secret sharing protocol in a high-dimensional quantum system using a single qudit is proposed. Each participant's shadow is encoded on a single qudit via a measuring-basis encryption method, which avoids the waste of qudits caused by basis reconciliation. Security analysis indicates that the proposed protocol is immune to general attacks, such as the measure-resend attack, the entangle-and-measure attack and the Trojan horse attack. Compared to former protocols, the proposed protocol only needs to perform the single-qudit measurement operation, and can share predetermined dits instead of random bits or dits.
The stability problem of power grids has become increasingly serious in recent years as the size of novel power systems increases. In order to improve and ensure the stable operation of the novel power system, this study proposes an artificial emotional lazy Q-learning method, which combines artificial emotion, lazy learning, and reinforcement learning for static security and stability analysis of power systems. Moreover, this study compares the analysis results of the proposed method with those of the small disturbance method for a stand-alone power system and verifies that the proposed lazy Q-learning method is able to effectively screen useful data for learning, and improves the static security stability of the new type of power system more effectively than traditional proportional-integral-differential control and Q-learning methods.
In order to solve the various privacy and security problems in RFID systems, a new low-cost RFID mutual authentication protocol based on an ID-updating mechanism is proposed. In the proposed scheme, the backend server keeps both the current ID and the potential next ID for each tag, thus solving the possible de-synchronization attack problem found in most ID-updating-based schemes. In the security analysis section, comparing several protocols in terms of required properties and attack resistance, the comparison results show that the proposed protocol provides strong authentication and strong integrity of the transmissions and can withstand most of the possible attacks that break the security of the previous schemes. In the performance evaluation section, the analysis results also indicate that, in terms of computational cost and storage requirements, the proposed scheme is safer, more efficient, more suitable for low-cost tags and more feasible in practice.
Private comparison is the basis of many encryption technologies, and several related Quantum Private Comparison (QPC) protocols have been published in recent years. In these existing protocols, secret information is encoded using conjugate coding or orthogonal states, and all users are quantum participants. In this paper, a novel semi-quantum private comparison scheme is proposed, which employs Bell entangled states as quantum resources. Two semi-quantum participants compare the equivalence of their private information with the help of a semi-honest third party (TP). Compared with previous classical protocols, these two semi-quantum users can only perform some particular actions, such as measuring, preparing and reflecting qubits only in the classical basis {|0⟩, |1⟩}, and TP needs to perform a Bell basis measurement on the reflected qubits to obtain the results of the comparison. Further, analysis results show that this scheme can resist outside and participant attacks, and its qubit efficiency is better than that of the other two protocols mentioned in the paper.
Machine Learning (ML) systems often involve a re-training process to make better predictions and classifications. This re-training process creates a loophole and poses a security threat for ML systems. Adversaries leverage this loophole and design data poisoning attacks against ML systems. Data poisoning attacks are a type of attack in which an adversary manipulates the training dataset to degrade the ML system's performance. Data poisoning attacks are challenging to detect, and even more difficult to respond to, particularly in the Internet of Things (IoT) environment. To address this problem, we propose DISTINIT, the first proactive data poisoning attack detection framework using distance measures. We found that Jaccard Distance (JD) can be used in DISTINIT (among other distance measures), and we further improved the JD to attain an Optimized JD (OJD) with lower time and space complexity. Our security analysis shows that DISTINIT is secure against data poisoning attacks by considering key features of adversarial attacks. We conclude that the proposed OJD-based DISTINIT is effective and efficient against data poisoning attacks where in-time detection is critical for IoT applications with large volumes of streaming data.
1 Introduction. The United States, Japan, Canada, the European Union, and other developed countries and regions have all formulated climate strategies and pledged to achieve net-zero CO₂ emissions by 2050. China, meanwhile, announced through the "carbon-peaking and carbon neutrality targets" in September 2020 that it aims to achieve "peak carbon use" by 2030 and "carbon neutrality" by 2060 [1]. Based on statistical data from the International Energy Agency (IEA), Fig. 1 illustrates the carbon intensity of electricity generation in various regions in the Announced Pledge Scenario (APS) from 2010 to 2040 [2]. One can easily observe that each region aims to accomplish a sharp decrease in the carbon intensity of electricity generation after 2020.
Software reverse engineering is the process of analyzing a software system to extract its design and implementation details. Reverse engineering provides the source code of an application, an insight view of the architecture and the third-party dependencies. From a security perspective, it is mostly used for finding vulnerabilities and attacking or cracking an application. The process is carried out either by obtaining the code in plaintext or by reading it through the binaries or mnemonics. Nowadays, reverse engineering is widely used for mobile applications and is considered a security risk. The Open Web Application Security Project (OWASP), a leading security research forum, has included reverse engineering in its top 10 list of mobile application vulnerabilities. Mobile applications are used in many sectors, e.g., banking, education and health. In particular, banking applications are critical in terms of security as they are used for financial transactions. A security breach of such applications can result in huge financial losses for the customers as well as the banks. There exist various tools for reverse engineering of mobile applications; however, they have deficiencies, e.g., complex configurations and a lack of detailed analysis reports. In this research work, we perform an analysis of the available tools for reverse engineering of mobile applications. Our dataset consists of the mobile banking applications of the banks providing services in Pakistan. Our results indicate that none of the existing tools can carry out the complete reverse engineering process as a standalone tool. In addition, we observe significant differences in terms of the execution time and the number of files generated by each tool for the same file.
Funding: supported by the Key Project of Hunan Provincial Education Department (20A191), Hunan Teaching Research and Reform Project (2019-134), Cooperative Education Fund of the China Ministry of Education (201702113002, 201801193119), Hunan Natural Science Foundation (2018JJ2138), and Hunan Teaching Research and Reform Project (2019).
Funding: the publication is produced within the framework of Ramon Alcarria and Borja Bordel's research projects on the occasion of their stay at Argonne Labs (Jose Castillejo's 2021 grant), supported by the Ministry of Science, Innovation and Universities through the COGNOS project.
Funding: Supported by the National Natural Science Foundation international cooperation and exchange projects (Grant No. 62120106011), the Natural Science Basic Research Program of Shaanxi (Grant No. 2021JM-347), the Shaanxi Provincial Department of Education special project (Grant No. 21JC026), and the general project of the Shaanxi Provincial Key Research and Development Program (Grant No. 2019GY-032).
Abstract: An enhanced optimal velocity model (EOVM) that considers driving safety is established to alleviate traffic congestion and ensure driving safety. Time headway is introduced as the criterion for determining whether the car is in a safe state. When the time headway is less than the minimum time headway (TH_min) or greater than the most comfortable time headway (TH_com), acceleration constraints are discussed to ensure the model's safety and maintain the following state. A stability analysis of the model was carried out to determine its stability conditions. The EOVM is compared with the optimal velocity model (OVM) and a fuzzy car-following model on a real dataset. Experiments show that the EOVM has the smallest average, maximum and median error against the real dataset. To confirm the model's safety, fleet simulation experiments were designed and conducted for three actual scenarios: starting, stopping and a uniform process.
Funding: This study is supported by the Chinese Universities Scientific Fund (2020RC029).
Abstract: China's industrial manufacturing industry is well developed, but its agriculture remains primitive. The only way to solve this problem is modernization of agriculture. The cross-integration of new energy development and modern agriculture is becoming increasingly critical. However, research on the interaction between meteorological disasters affecting facility agriculture and the power supply security of the integrated energy supply system has not yet formed a systematic theory, which challenges the collaborative security of facility agriculture and the energy system. In this paper, energy meteorology and agrometeorology are considered and modeled, and the static security of a park-level agricultural energy network is simulated and analyzed under different weather conditions.
Funding: This work was supported by the National Key Research and Development Program of China under Grant No. 2017YFA0303700, the Key Research and Development Program of Guangdong Province under Grant No. 2018B030325002, the National Natural Science Foundation of China under Grant No. 11974205, and the Beijing Advanced Innovation Center for Future Chip (ICFC).
Abstract: Quantum secure direct communication provides a direct means of conveying secret information via quantum states among legitimate users. The past two decades have witnessed great strides both theoretically and experimentally. However, its security analysis is still in its infancy. Several practical problems in this field that urgently need to be solved, such as detector efficiency mismatch, side-channel effects and source imperfections, call for a more rigorous solution. In this paper, we establish a new framework for security analysis driven by numerics, in which all of these practical problems can be taken into account naturally. We apply this framework to several variations of the DL04 protocol under real-world experimental conditions. We also propose two optimization methods for the numerical part of the framework so as to meet different requirements in practice. With these properties, we expect the robust framework to open up a broad avenue for development in the field.
Abstract: To detect security vulnerabilities in a web application, the security analyst must choose the best-performing Static Application Security Testing (SAST) tool in terms of discovering as many security vulnerabilities as possible. To compare static analysis tools for web applications, a benchmark adapted to the vulnerability categories included in the well-known Open Web Application Security Project (OWASP) Top Ten project is required. Information on the security effectiveness of commercial static analysis tools is not usually publicly accessible, and the state of the art on static security analyzers shows that the different designs and implementations of those tools yield different effectiveness rates in terms of security performance. Given the significant cost of commercial tools, this paper studies the performance of seven static tools using a new methodology proposal and a new benchmark designed for the vulnerability categories included in the OWASP Top Ten project. Thus, practitioners will have more precise information to select the best tool using a benchmark adapted to the latest versions of the OWASP Top Ten project. The results of this work have been obtained using widely accepted metrics and are classified according to three different degrees of web application criticality.
Abstract: The development of the Internet of Things has facilitated the rapid development of various industries. With the improvement in people's living standards, people's health requirements are steadily rising. However, owing to the scarcity of medical and health care resources in some areas, the demand for remote surgery has gradually increased. In this paper, we investigate remote surgery in the healthcare environment. Surgeons can operate robotic arms to perform remote surgery on patients, which substantially facilitates successful surgeries and saves lives. Recently, Kamil et al. proposed a secure protocol for surgery in the healthcare environment. However, after cryptanalyzing their protocol, we found that it is vulnerable to temporary value (ephemeral secret) disclosure and insider attacks. Therefore, we design an improved authentication and key agreement protocol for remote surgery in the healthcare environment. We adopt the real-or-random (ROR) model and the automated verification tool ProVerif to verify the security of our protocol. Security analysis and performance comparison confirm that our protocol is comparatively secure.
Abstract: Security weaknesses in web applications deployed in cloud architectures can seriously affect their data confidentiality and integrity. Static source code security analysis tools are constructed differently, and therefore each tool finds a different number of each weakness type it is designed for. To exploit the possible synergies between different static analysis tools, this work uses a new method to combine several source code analysis tools, aiming to investigate how to increase the performance of security weakness detection while reducing the number of false positives. Specifically, five static analysis tools are combined with the designed method and their behavior is studied using an updated benchmark for the OWASP Top Ten Security Weaknesses (OWASP TTSW). The method selects specific metrics to rank the tools for different criticality levels of web applications, considering different weights in the ratios. The findings show that simply including more tools in a combination is not synonymous with better results; it depends on the specific tools included in the combination, owing to their different designs and techniques.
Funding: Supported by the 2018 Industrial Internet Innovation and Development Project, Industrial Internet Identification Resolution System National Top-Level Node Construction Project (Phase I).
Abstract: The identification and resolution system of the industrial Internet is the "neural hub" that coordinates the industrial Internet. Catastrophic damage to the whole industrial Internet ecosystem may be caused if the identification and resolution system is attacked. Moreover, it may become a threat to national security. Therefore, security plays an important role in the identification and resolution system of the industrial Internet. In this paper, an innovative security risk analysis model is proposed for the first time, which can help control risks at the root in the initial stage of industrial Internet construction, provide guidance for related enterprises in the early design stage of the identification and resolution system, and promote the healthy and sustainable development of the industrial identification and resolution system.
Abstract: This study presents a methodology to evaluate and prevent security vulnerability issues in web applications. The analysis process is based on the use of techniques and tools that allow white-box and black-box security assessments to be performed, so that the security validation of a web application can be carried out in an agile and precise way. The objective of the methodology is to take advantage of the synergies between semi-automatic static and dynamic security analysis tools and manual checks. Each phase contemplated in the methodology is supported by security analysis tools with different degrees of coverage, so that the results generated in one phase feed the following phases in order to obtain an optimized global security analysis result. The methodology can be used as part of other, more general methodologies that do not cover how to use static and dynamic analysis tools in the implementation and testing phases of a Secure Software Development Life Cycle (SSDLC). A practical application of the methodology to analyze the security of a real web application demonstrates its effectiveness by obtaining a better optimized vulnerability detection result against the true and false positive metrics. Dynamic analysis with manual checking is used to audit the results: 24.6 per cent of the security vulnerabilities reported by the static analysis have been checked. This phase is very important because it permits each reported vulnerability to be checked by a second, dynamic tool to confirm whether it is a true or false positive, and it allows studying which vulnerabilities can be directly exploited externally. Dynamic analysis finds six (6) additional critical vulnerabilities. Access control analysis finds another five (5) important vulnerabilities, such as Insufficiently Protected Passwords or Weak Password Policy and Excessive Authentication Attempts, two vulnerabilities that permit brute force attacks.
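The three abstracts above on benchmarking, combining and auditing static analysis tools all rest on the same bookkeeping: score each tool's findings against a benchmark whose cases are labelled as real or deliberately safe, merge the findings of several tools, and weight precision against recall according to how critical the application is. The following Python block is an added illustration of that bookkeeping and is not code from any of the papers. The benchmark cases, the three tools and their reports, the weighting table and the "majority vote" merge rule are all constructed for the example.

```python
"""Scoring and combining SAST tools against a labelled benchmark.

Added illustration, not code from any of the papers above. All data below is
constructed: a tiny benchmark of test cases labelled true/false vulnerability,
and the set of cases three hypothetical tools reported.
"""
from itertools import combinations

# Constructed benchmark: case id -> (category, is_real_vulnerability).
# False entries are deliberately safe code that a tool should NOT flag.
BENCHMARK = {
    "sqli-01": ("injection", True),
    "sqli-02": ("injection", True),
    "sqli-03": ("injection", False),
    "xss-01": ("xss", True),
    "xss-02": ("xss", False),
    "xss-03": ("xss", True),
    "path-01": ("path-traversal", True),
    "path-02": ("path-traversal", False),
}

# Constructed tool reports: the benchmark cases each hypothetical tool flagged.
REPORTS = {
    "toolA": {"sqli-01", "sqli-02", "xss-01", "xss-02"},
    "toolB": {"sqli-01", "sqli-03", "xss-03", "path-01", "path-02"},
    "toolC": {"sqli-02", "xss-01", "xss-03", "path-01"},
}

# Assumed weights (recall, precision) per criticality level: a high-criticality
# application tolerates false positives better than missed vulnerabilities.
WEIGHTS = {"high": (0.8, 0.2), "medium": (0.5, 0.5), "low": (0.3, 0.7)}


def score(flagged, benchmark=BENCHMARK):
    """Confusion counts and derived metrics for one set of flagged cases."""
    real = {c for c, (_, is_vuln) in benchmark.items() if is_vuln}
    tp = len(flagged & real)
    fp = len(flagged - real)
    fn = len(real - flagged)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"tp": tp, "fp": fp, "fn": fn,
            "precision": precision, "recall": recall, "f1": f1}


def combine(tools, mode, reports=REPORTS):
    """Merge tool reports: 'union' keeps any finding, 'vote' keeps findings
    reported by a strict majority of the tools (the intersection for two)."""
    sets = [reports[t] for t in tools]
    if mode == "union":
        return set().union(*sets)
    if mode == "vote":
        needed = len(sets) // 2 + 1
        return {c for c in set().union(*sets) if sum(c in s for s in sets) >= needed}
    raise ValueError(mode)


def rank(criticality, reports=REPORTS):
    """Rank every single tool and every combination for one criticality level."""
    w_rec, w_prec = WEIGHTS[criticality]
    ranked = []
    names = sorted(reports)
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            modes = ("union",) if size == 1 else ("union", "vote")
            for mode in modes:
                m = score(combine(combo, mode, reports))
                weighted = w_rec * m["recall"] + w_prec * m["precision"]
                ranked.append((f"{mode}({'+'.join(combo)})", round(weighted, 3),
                               m["tp"], m["fp"]))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


if __name__ == "__main__":
    for level in WEIGHTS:
        print(f"== {level} criticality ==")
        for name, w, tp, fp in rank(level)[:4]:
            print(f"{name:28s} weighted={w:.3f} tp={tp} fp={fp}")
```

With this data, the union of all three tools reaches full recall but inherits every false positive (three), exactly the same result as the union of toolA and toolB alone, while the union of toolA and toolC reaches full recall with a single false positive: adding toolB only adds noise, which is the "more tools is not better" observation of the second abstract. A majority vote across the three tools removes all false positives here, but in a real benchmark it also drops findings only one tool detects, so the ranking must be recomputed per criticality level rather than read off one metric.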
Funding: This work is funded by the National Natural Science Foundation of China under Grant U1636215 and the National Key Research and Development Plan under Grant Nos. 2018YFB0803504 and 2016YFB0800303.
Abstract: The Network Security Situation Awareness System YHSAS acquires, understands and displays the security factors that cause changes in the network situation, and predicts the future development trend of these factors. YHSAS is developed for national backbone networks, large network operators, large enterprises and other large-scale networks. This paper describes its architecture and key technologies: network-security-oriented total-factor information collection and high-dimensional vector space analysis; knowledge representation and management for super-large-scale network security; a multi-level, multi-granularity and multi-dimensional network security index construction method; multi-mode and multi-granularity network security situation prediction technology; and so on. Performance tests show that YHSAS achieves high real-time performance and accuracy in security situation analysis and trend prediction. The system meets the demands of analysis and prediction for large-scale network security situations.
Funding: Project supported by the Doctoral Funding of Nanchang Hangkong University (Grant No. EA202204231), the National Natural Science Foundation of China (Grant Nos. 61866027 and 6217070290), the Key Research Project of Jiangxi Province (Grant No. 20212BBE53017), and the Shanghai Science and Technology Project (Grant Nos. 21JC1402800 and 20040501500).
Abstract: The aim of quantum secret sharing, one of the most promising components of quantum cryptography, is one-to-multiparty secret communication based on the principles of quantum mechanics. In this paper, an efficient multiparty quantum secret sharing protocol in a high-dimensional quantum system using a single qudit is proposed. Each participant's shadow is encoded on a single qudit via a measuring-basis encryption method, which avoids the waste of qudits caused by basis reconciliation. Security analysis indicates that the proposed protocol is immune to common attacks such as the measure-resend attack, the entangle-and-measure attack and the Trojan horse attack. Compared to former protocols, the proposed protocol only needs to perform single-qudit measurement operations, and can share predetermined dits instead of random bits or dits.
Funding: The Technology Project of China Southern Power Grid Digital Grid Research Institute Corporation, Ltd. (670000KK52220003) and the National Key R&D Program of China (2020YFB0906000).
Abstract: The stability problem of power grids has become increasingly serious in recent years as the size of novel power systems increases. In order to improve and ensure the stable operation of the novel power system, this study proposes an artificial emotional lazy Q-learning method, which combines artificial emotion, lazy learning and reinforcement learning for the static security and stability analysis of power systems. Moreover, this study compares the analysis results of the proposed method with those of the small-disturbance method for a stand-alone power system, and verifies that the proposed lazy Q-learning method is able to effectively screen useful data for learning and improve the static security and stability of the new type of power system more effectively than traditional proportional-integral-derivative (PID) control and Q-learning methods.
Funding: Supported by the National Natural Science Foundation of China under Grant No. 61100205 and the Foundation of China Information Technology Security Evaluation Center under Grant No. CNITSEC-KY-0910-019/5.
Abstract: In order to solve the various privacy and security problems in RFID systems, a new low-cost RFID mutual authentication protocol based on an ID updating mechanism is proposed. In the proposed scheme, the backend server keeps both the current ID and the potential next ID for each tag, thereby solving the de-synchronization attack problem present in most ID-updating-based schemes. In the security analysis section, several protocols are compared in terms of required properties and attacker resistance; the comparison shows that the proposed protocol provides strong authentication and strong integrity of transmissions and can withstand most of the attacks that break the security of the previous schemes. In the performance evaluation section, the analysis also indicates that, in terms of computational cost and storage requirements, the proposed scheme is safer, more efficient, more suitable for low-cost tags and more feasible in practice.
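The de-synchronization problem the abstract refers to is easy to see in a simulation: in an ID-updating scheme the server and the tag both derive a fresh identifier during a session, and an attacker who drops the server's final message leaves the tag at the old identifier while a naive server has already committed to the new one. The Python block below is an added illustration of the stated remedy (the server keeping both the current and the potential next ID per tag) and is not the paper's protocol. The message layout, the use of HMAC-SHA256 and SHA-256 for the ID update, the nonce sizes and the linear database search are all assumptions made for the simulation.

```python
"""Desynchronization-resistant ID updating for an RFID tag (added illustration).

Generic simulation of the idea in the abstract above, not the paper's own
protocol: the backend keeps both the current ID and the potential next ID of
each tag, so a blocked final message cannot leave tag and server with
different IDs. Message formats, HMAC-SHA256 and nonce sizes are assumptions.
"""
import hashlib
import hmac
import secrets


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()


def MAC(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class Tag:
    """Low-cost tag: stores only its current ID and a shared key."""

    def __init__(self, tag_id: bytes, key: bytes):
        self.id, self.key, self.r_t = tag_id, key, b""

    def respond(self, r_s: bytes):
        # Message 2: prove knowledge of (ID, key) bound to both nonces.
        self.r_t = secrets.token_bytes(16)
        return MAC(self.key, self.id, r_s, self.r_t), self.r_t

    def finish(self, r_s: bytes, m2: bytes) -> bool:
        # Message 3 from the server authorises the move to the next ID.
        new_id = H(self.id, r_s, self.r_t)
        if hmac.compare_digest(m2, MAC(self.key, new_id, self.r_t)):
            self.id = new_id
            return True
        return False


class Server:
    """Backend. keep_next=False is the naive scheme that assumes message 3
    always arrives; keep_next=True keeps (current, next) per tag."""

    def __init__(self, keep_next: bool):
        self.keep_next = keep_next
        self.db = {}  # name -> [id_cur, id_next, key]

    def enroll(self, name: str, tag_id: bytes, key: bytes):
        self.db[name] = [tag_id, tag_id, key]

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, r_s: bytes, m1: bytes, r_t: bytes):
        # Linear search over tags and over both stored IDs, as in low-cost
        # schemes where the tag never sends a stable identifier in clear.
        for name, rec in self.db.items():
            key = rec[2]
            for candidate in (rec[0], rec[1]):
                if hmac.compare_digest(m1, MAC(key, candidate, r_s, r_t)):
                    new_id = H(candidate, r_s, r_t)
                    if self.keep_next:
                        rec[0], rec[1] = candidate, new_id  # tag is at candidate, may move to new_id
                    else:
                        rec[0] = rec[1] = new_id  # naive: commit before the tag confirms
                    return name, MAC(key, new_id, r_t)
        return None, None


def run_session(server: Server, tag: Tag, name: str, block_m2: bool = False) -> str:
    """One round; block_m2=True models an attacker dropping the server's last
    message after the server has already updated its record."""
    r_s = server.challenge()
    m1, r_t = tag.respond(r_s)
    who, m2 = server.verify(r_s, m1, r_t)
    if who != name:
        return "server_reject"
    if block_m2:
        return "m2_blocked"
    return "ok" if tag.finish(r_s, m2) else "tag_reject"


def desync_demo(keep_next: bool):
    """Blocked message 3 in round 1, then two undisturbed rounds."""
    key, tag_id = secrets.token_bytes(16), secrets.token_bytes(8)
    server, tag = Server(keep_next), Tag(tag_id, key)
    server.enroll("tag-1", tag_id, key)
    return [run_session(server, tag, "tag-1", block_m2=True),
            run_session(server, tag, "tag-1"),
            run_session(server, tag, "tag-1")]


if __name__ == "__main__":
    print("naive  :", desync_demo(keep_next=False))
    print("robust :", desync_demo(keep_next=True))
```

After the blocked round the naive server rejects the tag forever, whereas the two-ID server still matches the old identifier, re-derives a next one and recovers. The caveat a practitioner should keep in mind is the privacy cost of the remedy: while the attacker keeps suppressing message 3, the tag stays at the same identifier across sessions and is linkable to an eavesdropper who can verify guesses against earlier transcripts, so the scheme trades strict unlinkability for availability in that window.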
Funding: The National Natural Science Foundation of China (Grant Nos. 61402058, 61572086), the Major Project of the Education Department of Sichuan (Grant No. 18ZA0109), and the Web Culture Project sponsored by the Humanities and Social Science Research Base of the Sichuan Provincial Education Department (Grant No. WLWH18-22).
Abstract: Private comparison is the basis of many encryption technologies, and several related Quantum Private Comparison (QPC) protocols have been published in recent years. In these existing protocols, secret information is encoded using conjugate coding or orthogonal states, and all users are quantum participants. In this paper, a novel semi-quantum private comparison scheme is proposed, which employs Bell entangled states as quantum resources. Two semi-quantum participants compare the equality of their private information with the help of a semi-honest third party (TP). Compared with previous protocols, these two semi-quantum users can only perform particular actions, such as measuring, preparing and reflecting qubits only in the classical basis {|0⟩, |1⟩}, and the TP needs to perform Bell-basis measurements on the reflected qubits to obtain the comparison result. Further, the analysis shows that this scheme can resist outside and participant attacks, and its qubit efficiency is better than that of the other two protocols mentioned in the paper.
Funding: This work was supported by a National Research Foundation of Korea (NRF) grant funded by the Korea Government (MSIT) under Grant 2020R1A2B5B01002145.
Abstract: Machine Learning (ML) systems often involve a re-training process to make better predictions and classifications. This re-training process creates a loophole and poses a security threat to ML systems. Adversaries leverage this loophole to design data poisoning attacks against ML systems. Data poisoning attacks are a type of attack in which an adversary manipulates the training dataset to degrade the ML system's performance. Data poisoning attacks are challenging to detect, and even more difficult to respond to, particularly in the Internet of Things (IoT) environment. To address this problem, we propose DISTINIT, the first proactive data poisoning attack detection framework using distance measures. We found that Jaccard Distance (JD) can be used in DISTINIT (among other distance measures), and we improved JD to obtain an Optimized JD (OJD) with lower time and space complexity. Our security analysis shows that DISTINIT is secure against data poisoning attacks when the key features of adversarial attacks are considered. We conclude that the proposed OJD-based DISTINIT is effective and efficient against data poisoning attacks where in-time detection is critical for IoT applications with large volumes of streaming data.
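The abstract does not describe the Optimized JD, but the underlying idea of screening re-training data with a Jaccard distance before it reaches the model can be shown with the plain distance. The Python block below is an added illustration of that idea, not DISTINIT or the paper's code. Each record is reduced to a profile tuple of (device, reading bucket, label); the distance between a trusted reference set of profiles and each incoming batch is compared with a threshold before the batch is accepted, and only accepted batches extend the reference. The sensor batches, the field names, the threshold of 0.5 and the "accepted batches extend the reference" rule are all constructed assumptions.

```python
"""Jaccard-distance screening of training batches (added illustration).

Not DISTINIT or the paper's Optimized JD: this applies the plain Jaccard
Distance the abstract refers to, on constructed IoT-style batches, to decide
whether a batch may enter re-training.
"""

# Constructed reference batch: clean data the current model was trained on.
BASELINE = [
    {"device": "d1", "temp": "low", "label": "normal"},
    {"device": "d2", "temp": "mid", "label": "normal"},
    {"device": "d3", "temp": "high", "label": "alert"},
    {"device": "d1", "temp": "mid", "label": "normal"},
    {"device": "d2", "temp": "high", "label": "alert"},
]

# Constructed stream: batch 0 is clean, batch 1 carries label-flipped and
# out-of-population records an attacker injected, batch 2 is clean again.
STREAM = [
    [
        {"device": "d1", "temp": "low", "label": "normal"},
        {"device": "d2", "temp": "mid", "label": "normal"},
        {"device": "d3", "temp": "high", "label": "alert"},
        {"device": "d2", "temp": "high", "label": "alert"},
    ],
    [
        {"device": "d1", "temp": "low", "label": "normal"},
        {"device": "d2", "temp": "mid", "label": "normal"},
        {"device": "d3", "temp": "high", "label": "normal"},  # flipped label
        {"device": "d2", "temp": "high", "label": "normal"},  # flipped label
        {"device": "d1", "temp": "high", "label": "normal"},  # flipped label
        {"device": "d9", "temp": "high", "label": "normal"},  # unknown device
    ],
    [
        {"device": "d1", "temp": "low", "label": "normal"},
        {"device": "d2", "temp": "mid", "label": "normal"},
        {"device": "d3", "temp": "high", "label": "alert"},
        {"device": "d1", "temp": "mid", "label": "normal"},
    ],
]

FIELDS = ("device", "temp", "label")  # assumed record layout


def profile(batch):
    """Set of distinct (device, temp, label) combinations in a batch."""
    return {tuple(rec[f] for f in FIELDS) for rec in batch}


def jaccard_distance(a, b):
    """1 - |a ∩ b| / |a ∪ b|, defined as 0 for two empty sets."""
    union = a | b
    return (1.0 - len(a & b) / len(union)) if union else 0.0


def screen_stream(baseline, stream, threshold=0.5):
    """Return (index, distance, flagged) per batch. Only accepted batches
    extend the reference, so a poisoned batch cannot drag the baseline
    toward itself and mask the next poisoned batch."""
    reference = profile(baseline)
    results = []
    for i, batch in enumerate(stream):
        p = profile(batch)
        d = jaccard_distance(reference, p)
        flagged = d > threshold
        results.append((i, round(d, 3), flagged))
        if not flagged:
            reference |= p
    return results


if __name__ == "__main__":
    for i, d, flagged in screen_stream(BASELINE, STREAM):
        print(f"batch {i}: JD={d:.3f} {'REJECT' if flagged else 'accept'}")
```

The clean batches sit at a distance of 0.2 from the reference and are accepted; the poisoned batch, whose flipped labels and unknown device share only two profiles with the reference, lands at about 0.78 and is rejected before re-training. Two limits matter in practice: on small batches the set-based distance is noisy, so the threshold has to be calibrated on a history of clean batches rather than picked by hand, and an attacker who poisons slowly, a few new profiles per batch, stays under any fixed threshold, which is why the distance should also be tracked over time rather than checked batch by batch alone.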
Abstract: 1 Introduction The United States, Japan, Canada, the European Union, and other developed countries and regions have all formulated climate strategies and pledged to achieve net-zero CO2 emissions by 2050. China, meanwhile, announced through the "carbon peaking and carbon neutrality targets" in September 2020 that it aims to achieve peak carbon by 2030 and carbon neutrality by 2060 [1]. According to statistical data from the International Energy Agency (IEA), Fig. 1 illustrates the carbon intensity of electricity generation in various regions in the Announced Pledges Scenario (APS) from 2010 to 2040 [2]. One can easily observe that each region aims to accomplish a sharp decrease in the carbon intensity of electricity generation after 2020.
Funding: The authors acknowledge the support of the Security Testing-Innovative Secured Systems Lab (ISSL) established at the University of Engineering & Technology, Peshawar, Pakistan under the Higher Education Commission initiative of the National Center for Cyber Security (Grant No. 2(1078)/HEC/M&E/2018/707).
Abstract: Software reverse engineering is the process of analyzing a software system to extract its design and implementation details. Reverse engineering yields the application's code, an inside view of its architecture and its third-party dependencies. From a security perspective, it is mostly used for finding vulnerabilities and attacking or cracking an application. The process is carried out either by obtaining the code in plaintext or by reading it from the binaries or mnemonics. Nowadays, reverse engineering is widely applied to mobile applications and is considered a security risk. The Open Web Application Security Project (OWASP), a leading security research forum, has included reverse engineering in its top 10 list of mobile application vulnerabilities. Mobile applications are used in many sectors, e.g., banking, education and health. In particular, banking applications are critical in terms of security as they are used for financial transactions. A security breach of such applications can result in huge financial losses for the customers as well as the banks. Various tools exist for reverse engineering mobile applications; however, they have deficiencies, e.g., complex configurations and a lack of detailed analysis reports. In this research work, we perform an analysis of the available tools for reverse engineering mobile applications. Our dataset consists of the mobile banking applications of the banks providing services in Pakistan. Our results indicate that none of the existing tools can carry out the complete reverse engineering process as a standalone tool. In addition, we observe significant differences in the execution time and the number of files generated by each tool for the same file.