Most Read articles

    Published in last 1 year |  In last 2 years |  In last 3 years |  All

    In last 2 years
    Please wait a minute...
    For Selected: Toggle Thumbnails
    On the Exploration and Prospect of the Development Path of  Cyberspace Trusted Identity in China
    Journal of Information Security Reserach    2022, 8 (12): 1236-.  
    Abstract560)      PDF (1941KB)(99)       Save
    Reference | Related Articles | Metrics
    Research on the Application of Commercial Cryptography in 5G Network
    Journal of Information Security Reserach    2023, 9 (4): 331-.  
    Abstract530)      PDF (1197KB)(300)       Save
    As a new generation of mobile communication network infrastructure, 5G application scenarios run through all aspects of production and life, such as industrial Internet, energy industry, transportation, medical industry and education. However, unprecedented security risks have been brought to 5G networks, including massive terminal access, largescale network deployment, and massive data aggregation. 5G security has gradually become a worldwide research trend in recent years since it is crucial to social development, economic operation, and even national security. Cryptography is the core technology and basic support to assure network and information security. After more than ten years of development, national commercial cryptographic algorithms ZUC, SM4, SM3, SM2, whose independent intellectual property rights are available, have gradually exerted more indispensable effects in maintaining the security of national cyberspace. Starting from the 5G network architecture and interfaces, this paper analyzes the underlying security risks faced by the 5G networks and proposes a corresponding solution as an example in terms of the commercial cryptography application practices of the 5G network.
    Reference | Related Articles | Metrics
    ChatGPT’s Applications, Status and Trends in the Field of Cyber Security
    Journal of Information Security Reserach    2023, 9 (6): 500-.  
    Abstract528)      PDF (2555KB)(467)       Save
    ChatGPT, as a large language model technology, demonstrates extremely strong language understanding and text generation capabilities. It has not only attracted tremendous attention across various industries but also brought new transformations to the field of cybersecurity. Currently, research on ChatGPT in the cybersecurity field is still in its infancy. To help researchers systematically understand the research status of ChatGPT in cybersecurity, this paper provides the first comprehensive summary of ChatGPT’s applications in the field of cybersecurity and potential accompanying security issues. The article first outlines the development of large language model technologies and briefly introduces the technology and features of ChatGPT. Then, it discusses the enabling effects of ChatGPT in the cybersecurity field from two perspectives: assisting attacks and assisting defense. This includes vulnerability discovery, exploitation and remediation, malicious software detection and identification, phishing email generation and detection, and potential use cases in security operations scenarios. Furthermore, the article delves into the accompanying risks of ChatGPT in the cybersecurity field, including content risks and prompt injection attacks, providing a detailed analysis and discussion of these risks. Finally, the paper looks into the future of ChatGPT in the cybersecurity field from the perspectives of security enablement and accompanying security, pointing out the direction for future research on ChatGPT in the cybersecurity domain.
    Reference | Related Articles | Metrics
    Application of Penetration Testing for Industrial Control System Terminals
    Journal of Information Security Reserach    2023, 9 (4): 313-.  
    Abstract474)      PDF (3070KB)(154)       Save
    The security of industrial control system terminals is getting crucial with the development of the industrial Internet. How to conduct effective safety tests for industrial control system terminals has become a key problem to be studied and solved urgently. In this paper, the general process of penetration testing is firstly introduced, then the application of penetration testing for industrial control system terminals is examined using improper input validation vulnerability as an example. The method starts from information collection and penetration tools to deeply understand the system input verification. Then, during the stage of the vulnerability discovery, the modeling of the vulnerability to sensitive input is proposed, as well as the seed mutation pattern for the industrial control programs is designed. The experiment demonstrates the effectiveness of the proposed method and the vulnerability widely existed in the industrial control systems. This method also discovers the security threats such as data tampering, denial of service, permission access and malicious script injection caused by the input validation vulnerability. At last, this work provides security suggestions for industrial control network security protection and equipment protection.
    Reference | Related Articles | Metrics
    Key Points and Practice of Compliance Assessment for Government Data Security
    Journal of Information Security Reserach    2022, 8 (11): 1050-.  
    Abstract392)      PDF (719KB)(326)       Save
    With the development of digital government, the security of government data has become a crucial task. The state attaches great importance to the security risk prevention of government data, and has issued a series of laws, regulations and policy documents, which put forward clear requirements for strengthening the security management of government data. Based on the requirements of government data security compliance, this article proposes the evaluation method and index system of compliance assessment for government data security, which will provide reference for the manager of government data to carry out government data security compliance assessment.
    Reference | Related Articles | Metrics
    Journal of Information Security Reserach    2022, 8 (9): 856-.  
    Abstract390)      PDF (391KB)(260)       Save
    Related Articles | Metrics
    Research on a New Generation Network Security Framework for Network Security Assurance of Major Event
    Journal of Information Security Reserach    2022, 8 (5): 492-.  
    Abstract372)      PDF (5642KB)(613)       Save
    Due to the open network environment,complex information system and widespread social concern, major event faces increasing network security risks. The traditional plugin network security protection is more and more difficult to adapt to the increasingly complex network security situation of major event. Based on the network security assurance work of 2022 Beijing Winter Olympic Games and 2022 Beijing Winter Paralympic Games, this paper systematically sorts out the main characteristics of network security assurance for major event, puts forward a new generation network security framework, and analyzes the structure, characteristics and models of the framework in detail. The “zero accident” in the network security assurance work of Beijing Winter Olympic Games and Beijing Winter Paralympic Games shows that the framework can effectively guide the network security assurance work for major event, and provides a successful model for network security assurance work for major event.
    Related Articles | Metrics
    Automated Vulnerability Mining and Attack Detection
    Journal of Information Security Reserach    2022, 8 (7): 630-.  
    Abstract362)      PDF (434KB)(304)       Save
    Related Articles | Metrics
    Research on Memorycorruption Vulnerability Defense Methods  Based on Memory Protection Technology
    Journal of Information Security Reserach    2022, 8 (7): 694-.  
    Abstract361)      PDF (1030KB)(177)       Save
    Since its outbreak of COVID19 in the world, the process of digital transformation has been further accelerated in all sectors around the world. With the increasing value of information assets, information security problems follow. Vulnerability attacks are the root cause of frequent security incidents in recent years. Vulnerability defense ability directly affects the security of the system. How to prevent vulnerability exploitation without patches has become an urgent need. Vulnerability exploitation defense has also become an important research content in the field of attack and defense confrontation of information security. This paper studies the binary memorycorruption vulnerability defense methods and puts forward a new method to deal with the increasing vulnerability attacks.Key words memory protection technology; memorycorruption vulnerability; network security; behavior monitoring; vulnerability defense; endpoint security
    Related Articles | Metrics
    Journal of Information Security Reserach    2023, 9 (E1): 105-.  
    Abstract336)      PDF (1450KB)(166)       Save
    Reference | Related Articles | Metrics
    Journal of Information Security Reserach    2022, 8 (8): 734-.  
    Abstract325)      PDF (422KB)(276)       Save
    Related Articles | Metrics
    Journal of Information Security Reserach    2023, 9 (3): 206-.  
    Abstract314)      PDF (513KB)(234)       Save
    Related Articles | Metrics
    Research on Content Detection Generated by Large Language Model  and the Mechanism of Bypassing
    Journal of Information Security Reserach    2023, 9 (6): 524-.  
    Abstract280)      PDF (1924KB)(200)       Save
    In recent years, there has been a surge in the development of large language models. AI robots like ChatGPT, although they have a largescale security confrontation mechanism inside, attackers can still elaborate questionandanswer patterns to bypass the mechanism, with their help to automatically produce phishing emails and carry out network attacks. In this case, how to identify the text generated by AI robots has also become a hot issue. In order to carry out LLMgenerated content detection experiment, our team collected a certain number of questionandanswer data samples from an Internet social platform and ChatGPT platform, and proposed a series of detection strategies according to different conditions of AI text availability. It includes text similarity analysis based on online controllable AI samples, text data mining based on statistical differences under offline conditions, adversarial analysis based on the LLM generation method under the condition that AI samples are not available, and AI model analysis based on building a classifier by finetuning the target LLM model itself. We calculated and compared the detection capabilities of the analysis engine in each case. On the other hand, we give some antikill techniques against AI text detection engines based on the characteristics of detection strategies, from the perspective of network attack and defense.
    Reference | Related Articles | Metrics
    Journal of Information Security Reserach    2022, 8 (5): 418-.  
    Abstract272)      PDF (2768KB)(208)       Save
    Most consortium blockchains now run in closed and deterministic environments, and their smart contracts cannot have IO operations with the outside world. Some application scenarios (such as crediting blockchain, carbon trading blockchain, supply chain, express tracking, etc.) require a mechanism responsible for data interaction with the outside of consortium blockchains, generally called an oracle machine. The existing oracle techniques in the consortium chain have the following shortcomings: 1) The limited data interaction mode cannot meet the needs of distributed applications; 2) With the increase in the number of distributed oracle nodes, the consensus delay will also increase. 3) The participants of the consortium blockchain usually maintain the oracle nodes in the distributed oracle system, and the behavior in the data consensus process is invisible to the blockchain, which is not conducive to data governance. To address the problems, this paper proposes the following methods: 1) Based on the eventdriven mechanism, four oracle design patterns or interaction patterns are proposed, which support Pull and Push, Inbound and Outbound, four combinations of the oracle data interactions; 2) The threshold signature algorithm is used to reach a consensus on the data, which improves the scalability of the oracle system while ensuring the credibility of the data; 3) A reputation mechanism is introduced for data governance to maintain a local and global reputation for each oracle node, and dynamic update is carried out in the data consensus process. Finally, by designing multichain scenairos in crediting blockchain and carbon trading blockchain, the applications of the four oracle design patterns, scalability, and reliability of the oracle nodes are evaluated and analyzed.
    Related Articles | Metrics
    Journal of Information Security Reserach    2022, 8 (6): 522-.  
    Abstract268)      PDF (440KB)(161)       Save
    Related Articles | Metrics
    Research on Several Issues in the Construction of Network Trusted  Identity System
    Journal of Information Security Reserach    2022, 8 (9): 871-.  
    Abstract265)      PDF (2082KB)(124)       Save
    This paper works through a series of concepts related to “network identity”, extends the experience and ideas of network identity management from the ways and methods of real social identity management, analyzes the four basic stages involved in network identity life cycle management and the key problems to be solved, and puts forward the reference architecture of network trusted identity system and its system functional structure, It also puts forward relevant suggestions to promote the construction and application of network trusted identity system in China.
    Reference | Related Articles | Metrics
    Data Security Governance Practices
    Journal of Information Security Reserach    2022, 8 (11): 1069-.  
    Abstract265)      PDF (5897KB)(234)       Save
    Data security governance has been written into the Data Security Law of the People’s Republic of China. At the same time, data security governance is also one of the key points in the construction of systematic network security. This paper analyzes the data security governance concepts of Gantner and Microsoft, combines enterprise architecture, stakeholder theory, data flow security assessment, maturity security assessment and other methodologies, forms a set of data security governance concepts, and designs a data security management and operation platform for dynamic supervision and data security operation of data security governance indicators. Since 2018, this methodology and platform have been put into practice in the project to solve the construction and optimization of users’ data management and defense system.
    Reference | Related Articles | Metrics
    Key Technologies and Research Prospects of Privacy Computing
    Journal of Information Security Reserach    2023, 9 (8): 714-.  
    Abstract262)      PDF (1814KB)(158)       Save
    Privacy computing, as an important technical means taking into account both data circulation and privacy protection, can effectively break the “data island” barriers while ensuring data security, it enables open data sharing, and promotes the deep mining and use of data and crossdomain integration. In this paper, the background knowledge, basic concepts and architecture of privacy computing were introduced, the basic concepts of three key technologies of privacy computing, including secure multiparty computation, federated learning and trusted execution environment were elaborated, and studies on the existing privacy security was conducted, a multidimensional comparison and summarization of the differences of the three key technologies were made. On this basis, the future research direction of privacy computing is prospected from the technical integration of privacy computing with blockchain, deep learning and knowledge graph.
    Reference | Related Articles | Metrics
    A Novel Blockchain Privacy Preserving Scheme Based on Paillier  and FO Commitment
    Journal of Information Security Reserach    2023, 9 (4): 306-.  
    Abstract254)      PDF (934KB)(166)       Save
    The blockchain is a shared database with excellent characteristics such as high decentralization and traceability. However, data leakage is still a big problem for blockchain transactions. To order to solve the problem, this paper introduces Paillier homomorphic encryption with variable k (KPH), a privacy protection strategy that hides transaction information by the public key encryption algorithm RSA, performs zeroknowledge proof on the legitimacy of the transaction amount with FO commitment, and updates the transaction amount using the enhanced Paillier semihomomorphic encryption algorithm and verifies the transaction using the FO commitment. Unlike the typical Paillier algorithm, the KPH scheme’s Paillier algorithm includes the variable k and combines the L function and the Chinese remainder theorem to reduce the time complexity from O(|n|2+e) to O(logn), making the algorithm decryption process more efficient.

    Reference | Related Articles | Metrics
    Journal of Information Security Reserach    2023, 9 (6): 498-.  
    Abstract253)      PDF (472KB)(294)       Save
    Related Articles | Metrics
    Research on Network Security Governance and Response of  Largescale AI Model
    Journal of Information Security Reserach    2023, 9 (6): 551-.  
    Abstract244)      PDF (1101KB)(187)       Save
    With the continuous development of artificial intelligence technology, largescale AI model technology has become an important research direction in the field of artificial intelligence. The publication of ChatGPT4.0 and ERNIE Bot has rapidly promoted the development and application of this technology. However, the emergence of largescale AI model technology has also brought new challenges to network security. This paper will start with the definition, characteristics and application of largescale AI model technology, and analyze the network security situation under largescale AI model technology. The network security governance framework of largescale AI model is proposed, and the given steps can provide reference for network security work of largescale AI model.
    Reference | Related Articles | Metrics
    Research on Loop Security Problem in Binary Programs
    Journal of Information Security Reserach    2023, 9 (4): 364-.  
    Abstract244)      PDF (2829KB)(67)       Save
    Loop is a common structure in programs and improperly using loop is one of the most important reasons resulting in security problems, making detecting loop security problem is important and valuable. As the path state explosion and loop modeling problems in binary code, statically analyzing of loop security is extremely challenging, and traditional methods are unable to solve these problem. In this paper, we proposed a detecting method for loop security problems based on binary static analyzing,having the ability of detecting out of bound memory access in loop and infinite loop problem. Firstly, we present an accurate extracting and recovering method of loop factors in binary based on analyzing of loop structure and then multiple path explore strategies are utilized to solving the path state explosion and sorting problem. Moreover, we propose a function summary method based on static concrete execution to solving constraints growing problem caused by induction function invoking in loops. Finally, we proposed an inductive analysis method based on loop predicates to detect insecure loop in binary. We have applied our methods on ten real world programs and compared with Angr. The experimental results turn out that our method is capable of detecting more loop problems than Angr.
    Related Articles | Metrics
    Design and Research of Attack and Defense Platform  Based on Real Network
    Journal of Information Security Reserach    2022, 8 (9): 895-.  
    Abstract243)      PDF (2394KB)(99)       Save
    Through the research and analysis of the current situation that National Cyber Range is based on simulation technology, this paper puts forward the research goal of building a set of attack and defense platform based on real network environment, and designs a set of technical architecture of real network attack and defense platform with five modules: attack and defense capability confrontation space, attack and defense confrontation security control, security situation analysis and display, command and dispatching wall chart operation and secure big data platform. This paper also expounds the application practice of the architecture, and finally improves the network security comprehensive defense ability of security personnel.
    Reference | Related Articles | Metrics
    Survey of Coverage-guided Grey-box Fuzzing
    Journal of Information Security Reserach    2022, 8 (7): 643-.  
    Abstract240)      PDF (1745KB)(192)       Save
    In recent years, coverageguided greybox fuzzing has become one of the most popular techniques for vulnerability mining, which plays an increasingly important role in the software security industry. With the increasing variety of application scenarios and complexity of test applications, the performance requirements of coverageguided greybox fuzzing are further improved. This paper studies the existing coverageguided greybox fuzzing methods, summarizes its general framework, and analyzes its challenges and the development status. The experimental results of these methods are summarized and the problems existing in the experimental evaluation are discussed. Finally, the future development trend of coverageguided greybox fuzzing is prospected.Key words fuzzing; hole mining; coverageguided; greybox; software security

    Related Articles | Metrics
    Research on the Application of Commercial Cryptography to Cloud Computing
    Journal of Information Security Reserach    2023, 9 (4): 375-.  
    Abstract238)      PDF (3447KB)(205)       Save
    Cloud computing, as a new information processing method, enables users to access information and communication resource services through the network, and it has become an inevitable trend in the development of information technology industry. Users, data, and information resources are highly concentrated, highly dependent on the continuity of cloud platform services, and the scalability of virtualized resources bring inevitable security risks to cloud computing., and the scalability of virtualized resources bring inevitable security risks to cloud computing. Therefore, how to eliminate the security risks of cloud computing by using commercial cryptography technology has become the current research hotspot. This paper starts from the cloud computing network architecture, anlyzes the cryptography application requirements of cloud computing. The paper proposes the corresponding commercial cryptography application scheme for cloud computing scenarios on this basis. The research results provide a theoretical guidance and reference for the application practice of commercial cryptography in cloud computing scenarios, and are expected to solve the key problems of cloud computing security.
    Reference | Related Articles | Metrics
    Journal of Information Security Reserach    2022, 8 (5): 484-.  
    Abstract236)      PDF (1191KB)(205)       Save
    Smart contract is the program code that can be shared on the blockchain, involving account address, digital assets and other information. In recent years, smart contracts develop rapidly, expanding the blockchain platform from a simple distributed ledger system to a rich decentralized operating system, leading the era of blockchain 2.0. However, smart contracts are facing a serious problem of privacy disclosure, which limits the further development and application of smart contract technology. This paper analyzes four smart contract privacy protection key technologies of zero knowledge proof, secure multiparty computing, homomorphic encryption and trusted execution environment, summarizes the latest research results of current smart contract privacy protection solutions, and prospects the future research direction.
    Related Articles | Metrics
    Analysis on the Division of Data Security Management Responsibilities  and Accountability Mechanism
    Journal of Information Security Reserach    2023, 9 (1): 73-.  
    Abstract235)      PDF (1038KB)(136)       Save
    Strengthening the awareness of security and responsibility is the primary condition for data security management. People are the most important factor in the construction of data security. All data security management specifications and technical measures are based on people. From the perspective of data security compliance, this article fully analyzes the corporate data security protection obligations in accordance with the Data Security Law, and innovatively designs the corporate data security responsibility matrix and data security incident accountability matrix to provide enterprises with the construction of data security compliance management. The design ideas for the key functions required by each stakeholder in the system process, and a practical accountability plan based on the key functions, can implement the Data Security Law for various industries and units, and build a data security organization. And the incident accountability mechanism to provide sufficient reference.
    Reference | Related Articles | Metrics
    Journal of Information Security Reserach    2022, 8 (8): 751-.  
    Abstract234)      PDF (2071KB)(256)       Save
    ATT&CK framework, as an attack perspective framework of network security in recent years, has attracted extensive research in the industry. This paper introduces the existing network security evaluation and detection technologies based on ATT&CK framework, and gives its own research results on this basis. In terms of evaluation, an automatic evaluation system based on ATT&CK framework is proposed. In terms of detection, the data source standardization method, attack analysis framework and attack chain analysis framework based on knowledge graph which are required by detection based on ATT&CK framework are proposed. This paper provides specific idea and implementation scheme for the application of ATT&CK framework in network security evaluation and detection.

    Related Articles | Metrics
    Research on Personal Privacy Data Sharing Technology Based on  Blockchain Traceability
    Journal of Information Security Reserach    2023, 9 (2): 109-.  
    Abstract224)      PDF (1327KB)(130)       Save
    Personal privacy data on the Internet, as an one of the important information resources, involves a series of security issues. Centralized or distributed servers are usually used to centrally manage personal privacy data. The data storage is not transparent, and it is prone to problems such as single point of failure and information theft. This paper combines blockchain technology with the improved CPABE algorithm, uses IPFS to store private data, and designs a flexible finegrained personal privacy data sharing scheme PPSSBC based on improved CPABE algorithm. The proposed scheme supports the accountability of malicious users who leak their private keys and realizes dynamic access control. The paper proves the security of the scheme. Experimental analysis shows that the scheme is effective.
    Reference | Related Articles | Metrics
    Towards a Privacy-preserving Research for AI and Blockchain Integration
    Journal of Information Security Reserach    2023, 9 (6): 557-.  
    Abstract221)      PDF (1307KB)(158)       Save
    With the widespread attention and application of artificial intelligence (AI) and blockchain technologies, privacy protection techniques arising from their integration are of notable significance. In addition to protecting the privacy of individuals, these techniques also guarantee the security and dependability of data. This paper initially presents an overview of AI and blockchain, summarizing their combination along with derived privacy protection technologies. It then explores specific application scenarios in data encryption, deidentification, multitier distributed ledgers, and kanonymity methods. Moreover, the paper evaluates five critical aspects of AIblockchainintegration privacy protection systems, including authorization management, access control, data protection, network security, and scalability. Furthermore, it analyzes the deficiencies and their actual cause, offering corresponding suggestions. This research also classifies and summarizes privacy protection techniques based on AIblockchain application scenarios and technical schemes. In conclusion, this paper outlines the future directions of privacy protection technologies emerging from AI and blockchain integration, including enhancing efficiency and security to achieve more comprehensive privacy protection of AI privacy.
    Reference | Related Articles | Metrics
    Research on Invulnerability of Standard IoT Based on Cascading Failures
    Journal of Information Security Reserach    2022, 8 (5): 506-.  
    Abstract219)      PDF (1113KB)(90)       Save
    The IEEE P21451 standard family defines the architecture of the next generation Internet of Things. In order to improve the invulnerability of IEEE P21451 standard IoT, a clustering standard IoT network model is proposed based on the characteristics of the IEEE P21451 standard IoT terminal nodes. Then a cascading failure model with adjustable load distribution range is established based on the load and function characteristics of the standard IoT, and the relationship between the key parameters of the model and the network invulnerability is discussed. The model divides the node load into sensing load and transferable load. Considering the influence of local and global information of the network comprehensively, the initial transferable load of the node is constructed by combining the node degree and the node invulnerability. The simulation results prove the stronger invulnerability of the proposed model towards cascading failures, which provides theoretical guidance and reference for improving the invulnerability of the IEEE P21451 standard IoT.Key wordsInternet of things; IEEE P21451; invulnerability; cascading failure; load
    Related Articles | Metrics
    Journal of Information Security Reserach    2022, 8 (8): 831-.  
    Abstract218)      PDF (719KB)(206)       Save
    At present, open source has become one of the best organizing methods for human superlargescale intellectual collaboration, and has also become the "main battlefield" of technological innovation, ushering in great development worldwide. At the same time, open source software has also become a mature target for software supply chain attacks, facing security vulnerabilities, intellectual property rights, open source regulation and other risks. This paper analyzes the current security situation and risks of open source software supply chain, puts forward open source software development security solutions, and puts forward suggestions for the development of open source software supply chain.
    Related Articles | Metrics
    A Survey of SQL Injection Attack Detection and Defense Technology
    Journal of Information Security Reserach    2023, 9 (5): 412-.  
    Abstract216)      PDF (2612KB)(204)       Save
    In the era of “Internet+”, data is the most valuable resource of the Internet. Attackers often use SQL injection attacks to destroy the database in order to obtain important data information in the database. The threat to database security is becoming more and more serious. At present, the research on SQL injection attacks mostly focuses on traditional SQL injection attacks, but lacks the cognition of new advanced SQL injection technology with stronger concealment and higher risk, and the research on related detection and defense technology. In response to this phenomenon, this paper analyzes and evaluates traditional and advanced SQL injection attack technologies and their technical characteristics based on the classification of SQL injection technologies; summarizes existing detection and defense technologies, and evaluates the advantages and disadvantages of these methods for defense effectiveness; finally The problems existing in the current research field are sorted out, and suggestions for future research directions are put forward.

    Reference | Related Articles | Metrics
    Research on the Progress of Crossborder Data Flow Governance
    Journal of Information Security Reserach    2023, 9 (7): 624-.  
    Abstract209)      PDF (1036KB)(88)       Save
    While promoting the sharing of global data resources, the crossborder data flow will inevitably threaten data sovereignty and national security. The competition for the right to speak in international data with crossborder data flow governance as the game will become the focus of competition in the international community in the future. This paper introduces the background knowledge and constraints of crossborder data flow, investigates and compares the crossborder data flow governance models of the United States, the European Union, Russia, Japan, and Australia, and analyzes the current policy status and challenges of crossborder data flow governance in our country, on this basis, countermeasures and suggestions are proposed for the governance of crossborder data flow in our country from the perspective of data sovereignty, including promoting the classification supervision of crossborder data flow, innovating and developing crossborder data flow governance models, improving countermeasures against extraterritorial “longarm jurisdiction”, and actively participating in and leading the formulation of international governance rules.
    Reference | Related Articles | Metrics
    Journal of Information Security Reserach    2022, 8 (6): 545-.  
    Abstract208)      PDF (1253KB)(95)       Save
    With the rapid development of automotive intelligence, onboard system changes the landscape of vehicle behavior automation. Various firmware and hardware devices can interact or exchange information with the onboard intelligent system. The Internet of vehicles carries the automatic control of software, ECU and hardware via the onboard intelligent system. Instate providing users with daytoday driving functionality, the onboard system been evolved and increase its complexity. There is no clear boundary between system security and functional safety. This paper gives an overview of the onboard intelligent system of the Internet of vehicles based on experimental modeling. It also emphasizes that under the scenario of the Internet of vehicles, the vulnerability and system failure of the intelligent vehicle system will directly affect the functional safety, which means it can threaten the safety of passengers. Therefore, the onboard system security of the Internet of vehicles becomes more and more important. This paper discusses the relationship between system security and functional safety in the Internet of vehicles based on an existing issue. In order to locate the actual system security in the Internet of vehicles, the existing defense indicates that the importance to find a balance point between vehicle performance and system security within the limited resource, this paper proposed a method about prereinforcement learning defense mechanism based on pseudo defense.Key words Internet of vehicles security; endogenous security; mimicry defense; reinforcement learning; information system security

    Related Articles | Metrics
    Journal of Information Security Reserach    2022, 8 (8): 777-.  
    Abstract207)      PDF (1830KB)(124)       Save
    With the rapid growth of mobile applications and their users, the security of mobile applications has increasingly become the primary concern of the users. At present, there are more and more variants of malware based on the Android platform. There is an urgent need for efficient and effective malware detection methods to ensure the security and reliability of the Android app platform. To address these concerns, we present our lightweight solution ISEDroid which is based on the Instruction Sequence Embedding method to detect Android malware. ISEDroid extracts the instruction execution sequences from the Dalvik code fragments of Android apps, which are used to represent all executable and traceable paths of malware during runtime. Then, it transforms the instruction sequence into a low dimensional numerical vector through the embedding method in natural language processing, and then generates the semantic summary of the sample code behaviors using the average pooling algorithm. Finally, by evaluating different machine learning algorithms, adjusting the dimension of embedded vectors, and optimizing various hyperparameters, we ensure that the parameters of the model are all optimal, so as to achieve the best classification performance. A large number of experiments show that the method proposed in this paper can accurately identify Android malware, and achieved an F1 score of 0.952.

    Related Articles | Metrics
    Journal of Information Security Reserach    2022, 8 (8): 812-.  
    Abstract201)      PDF (4751KB)(144)       Save
    Because deep learning can freely extract and combine features, an increasing number of academics are using it to perform sidechannel attacks without taking into consideration preprocessing processes like choosing sites of interest and alignment. The sidechannel attack model based on deep learning is built with multilayer perceptron networks, convolution neural networks, and recurrent neural networks, but it has several issues in the training stage, such as overfitting, gradient disappearance, and sluggish convergence speed. Meanwhile, the selfattention mechanism is capable of extracting characteristics in natural language processing, computer vision, and other domains. To make the selfattentiveness mechanism accessible to the area of deep learning sidechannel attacks, we present SADLSCA, a deep learning sidechannel attack model based on the selfattentiveness mechanism, based on the features of deep learningbased sidechannel attacks. SADLSCA addresses the issues of fast overfitting, gradient disappearance, and slow convergence of deep learningbased sidechannel attack models during training, and experimentally verifies that the energy traces required for a successful attack on public datasets ASCAD and CHES CTF 2018 are reduced by 23.1% and 41.7%, respectively.
    Related Articles | Metrics
    ChatGPT’s Security Threaten Research
    Journal of Information Security Reserach    2023, 9 (6): 533-.  
    Abstract200)      PDF (1801KB)(170)       Save
    With the rapid development of deep learning technology and natural language processing technology, the large language model represented by ChatGPT came into being. However, while showing surprising capabilities in many fields, ChatgPT also exposed many security threats, which aroused the concerns of academia and industry. This paper first introduces the development history, working mode, and training methods of ChatGPT and its series models, then summarizes and analyzes various current security problems that ChatGPT may encounter and divides it into two levels: user and model. Then, countermeasures and solutions are proposed according to the characteristics of ChatGPT at each stage. Finally, this paper looks forward to developing a safe and trusted ChatGPT and a large language model.
    Reference | Related Articles | Metrics
    A Survey of IoT Firmware Vulnerability Security Detection
    Journal of Information Security Reserach    2022, 8 (12): 1146-.  
    Abstract199)      PDF (1780KB)(187)       Save
    With the advent of the Internet of everything, the security issues of the IoT have become more and more important, especially the economic losses caused by security risks and attacks caused by firmware vulnerabilities in the IoT. Efficient firmware vulnerability detection technology has increasingly become the key to ensuring the security of IoT devices. Therefore, studying the methods and technologies related to firmware vulnerability security detection in the IoT has essential theoretical significance and practical value. This paper analyzes the reasons for the frequent security problems of IoT firmware, summarizes the main security threats faced by IoT firmware, and targets the firmware. Based on the challenges faced by vulnerability analysis, the existing firmware vulnerability detection methods are reviewed. Through the analysis of the advantages and disadvantages of different methods, it provides guidance for further improving the intelligence, precision, automation, effectiveness, and scalability of the firmware security defect detection method. Finally, future research in IoT firmware vulnerability security detection is prospected.
    Reference | Related Articles | Metrics
    Journal of Information Security Reserach    2022, 8 (7): 715-.  
    Abstract198)      PDF (581KB)(182)       Save
    Building a digital government is an inevitable requirement to improve the efficiency of government governance under the background of the indepth development of informatization. Economic governance is an important part of government functions, which is directly related to the highquality development of economy and society. The construction of digital government is a systematic project, which is not a simple “government management+informatization”, nor “informatization+government management”. Coordinating the construction of digital government and the government's performance of economic governance function is an important prerequisite for consolidating the benign interaction between the two. To better serve economic governance, it is the key for digital government is to summarize successful experiences and cases, identify application scenarios and actively and steadily promote them, optimize functions and promote indepth integration in the process of meeting scenario needs.Key words digital government; government governance; macroeconomic governance; digitization; fuse
    Related Articles | Metrics