Table of Contents

    01 April 2023, Volume 9 Issue 4
    A Novel Blockchain Privacy Preserving Scheme Based on Paillier and FO Commitment
    2023, 9(4):  306. 
    The blockchain is a shared database with excellent characteristics such as high decentralization and traceability. However, data leakage is still a big problem for blockchain transactions. In order to solve the problem, this paper introduces Paillier homomorphic encryption with variable k (KPH), a privacy protection strategy that hides transaction information with the public-key encryption algorithm RSA, performs a zero-knowledge proof on the legitimacy of the transaction amount with FO commitment, updates the transaction amount using the enhanced Paillier semi-homomorphic encryption algorithm, and verifies the transaction using the FO commitment. Unlike the typical Paillier algorithm, the KPH scheme's Paillier algorithm includes the variable k and combines the L function and the Chinese remainder theorem to reduce the time complexity from O(|n|^(2+e)) to O(log n), making the decryption process more efficient.

    Application of Penetration Testing for Industrial Control System Terminals
    2023, 9(4):  313. 
    The security of industrial control system terminals is becoming crucial with the development of the industrial Internet. How to conduct effective security tests for industrial control system terminals has become a key problem to be studied and solved urgently. In this paper, the general process of penetration testing is first introduced, then the application of penetration testing to industrial control system terminals is examined using the improper input validation vulnerability as an example. The method starts from information collection and penetration tools to gain a deep understanding of the system's input verification. Then, during the vulnerability discovery stage, a model of the vulnerability to sensitive input is proposed, and a seed mutation pattern for industrial control programs is designed. The experiment demonstrates the effectiveness of the proposed method and shows that the vulnerability exists widely in industrial control systems. The method also discovers security threats such as data tampering, denial of service, permission access and malicious script injection caused by the input validation vulnerability. Finally, this work provides security suggestions for industrial control network security protection and equipment protection.
    Research on Integrated Scheduling Method of Safety and Security Tasks for Intelligent Instruments in Industrial Internet
    2023, 9(4):  321. 
    With the indepth application of Industrial Internet, industrial control systems are faced with security risks while changing from closed isolation systems to open interconnection systems. The traditional industrial control system cannot resist unknown and new information attacks in the industrial Internet only by means of firewall and other protection means. Attacks can penetrate and spread in the system and endanger the intelligent instrument. Therefore, the intelligent instruments itself should have attack detection and intrusion response capabilities, requiring it to achieve security protection through task scheduling. However, there are potential conflicts between security tasks and functional safety tasks, which require coordinated scheduling to ensure stable operation of instruments. Aiming at the coordination and scheduling requirements of intelligent instrument tasks, this paper proposes an integrated scheduling method for instrument tasks. Through unified formal description of instrument tasks, redundant and conflicting relationships between tasks are coordinated. Staticdynamic hybrid scheduling algorithm is designed to achieve integrated realtime scheduling of tasks. Finally, the effectiveness and feasibility of this method are verified through experiments.
    Research on the Application of Commercial Cryptography in 5G Network
    2023, 9(4):  331. 
    As a new generation of mobile communication network infrastructure, 5G application scenarios run through all aspects of production and life, such as industrial Internet, energy industry, transportation, medical industry and education. However, unprecedented security risks have been brought to 5G networks, including massive terminal access, large-scale network deployment, and massive data aggregation. 5G security has gradually become a worldwide research trend in recent years since it is crucial to social development, economic operation, and even national security. Cryptography is the core technology and basic support for assuring network and information security. After more than ten years of development, the national commercial cryptographic algorithms ZUC, SM4, SM3 and SM2, which have independent intellectual property rights, have gradually come to play a more indispensable role in maintaining the security of national cyberspace. Starting from the 5G network architecture and interfaces, this paper analyzes the underlying security risks faced by 5G networks and proposes a corresponding solution as an example of commercial cryptography application practice in the 5G network.
    Research on Adversarial Examples Generation Technology Based on Text Keywords
    2023, 9(4):  338. 
    Deep learning models have been widely used to deal with natural language tasks, but the latest research shows that adversarial attacks will seriously reduce the accuracy of the classification model and make the model's classification function ineffective. Aiming at the vulnerability of deep learning models when dealing with natural language tasks, a new adversarial examples generation method, KeywordsAttack, is proposed. The method uses a statistical algorithm to select some words to form a text keyword set. It then iteratively replaces the keywords according to their contribution to the model's classification results until the classification model is successfully misled or the number of replacements reaches the set value. According to the characteristics of Chinese, this method generates adversarial examples by splitting Chinese characters and replacing pinyin. Finally, experiments on the public hotel shopping review dataset show that the average modification magnitude of adversarial examples accounts for 18.2% of the original text, the classification accuracy of the attacked BERT model is reduced by about 43%, and the classification accuracy of the attacked LSTM model is reduced by about 30%. These data show that the KeywordsAttack method can successfully mislead the classification model by making small perturbations to the text. At the same time, the number of model queries in the process of generating adversarial examples is small.
    Core Isolation Method of ARM Processor for Out-of-Order Execution Vulnerability Test
    2023, 9(4):  347. 
    With the discovery of processor microarchitecture vulnerabilities represented by Spectre and Meltdown, microarchitecture security vulnerabilities have gradually attracted the attention of academia, and automatic testing schemes for related microarchitecture vulnerabilities have also been proposed. However, in a real test environment, the microarchitecture environment under test is interrupted and disturbed by the scheduling system, resulting in the omission of effective test cases. Therefore, this paper proposes an ARM processor core isolation method for out-of-order execution tests. By using the interrupt and scheduling management mechanisms between the ARM processor and the Linux kernel and designing a corresponding process synchronization mechanism, this method isolates the processor core from the interrupt and scheduling system during the test, so that the execution of the test instruction block is not disturbed by the interrupt and scheduling programs. The synchronization mechanism is designed to ensure that no other process is inserted and executed during process switching, so as to ensure the effectiveness of the test.
    On the Right to Erasure of Personal Information: Characteristics, Dilemmas and Improvement Paths: From the Perspective of COVID-19 Prevention and Control
    2023, 9(4):  356. 
    The right to erasure of personal information is an important right enjoyed by individuals in the processing of personal information under the Personal Information Protection Law. The right to erasure of personal information has both public-law and private-law attributes. From the nature of the COVID-19 public health emergency and the relevant normative documents issued by China during the epidemic prevention and control period, it can be seen that the current social state is in essence equivalent to a state of emergency. In this social context, identifying the right to erasure of personal information as a right in public law can effectively play the role of defense and objective law, and thereby protect the rights and interests of personal information through the protection obligation of public power. Following this logic, the system design of the right to erasure of personal information can be improved by establishing the model of “requested by individual-noticed by power” and by using the government information disclosure system to disclose personal information processing standards, so as to solve the problems in practice of the high cost of exercising rights for COVID-19 infected persons and the difficulty personal information processors have in performing their obligations.
    Research on Loop Security Problem in Binary Programs
    2023, 9(4):  364. 
    Loops are a common structure in programs, and improper use of loops is one of the most important causes of security problems, which makes detecting loop security problems important and valuable. Because of the path state explosion and loop modeling problems in binary code, static analysis of loop security is extremely challenging, and traditional methods are unable to solve these problems. In this paper, we propose a detection method for loop security problems based on binary static analysis, capable of detecting out-of-bounds memory access in loops and infinite loop problems. Firstly, we present an accurate method for extracting and recovering loop factors in binaries based on analysis of the loop structure, and then multiple path exploration strategies are used to solve the path state explosion and sorting problems. Moreover, we propose a function summary method based on static concrete execution to solve the constraint growth problem caused by induction function invocation in loops. Finally, we propose an inductive analysis method based on loop predicates to detect insecure loops in binaries. We have applied our methods to ten real-world programs and compared them with Angr. The experimental results show that our method is capable of detecting more loop problems than Angr.
    Research on the Application of Commercial Cryptography to Cloud Computing
    2023, 9(4):  375. 
    Cloud computing, as a new information processing method, enables users to access information and communication resource services through the network, and it has become an inevitable trend in the development of the information technology industry. The high concentration of users, data, and information resources, the high dependence on the continuity of cloud platform services, and the scalability of virtualized resources bring inevitable security risks to cloud computing. Therefore, how to eliminate the security risks of cloud computing by using commercial cryptography technology has become a current research hotspot. This paper starts from the cloud computing network architecture and analyzes the cryptography application requirements of cloud computing. On this basis, the paper proposes a corresponding commercial cryptography application scheme for cloud computing scenarios. The research results provide theoretical guidance and reference for the application practice of commercial cryptography in cloud computing scenarios, and are expected to solve the key problems of cloud computing security.
    Evaluation Method of Power Terminal Security Based on Fuzzy AHP-DEMATEL-VIKOR
    2023, 9(4):  382. 
    Aiming at the problem that semantic ambiguity and the correlation between indicators are not considered in the process of power terminal security evaluation, a weight determination method based on the fuzzy AHP-DEMATEL method is proposed, and the security of power terminals is then evaluated by the VIKOR method. Firstly, fuzzy theory is introduced into the AHP and DEMATEL methods to address the deviation caused by semantic ambiguity and strong subjectivity. At the same time, the centrality is calculated to judge the importance of each index in the evaluation system and to address the influence of the coupling between indicators on the evaluation result. The fuzzy AHP and DEMATEL methods are integrated to determine the comprehensive weight. Then, based on the VIKOR method, the security of five different power terminals is evaluated considering the preference of decision makers. Finally, case analysis and method comparison show that the method proposed in this paper considers the uncertainty caused by semantic ambiguity in the evaluation and the coupling between security indicators, and is therefore more objective in evaluating the security of power terminals.

    Research on Intranet Security Integrated Protection Architecture in Energy Enterprises Under Complex Network Threat Environment
    2023, 9(4):  390. 
    Against the background of complex network threats, the construction and improvement of enterprise Intranet security protection capability is imminent. At present, many enterprises still have difficulty eradicating botnets in the Intranet, insufficient ability to resist advanced persistent threat attacks, and difficulty defending against network horizontal attacks. This paper analyzes the current complex network threats faced by energy enterprises, and then puts forward models for comprehensive security protection of the Intranet of energy enterprises, such as improving the ability of asset mapping and discovery, establishing an Intranet unified access authorization system, dividing fine-grained Intranet security policies, building attack identification models, and providing system guarantees and expert talent training.
    Safety Management of Electronic Display Screen in Public Areas
    2023, 9(4):  397. 