Collections

Cyberspace Security Special Topic
  • LI Weichao, ZHANG Zheng, WANG Liqun, LIU Zhenwu, LIU Hao
    Computer Engineering. 2019, 45(8): 1-6. https://doi.org/10.19678/j.issn.1000-3428.0054221
    CSCD(4)
    Threat adjudication based on the judge method of ruling difference is an important mechanism for the mimic defense system to shield and block the threat of attacks. However, the existing mimic adjudication mechanism cannot conduct effective inductive analysis and threat control on the security situation of mimic defense systems. Therefore, taking the mimic Web service system as an example and integrating network situation awareness technology into the mimic defense architecture, this paper proposes an improved Web threat situation analysis method. Data association is performed on the multi-level mimic adjudication alarm logs. The feature data extracted by fusion is deeply mined and classified, and the different types of classification data are visually displayed. Experimental results show that the method can display the security state of mimic defense systems and report the running state of abnormal execution bodies in time, so as to realize the analysis and evaluation of the security situation of mimic defense systems.
  • HUANG Changyang, WANG Tao, WANG Xiaohan, CHEN Qingchao, YIN Shizhuang
    Computer Engineering. 2019, 45(8): 7-13,21. https://doi.org/10.19678/j.issn.1000-3428.0051747
    CSCD(1)
    This paper proposes an algebraic fault attack method based on optimized fault location against the SIMECK cipher. By analyzing the encryption diffusion defect of the SIMECK round function and the failure cause, the deterministic propagation characteristics of faults are extracted, and a differential characteristic table of deterministic faults is constructed to achieve accurate fault location. An equivalent equation set is created for the encryption process and fault information, and the equations are converted into SAT problems to solve for the key. Experimental results show that the method can inject a random single-bit fault into the left register in the 28th round of SIMECK32/64, and needs only 8 fault injections to recover the complete 64-bit master key. The attack success rate is 99.61%. Compared with existing fault attack methods, the proposed method requires fewer fault samples, has a higher attack success rate, and makes the creation of equations more automated.
  • ZHANG Jiexin, PANG Jianmin, ZHANG Zheng, TAI Ming, ZHANG Hao, NIE Guanglai
    Computer Engineering. 2019, 45(8): 14-21. https://doi.org/10.19678/j.issn.1000-3428.0053425
    CSCD(10)
    Scheduling is an important mechanism for the Web server with mimic structure. Most existing scheduling algorithms do not consider the heterogeneity and Quality of Service (QoS) of the Web server with mimic structure, and do not solve the problems of security and service quality instability caused by the scheduling mechanism. Therefore, a scheduling algorithm called Random Seed algorithm based on Maximum heterogeneity and Web QoS (RSMHQ) is proposed. All the thresholds of the Web servers with mimic structure are calculated. The seed executor is randomly selected, and the scheduling scheme is determined according to the maximum heterogeneity and QoS. Simulation results show that, compared with the random scheduling algorithm, the proposed algorithm has better scheduling effects and achieves an excellent balance between security, Web service quality and dynamic behaviour.
  • LIU Zhihao, SUN Xiaoshan, ZHANG Yang
    Computer Engineering. 2019, 45(8): 22-24,30. https://doi.org/10.19678/j.issn.1000-3428.0051008
    In order to construct samples that conform to language norms in fuzz testing of a language interpreter, and to obtain as many abnormal test results as possible so as to find vulnerabilities, an improved Probabilistic Context Free Grammar (PCFG) model is used to control the mutation process of samples, and the undefined variables in the mutation results are modified to increase the ratio of samples that conform to language norms. On this basis, the language interpreter is fuzz tested. Results show that the ratio of generated samples that conform to the grammatical and semantic norms is as high as 96%.
  • LIAO Fangyuan, GAN Zhiwang
    Computer Engineering. 2019, 45(8): 25-30. https://doi.org/10.19678/j.issn.1000-3428.0055156
    To address the problem that an attacker can release pirated software by re-signing it, exploiting weaknesses in the self-signing process of Android applications, this paper analyzes the digital signature and verification process of Android applications, proposes an online signature comparison scheme based on the MD5 value, and uses code obfuscation to make decompilation harder for the attacker and so protect the signature scheme. Experimental results show that the scheme can help users judge whether an application is authentic, and can effectively prevent the local signature from being tampered with.
  • CHENG Hua, XIE Jinxin, CHEN Lihuang
    Computer Engineering. 2019, 45(8): 31-34,41. https://doi.org/10.19678/j.issn.1000-3428.0051218
    CSCD(4)
    In order to accurately identify the encrypted C&C communication traffic of malware, this paper analyzes the HTTPS communication process of normal Web page browsing and of C&C communication, discovers the server independence feature of malware C&C communication, and proposes a sequence modeling method for HTTPS communication. Based on the behaviour characteristics of encrypted communication, a vector representation of the hexadecimal characters of the ciphertext is used to produce a vectorized expression of encrypted traffic. A multi-window Convolutional Neural Network (CNN) is used to extract the pattern characteristics of encrypted C&C communication and to identify and classify encrypted C&C communication traffic. Experimental results show that the accuracy of identifying the encrypted C&C communication traffic of malware is 91.07%.
  • CAI Xiumei, LIU Chao, HUANG Xianying
    Computer Engineering. 2019, 45(8): 35-41. https://doi.org/10.19678/j.issn.1000-3428.0052117
    In order to study the impact of differences in the input rates and removal rates of network nodes on worm virus propagation, this paper analyzes the transformation relationship between compartments based on the idea of compartment modeling and constructs a worm virus propagation SEIR model with different input rates and removal rates. It calculates the equilibrium point and basic reproduction number of the model, gives the stability conditions of the equilibrium point, and uses the Hurwitz theorem, the LaSalle invariance principle and the Bendixson theorem to prove the stability of the equilibrium point. On this basis, the paper verifies the results of the theoretical analysis by numerical simulation, analyzes the key factors that affect worm virus propagation, and proposes some suggestions and measures to suppress it.
  • CHEN Ruidong, ZHAO Lingyuan, ZHANG Xiaosong
    Computer Engineering. 2018, 44(10): 46-50. https://doi.org/10.19678/j.issn.1000-3428.0051085
    CSCD(2)
    A Botnet that combines worms, backdoors, and Trojans has become the backing of Advanced Persistent Threat (APT) attacks because attackers can use it to send spam, perform denial of service attacks, and steal sensitive information. Existing Botnet detection methods are mostly limited to specific Botnet types and cannot effectively process data near the boundary. Therefore, a Botnet identification method based on network traffic similarity is proposed. This method does not rely on packet content and can handle encrypted traffic. Statistical features of the data stream and the packets are extracted, each feature is fuzzy clustered, the feature boundary of the fuzzy category is discriminated, and Botnet traffic is judged based on the principle of maximum affiliation degree. Association rules are filtered according to support degree and confidence degree to determine the specific Botnet type. Experimental results show that the method can effectively identify Botnet traffic and predict the type of Botnet.
  • WANG Wei, ZENG Junjie, LI Guangsong
    Computer Engineering. 2018, 44(10): 42-45,50. https://doi.org/10.19678/j.issn.1000-3428.0051035
    CSCD(9)
    The main causes of threats to cyberspace security are vulnerabilities and backdoor problems. In order to address threats based on unknown vulnerabilities, backdoors or virus Trojans in cyberspace, a probabilistic mathematical model is established for the typical architecture of mimic defense, the Dynamic Heterogeneous Redundancy (DHR) system. The security of the system is discussed from the perspective of output consistency rate and system attack success rate. By solving and analyzing the model, the expression for the attack success rate of the DHR system is obtained, and some properties of the DHR system are analyzed. Analysis results show that the DHR system has better anti-attack capability than the static heterogeneous redundant system.
  • GU Jiateng, XIN Yang
    Computer Engineering. 2018, 44(10): 34-41. https://doi.org/10.19678/j.issn.1000-3428.0051222
    CSCD(2)

    Aiming at the problems of failure rate and low detection efficiency in the XSS dynamic detection method, a new XSS vulnerability detection model is proposed. The model is divided into five parts: load unit generation, bypassing rule selection, exploratory load test, load unit combination test and load unit separate test. According to the location and function type of the load unit, the attack load is cut into different types of units, and rules for combining attack loads are formulated. The probe load is used to determine whether there are any vulnerabilities to be detected; the load units and the bypassing rules are then put into the detection point using the combination test and the separate test, and attack loads are generated based on the test results. Experimental results show that this model uses fewer test requests to complete the test of more attack loads, and maintains a high detection efficiency while effectively reducing the failure rate.

  • GU Yunjie, HU Yuxiang, DING Yuehang, XIE Jichao
    Computer Engineering. 2018, 44(10): 28-33,41. https://doi.org/10.19678/j.issn.1000-3428.0051042
    CSCD(2)

    In order to solve the problems of high delay, low efficiency and failure to distinguish communication service types in existing address mutation technology, a service-awareness-based address mutation method is proposed for the SDN environment. Using the feature of subsection IP continuous segmentation, an efficient random address generation algorithm is adopted to make address mutation more efficient. At the same time, a communication authentication algorithm is used to provide different mutation modes according to the architecture and reliability requirements of both sides. Experimental results show that, compared with the OF-RHM and PPAH-SPD methods, this method can effectively protect the communicating parties from sniffing attacks, provide more efficient and flexible random address mutation and address mutation modes, reduce the time delay by 30%~60%, and reduce the jitter.

  • ZHOU Wenyi, GU Xubo, SHI Yong, XUE Zhi
    Computer Engineering. 2018, 44(10): 22-27. https://doi.org/10.19678/j.issn.1000-3428.0051189
    CSCD(2)

    In the era of big data, traditional hidden hyperlink detection technology cannot quickly and accurately identify websites that encounter "hidden hyperlink attacks" among massive numbers of Web pages. To solve this problem, this paper introduces machine learning into hidden hyperlink detection, combining the characteristics of hidden hyperlink related texts, hidden hyperlink domains and the hidden structure of hidden hyperlinks. Based on the proposed method, three models are constructed and compared using Classification and Regression Tree (CART), Gradient Boosted Decision Tree (GBDT) and Random Forest (RF). Experimental results show that the proposed method has high accuracy and reliability, and the classification accuracy of the detection model constructed by RF can reach 0.984.

  • WANG Jinsong, LI Junyan, ZHANG Hongwei
    Computer Engineering. 2018, 44(10): 14-21. https://doi.org/10.19678/j.issn.1000-3428.0051296

    With the exhaustion of IPv4 addresses, the domestic network has gradually shifted from IPv4 to IPv6, which has led to the rapid expansion of large-scale network traffic based on IPv6. The security risks and attack threats faced by IPv6 networks have become an urgent problem to be solved in network development. Therefore, in an actual IPv6 network environment, the real-time acquisition of large-scale IPv6 data traffic based on the IPv6 dual protocol stack is studied, and traffic classification and routine detection of anomaly traffic are carried out. A k-means network anomaly detection algorithm based on a sliding time window is proposed. The paper designs a network abnormal traffic detection system based on the IPv6 protocol, analyzes system performance and gives test results. Experimental results show that the algorithm can effectively detect anomaly traffic in the network and provide a good experimental platform for subsequent research and anomaly detection based on IPv6 network traffic.

  • YE Shengzhao, ZHAO Bo, WEI Shuai, YIN Congyue
    Computer Engineering. 2018, 44(10): 6-13. https://doi.org/10.19678/j.issn.1000-3428.0051389

    Mimic defense techniques can effectively solve the security problems in real-time systems, but their heterogeneous redundancy increases the system delay. To solve this problem, based on the architecture of the mimic processor, a fault-tolerant scheduling algorithm for hard real-time aperiodic tasks is proposed for the dynamic heterogeneous multi-mode redundancy scenario, combining the specific voting strategy and implementing the cleaning handover tasks. Simulation results show that, compared with the static-heterogeneous-model-based DRFTS algorithm, this algorithm can improve the guarantee ratio under hard real-time conditions.

  • WU Xinghua, ZHANG Aixin, LI Jianhua
    Computer Engineering. 2018, 44(10): 1-5. https://doi.org/10.19678/j.issn.1000-3428.0048451

    In order to guarantee the integrity, confidentiality and accessibility of outsourced data, a secure data outsourcing and sharing scheme is proposed based on the vector commitment primitive and proxy re-encryption. By introducing a digital signature of the commitment value, any third party can verify the integrity of the outsourced data without the data owner and service provider being fully trusted, and the data owner can efficiently add, delete, modify, and authorize access to the outsourced data. Performance and safety analysis results show the feasibility of the scheme.