With the advent of the era of big data, cloud computing, Internet of things, and other information industries continue to develop. There is an increasing amount of unstructured data such as pictures, audio, and video on the Internet. And the distributed object storage system has become the mainstream cloud storage solution. With the increasing number of distributed applications, data security in the distributed object storage system has become the focus. For the distributed object storage system, traditional defenses are means that fix discovered system vulnerabilities and backdoors by patching, or means to modify the corresponding structure and upgrade. However, these two kinds of means are hysteretic and hardly deal with unknown security threats. Based on mimic defense theory, this paper constructs the principle framework of the distributed object storage system and introduces the dynamic redundancy and heterogeneous function in the distributed object storage system architecture, which increases the attack cost, and greatly improves the security and availability of data.

Hardware Trojans in integrated circuit chips have the characteristics of being covert, destructive, and difficult to protect, which have seriously endangered the security of the chips themselves and the information systems to which they belong. Existing solutions generally rely on passive detection techniques. In this paper, a hardware Trojans active defense mechanism is designed for network switching chips based on the principle of encryption algorithm. By encoding the data entering the chip, the argot hidden in the data cannot trigger the hardware Trojans that may exist in the chip, so that the chip can work normally even if it is implanted with a hardware Trojans. The proposed method is proved to be effective in preventing hardware Trojans with different trigger characteristics by simulation tests and practical tests on our secure switching chip.

As an active defenses technique, multi-variant execution(MVX) can detect attacks by monitoring the consistency of heterogeneous variants with parallel execution. ompared with patch-style passive defense, MVX can defend against known and even unknown vulnerability-based attacks without relying on attack feature information. However, variants generated with software diversity technologies will introduce new vulnerabilities when they execute in parallel. First, we analyze the security of MVX theory from the perspective of formal description. Then we summarize the general forms and techniques for attacks against MVX, and analyze the new vulnerabilities arising from the combination of variant generation technologies. We propose SecMVX, a secure MVX architecture and variant generation technology. Experimental evaluations based on CVEs and SPEC 2006 benchmark show that SecMVX introduces 11.29% of the average time overhead, and avoids vulnerabilities caused by the improper combination of variant generation technologies while keeping the defensive ability of MVX.

The 5G IoT (Internet of Things, IoT) is easier to implement in location privacy-preserving research. The terminals in distributed network architecture blur their accurate locations into a spatial cloaking region but most existing spatial cloaking algorithms cannot work well because of man-in-the-middle attacks, high communication overhead, time consumption, and the lower success rate. This paper proposes an algorithm that can recommend terminal’s privacy requirements based on getting terminal distribution information in the neighborhood after cross-layer authentication and therefore help 5G IoT terminals find enough collaborative terminals safely and quickly. The approach shows it can avoid man-in-the-middle attacks and needs lower communication costs and less searching time than 520ms at the same time. It has a great anonymization success rate by 93% through extensive simulation experiments for a range of 5G IoT scenarios.

Adaptive packet scheduling can efficiently enhance the performance of multipath Data Transmission. However, realizing precise packet scheduling is challenging due to the nature of high dynamics and unpredictability of network link states. To this end, this paper proposes a distributed asynchronous deep reinforcement learning framework to intensify the dynamics and prediction of adaptive packet scheduling. Our framework contains two parts: local asynchronous packet scheduling and distributed cooperative control center. In local asynchronous packet scheduling, an asynchronous prioritized replay double deep Q-learning packets scheduling algorithm is proposed for dynamic adaptive packet scheduling learning, which makes a combination of prioritized replay double deep Q-learning network (P-DDQN) to make the fitting analysis. In distributed cooperative control center, a distributed scheduling learning and neural fitting acceleration algorithm to adaptively update neural network parameters of P-DDQN for more precise packet scheduling. Experimental results show that our solution has a better performance than Random weight algorithm and Round--Robin algorithm in throughput and loss ratio. Further, our solution has 1.32 times and 1.54 times better than Random weight algorithm and Round--Robin algorithm on the stability of multipath data transmission, respectively.

Software-Defined Networking (SDN) provides flexible and global network management by decoupling control plane from data plane, and multiple controllers are deployed in the network in a logically centralized and physically distributed way. However, the existing approaches generally deploy the controllers with the same type in the network, which easily causes homogeneous controller common-mode fault. To this end, this paper proposes heterogeneous controller deployment in the SDN, considering the different types of controllers and relevant criteria (e.g., delay, control link interruption rate, and controller fault rate). Then, we introduce a Safe and Reliable Heterogeneous Controller Deployment (SRHCD) approach, consisting of two stages. Stage 1 determines the type and the number of heterogeneous controllers required for the SDN network based on the dynamic programming. Stage 2 divides the SDN network into multiple subnets by k-means algorithm and improves the genetic algorithm to optimize the heterogeneous controller deployment in these SDN subnets to ensure reliable switch-controller communications. Finally, the simulation results show that the proposed approach can effectively reduce the control plane fault rate and increase the attack difficulties. Besides, the switch- controller delay has been lowered by 16.5% averagely.

Trapdoor is a key component of public key cryptography design which is the essential security foundation of modern cryptography. Normally, the traditional way in designing a trapdoor is to identify a computationally hard problem, such as the NPC problems. So the trapdoor in a public key encryption mechanism turns out to be a type of limited resource. In this paper, we generalize the methodology of adversarial learning model in artificial intelligence and introduce a novel way to conveniently obtain sub-optimal and computationally hard trapdoors based on the automatic information theoretic search technique. The basic routine is constructing a generative architecture to search and discover a probabilistic reversible generator which can correctly encoding and decoding any input messages. The architecture includes a trapdoor generator built on a variational autoencoder (VAE) responsible for searching the appropriate trapdoors satisfying a maximum of entropy, a random message generator yielding random noise, and a dynamic classifier taking the results of the two generator. The evaluation of our construction shows the architecture satisfying basic indistinguishability of outputs under chosen-plaintext attack model (CPA) and high efficiency in generating cheap trapdoors.

Based on the diversified technology and the cross-validation mechanism, the N-variant system provides a secure service architecture for cloud providers to protect the cloud applications from attacks by executing multiple variants of a single software in parallel and then checking their behaviors' consistency. However, it is complex to upgrade current Software as a Service (SaaS) applications to adapt N-variant system architecture. Challenges arise from the inability of tenants to adjust the application architecture in the cloud environment, and the difficulty for cloud service providers to implement N-variant systems using existing API gateways. This paper proposes SecIngress, an API gateway framework, to overcome the challenge that it is hard in the cloud environment to upgrade the applications based on N-variants system. We design a two-stage timeout processing method to lessen the service latency and an Analytic Hierarchy Process Voting under the Metadata mechanism (AHPVM) to enhance voting accuracy. We implement a prototype in a testbed environment and analyze the security and performance metrics before and after deploying the prototype to show the effectiveness of SecIngress. The results reveal that SecIngress enhances the reliability of cloud applications with acceptable performance degradation.

Fuzzing is an effective technique to find security bugs in programs by quickly exploring the input space of programs. To further discover vulnerabilities hidden in deep execution paths, the hybrid fuzzing combines fuzzing and concolic execution for going through complex branch conditions. In general, we observe that the execution path which comes across more and complex basic blocks may have a higher chance of containing a security bug. Based on this observation, we propose a hybrid fuzzing method assisted by static analysis for binary programs. The basic idea of our method is to prioritize seed inputs according to the complexity of their associated execution paths. For this purpose, we utilize static analysis to evaluate the complexity of each basic block and employ the hardware trace mechanism to dynamically extract the execution path for calculating the seed inputs' weights. The key advantage of our method is that our system can test binary programs efficiently by using the hardware trace and hybrid fuzzing. To evaluate the effectiveness of our method, we design and implement a prototype system, namely SHFuzz. The evaluation results show SHFuzz discovers more unique crashes on several real-world applications and the LAVA-M dataset when compared to the previous solutions.