Time filter

Source Type

Zhang Y.,University of Chinese Academy of Sciences | Zhang Y.,National Engineering Research Center for Information Security | Feng D.,University of Chinese Academy of Sciences | Feng D.,CAS Institute of Software
Jisuanji Yanjiu yu Fazhan/Computer Research and Development | Year: 2010

With the development of space technology, people pay more and more attention to the use of space data. Space data cannot be accessed without any restriction. So the access control models of space data are becoming more and more important. This is also a hot spot in current research in the world. Presented in this paper is an STS-RBAC model, which is an improvement of traditional RBAC model. STS-RBAC model is based on the spatial database operations and it includes the attributes of space, time and scale. It can also be used in vector data and raster data. This model can manage the problems of multi-scale spatial objects as well. Scale, as is all known, is a basic element in the security of spatial data such as time and space. STS-RBAC model focuses on the special character of spatial data, and introduces role hierarchies based on the constraints of position and time, which guarantees the reliability in spatial database access. STS-RBAC model also defines the transmissibility and partial order in permissions, which makes it possible that authorizations can be inferred from others. This decreases the time and space when spatial database is accessed. With the help of STS-RBAC model, it is possible to access spatial data more efficiently and securely. Source

Wu D.,CAS Institute of Software | Wu D.,University of Chinese Academy of Sciences | Wu D.,Third Security | Feng D.-G.,CAS Institute of Software | And 3 more authors.
Ruan Jian Xue Bao/Journal of Software | Year: 2012

The efficiency evaluation of information system's security measures is important to improve the information system security. Conventional evaluation methods did not consider the interactivity and inter-influence of the business dataflow, attack flow, and security measures factors when evaluating system's security measures. Thus, they can not ensure the effectiveness of the evaluation process and results. An efficiency evaluating approach for information system's security measures under the given vulnerability set is presented in this paper. It employs colored Petri-Net tools to uniform modeling and simulates the interaction among the system's workflow, attack flow, and security measures. Based on this modeling method, the paper proposes an inter-nodes vulnerabilities exploiting graph generation algorithm and improves Dijkstra algorithm to identify shortest-attack-paths, which can cause damage to the information system's security attributes. Next, it constructs a hierarchical model to evaluate the effectiveness of the security measures and employs a gray multiple attributes decision-making algorithm to choose the best effectiveness-improving alternatives. By using this approach, the dependency on evaluators' subjectivity in the process of the evaluation of information system's security measures can be alleviated. Also, it helps to ensure the consistency and traceability of the evaluation results. Finally, a practical Web business system is taken as a case study to validate the correctness and effectiveness of the evaluation model. © 2012 ISCAS. Source

Chen K.,CAS Institute of Software | Chen K.,University of Chinese Academy of Sciences | Lian Y.,CAS Institute of Software | Lian Y.,National Engineering Research Center for Information Security | Zhang Y.,CAS Institute of Software
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2010

Vulnerabilities in software threaten safety of hosts. Generating patches could overcome this problem. Patches are usually generated with human intervention, which is very time-consuming and needs a lot of experience. A few heuristic methods can generate patches automatically. But they usually have high false negative and/or false positive rate. We proposed a novel solution and implemented a real system called PatchGen that can automatically generate patches for vulnerabilities. PatchGen innovatively combines several techniques: (1) It can automatically generate patches for Windows x86 binaries without any need for source code, debugging information or human intervention. (2) Attribute-based taint analysis method (ATAM) is proposed to find attack point and overflow point with no need to record or analyze program execution traces, which saves both analysis time and memory. (3) PatchGen automatically tunes the candidate position to find the most suitable position to patch. We made several experiments on PatchGen. The results show that PatchGen can successfully generate patches for buffer overflow vulnerabilities in several minutes. The running overhead of the patched applications is less than 1% in average. © 2010 Springer-Verlag. Source

Wu D.,CAS Institute of Software | Wu D.,University of Chinese Academy of Sciences | Wu D.,Third Security | Lian Y.-F.,CAS Institute of Software | And 4 more authors.
Jisuanji Xuebao/Chinese Journal of Computers | Year: 2012

Business system's security management needs to assess the system security situation by using network attack graph. It also needs to analyze the threats exploiting security vulnerabilities. Current security threat identification and analysis methods cannot handle the upper two problems very well at the same time. It cannot handle uncertainties occurred in the process of vulnerability exploiting threat analysis, either. A security threat identification and analysis method is proposed in this paper. The network attack graph is defined via Colored Petri Net (CPN) and an algorithm named NAGG is proposed to construct network attack graph based on the simulation results. We also give an algorithm named NAGD to simultaneously decompose network attack graph into several sub-attack-graphs, each corresponding to a specific vulnerability exploiting threat. The graph is loop-free and its longest attack path is limited to a certain predefined value. In order to prioritize all security threats for disposal, a vulnerability exploiting threat evaluating method named VETE is given to convert sub-attack graph into uncertain inference rule set. This method uses D-S evidence inference engine to calculate threat degree of each threat corresponding to the sub-attack-graph. At last, a typical Web application system is used as an example to validate the effectiveness of the proposed method. Source

Wang R.,University of Chinese Academy of Sciences | Wang R.,CAS Institute of Software | Su P.-R.,CAS Institute of Software | Yang Y.,CAS Institute of Software | And 3 more authors.
Tien Tzu Hsueh Pao/Acta Electronica Sinica | Year: 2011

Malware variants are one of the major challenges in malware detecting today. Obfuscation, as a most popular technology to generate these variants, can change the signatures of malware to avoid the current signature-based malware preventing method, which is a big threat to information system. This paper proposes a novel anti-obfuscate malware detecting method. By making use of dynamic taint analysis methods and trigger-based behavior processing engine, this method can abstract the essential behavior logic of malware in fine-grained and form it as signatures of a class of malware, and identify variants more precisely associated with signature merging optimizing process and fuzzy matching methods. Experiment results show that the detecting method in this paper can identify malwares and its variants efficiently. Source

Discover hidden collaborations