Review for personal use, the content is quite complicated~
Cyberspace Security Overview
Information Age and Information Security
There is no national security without network security, and there is no modernization without informatization.
Information Age and Information Security: Information technology and industry are experiencing unprecedented prosperity, and the information security situation is grim.
Features: Information has become an important strategic resource, and quantum information technology is developing rapidly
New Moore's Law: Chip integration/CPU processing power doubles every 18 months; Internet network development speed doubles every 6 months; IT industry talents are updated every 18 months
Gilder's Law: Backbone network communication bandwidth doubles every 6 months
The Thousand-fold Law: High-performance computing power increases 1,000 times every 10 years
Current situation: Insufficient strategic planning, lack of information security legislation, security awareness that needs to be strengthened, and relatively backward professional education. Cyberspace capabilities reflect a country's overall competitiveness in future cyberspace, and maintaining the prosperity and security of cyberspace will be the basic mission of every country. "Personal Information Protection Law" in August 2021; "Three-Year Action Plan for High-Quality Development of the Cybersecurity Industry (2021-2023) (Draft for Comment)" in July 2021; under the "14th Five-Year Plan" my country will strengthen the national security system and capacity building, and comprehensively strengthen the network security system and capacity building.
The information security situation is severe: sabotage by hostile forces, hacker attacks, virus intrusions, use of computers to commit economic crimes, proliferation of harmful content on the Internet, serious privacy protection issues, information warfare and cyber warfare, and new challenges arising from scientific and technological progress; gaps in core technologies in the information field add to the severity
Relevant national policies and measures
May 28 Academician Conference of the two academies/The 10th National Congress of the China Association for Science and Technology: Key core and cutting-edge areas of high-end chips and integrated circuits
On March 1, the Ministry of Industry and Information Technology: Increase tax cuts for integrated circuit companies, further strengthen and enhance the foundation of the chip industry, and provide a good ecological environment for the integrated circuit industry
16th CPC National Congress: Information security is an important part of national security
The 18th National Congress of the Communist Party of China: Pay close attention to ocean, space, and cyberspace security
On February 27, 2014, the Central Network Security and Informatization Leading Group was announced.
On December 31, 2015, the Strategic Support Force was established
On November 7, 2016, the "Cybersecurity Law" was passed and came into effect on June 1, 2017.
In December 2016, the Cyberspace Administration of China issued the National Cyberspace Security Strategy
On March 1, 2017, the Ministry of Foreign Affairs and the Cyberspace Administration of China issued the National Cyberspace International Cooperation Strategy.
On October 18, 2017, the 19th National Congress of the Communist Party of China called for accelerating the construction of an innovative country and a powerful cyber nation to ensure the security of our country’s cyberspace.
On March 21, 2018, the Central Cybersecurity and Informatization Leading Group was reorganized into the Central Cybersecurity and Informatization Commission.
On October 26, 2019, the Cryptography Law was passed
A brief discussion on the subject of cyberspace security
Cyberspace: first proposed in 1982 as a virtual information space created by computers. 2008, United States: cyberspace is a global domain in the information environment. My country: cyberspace is the information environment that people rely on to survive in the information age, and is a collection of all information systems
Information security: Information is the basic need for its living environment; the system is the carrier, information is the connotation, and information cannot exist without the system; information only has three states: storage, transmission, and processing.
Equipment security: the material basis of information systems, the primary issue of information system security; stability, reliability, availability
Data Security: Avoid unauthorized disclosure, tampering, destruction; Confidentiality, Integrity, Availability
Behavioral safety: Examine the process and results of the subject’s behavior; confidentiality, integrity, controllability
Content safety: The requirement at the political, legal and moral level is security at the semantic level; it is politically healthy, the content is legal, and the content is ethical.
Security measures: System engineering, hardware system and operating system security are the foundation, cryptography technology and network security technology are the key
three laws
Universality: Where there is information, there is information security
Compromise: Safety and convenience are a contradiction
Lowest level prevails: Information system security depends on the security of the weakest part
Discipline: Research on information security issues in information acquisition, information storage, information transmission, and information processing
Cryptography: Cryptographic coding (encoding information to achieve information concealment) and cryptanalysis (obtaining the corresponding plaintext from ciphertext). Topics: symmetric cryptography, public key cryptography, hash functions, cryptographic protocols, biological cryptography, quantum cryptography, chaos cryptography, key management, cryptography applications
Network security: Take protective measures at all levels and scopes of the network to detect and discover various security threat models and take corresponding response measures. Topics: network security threats, communications security, protocol security, network protection, intrusion detection and situational awareness, emergency response and disaster recovery, trusted networks, network security management
System security: Consider security threats and protection from the perspective of the overall system. Topics: system security threats, system equipment security, hardware subsystem security, software subsystem security, access control, trusted computing, system security evaluation and certification, system security level protection, application information system security
Information content security: requirements at the political, legal and moral level. Topics: content security threats, content acquisition, content analysis and identification, content management, information hiding, privacy protection, legal safeguards for content security
Information confrontation: The essence is that the two parties use electromagnetic waves and information to compete for the effective use and control of the electromagnetic spectrum and information. Topics: communication confrontation, radar confrontation, photoelectric confrontation, and computer network confrontation
Theoretical basis
Mathematics: Logic is the theoretical basis for network protocol security; Game Theory
Information theory: the theoretical basis of cryptography and information hiding
Systems theory: overall concept, barrel principle
Cybernetics: How dynamic systems maintain a stable state under changing environments; PDR strategies (protect-detect-response)
Computational theory (computability, computational complexity): Theoretical foundations of cryptography and information system security
cryptography, access control theory
Methodological basis: theoretical analysis, reverse analysis, experimental verification, technical implementation. Adhere to the people-centered approach, emphasize the underlying and systematic nature, combine qualitative analysis with quantitative analysis, and implement comprehensive governance
Cyberspace security laws and regulations
Information security laws and regulations: a necessary link in the information security assurance system; they clarify the basic principles and basic systems of information security, information-security-related behavioral norms, the rights and obligations of all parties in information security, and the behaviors that violate information security, and specify the corresponding penalties for these behaviors
Information security standards: Technical specifications and technical basis to ensure the consistency, reliability, and controllability of information security products and systems in the design, research and development, production, construction, use, and evaluation.
Major standardization organizations: IEC International Electrotechnical Commission, ISO International Organization for Standardization, SC27 (JTC1, First Joint Technical Committee); TC260 National Information Security Standardization Technical Committee, CSTC Cryptography Industry Standardization Technical Committee
"Measures for the Administration of the Hierarchical Protection of Information Systems Involving State Secrets" is divided into secret level, confidential level, and top secret level; the State Administration of Secrecy is the competent authority for the hierarchical protection of confidential information systems.
The core of the "Basic Requirements for Information System Security Level Protection" is hierarchical protection; the content can be divided into system rating, system filing, construction rectification, rating evaluation, and supervision and inspection.
Commercial cryptographic standards
ZUC: Adopted by 3GPP LTE in September 2011 as a 4th generation mobile communication encryption standard; national cryptography industry standard in March 2012; national standard in October 2016
SM2 elliptic curve public key cryptography algorithm, SM9 identity-based cryptography algorithm: the digital signature parts became ISO international standards in November 2017
Basics of cryptography
Overview of cryptography
classical cipher
| Cipher | Type | Problem |
| --- | --- | --- |
| Caesar cipher | Monoalphabetic (single-table) substitution | Can be broken by exhaustive search |
| Vigenère cipher | Polyalphabetic (multi-table) substitution | The common factor of the intervals between repeated letter groups reveals the key length |
| Playfair cipher | Multi-letter substitution | Can be broken by digram (two-letter) frequency analysis |
| Grid transposition / rectangular transposition | Transposition | Fully preserves character statistics |
| Vernam cipher | One-time pad | The workload is huge and key distribution is difficult |
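The "common factor of the intervals" weakness noted for the Vigenère cipher is the Kasiski examination. The following is an added example, not part of the original notes; the key `ABCD` and both sample plaintexts are constructed for illustration. It shows that one repeated word leaves several candidate lengths, while a second repeat distance narrows them.

```python
"""Kasiski examination of a Vigenere ciphertext (added teaching example)."""
from collections import defaultdict
from functools import reduce
from math import gcd

A = ord("A")

# Constructed sample inputs (not from the original notes).
SAMPLE_KEY = "ABCD"
SAMPLE_1 = "CRYPTO IS SHORT FOR CRYPTOGRAPHY"    # one repeated word, 16 letters apart
SAMPLE_2 = "DATA MUST STAY DATA SAFE DATA LOSS"  # repeats 12 and 8 letters apart


def vigenere_encrypt(plaintext: str, key: str) -> str:
    """Encrypt the letters of plaintext with a repeating key; non-letters are dropped."""
    letters = [c for c in plaintext.upper() if "A" <= c <= "Z"]
    shifts = [ord(k) - A for k in key.upper()]
    return "".join(
        chr((ord(c) - A + shifts[i % len(shifts)]) % 26 + A)
        for i, c in enumerate(letters)
    )


def repeat_distances(ciphertext: str, seg_len: int = 3) -> list:
    """Distances between consecutive occurrences of every repeated seg_len-gram."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - seg_len + 1):
        positions[ciphertext[i:i + seg_len]].append(i)
    distances = []
    for pos in positions.values():
        distances.extend(b - a for a, b in zip(pos, pos[1:]))
    return distances


def kasiski(ciphertext: str, seg_len: int = 3, max_len: int = 20):
    """Return (gcd of all distances, best-supported candidate key lengths).

    A plaintext fragment that repeats at a multiple of the key length is
    encrypted with the same key letters, so the ciphertext repeats too and
    the key length divides the distance. The plain GCD is spoiled by a single
    accidental repeat, so candidates are also ranked by how many distances
    each length divides.
    """
    distances = repeat_distances(ciphertext, seg_len)
    if not distances:
        return 0, []
    common = reduce(gcd, distances)
    votes = {k: sum(d % k == 0 for d in distances) for k in range(2, max_len + 1)}
    best = max(votes.values())
    if best == 0:
        return common, []
    return common, [k for k, v in votes.items() if v == best]


if __name__ == "__main__":
    for text in (SAMPLE_1, SAMPLE_2):
        ct = vigenere_encrypt(text, SAMPLE_KEY)
        print(ct, repeat_distances(ct), kasiski(ct))
```

The true key length is always among the candidates; on longer ciphertexts the remaining ambiguity is resolved by frequency analysis of each key-position column.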
The theoretical foundation of modern cryptography: Shannon's "Communication Theory of Secrecy Systems" in 1949, a new direction in information theory research on cryptography, laid the foundation of modern cryptography theory
Mathematical model of secure communication system
Distinguish between information confidentiality (encryption processing) and information hiding (hidden information existence form)
Duality between cryptographic systems and communication systems
Combination (the combination of simple cryptosystems to construct a complex system); Diffusion (each bit of plaintext and key affects as many bits of ciphertext as possible, concealing statistical characteristics); Confusion (minimization of statistical correlation)
Theoretical foundation of cryptography: large integer decomposition, modular arithmetic, finite fields, (extended) Euclidean algorithm, CRT (Chinese Remainder Theorem), elliptic curve
cryptographic algorithm
Sequence (stream) cipher: A finite state automaton generates a pseudo-random sequence; the encryption and decryption processes are identical and mutually inverse; security depends on the strength of the random sequence
Block cipher: Output blocks are of equal length, in line with Shannon's cipher design ideas (diffusion, confusion). Design requirements: the block length is large enough, the key length is large enough, the algorithm is complex enough, the encryption and decryption algorithms are simple and easy to implement in software/hardware, there is no data expansion, and error propagation is as small as possible
Public key cryptography: solves the problem of key release and management; security relies on mathematical problems, encryption and decryption speed is slow; used for symmetric encryption key exchange, message encryption, digital signature
RSA: Large integer factorization puzzle
Rabin: Problem of computing square roots modulo a composite number
ElGamal: Discrete Logarithm Problem (DLP)
ECC: Elliptic Curve Discrete Logarithm Problem (ECDLP)
Chinese cryptography: SM1 block cipher (symmetric), SM2 elliptic curve public key, SM3 hash function, SM4 block cipher (symmetric), SM7 block cipher (symmetric), SM9 identity-based (bilinear pairings), ZUC stream cipher (symmetric)
New developments in cryptography
Identity-based public key: the user private key is generated through a trusted third party (PKG); better solves the complex problem of PKI certificate management; widely used in secure email and Ad Hoc network key management. Disadvantages: key escrow has security issues. Advantages: no public key certificate required, no certificate authority required
Attribute-based public key cryptography: encryption, attribute authority (AA); signature, developed from fuzzy identity signature, with anonymity; effectively realizes non-interactive fine-grained access control
Homomorphic cryptography: secure cloud computing and delegated computing, remote file storage. Advantages: a party without the key can perform the computation. Disadvantages: only single-bit encryption is achieved (low efficiency), the hardness assumptions have not been demonstrated, and additional noise elimination algorithms are required (not naturally homomorphic)
Quantum-resistant cryptography: based on physics, biological DNA, and difficult mathematical problems
Lightweight cryptography: Customized cipher solutions for resource-constrained devices; requires low storage and computing overhead, low energy consumption, and a certain degree of security
Main research directions in cryptography
Basic cryptography theory, symmetric cryptography design and analysis, public key cryptography design and analysis, cryptographic protocol design and analysis, new cryptography design and analysis
Potential threats: eavesdropping, traffic analysis, operator inadvertent information leakage, media waste causing information leakage
Protective measures: physical security, personnel security, management security, media security, radiation safety, life cycle control
Security attacks: Passive attacks (information leakage, traffic analysis), active attacks (masquerade attacks, replay attacks, message tampering, denial of service)
Network attacks
Password theft. Guessing attacks: use known or assumed passwords to try to log in, make guesses based on stolen password files, eavesdrop on a session between legitimate terminals and record the password used. Solution to these weaknesses: token-based mechanisms such as OTP (One-Time Password). Defense: prevent the selection of weak passwords, strictly protect password files
Spoofing Attacks: Phishing Emails
Flaws and backdoor attacks. Network worm propagation: sending new code to the daemon, injecting large amounts of data into the read buffer. Buffer overflow attack (stack smashing): disturbs the program; pointer confusion occurs when code is executed on the stack. Defect: some code in the program cannot meet specific needs; take corresponding steps to reduce the possibility of occurrence
Authentication failure: invalidating the identity authentication measures taken by the system for visitors, and the server is deceived by the attacker
Protocol flaws: TCP sequence number attacks, DNS and RPC protocol sequence number attacks, IEEE802.11 WEP protocol flaws
Information leakage: Finger protocol, DNS
Exponential attack: Use programs to quickly copy and spread, worms (programs spread by themselves), viruses (spread by relying on other programs)
Denial of Service: Excessive use of services, exhaustion of software or hardware resources, or exceeding network connection capacity, causing shutdown, system paralysis or reduced service quality. DDoS (Distributed Denial-of-Service): Trojans are injected into many undefended hosts on the network, which launch attacks simultaneously according to instructions
Security services: Authentication (peer entity authentication, data origin authentication), access control, data confidentiality (connection confidentiality, connectionless confidentiality, selective field confidentiality, traffic flow confidentiality), data integrity (connection integrity with recovery, connection integrity without recovery, selective field connection integrity, connectionless integrity), non-repudiation (non-repudiation at the source, non-repudiation at the destination)
Security mechanisms. General: trusted functionality, security labels, event detection, security audit trail, security recovery. Specific (can be embedded in the appropriate OSI layer): encryption, digital signature, access control, data integrity, authentication exchange, traffic padding, routing control, notarization
ISO OSI model: Physical layer (1), data link layer (2), network layer (3), transport layer (4), session layer (5), presentation layer (6), application layer (7)
Network security protection technology
Firewall: Filters the data flows in and out of the network boundary according to access control rules
Security policy requirements: All incoming and outgoing network data flows must pass through the firewall, only authorized data flows are allowed to pass through the firewall, and the firewall itself is immune to intrusions
Development: first-generation packet filtering, second-generation circuit-level gateway, third-generation application-level gateway, fourth-generation dynamic packet filtering, fifth-generation kernel proxy or adaptive proxy, sixth-generation unified threat management (UTM: anti-virus, firewall, IDS)
Category: Packet filtering, circuit-level gateway, application-level gateway
Firewall design structure
Static packet filtering: Receive data packets, use filtering rules to check the IP header and transmission field content (data source address, destination address, application or protocol, source port number, destination port number), if no rule matches, the default rule will be applied
Dynamic packet filtering: Dynamically maintains established connections and rule tables, records the identity of data packets, and can distinguish new connections from established connections. Changes the normal packet filter rule set in real time, or forwards data packets in a way similar to a circuit-level gateway
Circuit-level gateway: usually records and caches data as part of the application proxy server, uses a C/S structure to filter and forward data packets, and works at the session layer. IP data packets do not realize end-to-end flow.
Application-level gateway: The proxy server acts at the application layer, inspects and filters data packets one by one, and runs a proxy for each service. It is currently one of the most secure firewall structures.
Stateful inspection packet filtering: Understands and learns various protocols and applications, collects state information from the application process and stores it in the state table. The detection module is located in the system kernel and analyzes the data packets before they reach the gateway.
Switch proxy: Acts as a circuit-level proxy when establishing a connection to verify the three-way handshake recommended by RFC, switches to dynamic packet filtering to start data transmission
Air gap (physical isolation): Cut off direct connection, exchange data through high-speed hard disk reading and writing SCSI interface
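The difference between static and dynamic packet filtering described in the list above, as an added example that is not part of the original notes. The rule format, class names and all addresses are constructed for illustration, and the connection table is simplified (no TCP flag tracking, no timeouts).

```python
"""Static vs. dynamic packet filtering (added teaching example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None     # None matches any value
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


class StaticFilter:
    """Checks header fields only; the first matching rule wins, else the default rule."""

    def __init__(self, rules, default="deny"):
        self.rules = list(rules)
        self.default = default

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default


class DynamicFilter(StaticFilter):
    """Adds a table of established connections on top of the static rules."""

    def __init__(self, rules, default="deny"):
        super().__init__(rules, default)
        self.connections = set()

    def decide(self, p: Packet) -> str:
        forward = (p.src, p.dst, p.proto, p.sport, p.dport)
        reverse = (p.dst, p.src, p.proto, p.dport, p.sport)
        if forward in self.connections or reverse in self.connections:
            return "allow"              # belongs to an established connection
        action = super().decide(p)      # new connection: consult the rule set
        if action == "allow":
            self.connections.add(forward)
        return action


# Constructed sample policy and traffic.
INSIDE = "10.0.0.0/24"
OUTBOUND_HTTPS = Rule("allow", src=INSIDE, proto="tcp", dport=443)
# Static workaround for replies: trusts the source port, which the sender controls.
REPLY_WORKAROUND = Rule("allow", dst=INSIDE, proto="tcp", sport=443)
REQUEST = Packet("10.0.0.5", "198.51.100.7", "tcp", 50123, 443)
REPLY = Packet("198.51.100.7", "10.0.0.5", "tcp", 443, 50123)
UNSOLICITED = Packet("203.0.113.9", "10.0.0.8", "tcp", 443, 22)


def demo() -> dict:
    strict = StaticFilter([OUTBOUND_HTTPS])
    loose = StaticFilter([OUTBOUND_HTTPS, REPLY_WORKAROUND])
    dynamic = DynamicFilter([OUTBOUND_HTTPS])
    return {
        "strict": [strict.decide(p) for p in (REQUEST, REPLY, UNSOLICITED)],
        "loose": [loose.decide(p) for p in (REQUEST, REPLY, UNSOLICITED)],
        "dynamic": [dynamic.decide(p) for p in (REPLY, REQUEST, REPLY, UNSOLICITED)],
    }


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(name, decisions)
```

The strict static policy blocks legitimate replies, the static workaround admits any inbound packet that claims source port 443, and the dynamic filter admits the reply only after the matching outbound request has been seen.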
Intrusion: illegally obtaining system control, using system vulnerabilities to collect information, and destroying information systems
Intrusion detection: detects unauthorized access to the system, monitors the system running status to ensure the confidentiality, integrity and availability of resources, and identifies illegal attacks on the system
Detection development: intrusion detection concept, intrusion detection expert system, new IDES, network security monitor
Intrusion detection system tasks
Information collection: system and network log files, abnormal changes in directories and files, abnormal behavior in program execution, physical form of intrusion information
Information analysis: pattern matching, statistical analysis (operating model, variance, multivariate model, Markov process model, time series analysis), integrity analysis
NIDS (network-based): intercept packets, extract features and compare with known attack signatures in the knowledge base
HIDS (host-based): Monitoring and analysis of logs and audit records to detect misuse after attacks
DIDS (distributed): NIDS+HIDS
Detection strategy
Misuse Detection: Collecting information and comparing it to a database
Anomaly detection: Measured property averages compared to system behavior
Integrity analysis: whether it has been tampered with
Anomaly detection principle: Assume that the attack is significantly different from normal legitimate behavior. Methods: statistics, feature selection, Bayesian inference, Bayesian network, pattern prediction
NIDS: The network adapter runs in promiscuous mode to monitor and analyze all traffic passing through the network. Technologies: attack pattern/expression/byte matching, correlation of low-level events, frequency or threshold crossing, statistically unusual phenomena. Advantages: low cost of ownership, ability to detect unsuccessful attack attempts, difficulty for attackers to remove evidence, real-time detection and response, operating system independence. Principle: inspects packet header information and payload content
VPN: Networks physically distributed in different locations are connected through a public network to form a logical virtual subnet. Features: low cost, security, quality of service (QoS), scalability and flexibility, manageability. Category: gateway to gateway, remote access. Key technologies: tunnel technology, encryption and decryption technology, key management technology, identity authentication technology, access control
IPSec: A Layer 3 tunnel encryption protocol that ensures the security and confidentiality of uploaded data. Principle: the gateway decides how to handle received IP data packets by querying the SPD (Security Policy Database): forward, drop, or apply IPSec processing. Working mode: AH authentication, ESP encapsulation; transport mode, tunnel mode (generates a new IP header)
Computer virus (Article 28 of the "Computer Information System Security Protection Regulations"): a set of computer instructions or program code compiled in or inserted into a computer program that destroys computer functions or destroys data, affects the use of the computer, and can replicate itself. Characteristics: destructive, contagious, covert. Category: Trojan type, infection type, worm type, backdoor type, malware. Detection development: single dedicated removal tools with simple signature scanning; comprehensive anti-virus software with broad-spectrum signature scanning plus active defense and interception; Internet-based scanning using cloud/artificial intelligence/big data technology. Detection principle: sampling, matching, benchmark
Virus detection technology
Signature (feature code): fixed sampling position, precise matching method; simple technology, easy to implement, accurate detection and removal; slow, and unable to detect and remove unknown viruses
Behavior: Better detection capabilities for hidden viruses, and can kill unknown viruses
Cloud technology: Matching and benchmarking are performed in the cloud; response speed is fast and terminal resource usage is reduced
Big Data and Artificial Intelligence: Matching and benchmarking are done in the cloud; known and unknown viruses can be matched based on models
Vulnerability scanning: identify security risks and implement targeted protection or patching. Category: 1day (the latest vulnerabilities discovered and disclosed), Nday (historical vulnerabilities disclosed), 0day (undisclosed vulnerabilities). Vulnerability management standards: MITRE CVE, CWE, NIST NVD, Symantec BUGTRAQ; CNNVD, CNCVE, CNVD
Scanning effect depends on factors
Is the vulnerability POC public? Proof of principle for the existence of common vulnerabilities
System fingerprint information collection accuracy: In principle, by identifying the target system, you can determine whether the corresponding vulnerability exists
Whether the vulnerability EXP exists: According to the principle of general vulnerabilities and defects, exploit them according to the corresponding instances.
Scanning Technology Classification
System scan: POC principle (EXP) verification, version detection; operating system, network equipment, protocol/port, service application
Survival judgment: detect whether the target system is alive
Port scan: Detect the ports enabled by the host
System and service identification: black-box testing; the system is identified by fingerprinting the form of its responses to various probes
Vulnerability detection: Based on the identified system and service information, call the built-in or user plug-in password dictionary to guess the password, and start a remote non-login vulnerability scan at the same time
Principle detection: Send a request to the relevant port of the target machine to construct a special data packet, and judge based on the returned result.
Version detection: System scanning is implemented in accordance with the vulnerability standard library, and there is a correlation between vulnerabilities and system versions.
Cybersecurity Engineering and Management
Security level protection: Article 21 of the "Cybersecurity Law" The network is divided into five levels of security protection
| Level | Legitimate rights and interests of relevant citizens, legal persons, and other organizations | Social order and public interest | National security | Network level |
| --- | --- | --- | --- | --- |
| Level 1 | Damage | Not harmful | Not harmful | General network |
| Level 2 | Serious damage | Harm | Not harmful | General network |
| Level 3 | Extremely serious damage | Serious harm | Harm | Important network |
| Level 4 | - | Particularly serious hazard | Serious harm | Particularly important network |
| Level 5 | - | - | Particularly serious hazard | Extremely important network |
Security rating process: Determine the rating object → Determine the object affected when business information (system service) is damaged → Comprehensive assessment of the degree of infringement on the object → Business information (system service) security level → Determine the security protection level of the rated protection object
Network security management: Integrate scattered network security technical factors and human factors through policy and rule coordination to serve the goal of network security.
"Law on the Protection of State Secrets" State secrets are a form of information expression of national security and interests, and are also an important strategic resource of the country; leakage will directly endanger national security and directly damage the fundamental interests of the broad masses of the people; keeping state secrets is a state act. National responsibility; confidentiality capability is an important manifestation and guarantee of national capabilities
ISMS (cybersecurity management system): ISO/IEC 2700X standards. The ISO/IEC 27002 standard covers 14 aspects of management control strategy: network security strategy, network security organization, human resources security, asset management, access control, cryptography, physical and environmental security, operational security, communications security, system acquisition, development and maintenance, supplier relations, cybersecurity incident management, cybersecurity aspects of business continuity management, compliance
Network security incident classification (GB/Z 20986-2007 "Information Security Technology Information Security Incident Classification and Grading Guidelines"): harmful program incidents, network attack incidents, information destruction incidents, information content security incidents, equipment and facility failures, catastrophic events, other cybersecurity incidents
Grading of cybersecurity incidents ("National Cybersecurity Incident Emergency Plan"): extremely major incidents (Level I), major incidents (Level II), relatively major incidents (Level III), general incidents (Level IV)
Information system disaster recovery: the recovery of information systems from failure or paralysis caused by disasters to a normal usable state. Key processes: demand determination, strategy formulation, strategy implementation, plan formulation, and implementation management
Emerging network and security technologies
Industrial Internet: An open global industrial network platform that closely integrates all parties. Security challenges: security protection measures are relatively lagging behind; traditional attack methods are more harmful; attacks on multiple types of different systems are integrated; there are more entrances. Security protection: security personnel training, security requirement formulation and implementation plan, security hardware and software design, security solution deployment, information feedback, testing and upgrade
Mobile Internet: Based on mobile communication technology. Components: terminal technology, communication network, application, related technology
Internet of Things: Perception and identification layer, network construction layer, management service layer, comprehensive application layer. Security issues: communication compatibility check, personal privacy leakage, rigid architecture, high cost of multi-agent collaboration, equipment security issues
System security basics
System Security Overview
System: A unified whole composed of interacting or interdependent elements or components, internally composed of its constituent elements and externally represented by its environment
Reductionism: decomposes the system into its component parts; Holism: treats the system as a complete unity
Comprehensive properties: properties that can be decomposed into those of component parts; Emergent properties: properties that are irreducible to component parts
Operating systems: process management, memory management, device management, file management, processor management
Systems engineering: a collection of technical processes (applying analysis and design principles to build systems) and non-technical processes (ensuring the smooth implementation of system construction projects through engineering management), with associated activities and tasks covering the system life cycle
System security engineering: strives to ensure the security of the system throughout the entire system life cycle
System security thinking: use holism to analyze security issues, measure system security throughout the system's life cycle, and establish and maintain system security through system security engineering measures
System security principles
Basic principles of system security
Restrictive principles: principle of least privilege, fail-safe default principle, full arbitration principle, separation of privileges principle, trust minimization principle
Principle of simplicity: principle of mechanism economy, principle of minimization of public mechanisms, principle of minimum surprise
Methodological principles: open design principle, hierarchical principle, abstraction principle, modularity principle, complete association principle, design iteration principle
Threat Modeling: The process of identifying potential security threats and examining risk mitigation pathways
threat (intention), threat (possibility), safety (avoid or defend against)
Purpose: To clarify the essential characteristics of the system, the basic situation of potential attackers, the most likely attack angles, and the benefits that attackers most want to obtain, and provide defenders with the opportunity to analyze the system and control or defensive measures that should be taken.
Main questions: What is the weakest point to be attacked; what are the most relevant attacks; what should be done to counter these attacks
Main links: Outline the abstract model of the system, visually represent the model, identify and enumerate potential threats, and formulate risk mitigation countermeasures
Security constraint: $(s,o,p)$, i.e. subject, object, operation; $p=\{{\rm read, copy, modify, execute}\}$
Access control matrix policy (identity-based discretionary access control): build the access control matrix directly for users
Role allocation scheme (role-based access control): construct the access control matrix after assigning roles to users
Subject-object level allocation scheme (label-based mandatory access control): after assigning confidentiality levels to subjects and to objects, build the access control matrix
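The three schemes above all end in the same access control matrix over $(s,o,p)$; the following added example (not part of the original notes) builds it each way. The subjects, objects, roles and levels are constructed, and the label rule used for the mandatory scheme (no read up, no write down) is an assumption, since the notes only say that levels are assigned.

```python
from itertools import product

OPS = ("read", "copy", "modify", "execute")   # the operation set p in the notes
SUBJECTS = ("alice", "bob", "carol")          # constructed sample subjects
OBJECTS = ("payroll.db", "report.txt")        # constructed sample objects


def empty_matrix():
    # Fail-safe default: every (subject, object) cell starts with no operations.
    return {(s, o): set() for s, o in product(SUBJECTS, OBJECTS)}


def matrix_from_identity(grants):
    """Identity-based DAC: each (s, o, p) triple is granted to a user directly."""
    m = empty_matrix()
    for s, o, p in grants:
        if p not in OPS:
            raise ValueError(f"unknown operation: {p}")
        m[(s, o)].add(p)
    return m


def matrix_from_roles(user_roles, role_perms):
    """RBAC: users get roles, roles get (object, operation) pairs, the matrix is the join."""
    m = empty_matrix()
    for s, roles in user_roles.items():
        for role in roles:
            for o, p in role_perms[role]:
                m[(s, o)].add(p)
    return m


def matrix_from_labels(subject_level, object_level):
    """Label-based MAC. Assumed rule: observing operations need subject level >=
    object level (no read up); modify needs subject level <= object level (no write down)."""
    m = empty_matrix()
    for s, o in m:
        if subject_level[s] >= object_level[o]:
            m[(s, o)] |= {"read", "copy", "execute"}
        if subject_level[s] <= object_level[o]:
            m[(s, o)].add("modify")
    return m


def allowed(matrix, s, o, p):
    # Every request is checked against the matrix; unknown subjects get nothing.
    return p in matrix.get((s, o), set())


# Constructed policies, one per scheme.
DAC = matrix_from_identity([
    ("alice", "payroll.db", "read"),
    ("alice", "payroll.db", "modify"),
    ("bob", "report.txt", "read"),
])
RBAC = matrix_from_roles(
    {"alice": ["accountant"], "bob": ["auditor"], "carol": ["accountant", "auditor"]},
    {
        "accountant": [("payroll.db", "read"), ("payroll.db", "modify")],
        "auditor": [("payroll.db", "read"), ("report.txt", "read"), ("report.txt", "copy")],
    },
)
MAC = matrix_from_labels(
    {"alice": 2, "bob": 1, "carol": 0},       # subject confidentiality levels
    {"payroll.db": 2, "report.txt": 1},       # object confidentiality levels
)

if __name__ == "__main__":
    for name, m in (("DAC", DAC), ("RBAC", RBAC), ("MAC", MAC)):
        print(name, {k: sorted(v) for k, v in m.items() if v})
```

Under the label rule, information can only flow upward: bob may modify payroll.db without being able to read it, while alice may read report.txt but not modify it.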
Security monitoring
Integrity check: From booting to application running, all aspects are checked to help discover whether important components of the system have been tampered with or damaged.
Virus scanning and malware detection: Scan various files in the system to help find or remove most viruses or malware that enter the system
Intrusion detection: Monitor malicious behaviors or violations of security policies, report them in a timely manner if discovered, and issue alarms when necessary
Intrusion detection classification
Monitoring objects
Host: Monitor packets flowing in and out of a single host or device
Network: Monitor the incoming and outgoing data of all devices on network strategic nodes, and perform traffic analysis on the entire subnet
Detection method
Feature-based: Find specific patterns extracted from known intrusions in monitored objects
Anomaly-based: Comparison of the behavior to be detected with a given trusted behavior model
Security Management: Identifying an organization's assets and developing, describing and implementing policies and processes to protect those assets
Security Risk Management: Applying risk management principles to security threat management; identify threats, evaluate effectiveness of existing threat controls, determine risk consequences, prioritize risks based on likelihood and impact ratings, classify risks and select appropriate risk strategies or risk responses
Daily security management work: clarify requirements, understand models, write guidelines, security systems, use models, guide operations, continuous response, automated operations
Use technology to improve management level: data mining helps discover vulnerabilities, data analysis senses the security situation, machine learning helps automatic defense
System security architecture
Hardware system security
Basic security support: Provide cryptographic calculation functions (general-purpose processors provide cryptographic operation instructions, independent secure cryptographic processors/cryptographic accelerators); provide digital fingerprints (implemented by physical unclonable function hardware devices)
Hardware Trojan: Malicious modification of the circuit system in an integrated circuit chip
Threats: Bypass or shut down the system's security defenses, leak confidential information, disrupt chip functionality, and render the entire chip inoperable
Implantation method: pre-installed in the integrated circuit; inserted into the chip by internal staff of the chip design company
Operating System Security: Establishing a Trusted Path between Applications and Hardware Functions
User management and identity authentication
Registered user profile: account name + account ID + password; user grouping
User login process: account name + password
Access control
Discretionary access control: The file owner can independently determine the access rights of any user (user group) to the file
Mandatory access control: implement multi-level security policies, access permissions are based on information level and user level
Logging function: records details of important activities that occur in the system
Database system security
Relational database management system (RDBMS): essentially a two-dimensional table, basic operations are performed through SQL language
Access control
Discretionary access control: access authorization (GRANT), revocation of authorization (REVOKE)
Mandatory access control (multi-level security): Determine the data sensitivity level and assign user sensitivity levels based on data sensitivity and user work conditions, and establish sensitivity levels based on tables/fields/records
Threats
Inference threats: originating from statistical databases, conducting illegal indirect access, deriving illegal sensitive original data based on legal non-sensitive statistical data
SQL injection attack
Application System Security (Web)
XSS (cross-site scripting) attack: tamper with display information and obtain local cookie information
Ecosystem: Expand the concept of system to the scope of ecosystem, re-understand security threats, and rebuild the security model
Key supporting technologies
Automation: Automatic response speed keeps pace with attack speed
Interoperability: Define the network community by policy rather than technical constraints, allowing members to seamlessly and dynamically collaborate in automated community defense
Authentication: Establishing a foundation for online decision-making; personnel authentication extends to device authentication
Content security basics
Information content security overview
Information content security: Automatically obtain, identify, and analyze information on specific security topics from networks that contain massive amounts of rapidly changing information
Categories: political information security, military information security, business information security
Importance: The amount of data is growing explosively (data content has become the central focus, big data technology has become an important productivity, and the value of data content continues to increase), network intelligence acquisition has attracted attention from all countries, and the Internet has driven the transformation from traditional media to new media (massive spread of bad information)
Information content security threats
Information content security threats: leakage, deception, destruction, usurpation, spread of malicious content
A content-centric future Internet: Use content names instead of IP addresses as transmission content identifiers to implement information routing
Significance: Implement more optimized representations to enhance network performance and improve the intelligence level of the future Internet
Attack classification
Naming: Attackers can censor and filter content
Routing: An attacker can publish or subscribe to invalid content or routes
Caching: contaminating or destroying cache systems and violating central network privacy
Other: Unauthorized access to or alteration of content during transmission
Acquisition of network information content
Network information content acquisition: The scope of work is the entire international Internet, and the essence is to use the programming reconstruction mechanism of the network interaction process to achieve media information acquisition
Information content acquisition based on browser simulation: use a JSSh client to send JavaScript instructions to a web browser with an embedded JSSh server, instructing the web browser to carry out network identity authentication interaction, web page publishing and information browsing
Web crawler: a typical tool for obtaining information content, a program or script that automatically crawls Internet information
Search applications: Cover as many Internet websites as possible, and the search depth within a single website is not high.
Targeted information collection application: with high search depth and certain topic selection capabilities
Typical technologies: event and element extraction based on natural language understanding and text mining; text information and behavioral feature representation learning based on knowledge graph; social network user cognitive model construction technology based on graph neural network reasoning belief network; semantic text information generation technology based on natural language understanding and deep learning model
Information content feature extraction and selection: a basic issue in data mining information retrieval. Feature words extracted from information are used to quantitatively represent text information.
Text information content: mapping transformation, original selection, expert selection, model selection
Feature selection method: Vector space model describes text vectors, and representative features are found through feature selection and dimensionality reduction.
Feature selection process: The feature evaluation function calculates the feature score values and sorts them, and selects several highest score values as feature words
Audio information content
Frame-based feature classification
MFCC: Combination of human auditory perception characteristics and speech production mechanism, cepstrum coefficient based on Mel frequency
Frequency domain energy: an effective feature for distinguishing music and speech. The energy in the speech domain is greater
Subband energy ratio: divide the frequency band in a non-uniform manner
Zero-crossing rate: the number of times the audio signal passes through the zero value, reflecting a rough estimate of the spectrum
Fundamental frequency: exists in periodic or quasi-periodic audio signals, reflecting the pitch.
Fragment-based feature classification
Silent frame rate: If the energy and zero-crossing rate of a frame are less than a given threshold, it is considered a silent frame
High zero-crossing frame rate: Alternating unvoiced and voiced sounds, the speech zero-crossing rate is higher
Low energy frame rate: The proportion of energy below the threshold, the voice low energy frame rate is higher
Spectral flux: average of spectral changes between adjacent frames
Harmony: the proportion of fundamental frequencies that are not equal to 0
Image information content
Color feature extraction
Color histogram: reflects the relationship between color levels and color frequencies
Color aggregation vector: distinguishing images with similar color distribution but different spatial distribution
Color moment: color distribution characteristics
Texture feature extraction
Gray level co-occurrence matrix: gray level distribution and change amplitude
Gabor wavelet features: consistent with the human eye’s response to images
Tamura texture features: more in line with human visual perception system
Other image extraction: edge features, contour features
Information content analysis and processing
Basic processing steps of information content analysis: classification, filtering
The most common needs in information retrieval and text editing applications: quickly classify user-defined patterns or phrases
Efficient classification and filtering algorithms can make information processing fast and accurate
Linear classifier: Linear discriminant function, those with positive output are classified into one category
Fisher's linear discrimination: All samples are projected into a one-dimensional space. After projection, the two categories are as far apart as possible, and similar samples are clustered as much as possible.
Nearest neighbor classification method: does not require a complicated learning optimization process but requires a certain amount of calculation. The interface can be a curve, which solves the problem of diverse image feature distribution to a certain extent.
Support Vector Machine (SVM): Supervised learning method that simultaneously minimizes empirical error and maximizes the geometric margin, and is a linear classifier for linearly separable data
Information filtering: retain information that meets user needs and filter out information that does not.
Proactivity: active filtering, passive filtering
Filter location: source filtering, server filtering, client filtering
Online public opinion content monitoring and early warning
Internet public opinion content monitoring and early warning: Mining and analysis of massive unstructured information to master the evolution of hot spots in Internet public opinion, providing scientific basis for Internet public opinion monitoring and guidance of some decisions
In-depth information collection for information sources: Traditional search engines use a breadth-first strategy to traverse and download documents, but the extraction rate of vertex information source information is too low
Heterogeneous information fusion analysis: Internet information has huge differences in coding/data format/structure composition. An important prerequisite is organic combination under the same expression or standard.
Structured expression of unstructured information: Unstructured information is easy for humans to understand, but it is quite difficult for computer information processing systems
Application: regional risk prediction, event evolution rules and development trend prediction, online public opinion event guidance, big data analysis visualization and assisted decision-making
Functional breakdown of network public opinion system
In-depth extraction of high-simulation information (forums, chat rooms): the basic core content of construction
Rapid extraction and classification of massive media content features based on semantics: realize information feature extraction and structural transformation functions, and complete information transformation
Self-organized aggregate expression of unstructured information: practical needs of infrastructure and typical applications
Internet public opinion content analysis: In-depth mining, using directional search methods to complete comprehensive and in-depth content extraction for designated information sources, so as to monitor Internet media information from data release sources with different structures and diverse styles
Key technologies: normalization of heterogeneous information, automatic discovery of network hot spots, network negotiation and interpersonal dialogue simulation, hot spot data report customization
Content-Centric Networking and Security
Content-Centric Network Model (CCN): Adopts a transmission architecture centered on content names rather than IP addresses; has fast and efficient data transmission capabilities and enhanced reliability; highly competitive in IoT and 5G networks
Content information objects: all types of objects stored and accessible
Naming: Identification of information objects, global and unique, equivalent to the IP address in the TCP/IP architecture; hierarchical naming scheme, flat naming scheme
Routing: The sender provides message digest, and the receiver provides subscription interest
Cache: Each CCN node maintains a cache table and caches received content message objects in order to respond to subsequent receipt of the same request.
Application program interface: Based on the request and delivery of content information object definitions, used for publishing and obtaining content information objects
Attacks on content-centric networks: Includes legacy attacks affecting network traffic
Routing-related attacks: DDoS attacks, spoofing attacks
Cache-related attacks: Popular content eviction attacks
Other attacks: impersonation attack, replay attack
Intelligent firewall model based on fog computing: Network edge isolation defense system, based on existing security policies, realizes intelligent perception and dynamic defense against interest packet flooding attacks
Application security basics
Application security overview
Application security: To ensure the security of various application systems in all aspects of information acquisition, storage, transmission, and processing
Cloud Computing: Resulting in the separation of data ownership and management rights; the credibility of cloud computing infrastructure and the security of cloud data
Industrial Internet: Form cross-device/cross-system/cross-factory/cross-region interconnection and promote the intelligence of the entire manufacturing service system; ensure the credibility and authenticity of information sources
Big data: 5V (huge volume, high-speed generation, diversity, low value density, authenticity); the scale is so large that acquisition, storage, management, and analysis are far beyond the capabilities of traditional database tools; ensure the authenticity of data sources, promote multi-source data sharing, effectively mine data value, and protect the rights and interests of data owners
It is essentially a methodology that combines and analyzes multi-source heterogeneous data to make better decisions
Artificial intelligence: image recognition, natural language understanding, knowledge discovery, data mining, gaming, network security protection, password design analysis; smart cities, autonomous driving, medical diagnosis, online education, chip design
China's "New Generation Artificial Intelligence Development Plan" in 2017; the United States' "National Artificial Intelligence Research and Development Strategic Plan" in July 2019
Blockchain: The basic supporting technology of digital cryptocurrency, building a value Internet and establishing a new trust system; it has security issues and privacy protection issues itself, posing risks to Internet information services and financial security
Identity authentication and trust management
Authentication: Confirming that the client/server is who it claims to be
Basic approach: what you know, what you have, personal characteristics
Main methods
Username-password authentication (what you know): simple and easy to use, does not require any hardware equipment; passwords can leak, weak passwords are susceptible to dictionary attacks and brute force attacks, and complex strong passwords are difficult to remember
Dynamic password/one-time password (OTP) (what you have): double operation factor, shared key with long validity period and random factor; based on time synchronization, event-based synchronization, SMS verification code
Challenge-response authentication (what you have): one-time random number to prevent replay attacks; based on hash function, based on digital signature algorithm
Biometric-based authentication: Biometrics have become the simplest and most secure method for personal identity authentication; they have high credibility, are difficult to forge, and can be carried at any time; they are not stable enough (the identification failure rate is high) and cannot be reported as lost.
Turing test: Verify whether a human or an automated program is operating, using questions that humans can answer quickly but machines find difficult to answer, with the purpose of preventing the use of programs to brute force the system.
Multi-factor authentication
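The hash-based challenge-response method listed above, as an added example that is not part of the original notes: the server issues a one-time random number, the client answers with an HMAC over it, and a replayed or expired answer is rejected. The class and function names, the 30-second lifetime and the key are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time


def respond(key, user, nonce):
    """Client side: prove knowledge of the shared key without sending it."""
    return hmac.new(key, user.encode() + b"\x00" + nonce, hashlib.sha256).digest()


class Verifier:
    """Server side: issues one-time challenges and checks the HMAC responses."""

    def __init__(self, shared_keys, ttl_seconds=30, clock=time.monotonic):
        self._keys = shared_keys      # user -> shared secret key (bytes)
        self._ttl = ttl_seconds       # how long a challenge stays valid
        self._clock = clock           # injectable so expiry can be tested
        self._pending = {}            # nonce -> (user, expiry time)

    def challenge(self, user):
        # A fresh 128-bit random number per login attempt.
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = (user, self._clock() + self._ttl)
        return nonce

    def verify(self, user, nonce, response):
        # pop() makes every challenge single-use: a captured response
        # cannot be replayed, whether or not the first attempt succeeded.
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return False
        owner, expiry = entry
        if owner != user or self._clock() > expiry:
            return False
        key = self._keys.get(user)
        if key is None:
            return False
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(respond(key, user, nonce), response)


if __name__ == "__main__":
    key = secrets.token_bytes(32)                 # constructed shared key
    server = Verifier({"alice": key})
    n = server.challenge("alice")
    answer = respond(key, "alice", n)
    print("first attempt:", server.verify("alice", n, answer))
    print("replayed answer:", server.verify("alice", n, answer))
```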
PKI (Public Key Infrastructure): An infrastructure that provides security services based on standard public key theory and technology
Purpose: To solve online identity authentication, the integrity of electronic information and non-repudiation issues, and provide reliable security services for network applications
Task: Establish a trustworthy digital identity
Digital certificate: subject name, subject public key, certificate serial number, certificate validity period, trusted issuing authority (CA)
Trust system: The X.509 standard adopts a tree trust system, and the CA self-signed certificate is the anchor of the entire system; a superior CA issues certificates to subordinate CAs or users; if both parties can reach the same certificate node along the trust path, a trust relationship can be established
Mainstream standards for identity authentication
RADIUS: Remote dial-in service protocol, used for access authentication and accounting services, RFC2658 RFC2865
FIDO: Fast online authentication, based on biometrics to unlock the encryption key on the device, authenticate with the server through public key cryptography or symmetric cryptography scheme, allowing password-less login completely through local authentication
UAF Universal Identity Authentication Framework
U2F Universal Second Factor Authentication Protocol
FIM: Federated Identity Management, allows user identities to be linked across security domains
OAuth: defines four roles: resource owner, resource server, client, and authorization server.
Access control mode
DAC discretionary access control mode: Resource owners decide to grant permissions according to their own wishes. The policy is flexible but has poor security.
MAC mandatory access control mode: Divides security levels for users and data to achieve one-way flow of information, but the permission management efficiency is low and lacks flexibility
RBAC role-based access control model: the introduction of roles realizes the separation between users and permissions, simplifying authorization management
Zero Trust Model (ZTM): Any entity inside or outside the network boundary is not trusted before verification
Intranet applications and services are not visible to the public network, the enterprise intranet boundary disappears, access control is precise and based on identity/device/environment authentication, and network communications are encrypted end to end
Privacy protection
Privacy protection: Publish or share data that cannot identify specific individuals
Personal information: data related to natural persons; Privacy: personal sensitive information
K-Anonymity: Merely removing names from the data set cannot achieve an anonymizing effect. Quasi-identifiers can be re-identified when combined with other information; sensitive attributes cannot leak information about generalized sequences.
t-closeness: Privacy is the observed information gain (the difference between prior information and posterior information), that is, $I(X:y)=H(X)-H(x|y)$
Differential privacy: When performing statistical query calculations on the data set, a specific individual's data cannot be inferred through multiple different query methods, that is, $\forall \varepsilon>0$, $\forall T\subset {\rm Range}(A):\frac{{\rm Pr}[A(D)\in T]}{{\rm Pr}[A(D')\in T]}\leq e^\varepsilon$; implementation: $M((f(D)))=f(D)+\sigma$, continuous equation ${\rm Laplace}(x|\mu,b)=\frac{1}{2b}\exp(-\frac{|x-\mu|}{b})$.
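The Laplace mechanism $M(f(D))=f(D)+\sigma$ applied to a counting query, as an added example that is not part of the original notes. The data sets, field names and the choice $b=1/\varepsilon$ (a count changes by at most 1 when one record is removed) are assumptions of the example; it checks the $e^\varepsilon$ bound on the output densities for two neighbouring data sets.

```python
import math
import random


def laplace_pdf(x, mu, b):
    """Density Laplace(x | mu, b) = exp(-|x - mu| / b) / (2b), as in the notes."""
    return math.exp(-abs(x - mu) / b) / (2 * b)


def laplace_sample(rng, mu, b):
    """Inverse-CDF sampling with u uniform on (-1/2, 1/2). Plain floating
    point is fine for study; production libraries use hardened samplers."""
    u = rng.random() - 0.5
    while u == -0.5:                      # avoid log(0)
        u = rng.random() - 0.5
    return mu - b * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def count_query(records, predicate):
    """f(D): the exact, non-private statistic."""
    return sum(1 for r in records if predicate(r))


def private_count(records, predicate, epsilon, rng):
    """M(f(D)) = f(D) + sigma, sigma ~ Laplace(0, b) with b = sensitivity / epsilon."""
    sensitivity = 1.0                     # one individual changes a count by at most 1
    b = sensitivity / epsilon
    return count_query(records, predicate) + laplace_sample(rng, 0.0, b)


def worst_density_ratio(count_d, count_d_prime, epsilon, outputs):
    """Largest ratio of output densities on D versus D' over the given outputs."""
    b = 1.0 / epsilon
    return max(laplace_pdf(t, count_d, b) / laplace_pdf(t, count_d_prime, b)
               for t in outputs)


def mean_private_count(records, predicate, epsilon, runs, seed):
    """Average of repeated noisy answers: the noise cancels out, which is why
    every repeated query has to be charged against the privacy budget."""
    rng = random.Random(seed)
    total = sum(private_count(records, predicate, epsilon, rng) for _ in range(runs))
    return total / runs


def has_condition(record):
    return record["has_condition"]


# Constructed neighbouring data sets: D' is D without the individual with id 3.
D = [{"id": i, "has_condition": i % 3 == 0} for i in range(1, 10)]
D_PRIME = [r for r in D if r["id"] != 3]

if __name__ == "__main__":
    eps = 0.5
    grid = [x / 4 for x in range(-40, 80)]
    c, c_prime = count_query(D, has_condition), count_query(D_PRIME, has_condition)
    print("exact counts:", c, c_prime)
    print("worst density ratio:", worst_density_ratio(c, c_prime, eps, grid))
    print("bound e^eps:", math.exp(eps))
    print("one noisy answer:", private_count(D, has_condition, eps, random.Random(1)))
    print("mean of 20000 answers:", mean_private_count(D, has_condition, 1.0, 20000, 7))
```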
Privacy Computing: Computing theories and methods oriented to the protection of private information throughout its life cycle; describing, measuring, evaluating, and integrating the involved private information; an important theoretical basis for protecting private information in cyberspace
Links: Private information extraction, scene description, privacy operation, solution design, effect evaluation
Full life cycle: privacy awareness, protection, extended control in exchange and communication, violation determination, destruction
Privacy Protection Laws and Regulations
HIPAA: U.S. Health Insurance Information, protecting the privacy of personal medical records
Regulation P: Federal Reserve, protecting user privacy in the financial industry
FACT: U.S. Credit Card Privacy Protection Agency
GDPR: European Union, which places stronger privacy protection on individuals and more restrictions on information technology companies and institutions.
Cybersecurity Law: China, officially effective on June 1, 2017, personal information protection
Cloud computing and its security
Cloud computing: Based on network access, physical computing resources are supplied and managed through on-demand allocation and shared use
Cloud deployment methods: private cloud, public cloud, hybrid cloud
Service model: SaaS software as a service, PaaS platform as a service, IaaS infrastructure as a service
Virtualization Technology: The Basics of Cloud Computing
Architecture: Bare metal architecture (virtualization monitor on hardware), hosted architecture (virtual machine on operating system), container (operating system virtualization)
Cloud infrastructure security
Virtual machine escape: Take control of the virtual machine management system or run malware on the host machine to gain full control of other virtual machines
Side-channel attack: Using the same physical layer hardware as the target virtual machine, the behavior of the target virtual machine is inferred during alternate execution, leading to the leakage of user data in the target virtual machine.
Network Isolation: Packets move within a virtual network and monitoring and filtering tools on the physical network cannot be used
Image and snapshot security: Create a virtual machine or service instance through a specific image. If an attacker infects the image, the attack efficiency and scope of impact will be greatly improved. If the attacker illegally restores the snapshot, historical data will be cleared, and the attack behavior will be completely hidden.
Cloud data security: storage security (cloud encrypted database, ciphertext search), computing security (confidential computing based on SGC)
Blockchain and its security
Blockchain: The underlying technology of Bitcoin, an open and transparent distributed ledger that uses hashes to chain information together, achieving integrity and tamper resistance, and that can be publicly verified
Type: public chain (free to join and exit), alliance chain (authorized to join and exit), private chain (private institution center network)
Bitcoin: Data is permanently recorded in the form of files called blocks, the timestamp records the specific data generation time, the Merkle tree stores all transaction information of the current block, and the difficulty coefficient is used to control the block generation speed (one block is generated every 10 minutes)
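How the hash links and the Merkle tree make tampering publicly detectable, as an added example that is not part of the original notes. It is a simplified model, not Bitcoin's real block format: single SHA-256, JSON headers, no difficulty or proof of work, and constructed transactions and timestamps.

```python
import hashlib
import json

GENESIS_PREV = "00" * 32   # previous-hash value used for the first block


def sha256(data):
    return hashlib.sha256(data).digest()


def merkle_root(transactions):
    """Hash the transactions pairwise up to one root; a level with an odd
    number of nodes pairs its last node with itself."""
    if not transactions:
        return sha256(b"")
    level = [sha256(tx.encode()) for tx in transactions]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def header_hash(header):
    # Canonical serialization so every verifier hashes the same bytes.
    return sha256(json.dumps(header, sort_keys=True).encode()).hex()


def make_block(prev_hash, timestamp, transactions):
    header = {
        "prev_hash": prev_hash,
        "timestamp": timestamp,
        "merkle_root": merkle_root(transactions).hex(),
    }
    return {"header": header, "transactions": list(transactions)}


def verify_chain(chain):
    """Return the index of the first inconsistent block, or None if all links hold."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        header = block["header"]
        if header["prev_hash"] != prev:
            return i                      # link to the previous block is broken
        if header["merkle_root"] != merkle_root(block["transactions"]).hex():
            return i                      # transactions no longer match the header
        prev = header_hash(header)
    return None


def build_sample_chain():
    """Three blocks of constructed transactions."""
    batches = [
        (1700000000, ["coinbase->alice:50"]),
        (1700000600, ["alice->bob:20", "alice->carol:5", "bob->dave:3"]),
        (1700001200, ["carol->erin:1", "dave->alice:2"]),
    ]
    chain, prev = [], GENESIS_PREV
    for timestamp, txs in batches:
        block = make_block(prev, timestamp, txs)
        chain.append(block)
        prev = header_hash(block["header"])
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("untouched chain:", verify_chain(chain))
    chain[1]["transactions"][0] = "alice->mallory:20"
    print("after editing a transaction in block 1:", verify_chain(chain))
    # Recomputing the Merkle root hides the edit inside block 1 but changes
    # block 1's hash, so the link stored in block 2 no longer matches.
    chain[1]["header"]["merkle_root"] = merkle_root(chain[1]["transactions"]).hex()
    print("after also fixing block 1's Merkle root:", verify_chain(chain))
```

Rewriting one block therefore forces every later block to be rewritten as well, which is the work the difficulty coefficient makes expensive.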
Consensus mechanism: Even if there is a network failure or untrustworthy nodes, transactions can still be executed in the correct manner as expected, ensuring the consistency of the final results of each node
PoW proof-of-work mechanism (proof of computing power), PoS proof-of-stake mechanism, DPoS delegated proof-of-stake mechanism, RBFT Practical Byzantine Fault Tolerance algorithm
Smart contract: code that reads and writes to the blockchain database and can automatically execute the digital contract specified by the participating parties
Decentralized, no intermediary is required, and the agreement can be automatically executed and verified once the contract conditions are met.
Lower risk of human intervention, minimal accidental or malicious situations
Minimum trust intermediary intelligence
Observability and verifiability, reducing arbitration and enforcement costs
Low cost, reduce losses caused by default
Efficiency and real-time
Blockchain security issues
51% computing power attack: The attacker controls more than 50% of the computing power of the entire network, and can easily prevent other nodes from confirming transactions and reverse transactions that have been completed in the current block.
Privacy leakage: Public chain data is openly accessible, and big data correlation analysis can de-anonymize specific users.
Artificial intelligence and its security
Artificial Intelligence: Natural Language Processing, Computer Vision, Deep Learning, Data Mining
Artificial Intelligence Security Issues
Adversarial sample: Adding specific minor perturbations or subtle modifications to the sample to be predicted, causing the model to make incorrect judgments about the sample.
Model extraction: Obtain target model parameters or construct an alternative model with similar functions to the target model
Training data theft: Obtain specific samples and statistical distribution of the training data set, or determine whether a certain piece of data is in the training data set
Poisoning attack: Modify the training data set or drop carefully constructed malicious samples to interfere with the training process and reduce the judgment accuracy of the final model.