Aiming at the lack of built-in security mechanism in Message Queue Telemetry Transport (MQTT) protocol to protect communication information between the Internet of Things (IoT) devices, as well as the problem that the credibility of MQTT broker is questioned in the new concept of zero trust security, a new solution based on proxy re-encryption for implementing secure end-to-end data transmission between publisher and subscriber in MQTT communication was proposed. Firstly, the Advanced Encryption Standard (AES) was used to symmetrically encrypt the transmitted data for ensuring the confidentiality of the data during the transmission process. Secondly, the proxy re-encryption algorithm that defines the MQTT broker as a semi-honest participant was adopted to encrypt the session key used by the AES symmetric encryption, so as to eliminate the implicit trust of the MQTT broker. Thirdly, the computation of re-encryption key generation was transferred from clients to a trusted third party for the applicability of the proposed scheme in resource-constrained IoT devices. Finally, Schnorr signature algorithm was employed to digitally sign the messages for the authenticity, integrity and non-repudiation of the data source. Compared with the existing MQTT security schemes, the proposed scheme acquires the end-to-end security features of MQTT communication at the expense of the computation and communication overhead equivalent to that of the lightweight security scheme without end-to-end security.

The identification based on behavior features is a leading technology of biometric recognition. In order to optimize the process of data processing and the way of recognition in the existing studies of identification based on gait feature, a method of extracting gait features from the data of smart phone motion sensors for identification was proposed. Firstly, a spatial transformation algorithm was used to solve the problem of sensor coordinate system drift, making the data to describe the behavior features completely and accurately. Then, Support Vector Machine (SVM) algorithm was used to classify and identify gait features change caused by user transformation. The experimental results show that, the identification accuracy of the proposed method is 95.5%. It can be used to effectively identify user transformation with reduction of space cost and implementation difficulty.

In the enterprise network, if the internal attacker obtains the user's identity authentication information, his behavior will be very difficult to distinguish with the normal user. The current research on the abnormal user detection method in enterprise network is relatively simple and the detection rate is low. The user's authentication activity information directly reflects the user's interaction with various resources or personnel in the network. Based on this, a new abnormal user detection method by using user authentication activity information was proposed. The user's authentication activity was used to generate the user authentication graph, and then the attributes in the authentication graph were extracted based on the graph analysis method, such as the size of the largest connected components of the graph and the number of isolated certificates. These attributes reflect the user's authentication behavioral characteristics in the enterprise network. Finally, a supervised Support Vector Machine (SVM) was used to model the extracted graph attributes to indirectly identify and detect abnormal users in the network. After extracting the user graph vector, the training set and the test set, the penalty parameter and the kernel function were analyzed by taking different values. Through the adjustment of these parameters, the recall, accuracy and F1-Score of the propsed method have reached more than 80%. The experimental results show that the proposed method can effectively detect abnormal users in the enterprise network.

Focusing on the problem that the existing log classification method is only applicable to the formative log, and the performance is closely related to the structure of the log, the existing log parsing algorithm LogSig (Log Signature) was extended and improved based on machine learning, and a log clustering analysis system was designed by combining data processing and result analysis in one, including raw data preprocessing, log analysis, clustering analysis and evaluation, scatter diagram display of results. This system was tested on the open source firewall log data set in VAST 2011 challenge. The experimental results show that the average accuracy of the improved algorithm in the classification of the event log reaches more than 85%; compared with the original LogSig algorithm, the log parsing accuracy is improved by 50%, and the parsing time is only 25% of the original algorithm. The proposed algorithm can be used to analyze multi-source unstructured log data efficiently and accurately in large data environment.

Since the security features described by natural language in the safety-critical software requirements specification are of inaccuracy and inconsistence, a validation method of security features based on UMLsec was proposed. The method completed the UMLsec model by customizing stereotypes, tags and constraints for security features of the core class on the basis of class diagram and sequence diagram for UML requirements model. Afterwards, the support tool for designing and implementing UMLsec was used for automatic verification of security features. The experimental results show that the proposed method can accurately describe security features in the safety-critical requirements specification and can automatically verify whether the security features meet the security requirements.