Dynamic measurement of Android kernel based on ARM virtualization extension
LU Zicong, XU Kaiyong, GUO Song, XIAO Jingxu
Journal of Computer Applications    2018, 38 (9): 2644-2649.   DOI: 10.11772/j.issn.1001-9081.2018010224
To address the integrity threat that kernel-level attacks currently pose to Android systems, a method for dynamic measurement of the Android kernel, namely DIMDroid (Dynamic Integrity Measurement of Android), was proposed. Hardware-assisted virtualization was used to isolate the measurement module from the measured Android system. First, the static and dynamic measurement objects were obtained by analyzing the kernel elements that affect kernel integrity while the Android system is running. Second, these measurement objects were semantically reconstructed at the measurement layer. Finally, an integrity analysis was performed to determine whether the Android kernel is under attack. In addition, boot protection based on a hardware-based trust chain and runtime protection based on memory isolation were applied to ensure the security of DIMDroid itself. The experimental results show that DIMDroid can detect, in time, a rootkit that breaks Android kernel integrity, and that the performance loss of the method is within an acceptable range.
Audit log association rule mining based on improved Apriori algorithm
XU Kaiyong, GONG Xuerong, CHENG Maocai
Journal of Computer Applications    2016, 36 (7): 1847-1851.   DOI: 10.11772/j.issn.1001-9081.2016.07.1847
To address the low level of intelligence and the low utilization of audit logs in the security audit system, a secure audit system based on association rule mining was proposed. The proposed system was able to take full advantage of the existing audit logs and to establish a behavior pattern database of users and the system with data mining techniques. Abnormal situations were discovered in a timely manner and the security of the computer system was improved. An improved E-Apriori algorithm was proposed which could narrow the scanning range of the set of transactions, lower the time complexity, and improve the operating efficiency. The experimental results indicate that, in the secure audit system based on association rule mining, the ability to identify the type of attack improves by up to 10%. The proposed E-Apriori algorithm clearly outperforms the traditional Apriori algorithm and the FP-GROWTH algorithm, and the maximum increase can reach 51%, especially on large sparse datasets.
Value-at-risk quantitative method about password chip under differential power analysis attacks
XU Kaiyong, FANG Ming, YANG Tianchi, MENG Fanwei, HUANG Huixin
Journal of Computer Applications    2013, 33 (06): 1642-1645.   DOI: 10.3724/SP.J.1087.2013.01642
Based on the principle and characteristics of the Differential Power Analysis (DPA) attack, a kernel function was used to estimate the probability density of the power consumption leakage while the password chip is operating. By calculating the mutual information between the attack model and the power leakage when the guessed key was correct, this paper quantified the risk value of the password chip under DPA attacks. The experiments show that the risk quantification method gives a good estimate of the degree of correlation between the attack model and the power leakage when the guessed key is correct, and thus provides important indicators for password chip risk evaluation.