物联网云访问凭证泄露检测技术研究

方仪伟; 龚乐; 靳泽; 何昀崴; 李浩宇; 刘奇旭

引用本文：

方仪伟,龚乐,靳泽,何昀崴,李浩宇,刘奇旭.物联网云访问凭证泄露检测技术研究[J].信息安全学报,已采用 [点击复制]
Fang Yi Wei,Gong Le,Jin Ze,He Yun Wei,Li Hao Yu,Liu Qi Xu.IoT Cloud Access Credential Leakage Detection[J].Journal of Cyber Security,Accept [点击复制]

本文已被：浏览 106次下载 0次
物联网云访问凭证泄露检测技术研究
方仪伟¹, 龚乐², 靳泽¹, 何昀崴², 李浩宇¹, 刘奇旭¹
0 字体:加大+\|默认\|缩小-
(1.中国科学院信息工程研究所;2.信息工程研究所)

摘要:

随着现代物联网云平台的兴起，物联网的安全性正面临着全新的挑战，例如近期发生的一些由物联网云访问凭证引发的大规模隐私泄露事件和设备被非法控制的安全事件。云平台提供商需要采取安全措施来保护物联网设备和其传输、存储的数据，以防止未经授权的访问和数据泄露。其中，如何对不同用户的云端访问凭证进行安全存储和维护至关重要。为此，本研究基于对诸多物联网安卓应用云服务连接过程的深入分析，开发了一套专门的检测模式，提出了一种基于先进大语言模型的物联网云访问凭证安全性检测方法，并结合思维链、检索增强生成和程序辅助语言模型等技术，构建了一款面向物联网云访问凭证的安全性检测系统——IChecker。通过对谷歌应用商店下载的两万个安卓应用程序中筛选出的279安卓应用进行分析与标注，本研究制作了云访问凭证安全问题测试数据集。在此数据集上，IChecker以高达96%的召回率成功地识别出45个未曾被发现的安全风险，充分证明了该系统的实用性与有效性，为大模型辅助漏洞挖掘这一领域发展提供有益的参考和启示。

关键词: 物联网大语言模型自动化漏洞发现

DOI：

投稿时间：2024-03-31修订日期：2024-07-10

基金项目:中国科学院青年创新促进会

IoT Cloud Access Credential Leakage Detection

Abstract:

With the rise of modern IoT cloud platforms, IoT security is facing new challenges, such as some recent security incidents involving large-scale privacy leaks caused by IoT cloud access credentials and devices being illegally controlled. Cloud platform providers need to take security measures to protect IoT devices and the data they trans-mit and store to prevent unauthorized access and data leakage. Among them, how to securely store and maintain cloud access credentials of different users is crucial. To this end, this study developed a set of specialized detection modes based on an in-depth analysis of the cloud service connection process of many IoT Android applications, and proposed an IoT cloud access credential security detection method based on the advanced large language mod-el, and combining technologies such as Chain of Thought, Retrieval Augmented Generation, and Program-Assisted Language models, a security detection system for IoT cloud access credentials—IChecker—is built. By analyzing and annotating 279 Android applications selected from 20,000 Android applications downloaded from the Google Play Store, this study produced a test data set for cloud access credential security issues. On this data set, IChecker successfully identified 45 undiscovered security risks with a recall rate of up to 96%, fully proving the practicabil-ity and effectiveness of the system, and providing useful references and inspirations for large language mod-el-assisted vulnerability mining.

Key words: Internet of Things Large language model Automated vulnerabilities discovering