局域网的维护（三）——网络安全

计算机网络系统的安全威胁主要来自黑客攻击、计算机病毒和拒绝服务攻击三个方面。网络的安全威胁方向也分为外部和内部。黑客攻击早在主机终端时代就已经出现,随着因特网的发展,现代黑客则从以系统为主的攻击转变到以网络为主的攻击。     

JuniPer无线NetScreen-5GT

Juniper网络公司能为各种规模的企业提供系列齐全的网络安全产品和解决方案。NetScreen-5GT产品是特性丰富的企业级网络安全解决方案，集成了多种安全功能一状态和深层检测防火墙、IPSec VPN、拒绝服务防护、防病毒和Web过滤等。对于应用层保护，NetScreen-5GT产品支持嵌入式病毒扫描，帮助消除网络病毒威胁。     

探究计算机网络安全性分析建模研究

随着因特网技术的快速发展,黑客入侵、拒绝服务、蠕虫病毒等网络攻击也有了更多的攻击途径,成为威胁计算机网络安全的重要问题,这些恶意攻击轻则盗取个人、企业信息,修改系统数据,重则引起大范围的网络瘫痪。对此,国内外研究人员在计算机网络安全保护方面进行了大量的研究,并建立了网络安全PPDRR模型,成为主动发现,未雨绸缪,防患于未然的重要措施。     

DDoS攻击实时检测防御系统的硬件实现

分布式拒绝服务攻击是因特网安全的头号威胁。针对DDoS攻击,本文介绍了一种基于MPC860和FPGA的实时检测防御系统的体系结构与实现原理,探讨了基于非参数累积和(CUSUM)算法检测新IP地址到达速率变化的DDoS攻击检测方法。实验结果表明该系统不仅实时检测准确性高、在线检测速度快、防御效果好,而且不损失网络信息吞吐量,保证了合法用户的正常访问。     

DDoS攻击与检测技术

分布式拒绝服务攻击已经成为网络最大的安全威胁之一,如何有效的防御DDos攻击已经引起了诸多学者的关注,文章阐述了分布式拒绝服务攻击的原理,攻击类型,检测方法和对DDos攻击防御策略。     

DDoS攻击实时检测防御系统的硬件实现

分布式拒绝服务攻击是因特网安全的头号威胁.针对DDoS攻击,本文介绍了一种基于MPC860和FPGA的实时检测防御系统的体系结构与实现原理,探讨了基于非参数累积和(CUSUM)算法检测新IP地址到达速率变化的DDoS攻击检测方法.实验结果表明该系统不仅实时检测准确性高、在线检测速度快、防御效果好,而且不损失网络信息吞吐量,保证了合法用户的正常访问.     

浅析拒绝服务攻击原理及防范措施

随着经济技术的不断发展,计算机安全技术越来越受到冲击,拒绝服务攻击已成为网络机安全最大的威胁之一,由于它的破坏性极大,因此成为网络黑客经常采用的攻击手段。该文主要分析了拒绝服务攻击的基本原理以及怎样能够更好的加以防范。     

拒绝服务攻击原理及防范

随着经济技术的不断发展,计算机安全技术越来越受到冲击,拒绝服务攻击已成为网络机安全最大的威胁之一,由于它的破坏性极大,因此成为网络黑客经常采用的攻击手段.该文主要分析了拒绝服务攻击的基本原理以及怎样能够更好的加以防范.     

DoS/DDoS拒绝服务攻击分析及防范对策

拒绝服务攻击已经成为威胁互联网安全的重要攻击手段,本文从分析DoS拒绝攻击服务的原理入手,然后对分布式拒绝服务攻击(DDoS)的原理进行了解析,最后从主机和网络两个层面分析如何去防范DoS攻击。     

专用系统避安全风险

随着网络应用越来越复杂,安全问题也呈几何级数增长,黑客和病毒给网络带来了前所未有的挑战。现在的网络攻击手段中,既有病毒攻击、隐含通道、拒绝服务攻击,还有口令攻击、路由攻击、中继攻击等多种攻击模式。不断出现的混合式攻击已经成为当前网络最大的安全威胁之一。而传统防火墙不能解决蠕虫泛滥、垃圾邮件、病毒传播以及拒绝服务所带来的安全威胁,用户迫切需要能够将多种安全防护手段集成在一起的安全解决方案。7月中旬获悉,港湾网络与启明星辰宣布联合向市场推出天清汉马防火墙/多功能安全网关产品。在NP架构高性能专用硬件平台的基…     

Security threats to Internet: a Korean multi-industry investigation

In recent years, a number of security problems with the Internet became apparent. New and current Internet users need to be aware of the likelihood of security incidents and the steps they should take to secure their sites. Before designing a secure system, it is advisable to identify the specific threats against which protection is required. The threats may be classified into interruption, interception, modification, and fabrication. The extents of these threats are examined across four industries in Korea — manufacturing, banking/financial, research institution/university, and distribution/service. Banking/financial firms generally perceive the four categories of threats more seriously than other industries. The companies in the manufacturing industry consider interruption to be the most serious. Research institutions/universities and distribution/service companies regard modification and interruption as critical threats. The appropriate security technique is recommended for each threat.     

Differentiated security levels for personal identifiable information in identity management system

With the rapid development of Internet services, identity management (IdM) has got widely attraction as the credit agency between users and service providers. It facilitates users to use the Internet service, promotes service providers to enrich services, and makes Internet more security. Personally identifiable information (PII) is the most important information asset with which identity provider (IdP) can provide various services. Since PII is sensitive to users, it has become a serious problem that PII is leaked, illegal selected, illegal accessed. In order to improve security of PII, this study develops a novel framework using data mining to forecast information asset value and find appropriate security level for protecting user PII. The framework has two stages. In the first stage, user information asset is forecasted by data mining tool (decision tree) from PII database. Then security level for user PII is determined by the information asset value assuming that the higher information asset is, the more security requirement of PII is. In the second stage, with time being, number of illegal access and attack can be accumulated. It can be used to reconstruct the decision tree and update the knowledge base combined with the result of the first stage. Thus security level of PII can be timely adjusted and the protection of PII can be guaranteed even when security threat changes. Furthermore, an empirical case was studied in a user dataset to demonstrate the protection decision derived from the framework for various PII. Simulation results show that the framework with data mining can protect PII effectively. Our work can benefit the development of e-business service.     

Web服务器安全威胁与防范技巧

WEB服务器主要是面向互联网的,随着人们对互联网服务的需求不断扩大,各种互联网应用服务日益增多,Web服务器便成为众多信息化应用中最容易遭受攻击的对象。文章中主要介绍了几种常见的Web服务器安全威胁,并提出了相应的安全防范技巧。     

Qualitative trust modeling in SOA

Trust among cooperating agents is an essential precondition for every e-business transaction. It is becoming increasingly vital in service oriented architectures (SOAs), where services from various administration domains are deployed. Traditional hard security mechanisms with different techniques of authorization, access control and information security services give a solid foundation, but they fail when cooperating entities act deceitfully. Trust as a soft social security mechanism can protect against such threats and consequently improves the quality of services and reliability of service providers. This paper presents an abstract trust model that applies complementary qualitative methodology which addresses the core of trust as socio-cognitive phenomenon. The model complements existing quantitative methodologies and is applied in the web services environment that enables trust management in SOAs.     

Provider-based deterministic packet marking against distributed DoS attacks

One of the most serious security threats on the Internet are Distributed Denial of Service (DDoS) attacks, due to the significant service disruption they can create and the difficulty in preventing them. In this paper, we propose new deterministic packet marking models in order to characterize DDoS attack streams. Such a common characterization can be used to make filtering near the victim more effective. In this direction we propose a rate control scheme that protects destination domains by limiting the amount of traffic during an attack, while leaving a large percentage of legitimate traffic unaffected. The above features enable providers to offer enhanced security protection against such attacks as a value-added service to their customers, and hence offer positive incentives for them to deploy the proposed models. We evaluate the proposed marking models using a snapshot of the actual Internet topology, in terms of how well they differentiate attack traffic from legitimate traffic in cases of full and partial deployment.     

关于计算机信息网络安全问题的探讨

计算机和互联网的出现给我们的生活和工作带了许多便利,但同时也带来了信息安全方面的隐患。本文对当前计算机信息网络安全存在的威胁与应对措施提出了一些探讨性意见。     

物联网安全分析研究

物联网的安全问题和隐私问题是制约物联网建设与发展的一个重要因素,研究了物联网目前存在的安全威胁及应对措施,通过分析物联网的三层安全体系结构,得出物联网各层安全问题所在,并针对各层存在的安全问题给出相应的安全对策,为物联网安全与隐私保护提供理论参考。     

网络移动代理系统的新型安全技术

网络的普及为发展新技术提供了基石,这些新技术能为我们带来服务的深入和使用的便利。移动代理算法是一种新型的技术,能整合网络中的计算资源以满足新应用的需求。目前学术界和产业界都对移动代理技术非常关注。然而,移动代理的安全问题严重阻碍了其发展和应用。这篇论文介绍了移动代理系统的安全隐患及其相应的解决方案,分析了各种方案的优势和缺陷。在应用方面,分析了一些目前比较普及的移动代理系统,比较了其安全方案的不同侧重点,提出了关于未来移动代理系统发展的思考。     

对外网站的安全设计

如今网络已经成为我们日常生活中重要的组成部分,而且随着网络的迅猛发展,人们越来越离不开网络。但是由于网络环境的复杂性、多变性以及信息系统的脆弱性、开放性和易受攻击性,决定了网络安全威胁的客观存在。如何防范网络风险已经成为一个我们必须要面对和解决的问题。本文将通过建设一个对外网站的实践,探索如何进行网站安全设计。     

基于身份密码系统和区块链的跨域认证协议

随着信息网络技术的快速发展和网络规模的持续扩张,网络环境中提供的海量数据和多样服务的丰富性和持久性都得到了前所未有的提升.处于不同网络管理域中的用户与信息服务实体之间频繁交互,在身份认证、权限管理、信任迁移等方面面临一系列安全问题和挑战.本文针对异构网络环境中用户访问不同信任域网络服务时的跨域身份认证问题,基于IBC身份密码系统,结合区块链技术的分布式对等网络架构,提出了一种联盟链上基于身份密码体制的跨信任域身份认证方案.首先,针对基于IBC架构下固有的实体身份即时撤销困难问题,通过加入安全仲裁节点来实现用户身份管理,改进了一种基于安全仲裁的身份签名方案mIBS,在保证功能有效性和安全性的基础上,mIBS性能较ID-BMS方案节省1次哈希运算、2次点乘运算和3次点加运算.其次,本文设计了区块链证书用于跨域认证,利用联盟链分布式账本存储和验证区块链证书,实现域间信任实体的身份核验和跨域认证.所提出的跨域认证协议通过安全性分析证明了其会话密钥安全,并且协议的通信过程有效地减轻了用户端的计算负担.通过真实机器上的算法性能测试,与现有同类方案在统一测试标准下比较,本文方案在运行效率上也体现出了明显的优势.