Similar literature
Found 20 similar documents; search time 31 ms
1.
The high-speed transfer rate and various services of the wired network have been combined with the convenience and mobility of wireless networks. This era of combined wire/wireless is being disseminated by new technology that creates new service applications and brings changes to both users and service providers. Network integration is very important in this wire/wireless service; it is achieved through the convergence between heterogeneous networks and the integration of transmission technologies across networks. In this situation, existing security and communication technologies are difficult to apply due to the need to integrate with heterogeneous networks. Network security has many vulnerabilities. In existing homogeneous networks, user authentication and key management between heterogeneous networks need to be adapted to new technology. The establishment of security technologies for heterogeneous devices is also crucial between homogeneous networks. In this paper, we propose secure, efficient key management in a heterogeneous network environment. Therefore, it provides secure communication between heterogeneous network devices.

2.
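Network deception is playing an increasingly important role in information security. By placing deception objects in networks and information systems, it deceives and controls intrusion behavior in order to protect network resources and gather forensic evidence of intrusions. This paper proposes a new network deception system model, DNDS, based on a deep deception strategy. It creates a five-layer deception and control architecture comprising network service emulation, security vulnerability forgery, operation control, file system mirroring and information deception, and, on the basis of the model, implements a prototype system, NDS, that integrates deception, control, monitoring and auditing.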

3.
Automated cyber security configuration synthesis is the holy grail of cyber risk management. The effectiveness of cyber security is highly dependent on the appropriate configuration hardening of heterogeneous, yet interdependent, network security devices, such as firewalls, intrusion detection systems, IPSec gateways, and proxies, to minimize cyber risk. However, determining cost-effective security configuration for risk mitigation is a complex decision-making process because it requires considering many different factors including end-hosts’ security weaknesses based on compliance checking, threat exposure due to network connectivity, potential impact/damage, service reachability requirements according to business policies, acceptable usability due to security hardness, and budgetary constraints. Although many automated techniques and tools have been proposed to scan end-host vulnerabilities and verify the policy compliance, existing approaches lack metrics and analytics to identify fine-grained network access control based on comprehensive risk analysis using both the hosts’ compliance reports and network connectivity. In this paper, we present new metrics and a formal framework for automatically assessing the global enterprise risk and determining the most cost-effective security configuration for risk mitigation considering both the end-host security compliance and network connectivity. Our proposed metrics measure the global enterprise risk based on the end-host vulnerabilities and configuration weaknesses, collected through compliance scanning reports, their inter-dependencies, and network reachability. We then use these metrics to automatically generate a set of host-based vulnerability fixes and network access control decisions that mitigates the global network risk to satisfy the desired Return on Investment of cyber security. We solve the problem of cyber risk mitigation based on advanced formal methods using Satisfiability Modulo Theories, which has shown scalability with large-size networks.

4.
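Network vulnerability assessment methods are used to decide the priority of vulnerability patching. Building on the CVSS rating system, the article combines factors such as the privileges gained by the attacker, the number of port connections and vulnerability history to propose a service port risk assessment model, which improves the accuracy of vulnerability assessment. Then, according to the risk value, access control is used to block service ports, which can guard against the latest vulnerabilities for which patches are not yet available.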

5.
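The risk posed by network security vulnerabilities is receiving increasing attention. The paper introduces the indicator system and quantitative assessment techniques for network security vulnerability risk, focuses on the content of automatic vulnerability discovery and automatic vulnerability repair techniques, and introduces research directions in network vulnerability detection, assessment and repair.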

6.
VoIP (Voice over Internet Protocol), which provides voice calls as well as additional services at cheaper prices than PSTN (Public Switched Telephone Network), is gaining ground over the latter, which had been the dominant telephone network in the past. This kind of VoIP service is evolving into a dedicated mVoIP service for the smartphone which allows calls to be made at cheap prices using a WiFi network, as the number of smartphone users is skyrocketing as of late. While an increase in the user base is expected for mVoIP, a packet network is an open network, which means anyone can easily gain access and so there can be various problems. To mitigate this, in this paper an authentication system is designed which has an AA (Attribute Authority) server added to VoIP in order to increase security and discriminate user access. In this paper a system for addressing security vulnerabilities from the increase in the use of VoIP services and providing differentiated services according to user access privileges is designed. This paper is organized as follows: Chapter 1 gives the introduction; Chapter 2 is on related research; Chapter 3 describes the proposed technique and system; Chapter 4 implements the system and analyzes its performance; and Chapter 5 gives the conclusions.

7.
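Automatic generation of network attack graphs   (Total citations: 2; self-citations: 0; citations by others: 2)
Network attack graphs are an important means of analyzing network security and provide important guidance for formulating network security policy. Automatic generation of network attack graphs has been a research hotspot in China and abroad in recent years. Through analysis of a large number of network vulnerabilities, combined with the characteristics of networks, a network security analysis model was established, and a prototype system for automatic generation of network attack graphs was designed and implemented.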

8.
9.
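In designing a security strategy for AIS-based network intrusion detection, the network intrusion detection module needs to be analyzed, and system vulnerabilities are discovered by studying the anomaly detection problem and the misuse detection problem. Through study of the negative selection algorithm, the clonal selection algorithm and the gene library optimization algorithm, the goals of optimizing network system performance and improving system security are achieved. The design of a network intrusion detection system needs to start from the framework design and establish a dynamic self set, so that system vulnerabilities can be better detected and access denials generated, ensuring the security of the network system.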

10.
Various natural and man-made disasters as well as major political events (like riots) have increased the importance of understanding geographic failures and how correlated failures impact networks. Since mission critical networks are overlaid as virtual networks over a physical network infrastructure forming multilayer networks, there is an increasing need for methods to analyze multilayer networks for geographic vulnerabilities. In this paper, we present a novel impact-based resilience metric. Our new metric uses ideas borrowed from performability to combine network impact with state probability to calculate a new metric called Network Impact Resilience. The idea is that the highest impact to the mission of a network should drive its resilience metric. Furthermore, we present a state space analysis method that analyzes multilayer networks for geographic vulnerabilities. To demonstrate the methods, the inability to provision a given number of upper layer services is used as the criterion for network failure. Mapping techniques for multilayer network states are presented. Simplifying geographic state mapping techniques to reduce enumeration costs are also presented and tested. Finally, these techniques are tested on networks of varying sizes.

11.
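The service management and provisioning model of traditional networks is static and rigid; it is difficult to formulate unified security and scheduling policies for cross-domain data flows from a global perspective, and diverse security requirements cannot be met. An on-demand adaptation method for multi-domain security services based on service function chaining (SFC) is proposed. Using technologies such as software-defined networking (SDN) and network function virtualization (NFV), it establishes a unified description model through multi-layer interfaces, configures the required security service resources, instantiates the required security service functions, and composes the security service functions using service function chains, thereby achieving on-demand adaptation of security services. Finally, a prototype system is built and the feasibility of the proposed method is verified in different experimental scenarios.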

12.
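With the rapid development of computer network technology, the range of applications of computer networks is gradually expanding and has now reached every aspect of people's production and daily life. Because of the openness of computer network systems, the sharing of information resources, the public nature of communication channels, the diversity of connection forms and so on, networks contain many fairly serious weak points. Network security problems have become increasingly severe and need to be taken seriously.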

13.
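Risk assessment is the foundation and key of a comprehensive network security system. In traditional risk assessment, coarse-grained evaluation results cannot give administrators practically useful information. To address this, a security assessment model based on vulnerability scanning and attack effect evaluation is proposed. It adopts a bottom-up, local-then-global hierarchical assessment strategy and uses the importance factors of the services and hosts themselves as weights to calculate the risk indices of services, hosts and the whole network system respectively, and then analyzes the security situation of the whole system. Simulation tests show that the model can accurately assess the security situation at the three levels of service, host and network system, and improves the accuracy and consistency of the assessment results to a certain extent.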

14.
Network service-based computation is a promising paradigm for scientific and engineering computing as well as enterprise computing. The network service allows users to focus on their application and obtain services when needed, simply by invoking the service across the network. In this paper, we show that an adaptive, general-purpose run-time infrastructure in support of effective resource management can be built for a wide range of high-end network services running in a single-site cluster and in a Grid. The primary components of the run-time infrastructure are: (1) dynamic performance prediction; (2) adaptive intra-site resource management; and (3) adaptive inter-site resource management. The novel aspect of our approach is that the run-time system is able to dynamically select the most appropriate performance predictor or resource management strategy over time. This capability not only improves the performance, but also makes the infrastructure reusable across different high-end services. To evaluate the effectiveness and applicability of our approach, we have transformed two different classes of high-end applications—data parallel and distributed applications—into network services using the infrastructure. The experimental results show that the network services running on the infrastructure significantly reduce the overall service times under dynamically varying circumstances.

15.
As the sizes of IT infrastructure continue to grow, cloud computing is a natural extension of virtualisation technologies that enable scalable management of virtual machines over a plethora of physically connected systems. The so-called virtualisation-based cloud computing paradigm offers a practical approach to green IT/clouds, which emphasise the construction and deployment of scalable, energy-efficient network software applications (NetApp) by virtue of improved utilisation of the underlying resources. The latter is typically achieved through increased sharing of hardware and data in a multi-tenant cloud architecture/environment and, as such, accentuates the critical requirement for enhanced security services as an integrated component of the virtual infrastructure management strategy. This paper analyses the key security challenges faced by contemporary green cloud computing environments, and proposes a virtualisation security assurance architecture, CyberGuarder, which is designed to address several key security problems within the ‘green’ cloud computing context. In particular, CyberGuarder provides three different kinds of services; namely, a virtual machine security service, a virtual network security service and a policy based trust management service. Specifically, the proposed virtual machine security service incorporates a number of new techniques which include (1) a VMM-based integrity measurement approach for NetApp trusted loading, (2) a multi-granularity NetApp isolation mechanism to enable OS user isolation, and (3) a dynamic approach to virtual machine and network isolation for multiple NetApp’s based on energy-efficiency and security requirements. 
Secondly, a virtual network security service has been developed successfully to provide an adaptive virtual security appliance deployment in a NetApp execution environment, whereby traditional security services such as IDS and firewalls can be encapsulated as VM images and deployed over a virtual security network in accordance with the practical configuration of the virtualised infrastructure. Thirdly, a security service providing policy based trust management is proposed to facilitate access control to the resources pool and a trust federation mechanism to support/optimise task privacy and cost requirements across multiple resource pools. Preliminary studies of these services have been carried out on our iVIC platform, with promising results. As part of our ongoing research in large-scale, energy-efficient/green cloud computing, we are currently developing a virtual laboratory for our campus courses using the virtualisation infrastructure of iVIC, which incorporates the important results and experience of CyberGuarder in a practical context.

16.
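Research on a comprehensive network security evaluation method based on Delphi and ANN   (Total citations: 5; self-citations: 0; citations by others: 5)
Network security evaluation is a complex systems engineering task, and most existing security assessment tools are only used to scan for and detect security vulnerabilities in network systems. To evaluate network security comprehensively, the ideas and methods of systems engineering must be applied. This paper uses the Delphi method to study in depth the various factors affecting network security, establishes a comprehensive evaluation indicator system for network security, proposes an artificial neural network (ANN) security evaluation model, and carries out computer simulation experiments. The results show that the model can effectively perform a comprehensive evaluation of the network security level, thereby providing a new approach and method for fully evaluating the security status of computer networks.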

17.
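Research and application of a multi-level intranet security strategy   (Total citations: 2; self-citations: 0; citations by others: 2)
Based on a comprehensive information security strategy for security systems, the security of the intranet is studied at two levels: network security technology and network security management. The two complement each other and can effectively ensure intranet security. An application example of the multi-level intranet security strategy is described in combination with network security products.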

18.
19.
A planner-based approach to generate and analyze minimal attack graph   (Total citations: 1; self-citations: 0; citations by others: 1)
In the present scenario, even well administered networks are susceptible to sophisticated cyber attacks. Such attacks combine vulnerabilities existing on different systems/services and are potentially more harmful than single point attacks. One of the methods for analyzing such security vulnerabilities in an enterprise network is the use of an attack graph. It is a complete graph which gives a succinct representation of different attack scenarios, depicted by attack paths. An attack path is a logical succession of exploits, where each exploit in the series satisfies the preconditions for subsequent exploits and makes a causal relationship among them. Thus analysis of the attack graph may help in assessing network security from the hackers’ perspective. One of the intrinsic problems with the generation and analysis of such a complete attack graph is its scalability. In this work, an approach based on Planner, a special purpose search algorithm from the artificial intelligence domain, has been proposed for time-efficient, scalable representation of the attack graphs. Further, customized algorithms have been developed for automatic generation of attack paths (using Planner as a low-level module). The analysis shows that generation of the attack graph using the customized algorithms can be done in polynomial time. A case study has also been presented to demonstrate the efficacy of the proposed methodology.

20.
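With rapid economic development, the information age is becoming increasingly global. However, as networks become widespread in serving the public, network security has increasingly become a focus of attention, and damage to and leakage from network systems have become major problems troubling users. Preventing network security vulnerabilities is currently one of the hot topics in network security technology research. Considering the security vulnerabilities present in computer networks, this paper discusses countermeasures for computer network security from four aspects: access control, vulnerability scanning, firewall installation and virus prevention. It gives a brief analysis of the problem of network security vulnerabilities using methods such as literature review and surveys.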
