Network infrastructure security

The network is only as secure as its weakest access point. At one extreme we have the totally open network with every user having open access to every area of the network. At the other we have the ultimate secure network with no user connections so that there are no insecure access points! Somewhere in between we have a balance in the security provided to maintain an easy to use and accessible network whilst reducing the risk of breaches to security. Today computing networks span the world with thousands of entry points. Remote access technologies and the Internet or corporate intranets further extend the network to include remote and mobile users. Whilst these technologies heighten the productivity of the organization they also increase the security risks.     

基于网格技术的网上选课系统的设计

针对目前高校网上选课系统面临的拥塞问题,设计了基于网格技术的网上选课系统原型.该原型利用网格在资源管理方面的优势,充分利用了校园网内现有的闲置资源,有效地解决了选课高峰时服务响应速度下降的问题,提高了资源的利用率,具有良好的扩展性和安全性,并为今后进一步建立基于网格技术的校园网奠定了基础.     

Digital government security infrastructure design challenges

Information age technologies provide enormous opportunities for a government to transform its functions into the digital arena. Doing so taps the wellspring of information technology benefits that have driven down off-the-shelf component costs and fuelled an unprecedented improvement rate in the cost-performance ratio. We can view a digital government (DG) as an amalgam of heterogeneous information systems in which government agencies and public and private sectors exchange a high volume of information. Designing security systems for a digital government's multidomain environment requires a careful balancing act between providing convenient access and carefully monitoring permissions     

Identity-based cryptography for grid security

The majority of current security architectures for grid systems use public key infrastructure (PKI) to authenticate identities of grid members and to secure resource allocation to these members. Identity-based cryptography (IBC) has some attractive properties that seem to align well with the demands of grid computing. This paper presents a comprehensive investigation into the use of identity-based techniques to provide an alternative grid security architecture. We propose a customised identity-based key agreement protocol, which fits nicely with the grid security infrastructure (GSI). We also present a delegation protocol, which is simpler and more efficient than existing delegation methods. Our study shows that properties of IBC can be exploited to provide grid security services in a more natural and clean way than more conventional public key cryptosystems, such as RSA.     

Web服务安全基础设施的研究

对Web服务已经存在的安全问题进行了分析，研究了目前提出的Web服务安全技术，包括XML加密和签名，SAML，XACML，XKMS，WS Security等，在这基础上提出了Web服务安全基础设施架构，以确保各安全组件能协同工作。最后分析了该架构在Web服务安全中的典型协作场景。     

域名服务体系安全问题研究

域名服务是互联网的基础服务。域名服务体系不同于域名系统（DNS）,仅提高域名系统的安全并不能解决整个域名服务的安全问题。基于中国互联网络信息中心运行国家CN域名的经验,创新的提出域名服务体系的概念,并对域名服务体系的安全问题进行了论述分析。首先介绍了域名系统的基础知识及全球域名体系,然后研究分析了域名服务体系中的5个主要角色和7个主要数据流,结合数据流分析了其中主要的安全问题,并提出了安全防范措施。     

Secure communication mechanism for ubiquitous Smart grid infrastructure

Smart grid and advanced metering infrastructure (AMI) technologies have recently been the focus of rapid advancement and significant investment by many utilities and other service providers. For proper Smart grid deployment, smart energy home area network (HAN) must deploy smart meter along with other utility HAN devices and customer HAN devices. Energy service interface (ESI) is deployed as a HAN gateway which can provide two-way communications between HAN devices and utilities or service providers. However, in order to meet the envisioned functional, reliability, and scalability requirements of the Smart grid, cyber security must no longer be neglected. Thus, the development of a comprehensive security mechanism for AMI network is predominantly essential. A remote access to HAN devices may be required for either the customer that using his ubiquitous mobile device at the remote site or maintenance personals (either from utilities or service providers) those using handheld devices, which must be done securely. In this paper, we propose a security mechanism for remote access to HAN networks which is comprised of a lightweight and effective ECC-based entity authentication mechanism and ECC-based digital signature scheme. ECC-based entity authentication mechanism allows ESI as a gatekeeper to monitor the authentication process between two communicating entities. With a modified ECC-based digital signature scheme, secure data transfer between mobile devices and HAN devices has occurred. We have conducted security analysis, efficiency analysis as well as formal verification of the proposed mechanism.     

Saudi cloud infrastructure: a security analysis

The growing demand and dependence upon cloud services have garnered an increasing level of threat to user data and security. Some of such critical web and cloud platforms have become constant targets for persistent malicious attacks that attempt to breach security protocol and access user data and information in an unauthorized manner. While some of such security compromises may result from insider data and access leaks, a substantial proportion continues to remain attributed to security flaws that may exist within the core web technologies with which such critical infrastructure and services are developed. This paper explores the direct impact and significance of security in the Software Development Life Cycle (SDLC) through a case study that covers some 70 public domain web and cloud platforms within Saudi Arabia. Additionally, the major sources of security vulnerabilities within the target platforms as well as the major factors that drive and influence them are presented and discussed through experimental evaluation. The paper reports some of the core sources of security flaws within such critical infrastructure by implementation with automated security auditing and manual static code analysis. The work also proposes some effective approaches, both automated and manual, through which security can be ensured through-out the SDLC and safeguard user data integrity within the cloud.     

制造网格资源调度及安全性管理

根据制造网格发展的现状和方向,分析了网格资源调度的主要方法,并对Globus环境下的GSI体系结构做了深入研究,分析讨论了其任务提交执行过程和架构特点,对现有的GSI架构基础做了相关改进,构建了一个满足制造网格下部分特性的安全体系结构M-GSI,实现了实时认证和强授权功能,满足了制造网格部分安全需求。     

独立于网格计算经济模型的记账和支付

针对当前网格计算经济中记账和支付的不足,提出了一种能够独立于计算经济模型的记账和支付体系结构.以独立的第3方完成记账数据采集;依据GSP和GSC的支付策略实现资源选择和支付;完成了一个支付算法,实现了和现实商业银行的仿真连接.     

网格安全模型的设计

用一个实例来阐述了网格环境下的安全问题,并对安全问题进行了分析,在此基础上给出了一个网格的安全模型,较好的解决了单点登录、资源代理和资源分配.     

一种面向方面的网格安全模型研究*

通过引入面向方面的核心思想,分析了网格安全实现方案GSI中存在的结构复杂和耦合度过高问题。在传统网格安全模型的基础上,利用方面机制来实现网格安全,提出了一种新的面向方面的网格安全模型(AOGSM),并对该模型进行了详细描述。仿真实验表明,面向方面的网格安全模型通过对网格安全横切特性的分离,降低了网格安全机制的复杂度和模块间的耦合度。     

一个具有强授权特性的网格安全框架

网格安全技术主要解决网格环境中实体之间的认证和授权问题。Globus网格项目中的GSI(Grid Secudty Infrastmcture)主要基于X．509技术实现身份认证以及数据的机密性、完整性和抗否认性,重点解决了认证和消息保护问题,然而在授权问题上缺乏必要的技术支撑。在分析现有安全技术的基础上,提出了将基于X．509的PKI技术和PMI技术相结合的网格安全框架,旨在实现基于安全认证基础之上网格用户和虚拟群组实体间的安全授权机制,从而构建强认证、强授权的网格安全基础设施。     

智能电网及其信息安全分析

随着自动控制技术、信息技术、网络技术以及物联网技术的不断发展,传统的电网将逐渐被智能电网所取代,智能电网将广泛应用在社会生产和生活的各个领域。在特殊情况下,智能电网的数据传输、共享需要连接到互联网等公共网络系统中,从而面临病毒、黑客等信息安全的威胁。文中阐述了智能电网的关键技术、安全风险、主要安全技术和防范措施,探索了保障智能电网安全平稳运行的新技术和新方法。     

e-Robot网格-仿人机器人研究与应用基础设施

目前仿人机器人的研究与应用碰到了诸如:大计算量、海量存储的需求、实验设备投入大、科研人员的协作和成果融合困难等问题。而网格具有超级计算能力、海量的存储容量、能做到网格中所有软件资源、硬件资源、人力资源的协同工作和全面共享。若能基于网格技术构建一个仿人机器人研究与应用的平台,就能解决仿人机器人研究和应用中的众多障碍。这里提出的e-Robot网格就是这样一个仿人机器人研究与应用的基础设施,它采用OGSA体系结构的基础网格,并在其基础上构建庞大的仿人机器人研究与应用服务软件集合。e-Robot网格将给仿人机器人领域的研究、应用带来变革性的进步。     

网络空间公共基础设施体系及安全策略研究

以物理空间与网络空间的映射关系为研究思路,面向网络空间的对象、资源、活动等关键要素,综合考虑了网络空间设备、系统、数据及环境等方面的发展需求,构建了一种科学的网络空间公共基础设施体系,并从管理认证和应用认证的双重认证角度出发,针对用户/设备认证和访问控制等方面给出了一些相应的安全策略和实施建议.     

利用信任管理提高网格安全

网格计算系统是一个分布式的高性能计算机环境,由广域分布的异构的计算机和资源组成,目的是让用户透明的使用这些资源,为保证共享合作更加安全可靠,提出了信任的概念.信任管理是一种适用于大规模的、开放的分布式系统的授权机制.广义上讲,信任分为执行信任和代码信任.提出了一种信任管理的框架来提高网格的安全性,这种新的信任模型能捕获网格系统中存在的不同类型的信任关系,还提供了信任评价,信任推荐和信任更新的机制.     

Integrated smart grid systems security threat model

The smart grid (SG) integrates the power grid and the Information and Communication Technology (ICT) with the aim of achieving more reliable and safe power transmission and distribution to the customers. Integrating the power grid with the ICT exposes the SG to systems security threats and vulnerabilities that could be compromised by malicious users and attackers. This paper presents a SG systems threats analysis and integrated SG Systems Security Threat Model (SSTM). The reference architecture of the SG, with its components and communication interfaces used to exchange the energy-related information, is integrated with the results of SG systems security threat analysis to produce a comprehensive, integrated SG SSTM. The SG SSTM in this paper helps better depict and understand the vulnerabilities exploited by attackers to compromise the components and communication links of the SG. The SG SSTM provides a reference of the systems security threats for industrial security practitioners, and can be used for design and implementation of SG systems security controls and countermeasures.     

一种基于企业网格的网格安全模型

针对企业网格分布式、多层、多用户的特点,提出了一种基于企业网格的网格安全模型.该模型对用户采用混合式账户管理方式,具有高效、安全的特点;通过基于PKI体系的数字证书进行用户认证,根据网格用户种类的区别提供不同的单点登录方案;另外文中综合使用RBAC与ACL的访问控制机制,既能保证用户访问资源的安全,又能简化用户授权的管理.