Similar literature
 20 similar documents found; search time 15 ms
1.
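Every wireless transmission technology has limitations in coverage area, spectrum bandwidth, and latency. The concept of "high-speed wireless access over heterogeneous networks", which can effectively address these limitations, is attracting growing attention; however, designing access authentication for heterogeneous networks in an integrated way is a challenging problem. This paper focuses on how dynamic security association techniques can improve the mobile authentication architecture, and studies unified authentication and secure access for heterogeneous networks and mobile terminals, effectively improving the security of mobile terminals as they hand over between different networks.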

2.
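The ubiquitous network is a typical heterogeneous network, and ensuring the security of user handover between networks is a current research focus for ubiquitous networks. This paper analyzes EAP-AKA, an authentication protocol applicable to handover between heterogeneous networks, and points out that the protocol has high authentication latency and faces security threats such as user identity disclosure, man-in-the-middle attacks, and DoS attacks. In addition, the validity of the access point of the access network is not verified in EAP-AKA, so a user terminal cannot avoid a variety of attacks even after going through a complex authentication process. To address these security flaws, the paper proposes an improved secure authentication protocol that extends the applicability of traditional EAP-AKA from 3G systems to ubiquitous networks. The new protocol improves propagation delay and efficiency, protects the validity of the identity information of users and access points, prevents disclosure of the master session key, uses the elliptic curve Diffie-Hellman algorithm to generate symmetric keys, generates a random shared key for each authentication session, and achieves mutual authentication between the user terminal and the home-domain network. Experiments and a comparative analysis of the protocols verify the effectiveness and high efficiency of the new protocol.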

3.
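Current heterogeneous scheduling models are designed around either spatial or temporal characteristics alone; they lack joint consideration of spatio-temporal characteristics and do not balance dynamism and heterogeneity well. To let the dynamic, heterogeneous, and redundant properties of a mimic cloud service system balance and complement each other, an execution-pool scheduling algorithm based on priority and time slices is proposed. The algorithm pre-sorts priorities using an execution-pool similarity metric and schedules with strategies such as time slices. Experimental results show that the proposed algorithm has good dynamism, that combining it with the time-slice strategy achieves an overall balance of dynamism and heterogeneity, and that the algorithm's running time is low.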

4.
Aiming at the problem of prolongation and instability of satellite and terrestrial physical communication links in the space-earth integration network, a two-way token based roaming authentication scheme was proposed. The scheme used the characteristics of the computing capability of the satellite nodes in the network to advance the user authentication process from the network control center (NCC) to the access satellite. The satellite directly verified the token issued by the NCC to verify the user's identity. At the same time, the token mechanism based on the one-way accumulator achieved the user's dynamic join, lightweight user self-service customization and billing, and the introduction of Bloom Filter enabled effective user revocation and malicious access management. Compared with the existing scheme, the scheme can guarantee the security of roaming authentication and significantly reduce the calculation and communication overhead of the authentication and key negotiation process.

5.
With the growing popularity of vehicle-based mobile devices, vehicular networks are becoming an essential part of wireless heterogeneous networks. Therefore, vehicular networks have been widely studied in recent years. Because of limited transmission range of wireless antennas, mobile vehicles should also switch their access points to maintain the connections as conventional mobile nodes. Considering the inherent characteristics of vehicular networks such as dynamic topology and high speed, the question of how to implement handoff protocol under real-time scenarios is very important. IEEE 802.11p protocol is designed for vehicular networks for the long distance transmission. To reduce handoff latency for 802.11p protocol, the authentication phase is waived during the handoff. However, security is also very important for wireless communications, and authentication can forbid access from malicious nodes and prevent wireless communications from potential attacks. Thus, in this paper, a lightweight authentication scheme is introduced to balance the security requirements and the handoff performance for 802.11p vehicular networks. In our scheme, the access points are divided into different trust groups, and the authentication process is completed in a group-based method. Once a vehicle is authenticated by an access point group, during the handoff within the same group, few extra authentication operations are needed. As a result, there is no extra overhead introduced to the authentication servers. Simulation results demonstrate that our authentication scheme only introduces small handoff latency and it is ideal for vehicular networks.

6.
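Secure terminal access management is becoming increasingly important. Access control that in the past relied only on terminal identity such as IP address and MAC address can hardly meet the security-check requirements that today's office and classified networks place on connecting terminals. Against this background, new terminal access management technology has developed rapidly: a network admission control technology that combines terminal health checking with terminal identity authentication. The paper introduces the current technologies for secure terminal access authentication and their advantages and disadvantages, and finally describes how this emerging technology is being applied.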

7.
梁亮理 《通信技术》2010,43(7):86-88
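As a new-generation wireless local area network (WLAN) standard, the 802.11s mesh network can effectively make up for the shortcomings of the 802.11b protocol in ease of deployment and security. Because the original access authentication protocol of 802.11s mesh networks has high time complexity, an access authentication protocol based on dynamic group signatures is proposed, in which mutual authentication among all access points is achieved through four rounds of interaction among the authentication server, the key distributor, and the access points. Analysis shows that the protocol effectively improves the computational and communication performance of the access authentication process while ensuring its security.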

8.
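Cyberspace mimic defense is an effective means of countering attacks that exploit unknown vulnerabilities and backdoors in information systems; its security is closely tied to the number of executors, their degree of heterogeneity, and the specific adjudication and scheduling policy. In industrial control, however, the ecosystem of industrial applications is relatively closed, and the number of heterogeneous executors that can be realized is limited. To address this, a mimic scheduling algorithm for industrial control under limited heterogeneous resources is proposed. By introducing an executor online-protection register, a periodic cleaning timer, and similar mechanisms, the algorithm adaptively selects suitable executors to bring online according to the runtime environment, and can effectively guard against N-1 mode and N mode attacks. Experimental results show that the proposed triple-redundancy industrial control mimic scheduling algorithm adaptively selects suitable executors to bring online according to environmental characteristics, and maintains a high availability probability of 99.24% even under high-intensity attack.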

9.
We study the problem of reducing the latency introduced by authentication and network access control processes required in heterogeneous wireless networks and based on the Extensible Authentication Protocol. We aim to reduce the time spent on providing access and smooth transition between different technologies which require to perform authentication in order to allow network access. We propose a secure protocol which reduces the number of roundtrips during authentication and verify its security properties with a formal tool.

10.
Driven by the rapid development of the Internet of Things, cloud computing and other emerging technologies, the connotation of cyberspace is constantly expanding and becoming the fifth dimension of human activities. However, security problems in cyberspace are becoming serious, and traditional defense measures (e.g., firewall, intrusion detection systems, and security audits) often fall into a passive situation of being prone to attacks and difficult to take effect when responding to new types of network attacks with a higher and higher degree of coordination and intelligence. By constructing and implementing the diverse strategy of dynamic transformation, the configuration characteristics of systems are constantly changing, and the probability of vulnerability exposure is increasing. Therefore, the difficulty and cost of attack are increasing, which provides new ideas for reversing the asymmetric situation of defense and attack in cyberspace. Nonetheless, few related works systematically introduce dynamic defense mechanisms for cyber security. The related concepts and development strategies of dynamic defense are rarely analyzed and summarized. To bridge this gap, we conduct a comprehensive and concrete survey of recent research efforts on dynamic defense in cyber security. Specifically, we firstly introduce basic concepts and define dynamic defense in cyber security. Next, we review the architectures, enabling techniques and methods for moving target defense and mimic defense. This is followed by taxonomically summarizing the implementation and evaluation of dynamic defense. Finally, we discuss some open challenges and opportunities for dynamic defense in cyber security.

11.
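Key MAC-layer technologies for cognitive radio networks   Total citations: 2, self-citations: 0, citations by others: 2
As an intelligent spectrum-sharing technology, cognitive radio has become a research focus in wireless communications. To make opportunistic use of spectrum effectively without interfering with licensed users, the media access control (MAC) layer of a cognitive radio network must not only provide traditional services but also support a completely new set of functions. Spectrum sensing management selects and optimizes sensing strategies and parameters by choosing the sensing mode, setting the sensing period and sensing duration, choosing the channels to sense, and setting the sensing quiet period. Access control avoids collisions with licensed users' access mainly in two ways: access coordinated with licensed users, and transparent access. Dynamic spectrum allocation optimizes the allocation of uncertain spectrum resources under the binary interference model and the cumulative interference model. The security mechanism adds authentication and confidentiality to MAC frames to defend against MAC-layer attacks. Cross-layer design combines information from the physical layer and from upper layers such as the network and transport layers to design and implement globally optimized MAC-layer techniques.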

12.
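Identification and authentication are an important part of computer security and confidentiality. Identification distinguishes different users; authentication verifies a user's identity. Authentication is the key to enforcing access control. Conventional password-based authentication mechanisms are powerless against password-guessing attacks, whereas the authentication mechanism proposed in this paper resists guessing well and is easy to implement.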

13.
Network mimic defense technology enhances the robustness of active defense through redundancy, dynamics and diversity as well as the decision feedback mechanism. However, little work has been done for its security assessment, and existing classic game models are not suitable for its dynamic characteristics and lack universality. A Markov game model was proposed to analyze the transfer relationship between offensive and defensive status and the measurement method of safety and reliability of mimic defense, and the offensive and defensive game equilibrium was calculated through a non-linear programming algorithm to determine the best defensive strategy considering performance. Experiments give a comparison with the multi-target hiding technique and show that the mimic defense has a higher defensive effect. Combining with the specific network case, the specific attack and defense path for the exploit of the system vulnerability is given and the effectiveness of the defense strategy algorithm is verified.

14.
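RFID is a new type of contactless automatic identification technology that is already widely used in access control, transportation systems, target tracking, and other fields. In practical use, however, RFID systems still have many security weaknesses, so designing and improving security mechanisms and security authentication protocols remains essential to protecting RFID systems. By analyzing the structure of RFID systems, the paper summarizes the reasons these weaknesses exist. It introduces RFID security strategies, mainly several common physical security mechanisms and cryptography-based security protocols, and briefly analyzes their advantages and disadvantages. It describes a hybrid encryption security model and then proposes a method that improves the model through key updating and workload transfer, strengthening the model's security and practicality. Analysis of the improved protocol shows that it can resist common security problems such as retransmission and tracking.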

15.
Aiming at the problem of security isolation of multi-tenant data in cloud environment, a tenant virtual domain isolation construction method based on L-DHT was proposed. Firstly, through the design of multi-tenant isolation mapping algorithm based on label-hash mapping, the balanced mapping mechanism of tenant resources was constructed to realize the distributed management of tenant resources. Secondly, for the security isolation and access between tenant data mapped to the same storage node, based on the predicate encryption mechanism, through the effective binding of security labels and tenant data, a tenant data isolation storage algorithm based on label predicate encryption was designed. Finally, by the design of multi-dimensional tenant data isolation control rules and using the analysis and authentication of security labels, independent, logical and secure virtual domains between tenants were built hierarchically. The security analysis shows that the method constructs tenant virtual domains which are secure and non-interference with each other. The simulation results show that the mapping algorithm can achieve a better dynamic load balance. The efficiency and security of data access are verified by the comparative analysis of tenant data retrieval efficiency and authentication access security.

16.
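Most enterprises have already deployed information security defenses based on policy-driven access control. However, with the deployment of cloud computing environments and the development of network attack techniques, security is becoming an important problem that urgently needs solving in the cloud. Advanced persistent attacks, which can easily bypass traditional firewalls and break through defenses based on blacklists/whitelists and signature matching, pose new challenges to traditional security architectures. The paper analyzes the problems that traditional tightly coupled security defenses face in network environments that mix virtual and physical components, proposes a software-defined security model and the key technologies within its framework, and decouples virtual and physical network security devices from their access modes and deployment locations, offering a useful exploration of adaptive, proactive security protection for enterprise cloud computing environments.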

17.
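Security after heterogeneous wireless networks are interconnected is a current focus of network security research. To address the access security problems that arise after interconnection, a trusted access framework based on a trust model is proposed. The framework establishes a trust evaluation system among heterogeneous wireless networks: users accessing a heterogeneous wireless network must pass not only identity verification but also verification of their trust level. This both rejects access by malicious nodes and ensures secure access for legitimate nodes, thereby guaranteeing secure and trusted interconnected access across heterogeneous wireless networks.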

18.
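Web access control based on fingerprint recognition   Total citations: 1, self-citations: 0, citations by others: 1
In Internet/Intranet applications, security faces serious challenges. The traditional way to verify a user's identity at login is by password. This secures the computer system to some degree, but passwords are tedious to remember, easily lost, and easily forgotten, so a more secure method is urgently needed. To this end, Web access control that combines fingerprint authentication with a cryptographic key scheme is proposed, and the advantages and disadvantages of this control method are analyzed.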

19.
孙孟杰  刘镇  陈小波 《通信技术》2009,42(12):87-89
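Acegi is a framework that provides powerful and flexible security access control for Spring-based enterprise applications. It makes full use of Spring's IoC and AOP features to provide declarative security access control. The paper introduces the basic authentication and authorization flows of the Acegi security framework and how, in a Web system, the declarative approach of its XML configuration files can be used flexibly to secure authentication and authorization.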

20.
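Unified identity authentication and access control based on J2EE filter technology   Total citations: 2, self-citations: 0, citations by others: 2
To address the security of enterprise information application systems, and in particular the security of user identity authentication and access control themselves, the principles of user identity authentication and access control and the J2EE Servlet filter technology were analyzed and studied. Building on the characteristics of Web application systems and on J2EE Servlet filters, a method for implementing unified user identity authentication and access control for enterprise information application systems is proposed, and it has been applied in a J2EE application framework. The results show that the method meets the design requirements and improves the security of enterprise information application systems.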
