Qiang Wu,Ran Wang,Xincheng Yan,Chunming Wu,Rongxing Lu

DOI: https://doi.org/10.1109/MWC.001.2100251

IF: 12.777

2022-01-01

IEEE Wireless Communications

Abstract:Opening-up sharing has prompted the multi-tenancy architecture, whereby different vendors (including outsourcees) work together with network operators to form a vibrant service ecosystem, resulting in several advantages as well as risks. In particular, the static nature of existing architectures in network functions virtualization-based (NFV-based) clouds facilitate hacking. Thus, much attention has been focused on determining how to avoid the uncontrollable cloud security induced by complex production relations and non-trustworthy software/hardware sources when the two sets of security risks intersect. In this article, we investigate latent persistent threats against cloud environments and determine a high degree of complementarity and consistency between the NFV-based cloud environment and the dynamic defense concept. More specifically, new NFV-based cloud features provide an effective implementation for dynamic defense, while the generalized robustness of dynamic defense theory allows for high security gains. Intrinsic cloud security (iCS) is then proposed to align NFV-based clouds, mimicking defense and the moving target defense (MTD) paradigm to implement a seamless integration and symbiosis evolution between security and NFV-based clouds. We quantify the impact on system overhead to account for efficiency and cost issues. The simulation analysis demonstrates that the enhanced mode is able to consistently obtain a more beneficial and stable defense compared with the counterparts.

Wu Qiang,Wu Chunming,Yan Xincheng,Cheng Qiumei

DOI: https://doi.org/10.1109/tnsm.2021.3071774

2021-01-01

IEEE Transactions on Network and Service Management

Abstract:With the emergence of cloud native technology, the network slicing enables automatic service orchestration, flexible network scheduling and scalable network resource allocation, which profoundly affects the traditional security solution. Security is regarded as a technology independent of the cloud native architecture in the initial design, traditional passive defense such as “reinforced” and “stacked” is relied on to achieve system security protection. The lack of intrinsic security mechanisms makes the system capability insufficient when faces the uncertain threat brought by vulnerabilities and backdoors under the ecosystem of opening-up and sharing. The static nature of existing networks and computing systems makes them easy to be compromised and hard to defend, and thus it is urgent to provide intrinsic security and proactive protection against the unpredictable attacks. To this end, this paper proposes a novel paradigm named intrinsic cloud security (iCS) from the perspective of dynamic defense. The dynamic defense provides component-level security, and has complementary and consistency with the cloud native environment. In particular, iCS introduces mimic defense and moving target defense (MTD), and makes full use of the new features introduced by cloud native to implement an intrinsic and proactive defense mechanism with acceptable costs and efficiency. The iCS paradigm achieves seamless integration and symbiosis evolution between security and cloud native. We implement a trial of iCS based on 5GC commercial system and evaluate its performance on costs, efficiency and attack success. The result shows that the iCS enhanced mode always can provide a better and more stable defense effects.

Kaifang Wan,Xiaoguang Gao,Xuequan Liu,Sijie Cui

DOI: https://doi.org/10.1109/ICSESS.2013.6615362

2013-01-01

Abstract:To meet the requirements of anti-stealth combat, this paper provides an overview of cloud computing technologies and discusses the superiority of its military application. A new concept of tactical cloud is proposed and based on which we put forward a Cloud Cooperative Attack System (CCAS) scheme for networking anti-stealth combat which can help promote the cooperating effectiveness significantly. To anatomize the system, the principle is described and the capabilities are indicated, and after that we design the composition expressly and provide a description of the system functions. A sample use case reveals the work process and verifies capacity of anti-stealth antagonizing of CCAS, and at last we point out some issues of CCAS and discuss how they can affect the performance of the system. The research here provides a reference to the developing of the new generation fire control system which brings it a wide prospect for further engineering application.

Hong Liang,Yufei Ge,Wenjiao Wang,Lin Chen

DOI: https://doi.org/10.1109/pic.2015.7489893

2015-01-01

Abstract:With the growing trends of cloud computing, the security issues in this area are growing at the same speed as its development. Some malicious intruders and other malware activities tend to find the inner vulnerabilities and spare no effort to control the administration or conduct the pure break-down service with curiosity or on purpose. Traditional defense systems such as firewall, intrusion detection and malware code system are still utilized in nowadays network scenes, but they may not support enough in cloud computing environment with old-fashioned architectures. Here we focus on intrusion detection system (IDS) to defend against intruders and other attacks. In this paper, we proposed a collaborative intrusion detection service and our goal is to make use of the state-of-the-art computing framework in cloud environment and to provide a rounded IDS service for both cloud providers and cloud tenants, while the collaborative architecture will help to respond to the attacks promptly. We set up our system prototype and discuss the empirical results on the preference. The experimental results demonstrate that our system does enhance the security when some network-based attacks happen and ensure that both cloud service providers and tenants are protected with satisfaction.

Wei Yu,Guobin Xu,Zhijiang Chen,Paul Moulema

DOI: https://doi.org/10.1109/cns.2013.6682765

2013-01-01

Abstract:The exponential growth of cyber space has created opportunities for world-wide web-based businesses and information sharing, but also led to the proliferation of cyber attacks. To conduct the cyber security situation awareness, a large volume of data streams from monitored devices needs to be efficiently stored and processed in real time. In this paper, we propose a cloud computing based architecture for conducting cyber security situation awareness. Particularly, we leverage the cloud infrastructure with a cost-effective data storage and investigate efficient stream processing techniques to reduce operational delays. To effectively detect threats, we present a parallel cloud based threat detection that integrates both signature-based detection and anomaly-based detection. To capture the insightful characteristics of attacks, we discuss the attack scene analysis based on spatiotemporal correlation and visualization schemes to analyze, trace, and visualize abnormal behaviors. Lastly, we present the testbed setup and the implementation workflow to validate the effectiveness of our proposed system.

Xin Dong,Jiadi Yu,Yuan Luo,Yingying Chen,Guangtao Xue,Minglu Li

DOI: https://doi.org/10.1109/iwqos.2013.6550281

2013-01-01

Abstract:Cloud storage services enable users to remotely store their data and eliminate excessive local installation of software and hardware. One critical issue is how to enable a secure data collaboration service including data access and update in cloud computing. A data collaboration service is to support the availability and consistency of the shared data among multi-users. In this paper, we propose a secure and efficient data collaboration scheme SECO. In SECO, we employ a two-level hierarchical identity based encryption (HIBE) to guarantee data confidentiality against untrusted cloud. This paper is the first attempt to explore secure cloud data collaboration service that precludes information leakage and enables a one-to-many encryption paradigm, data writing operation and fine-grained access control simultaneously. Security analysis indicates that the SECO enforces fine-grained access control and collusion resistant. Extensive performance analysis and experiment results demonstrate that SECO is highly efficient and low overhead on computation and communication.

Xin Dong,Jiadi Yu,Yanmin Zhu,Yingying Chen,Yuan Luo,Minglu Li

DOI: https://doi.org/10.1016/j.cose.2015.01.003

IF: 5.105

2015-01-01

Computers & Security

Abstract:Cloud storage services enable users to remotely store their data and eliminate excessive local installation of software and hardware. There is an increasing trend of outsourcing enterprise data to the cloud for efficient data storage and management. However, this introduces many new challenges toward data security. One critical issue is how to enable a secure data collaboration service including data access and update in cloud computing. A data collaboration service is to support the availability and consistency of the shared data among multi-users. In this paper, we propose a secure, efficient and scalable data collaboration scheme SECO. In SECO, we employ a multi-level hierarchical identity based encryption (HIBE) to guarantee data confidentiality against untrusted cloud. This paper is the first attempt to explore secure cloud data collaboration services that precludes information leakage and enables a one-to-many encryption paradigm, data writing operation and fine-grained access control simultaneously. Security analysis indicates that the SECO is semantically secure against adaptive chosen ciphertext attacks (IND-ID-CCA) in the random oracle model, and enforces fine-grained access control, collusion resistance and backward secrecy. Extensive performance analysis and experimental results show that SECO is highly efficient and has only low overhead on computation, communication and storage.

FAN Qigang,JIANG Zhongyuan,LI Xinghua,MA Jianfeng

DOI: https://doi.org/10.11959/j.issn.2096-109x.2024038

2024-01-01

Abstract:Distributed computing systems based on cloud-edge-device have been successfully serving thousands of applications and have become mainstream,characterized by a wide audience,high user experience requirements,and high security expectations.However,in recent years,frequent attacks on cloud-edge-device systems have resulted in serious security risks and significant economic losses for users.The defense mechanisms of cloud-edge-device systems have been found to operate independently,leading to major differences in the ability to resist risks,which makes it difficult to eliminate global security risks.Security measures of the pre-configuration and post-event remedy type have been found to hardly meet the security needs of high-load and high real-time in cloud-edge-device collaborative networks.The root cause has been identified as the hierarchical architecture of cloud-edge-device systems being separate,and no effective collaborative defense system has been formed,leading to problems such as difficult cross-domain security governance,poor real-time performance,and difficult collaborative consistency evaluation.Firstly,a cloud-edge-device collaborative security architecture that integrates real-time perception,dynamic decision,and proactive defense was proposed.The cloud-edge-device security collaboration capability was established through rigorous theoretical consistency proofs.Secondly,a collaborative security assessment model based on the order parameter was put forward to achieve consistency of risk perception,decision,and defense.In this way,the efficient and low-cost collaborative protection of security risks could be realized to maximize systemic security benefits.Finally,the consistency theory and assessment method were verified through simulations.The results show that the proposed collaborative security system and consistency evaluation model are correct and effective.

Xiangyu Wang,Jianfeng Ma

DOI: https://doi.org/10.26599/tst.2023.9010158

2025-01-01

Abstract:The core goal of network security is to protect the security of data sharing. Traditional wireless network security technology is committed to guaranteeing end-to-end data transmission security. However, with the advancement of mobile networks, cloud computing, and Internet of Things, communication-computing integration and cloud-network integration have been important technical routes. As a result, the main application requirements of wireless networks have changed from data transmission to cloud-based information services. Traditional data transmission security technology cannot overcome the security requirements of cloud-network-end collaborative services in the new era, and secure semantic communication has become an important model. To address this issue, we propose a cloud-network-end collaborative security architecture. Firstly, we clarify security mechanisms for end system security, network connection security, and cloud services security, respectively. Next, based on the above three aspects, we elaborate on the connotation of cloud-network-end collaborative security. By giving example applications, including heterogeneous network secure convergence framework, unmanned system collaborative operations security framework, and space-air-ground integrated network security framework, we demonstrate the universality of the proposed architecture. Finally, we review the current research on end system security, network connection security, and cloud services security, respectively.

Zhen Chen,Wenyu Dong,Hang Li,Peng Zhang,Xinming Chen,Junwei Cao

DOI: https://doi.org/10.1109/tst.2014.6733211

2014-01-01

Abstract:A data center is an infrastructure that supports Internet service. Cloud computing is rapidly changing the face of the Internet service infrastructure, enabling even small organizations to quickly build Web and mobile applications for millions of users by taking advantage of the scale and flexibility of shared physical infrastructures provided by cloud computing. In this scenario, multiple tenants save their data and applications in shared data centers, blurring the network boundaries between each tenant in the cloud. In addition, different tenants have different security requirements, while different security policies are necessary for different tenants. Network virtualization is used to meet a diverse set of tenant-specific requirements with the underlying physical network, enabling multi-tenant datacenters to automatically address a large and diverse set of tenants requirements. In this paper, we propose the system implementation of vCNSMS, a collaborative network security prototype system used in a multi-tenant data center. We demonstrate vCNSMS with a centralized collaborative scheme and deep packet inspection with an open source UTM system. A security level based protection policy is proposed for simplifying the security rule management for vCNSMS. Different security levels have different packet inspection schemes and are enforced with different security plugins. A smart packet verdict scheme is also integrated into vCNSMS for intelligence flow processing to protect from possible network attacks inside a data center network.

Cen Chen,Yangfan Li,Qinyu Wang,Xulei Yang,Xiaokang Wang,Laurence T. Yang

DOI: https://doi.org/10.1109/mnet.2023.3321923

IF: 10.294

2023-01-01

IEEE Network

Abstract:The rapid growth of IoT (Internet of Things) and smart services facilitate many CPS (Cyber-Physical Systems) such as smart health, smart grid and so on. Nevertheless, the communication security issues in CPS are becoming more and more important with the growing complexity of the CPS network and the increasing dependency of critical network infrastructure on cyber-based technologies. In recent years, deep learning technology has shown its superiority in detecting communication security attacks, but its high computational complexity and the massive amount of data generated by IoT devices have brought challenges to traditional cloud computing technology in terms of bandwidth and computing resources. In this paper, we have analyzed the characteristics of heterogeneity and hierarchy in attacks on CPS. We have also analyzed the role of edge intelligence in handling the security of large-scale data communication in CPS. Furthermore, we proposed a CPS communication attack detection framework based on edge cloud collaboration, aiming to improve the parallel efficiency of hardware resources when executing detection tasks. We aim to enhance the intelligence of physical devices and the degree of cloud collaboration, satisfying the real-time processing requirements of large-scale, hierarchical CPS attack detection. Furthermore, through simple simulation experiments, we verified the effectiveness of the proposed edge cloud collaboration framework in CPS attack detection.

Tzung-Han Jeng,Wen-Yang Luo,Chuan-Chiang Huang,Chien-Chih Chen,Kuang-Hung Chang,Yi-Ming Chen,Chen,Yi-Ming

DOI: https://doi.org/10.4018/IJGHPC.2021070102

2021-05-11

International Journal of Grid and High Performance Computing

Abstract:As the application of network encryption technology expands, malicious attacks will also be protected by encryption mechanism, increasing the difficulty of detection. This paper focuses on the analysis of encrypted traffic in the network by hosting long-day encrypted traffic, coupled with a weighted algorithm commonly used in information retrieval and SSL/TLS fingerprint to detect malicious encrypted links. The experimental results show that the system proposed in this paper can identify potential malicious SSL/TLS fingerprints and malicious IP which cannot be recognized by other external threat information providers. The network packet decryption is not required to help clarify the full picture of the security incident and provide the basis of digital identification. Finally, the new threat intelligence obtained from the correlation analysis of this paper can be applied to regional joint defense or intelligence exchange between organizations. In addition, the framework adopts Google cloud platform and microservice technology to form an integrated serverless computing architecture.

David W. Chadwick,Wenjun Fan,Gianpiero Costantino,Rogerio de Lemos,Francesco Di Cerbo,Ian Herwono,Mirko Manea,Paolo Mori,Ali Sajjad,Xiao-Si Wang

DOI: https://doi.org/10.1016/j.future.2019.06.026

IF: 7.307

2020-01-01

Future Generation Computer Systems

Abstract:Cyber-attacks affect every aspect of our lives. These attacks have serious consequences, not only for cyber-security, but also for safety, as the cyber and physical worlds are increasingly linked. Providing effective cyber-security requires cooperation and collaboration among all the entities involved. Increasing the amount of cyber threat information (CTI) available for analysis allows better prediction, prevention and mitigation of cyber-attacks. However, organizations are deterred from sharing their CTI over concerns that sensitive and confidential information may be revealed to others. We address this concern by providing a flexible framework that allows the confidential sharing of CTI for analysis between collaborators. We propose a five-level trust model for a cloud-edge based data sharing infrastructure. The data owner can choose an appropriate trust level and CTI data sanitization approach, ranging from plain text, through anonymization/pseudonymization to homomorphic encryption, in order to manipulate the CTI data prior to sharing it for analysis. Furthermore, this sanitization can be performed by either an edge device or by the cloud service provider, depending upon the level of trust the organization has in the latter. We describe our trust model, our cloud-edge infrastructure, and its deployment model, which are designed to satisfy the broadest range of requirements for confidential CTI data sharing. Finally we briefly describe our implementation and the testing that has been carried out so far by four pilot projects that are validating our infrastructure.

Xinming Chen,Beipeng Mu,Zhen Chen

DOI: https://doi.org/10.1109/cmc.2011.94

2011-01-01

Abstract:Malicious attacks are frequently launched to make specified network service unavailable, compromising end hosts for political or business purpose. Though network security appliances are widely deployed to resist these attacks, there is a lack of dynamic and collaborative platform to flexibly configure and manage all the security elements. In this paper, we present NetSecu, a platform based on Java and Click Router, which can dynamically enable, disable and configure security elements such as firewall, IPS and AV. Furthermore, a collaborate module is implemented to integrate individual NetSecu platform into a Secure Overlay Network, providing collaborative traffic control against DDoS attack. Equipped with collaborate module, NetSecu platforms are organized in a tree hierarchy where each level node is registered to its father node. A Central Management Site acts as the root node for large scale deployment. The policy is distributed from higher level to lower level NetSecu nodes, while security events are aggregated from lower level to higher level. Performance evaluation shows that our NetSecu system can achieve line rate with and without security function. Finally we deploy the NetSecu platform in multiple sites, where our design is fully demonstrated and tested.

Jiawei Zhang,Teng Li,Zuobin Ying,Jianfeng Ma

DOI: https://doi.org/10.1109/tcc.2022.3147226

IF: 5.697

2022-01-01

IEEE Transactions on Cloud Computing

Abstract:Cloud-Fog-Assisted Internet-of-Things (IoT) is a convincing paradigm to provide users with on-demand and low-latency services through Fog nodes in the edge of multiple clouds (Multi-Cloud). Multi-Cloud is a scalable multi-domain service-oriented net-centric system and can respond to complicated user requirements leveraging Multi-Cloud Service Composition (MCSC). However, in MCSC, user security can be easily compromised by untrusted and curious cloud service providers that may collect and violate the privacy and other essential assets of cloud users. Although many trust-based MCSC solutions have been proposed to seek a trustworthy composite service with highest trust level, most of them are vulnerable to malicious users intending to break through the clouds and inflict serious data leakage or asset damage. Considering these security concerns on both malicious users and untrusted service providers, in this article, we present a trust-based secure multi-cloud collaboration framework for Cloud-Fog-Assisted IoT systems. Specifically, to guarantee the security of users, we develop a role-based trust evaluation method to enhance the trustworthiness of MCSC. To preserve the security of services, we design an efficient user authentication scheme and a secure collaboration scheme to provide collaborative user authentication and access control mechanism for MCSC. We develop a proof of concept implementation for our framework and demonstrate its practicability by performance evaluation with extensive experiments.

computer science, information systems, theory & methods

Hootan Alavizadeh,Hooman Alavizadeh,Julian Jang-Jaccard

DOI: https://doi.org/10.1109/trustcom50675.2020.00171

2020-12-01

Abstract:The cloud model allows many enterprises able to outsource computing resources at an affordable price without having to commit the expense upfront. Although the cloud providers are responsible for the security of the cloud, there are still many security concerns due to inherently complex model the cloud providers operate on (e.g.,multi-tenancy). In addition, the enterprises whose services have migrated into the cloud have a preference for their own cybersecurity situation awareness capability on top of the security mechanisms provided by the cloud providers. In this way, the enterprises can monitor the performance of the security offerings of the cloud and have a choice to decide and select potential response strategies more appropriate to the enterprise in the presence of the attack where the defense provided by the cloud doesn't work for them. However, some response strategies, such as Moving Target Defense (MTD) techniques shown to be effective to secure cloud, cannot be deployed by the enterprise themselves. In this paper, we propose a framework that enables better collaboration between enterprises and cloud providers. Our proposed framework, which offers more in-depth security analysis based on the set of most advanced security metrics, allows the security experts of the enterprise to obtain better situational awareness in the cloud. With better and more effective situation awareness of cloud security, our framework can support better decision-making and further allows to deploy more appropriate threat responses to protect the outsourced resources. We also propose a secure protocol which can facilitate more secure communication between the enterprises and cloud provider. Using our proposed secure protocol, which is based on authentication and key exchange mechanism, the enterprises can send a secure request to the cloud provider to perform a selected defensive strategy.

Xiaochen Liu,Chunhe Xia,Tianbo Wang,Li Zhong

DOI: https://doi.org/10.1109/bigdatacongress.2017.87

2017-01-01

Abstract:In the process of big data analysis and processing, a key concern blocking users from storing and processing their data in the cloud is their misgivings about the security and performance of cloud services. There is an urgent need to develop an approach that can help each cloud service provider (CSP) to demonstrate that their infrastructure and service behavior can meet the users' expectations. However, most of the prior research work focused on validating the process compliance of cloud service without an accurate description of the basic service behaviors, and could not measure the security capability. In this paper, we propose a novel approach to verify cloud service security conformance called CloudSec, which reduces the description gap between the cloud provider and customer through modeling cloud service behaviors (CloudBeh Model) and security SLA (SecSLA Model). These models enable a systematic integration of security constraints and service behavior into cloud while using UPPAAL to check the conformance, which can not only check CloudBeh performance metrics conformance, but also verify whether the security constraints meet the SecSLA. The proposed approach is validated through case study and experiments with a cloud storage service based on OpenStack, which illustrates CloudSec approach effectiveness and can be applied in real cloud scenarios.

Beipeng Mu,Xinming Chen,Zhen Chen

DOI: https://doi.org/10.1109/cmc.2011.130

2011-01-01

Abstract:Network Security Appliances are deployed at the vantage point of the Internet to detect security events and prevent attacks. However, these appliances are not so effective when it comes to distributed attacks such as DDoS. This paper presents a design and implementation of collaborative network security management system (CNSMS), which organize the NetSecu nodes into a hybrid P2P and hierarchy architecture to share the security knowledge. NetSecu nodes are organized into a hierarchy architecture so they could realize different management or security functions. In each level, nodes formed a P2P networks for higher efficiency. To guarantee identity trustworthy and information exchange secure, PKI infrastructure is deployed in CNSMS. Finally experiments are conducted to test the computing and communication cost.

Ning Xi,Di Lu,Cong Sun,Jianfeng Ma,Yulong Shen

DOI: https://doi.org/10.1109/nana.2016.53

2017-01-01

Mobile Information Systems

Abstract:The regional and dynamic characteristics of mobile clouds pose a great challenge on information flow security during service composition. Although secure verification approaches based on standard noninterference provide a solid assurance on information flow security of composite service, too strict constraints on service components may cause the failure of composition procedure. In order to ensure the availability of composite service, we specify the declassification policies based on cryptographic operations to allow data to be legally declassified. And we propose the improved distributed secure service composition framework and approach, which can realize different cloud platforms in multiple domains, cooperate with each other to complete the declassification, and secure composition procedure. Through the experiment and evaluation, it is indicated that our approach provides a more reliable and efficient way for secure service composition in mobile clouds.

Ning Xi,Cong Sun,Jianfeng Ma,Yulong Shen

DOI: https://doi.org/10.1016/j.future.2014.12.009

IF: 7.307

2015-01-01

Future Generation Computer Systems

Abstract:Service clouds built on cloud infrastructures and service-oriented architecture provide users with a novel pattern of composing basic services to achieve complicated tasks. However, in multiple clouds environment, outsourcing data and applications pose a great challenge to information flow security for the composite services, since sensitive data may be leaked to unauthorized attackers during service composition. Although model checking has been considered as a promising approach to enforce information flow security precisely, its high complexity on modeling and the heavy cost on verification cause great burdens to the process of service composition. In this paper, we propose a distributed approach to composing services securely with information flow control. In our approach, each service component is first verified through model checking, and then a compositional verification procedure is executed to ensure the information flow security along with the composition of these services. The experimental results indicate that our approach can reduce the cost of verification compared with the global verification approach.