TIAN Yu-hong,WANG Ze-bing,FENG Yan

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.24.029

2006-01-01

Abstract:The Java virtual machine(JVM)is used more frequently as the basic engine behind dynamic web services.With the proliferation of network attacks on these network resources,much work are done to provide security for the network environment.Little effort has been placed on securing a Java web server where the attacker has a valid login to the host machine.After describing the vulnerabilities in Java's security mechanisms,an extended security system based on Java 2 security architecture is introduced.It also explains the runtime status of system.The increased assurance of correct system operation and the integrity of Java application server are provided.

寇雅楠,李增智,廖志刚,宋涛,周恒琳

DOI: https://doi.org/10.3321/j.issn:0372-2112.2003.11.025

2003-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:By the aid of pluggable module, a security prototype is designed in the active network, which facilitates the security in the aspects of encryption, digital signature, authorization, authentication and revocation. The encryption and digital signature ensure the integrity and confidentiality to the active code. The decode-binding realizes the expansion capacity of the encryption methods in the system. By means of the certificate-checking method, the whole system designs a certificate center that issues X.509 certificate and manages the certificate through light directory access protocol (LDAP). With the active capability adapted to describe any authorization policy, the system can either choose the permitted policy or change the policy according to the requirements of the users. The revocation designed for the active network ensures the validity in the operation of the active code. In the meantime, with the trace records in the database, the revocation can realize the security alarm in the whole system.

Ye Guo,Miaoliang Zhu

DOI: https://doi.org/10.1109/IMSCCS.2006.178

2006-01-01

Abstract:Considering the shortcomings of the current worm Defense system, an agent-oriented worm Defense system, AOSWD, is proposed in this paper. In the hierarchical framework of AOSWD, the agents are independent but can roam in the network freely and collaborate with each other to defend against Internet worms. In this paper, we discuss the system architecture and the realization details, propose the key technique for the system and analyze the system performance.

周恒琳,李增智

DOI: https://doi.org/10.3969/j.issn.1000-7180.2004.07.030

2004-01-01

Abstract:The paper represents how to utilize the authentication and authorization theory to resolve the secure problem of the active network. A packet authentication and code authorization mechanism for active network is realized, with the application of the digital certificate and signature technology, the security system of the Java language, as well as the Java Authentication and Authorization Service; In addition, the secure active packet is designed to collaborate with this mechanism. The packet authentication module authenticates the identity of the active packet and checks the integrality of the packet in order to prevent illegal active node from sending baleful code or juggling the active packet midway. The code authenticate module includes authentication of the Executive Environment's code and authentication of the active packet's code. It avoids the ruinous effect on active node by restricting the action of the extraneous code in the active node.

YN Kou,ZZ Li,ZG Liao

DOI: https://doi.org/10.1109/icapp.2002.1173598

2002-01-01

Abstract:As a new programmable network architecture, the active network supports the development, verification and deployment of new network protocols and services. It is not used widely as we expected. The main reason is that its security has not been resolved. We introduce an active network security prototype designed by a pluggable module. It implements three aspects of security, including cryptography and digital signatures; authentication and authorization; revocation; etc. Especially, cryptography solves the integrity and confidentiality of active codes, and the decode mode implements cryptography's replacement and extensibility. Our system is dual nonrepudiation on both. Nonrepudiation on both is that the sender cannot deny that he sends the message; dual nonrepudiation means that nonrepudiation has been done in digital signature authentication and authorization authentication. The section of revocation designed according to the active network guarantees the validity of active code's execution. We measured latency and throughput of the experimental active network on two services: a prototype for active networks, a prototype of security for active networks. In fact, the security techniques applied in our system have little influence on the latency and throughput of active networks.

Nie Fei,Li Zengzhi,CHEN Yan,Qi Jianjun

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.05.051

2005-01-01

Abstract:Traditional certificate will lose efficiency considerablely for active network. Code certificate was put forward in the article to overcome it; code certificate changes the entity from the publisher to code itself. So active node can grant privilege to the active protocol more detailed. The change of the entity makes it possible to add the resource usage information of the protocol in the certificate, which makes it more effective than traditional ACL mode, too. The principle and implementation are described in the article and a simulation test was made. The simulation result shows that code certificate can improve efficiency about 25 percent for sensitive operation than traditional certificate method.

WANG Jianguo,HU Chuan

DOI: https://doi.org/10.3969/j.issn.2095-347x.2008.10.007

2008-01-01

Abstract:When the active network technology with the programmable characteristic is applied to the network management system,many scopes need to be supported by communication services,such as the interaction of network management terminal and active nodes,as well as between active node,and the active code dynamic loading.In order to meet the communication requires of the service-oriented network management system proposed by us,this paper analyses communication functions,and designs the structure of execution environmental and the encapsulation format for active packet.At the same time,the function of dynamically loading active code is implemented based on the Distributed Code Caching for Active Network and a communication platform is implemented.This platform has been applied to the network management prototype system.The application results show that this platform can dynamically load active code and can provide the basis of communications services.

YH Wu,K Xu,JP Wu,MW Xu

DOI: https://doi.org/10.1109/ictel.2003.1191171

2004-01-01

Abstract:Active network is a new network architecture of the last few years, in which active nodes provide programmable network services on passing packets. Users can configure, extend and download these services through active packets. However, the flexibility of network brings serious security problems. Because there are always malicious attackers in network, we must limit users' access to the resources and statuses of active routers to guarantee their safe running. Because traditional routers are mainly responsible for packets forwarding, and lack enough security support to router software, it's necessary to design consummate active network security architecture. This paper defines the integrated security architecture of active network, and provides safe protection to each phase of active codes during their running. And we also define the security architecture of active nodes, and bring forward the resource managing mechanism based on access control. The security architecture and mechanism introduced by this paper have been implemented in Extensible Service Router prototype system.

汤勇平,陆鑫达,朱蕾

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.03.034

2002-01-01

Abstract:Acquiring of load information is a precondition for dynamic load balancing which is a critical issue of networking parallel computing. In this paper, we present the architecture and implementation of JSYS (the load status inspecting system in Java parallel computing environment) which uses Java RMIJNI. The techniques of how to get the load information and the data processing method are also discussed. The experiment results show that the JSYS works correctly and it can provide effective services for dynamic load balancing requirement.;

Mw He,Xc Liu,Gz Zhang

DOI: https://doi.org/10.1108/03684920410514201

IF: 2.352

2004-01-01

Kybernetes

Abstract:This paper discusses the implementation method of open router based on active network, and describes the measure to assure the security of network. The active network can supply the clients with the new services by loading new code on the router in active network, but not changing the hardware.

Chen Xiao-lin,Zhou Jing-yang,Dai Han,Lu Sang-lu,Chen Gui-hai

DOI: https://doi.org/10.1007/bf02828636

2005-01-01

Wuhan University Journal of Natural Sciences

Abstract:We introduce a cluster-based secure active network environment (CSANE) which separates the processing of IP packets from that of active packets in active routers. In this environment, the active code authorized or trusted by privileged users is executed in the secure execution environment (EE) of the active router, while others are executed in the secure EE of the nodes in the distributed shared memory (DSM) cluster. With the supports of a multi-process Java virtual machine and KeyNote, untrusted active packets are controlled to securely consume resource. The DSM consistency management makes that active packets can be parallely processed in the DSM cluster as if they were processed one by one in ANTS (Active Network Transport System). We demonstrate that CSANE has good security and scalability, but imposing little changes on traditional routers.

Xiaoqi Song,Wenjie Lv,Haipeng Qu,Lingyun Ying

2023-03-22

Abstract:Code-reuse attacks have become a kind of common attack method, in which attackers use the existing code in the program to hijack the control flow. Most existing defenses focus on control flow integrity (CFI), code randomization, and software debloating. However, most fine-grained schemes of those that ensure such high security suffer from significant performance overhead, and only reduce attack surfaces such as software debloating can not defend against code-reuse attacks completely. In this paper, from the perspective of shrinking the available code space at runtime, we propose LoadLord, which dynamically loads, and timely unloads functions during program running to defend against code-reuse attacks. LoadLord can reduce the number of gadgets in memory, especially high-risk gadgets. Moreover, LoadLord ensures the control flow integrity of the loading process and breaks the necessary conditions to build a gadget chain. We implemented LoadLord on Linux operating system and experimented that when limiting only 1/16 of the original function. As a result, LoadLord can defend against code-reuse attacks and has an average runtime overhead of 1.7% on the SPEC CPU 2006, reducing gadgets by 94.02%.

Cryptography and Security

CHEN Yulai,SHAN Rongsheng,BAI Yingcai

DOI: https://doi.org/10.3969/j.issn.1009-8054.2007.02.062

2007-01-01

Abstract:This paper presents a dynamic defense model of network security, based on which a prototype system is implemented. The system integrates the mechanisms of detection and access control, and has close loop response to the results of attack detection. The system obtains some changes of the service port by network service discrimination and active scan technologies, and then dynamically adjusts and loads the detection module according to these changes, so that the accuracy and efficiency of detection are improved. The experimental results show that the system has a closed-loop dynamic protection mechanism.

ZHOU Heng-lin,LI Zeng-zhi,WU Ya-qiang,LIAO Zhi-gang

DOI: https://doi.org/10.3969/j.issn.1001-3695.2005.07.039

2005-01-01

Abstract:Utilizing the trait that protocol can be deployed dynamically in active net, the component-based security mechanism is designed for active ne tworks on the base of the security prototype of active networks. The mechanism can meet the security requirement of the active networks, such as secrecy, integrality and usability, and provides security measure including extensible encryption and decryption, authentication and authorization, execution monitor and code revocation, etc for active packet and active node. In addition, it supports dynam itic load and customization, therefore security level can be customized for active networks according to the actual application.

Xinming Chen,Beipeng Mu,Zhen Chen

DOI: https://doi.org/10.1109/cmc.2011.94

2011-01-01

Abstract:Malicious attacks are frequently launched to make specified network service unavailable, compromising end hosts for political or business purpose. Though network security appliances are widely deployed to resist these attacks, there is a lack of dynamic and collaborative platform to flexibly configure and manage all the security elements. In this paper, we present NetSecu, a platform based on Java and Click Router, which can dynamically enable, disable and configure security elements such as firewall, IPS and AV. Furthermore, a collaborate module is implemented to integrate individual NetSecu platform into a Secure Overlay Network, providing collaborative traffic control against DDoS attack. Equipped with collaborate module, NetSecu platforms are organized in a tree hierarchy where each level node is registered to its father node. A Central Management Site acts as the root node for large scale deployment. The policy is distributed from higher level to lower level NetSecu nodes, while security events are aggregated from lower level to higher level. Performance evaluation shows that our NetSecu system can achieve line rate with and without security function. Finally we deploy the NetSecu platform in multiple sites, where our design is fully demonstrated and tested.

楼润瑜,王备战,王伟

2010-01-01

Abstract:In order to defend the attacks caused by DDOS and worms(or vicious codes) in large scale network,a general,solid,in-depth and distributed active cooperation defense model is presented.A set of achievable methods ranging from systemic architecture,function mechanisms and algorithm descriptions are given.The model,which is demonstrated by the system architecture,function modules and active cooperation defense to stop the attacks,is the integrated and systemic model.It integrates several role security technologies,such as IDS,firework and honeynet,and achieves a complete set of functional mechanisms for active cooperation defense.By the cooperation from the security components within inside and outside the autonomous system(AS),we realize the active cooperation defense which involves the multi-level defense range from network boundary level,kernel level,sub-network level to host level.As a result,the presented model not only can achieve effectively security defense in the large scale network,but also can have the good generality and scalability.

王建国,李增智,王宇,寇雅楠

DOI: https://doi.org/10.3321/j.issn:0253-987X.2002.08.012

2002-01-01

Abstract:After analyzing the current research about active network security, a universal security mechanism for active network is presented. This mechanism keeps to the security specification proposed by Active Network Security Working Group. According to the characteristics of active network, two important protected objects, active node and capsule, are proposed. This mechanism constructs two engines, authentication/authorization engine and accessing control engine. Certificate database and security policy database are designed so that engines can consult certificate to authenticate principals' identity and refer to security policy to control capsule to access system resources when it provide request services for execution environment. These can protect active nodes effectively. In order to describe the complicated dynamic security control policies, this mechanism imports capability. Digital signature and software states catching mechanism are used to protected and isolated capsules. Active nodes and capsules can be protected effectively with this mechanism. Security facilities implemented with this mechanism can serve as a generic component to build secure active network.

Yang Xiong,Zhu Yuguang,Yun Xiaochun

DOI: https://doi.org/10.3969/j.issn.1000-386X.2010.05.084

2010-01-01

Abstract:Based on the analytical comparison of quite a few worm detection and restraint strategies,an improved dual-cycle worm detection and restraint algorithm is proposed in this paper.The effectiveness of the algorithm in detecting and restraining the attacks from normal worm scanning and concealed worm scanning is discussed.Meanwhile the impact of misusing routine network traffic is also taken into consideration,so that it brings down the false alarm rate greatly.At last,the worm detection effect of the algorithm is analysed through the simulation experiment in the backgrounds of usual network and congestion network,the results verifies that the algorithm can detect and restrain worms effectively whilst the false alarms is quite low.

Dongsheng CHEN,Peikang WANG

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.12.091

2007-01-01

Abstract:Mobile Ad Hoc networks (MANET) are highly dependant on the different types of nodes and the physical network environment. During the research on MANET, simulation can reflect only a partial behavior for the new protocols in the reallife. Deploying real-life MANET is therefore an indispensable complementary step for the advancement of MANET. This paper presents a Java-based secure MANET application framework——J-SMAF, which brings the intrusion detection system into the flexible and extensible application framework. With J-SMAF, people could build healthy and secure MANET real-life evaluation test-bed and application system easily on different platforms and in various environments.

Guang Jin,Jian-gang Yang,Wei Wei,Ya-bo Dong

DOI: https://doi.org/10.3724/sp.j.1146.2007.00460

2008-01-01

Abstract:Major defensive mechanisms against DoS attacks in the Internet are reviewed. Especially the most recent capabilities techniques, such as basic concepts, stateless flow filtering and the Traffic Validation Architecture (TVA), are analyzed deeply. The related discussions about the shortcomings of current capabilities techniques, such as potential Denial-of-Capability (DoC) attacks, decrement of transmission efficiency, are given in detail. Some improvement methods are provided. They include protecting capabilities requests with notifications, bi-level capabilities, flexible and dynamical capabilities assignment, etc. These methods enhance the robustness and efficiency of capabilities. Theoretical evaluations and simulations show that the improvements outperform original schemes and are more practical in the Internet.