LI Jian-jun,XU Duan-qing,GUO Wei-qing

DOI: https://doi.org/10.3969/j.issn.1000-7024.2005.09.068

2005-01-01

Abstract:Combining with living examples and based on IPSEC,the realization of the VPN system was approached in many internet circumstances of remote access(such as gateway,broadband,xDSL etc.),and in view of the deficiency and the hidden troubles of the traditional static password,introduces a working mechanism was introduced which took into consideration both the tokencard two factor authentication and Windows AD,and proveds to be flexible and liable for the single-sign on clients.

Huang Dao

2003-01-01

Abstract:The paper analyses the principle and problmes of SSL, and applies fuzzy control algorithm to it to reduce latency.

Yin Shu-ling

Abstract:Secure socket layer protocol is developed for the security of the data transmission,SSL VPN is a kind of VPN technology based on SSL protocol.It provides remote access and has been applied in the enterprises increasingly in recent years.It analyzed the components of SSL VPN and researched the key technologies.In view of the problem that the outside users can not access the resources of enterprise network,a solution of SSL VPN is designed.SSL VPN provides remote-access connectivity from almost any Internet-enabled location using a web browser that natively supports SSL encryption,the connection of SSL VPN,the connection of SSL VPN can help enterprise to improve efficient production and information protection in security access,and decrease the management and maintenance cost.

Engineering,Computer Science

黄益民,平玲娣,潘雪增

DOI: https://doi.org/10.3785/j.issn.1008-973x.2001.06.005

2001-01-01

Abstract:After study of existing security models; analysis of information flow model, Bell-LaPadula(BLP) access control model and Biba access control model; and collation and comparison of their advantages and disadvantages, an improved model is put forward that satisfies the actual demands of information security. An implementation strategy is put forward that ensures information security, reliability, practicality and compatibility in the designed security system. An implementation scheme of this security system and its components and functions is provided. This system combines the following functions: mandatory access contro1, privilege separation, security audit, identity authentication and self-protection. It achieves the level 3 of national information security standard and level B1 of TCSEC standard. It was implemented in the Windows NT and Linux operating system and has yielded good resultsin application.

ZHENG Lan,CHEN Qi

DOI: https://doi.org/10.3969/j.issn.1000-7024.2005.07.058

2005-01-01

Abstract:With the rapid growth of internet and enterprises on a global scale, the use of directories as accessible repositories providesa flexible and various solution for gathering, storage and accessing information. The design and implementation of an unified accesscontrol system supporting single-sign-on areintrodueed, whichis based on LDAPdirectory and combines access controls ofall applicationsystems to realize security access system of unified users management. The system used middleware technology to efficiently resolvethe bottleneck problem when a lot of users accesed LDAP database.

Meng-zhou Gao,Dong-qin Feng

DOI: https://doi.org/10.1631/fitee.1700334

IF: 2.526

2018-01-01

Frontiers of Information Technology & Electronic Engineering

Abstract:Security issues in networked control systems (NCSs) have received increasing attention in recent years. However, security protection often requires extra energy consumption, computational overhead, and time delays, which could adversely affect the real-time and energy-limited system. In this paper, random cryptographic protection is implemented. It is less expensive with respect to computational overhead, time, and energy consumption, compared with persistent cryptographic protection. Under the consideration of weak attackers who have little system knowledge, ungenerous attacking capability and the desire for stealthiness and random zero-measurement attacks are introduced as the malicious modification of measurements into zero signals. NCS is modeled as a stochastic system with two correlated Bernoulli distributed stochastic variables for implementation of random cryptographic protection and occurrence of random zero-measurement attacks; the stochastic stability can be analyzed using a linear matrix inequality (LMI) approach. The proposed stochastic stability analysis can help determine the proper probability of running random cryptographic protection against random zero-measurement attacks with a certain probability. Finally, a simulation example is presented based on a vertical take-off and landing (VTOL) system. The results show the effectiveness, robustness, and application of the proposed method, and are helpful in choosing the proper protection mechanism taking into account the time delay and in determining the system sampling period to increase the resistance against such attacks.

Xi Chen

DOI: https://doi.org/10.54254/2755-2721/38/20230530

2024-02-07

Abstract:With the widespread application of computer network technology, computer network security defense capability has become a focus of attention in various industries. The extensive use of computer information systems in various sectors has significantly improved work efficiency but has also introduced security risks and management issues. The deployment of network security detection and control systems allows for effective security monitoring and management of computer operations and real-time network information. This paper presents a computer network security detection and control system based on human-computer interaction, which enables users to handle daily key business processes. The work principles and overall architecture of the network security detection and control system are analyzed and demonstrated. It offers functions such as filtering options, address rules, network security detection, network unreachability, overall traffic analysis, subnet definition, fault diagnosis, and security analysis. Testing and analysis indicate that the systems design achieves the intended goals. In the application of network security features, it can effectively combine various forces to enhance the quality and efficiency of network security, making it widely applicable in various industry units.

Zhen Chen,Fa-Chao Deng,An-An Luo,Xin Jiang,Guo-Dong Li,Run-hua Zhang,Chuang Lin

DOI: https://doi.org/10.1109/wcins.2010.5541863

2010-01-01

Abstract:Traditional NAC system in enterprise network is in coarse granularity (e.g. IP or MAC address) and lack of flexibility. Recently the demand in tight control of the enterprise network to defense the misuse and security issues become more and more urgent. Based on the TCG TNC standard, an application level network access control mechanism is proposed and implemented. With TNC client/server model in hand, a client is designed to enhance TNC client with the function of host flow controller (HFC), and intercepts each application network access request(ANAR) and transfer it to PDP server to authorize the access request. When a sensor (i.e. intrusion detection system) detects any malicious traffic, host flow controller and network flow controller can identify the application that origins this traffic by querying Metadata Access Point (MAP) server and block this application's network access. A prototype system is implemented to demonstrate the design and can be used to defense the anomaly network behaviors. The prototype system demonstrates that the hosts, switches, firewalls and IDS can work together to detect, diagnose and protect enterprise network from the malicious applications attack initiated inside or outside of an enterprise network, quarantine unhealthy hosts and make the enterprise network more reliable and trustworthy.

Chen Weidong,Wang Chao,Zhang Li,Xu Zheng,Xing Xishuang

DOI: https://doi.org/10.3969/j.issn.1000-386x.2013.03.080

2013-01-01

Abstract:Information security of server is encountering increasingly serious security menace.Viruses,worms,Trojans and other malicious programs impose the threat on the security of server system.The operating system has the needs to identify and control from kernel layer the subjects and objects imperilling the security.Mandatory access control has to be executed on files,registry,process,etc.in kernel layer.We study and address the implementation of operating system security kernel in terms of system resources and networks covert communication in this paper.The system has been applied to the corporate websites,various types of servers and other network security applications that have higher security requirement.The mandatory access control and each process,file,registry and network communications,etc.are all endued the appropriate security attributes systematically.Security attributes are set by the administrator strictly in accordance with the rules.Combined with the principle of least privilege and security auditing,security control is conducted at the application layer on the server or server cluster.

GUO Shize,ZHANG Fan,SONG Zhuoxue,ZHAO Ziming,ZHAO Xinjie,WANG Xiaojuan,LUO Xiangyang

DOI: https://doi.org/10.11959/j.issn.2096−109x.2022004

2022-01-01

Abstract:Network attack detection plays a vital role in network security. Existing detection approaches focus on typical attack behaviors, such as Botnets and SQL injection. The widespread use of the SSL/TLS encryption protocol arises some emerging attack strategies against the SSL/TLS protocol. With the network traffic collection environment that built upon the implements of popular SSL/TLS attacks, a network traffic dataset including four SSL/TLS attacks, as well as benign flows was controlled. Considering the problems that limited observability of existing detection and limited separation of the original-flow spatiotemporal domains, a flow spectrum theory was proposed to map the threat behavior in the cyberspace from the original spatiotemporal domain to the transformed domain through the process of “potential change” and obtain the “potential variation spectrum”. The flow spectrum theory is based on a set of separable and observable feature representations to achieve efficient analysis of network flows. The key to the application of flow spectrum theory in actual cyberspace threat behavior detection is to find the potential basis matrix for a specific threat network flow under the condition of a given transformation operator. Since the SSL/TLS protocol has a strong timing relationship and state transition process in the handshake phase, and there are similarities between some SSL/TLS attacks, the detection of SSL/TLS attacks not only needs to consider timing context information, but also needs to consider the high-separation representation of TLS network flows. Based on the flow spectrum theory, the threat template idea was used to extract the potential basis matrix, and the potential basis mapping based on the long-short-term memory unit was used to map the SSL/TLS attack network flow to the flow spectrum domain space. On the self-built SSL/TLS attack network flow data set, the validity of the flow spectrum theory is verified by means of classification performance comparison, potential variation spectrum dimensionality reduction visualization, threat behavior feature weight evaluation, threat behavior spectrum division assessment, and potential variation base matrix heatmap visualization.

Zhong-Hua Pang,Lan-Zhi Fan,Haibin Guo,Yuntao Shi,Runqi Chai,Jian Sun,Guo-Ping Liu

DOI: https://doi.org/10.1080/00207721.2022.2143735

2022-11-14

Abstract:A networked control system (NCS), which integrates various physical components by utilising communication networks, is a complex intelligent control system with high flexibility and reliability. It has been widely applied in various areas, such as power grids, intelligent transportation, and smart manufacturing. However, compared with traditional control systems, NCSs expose more extra vulnerabilities with the openness of communication networks, leading to long-term concerns for the security of NCSs against cyber attacks. This paper gives a survey in detail on recent developments on the security of NCSs subject to deception attacks from the two domains of information technology (IT) and system control, respectively. First, several security incidents reported in recent years are reviewed and a couple of prevailing cyber attacks are analysed. Besides, the results on IT security with respect to the protection-detection-reaction model are summarised. Then, from the domain of system control, the security issues on attack design, attack detection, secure state estimation and resilient control are surveyed in depth. Furthermore, several novel security topics from the combination of IT and system control are also discussed. Finally, several future research directions are presented on this topic.

Xiuzhen Chen,Qinghua Zheng,Xiaohong Guan

DOI: https://doi.org/10.1007/s10796-008-9111-6

2008-01-01

Information Systems Frontiers

Abstract:Many security problems are caused by vulnerabilities hidden in enterprise computer networks. It is very important for system administrators to have knowledge about the security vulnerabilities. However, current vulnerability assessment methods may encounter the issues of high false positive rates, long computational time, and requirement of developing attack codes. Moreover, they are only capable of locating individual vulnerabilities on a single host without considering correlated effect of these vulnerabilities on a host or a section of network with the vulnerabilities possibly distributed among different hosts. To address these issues, an active vulnerability assessment system NetScope with C/S architecture is developed for evaluating computer network security based on open vulnerability assessment language instead of simulating attacks. The vulnerabilities and known attacks with their prerequisites and consequences are modeled based on predicate logic theory and are correlated so as to automatically construct potential attack paths with strong operation power of relational database management system. The testing results from a series of experiments show that this system has the advantages of a low false positive rate, short running periods, and little impact on the performance of audited systems and good scalability. The security vulnerabilities, undetectable if assessed individually in a network, are discovered without the need to simulate attacks. It is shown that the NetScope system is well suited for vulnerability assessment of large-scale computer networks such as campus networks and enterprise networks. Moreover, it can also be easily integrated with other security tools based on relational databases.

Qi Gao,Jinniu Bai

DOI: https://doi.org/10.1088/1742-6596/2143/1/012019

2021-12-01

Journal of Physics: Conference Series

Abstract:Abstract With the rapid development of Internet, network security occupies the primary position in computer technology. It is mainly to ensure the security of information, can make the information in the network safe transmission. Next, also want to prevent the invasion of soft virus infection. At present, there are many kinds of technologies to maintain network information security. Such as firewalls, anti-virus software technology, file encryption and digital signature technology. This paper describes the vulnerability of network security and the importance of maintaining its security, mainly study the role of Java in computer network security technology and its application in which, finally based on Java network security technology and some other comparison, draw its advantages.

Yan Jiang,Jing Huang,Yunsong Fan,Xiaobin Zhu

DOI: https://doi.org/10.13052/jcsm2245-1439.1345

2024-06-14

Journal of Cyber Security and Mobility

Abstract:With the development of Internet of Things technology, the security threats faced by the industrial control field are increasing, and strengthening the security protection capabilities of intelligent systems on IoT highways is becoming increasingly important. IPSec VPN tunneling technology can achieve identity authentication and encrypted data transmission, and is an important means to achieve secure data transmission in intelligent systems on Expressway intelligent tunnel system. The commonly used IPSec VPN gateway uses a traditional Linux protocol stack-based approach for data capture, which requires multiple data copies and context switching, resulting in low efficiency of IPSec services. In addition, the commonly used IPSec VPN security gateway is implemented on the basis of the open-source IPSec framework, using internationally recognized algorithms for encryption and decryption, which poses security risks. This article is based on the IPSec protocol, and studies the high-speed network packet capture framework PFRING technology, the fusion technology of national secret algorithm and IPSec protocol. It designs and implements an IPSec VPN IoT security gateway based on national secret algorithm. After experimental verification, the IPSec VPN gateway system constructed in this article has complete functions and better performance than the common open-source IPSec frameworks OpenSwan and strongSwan, and can meet the application requirements of IoT data encryption transmission.

Tian Huan

DOI: https://doi.org/10.1007/978-3-642-31656-2_104

2013-01-01

Abstract:Since nineties of last century , the world have feaced the Internet storm.From then on,network application have began to go into every aspect of our lives gradually. But the traditional Internet Protocol ( TCP / IP ) does not provide information transmission security mechanism.From the technical level, how to solve the problems of network information thefting, tampering, hacking attack have become a pressing matter of the moment of our science and technology workers. This paper is precisely based on this perspective. Through this views,we analyse and discuss the computer network communication protocol deeply. From the theoretical level, the SSL protocol is applied to the TCP protocol. From doing so,the problem of information transmission security that cannont be solved by traditional TCP/IP protocol will be solved successfully. At the last, an example of online bank specific will be discussed, the reaserch of this paper will be uesd in this example.

Shiyong Zheng,Zhao Li,Biqing Li

DOI: https://doi.org/10.1063/1.4977398

2017-01-01

AIP Conference Proceedings

Abstract:In this paper, it firstly introduces the related knowledge of access control list (ACL) technology, hardware requirements and software configuration. Then it discusses the topological structure of campus network from the perspective of campus network planning as well as demonstrates the application of ACL technology in campus network combined with examples.

Fan Yan,Yang Jian-Wen,Cheng Lin

DOI: https://doi.org/10.1109/icmtma.2015.77

2015-06-01

Abstract:The rapid development of computer network system brings both a great convenience and new security threats for users. Network security problem generally includes network system security and data security. Specifically, it refers to the reliability of network system, confidentiality, integrity and availability of data information in the system. Network security problem exists through all the layers of the computer network, and the network security objective is to maintain the confidentiality, authenticity, integrity, dependability, availability and audit-ability of the network. This paper introduces the network security technologies mainly in detail, including authentication, data encryption technology, firewall technology, intrusion detection system (IDS), antivirus technology and virtual private network (VPN). Network security problem is related to every network user, so we should put a high value upon network security, try to prevent hostile attacks and ensure the network security.

Guihai Chen,Victoria C. Yan,Qing Li,Zengzhi,Liao,Zhigang

2005-01-01

Abstract:The wide application of network technology in power systems brings not only convenience and flexibility but also security threats. An architecture of network security for power system was proposed in this study,which protected data and facilities from being attacked by outside users by means of firewall, security monitor and control system. Firewall was basically the first line of defense for the intranet; the security monitoring system was a kind of IDS (Intrusion Detection System), while security control system provided authentication, authorization,data-encrypted transmission and security management. This architecture provides various security services, such as identification, authentication, authorization, data integrity and confidentiality.

Vijay Varadharajan,Uday Tupakula,Kallol Krishna Karmakar

DOI: https://doi.org/10.1145/3630103

2023-10-30

ACM Transactions on Cyber-Physical Systems

Abstract:Increasingly Industrial Control Systems (ICS) systems are being connected to the Internet to minimise the operational costs and provide additional flexibility. These control systems such as the ones used in power grids, manufacturing and utilities operate continually and have long lifespans measured in decades rather than years as in the case of IT systems. Such industrial control systems require uninterrupted and safe operation. However, they can be vulnerable to a variety of attacks, as successful attacks on critical control infrastructures could have devastating consequences to the safety of human lives as well as a nation’s security and prosperity. Furthermore, there can be a range of attacks that can target ICS and it is not easy to secure these systems against all known attacks let alone unknown ones. In this paper, we propose a software enabled security architecture using Software Defined Networking (SDN) and Network Function Virtualisation (NFV) that can enhance the capability to secure industrial control systems. We have designed such an SDN/NFV enabled security architecture and developed a Control System Security Application (CSSA) in SDN Controller for enhancing security in ICS by achieving real time situational awareness and dynamic policy-driven decision making across the network infrastructure. In particular, CSSA can be used for establishing secure path for end-to-end communication between devices and also deal against certain specific attacks namely denial of service attacks, from unpatched vulnerable control system components and securing the communication flows from the legacy devices that do not support any security functionality. We also discuss how CSSA provides reliable paths for safety critical messages in control systems. We discuss the prototype implementation of the proposed architecture and the results obtained from our analysis.

LI Jiang-hai,HUANG Xiao-jin

2012-01-01

Abstract:The digitalization and networking of control systems in nuclear power plants has brought significant improvements in system control,operation and maintenance.However,the highly digitalized control system also introduces additional security vulnerabilities.Moreover,the replacement of conventional proprietary systems with common protocols,software and devices makes these vulnerabilities easy to be exploited.Through the interaction between control systems and the physical world,security issues in control systems impose high risks on health,safety and environment.These security issues may even cause damages of critical infrastructures and threaten national security.The importance of control system security by reviewing several control system security incidents that happened in nuclear power plants was showed in recent years.Several key difficulties in addressing these security issues were described.Finally,existing researches on control system security and propose several promising research directions were reviewed.