Da-Wen Huang,Fengji Luo,Jichao Bi,Mingyang Sun

DOI: https://doi.org/10.1109/tifs.2022.3191491

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Deploying Intrusion Detection Systems (IDSs) is an essential way to enhance the security of Multi-hop Clustered Wireless Sensor Networks (MCWSNs). The conventional IDS deployment architectural designs show limitations in ensuring the security of MCWSNs due to the limited monitoring range of the nodes. This paper proposes an efficient IDS deployment architecture for MCWSNs. The architecture is a hybrid design, in which the cluster heads and the sink collaboratively act as IDS agents to monitor the entire network and perform intrusion detection. Based on the new architecture, this paper proposes a resource allocation model to optimally allocate resources among the IDS agents so that the network’s security metric can be maximized. A comprehensive analytical framework is proposed to analyze the optimality of the model’s solution, and an efficient computational approach is developed to obtain the optimal resource allocation strategy. Extensive numerical simulation and comparison studies are conducted to validate the proposed method.

Song Wang,Hongbing Lv

DOI: https://doi.org/10.1109/iccps.2011.6089933

2011-01-01

Abstract:In the existing IPSec architecture, in which tunnel is built in kernel, the number of concurrent tunnels is restricted by IP address configured on the machine and user can not control the process of establishing tunnel. This brings inconvenience when we use personal computer to measure the performance parameters of VPN Gateway (e.g. the maximum number of concurrent tunnels and the maximum rate of the new tunnels built). In order to solve this problem, this paper presents a novel IPSec multi-tunnels concurrent architecture which uses distributed objects to build tunnels in user space. The architecture privodes one Console which are used to control all AgentNodes and multiple AgentNodes which are used to build tunnels. In AgentNode, the negotiation processing of tunnels, the IPSec processing of packets and the protocol processing of TCP/IP are all completed in user space by objects. Meanwhile, AgentNode uses virtual IP address instead of local IP address to negotiate tunnel and the number of concurrent tunnels will be unlimited (only limited by memory). Moreover, based on distributed architecture, the number of AgentNode can be arbitrarily extended. Therefore, the system has a great deal of flexibility on the number of concurrent tunnels and the rate of tunnel establishment, which helps to accurately measure the performance parameters of VPN Gateway.

Haifeng Zhou,Chunming Wu,Ming Jiang,Boyang Zhou,Wen Gao,Tingting Pan,Min Huang

DOI: https://doi.org/10.1109/mcom.2015.7081074

IF: 9.03

2015-01-01

IEEE Communications Magazine

Abstract:The past few years have witnessed revolutionary advances in network technology. Along with new techniques such as SDN come lots of new network security challenges. Conventional network security mechanisms are incompetent to overcome these challenges, since they are built on a static network configuration that facilitates attackers in finding the weaknesses of a network. In this article, we conceive a novel conceptual network security mechanism, the evolving defense mechanism (EDM), to resolve current and future security problems. EDM is based on a bio-inspired idea of network configuration variations. According to the security requirements of the system, the user, and the network security state, EDM selects an efficient network configuration variation strategy to prevent corresponding security threats. Combined with SDN implementation, EDM resolves security problems from a new angle and is capable of evolving with new network security technology. We sketch a way to implement EDM and present its reference framework, which serves as an ecosystem and coexisting environment for various kinds of network configuration variations. The proposed mechanism avoids the deficiency of conventional mechanisms and has potential to cope with emerging security threats.

Junchi Xing,Haifeng Zhou,Jinfan Shen,Kai Zhu,Yansong Wang,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/ICT.2018.8464855

2018-01-01

Abstract:Distributed Denial-of-Service (DDoS) attack has been a "nightmare" for cloud. A countermeasure is to establish an Intrusion Detection and Prevention System (IDPS) for cloud. Nevertheless, current IDPSes fail to achieve the detection and prevention in a flexible and lightweight way. In this paper, we propose a novel scheme of IDPS for overcoming the above problem, termed as Auto-scaling IDPS (AsIDPS). AsIDPS is based on Software-Defined Networking (SDN) and Docker container technologies. It first detects abnormal traffic based on the flow statistics collected in SDN switches in real-time. By the SDN controller, the abnormal traffic will be directed to the created Docker containers with Snort running on them for further detection and clean-up. Particularly, the Docker containers can be automatically scaled out or scaled down on demand. The Snort will also deliver an alert to the SDN controller if it detects attack traffic so as to perform a countermeasure if necessary. Benefitting from the flexible network management offered by SDN and the lightweight Docker container, AsIDPS is able to build a flexible and lightweight defense against DDoS attack in cloud. Based on our prototype implementation, we validate the effectiveness of AsIDPS in defending DDoS attack, and also verify its flexibility and lightweight.

Guangfeng Guo,Junxing Zhang,Zhanfei Ma

DOI: https://doi.org/10.2298/csis200206049g

2021-01-01

Computer Science and Information Systems

Abstract:As traditional networks, the software-defined campus network also suffers from intrusion attacks. Current solutions for intrusion prevention cannot meet the requirements of the campus network. Existing methods of attack traceback are either limited to specific protocols or incur high overhead. To protect the data center (DC) of the campus network from internal and external attacks, we propose an Intrusion Prevention System (IPS) based on the coordinated control between the detection engine, the attack traceback agent, and the software-defined control plane. Our solution includes a novel algorithm to infer the best switch port for defending different attacks of varied scales based on the inverse HSA (Header Space Analysis) and the global view of the software-defined controller. The proposed scheme can effectively and timely block the malicious traffic not only protecting victim hosts from attacks but also preventing the whole network from suffering unwanted transmission burden. The proposed IPS is deployed on the bypass of the DC switch and collects network traffic by port mirroring. Compared with the traditional serial deployment, the new design helps defend the DC internal attacks, reduce the probability of network congestion, and avoid the single point of failure. The experimental results show that the overhead of our IPS is very low, which enables it to meet the real-time requirements. The average defense time is between 10 and 14 ms for the data center internal attacks of different scales. For external attacks, the maximum defense time is about 76 ms for a large-scale network with 100 switches.

computer science, information systems, software engineering

Tiantian Cai,Lin Fan,Siliang Suo,Hao Yao,Ganyang Jian,W. Xi

DOI: https://doi.org/10.1109/ITNEC.2019.8729305

2019-03-15

Abstract:The target of security protection of the power distribution automation system (the distribution system for short) is to ensure the security of communication between the distribution terminal (terminal for short) and the distribution master station (master system for short). The encryption and authentication gateway (VPN gateway for short) for distribution system enhances the network layer communication security between the terminal and the VPN gateway. The distribution application layer encryption authentication device (master cipher machine for short) ensures the confidentiality and integrity of data transmission in application layer, and realizes the identity authentication between the master station and the terminal. All these measures are used to prevent malicious damage and attack to the master system by forging terminal identity, replay attack and other illegal operations, in order to prevent the resulting distribution network system accidents. Based on the security protection scheme of the power distribution automation system, this paper carries out the development of multi-chip encapsulation, develops IPSec Protocols software within the security chip, and realizes dual encryption and authentication function in IP layer and application layer supporting the national cryptographic algorithm.

Engineering,Computer Science

Tao Hu,Peng Yi,Yuxiang Hu,Julong Lan,Zhen Zhang,Ziyong Li

DOI: https://doi.org/10.1016/j.comnet.2020.107619

IF: 5.493

2020-12-01

Computer Networks

Abstract:<p>The ease of programmability in Software-Defined Networking has greatly facilitated SDN application development and deployment. Applications run simultaneously in the controller and generate policies to serve the network together. However, multiple applications may cause unintentionally harmful interferences even if each SDN application is properly programmed. Unfortunately, the existing SDN verification and test work have no consideration of application interferences. To solve this problem, we develop the mathematical models for applications and policies and elaborate the relationships of policies based on computational geometry. The application interference is formally defined according to policy conflict. To this end, we propose an efficient <strong>S</strong>DN <strong>A</strong>pplication <strong>I</strong>nterference <strong>D</strong>etection and <strong>E</strong>limination (<strong>SAIDE</strong>) scheme. Firstly, on the basis of designed policy refactor, we encode the matching fields of policies as bit vectors and design bit vectors AND operation to analyze the policy relationships. Then, we combine the action and refactor fields of policies to detect the application interferences (direct and indirect interferences). Finally, with multi-criteria decision making, we assign priorities to conflicting policies to eliminate the corresponding application interferences. We demonstrate the effectiveness and scalability of SAIDE through a proof-of-concept prototype. Simulation results show that the SAIDE can effectively detect the application interferences with 98% accuracy at least and has reduced the detection time by 23.9% compared to the state-of-the-art work.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Muhamad Felemban,Yahya Javeed,Jason Kobes,Thamir Qadah,Arif Ghafoor,Walid Aref

DOI: https://doi.org/10.48550/arXiv.1810.02061

2018-10-04

Cryptography and Security

Abstract:Data-intensive applications exhibit increasing reliance on Database Management Systems (DBMSs, for short). With the growing cyber-security threats to government and commercial infrastructures, the need to develop high resilient cyber systems is becoming increasingly important. Cyber-attacks on DBMSs include intrusion attacks that may result in severe degradation in performance. Several efforts have been directed towards designing an integrated management system to detect, respond, and recover from malicious attacks. In this paper, we propose a data Partitioning-based Intrusion Management System (PIMS, for short) that can endure intense malicious intrusion attacks on DBMS. The novelty in PIMS is the ability to contain the damage into data partitions, termed Intrusion Boundaries (IBs, for short). The IB Demarcation Problem (IBDP, for short) is formulated as a mixed integer nonlinear programming. We prove that IBDP is NP-hard. Accordingly, two heuristic solutions for IBDP are introduced. The proposed architecture for PIMS includes novel IB-centric response and recovery mechanisms, which executes compensating transactions. PIMS is prototyped within PostgreSQL, an open-source DBMS. Finally, empirical and experimental performance evaluation of PIMS are conducted to demonstrate that intelligent partitioning of data tuples improves the overall availability of the DBMS under intrusion attacks.

YANG Xin,LI Hui,QUE Jianming,MA Zhentai,LI Gengxin,YAO Yao,WANG Bin,JIANG Fuli

DOI: https://doi.org/10.11896/jsjkx.220600265

2023-01-01

Abstract:Traditional IP-based Internet offers an end-to-end data transport service and has developed rapidly in the past half-century.However,serious security incidents emerged from attacks based on traditional networks.Traditional security mechanisms(e.g.,firewalls,intrusion detection systems) enhance security.However,most of them only provide some remedial strategies rather than solve the address-security problem radically due to the lack of change in network design.The overall in-depth security of the networked system cannot be guaranteed without a fundamental change.In order to meet the development requirements of the next generation of an endogenous security network,one of the future networks,the multi-identifier network(MIN),is introduced as our research background.This paper proposes an efficient scheme in hieratical architecture that provides comprehensive protection by addressing the security aspects pertaining to the network and application layers.At the network layer,the proposed architecture develops a multi-identifier routing scheme with embedded identity-based authentication and packet signature mechanisms to provide data tamper-resistance and traceability.At the application layer,the proposed architecture designs a mimic defensive scheme combined with weighted network centrality measures.This scheme focuses on protecting the core components of the whole network to improve the service's robustness and efficiently resist potential attacks.This paper tests and evaluates the proposed scheme from a theoretical and practical perspective.An analytical model is built based on the random walk for theoretical evaluation.In experiments,the proposed scheme is developed in MIN as MIN-VPN.Then considering IP-VPN as a baseline,anti-attack tests are conducted on IP-VPN and MIN-VPN.The results of theoretical evaluations and experiments show that the proposed scheme provides excellent transmission performance and successful defense against various TCP/IP-based attacks with acceptable defensive cost,demonstrating this security mechanism's effectiveness.In addition,after long-period penetration testing in three international elite security contests,the proposed method is effectively immune to all TCP/IP-based attacks from thousands of professional teams,thus verifying its strong security.

Li Qi,Xu Mingwei,Xu Ke

DOI: https://doi.org/10.1109/ICOIN.2008.4472762

2008-01-01

Abstract:IP Security (IPSec) is an important protection mechanism for securing the Internet communication. However, IPSec is a complex security protocol family, and the management issue is still a challenge for mass deployment. Many researchers have investigated the IPSec management issue with various approaches, the policy configuration and distribution issue remain to be efficiently resolved. A certificate-based scheme to manage IPSec endpoints is proposed in this paper. A Role-based Access Control (RBAC) model is introduced to simplify the process of policy configuration, and policy control mechanism is proposed to check whether new security association conforms to local security policies. The analysis of the scheme shows the flexibility and efficiency of our approach. Based on our proposed scheme, we implement a prototype system with the proof-of-concept and conduct experimental studies to demonstrate the feasibility and performance of our approach.

Yudong Zhao,Ke Xu,Rashid Mijumbi,Meng Shen

DOI: https://doi.org/10.1007/978-3-319-22047-5_15

2015-01-01

Abstract:In recent years, the world has been shocked by the increasing number of network attacks that take advantage of router vulnerabilities to perform data interceptions. Such attacks are generally based on low cost, unidirectional, concealed mechanisms, and are very difficult to recognize let alone restrain. This is especially so, because the most affected parties - the users and Internet Service Providers (ISPs) - have very little control, if any, on router vulnerabilities. In this paper, we design, implement and evaluate a policy-based security system aimed at stopping such attacks from both the routing and switching network functions, by detecting any violations in the set policies. We prove the system's security completeness to data interception attacks. Based on simulations, we show that 100% of normal packets can pass through the policy-based system, and about 99.92% of intercepting ones would be caught. In addition, the performance of the proposed system is acceptable with regard to current TCP/IP networks.

Zhongqiang Chen,Alex Delis,Peter Wei

DOI: https://doi.org/10.1093/comjnl/bxn043

2009-01-01

The Computer Journal

Abstract:Intrusion prevention systems (IPSs) not only attempt to detect attacks but also block malicious traffic and pro-actively tear down pertinent network connections. To effectively thwart attacks, IPSs have to operate both in real-time and inline fashion. This dual mode renders the design/implementation and more importantly the testing of IPSs a challenge. In this paper, we propose an IPS testing framework termed IPS Evaluator which consists of a trace-driven inline simulator-engine, mechanisms for generating and manipulating test cases, and a comprehensive series of test procedures. The engine features attacker and victim interfaces which bind to the external and internal ports of an IPS-under-testing (IUT). Our engine employs a bi-directional injection policy to ensure that replayed packets are subject to security inspection by the IUT before they are forwarded. Furthermore, the send-and-receive mechanism of our engine allows for the correlation of engine-replayed and IUT-forwarded packets as well as the verification of IUT actions on detected attacks. Using dynamic addressing and routing techniques, our framework rewrites both source and destination addresses for every replayed packet on-the-fly. In this way, replayed packets conform to the specific features of the IUT. We propose algorithms to partition attacker/victim-emanated packets so that they are subjected to security inspections by the IUT and in addition, we offer packet manipulation operations to shape replayed traces. We discuss procedures that help verify the IUT's detection and prevention accuracy, attack coverage and behavior under diverse traffic patterns. Finally, we evaluate the strengths of our framework by mainly examining the open-source IPS Snort-Inline. IPS deficiencies revealed during testing help establish the effectiveness of our approach.

Xi Chen

DOI: https://doi.org/10.54254/2755-2721/38/20230530

2024-02-07

Abstract:With the widespread application of computer network technology, computer network security defense capability has become a focus of attention in various industries. The extensive use of computer information systems in various sectors has significantly improved work efficiency but has also introduced security risks and management issues. The deployment of network security detection and control systems allows for effective security monitoring and management of computer operations and real-time network information. This paper presents a computer network security detection and control system based on human-computer interaction, which enables users to handle daily key business processes. The work principles and overall architecture of the network security detection and control system are analyzed and demonstrated. It offers functions such as filtering options, address rules, network security detection, network unreachability, overall traffic analysis, subnet definition, fault diagnosis, and security analysis. Testing and analysis indicate that the systems design achieves the intended goals. In the application of network security features, it can effectively combine various forces to enhance the quality and efficiency of network security, making it widely applicable in various industry units.

Ruey-Maw Chen,Kuo-Ta Hsieh

DOI: https://doi.org/10.1002/dac.1289

2011-06-01

International Journal of Communication Systems

Abstract:Dependence on the Internet is increasing dramatically. Therefore, many researchers have given great attention to the issue of how to tighten Internet security. This study proposes a new scheme for the distributed intrusion prevention system (DIPS), in which the concept of ‘union’ is presented for satisfying the increasing requirements of Internet security issues. In this proposed design, the network intrusion detection system (NIDS) applies a misuse detection technique to detect well‐known intrusion behavior on the Internet. Meanwhile, for anomaly detection technique, a tool named ‘Scent’ (a network traffic sniffer) is combined with conditional legitimate probability to reveal previously undiscovered intrusion packets that do not match the intrusion signatures in NIDS. Moreover, blocking distributed denial‐of‐service (DDoS) attacks inside the protected allied network is also covered. To increase the detection accuracy, reduction of false positives and false negatives is also accomplished. Experimental results reveal that the suggested network security system scheme is effective and efficient in resolving the intrusion activity problem of real network environments. Copyright © 2011 John Wiley &amp; Sons, Ltd. In this work, a new system scheme of the allied distributed intrusion prevention system was implemented to meet the increasing Internet security issues. A network intrusion detection system (NIDS) applies misuse detection technique to detect well‐known intrusion behaviors on the Internet. Meanwhile, for anomaly detection technique, a designed tool named ‘Scent’ (a network traffic sniffer) is combined with conditional legitimate probability to find out new intrusion packets that do not match the intrusion signatures in NIDS. Moreover, blocking distributed denial‐of‐service attacks inside the protected allied network is also designed. To increase the detection accuracy, reducing false positive and false negative are also accomplished.

telecommunications,engineering, electrical & electronic

Dong-young Lee,H. Seo,Tae-Kyung Kim

Abstract:Enterprise security management system proposed to properly manage heterogeneous security products is the security management infrastructure designed to avoid needless duplications of management tasks and inter-operate those security products effectively. In this paper, we defined the security policies using Z-Notation and the detection algorithm of policy conflict for managing heterogeneous firewall systems. It is designed to help security management build invulnerable security policies that can unify various existing management infrastructures of security policies. Its goal is not only to improve security strength and increase the management efficiency and convenience but also to make it possible to include different security management infrastructures while building security policies. With the process of the detection and resolution for policy conflict, it is possible to integrate heterogeneous security policies and guarantee the integrity of them by avoiding conflicts or duplications among security policies. And further, it provides convenience to manage many security products existing in large networks.

Computer Science,Business

Pradeep Sharma Oruganti,Parinaz Naghizadeh,Qadeer Ahmed

DOI: https://doi.org/10.48550/arXiv.2302.05411

2023-02-11

Abstract:We study the problem of defending a Cyber-Physical System (CPS) consisting of interdependent components with heterogeneous sensitivity to investments. In addition to the optimal allocation of limited security resources, we analyze the impact of an orthogonal set of defense strategies in the form of network design interventions in the CPS to protect it against the attacker. We first propose an algorithm to simplify the CPS attack graph to an equivalent form which reduces the computational requirements for characterizing the defender's optimal security investments. We then evaluate four types of design interventions in the network in the form of adding nodes in the attack graph, interpreted as introducing additional safeguards, introducing structural redundancies, introducing functional redundancies, and introducing new functionalities. We identify scenarios in which interventions that strengthen internal components of the CPS may be more beneficial than traditional approaches such as perimeter defense. We showcase our proposed approach in two practical use cases: a remote attack on an industrial CPS and a remote attack on an automotive system. We highlight how our results closely match recommendations made by security organizations and discuss the implications of our findings for CPS design.

Systems and Control

Kashif Ishaq,Hafiz Ahsan Javed

2023-08-26

Abstract:The security trade confidentiality, integrity and availability are the main pillar of the information systems as every organization emphasize of the security. From last few decades, digital data is the main asset for every digital or non-digital organization. The proliferation of easily accessible attack software on the internet has lowered the barrier for individuals without hacking skills to engage in malicious activities. An Industrial organization operates a server that (Confluence) serves as a learning platform for newly hired employees or Management training officers, thereby making it vulnerable to potential attacks using readily available internet-based software. To mitigate this risk, it is essential to implement a security system capable of detecting and preventing attacks, as well as conducting investigations. This research project aims to develop a comprehensive security system that can detect attack attempts, initiate preventive measures, and carry out investigations by analyzing attack logs. The study adopted a survey methodology and spanned a period of four months, from March 1, 2023, to June 31, 2023. The outcome of this research is a robust security system that effectively identifies attack attempts, blocks the attacker's IP address, and employs network forensic techniques for investigation purposes. The findings indicate that deploying Snort in IPS mode on PfSense enables the detection of attacks targeting e-learning servers, triggering automatic preventive measures such as IP address blocking. The alerts generated by Snort facilitate investigative actions through network forensics, allowing for accurate reporting on the detrimental effects of the attacks.

Cryptography and Security

Chun-Yen Lee,Chia-Hung Lin,Zhan-Lun Chang,Chih-Yu Wang,Hung-Yu Wei

DOI: https://doi.org/10.1109/tsc.2024.3441313

IF: 11.019

2024-10-11

IEEE Transactions on Services Computing

Abstract:Distributed Denial-of-Service (DDoS) attack is critical to latency-critical systems such as Multi-Access Edge Computing (MEC) as it significantly increases the response delay of the victim service. An intrusion prevention system (IPS) is a promising solution to defend against such attacks. Still, there will be a trade-off between IPS deployment and application resource reservation as IPS deployment will reduce the computational resources for MEC applications. In this work, we propose a game-theoretic framework to study the joint computational resource allocation and IPS deployment in the MEC architecture. Given the expected attack strength and end-user demands, we study the pricing strategy of the MEC platform operator (MPO) and purchase strategy of the application service providers (ASPs). The best responses of both MPO and ASPs are derived theoretically. Based on the best responses, we propose an efficient algorithm to derive the Stackelberg equilibrium. The properties and optimality in the efficiency of the equilibrium are analyzed through simulations. The results confirm that the proposed solutions significantly increase the social welfare of the system.

computer science, information systems, software engineering

Pei Ren,Fengyin Li,Ying Wang,Huiyu Zhou,Peiyu Liu

DOI: https://doi.org/10.1002/int.22793

IF: 8.993

2021-12-28

International Journal of Intelligent Systems

Abstract:Intelligent systems are technologically advanced machines that can sense and respond to the surrounding environment. They have been widely used in medicine, military, transportation, automation, and other fields. However, when these systems deal with their environments, problems such as leakage of identities may occur. The adversary can damage the system communication and attack important nodes. To handle resource‐constrained wireless sensor network environments, we propose a secure and anonymous data aggregation scheme. First, based on the bilinear mapping operation and onion routing concepts, we propose a key negotiation and secure information transmission scheme, which conducts confidential transmission and anonymous forwarding of messages in data aggregation. Second, an aggregation routing scheme based on link direction and residual energy is proposed to pledge messages that can arrive the base station without passing through many nodes, which saves network resources to a certain extent. Third, on the basis of the first two contributions, we propose an identity‐privacy‐aware secure and anonymous data aggregation scheme that protects the identity&#x27;s privacy. This scheme can conceal the real identity of important nodes and protect the anonymity of messages and link relationships. In addition, an anonymous identity update and synchronization scheme is also proposed to ensure the reliability and security of communication. Meanwhile, our performance evaluations and simulations show that the proposed framework is more effective than several standard schemes with respect to the ability against various attacks, security, and overhead.

computer science, artificial intelligence

Yijia Cao

2008-01-01

Abstract:According to the development trend and present condition of security protection of power enterprise information integration,a security protection architecture of power enterprise information integration based on the technology of distributed intrusion tolerance with multi-level defense line is proposed.The intrusion tolerance strategies of the proposed architecture consist of following items:(A) the firewall is used as the fundamental protective measures;(B) at key nodes in non-realtime application network,the mobile agents are configured to implement on-line detection and tracking of internal and external intrusions;(C) after the intruder is successfully confirmed by intrusion detection system,according to the requirement of system security the honeypot technology based intrusion inducting system directionally inducts the locked invading flow,and the active defensive mode protects the legitimate system from invasion;(D) by means of slicing-scattering based distributed document management style,the resilient file system serves as the last defense line of enterprise memory system.Moreover,the key security protection problems pertinent to transverse and longitudinal information integration as well as the application of the technologies,such as mobile agents,honeypot,resilient file system and so on,in security protection system are analyzed.Finally,the application of the proposed secure protection architecture is briefly presented.