黄益民,平玲娣,潘雪增

DOI: https://doi.org/10.3785/j.issn.1008-973x.2001.06.005

2001-01-01

Abstract:After study of existing security models; analysis of information flow model, Bell-LaPadula(BLP) access control model and Biba access control model; and collation and comparison of their advantages and disadvantages, an improved model is put forward that satisfies the actual demands of information security. An implementation strategy is put forward that ensures information security, reliability, practicality and compatibility in the designed security system. An implementation scheme of this security system and its components and functions is provided. This system combines the following functions: mandatory access contro1, privilege separation, security audit, identity authentication and self-protection. It achieves the level 3 of national information security standard and level B1 of TCSEC standard. It was implemented in the Windows NT and Linux operating system and has yielded good resultsin application.

MAO Weifeng,PING Lingdi,JIANG Li,CHEN Xiaoping

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.12.068

2006-01-01

Abstract:SECOS is a secure operating system with independent intellectual property right,which accords with the requirements of level 4 secure operation system technology.This paper illustrates some key issues of the system,including design method for enchancement of security,improved model from the Bell-La Padula MAC(mandatory access control) implementation,the realization of the model,formal method during the system development,conversiion channel analysis and its prevention,and secure deletion.The performance evaluation shows the design and implementation of SECOS is effective.

Haiwei Xue,Xiong Liu,Dai, Yiqi

DOI: https://doi.org/10.1109/anthology.2013.6784892

2013-01-01

Abstract:Information privacy protection is an essential problem in internal networks. The Bell-LaPadula Model (abbreviated BLP) is a state machine model used for enforcing access control, while it can't be used for networks. L-BLP model is designed for Local Area Networks(LAN) while it can't be proved security. We reveal the security problems in L-BLP and propose a security model based on BLP. We define five new state transition rules, which are designed for LAN with high usability. Our model can be proved to be secure in mathematics, and we implement a prototype system based from it. The experimental results show that our model can effectively prevent leakages of secrets.

LIU Sheng-li,WANG Wen-bing,FEI Jin-long,ZHu Yue-fei

DOI: https://doi.org/10.3969/j.issn.1671-0673.2010.01.019

2010-01-01

Abstract:This paper designs and realizes a data security system for LAN based on Trusted Network Connection(TNC) Specifications.According to TNC mechanism,the new system enforces the network access control method and employs the file system filter driver to monitor and protect sensitive data.In terms of these means,the system can prevent sensitive data from being divulged or stolen and to implement all the files are controlled into the trusted network environment.

Xue Haiwei,Zhang Yunliang,Guo Zhien,Dai Yiqi

IF: 1.019

2014-01-01

Chinese Journal of Electronics

Abstract:Towards data leak caused by misoperation and malicious inside users, we proposed a multilevel security model based on Bell-lapadula（BLP） model. In our model each subject was assigned with a security level. Subjects can read objects only when their security levels are not less than objects’ security levels, and subjects can write objects only when their security levels are not more than objects’ security levels. The current security level in our model can be dynamically changed when users read sensitive data, since users can access data with different security levels in private cloud. Our model use mandatory access control method to control user’s operation and can guarantee that users can not leak sensitive data after they read them. Our model can be proved secure by mathematical method, and we implemented a prototype system of our model and the experimental results show that it is secure.

Jia CHEN,Lei CHENG,Tiange SI,Yiqi DAI

DOI: https://doi.org/10.3321/j.issn:1000-0054.2007.04.040

2007-01-01

Abstract:To solve the problem of Intranet information leakage, this paper proposed a new Intranet security strategy. There are two characteristics in this strategy. In the first place, information is classified by hierarchical means. In the second place, a component called monitor is introduced. With exerting access control over the communication among the entities in the network, the monitor can dynamically isolate the physical connections among host computers involved in security. This new strategy not only ensures information security, but also improves resource utility efficiently. In addition, according to this strategy, a monitor system is also designed based on the Intel IXP2400 chip. Experimental results show that, by virtue of the powerful processing ability of IXP2400, the monitor system could efficiently process high-speed data stream in Gb/s-net.

Ling Sun,Dali Gao

DOI: https://doi.org/10.1155/2022/3141568

IF: 1.43

2022-03-25

Mathematical Problems in Engineering

Abstract:In recent years, there has been an upward trend in the number of leaked secrets. Among them, secret-related computers or networks are connected to the Internet in violation of regulations, cross-use of mobile storage media, and poor security management of secret-related intranets, which are the main reasons for leaks. Therefore, it is of great significance to study the physical isolation and protection technology of classified information systems. Physical isolation is an important part of the protection of classified information systems, which cuts off the possibility of unauthorized outflow of information from the network environment. To achieve the physical isolation of the network environment and build a safe and reliable network, it is necessary to continuously improve the level of network construction and strengthen network management capabilities. At present, the realization of physical isolation technology mainly relies on security products such as firewall, intrusion detection, illegal outreach, host monitoring, and auditing. This study analyzes network security systems such as intrusion detection, network scanning, and firewall. Establishing a model based on network security vulnerabilities and making up for network security hidden dangers caused by holes are generally a passive security system. In a network, the leader of network behavior—human behavior—needs to be constrained according to the requirements of the security management system and monitoring. Accordingly, this study proposes a security monitoring system for computer information network involving classified computer. The system can analyze, monitor, manage, and process the network behavior of the terminal computer host in the local area network, to achieve the purpose of reducing security risks in the network system. Based on the evaluation value sequence, the initial prediction value sequence is obtained by sliding adaptive triple exponential smoothing method. The time-varying weighted Markov chain is used for error prediction, the initial prediction value is corrected, and the accuracy of security situation prediction is improved. According to the security protection requirements of secret-related information systems, a complete, safe, reliable, and controllable security protection system for secret-related information systems is constructed, and the existing security risks and loopholes in secret-related information systems are eliminated to the greatest extent possible. This enables the confidentiality, integrity, and availability of confidential data and information in the computer information system to be reliably protected.

engineering, multidisciplinary,mathematics, interdisciplinary applications

Yue Zhuo,Zhiqiang Ge

DOI: https://doi.org/10.1109/tii.2021.3103765

IF: 12.3

2021-01-01

IEEE Transactions on Industrial Informatics

Abstract:Recently, data-driven industrial monitoring systems have been rapidly developed and significantly improved the performance on industrial monitoring tasks. However, the widely deployed data-driven models expose industrial data to more unsecured links, which significantly increase the safety risk of safe-critical industrial systems. The research about adversarial attacks has shown that the potential attackers can utilize tiny crafted perturbations on the input data to mislead the machine learning models’ output. In this article, a novel cross-domain data protection scheme named “Data Guardian” is proposed to authenticate and correct industrial data under potential attacks on data-driven monitoring systems. “Data Guardian” embeds designed redundancy information into the data least significant bits, based on $q$ -ary low-density parity-check (LDPC) codes over the Galois field (finite field). The data are encoded at the secured industrial sites and then decoded before being input into the monitoring systems, in which the security risk is usually higher. The decoding capability of $q$ -ary LDPC codes is improved by the data statistical characteristics, with a new proposed prior estimation method. In the experiments, “Data Guardian” is tested under the attacks to the fault diagnosis models on the Tennessee Eastman process and rolling element bearing from Case Western Reserve University. The results show that “Data Guardian” can efficiently reduce the success rate of adversarial attacks, especially when the attack variable ratio is small.

Yuxia Cheng,Qing Wu,Wenzhi Chen,Bei Wang

DOI: https://doi.org/10.1016/j.jpdc.2018.07.014

IF: 4.542

2018-01-01

Journal of Parallel and Distributed Computing

Abstract:Transmissible cyber threats have become one of the most serious security issues in cyberspace. Many techniques have been proposed to model, simulate and identify threats’ sources and their propagation in large-scale distributed networks. Most techniques are based on the analysis of real networks dataset that contains sensitive information. Traditional in-memory analysis of these dataset often causes data leakage due to system vulnerabilities. If the dataset itself is compromised by adversaries, this threat cost would be even higher than the threat being analysed. In this paper, we propose a new distributed shielded execution framework (Disef) for cyber threats analysis. The Disef framework enables efficient distributed analysis of network dataset while achieves security guarantees of data confidentiality and integrity. In-memory dataset is protected by using a new encrypted key–value format and could be efficiently transferred into Intel SGX enabled enclaves for shielded execution. Our experimental results showed that the proposed framework supports secure in-memory analysis of large network dataset and has comparable performance with systems that have no confidentiality and integrity guarantees.

SI Tian-ge,ZHANG Yao-xue,DAI Yi-qi

DOI: https://doi.org/10.3321/j.issn:0372-2112.2007.05.039

2009-01-01

Abstract:Information confidentiality in a local area network (LAN) is enforced by an EL-BLP model that removes the securitv and practicability defects of the L-BLP model.The EL-BLP model adds restrictions to objects, modifies and extends the action set of subjects, and defines new state-transition criteria.These three methods extend the types of applicable terminals and improve the descriptions various actions in the LAN.The state-transition criterion in EL-BLP is shown to be safe and tests show that this model is suitable for LAN environments with various terminals, with all the devices in the LAN unchanged to greatly improve information confidentiality in LAN.

WANG Zhu,DAI Yi-qi

2012-01-01

Abstract:With the development of computer network,there come a lot of security threats.LAN is a basic unit of network functionality,and its security is very important and significant.A Multi-level Security Local Area Network System(MSLANS) based on BLP model is proposed,which with transparent computing system as the platform,conforms with the requirements of security infrastructure.By introducing the security policy server and dynamic monitoring switch into the system,and embedding modules into terminal computers to monitor the user's operations and login procedures,the secure LAN system could thus accomplish the centralized control and protection of the operations within the terminal computers.

Luo Hui,Guan Haibing,Bai Yingcai

DOI: https://doi.org/10.3969/j.issn.1000-386X.2007.08.062

2007-01-01

Abstract:Secure network file system can secure the stored data and provide confidence and integrity in opening environment.It should consider such factors as security,performance and convenience when designing a secure file system.The design and implementation of a secure network file system:SecNFS,including its design idea,system architecture,key management,security analysis,share schema and implementation techniques is described.

Xiong Liu,Haiwei Xue,Xiaoping Feng,Yiqi Dai

DOI: https://doi.org/10.1109/iccsn.2011.6013582

2011-01-01

Abstract:The administrator shall implement multilevel security policy in a multilevel security network system. The policy must ensure the information flow from low level host to the same level host or high level host, and prevent the information flow from high level host to low level host, but traditional network is difficult to meet the requirement. This paper proposes a design of multi-level security network switch system. The design adds a module named Filter based on OpenFlow. OpenFlow can control the packets flow of the network, and the Filter can check the packet's content and delay the packets then restrict covert channel. Using OpenFlow and the Filter, the system can implement the multilevel security policy in the scenario of local area network. The experiment verified the feasibility of the design.

Wei Huang

DOI: https://doi.org/10.1088/1742-6596/1881/2/022049

2021-04-01

Journal of Physics: Conference Series

Abstract:Abstract The era of big data promotes the development of computer network, which plays a very important role. Big data can improve people’s life and work enthusiasm with high quality, and further sublimate the standard of the masses. Because of the openness of computer network, it always leads to unnecessary security problems. Therefore, in order to apply the computer network on a large scale and avoid the information leakage caused by the network, this paper proposes the research on the design of computer network security defense system based on the background of big data. First of all, the importance of computer network security is discussed; secondly, the types of network security attacks are discussed, and the computer network security defense system is built by using multi angle and active security defense strategy to maintain the safe operation of the network; then, the risk algorithm is analyzed, and the risk of the whole computer network can be estimated by setting the weight according to the importance of the obtained resources So as to formulate reasonable safety measures. Finally, through the system test, the system has good analysis ability and defense ability, and has outstanding effect in computer network defense.

Haiwei Xue,Yiqi Dai

DOI: https://doi.org/10.1504/ijcc.2012.049768

2012-01-01

International Journal of Cloud Computing

Abstract:Transparent computing system provides services, including OS, applications, data, etc., for end users, in which users can request the computing and storages resources according to their requirement. It is important to protect the data in transparent computing system, especially to enhance the privacy protection. In some cases, security threats are not only from malicious users or viruses but also include inside leaks, which cannot be prevented by current security systems. We proposed system-based privacy protection model for transparent computing systems in this paper. Our model is based from mandatory access control and we use formal methods to analysis the privacy protection problem. Our model is a state machine model, which have five state transition rules and all these rules can be proved to be safe by formally description method. So if we use these rules in transparent computing system, and make sure that the initial state is secure, the transparent computing system is always keep state secure.

Mir Hassan,Chen Jincai,Adnan Iftekhar,Adnan Shehzad,Xiaohui Cui

DOI: https://doi.org/10.48550/arXiv.2012.14111

2020-12-28

Cryptography and Security

Abstract:Data Loss/Leakage Prevention (DLP) continues to be the main issue for many large organizations. There are multiple numbers of emerging security attach scenarios and a limitless number of overcoming solutions. Today's enterprises' major concern is to protect confidential information because a leakage that compromises confidential data means that sensitive information is in competitors' hands. Different data types need to be protected. However, our research is focused only on data in motion (DIM) i-e data transferred through the network. The research and scenarios in this paper demonstrate a recent survey on information and data leakage incidents, which reveals its importance and also proposed a model solution that will offer the combination of previous methodologies with a new way of pattern matching by advanced content checker based on the use of machine learning to protect data within an organization and then take actions accordingly. This paper also proposed a DLP deployment design on the gateway level that shows how data is moving through intermediate channels before reaching the final destination using the squid proxy server and ICAP server.

Ruey-Maw Chen,Kuo-Ta Hsieh

DOI: https://doi.org/10.1002/dac.1289

2011-06-01

International Journal of Communication Systems

Abstract:Dependence on the Internet is increasing dramatically. Therefore, many researchers have given great attention to the issue of how to tighten Internet security. This study proposes a new scheme for the distributed intrusion prevention system (DIPS), in which the concept of ‘union’ is presented for satisfying the increasing requirements of Internet security issues. In this proposed design, the network intrusion detection system (NIDS) applies a misuse detection technique to detect well‐known intrusion behavior on the Internet. Meanwhile, for anomaly detection technique, a tool named ‘Scent’ (a network traffic sniffer) is combined with conditional legitimate probability to reveal previously undiscovered intrusion packets that do not match the intrusion signatures in NIDS. Moreover, blocking distributed denial‐of‐service (DDoS) attacks inside the protected allied network is also covered. To increase the detection accuracy, reduction of false positives and false negatives is also accomplished. Experimental results reveal that the suggested network security system scheme is effective and efficient in resolving the intrusion activity problem of real network environments. Copyright © 2011 John Wiley & Sons, Ltd. In this work, a new system scheme of the allied distributed intrusion prevention system was implemented to meet the increasing Internet security issues. A network intrusion detection system (NIDS) applies misuse detection technique to detect well‐known intrusion behaviors on the Internet. Meanwhile, for anomaly detection technique, a designed tool named ‘Scent’ (a network traffic sniffer) is combined with conditional legitimate probability to find out new intrusion packets that do not match the intrusion signatures in NIDS. Moreover, blocking distributed denial‐of‐service attacks inside the protected allied network is also designed. To increase the detection accuracy, reducing false positive and false negative are also accomplished.

telecommunications,engineering, electrical & electronic

Xiaosong Zhang,Fei Liu,Ting Chen,Hua Li

DOI: https://doi.org/10.1109/cis.2009.107

2009-01-01

Abstract:Traditional data leakage prevention strategies encompass access control, audit logon and authority management. They have some effects on preventing sensitive information from leakage, while the system’ s availability may be degraded seriously by their limitation. To solve this problem, a novel model based on Windows file system filter driver is proposed in this paper, in which system encrypts files automatically according to encryption strategies. Leaking confidential information out of enterprise environment, intentionally or unintentionally, will be prevented effectively. Moreover, it has the characteristic of mandatory and transparent encryption, which can compromise the contradiction between data security and user flexibility.

Dapeng Zhou,Yong Zhu

DOI: https://doi.org/10.1007/978-3-030-43306-2_7

2020-01-01

Abstract:With the continuous development of the economy and society, and the continuous improvement of Internet technology, the computer field has paid more and more attention to the use of network security technology. In fact, although network security technology has become more mature in the protection work, virus attacks have gradually matured, making network security technology more difficult in virus handling. The research purpose of this paper is to study the computer network security based on the layered evaluation protection system. This paper analyzes the characteristics of the computer network security layered protection system, studies the main technologies applied in the network security layered protection system, and combines network security The actual characteristics of protection, the design scheme of hierarchical protection evaluation system for computer network security was proposed, the hierarchical evaluation was used to establish the protection system, the computer network security was researched, and the protection system in this paper was verified through system testing. The experimental results in this paper show that the protection system based on layered evaluation in this paper has high security performance, the safety is as high as 97%. In addition, the response time in this layered protection system based on layered evaluation is short and the efficiency is higher.

Chuliang Weng,Yuan Luo,Minglu Li,Xinda Lu

DOI: https://doi.org/10.1109/ICYCS.2008.503

2008-01-01

Abstract:The virtual machine system such as Xen provides a security isolation between virtual machines (VM) running on the virtual machine monitor (VMM). With the wide application of the virtualization technology, VMM is expected to not only provide the simple isolation but also provide limited sharing between VMs in a secure manner. In this paper, we present an access control mechanism for the virtual machine system, which is based on the BLP model. We prove that the virtual machine system with the access control mechanism and an initial secure state is a secure system. In addition, we implement a prototype of the access control mechanism for the virtual machine system based on Xen.