Weili Han,Zheran Fang,Weifeng Chen,Wenyuan Xu,Chang Lei

DOI: https://doi.org/10.1145/2046707.2093491

2011-01-01

Abstract:Policy driven management is widely used to manage networked resources and protect sensitive resources. Existing policy-driven management strategies rely heavily on policy administrators to specify and validate policies, which not only require in depth understanding of policy languages and domain knowledge, but also are error-prone.To simplify the tasks of policy administration, this paper proposes a novel policy administration framework, named collaborative policy administration (CPA). Essentially, the idea is that applications with similar functionalities shall have similar policies. Thus, to specify or validate policies, CPA will examine policies already specified by other applications in the same category and perform collaborative recommendation. In this paper, we consider the Android systems as a case study and show that CPA can strengthen Android security.

Danyang Li,Xiaohe Hu,Linli Wan,Zhi Liu,Jun Li

DOI: https://doi.org/10.1109/icc.2017.7996842

2017-01-01

Abstract:With the fast industrial deployment of software-defined networking (SDN) and network function virtualization (NFV) technologies, network function policy enforcement in large scale virtualized networks becomes a key challenge for network management. Distributed policy enforcement heavily involves network policy space analysis, where set operations consume most of the computation. Based on spatial projection and bitmap indexing, a novel algorithm AHI (Atomic Hyper-Rectangle Indexing) is proposed for fast policy space set operations. Experiments with real datasets demonstrated that AHI improves set operation speed by two to three orders of magnitude and achieves the same least space cost, comparing to existing state-of-the-art algorithms r-BDD, wildcard expression, and PSA.

Jiaqiang Liu,Yong Li,Huandong Wang,Depeng Jin,Li Su,Lieguang Zeng,Thanos Vasilakos

DOI: https://doi.org/10.1016/j.ins.2015.08.019

IF: 8.1

2015-01-01

Information Sciences

Abstract:Network operators employ a variety of security policies for protecting the data and services. However, deploying these policies in traditional network is complicated and security vulnerable due to the distributed network control and lack of standard control protocol. Software-defined network provides an ideal paradigm to address these challenges by separating control plane and data plane, and exploiting the logically centralized control. In this paper, we focus on taking the advantage of software-defined networking for security policies enforcement. We propose a two layer OpenFlow switch topology designed to implement security policies, which considers the limitation of flow table size in a single switch, the complexity of configuring security policies to these switches, and load balance among these switches. Furthermore, we introduce a safe way to update the configuration of these switches one by one for better load balance when traffic distribution changes. Specifically, we model the update process as a path in a graph, in which each node represents a security policy satisfied configuration, and each edge represents a single step of safely update. Based on this model, we design a heuristic algorithm to find an optimal update path in real time. Simulations of the update scheme show that our proposed algorithm is effective and robust under an extensive range of conditions.

Kai Bu,Minyu Weng,Junze Bao,Zhenchao Lin,Zhikui Xu

DOI: https://doi.org/10.1109/icdcsw.2016.16

2016-01-01

Abstract:This paper explores a RIGHT framework for reliable policy enforcement in Software-Defined Networking (SDN). Current SDN uses overlapping rules with common matching packets. Even if a packet's expectant rule is inactive, it might hit another rule and experience incorrect yet unnoticed processing. This leads to inconsistency between control plane and data plane, that is, unreliable policy enforcement. RIGHT advocates three adaptations to respectively mitigate, detect, and correct packet processing errors. It is challenging for RIGHT to maintain both accuracy and efficiency. We explore lightweight modifications to current SDN policy enforcement toward better reliability. For example, we decouple rules and priorities through tagging to mitigate matching ambiguity. We also use exact-match rules to efficiently, correctly process packets in the same micro-flow. RIGHT can remedy mis-forwarded packets as well. We expect that a comprehensive design and deployment of RIGHT helps ensure correct per-packet processing in real time for SDN.

Ruiqi Wang,Qianqian Yang,Shibo He,Jiming Chen

DOI: https://doi.org/10.1109/glocom.2014.7036796

2014-01-01

Abstract:Barrier coverage in sensor networks has attracted much attention in recent years. Existing results revealed that sensor mobility can remarkably improve the coverage performance of sensor networks. Considering the high manufacture cost of mobile sensors, in this paper we propose to tradeoff the barrier coverage performance and deployment budget by employing a wireless sensor and actor network (WSAN), wherein an actor is used to move static sensors around in order to enhance the barrier coverage performance. We first formulate the barrier coverage problem in WSAN and propose a new coverage metric to evaluate the barrier coverage performance. Then we design an efficient actor movement scheme, S-AMS, for the case where the number of monitoring points can be divided by the number of available sensors. By exploiting the actor's mobility and clustering procedure, S-AMS is able to significantly improve barrier coverage. Based on the insight from S-AMS, we design G-AMS for the general case. We show that S-AMS achieves asymptotically optimal solution for the special case and G-AMS obtains close-to-optimal solution for the general case. Extensive simulations are conducted to demonstrate the performance of our proposed schemes.

Xuejiao Liu,Yingjie Xia,Wenzhi Chen,Yang Xiang,Mohammad Mehedi Hassan,Abdulhameed Alelaiwi

DOI: https://doi.org/10.1016/j.jcss.2016.05.006

IF: 1.043

2016-01-01

Journal of Computer and System Sciences

Abstract:Vehicular ad hoc network (VANET) is an increasing important paradigm, which not only provides safety enhancement but also improves roadway system efficiency. However, the security issues of data confidentiality, and access control over transmitted messages in VANET have remained to be solved. In this paper, we propose a secure and efficient message dissemination scheme (SEMD) with policy enforcement in VANET, and construct an outsourcing decryption of ciphertext-policy attribute-based encryption (CP-ABE) to provide differentiated access control services, which makes the vehicles delegate most of the decryption computation to nearest roadside unit (RSU). Performance evaluation demonstrates its efficiency in terms of computational complexity, space complexity, and decryption time. Security proof shows that it is secure against replayable choosen-ciphertext attacks (RCCA) in the standard model.

Shibo He,Jiming Chen,Xu Li,Xuemin (Sherman) Shen,Youxian Sun

DOI: https://doi.org/10.1109/tmc.2013.129

IF: 6.075

2014-01-01

IEEE Transactions on Mobile Computing

Abstract:The barrier coverage problem in emerging mobile sensor networks has been an interesting research issue due to many related real-life applications. Existing solutions are mainly concerned with deciding one-time movement for individual sensors to construct as many barriers as possible, which may not be suitable when there are no sufficient sensors to form a single barrier. In this paper, we aim to achieve barrier coverage in the sensor scarcity scenario by dynamic sensor patrolling. Specifically, we design a periodic monitoring scheduling (PMS) algorithm in which each point along the barrier line is monitored periodically by mobile sensors. Based on the insight from PMS, we then propose a coordinated sensor patrolling (CSP) algorithm to further improve the barrier coverage, where each sensor's current movement strategy is derived from the information of intruder arrivals in the past. By jointly exploiting sensor mobility and intruder arrival information, CSP is able to significantly enhance barrier coverage. We prove that the total distance that sensors move during each time slot in CSP is the minimum. Considering the decentralized nature of mobile sensor networks, we further introduce two distributed versions of CSP: S-DCSP and G-DCSP. We study the scenario where sensors are moving on two barriers and propose two heuristic algorithms to guide the movement of sensors. Finally, we generalize our results to work for different intruder arrival models. Through extensive simulations, we demonstrate that the proposed algorithms have desired barrier coverage performances.

Jiayuan Du,Guowei Zhang,Xiaowei Yuan,Xiaodong Zang

DOI: https://doi.org/10.1109/access.2024.3377102

IF: 3.9

2024-03-27

IEEE Access

Abstract:In recent years, edge computing networks have been widely adopted to achieve low latency, save bandwidth, and improve flexibility. However, most of the current Edge Nodes (ENs) are in semi-trusted or untrusted environments, where interactions among users are unsafe. Therefore, providing cost-effective protection strategies for ENs under resource limitations remains a great challenge. To cope with this, we propose an edge computing model with "End-Edge-Cloud" collaborative services, and a Privacy Preservation Strategy with Pseudo-Addresses (P2SPA) is constructed to maximize the cost-effectiveness while protecting the location privacy of the ENs. We quantify the privacy protection preference of user information using the Analytic Hierarchy Process (AHP) to select the optimal EN. Considering the dynamic change in the attack frequency, a pseudo-address selection and updating strategy is constructed based on the Stackelberg game theory; thus, the optimal pseudo-address update frequency is achieved. Numerical estimations are performed to verify the effectiveness of the proposed P2SPA strategy. Compared with the existing methods, P2SPA achieves a compromise service strategy with satisfactory performance on both the defense effect and defense cost.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yawei Zhang,Xiaojun Ye

DOI: https://doi.org/10.1109/ISPA.2008.28

2008-01-01

Abstract:Inspired by rule-based access control models, this paper proposes a universal policy model and an access protection framework to secure dataspace. The key components and processes for this framework, policy organization, policy indexing and two resource searching strategies with access decision-making, are illustrated and experimented to harmonize the contradiction between security and efficiency.

Alex Baird,Abhinandan Panda,Hammond Pearce,Srinivas Pinisetty,Partha Roop

DOI: https://doi.org/10.1109/access.2024.3357714

IF: 3.9

2024-02-03

IEEE Access

Abstract:The security of Cyber-Physical Systems (CPSs) is increasingly important as more and more of these systems are added to the Internet of Things (IoT). As we increase the complexity and connectivity of our smart systems, we likewise broaden their digital attack surface. Recorded attacks on CPSs have caused significant physical impacts making methods for mitigation of attacks of paramount importance. The use of runtime enforcement (RE) can prevent violation of security policies. Here, runtime enforcers intervene before the CPS is compromised. Two key challenges are presented: (1) for complex systems, methods for automatically composing multiple policies are lacking; and (2) runtime enforcers are themselves executed digitally—meaning they too could have potential security vulnerabilities. We present the first comprehensive runtime enforcement framework which addresses both challenges. It can compose a lot of security policies in parallel and synthesize these policies into the more trustworthy hardware layers of a system. This removes reliance on potentially vulnerable firmware and software layers. We demonstrate our approach with policies to mitigate a set of attacks on a Fused Filament Fabrication (FFF) 3D printer. The experimental results show linear growth in logic element and register usage as the number of policies increase. This compares favourably to the exponential state space explosion that occurs with the conventional approach of monolithic composition. Additionally, we find higher enforcer clock frequencies are possible with the proposed parallel approach compared to existing serial approaches.

computer science, information systems,telecommunications,engineering, electrical & electronic

Hao Zeng,Dianfu Ma,Yongwang Zhao,Zhuqing Li

DOI: https://doi.org/10.1007/s11761-013-0143-5

2013-01-01

Abstract:Due to the dynamic, heterogeneous and interorganizational nature, different web services and different ports or operations in the same service, even the same services at different times may have their different security requirements because of their different security domains and different business backgrounds. How to design a flexible, fine-grained and comprehensive architecture for web services security processing has become a matter of great urgency. However, no ideal solutions have been worked out for these problems. As a result of our study, we have presented in this paper a policy-based architecture termed policy-based architecture for web services security processing (PBA4WSSP) to meet the dynamic, complete and fine-grained security requirements. In PBA4WSSP, the processing of all security problems is based on security policy in service stage to support flexibly security configuration. Moreover, we have designed a service policy model to describe the fine-grained security requirements. And the conversion method between security policy model and security policy expression has also been described. In addition, a staged complete security processing architecture is provided to reduce the dependency among protocol implementations. Furthermore, with PBA4WSSP, a web service security module has been designed and implemented as well. Eventually, the performance evaluation results amply demonstrate that our system is flexible and usable.

Yingjie Xia,Xuejiao Liu,Jing Ou,Wei Chen

DOI: https://doi.org/10.1109/tvt.2021.3121335

IF: 6.8

2021-12-01

IEEE Transactions on Vehicular Technology

Abstract:In vehicular ad hoc networks (VANETs), enforcing expressive and suitable access policy is of great importance to achieve desirable and accurate data dissemination services. Recently, secure data dissemination schemes based on attribute-based encryption in VANETs have received considerable attention for their ability of fine-grained access control. Therefore, how to enforce accurate access policy in dynamic VANETs becomes significant yet very challenging. In order to achieve timely, flexible, and accurate data dissemination, we propose a policy enforcement framework for secure data dissemination, which enables data-sender vehicles with high mobility and RSUs with broad perception ability to co-design access control policy. Also, we design a policy combination method, which enforces an expressive access control policy based on the disjunctive norm form (DNF) formed by different attributes. Then we propose a policy conflict resolution based on confidence weights to deal with conflict policies. Finally, the experimental results demonstrate that our proposed scheme is applicable and efficient for secure data dissemination in VANETs.

telecommunications,engineering, electrical & electronic,transportation science & technology

Zhang Yuan,Sun Meng

DOI: https://doi.org/10.1109/ICSESS.2011.5982244

2011-01-01

Abstract:We use a scenario-based visual notation, called Policy Sequence Chart (PSC), for specifying security policies in service coordination. A security policy defines a set of security requirements that correspond to permissions, prohibitions and obligations to some executions when some contextual conditions are satisfied. In this paper, we propose an approach of defining operational semantics of PSCs in terms of constraint automata, which can be used as the semantic foundation for checking compliance between service coordination and the security policies.An

Yunfei Meng,Changbo Ke,Zhiqiu Huang

DOI: https://doi.org/10.1016/j.cose.2024.103850

IF: 5.105

2024-04-19

Computers & Security

Abstract:Software-defined networking (SDN) has been utilized to enforce the security of traditional networks. However, the existing SDN-based security enforcement mechanisms rely heavily on the security policies containing the underlying information of data plane, such as MAC address, IP address or switch ports. These security policies need to be specifically developed by network operators and loaded into the control plane manually. With increasing the scale of underlying network, the existing security policy management mechanisms confront more and more challenges. The security policy transformation for SDN networks is to research how to transform the high-level security policy without containing the underlying information into the practical flow entries used by Openflow switches automatically, thereby implementing the automatic management of security policies. To achieve this objective, we propose a model transformation based security policy automatic management framework for software-defined networking in this paper. Leveraging its functional modules, the framework can solve the problems of how to find a connected path for each access control rule of security policy model (SPM) in data plane, how to transform the connected path into the system model of flow entries, as well as how to generate the practical flow entries according to the system model of flow entries. In order to validate the effectiveness and performance of framework, we implement the framework by leveraging POX controller and Mininet emulator. The experimental results illustrate the framework can transform SPM into practical flow entries, synchronously perceive the modifications caused by cutting down one connected path or changing SPM, and continuously keep the data plane holding the security properties defined by SPM at runtime.

computer science, information systems

zeev geyzel,leo dorrendorf

2003-01-01

Abstract:With the widening of network,more serious problems have appeared,such as virus,IDS.All of these impact the network security.According to P2DR model,this paper shows a plan of security system,binding the functions of firewall and IDS.All the distributed applications are built on COPS.

Chao Chen,Ke Wang,Yiqi Dai

DOI: https://doi.org/10.1109/cis.2009.141

2009-01-01

Abstract:The security and trustworthiness of enterprise networks have been a major concern in the research and practice of Intranet security. The security of endpoints and their network access are inevitably two important factors regarding enterprise network security. In this paper we present a novel architecture to enforce controls on endpoint application execution and network access, in which the Policy Decision Point (PDP) and Policy Enforcement Point (PEP) are introduced. A hybrid mechanism is proposed such that the control of application and network access of endpoints are integrated. Security analysis and performance evaluation prove that the proposed architecture maintains a balance between security and flexibility of enterprise network control.

Wang Xiang,Qi Yaxuan,Wang Kai,Xue Yibo,Li Jun

DOI: https://doi.org/10.1109/cc.2015.7224697

2015-01-01

China Communications

Abstract:Modern network security devices employ packet classification and pattern matching algorithms to inspect packets. Due to the complexity and heterogeneity of different search data structures, it is difficult for existing algorithms to leverage modern hardware platforms to achieve high performance. This paper presents a Structural Compression (SC) method that optimizes the data structures of both algorithms. It reviews both algorithms under the model of search space decomposition, and homogenizes their search data structures. This approach not only guarantees deterministic lookup speed but also optimizes the data structure for efficient implementation on many-core platforms. The performance evaluation reveals that the homogeneous data structure achieves 10Gbps line-rate 64byte packet classification throughput and multi-Gbps deep inspection speed.

HX Duan,JP Wu,X Li

DOI: https://doi.org/10.1109/icon.2000.875800

2001-01-01

Journal of Software

Abstract:This paper focus on the issues of management and throughput of firewalls (or screening routers) applied in transit networks. On the one hand, manual configuration of a large amount of firewalls distributed in many access points can not meet the global security requirements in the open and dynamic environment. On the other hand, the ordinal lookup of filtering rules in each individual firewall results in great decrease of throughput. Aimed at a typical transit network and its security policy requirements, a policy-based access control framework (PACF) is proposed. This framework is based on three levels of abstract access control policy: organizational access control policy (OACP), global access control policy (GACP) and local access control policy (LACP). The GACP, which comes from the results of IDSes and search engines according to OACP, is automatically and dynamically distributed to firewalls as LACPs. Each LACP is then enforced by an individual firewall. Some key algorithms for distribution of GACP and enforcement of LACP are described. A hash-based algorithm is proposed, for lookup of filtering rules in LACP. Under an environment with policy requirements described in this paper the new algorithm reduces the time complexity of lookup from O(N) of the traditional sequential algorithm to O(1), which therefore increases largely the throughput of firewalls.

Yunfei Meng,Changbo Ke,Zhiqiu Huang,Guohua Shen,Chunming Liu,Xiaojie Feng

DOI: https://doi.org/10.48550/arXiv.2301.03790

2023-01-10

Cryptography and Security

Abstract:Software-defined networking (SDN) has been widely utilized to enforce the security of traditional networks, thereby promoting the process of transforming traditional networks into SDN networks. However, SDN-based security enforcement mechanisms rely heavily on the security policies containing the underlying information of data plane. With increasing the scale of underlying network, the current security policy management mechanism will confront more and more challenges. The security policy transformation for SDN networks is to research how to transform the high-level security policy without containing the underlying information of data plane into the practical flow entries used by the OpenFlow switches automatically, thereby implementing the automation of security policy management. Based on this insight, a practical runtime security policy transformation framework is proposed in this paper. First of all, we specify the security policies used by SDN networks as a system model of security policy (SPM). From the theoretical level, we establish the system model for SDN network and propose a formal method to transform SPM into the system model of flow entries automatically. From the practical level, we propose a runtime security policy transformation framework to solve the problem of how to find a connected path for each relationship of SPM in the data plane, as well as how to generate the practical flow entries according to the system model of flow entries. In order to validate the feasibility and effectiveness of the framework, we set up an experimental system and implement the framework with POX controller and Mininet emulator.

Vijay Varadharajan,Kallol Karmakar,Uday Tupakula,Michael Hitchens

DOI: https://doi.org/10.48550/arXiv.1806.02053

2018-06-06

Abstract:As networks expand in size and complexity, they pose greater administrative and management challenges. Software Defined Networks (SDN) offer a promising approach to meeting some of these challenges. In this paper, we propose a policy driven security architecture for securing end to end services across multiple SDN domains. We develop a language based approach to design security policies that are relevant for securing SDN services and communications. We describe the policy language and its use in specifying security policies to control the flow of information in a multi-domain SDN. We demonstrate the specification of fine grained security policies based on a variety of attributes such as parameters associated with users and devices/switches, context information such as location and routing information, and services accessed in SDN as well as security attributes associated with the switches and Controllers in different domains. An important feature of our architecture is its ability to specify path and flow based security policies, which are significant for securing end to end services in SDNs. We describe the design and the implementation of our proposed policy based security architecture and demonstrate its use in scenarios involving both intra and inter-domain communications with multiple SDN Controllers. We analyse the performance characteristics of our architecture as well as discuss how our architecture is able to counteract various security attacks. The dynamic security policy based approach and the distribution of corresponding security capabilities intelligently as a service layer that enable flow based security enforcement and protection of multitude of network devices against attacks are important contributions of this paper.

Cryptography and Security