Qiang Wu,Ran Wang,Xincheng Yan,Chunming Wu,Rongxing Lu

DOI: https://doi.org/10.1109/MWC.001.2100251

IF: 12.777

2022-01-01

IEEE Wireless Communications

Abstract:Opening-up sharing has prompted the multi-tenancy architecture, whereby different vendors (including outsourcees) work together with network operators to form a vibrant service ecosystem, resulting in several advantages as well as risks. In particular, the static nature of existing architectures in network functions virtualization-based (NFV-based) clouds facilitate hacking. Thus, much attention has been focused on determining how to avoid the uncontrollable cloud security induced by complex production relations and non-trustworthy software/hardware sources when the two sets of security risks intersect. In this article, we investigate latent persistent threats against cloud environments and determine a high degree of complementarity and consistency between the NFV-based cloud environment and the dynamic defense concept. More specifically, new NFV-based cloud features provide an effective implementation for dynamic defense, while the generalized robustness of dynamic defense theory allows for high security gains. Intrinsic cloud security (iCS) is then proposed to align NFV-based clouds, mimicking defense and the moving target defense (MTD) paradigm to implement a seamless integration and symbiosis evolution between security and NFV-based clouds. We quantify the impact on system overhead to account for efficiency and cost issues. The simulation analysis demonstrates that the enhanced mode is able to consistently obtain a more beneficial and stable defense compared with the counterparts.

Ming Wan,Minglei Hao,Yang Li,Jianming Zhao,Ying Li

DOI: https://doi.org/10.1145/3586102.3586127

2022-01-01

Abstract:Due to the rapid development of industrial automation, ICSs (Industrial Control Systems) gradually expose their potential security vulnerabilities, and are facing more and more serious security risks. Although different industrial security technologies have been developed to strengthen industrial security protection, they always struggle for their own because of their standalone and non-related functions, and their actual defense effects are not encouraging. This paper first summarizes some intrinsic security vulnerabilities in ICSs, and analyzes the main causes to generate each class of vulnerabilities. Furthermore, five popular security technologies which have been successfully applied in today's ICSs are introduced, and their advantages and shortages are also compared by explaining each working mechanism. In order to take full advantage of various industrial security technologies, this paper proposes one novel cooperative defense model based P2DR (Policy, Protection, Detection and Response), which establishes the dynamical defense process to integrate five different industrial security technologies. Under the guidance of security policies, this model can comprehensively utilize the resources of various industrial security technologies to learn and judge current security status of the whole system, and effectively adjust the optimum deployment to provide the strongest protection with the lowest risk. Finally, one applicable case based on the proposed model is designed to verify the feasibility of cooperative defense in ICSs.

Haifeng Zhou,Chunming Wu,Ming Jiang,Boyang Zhou,Wen Gao,Tingting Pan,Min Huang

DOI: https://doi.org/10.1109/mcom.2015.7081074

IF: 9.03

2015-01-01

IEEE Communications Magazine

Abstract:The past few years have witnessed revolutionary advances in network technology. Along with new techniques such as SDN come lots of new network security challenges. Conventional network security mechanisms are incompetent to overcome these challenges, since they are built on a static network configuration that facilitates attackers in finding the weaknesses of a network. In this article, we conceive a novel conceptual network security mechanism, the evolving defense mechanism (EDM), to resolve current and future security problems. EDM is based on a bio-inspired idea of network configuration variations. According to the security requirements of the system, the user, and the network security state, EDM selects an efficient network configuration variation strategy to prevent corresponding security threats. Combined with SDN implementation, EDM resolves security problems from a new angle and is capable of evolving with new network security technology. We sketch a way to implement EDM and present its reference framework, which serves as an ecosystem and coexisting environment for various kinds of network configuration variations. The proposed mechanism avoids the deficiency of conventional mechanisms and has potential to cope with emerging security threats.

Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

WUChunming

DOI: https://doi.org/10.3969/j.issn.1009-6868.2016.01.009

2016-01-01

Abstract:Dynamic network proactive security defence is an effective method for solving the unknown vulnerabilities and back door attacks in the information system. In this paper, the evolution defense mechanism (EDM) is proposed. According to the security status, network system security needs, EDM can select the best network configuration change elements to deal with potential attacks and ensure the safety requirements of a specific level. Dynamic reconfiguration and changes of the network need to be considered in accordance with the security situation of the system and the possible network attacks. The key is how to detect and the security situation and network attacks. It proposes that study on dynamic network proactive security defense in China is in the initial stage, and there is stil much work to do.

Yikuan Yan,Keman Huang,Michael Siegel

2024-03-03

Abstract:The growing system complexity from microservice architectures and the bilateral enhancement of artificial intelligence (AI) for both attackers and defenders presents increasing security challenges for cloud-native operations. In particular, cloud-native operators require a holistic view of the dynamic security posture for the cloud-native environment from a defense aspect. Additionally, both attackers and defenders can adopt advanced AI technologies. This makes the dynamic interaction and benchmark among different intelligent offense and defense strategies more crucial. Hence, following the multi-agent deep reinforcement learning (RL) paradigm, this research develops an agent-based intelligent security service framework (ISSF) for cloud-native operation. It includes a dynamic access graph model to represent the cloud-native environment and an action model to represent offense and defense actions. Then we develop an approach to enable the training, publishing, and evaluating of intelligent security services using diverse deep RL algorithms and training strategies, facilitating their systematic development and benchmark. The experiments demonstrate that our framework can sufficiently model the security posture of a cloud-native system for defenders, effectively develop and quantitatively benchmark different services for both attackers and defenders and guide further service optimization.

Cryptography and Security

Rodrigo Moreira,Rodolfo S. Villaca,Moises R. N. Ribeiro,Joberto S. B. Martins,Joao Henrique Correa,Tereza C. Carvalho,Flavio de Oliveira Silva

DOI: https://doi.org/10.1016/j.future.2024.107537

2024-10-05

Abstract:Network Slicing (NS) has transformed the landscape of resource sharing in networks, offering flexibility to support services and applications with highly variable requirements in areas such as the next-generation 5G/6G mobile networks (NGMN), vehicular networks, industrial Internet of Things (IoT), and verticals. Although significant research and experimentation have driven the development of network slicing, existing architectures often fall short in intrinsic architectural intelligent security capabilities. This paper proposes an architecture-intelligent security mechanism to improve the NS solutions. We idealized a security-native architecture that deploys intelligent microservices as federated agents based on machine learning, providing intra-slice and architectural operation security for the Slicing Future Internet Infrastructures (SFI2) reference architecture. It is noteworthy that federated learning approaches match the highly distributed modern microservice-based architectures, thus providing a unifying and scalable design choice for NS platforms addressing both service and security. Using ML-Agents and Security Agents, our approach identified Distributed Denial-of-Service (DDoS) and intrusion attacks within the slice using generic and non-intrusive telemetry records, achieving an average accuracy of approximately $95.60\%$ in the network slicing architecture and $99.99\%$ for the deployed slice -- intra-slice. This result demonstrates the potential for leveraging architectural operational security and introduces a promising new research direction for network slicing architectures.

Cryptography and Security,Artificial Intelligence,Emerging Technologies,Machine Learning,Networking and Internet Architecture

Hao YIN,Dongchao GUO,Yongqiang LYU,Peng YANG,Zhiwei ZHAO,Yaoxue ZHANG

DOI: https://doi.org/10.1360/n112017-00171

2019-01-01

Abstract:Cyberspace security is vital to state interest. Recently, there are some challenges in cyber security. In architecture for instance, although protection mechanisms are introduced and applied everywhere, the modern network architecture (well connected and open) still has difficulty in completely ensuring cyber security. It is also observed that contemporary cyber security protection mechanism highly depends on the priori information of security threats and thus will hardly address unknown potential threats. In this paper, a novel cyberspace security protection framework is proposed. A dual-structural Internet scheme that integrates the current Internet architecture with a redundant secondary structure network characterized by its broad-storage scheme, heterogeneous structure, and dynamic protection mechanism is introduced. Also, a novel active defense mechanism that is knowledge-data driven and thus independent of the priori information of the security threat is proposed. Furthermore, some key techniques such as transparent access and prepositive active defense are introduced. The theoretical and technical work proposed in this paper offers a comprehensively evolutionary solution to constructing a cyberspace in which the protection mechanism is more independent and active.

Ke Wang,Li Su,Haitao Du

DOI: https://doi.org/10.1109/ICCT59356.2023.10419581

2023-10-20

Abstract:Network slice security is the prerequisite for introducing network slicing to vertical industries. The security capabilities of one slice need to be decided based on customers' requirements and the security capabilities that the network is capable of providing. Provisioning slice security capabilities passes through the life cycle of a slice instance. However, there is a gap between security requirements and security capabilities that need to be provisioned. It's not easy for the slice customers or the network operators provisioning the security capabilities of one slice. An intelligent slice security capabilities provisioning and management method is urgently needed. This paper proposes an approach to decompose, propagate and perform the slice security related intents in order to achieve intent-driven slice security provision and management.

Computer Science,Engineering

Xiang Wang,Zhi Liu,Jun Li,Baohua Yang,Yaxuan Qi

DOI: https://doi.org/10.1109/icccn.2014.6911782

2014-01-01

Abstract:Multi-tenant infrastructures deployed in cloud datacenters need network security protection. However, the rigid control mechanism of current security middleboxes induces inflexible orchestration, limiting the agile and on-demand security provision in virtualized datacenters. This paper presents Tualatin, a consolidated framework of delivering security services in multi-tenant datacenters. It meets security requirements of different scenarios by hardware and software co-design. Leveraging Software-Defined Networking (SDN) and OpenFlow techniques, Tualatin provides fine-grained security protection in dynamically changing network topologies, where both switches and security middleboxes are programmatically controlled by logically centralized controllers. With service-level APIs exposed, Tualatin could be easily integrated with other Cloud Management System (CMS). A proof-of-concept system has been deployed in a Tier-IV datacenter, providing customizable network security services for tenant Virtual Private Cloud (VPC) infrastructure.

Jia Xu,Jia Yan,Liang He,Purui Su,Dengguo Feng

DOI: https://doi.org/10.1109/CloudCom.2010.16

2010-01-01

Abstract:Massive Internet invasions implemented through the distributed platform fabricated by rapid diffusion of malwares, has become a significant issue in network security. We argue that the notion of “Collaborative Security” is an emerging trend in resisting distributed attacks originated from malware. Therefore, this paper proposes a new architecture: CloudSEC, for composing collaborative security-related services in clouds, such as correlated intrusion analysis, anti-spam, anti-DDOS, automated malware detection and containment. CloudSEC is modeled as a dynamic peer-to-peer overlay hierarchy with three types of top-down architectural components. Based on, this architecture, both data distribution and task scheduling overlays can be simultaneously implemented in a loosely coupled fashion, which can efficiently retrieve data resources from heterogeneous network security facilities, and harness distributed collection of computational resources to process data-intensive tasks. Hence, CloudSEC endues the network security infrastructure with the capability of dynamic adaptation and collaboration on an inter-organizational scale. The results of preliminary evaluation demonstrate that, CloudSEC not only delivers a sample service of distributed intrusion correlation with high scalability and robustness, but also achieves remarkable effectiveness in data sharing and task scheduling.

Zhiwei Wei,Bing Li,Rongqing Zhang,Lingyang Song

DOI: https://doi.org/10.1109/icc51166.2024.10622253

2024-01-01

Abstract:The Industrial Internet of Things (IIoT) continues to evolve alongside advancements in 5G and beyond 5G communication technologies, and network slicing has emerged as a promising technique to offer isolated slices and tailored services across industrial use cases, which profoundly affects the traditional security solution. As the future IIoT evolves towards the post-5G era, the anticipated growth in network slices will unavoidably exacerbate challenges in security service management, but developing an adaptive and effective security strategy remains a significant challenge. This study introduces a novel slice-specific IIoT (SSIOT) architecture, meticulously crafted to address the unique security needs of each slice based on network function virtualization. To adapt to the SSIOT, an AI-driven GS2L model is presented, which combines graph convolutional network (GCN) with sequence-to-sequence (Seq2Seq) deep reinforcement learning (DRL). The GS2L offers the network topology explanation module, service request analysis module, and slice-specific distribution extraction module, and adeptly navigates the multifaceted Security Service Function Chain (SSFC) embedding conundrum and resource allocation in slice-specific systems. Comprehensive experimental evaluations underscore GS2L's superiority, showcasing its proficiency in delivering augmented QoS satisfaction while ensuring prudent resource utilization over the learning-based and heuristic benchmark.

Anshul Jain,Tanya Singh,Satyendra Kumar Sharma,Vikas Prajapati

DOI: https://doi.org/10.28945/4675

2021-01-01

Abstract:Aim/Purpose: 5G and IoT are two path-breaking technologies, and they are like wall and climbers, where IoT as a climber is growing tremendously, taking the support of 5G as a wall. The main challenge that emerges here is to secure the ecosystem created by the collaboration of 5G and IoT, which consists of a network, users, endpoints, devices, and data. Other than underlying and hereditary security issues, they bring many Zero-day vulnerabilities, which always pose a risk. This paper proposes a security solution using network slicing, where each slice serves customers with different problems. Background: 5G and IoT are a combination of technology that will enhance the user experience and add many security issues to existing ones like DDoS, DoS. This paper aims to solve some of these problems by using network slicing and implementing an Intrusion Detection System to identify and isolate the compromised resources. Methodology: This paper proposes a 5G-IoT architecture using network slicing. Research here is an advancement to our previous implementation, a Python-based software divided into five different modules. This paper’s amplification includes induction of security using pattern matching intrusion detection methods and conducting tests in five different scenarios, with 1000 up to 5000 devices in different security modes. This enhancement in security helps differentiate and isolate attacks on IoT endpoints, base stations, and slices. Contribution: Network slicing is a known security technique; we have used it as a platform and developed a solution to host IoT devices with peculiar requirements and enhance their security by identifying intruders. This paper gives a different solution for implementing security while using slicing technology. Findings: The study entails and simulates how the IoT ecosystem can be variedly deployed on 5G networks using network slicing for different types of IoT devices and users. Simulation done in this research proves that the suggested architecture can be successfully implemented on IoT users with peculiar requirements in a network slicing environment. Recommendations for Practitioners: Practitioners can implement this solution in any live or production IoT environment to enhance security. This solution helps them get a cost-effective method for deploying IoT devices on a 5G network, which would otherwise have been an expensive technology to implement. Recommendation for Researchers: Researchers can enhance the simulations by amplifying the different types of IoT devices on varied hardware. They can even perform the simulation on a real network to unearth the actual impact. Impact on Society: This research provides an affordable and modest solution for securing the IoT ecosystem on a 5G network using network slicing technology, which will eventually benefit society as an end-user. This research can be of great assistance to all those working towards implementing security in IoT ecosystems. Future Research: All the configuration and slicing resources allocation done in this research was performed manually; it can be automated to improve accuracy and results. Our future direction will include machine learning techniques to make this application and intrusion detection more intelligent and advanced. This simulation can be combined and performed with smart network devices to obtain more varied results. A proof-of-concept system can be implemented on a real 5G network to amplify the concept further.

English Else

Huazhe Wang,Xin Li,Yu Zhao,Ye Yu,Hongkun Yang,Chen Qian

DOI: https://doi.org/10.48550/arXiv.1606.07079

2016-06-22

Networking and Internet Architecture

Abstract:There is an increasing trend that enterprises outsource their network functions to the cloud for lower cost and ease of management. However, network function outsourcing brings threats to the privacy of enterprises since the cloud is able to access the traffic and rules of in-cloud network functions. Current tools for secure network function outsourcing either incur large performance overhead or do not support real-time updates. In this paper, we present SICS, a secure service function chain outsourcing framework. SICS encrypts each packet header and use a label for in-cloud rule matching, which enables the cloud to perform its functionalities correctly with minimum header information leakage. Evaluation results show that SICS achieves higher throughput, faster construction and update speed, and lower resource overhead at both enterprise and cloud sides, compared to existing solutions.

Chengrong WU,Ming YAN,Haolin Jin,Wei LIU,Shiyong ZHANG,Jianping ZENG

DOI: https://doi.org/10.19363/j.cnki.cn10-1380/tn.2016.04.002

2016-01-01

Abstract:Traditional information security defense techniques have the feature of static and passive. Systems and security mechanisms are relatively fixed in a period of time. So attackers can continuously study the static target, and try to find the vulnerability of it. In order to improve the proactivity of security defense, some research programs that tried to“change the rules of the game”had been initialized throughout the world. MTD (moving target defense) and the Mimic-Defense are the emerging ideas of proactive defense. However, to achieve the purpose of proactive defense, in addition to the separate uses of techniques on key points, we also need a framework. Deferent defense mechanisms can be effectively cooperate in the framework to form a general “moving” and controlled proactive defense system. Traditional information system which does not have the build-in proactive defense mechanism can also run in this framework, and be benefited from the proac-tive defense mechanism to enhance the ability of defense. This paper presents a kind of framework that can effectively integrate different levels of proactive defense techniques and mechanisms, and is compatible with the traditional applica-tions. We call it self-transforming proactive defense network framework. This framework can archive the integration of build-in with bolt-on proactive defense techniques, the integration of multi-level and multi-granularity proactive defense techniques. It is compatible with traditional applications which do not have the build-in proactive defense mechanism, and provides ideas.to form a new generation of build-in proactive defense network architecture in the future.

Hongchao Hu,Jiangxing Wu,Zhenpeng Wang,Guozhen Cheng

DOI: https://doi.org/10.1049/iet-ifs.2017.0086

2017-01-01

IET Information Security

Abstract:In recent years, both academia and industry in cyber security have tried to develop innovative defense technologies, expecting that to change the rules of the game between attackers and defenders. The authors start by analysing the root causes of security problems in cyberspace: (i) vulnerabilities in cyber systems are universal; (ii) current cyber systems are static, predictable and monoculture which allows adversaries to plan and launch attacks effectively; (iii) existing techniques cannot detect and eliminates attacks employing unknown vulnerabilities. Based on their analysis, they develop a novel defense framework, mimic defense (MD), that employs dynamic, heterogeneity, redundancy (DHR)' mechanism to defense cyber attacks. The main ideas behind MD are: constructing diverse functional equivalent variants for the protected target; scheduling some variants to run in parallel dynamically; and adopting policy-based arbitration mechanism to decide whose results of current running variants are correct. Theoretical analysis and simulation results show that DHR can significantly increase the difficulties for attackers and enhance the security of cyber systems, and the security enhancement can be more than ten times. They also present a proof-of-principle prototype that employ MD, mimic router, to examine its effectiveness. Finally, they conclude its limitations.

Fei Yu,Qiang Wei,Yangyang Geng,Yunchao Wang

DOI: https://doi.org/10.1109/imcec51613.2021.9482240

2021-06-18

Abstract:Industrial network boundary protection equipment faces threats from attackers when protecting the industrial control system network. The similarity and static characteristics caused by large-scale and long-term deployment determine that it could only defend against known attacks but could not deal with unknown APT threats, which leads to the breakthrough of one defense line is equivalent to the breakthrough of all defense lines and may bring challenges to industrial production safety. This paper proposes a mimic defense model of industrial isolation gateway based on endogenous security. With the dynamic scheduling mechanism to transform the attack surface, the gateway selects multiple heterogeneous filter executors to process the same packet simultaneously. By comparing the processing results of each executor, anomaly detection is carried out to realize the dynamic defense of the industrial isolation gateway. The experimental results show that the industrial isolation gateway based on mimic architecture can significantly increase the difficulty of backdoor utilization, such as paralysis, rule tampering, and information theft, and effectively defend the industrial control system from the threats caused by the backdoors and vulnerabilities of the isolation gateway while exerting the normal boundary protection function.

Fatima Salahdine,Qiang Liu,Tao Han

DOI: https://doi.org/10.1109/ojcs.2022.3161933

2022-01-01

IEEE Open Journal of the Computer Society

Abstract:Network slicing is one of the emerging technologies allowing resource sharing among different network entities in 5G networks. It enables delivering smart, critical, and multi-services with distinctive requirements transiting from network as an infrastructure to network as a service setup. Although its advantages, it is facing several challenges raised from isolation and resource sharing among services leading to security issues. Security is a critical problem for network slicing as slices serving customized services with different requirements may also have different security levels and policies. Thus, considering the impact of these security issues on network slices is required when defining and designing security protocols. Addressing these challenges is necessary to protect users security and privacy while maintaining the required performance and QoS. Most of the existing works covered only one or more aspects of the network slicing including, architecture, taxonomy, challenges, security issues, attacks classification, possible solutions, and future scope. In this paper, we extensively investigated all these aspects and others, we analyzed how the security can be ensured inside and outside of the network slices with resource isolation, machine learning, and cryptography with an E2E security. We presented a deep review of the security issues threatening the network slicing and how to mitigate them over a multi-domain infrastructure in 5G networks. we evaluated the performance of some of these solutions in preventing malicious attacks through experiments using Open Air Interface.

Stan Wong,Bin Han,Hans D. Schotten

DOI: https://doi.org/10.3390/network2010011

2022-03-08

Network

Abstract:This article reveals an adequate comprehension of basic defense, security challenges, and attack vectors in deploying multi-network slicing. Network slicing is a revolutionary concept of providing mobile network on-demand and expanding mobile networking business and services to a new era. The new business paradigm and service opportunities are encouraging vertical industries to join and develop their own mobile network capabilities for enhanced performances that are coherent with their applications. However, a number of security concerns are also raised in this new era. In this article, we focus on the deployment of multi-network slicing with multi-tenancy. We identify the security concerns and discuss the defense approaches such as network slice isolation and insulation in a multi-layer network slicing security model. Furthermore, we identify the importance to appropriately select the network slice isolation points and propose a generic framework to optimize the isolation policy regarding the implementation cost while guaranteeing the security and performance requirements.

Wente Zeng,Mo-Yuen Chow

DOI: https://doi.org/10.1109/tii.2012.2209662

IF: 12.3

2012-01-01

IEEE Transactions on Industrial Informatics

Abstract:Distributed networked control systems (D-NCS) are vulnerable to various network attacks when the network is not secured; thus, D-NCS must be well protected with security mechanisms (e.g., cryptography), which may adversely affect the dynamic performance of the D-NCS because of limited system resources. This paper addresses the tradeoff between D-NCS security and its real-time performance and uses the Intelligent Space (iSpace) for illustration. A tradeoff model for a system's dynamic performance and its security is presented. This model can be used to allocate system resources to provide sufficient protection and to satisfy the D-NCS's real-time dynamic performance requirements simultaneously. Then, the paper proposes a paradigm of the performance-security tradeoff optimization based on the coevolutionary genetic algorithm (CGA) for D-NCS. A Simulink-based test-bed is implemented to illustrate the effectiveness of this paradigm. The results of the simulation show that the CGA can efficiently find the optimal values in a performance-security tradeoff model for D-NCS.