Haifeng Zhou,Chunming Wu,Ming Jiang,Boyang Zhou,Wen Gao,Tingting Pan,Min Huang

DOI: https://doi.org/10.1109/mcom.2015.7081074

IF: 9.03

2015-01-01

IEEE Communications Magazine

Abstract:The past few years have witnessed revolutionary advances in network technology. Along with new techniques such as SDN come lots of new network security challenges. Conventional network security mechanisms are incompetent to overcome these challenges, since they are built on a static network configuration that facilitates attackers in finding the weaknesses of a network. In this article, we conceive a novel conceptual network security mechanism, the evolving defense mechanism (EDM), to resolve current and future security problems. EDM is based on a bio-inspired idea of network configuration variations. According to the security requirements of the system, the user, and the network security state, EDM selects an efficient network configuration variation strategy to prevent corresponding security threats. Combined with SDN implementation, EDM resolves security problems from a new angle and is capable of evolving with new network security technology. We sketch a way to implement EDM and present its reference framework, which serves as an ecosystem and coexisting environment for various kinds of network configuration variations. The proposed mechanism avoids the deficiency of conventional mechanisms and has potential to cope with emerging security threats.

WUChunming

DOI: https://doi.org/10.3969/j.issn.1009-6868.2016.01.009

2016-01-01

Abstract:Dynamic network proactive security defence is an effective method for solving the unknown vulnerabilities and back door attacks in the information system. In this paper, the evolution defense mechanism (EDM) is proposed. According to the security status, network system security needs, EDM can select the best network configuration change elements to deal with potential attacks and ensure the safety requirements of a specific level. Dynamic reconfiguration and changes of the network need to be considered in accordance with the security situation of the system and the possible network attacks. The key is how to detect and the security situation and network attacks. It proposes that study on dynamic network proactive security defense in China is in the initial stage, and there is stil much work to do.

Zhijun Zhang

2011-01-01

Abstract:As the use of distributed deployment of a large number of heterogeneous security devices in order to build network security defense system generates a mass of security event information which is difficult to effectively manage and the security monitoring systems that are deployed in different places are difficult to manage integratedly, united platform model for network security management is proposed. According to the actual distribution of Yunnan security monitoring systems, the platform establish a level of information system by the use of distributed technology. Platform designs and analyzes its oriented network security managers system architecture and uses risk assessment and event correlation to analyze network operating conditions in real-time, reduce false alarm ratio so that network security managers can find security accidents precisely and respond promptly. And then the paper describes key technologies such as distributed data model,secure event standardization model,secure communication and control protocol in detail.

Chunming Zhang,Fengji Luo,Mingyang Sun,Gianluca Ranzi

DOI: https://doi.org/10.1109/tnse.2020.3015220

IF: 6.6

2021-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Advanced Metering Infrastructure (AMI) is a critical and fundamental component of smart grids. Cyber security of AMI thus has direct implications to smart grid's secure and reliable operations. This paper establishes analytical models for studying AMI system's robustness with presence of Distributed Denial-of-Service (DDoS) attacks. This paper firstly proposes a state transition model for individual smart meter nodes and data collector nodes in an AMI communication network; based on this, a dynamic differential system is formulated to describe the network's state evolution. We analyze the dynamic differential system's stability under DDoS attacks and propose a defending strategy, which optimally allocate defending resources in the AMI network, aiming at mitigating the DDoS's threaten with minimum defending loss and cost. Extensive simulations are conducted to validate the proposed method under different AMI network topologies.

李章维,张建明,王树青

DOI: https://doi.org/10.3785/j.issn.1008-973x.2004.08.001

2004-01-01

Abstract:For improving the stability, reliability, and convenient safeguard in network systems, a new method for network fault detection based on the network device running status was proposed. Using the feature of real network and SNMP(simple network management protocol) and TELNET(telecommunication network protocol), the realization of multi-agent network management systems was discussed. The network management system is characterized by rapid network fault detection, determination and treatment, which has intelligence and capacity for self-study, and also shortens the time of network fault (response) and treatment, thus the reliability of the network was improved. With the use of multi-Agent technology, the new way for studying network management has advantages of simple calculation, rapid fault detection, etc.

Yunfei Meng,Changbo Ke,Zhiqiu Huang

DOI: https://doi.org/10.1016/j.cose.2024.103850

IF: 5.105

2024-04-19

Computers & Security

Abstract:Software-defined networking (SDN) has been utilized to enforce the security of traditional networks. However, the existing SDN-based security enforcement mechanisms rely heavily on the security policies containing the underlying information of data plane, such as MAC address, IP address or switch ports. These security policies need to be specifically developed by network operators and loaded into the control plane manually. With increasing the scale of underlying network, the existing security policy management mechanisms confront more and more challenges. The security policy transformation for SDN networks is to research how to transform the high-level security policy without containing the underlying information into the practical flow entries used by Openflow switches automatically, thereby implementing the automatic management of security policies. To achieve this objective, we propose a model transformation based security policy automatic management framework for software-defined networking in this paper. Leveraging its functional modules, the framework can solve the problems of how to find a connected path for each access control rule of security policy model (SPM) in data plane, how to transform the connected path into the system model of flow entries, as well as how to generate the practical flow entries according to the system model of flow entries. In order to validate the effectiveness and performance of framework, we implement the framework by leveraging POX controller and Mininet emulator. The experimental results illustrate the framework can transform SPM into practical flow entries, synchronously perceive the modifications caused by cutting down one connected path or changing SPM, and continuously keep the data plane holding the security properties defined by SPM at runtime.

computer science, information systems

Yunfei Meng,Zhiqiu Huang,Guohua Shen,Changbo Ke

DOI: https://doi.org/10.1016/j.cose.2020.102089

2021-01-01

Abstract:<p>Software-defined networking (SDN) has been increasingly utilized to enforce the security of complex networks. However SDN-based security enforcement mechanisms rely heavily on some specific security policies containing underlying network information. Facing the increasingly complex and huge SDN networks, we urgently need a novel security policy management mechanism which can be completely transparent to any underlying network information. That is it can permit network managers to define the high-level security policy model without containing any underlying information, and by means of model transformation, high-level security policy model can be automatically transformed into its corresponding lower-level security policy model containing underlying information. Moreover, we must ensure the system model of data plane updated by the low-level security policy model can hold all of security properties defined in high-level security policy model. Based on these insights, we propose a security policy model transformation and verification approach for SDN in this paper. We first specify the security policies used in SDN networks as a formal security policy model (SPM). Then we establish the system model of SDN's data plane and the mapping rules between the policy objects of SPM and the system objects of system model of data plane. Based on these mapping rules, we propose a security policy model transformation mechanism which transforms SPM into the low-level security policy model, RSPM. In order to verify the system model of data plane updated by RSPM can hold all of security properties defined in SPM, we propose a security policy verification mechanism based on model checking techniques and a group of validation conditions. Finally, we utilize a comprehensive case to illustrate the feasibility of this approach.</p>

computer science, information systems

ZENG Kuang-yi,YANG Jia-hai

DOI: https://doi.org/10.3969/j.issn.1000-1220.2007.02.006

2007-01-01

Abstract:Policy refinement and policy conflict resolution are two of the toughest issues in implementing a policy-based network management (PBNM) system. Based on a brief review of general PBNM theories and specific access control technologies, the paper proposed a novel policy-based network management model, which adopts XML as the high level policy description language, and uses the generalized access control list(ACL) as an intermediate refining mechanism, focusing on network security and QoS management. Some critical issues and their solutions, including policy representation, policy refinement, and policy conflict policy detection, are discussed. A formula representation of the policy conflict issue is given with several important inferences. The effectiveness and efficiency of the model is verified by the implemented prototype.

Wei Zhang,Ming Zhong,Minfu A,Yumei Sun,Yang Wang

DOI: https://doi.org/10.1155/2022/5733358

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:In order to improve the adaptive control effect of the multiemergency power supply networking system connected to new energy (NE), this paper studies the adaptive control strategy (ACS) of the multiemergency power supply networking system connected to NE by combining intelligent algorithms and determines the appropriate installation node of the distributed power supply according to the voltage stability index. Moreover, this paper proposes a method to optimize the distribution network feeder reorganization and distributed power configuration problems based on the fireworks algorithm to reduce the network loss and improve the voltage distribution. In addition, distribution network reorganization and distributed power configuration optimization can more effectively minimize network losses and improve voltage distribution. Through the experimental research, it can be seen that the ACS of the multiemergency power supply network system connected to NE proposed in this paper has the established effect.

Chang Zhi-xian

DOI: https://doi.org/10.1007/s12083-020-00979-2

2020-09-11

Abstract:When facing some emergency situations, such as fires, traffic accidents, etc., it is necessary for the network to use the available information to provide the best and fastest access routes. In these cases, it is important to centrally manage all devices throughout the network, so a software-defined network (SDN) -based architecture is used to manage and control emergency service actions and evacuation plans. At this time, differentiated services are provided to customers in emergency and non-emergency situations through network slicing, and resource allocation is performed for network slicing such as delay and bandwidth parameters. In this paper, the first resource management plan is the merit of quick converging to the global optimal solution which was used to design the evaluation function of the network resource management; the second is monitors and analyzes access traffic and centralizes control and management to meet the bandwidth requirements of tenants to counter the tidal effect. The ability of fast random search of particle swarm optimization was used to realize the update and optimization. The simulation results show that can reduce the energy consumption of the network and improve the utilization rate of cyber source at the same time.

computer science, information systems,telecommunications

Han Qin,Jiaming Weng,Dong Liu,Donglian Qi,Yufei Wang

DOI: https://doi.org/10.17775/cseejpes.2020.04550

IF: 6.014

2024-01-01

CSEE Journal of Power and Energy Systems

Abstract:With the help of advanced information technology, real-time monitoring and control levels of cyber-physical distribution systems (CPDS) have been significantly improved. However due to the deep integration of cyber and physical systems, attackers could still threaten the stable operation of CPDS by launching cyber-attacks, such as denial-of-service (DoS) attacks. Thus, it is necessary to study the CPDS risk assessment and defense resource allocation methods under DoS attacks. This paper analyzes the impact of DoS attacks on the physical system based on the CPDS fault self-healing control. Then, considering attacker and defender strategies and attack damage, a CPDS risk assessment framework is established. Furthermore, risk assessment and defense resource allocation methods, based on the Stackelberg dynamic game model, are proposed under conditions in which the cyber and physical systems are launched simultaneously. Finally, a simulation based on an actual CPDS is performed, and the calculation results verify the effectiveness of the algorithm.

Dong-young Lee,H. Seo,Tae-Kyung Kim

Abstract:Enterprise security management system proposed to properly manage heterogeneous security products is the security management infrastructure designed to avoid needless duplications of management tasks and inter-operate those security products effectively. In this paper, we defined the security policies using Z-Notation and the detection algorithm of policy conflict for managing heterogeneous firewall systems. It is designed to help security management build invulnerable security policies that can unify various existing management infrastructures of security policies. Its goal is not only to improve security strength and increase the management efficiency and convenience but also to make it possible to include different security management infrastructures while building security policies. With the process of the detection and resolution for policy conflict, it is possible to integrate heterogeneous security policies and guarantee the integrity of them by avoiding conflicts or duplications among security policies. And further, it provides convenience to manage many security products existing in large networks.

Computer Science,Business

Beipeng Mu,Xinming Chen,Zhen Chen

DOI: https://doi.org/10.1109/cmc.2011.130

2011-01-01

Abstract:Network Security Appliances are deployed at the vantage point of the Internet to detect security events and prevent attacks. However, these appliances are not so effective when it comes to distributed attacks such as DDoS. This paper presents a design and implementation of collaborative network security management system (CNSMS), which organize the NetSecu nodes into a hybrid P2P and hierarchy architecture to share the security knowledge. NetSecu nodes are organized into a hierarchy architecture so they could realize different management or security functions. In each level, nodes formed a P2P networks for higher efficiency. To guarantee identity trustworthy and information exchange secure, PKI infrastructure is deployed in CNSMS. Finally experiments are conducted to test the computing and communication cost.

Wei Yang

2003-01-01

Abstract:With the widening of network,more serious problems have appeared,such as virus,IDS.All of these impact the network security.According to P2DR model,this paper shows a plan of security system,binding the functions of firewall and IDS.All the distributed applications are built on COPS.

Yunfei Meng,Changbo Ke,Zhiqiu Huang,Guohua Shen,Chunming Liu,Xiaojie Feng

DOI: https://doi.org/10.48550/arXiv.2301.03790

2023-01-10

Cryptography and Security

Abstract:Software-defined networking (SDN) has been widely utilized to enforce the security of traditional networks, thereby promoting the process of transforming traditional networks into SDN networks. However, SDN-based security enforcement mechanisms rely heavily on the security policies containing the underlying information of data plane. With increasing the scale of underlying network, the current security policy management mechanism will confront more and more challenges. The security policy transformation for SDN networks is to research how to transform the high-level security policy without containing the underlying information of data plane into the practical flow entries used by the OpenFlow switches automatically, thereby implementing the automation of security policy management. Based on this insight, a practical runtime security policy transformation framework is proposed in this paper. First of all, we specify the security policies used by SDN networks as a system model of security policy (SPM). From the theoretical level, we establish the system model for SDN network and propose a formal method to transform SPM into the system model of flow entries automatically. From the practical level, we propose a runtime security policy transformation framework to solve the problem of how to find a connected path for each relationship of SPM in the data plane, as well as how to generate the practical flow entries according to the system model of flow entries. In order to validate the feasibility and effectiveness of the framework, we set up an experimental system and implement the framework with POX controller and Mininet emulator.

DOI: https://doi.org/10.4018/joeuc.20211101oa25

2021-11-01

Journal of Organizational and End User Computing

Abstract:The network in information age has become an important part of life, but in the process of in-depth application of computers and networks, information security issues have also become a significant obstacle to their developments. The intelligent solution to information security is a self-organized management and computing security protocol that is completed through the intelligent technologies at both ends of the sensing device and network authentication center. The results show that the network security information communication and publicity management platform built by the self-organized network management and computing of the intelligent solutions to information security can effectively heighten network users’ awareness of information protection, enhance the security of network environment, and promote the improvement of scientific network security rules. The study results of this paper provide a reference for further researches on self-organized network management and computing of intelligent solutions to information security.

information science & library science,management,computer science, information systems

Xin Zhang,Yilin Chang,Li Jiang,Zhong Shen

2006-01-01

Abstract:The monitoring of a wireless network has a significant impact on the performance in that the bandwidths are constrained especially for the wireless channel. Efficient management assumes having reliable network monitoring information about the managed system. Based upon this point of view, a fault monitoring policy of hierarchical wireless network is proposed. It can be used to monitor the network in real time. With the application of the multi-agent Markov Decision Processes, an appropriate policy model of polling with the reinforcement learning is given. The simulation results show that with this MMDP model the network fault can be located fast and accurately and the overhead of network management decreased remarkably.

Haixin Duan,Jianping Wu

DOI: https://doi.org/10.1109/APCC.1999.820481

1999-01-01

Abstract:Security management is one of the five management functions defined by ISO/OSI, which covers two aspects: security of management and management of security. As to management of network security, we give security management requirements for large computer networks, combined with our management experience of managing CERNET. From our experience, the widely used firewalls in the Internet are lacking in the capability to be remotely managed on a large scale, especially multi-vendor network environment. Addressing these problems, the concept of high level security policy management is proposed for large networks. To support high level policy management and collaborative management of multi-vendor firewalls, a definition for a common firewall MIB (CFWMIB) and a common format for the TRAP events record are proposed. For the aspect of security of network management, we present a security architecture which is implemented in our web-based network management system. Flexible authentication and role-based access control mechanisms of the architecture are described. Our ongoing and future research is also outlined.

Zhiyong Shan,Vinod Namboodiri

DOI: https://doi.org/10.24297/ijct.v20i.8841

2020-09-10

Abstract:In recent years, the emerged network worms and attacks have distributive characteristics, which can spread globally in a short time. Security management crossing network to co-defense network-wide attacks and improve the efficiency of security administration is urgently needed. This paper proposes a hierarchical distributed network security management system (HD-NSMS), which can centrally manage security across networks. First describes the system in macrostructure and microstructure; then discusses three key problems when building HD-NSMS: device model, alert mechanism, and emergency response mechanism; at last, it describes the implementation of HD-NSMS. The paper is valuable for implementing NSMS in that it derives from a practical network security management system (NSMS).

English Else

Rong Zeng,Yijia Cao,Yong Li,Sijia Hu,Xia Shao,Liwei Xie,Liang Hou,Long Zhao,Mohammad Shahidehpour

DOI: https://doi.org/10.1109/tsg.2023.3302287

IF: 10.275

2023-01-01

IEEE Transactions on Smart Grid

Abstract:The power system has become the key target of national cyber confrontation. To enhance the risk management capability of the distribution network (DN) while assessing the cyberattack risk quickly and accurately, this paper proposes a general real-time cyberattack risk assessment method for DN involving the influence of distributed feeder automation systems (DFAs). In particular, to clarify the quantitative relationship between cyberattack intrusion and DN state deterioration, we constructed the quantitative model of the cyber physical distribution network (CPDN) under cyberattack, which involves the influence of DFAs’ behavior. In addition, in order to intuitively demonstrate the cyberattack risk, we developed a novel entropy-like risk assessment system upon the quantitative model of CPDN. The real two-feeder test platform with cyberattack simulation devices is used to verify the correctness and practicality of the proposed method. In this process, a digital cyberattack risk assessment unit is created, contributing to the system-level application of risk management.

engineering, electrical & electronic