Di Wu,Yabo Dong,Jian Lin,Miaoliang Zhu

DOI: https://doi.org/10.1007/11563952_52

2005-01-01

Abstract:The fast development of E-Commerce and information technology brings much higher requirements for enterprise informationization. Because of the differences in platforms, development languages and standards etc, enterprise application integration (EAI) has become the important form of enterprise informationization to support complex business processes. Web services have emerged as the next generation of integration technology which provides the power to support interoperability. However EAI doesn’t just present new interoperability challenges; it also presents serious privacy and security challenges. This paper presents security architecture of Web Services based EAI which uses distributed Single Sign On authentication and distributed Role-based Access Control authorization. The basic concept and prototype system of the security architecture are described in detail.

Ming Wan,Minglei Hao,Yang Li,Jianming Zhao,Ying Li

DOI: https://doi.org/10.1145/3586102.3586127

2022-01-01

Abstract:Due to the rapid development of industrial automation, ICSs (Industrial Control Systems) gradually expose their potential security vulnerabilities, and are facing more and more serious security risks. Although different industrial security technologies have been developed to strengthen industrial security protection, they always struggle for their own because of their standalone and non-related functions, and their actual defense effects are not encouraging. This paper first summarizes some intrinsic security vulnerabilities in ICSs, and analyzes the main causes to generate each class of vulnerabilities. Furthermore, five popular security technologies which have been successfully applied in today's ICSs are introduced, and their advantages and shortages are also compared by explaining each working mechanism. In order to take full advantage of various industrial security technologies, this paper proposes one novel cooperative defense model based P2DR (Policy, Protection, Detection and Response), which establishes the dynamical defense process to integrate five different industrial security technologies. Under the guidance of security policies, this model can comprehensively utilize the resources of various industrial security technologies to learn and judge current security status of the whole system, and effectively adjust the optimum deployment to provide the strongest protection with the lowest risk. Finally, one applicable case based on the proposed model is designed to verify the feasibility of cooperative defense in ICSs.

WANG Xiaodong,ZHU Miaoliang

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.07.055

2005-01-01

Abstract:This paper puts forward an intellective network safe guard system based on a multi-agent system structure. The purpose of the system is to defend the intrusion of campus-wide network. It is based on IDXP and the focus is blackboard. This system can deal with multi-levels and many ways of anti-intrusions, which has self-determination. It is proved to have a good performance by spot tests.

Wu Qiang,Wu Chunming,Yan Xincheng,Cheng Qiumei

DOI: https://doi.org/10.1109/tnsm.2021.3071774

2021-01-01

IEEE Transactions on Network and Service Management

Abstract:With the emergence of cloud native technology, the network slicing enables automatic service orchestration, flexible network scheduling and scalable network resource allocation, which profoundly affects the traditional security solution. Security is regarded as a technology independent of the cloud native architecture in the initial design, traditional passive defense such as “reinforced” and “stacked” is relied on to achieve system security protection. The lack of intrinsic security mechanisms makes the system capability insufficient when faces the uncertain threat brought by vulnerabilities and backdoors under the ecosystem of opening-up and sharing. The static nature of existing networks and computing systems makes them easy to be compromised and hard to defend, and thus it is urgent to provide intrinsic security and proactive protection against the unpredictable attacks. To this end, this paper proposes a novel paradigm named intrinsic cloud security (iCS) from the perspective of dynamic defense. The dynamic defense provides component-level security, and has complementary and consistency with the cloud native environment. In particular, iCS introduces mimic defense and moving target defense (MTD), and makes full use of the new features introduced by cloud native to implement an intrinsic and proactive defense mechanism with acceptable costs and efficiency. The iCS paradigm achieves seamless integration and symbiosis evolution between security and cloud native. We implement a trial of iCS based on 5GC commercial system and evaluate its performance on costs, efficiency and attack success. The result shows that the iCS enhanced mode always can provide a better and more stable defense effects.

Qiang Wu,Ran Wang,Xincheng Yan,Chunming Wu,Rongxing Lu

DOI: https://doi.org/10.1109/MWC.001.2100251

IF: 12.777

2022-01-01

IEEE Wireless Communications

Abstract:Opening-up sharing has prompted the multi-tenancy architecture, whereby different vendors (including outsourcees) work together with network operators to form a vibrant service ecosystem, resulting in several advantages as well as risks. In particular, the static nature of existing architectures in network functions virtualization-based (NFV-based) clouds facilitate hacking. Thus, much attention has been focused on determining how to avoid the uncontrollable cloud security induced by complex production relations and non-trustworthy software/hardware sources when the two sets of security risks intersect. In this article, we investigate latent persistent threats against cloud environments and determine a high degree of complementarity and consistency between the NFV-based cloud environment and the dynamic defense concept. More specifically, new NFV-based cloud features provide an effective implementation for dynamic defense, while the generalized robustness of dynamic defense theory allows for high security gains. Intrinsic cloud security (iCS) is then proposed to align NFV-based clouds, mimicking defense and the moving target defense (MTD) paradigm to implement a seamless integration and symbiosis evolution between security and NFV-based clouds. We quantify the impact on system overhead to account for efficiency and cost issues. The simulation analysis demonstrates that the enhanced mode is able to consistently obtain a more beneficial and stable defense compared with the counterparts.

Guihai Chen,Victoria C. Yan,Qing Li,Zengzhi,Liao,Zhigang

2005-01-01

Abstract:The wide application of network technology in power systems brings not only convenience and flexibility but also security threats. An architecture of network security for power system was proposed in this study,which protected data and facilities from being attacked by outside users by means of firewall, security monitor and control system. Firewall was basically the first line of defense for the intranet; the security monitoring system was a kind of IDS (Intrusion Detection System), while security control system provided authentication, authorization,data-encrypted transmission and security management. This architecture provides various security services, such as identification, authentication, authorization, data integrity and confidentiality.

LI Fang-tao,ZHU Xiao-yan,MENG Li-rong

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.22.037

2006-01-01

Abstract:An integrated database security architecture is proposed.The encryption/authentication component,making use of cryp-tographic knowledge,not only makes the database integrity and confidentiality,but also have the function of detecting and correcting the single error.The single error correction tolerate the transfer's intrusion,and this enables the outer-level intrusion-tolerance.Inner intrusion-tolerant component provides an intrusion-tolerance based database security structure.The flexibility and the ability of protecting from attacks are improved.This system has the functions of not only intrusion-tolerance,but also encryption and authe-ntication.So it can apply to fields where the higher security level is needed.

HE Wei,SUN Yuhai,SHA Xuejun,MENG Lirong

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.08.064

2006-01-01

Abstract:This paper adopts multi-layer security model,integrates redundancy and variety architectures,makes use of integral security strategy and server-oriented intrusion tolerance architecture,realizes the survive and availability of database and the integrity and confidentiality of sensitive data.It can effectively resist malicious attacks with legal identity,and reduce the cost of security.

Jiaxuan Fei,Jieying Zhou,Qigui Yao,Xiaojian Zhang,Mingyan Li

DOI: https://doi.org/10.1109/ispec53008.2021.9735632

2021-12-23

Abstract:In order to ensure the power industrial control system security control in the “unification” and “dynamics”, this paper has designed 3d spatial coordinate axes including safety protection technology dimension (X axis-T), safety emergency response dimension (Y axis-E), comprehensive safety management dimension (Z axis-M) and one dimensional security defense scenarios coordinate axis (T axis-A), which makes up four dimensional space-time stereoscopic defense system architecture. On the one hand, in the technical dimension, the real-time monitoring of the system itself, the security techniques and defensive measures can be strengthened, so as to guarantee the comprehensive and effective implementation of the security techniques and management measures dynamically and in a closed loop, thus to ensure the robustness of the protection system architecture. On the other hand, to adapt to the power industrial control system of the overall “cloud + network + terminal” structure, this paper forms systematic power defense architecture in power industrial control system by multi-chain protection compromised technology and system and different business scenarios “cloud + network + terminal” linkage and synergy between multi-level security defense line. Finally, this study provides effective guidance for technical selection, deployment and application of defense model.

Wang Hong-pin

Abstract:In this paper we first analyze the present situation of the network security. In view of current development trend of network attack, together with practical experience and research results, the paper proposes a workable enterprise network security multi-layer protection strategy, and has given a concrete construction plan. This plan not only takes seriously to protect system's constitution, but also integrated many level protection products. Application has shown that the plan can improve integration security protection func- tions of the enterprise network.

Engineering,Computer Science

Chao Chen,Ke Wang,Yiqi Dai

DOI: https://doi.org/10.1109/cis.2009.141

2009-01-01

Abstract:The security and trustworthiness of enterprise networks have been a major concern in the research and practice of Intranet security. The security of endpoints and their network access are inevitably two important factors regarding enterprise network security. In this paper we present a novel architecture to enforce controls on endpoint application execution and network access, in which the Policy Decision Point (PDP) and Policy Enforcement Point (PEP) are introduced. A hybrid mechanism is proposed such that the control of application and network access of endpoints are integrated. Security analysis and performance evaluation prove that the proposed architecture maintains a balance between security and flexibility of enterprise network control.

Wei-Fa Liao,Hung-Min Sun,Wei Wu

DOI: https://doi.org/10.1109/dasc-picom-datacom-cyberscitec.2016.159

2016-01-01

Abstract:In recent years, Cloud computing has become increasingly popular. Many companies have replaced traditional hosting to cloud hosting. Cloud providers are responsible for tenant isolation, if a tenant (virtual machine) is infected, other tenants will be affected. Because the virtual network environment is very complex, the traditional intrusion detection systems can only detect attacks from external networks, but can not effectively detect the internal traffic (virtual network). In order to full defend from a threat, we need to redesign the architecture of the intrusion detection system. In this thesis, we propose a flexible distributed architecture for intrusion detection, and uses software-defined networking technology for defensive purposes. In addition, our system collects alerts from different nodes, and analyzes their correlation to generate security rules to achieve the effect of a joint defense. To make the administrator more effective in management purposes, we also provide a web-based management center to reduce the burden on administrators. Finally, we analyze the performance of the proposed system with an original system. The results show that our system adds slightly overhead, and it can effectively block the malicious flow.

Fei Yu,Qiang Wei,Yangyang Geng,Yunchao Wang

DOI: https://doi.org/10.1109/imcec51613.2021.9482240

2021-06-18

Abstract:Industrial network boundary protection equipment faces threats from attackers when protecting the industrial control system network. The similarity and static characteristics caused by large-scale and long-term deployment determine that it could only defend against known attacks but could not deal with unknown APT threats, which leads to the breakthrough of one defense line is equivalent to the breakthrough of all defense lines and may bring challenges to industrial production safety. This paper proposes a mimic defense model of industrial isolation gateway based on endogenous security. With the dynamic scheduling mechanism to transform the attack surface, the gateway selects multiple heterogeneous filter executors to process the same packet simultaneously. By comparing the processing results of each executor, anomaly detection is carried out to realize the dynamic defense of the industrial isolation gateway. The experimental results show that the industrial isolation gateway based on mimic architecture can significantly increase the difficulty of backdoor utilization, such as paralysis, rule tampering, and information theft, and effectively defend the industrial control system from the threats caused by the backdoors and vulnerabilities of the isolation gateway while exerting the normal boundary protection function.

Hao YIN,Dongchao GUO,Yongqiang LYU,Peng YANG,Zhiwei ZHAO,Yaoxue ZHANG

DOI: https://doi.org/10.1360/n112017-00171

2019-01-01

Abstract:Cyberspace security is vital to state interest. Recently, there are some challenges in cyber security. In architecture for instance, although protection mechanisms are introduced and applied everywhere, the modern network architecture (well connected and open) still has difficulty in completely ensuring cyber security. It is also observed that contemporary cyber security protection mechanism highly depends on the priori information of security threats and thus will hardly address unknown potential threats. In this paper, a novel cyberspace security protection framework is proposed. A dual-structural Internet scheme that integrates the current Internet architecture with a redundant secondary structure network characterized by its broad-storage scheme, heterogeneous structure, and dynamic protection mechanism is introduced. Also, a novel active defense mechanism that is knowledge-data driven and thus independent of the priori information of the security threat is proposed. Furthermore, some key techniques such as transparent access and prepositive active defense are introduced. The theoretical and technical work proposed in this paper offers a comprehensively evolutionary solution to constructing a cyberspace in which the protection mechanism is more independent and active.

Zhen Chen,Fa-Chao Deng,An-An Luo,Xin Jiang,Guo-Dong Li,Run-hua Zhang,Chuang Lin

DOI: https://doi.org/10.1109/wcins.2010.5541863

2010-01-01

Abstract:Traditional NAC system in enterprise network is in coarse granularity (e.g. IP or MAC address) and lack of flexibility. Recently the demand in tight control of the enterprise network to defense the misuse and security issues become more and more urgent. Based on the TCG TNC standard, an application level network access control mechanism is proposed and implemented. With TNC client/server model in hand, a client is designed to enhance TNC client with the function of host flow controller (HFC), and intercepts each application network access request(ANAR) and transfer it to PDP server to authorize the access request. When a sensor (i.e. intrusion detection system) detects any malicious traffic, host flow controller and network flow controller can identify the application that origins this traffic by querying Metadata Access Point (MAP) server and block this application's network access. A prototype system is implemented to demonstrate the design and can be used to defense the anomaly network behaviors. The prototype system demonstrates that the hosts, switches, firewalls and IDS can work together to detect, diagnose and protect enterprise network from the malicious applications attack initiated inside or outside of an enterprise network, quarantine unhealthy hosts and make the enterprise network more reliable and trustworthy.

Zhanjun Li,Bo Hu,Tianqi Lu,Yuxi Wei,Qingqi Zhao,Zhiyuan Duan

DOI: https://doi.org/10.1088/1755-1315/675/1/012156

2021-02-01

IOP Conference Series: Earth and Environmental Science

Abstract:Abstract In this paper, an information-physical risk prevention and control framework based on intrusion tolerance technology is proposed, which is a multi-stage in-depth defense system for the risk interaction mechanism and evolution process in the power information-physical fusion system, the aim of this paper is to improve the survivability of the system under attack and minimize the loss caused by the risk through multi-phase defense strategy. At the same time, according to the phase characteristics of risk propagation in CPS, a safe operation state transition model considering intrusion tolerance is established. In order to contain the critical failure events in the risk evolution process of the information-physics fusion system, according to the risk development characteristics of the information-physics system under attack, this paper presents a self-organized critical state identification method, which integrates the characteristics of physical network power flow and information network traffic flow, in order to identify the critical nides that make CPS system enter the self-organized critical state under network attack. Finally, according to the characteristics of CPS dependent network structure and the self-organized critical characteristics of risk evolution, the protection strategies of strengthening the protection of key nodes, adjusting the coupling state of dependent edges and adding autonomous nodes are formulated, by considering the decision-making model of risk prevention and control strategy in the game of attack and defense, the current defense resources are reasonably allocated.

WU Qing-tao,SHAO Zhi-qing

DOI: https://doi.org/10.3969/j.issn.1001-3695.2005.12.004

2005-01-01

Abstract:Intrusion detection,as one of the most active and important network security technology,can compensate the shortcomings of traditional security protection measure.Through building dynamic security cycle,it can promote the protection capacity of system and reduce the security threats as great as possible. An overview of basic issues on intrusion detection is shown in this paper,which is involved with three main aspects of intrusion detection,including Intrusion Detection System(IDS) architecture,intrusion detection methods and IDS evaluation.Firstly,three kinds of IDS architectures are analyzed.Then,current intrusion detection models are given,and their merits or shortcomings are discussed in detail.Finally,some future promi￣sing directions are presented.

Jianping Zeng,Donghui Guo

DOI: https://doi.org/10.5220/0002516401760181

2005-01-01

Abstract:More and more application services are provided and distributed over the Internet for public access. However, the security of distributed application severs is becoming a serious problem due to many possible attacks, such as deny of service, illegal intrusion, etc. Because of weakness of the firewall systems in ensuring security, intrusion detection system (IDS) becomes popular. Now, many kinds of IDS systems are available for serving in the Internet distributed system, but these systems mainly concentrate on networkbased and host-based detection. It is inconvenience to integrate these systems to distributed application servers for application-based intrusion detection. An agent-based IDS that can be smoothly integrated into applications of enterprise information systems is proposed in this paper. We will introduce its system architecture, agent structure, integration mechanism, and etc. In such an IDS system, there are three kinds of agents, i.e. client agent, server agent and communication agent. This paper is also to explain how to integrate agents with access control model for getting better security performance. By introducing standard protocol such as KQML, IDMEF into the design of agent, our agent-based IDS shows much more flexible for built in different kinds of software application system.

Jian Ding,Chunyi Lu,Bo Li

DOI: https://doi.org/10.1007/s11265-022-01741-y

2022-03-08

Journal of Signal Processing Systems

Abstract:Power systems are playing an unsubstitutable role in industrial production and inhabitant life. With the deepening of integration process over industrialization and informatization in the field of power systems, an increasing number of industrial control devices (e.g., PLC, SCADA) are exposing in the Internet, which are attracting more and more attention from attackers and malicious communities as the great values. It is crucial for organizations to monitor and evaluate the security situation of power systems. In this paper, we propose a data-driven based security situation awareness towards power systems, which can monitor and evaluate the security situations in power systems and send warnings to organizations when the system encounters suspicious threats. Specifically, the proposed framework continuously collects public data related to electric safety and scan for the power control devices exposed on the Internet to grasp the security landscape of power systems around the world. We then deploy an extensible honeypot system in the real environment to real-time perceive the internal security situation of power systems. Finally, we leverage a graph structure to fuse the cyber threats inside and outside the power system for capturing a comprehensive security awareness of power systems. Experimental results show that our framework can detect system threats in real time and protect it from penetration and intrusion effectively.

Hui Yuan,Lei Zheng,Shuang Qiu,Xiangli Peng,Yuan Liang,Yaodong Hu,Guoru Deng

DOI: https://doi.org/10.1007/978-3-030-15235-2_142

2019-04-25

Abstract:With the rapid development of the network, in recent years, the Internet has greatly improved people’s lives, and the real-time, sharing and distance-removing characteristics of network information transmission have made the operation and management of enterprises more efficient and coordinated. The basis of refinement. At the same time, various network security incidents have followed, such as hacker attacks on computer network systems, and various types of viruses, Trojans and other active attacks emerge one after another. In this regard, this paper analyzes the enterprise network security system of firewall from the perspective of enterprise network security, briefly summarizes the background, advantages and disadvantages of firewall technology, and designs and implements a client software according to the actual needs of users. The network performs real-time intelligent security monitoring. After the system design is completed, the security is tested by building a simulation platform, including qualitative testing and quantitative testing, which are divided into security and performance to verify whether the system can achieve and guarantee performance.