Sheng Hong,Ziyun Yu,Xinhao Zou,Hongwei Yin,Yuchen Xiao,Wenhao Wang

DOI: https://doi.org/10.1109/icfeict59519.2023.00080

2023-01-01

Abstract:With the rapid progress and development in fields such as cloud computing, Internet of Things, and mobile offices, the traditional fortress-style network architecture has exposed many problems. In response to the increasingly severe network security situation, zero-trust security proposes a new network architecture based on the idea of “continuous verification, never trust”. The zero-trust network architecture can effectively reduce traditional network security threats and better protect network systems and sensitive resources. Based on the zero-trust security concept, this article proposed a new access control model based on trust and attributes, introduced the mechanisms and algorithms of the access control model, and designed a zero-trust simulation platform for testing. This model can determine whether to allow the request based on the trust value and relevant security attributes of the access request, which greatly improves the security of the network system and reduces security risks from internal and external sources.

Yuanhang He,Daochao Huang,Lei Chen,Yi Ni,Xiangjie Ma

DOI: https://doi.org/10.1155/2022/6476274

2022-06-16

Wireless Communications and Mobile Computing

Abstract:The traditional perimeter-based network protection model cannot adapt to the development of current technology. Zero trust is a new type of network security model, which is based on the concept of never trust and always verify. Whether the access subject is in the internal network or the external network, it needs to be authenticated to access resources. The zero trust model has received extensive attention in research and practice because it can meet the new network security requirements. However, the application of zero trust is still in its infancy, and enterprises, organizations, and individuals are not fully aware of the advantages and disadvantages of zero trust, which greatly hinders the application of zero trust. This paper introduces the existing zero trust architecture and analyzes the core technologies including identity authentication, access control, and trust assessment, which are mainly relied on in the zero trust architecture. The main solutions under each technology are compared and analyzed to summarize the advantages and disadvantages, as well as the current challenges and future research trends. Our goal is to provide support for the research and application of future zero trust architectures.

computer science, information systems,telecommunications,engineering, electrical & electronic

Mengru Tsai,Shanhsin Lee,Shiuhpyng Winston Shieh

DOI: https://doi.org/10.1109/tr.2023.3345665

IF: 5.883

2024-03-09

IEEE Transactions on Reliability

Abstract:In recent years, due to the impact of the COVID-19 pandemic, enterprises have been forced to adapt their operation patterns to ensure resilience, transitioning from traditional office-based work to remote work from home. However, this sudden and unforeseen change has made enterprises unprepared, resulting in a dramatic increase in cybersecurity threats. The most significant challenge arises from the adjustment from working in previously trusted areas to that beyond the boundaries of protection. While employees used to work within the company's defense perimeter, malicious attacks were blocked and detected by boundary security gateways. Shifting to remote work moves employees out of the protective environment, thereby their devices connecting to the internal resources of a company become exploitable targets for threat actors, and weaknesses in the internal authentication, authorization, and access control mechanisms become evident. The zero trust architecture (ZTA) approach is primarily focused on resource protection. When users or services attempt to access resources, ZTA requires precise authentication, minimal authorization, and continuous verification (trust inference) to ensure legitimacy and authorization of the resource usage, eliminating any space for assumed or inherited trust. In this article, we will address the challenges in handling the threats and propose the strategies, implementation, and limitation of ZTA, aiming to shed light on its effectiveness and applicability in mitigating cybersecurity risks.

engineering, electrical & electronic,computer science, software engineering, hardware & architecture

Wentao Jing,Linning Peng,Hua Fu,Aiqun Hu

DOI: https://doi.org/10.1109/jiot.2024.3385989

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:With the development of Internet of Things (IoT) and cloud networks, the security of edge networks, borderless networks, and obscure networks are essential, so there are many security problems that need to be tackled, including over-trust in trust areas and security only based on security boundaries in traditional security architecture. According to characters of zero trust security architectures and integrative trust model (ITM), the zero trust architectures (ZTAs) better adapt to handle these security problems compared to the ITM for the IoT networks. Meanwhile, the radio frequency fingerprint (RFF) identification keeps high accuracy and high stability with researchers' investigation, which makes RFF authentication feasible. Therefore, we propose a mechanism that combines the RFF authentication technique and ZTA to improve security in IOT networks, including edge networks, borderless networks, and obscure networks. The method resolves the difficulty of over-reliance on a trustable center or trust chain, and the method is suitable for borderless networks and obscure networks. Besides, this method resists data leakage, counterfeit attack and rouge access point (AP) attack with RFF authentication, and it can reduce the risk caused by compromised devices with zero trust concepts. With the analysis in this article, the proposed method keeps high-level security and performance that method effectively against spoofing identity, tampering, and information disclosure. The authentication accuracy of the method has reached 99%, and the authentication owns robustness in time cost and collision-resistant.

Kehe Wu,Jin Shi,Zhimin Guo,Zheng Zhang,Junfei Cai

DOI: https://doi.org/10.1109/iccea53728.2021.00023

2021-01-01

Abstract:In order to guarantee the normal operation of the power Internet of things devices, the zero-trust idea was used for studying the security protection strategies of devices from four aspects: user authentication, equipment trust, application integrity and flow baselines. Firstly, device trust is constructed based on device portrait; then, verification of device application integrity based on MD5 message digest algorithm to achieve device application trustworthiness. Next, the terminal network traffic baselines are mined from OpenFlow, a southbound protocol in SDN. Finally, according to the dynamic user trust degree attribute access control model, the comprehensive user trust degree was obtained by weighting the direct trust degree. It obtained from user authentication and the trust degree of user access to terminal communication traffic. And according to the comprehensive trust degree, users are assigned the minimum authority to access the terminal to realize the security protection of the terminal. According to the comprehensive trust degree, the minimum permissions for users to access the terminal were assigned to achieve the security protection of the terminal. The research shows that the zero-trust mechanism is applied to the terminal security protection of power Internet of Things, which can improve the reliability of the safe operation of terminal equipment.

Xian Guo,Hongbo Xian,Tao Feng,Yongbo Jiang,Di Zhang,Junli Fang

DOI: https://doi.org/10.7717/peerj-cs.1674

2023-11-17

Abstract:Software-defined networking (SDN) faces many of the same security threats as traditional networks. The separation of the SDN control plane and data plane makes the controller more vulnerable to cyber attacks. The conventional "perimeter defense" network security model cannot prevent lateral movement attacks caused by malicious insider users or hardware and software vulnerabilities. The "zero trust architecture" has become a new security network model to protect enterprise network security. In this article, we propose an intelligent zero-trust security framework IZTSDN for the software-defined networking by integrating deep learning and zero-trust architecture, which adopts zero-trust architecture to protect every resource and network connection in the network. IZTSDN uses a traffic anomaly detection mode CALSeq2Seql based on a deep learning algorithm to analyze users' network behavior in real-time and achieve continuous tracking and analysis of users, restrict malicious users from accessing network resources, and realize the dynamic authorization process. Finally, the Mininet simulation platform is extended to build the simulation platform MiniIZTA supporting zero-trust architecture and the proposed security framework IZTSDN is experimentally analyzed. The experimental results show that the IZTSDN security framework can provide about 80.5% of throughput when the network is attacked. The accuracy of abnormal traffic detection reaches 99.56% on the SDN dataset, which verifies that the reliability and availability of the IZTSDN security framework are verified.

Ashfaq Ahmed,Abdulhadi Shoufan,Kais Belwafi

DOI: https://doi.org/10.1109/access.2023.3285630

IF: 3.9

2023-01-01

IEEE Access

Abstract:The semiconductor supply chain is vulnerable to multiple security attacks, such as hardware Trojan injection, intellectual property theft, and overproduction. The notion of zero-trust (ZT)– never trust, always verify– offers a promising opportunity for chip security by authenticating integrated circuits (ICs) when they are connected to critical computing systems. Before exchanging any data, the system establishes trust with the chip using industry security protocols. In this paper, we propose using the secure protocol and data model (SPDM) to establish chip-to-chip (C2C)- ZT communications. Furthermore, we present formal models for this solution and verify these models using state-of-the-art formal verification tools. The results show that the SPDM meets the requirements of the ZT architecture and can be used as a foundation for secure C2C interconnection.

computer science, information systems,telecommunications,engineering, electrical & electronic

Paschal C. Amusuo,Kyle A. Robinson,Tanmay Singla,Huiyun Peng,Aravind Machiry,Santiago Torres-Arias,Laurent Simon,James C. Davis

2024-12-20

Abstract:Third-party libraries like Log4j accelerate software application development but introduce substantial risk. Vulnerabilities in these libraries have led to Software Supply Chain (SSC) attacks that compromised resources within the host system. These attacks benefit from current application permissions approaches: thirdparty libraries are implicitly trusted in the application runtime. An application runtime designed with Zero-Trust Architecture (ZTA) principles secure access to resources, continuous monitoring, and least-privilege enforcement could mitigate SSC attacks, as it would give zero implicit trust to these libraries. However, no individual security defense incorporates these principles at a low runtime cost. This paper proposes Zero-Trust Dependencies to mitigate SSC vulnerabilities: we apply the NIST ZTA to software applications. First, we assess the expected effectiveness and configuration cost of Zero-Trust Dependencies using a study of third-party software libraries and their vulnerabilities. Then, we present a system design, ZTD$_{SYS}$, that enables the application of Zero-Trust Dependencies to software applications and a prototype, ZTD$_{JAVA}$, for Java applications. Finally, with evaluations on recreated vulnerabilities and realistic applications, we show that ZTD$_{JAVA}$ can defend against prevalent vulnerability classes, introduces negligible cost, and is easy to configure and use.

Cryptography and Security,Software Engineering

Han Zhang,Qian Wang,Xiaoli Zhang,Yi He,Bo Tang,Qi Li

DOI: https://doi.org/10.1109/mcom.001.2300390

IF: 9.03

2024-01-01

IEEE Communications Magazine

Abstract:Internet of things (IoT) networks allow cross-device interactions to achieve various intelligent applications, for example, smart homes and smart commercial spaces. However, cross-device interactions are often protected by inadequate authorization mechanisms, making them susceptible to various attacks, including connection-based attacks, application impersonation attacks, and so on. In this article, we propose a zero-trust IoT network architecture, OUTSIDE, designed to provide fine-grained authorization for IoT applications. It achieves the application-level authorization at the network layer by encoding the capability information of applications into verifiable tokens. Meanwhile, it enables a zero-trust service for per-packet verification, ensuring that every packet is sent by an authorized application with proper access privileges. Particularly, our architecture is versatile and compatible with various IoT protocols. We prototype and deploy OUTSIDE in Raspberry Pis and ESP32 microcontrollers running over the constrained application protocol (CoAP). The experimental results show that our architecture incurs negligible performance degradation.

Quan Shen,Yanming Shen

DOI: https://doi.org/10.1016/j.cose.2023.103537

IF: 5.105

2023-01-01

Computers & Security

Abstract:In the rapidly evolving field of information technology, network security, especially enterprise endpoint security, has emerged as a major challenge. This paper presents a comprehensive and interactive method for network access and user authentication utilizing a zero-trust framework. This method integrates key elements, including the Network Access (NA) Agent, Identity and Access Management (IAM) Agent, Policy Enforcement Point (PEP) Agent, and Situational Awareness (SA) Agent, to mitigate security risks associated with critical business information exposure and unauthorized network access. Leveraging a zero-trust approach, the method dynamically controls user permissions, thereby enhancing endpoint security. It also introduces an efficient solution that coexists with legacy infrastructures, balancing security necessities with user accessibility, and offering a unified solution for both internal corporate networks and the Internet. We present a thorough analysis of potential risks associated with this method and propose preventative measures to minimize these threats. We conclude that our method provides a more secure and efficient approach to enterprise network security compared to traditional static rule-based systems, offering a promising direction for future research and implementation.

Biao Zhang,Shuo Yang,Xinran Zheng,Xingjun Wang

DOI: https://doi.org/10.1109/wcnc57260.2024.10571244

2024-01-01

Abstract:Network technology developments are blurring the security boundary of the Internet of Things (IoT), making it difficult for traditional border-based security architectures to cope with endless internal attacks. The Zero Trust Architecture (ZTA), with its core concept of “Never Trust, Always Verify”, effectively addresses this problem. Continuous Authentication (CA) is an indispensable component of the zero trust IoT. However, existing CA protocols are impractical to deploy on zero trust IoT due to their dependence on specific properties and thirst for resources. Therefore, this paper proposes a continuous authentication protocol, namely STCA, that uses stacked tokens to ensure the legitimacy of entities during a whole session. Through the theoretical analysis and simulation results, STCA resists several common attacks. The comparison analysis indicates that STCA has a better performance compared with related CA protocols, thereby demonstrating it is more suitable for zero trust IoT.

Rui Chang,Liehui Jiang,Wenzhi Chen,Yaobin Xie,Zhongyong Lu

DOI: https://doi.org/10.23919/tst.2017.8030534

2017-01-01

Tsinghua Science & Technology

Abstract:The run-time security guarantee is a hotspot in current cyberspace security research, especially on embedded terminals, such as smart hardware as well as wearable and mobile devices. Typically, these devices use universal hardware and software to connect with public networks via the Internet, and are probably open to security threats from Trojan viruses and other malware. As a result, the security of sensitive personal data is threatened and economic interests in the industry are compromised. To address the run-time security problems efficiently, first, a TrustEnclave-based secure architecture is proposed, and the trusted execution environment is constructed by hardware isolation technology. Then the prototype system is implemented on real TrustZone-enabled hardware devices. Finally, both analytical and experimental evaluations are provided. The experimental results demonstrate the effectiveness and feasibility of the proposed security scheme.

Wei Ren,Ruoting Xiong,Yizhi Liu,G. Min,Tianqing Zhu,Xiaohan Hao,K. Choo

DOI: https://doi.org/10.1109/TC.2022.3157996

IF: 3.183

2023-02-01

IEEE Transactions on Computers

Abstract:Internet-of-Things (IoT) are increasingly operating in the zero-trust environments where any devices and systems may be compromised and hence untrusted. In addition, data collected by and sent from IoT devices may be shared with and processed by edge computing systems, in order to reduce the reliance on centralized (cloud) servers, leading to further security and privacy issues. To cope with these challenges, this paper proposes an innovative blockchain-enabled information sharing solution in zero-trust context to guarantee anonymity yet entity authentication, data privacy yet data trustworthiness, and participant stimulation yet fairness. This new solution is able to support filtering of fabricated information through smart contracts, effective voting, and consensus mechanisms, which can prevent unauthenticated participants from sharing garbage information. We also prove that the proposed solution is secure in the universal composability framework, and further evaluate its performance over an Ethereum-based blockchain platform to demonstrate its utility.

Computer Science,Engineering

Siwei Li,Hui Zhang,Hui Shi,Maode Ma,Cong Wang

DOI: https://doi.org/10.1007/s11227-024-06262-y

IF: 3.3

2024-06-04

The Journal of Supercomputing

Abstract:The distributed authentication of a large number of resource-constrained power terminal devices (PTDs) is crucial for ensuring the security of the power IoT communication. However, existing solutions are inadequate in terms of security (such as vulnerability to single point failures or insider attacks) and communication costs, which do not meet the requirements of the power IoT environment. Therefore, we propose a zero-trust-based mutual authentication scheme in cloud-edge-end collaboration power IoT environment based on blockchain technology. The proposed solution involves deploying a distributed multi-point zero-trust engine around dense PTDs to collect real-time identity information. Through the maintenance of an alliance blockchain, the edge server securely shares and traces identity information, preventing tampering and effectively blocking threats related to lost terminals during authentication. Additionally, a lightweight ECC key management scheme ensures the security of authentication information. The proposed scheme effectively defends against common attacks such as replay attacks and identity forgery attacks through informal security analysis, while its security is evaluated using the Canetti and Krawczyk (CK) adversary models. Performance evaluation results demonstrate that the proposed scheme achieves effectiveness without the compromising required security attributes, which obtains up to 58% improvement 58% improvement in computation delay and a 56.9% improvement in communication costs over previous state-of-the-art methods.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Yunfei Ge,Quanyan Zhu

2023-12-06

Abstract:The increased connectivity and potential insider threats make traditional network defense vulnerable. Instead of assuming that everything behind the security perimeter is safe, the zero-trust security model verifies every incoming request before granting access. This chapter draws attention to the cyber resilience within the zero-trust model. We introduce the evolution from traditional perimeter-based security to zero trust and discuss their difference. Two key elements of the zero-trust engine are trust evaluation (TE) and policy engine (PE). We introduce the design of the two components and discuss how their interplay would contribute to cyber resilience. Dynamic game theory and learning are applied as quantitative approaches to achieve automated zero-trust cyber resilience. Several case studies and implementations are introduced to illustrate the benefits of such a security model.

Cryptography and Security,Computer Science and Game Theory

ZHANG Min,LUO Guang-chun

DOI: https://doi.org/10.3969/j.issn.1001-0548.2007.06.012

2007-01-01

Abstract:The application security problem of Internet is far from being completely solved. In this paper, some basic concepts and critical issues in trustworthy computer network are first introduced. Then an architecture of trustworthy network, and host Identity Protocol as end system identity, is proposed to make sure communicate trustworthy.

Mukhtar Hussain,Shantanu Pal,Zahra Jadidi,Ernest Foo,Salil Kanhere

DOI: https://doi.org/10.1109/mwc.001.2300405

IF: 12.777

2024-04-12

IEEE Wireless Communications

Abstract:Cloud computing services have become ubiquitous, and currently, every organization uses some form of cloud computing service. Furthermore, even if an organization does not allow BYOD for work, employees will still bring their own devices to manage their personal communication while at work. Moreover, in this post COVID-19 era, working from home has become common. These new trends have diminished the previously known boundary between the enterprise-owned trusted network and untrusted outside networks. Therefore, a new cybersecurity paradigm is emerging that is referred to as zero trust architecture (ZTA). A ZTA protects an enterprise infrastructure based on the principles of never trusting and always verifying. The core component of ZTA is a Zero Trust (ZT) algorithm which ensures dynamic access control and continuous monitoring to establish never trusting and always verifying principles. This article provides a novel research direction based on federated artificial intelligence to develop a ZT algorithm.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Britta Hale,Ryan Arlitt,Nikolaos Papakonstantinou,Douglas Van Bossuyt

DOI: https://doi.org/10.1115/1.4062597

IF: 2.3

2023-05-23

Journal of Computing and Information Science in Engineering

Abstract:Abstract In an age of worsening global threat landscape and accelerating uncertainty, the design and manufacture of systems must increase resilience and robustness across both the system itself and the entire systems design process. We generally trust our colleagues after initial clearance/background checks; and systems to function as intended and within operating parameters after safety engineering review, verification, validation, and/or system qualification testing. This approach has led to increased insider threat impacts; thus we suggest moving to the “trust, but verify” approach embodied by the Zero-Trust paradigm. Zero-Trust is increasingly adopted for network security but has not seen wide adoption in systems design and operation. Achieving the goal of Zero-Trust throughout the systems lifecycle will help to ensure that no single bad actor -- whether human or machine learning / artificial intelligence (ML/AI) -- can induce failure anywhere in a system's lifecycle. Additionally, while ML/AI and their associated risks are already entrenched within the operations phase of many systems' lifecycles, ML/AI is gaining traction during the design phase. For example, generative design algorithms are increasingly popular but there is less understanding of potential risks. Adopting the Zero-Trust philosophy helps ensure robust and resilient design, manufacture, operations, maintenance, upgrade, and disposal of systems. We outline the rewards and challenges of implementing Zero-Trust and propose the Framework for Zero-Trust for the System Design Lifecycle. The paper highlights several areas of ongoing research with focus on high priority areas where the community should focus efforts.

engineering, manufacturing,computer science, interdisciplinary applications

Zhiqiang Wang,Xinyue Yu,Peiyang Xue,Yunhan Qu,Lei Ju

DOI: https://doi.org/10.3390/s23073774

2023-04-06

Abstract:With the rapid development of Internet of Things technology, cloud computing, and big data, the combination of medical systems and information technology has become increasingly close. However, the emergence of intelligent medical systems has brought a series of network security threats and hidden dangers, including data leakage and remote attacks, which can directly threaten patients' lives. To ensure the security of medical information systems and expand the application of zero trust in the medical field, we combined the medical system with the zero-trust security system to propose a zero-trust medical security system. In addition, in its dynamic access control module, based on the RBAC model and the calculation of user behavior risk value and trust, an access control model based on subject behavior evaluation under zero-trust conditions (ABEAC) was designed to improve the security of medical equipment and data. Finally, the feasibility of the system is verified through a simulation experiment.