An intelligent cyber security system against DDoS attacks in SIP networks
Intelligent network security system for protecting SIP networks against distributed denial-of-service attacks
Computer Networks, Volume 136, 8 May 2018, Pages 137-154
Murat Semerci, Ali Taylan Cemgil, Bülent Sankur
Abstract: Distributed Denial of Service (DDoS) attacks are among the most frequently encountered cybercriminal activities in communication networks and can result in considerable financial and reputational losses for corporations or governmental organizations. Therefore, autonomous detection of a DDoS attack and identification of its sources is essential for taking counter-measures. This study proposes an intelligent security system against DDoS attacks in communication networks that is composed of two components: a monitor for detection of DDoS attacks and a discriminator for detection of users in the system with malicious intent. A novel adaptive real-time change-point model that tracks the changes in Mahalanobis distances between sampled feature vectors in the monitored system accounts for possible DDoS attacks. A clustering model that runs over the similarity scores of behavioral patterns between the users is used to segregate the malicious from the innocent. The proposed model is deployed over a simulated telephone network that uses a Session Initiation Protocol (SIP) server. The performance of the models is evaluated on data generated by this high-throughput simulation environment.
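The monitor component described above tracks how far each sampled traffic feature vector drifts from a learned baseline, measured as a Mahalanobis distance, and raises an alarm when the drift persists. The block below is an added illustration of that idea, not code from the paper: it fits a mean and covariance on per-second SIP feature vectors (INVITE rate, REGISTER rate, distinct source IPs are assumed feature names), runs a CUSUM over the squared Mahalanobis distances, and adapts the baseline with exponential forgetting while no alarm is active. The sample traffic, the flood values and all tuning constants are constructed for the example; the paper's own feature set and change-point statistic are not reproduced here.

```python
# Added example (not from the paper): an adaptive change-point monitor over
# Mahalanobis distances of per-second SIP traffic feature vectors. Feature
# names, sample values and tuning constants are assumptions for illustration.


def invert(matrix):
    """Gauss-Jordan inverse of a small square matrix (pure Python, no numpy)."""
    n = len(matrix)
    aug = [row[:] + [1.0 if i == j else 0.0 for j in range(n)]
           for i, row in enumerate(matrix)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            raise ValueError("singular covariance matrix")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0.0:
                f = aug[r][col]
                aug[r] = [rv - f * cv for rv, cv in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


class MahalanobisChangePoint:
    """CUSUM over squared Mahalanobis distances with an adaptive baseline.

    For a stationary baseline the expected squared distance of a d-dimensional
    sample is about d, so the CUSUM drifts down by `slack` per sample and only
    accumulates when traffic leaves the learned envelope. The baseline (mean
    and covariance) is updated with exponential forgetting while no alarm is
    active and frozen during an alarm, so an ongoing flood cannot teach the
    monitor that the flood is normal.
    """

    def __init__(self, baseline, slack=1.0, threshold=20.0, alpha=0.05, ridge=1e-3):
        n, d = len(baseline), len(baseline[0])
        self.d, self.slack, self.threshold = d, slack, threshold
        self.alpha, self.ridge = alpha, ridge
        self.mean = [sum(x[i] for x in baseline) / n for i in range(d)]
        # Sample covariance plus a small ridge so the inverse always exists.
        self.cov = [[sum((x[i] - self.mean[i]) * (x[j] - self.mean[j])
                         for x in baseline) / (n - 1) + (ridge if i == j else 0.0)
                     for j in range(d)] for i in range(d)]
        self.inv = invert(self.cov)
        self.cusum = 0.0
        self.in_alarm = False

    def distance2(self, x):
        """Squared Mahalanobis distance of x from the current baseline."""
        diff = [xi - mi for xi, mi in zip(x, self.mean)]
        return sum(diff[i] * self.inv[i][j] * diff[j]
                   for i in range(self.d) for j in range(self.d))

    def update(self, x):
        """Feed one feature vector; return True while the monitor is in alarm."""
        d2 = self.distance2(x)
        self.cusum = max(0.0, self.cusum + d2 - (self.d + self.slack))
        self.in_alarm = self.cusum > self.threshold
        if not self.in_alarm:
            a = self.alpha
            diff = [xi - mi for xi, mi in zip(x, self.mean)]
            self.mean = [(1 - a) * mi + a * xi for xi, mi in zip(x, self.mean)]
            self.cov = [[(1 - a) * self.cov[i][j] + a * diff[i] * diff[j]
                         + (a * self.ridge if i == j else 0.0)
                         for j in range(self.d)] for i in range(self.d)]
            self.inv = invert(self.cov)
        return self.in_alarm


# Constructed per-second feature vectors: (INVITE/s, REGISTER/s, distinct source IPs).
NORMAL_CYCLE = [(10, 5, 8), (12, 6, 9), (11, 4, 7), (13, 5, 10), (9, 7, 8)]
FLOOD = [(400, 6, 300), (420, 5, 310), (415, 6, 305), (430, 7, 320), (410, 5, 300)]


def run_demo():
    """Train on 20 s of normal traffic, then monitor 5 s normal + 5 s INVITE flood."""
    monitor = MahalanobisChangePoint(NORMAL_CYCLE * 4)
    return [monitor.update(x) for x in NORMAL_CYCLE + FLOOD]


if __name__ == "__main__":
    for second, alarm in enumerate(run_demo(), start=1):
        print(f"t={second:2d}s  {'ALARM' if alarm else 'ok'}")
```

The slack and threshold trade detection delay against false alarms; freezing the baseline during an alarm is the part practitioners most often omit, and without it a long-running flood becomes the new normal within a few forgetting windows.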
Data collection for attack detection and security measurement in Mobile Ad Hoc Networks: A survey
Survey of data collection for attack detection and security measurement in mobile ad hoc networks
Journal of Network and Computer Applications, Volume 105, 1 March 2018, Pages 105-122
Gao Liu, Zheng Yan, Witold Pedrycz
Abstract: Mobile Ad Hoc Networks (MANETs) are becoming a major type of next-generation wireless network. Nevertheless, a MANET easily suffers from various attacks due to its specific characteristics. In order to evaluate and measure the security of a MANET in real time and make the network react accordingly, a promising alternative is to integrate detection mechanisms that act as a second line of defense to detect attacks in MANETs. We note that in most attack detection mechanisms it is essential to collect security-related data for further analysis. If security-related data collection is untrustworthy, attack detection and security measurement might be impaired or disabled. Unfortunately, few existing studies concern security-related data collection in attack detection for the purpose of trustworthy security measurement. The literature lacks a thorough survey on security-related data collection for attack detection and security measurement in MANETs. In this paper, we propose a number of requirements for trustworthy security-related data collection, and then review detection mechanisms in MANETs published in the last 20 years. In particular, we employ the proposed requirements as a set of criteria to evaluate the existing work on security-related data collection. Based on the survey and evaluation, we identify a number of open issues and point out future research directions.
OpCloudSec: Open cloud software defined wireless network security for the Internet of Things
OpCloudSec: open cloud software-defined wireless network security for the Internet of Things
Computer Communications, Volume 122, June 2018, Pages 1-8
Pradip Kumar Sharma, Saurabh Singh, Jong Hyuk Park
Abstract: Cutting-edge cloud frameworks will require a paradigm shift with regard to how they are built and managed. Traditional management and control platforms face significant challenges in terms of security, reliability, and flexibility that these cutting-edge frameworks must deal with. At the same time, Distributed Denial of Service (DDoS) attacks have become a weapon of choice for cyber-terrorists, cyber-extortionists, and hackers. Recently, the simplicity of programmability in Software-Defined Networking (SDN) has made it a good platform for the implementation of various initiatives that include decentralized network management, dynamic topology changes, and application deployment in a multi-tenant data center environment. Motivated by the capabilities of SDN, we propose a mitigation architecture for security attacks that incorporates a highly programmable monitoring network so as to make it possible to identify attacks. It has a flexible control structure to quickly define the reaction to attacks on a particular side, and we show how SDN can be used as a key application in the cloud IoT. We evaluated the performance of our proposed architecture and compared it with existing models to obtain various performance measures. The results of our evaluation show that our OpCloudSec architecture model can efficiently and effectively meet the security challenges created by the new network paradigm.
Blurring the boundaries between networking and IT security
The convergence of networking and IT security
Network Security, Volume 2018, Issue 1, January 2018, Pages 11-13
Dave Nicholson
Abstract: Networking and security used to be largely separate IT methodologies. They were even built separately. Traditionally, networks were constructed on standard building blocks (switches, routers etc.) and security solutions such as perimeter firewalls, intrusion prevention systems and the like were applied afterwards. As such, they could be treated as separate domains of the business. That's not the case today. There is now a huge overlap between the two areas. It is becoming common to think about the network itself as a security enforcement platform, and these two elements of modern technology systems are becoming inextricably entwined. This development will be overwhelmingly positive both for solutions providers and their end customers, says Dave Nicholson of Axial Systems.
Survey on security in intra-body area network communication
Survey of security in intra-body area network communication
Ad Hoc Networks, Volume 70, 1 March 2018, Pages 23-43
Marko Kompara, Marko Hölbl
Abstract: With the advances in microelectronics, embedded computing, and wireless communications, the interest in Body Sensor Networks has risen sharply and has enabled the development and implementation of such networks. A Body Sensor Network is constructed from sensor nodes distributed in and on the user's body. The nodes form a wireless network that collects physiological data and forwards it on. This sort of network has wide application prospects in the future of healthcare. The collected data is highly private and must, therefore, be protected adequately. The security mechanisms usually deployed depend heavily on the key agreement scheme. Because of the reliability requirements, energy efficiency, and hardware constraints, building a key agreement scheme for a Body Sensor Network can be quite a challenge. This paper presents a state-of-the-art overview of security in Body Sensor Networks, focusing on proposed key agreement schemes, the ways they are built, and the methods used to evaluate their security and performance. Results show that the community is very much split between traditional key agreement schemes and schemes that take advantage of physiological or other signals to exchange a key. Security analysis is rarely performed with formal methods; instead, descriptive analysis is commonplace. There are no standards or guidelines on measuring a scheme's efficiency. Authors have therefore used different methods and, consequently, schemes can be difficult to compare.
Game Theoretical Security Detection Strategy for Networked Systems
Game-theoretic security detection strategy for networked systems
Information Sciences, In press, accepted manuscript, Available online 18 April 2018
Hao Wu, Wei Wang, Changyun Wen, Zhengguo Li
Abstract: In this paper, a game-theoretic analysis method is presented to provide the optimal security detection strategies for heterogeneous networked systems. A two-stage game model is first established, in which the attacker and defender are considered as two players. In the first stage, the two players decide whether to execute the attack/monitoring actions or to remain silent for each network unit. In the second stage, two important strategic variables, i.e. the attack intensity and the detection threshold, are carefully determined. The necessary and sufficient conditions that ensure the existence of Nash equilibria for the game with complete information are rigorously analyzed. The results show that with limited resources and capacities, the defender (attacker) tends to perform defense (attack) actions and further allocate more defense (less attack) resources to the units with larger assets. Besides, Bayesian and robust Nash equilibrium analysis is provided for the game with incomplete information. Finally, a sampling-based Nash equilibrium verification and calculation approach is proposed for the game model with continuous kernels. Thus the convexity restrictions can be relaxed and the computational complexity is effectively reduced, compared with the existing recursive calculation methods. Numerical examples are given to validate our theoretical results.
Security against passive attacks on network coding system – A survey
Survey of defences against passive attacks on network coding systems
Computer Networks, Volume 138, 19 June 2018, Pages 57-76
Yantao Liu, Yasser Morgan
Abstract: Network coding is a progressive information dissemination technology for network communications. Since its emergence at the turn of the millennium, network coding has found more and more applications. In this survey article, we present a comprehensive review of the research on secure network coding against passive attacks. Studies in this area address problems such as: "If an eavesdropper can wiretap a few packets from a network coding system, how should the system be designed to protect useful information from being divulged?" According to protection strength, we establish a security hierarchy with four grades for network coding systems. For each grade, we collect and investigate existing schemes extensively. The essence of each scheme is expounded, such as key ideas, encryptions, or precoding matrix constructions. In particular, the difficulty of cryptanalysis is emphasized. Moreover, advantages and disadvantages are evaluated and compared between these schemes. Besides single-source networks, studies on theoretical possibilities and practical techniques for multi-source networks are covered. Countermeasures against traffic analysis attacks are included. Finally, we suggest several open problems and promising methods for future study.
Attacker-Manager Game Tree (AMGT): A new framework for visualizing and analysing the interactions between attacker and network security manager
Attacker-Manager Game Tree: a framework for visualizing and analysing the "interactions" between an attacker and a network security manager
Computer Networks, Volume 133, 14 March 2018, Pages 42-58
Abbas Arghavani, Mahdi Arghavani, Mahmood Ahmadi, Paul Crane
Abstract: The number of security threats has risen sharply in recent years. This increasing trend has encouraged researchers to develop new security models in order to analyse the vulnerability of their systems, evaluate attack and defence mechanisms, and find the optimal security solutions. The Attack Tree (AT) is the best-known security model that graphically describes the potential attack scenarios. However, it does not consider defence solutions. Hence, the Defence Tree (DT) was designed to graphically show the security solutions that protect the system. In this paper, we first propose a new game-theory-based graphical security model, the Attacker-Manager Game Tree (AMGT), to consolidate all attack and defence scenarios in one model. Using this model it is easier to analyse the interactions between an attacker and a security manager. Moreover, the proposed AMGT is a comprehensive educational model for system security that helps the security manager explain the system flaws and potential risks to higher-level managers. Although finding the optimal security solutions has been considered in previous studies, different definitions of optimality make finding the best solution difficult. In the rest of this paper, we consider different definitions of the optimal security solution. Afterward, the MiniMax rule is redefined to help the security manager extract the best security solutions using AMGT, based on the definition of optimality dictated by the system requirements.
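The abstract's central point is that "optimal" defence depends on the definition of optimality, and that a MiniMax-style rule over the attacker-manager tree extracts the best defence once that definition is fixed. The block below is an added illustration of that point, not the paper's AMGT model or its redefined MiniMax: a two-level tree in which the manager picks a defence, the attacker replies with an attack, and each leaf carries the manager's total loss (defence cost plus asset damage). The same solver is run under two criteria, worst-case loss and expected loss against assumed attack likelihoods, and the two criteria pick different defences. All assets, defences, attacks, costs and probabilities are constructed for the example.

```python
# Added example (not from the paper): MiniMax over a small attacker-manager
# game tree under two notions of optimality. Every defence, attack, cost and
# probability below is an assumed toy value.

# Manager's options and their deployment cost (assumed).
DEFENCE_COST = {"none": 0, "patch web": 20, "awareness training": 10, "both": 30}
# Attacker's options with the likelihood the manager assigns to each (assumed).
ATTACK_PROB = {"exploit web": 0.1, "phish": 0.9}


def damage(defence, attack):
    """Asset loss for a (defence, attack) pair; assumed toy values."""
    if attack == "exploit web":
        return 0 if defence in ("patch web", "both") else 100
    if attack == "phish":
        return 5 if defence in ("awareness training", "both") else 30
    raise ValueError(f"unknown attack {attack!r}")


def build_tree():
    """Manager moves first (choose defence); attacker replies (choose attack).

    Leaves hold the manager's total loss: defence cost plus resulting damage.
    """
    return {
        "player": "manager",
        "children": {
            d: {
                "player": "attacker",
                "children": {a: {"loss": DEFENCE_COST[d] + damage(d, a)}
                             for a in ATTACK_PROB},
            }
            for d in DEFENCE_COST
        },
    }


def worst_case(branches):
    """Optimality = minimise the loss a rational adversary can force (classic MiniMax)."""
    return max(branches.values())


def expected_loss(branches):
    """Optimality = minimise expected loss under the assumed attack likelihoods."""
    return sum(ATTACK_PROB[a] * v for a, v in branches.items())


def solve(node, attacker_rule):
    """Return (best manager choice, manager's loss) under the given optimality rule.

    Manager nodes always take the minimum over their children; how the
    attacker's branches are aggregated is the pluggable definition of optimality.
    """
    if "loss" in node:
        return None, node["loss"]
    values = {label: solve(child, attacker_rule)[1]
              for label, child in node["children"].items()}
    if node["player"] == "manager":
        best = min(values, key=values.get)
        return best, values[best]
    return None, attacker_rule(values)


if __name__ == "__main__":
    tree = build_tree()
    for name, rule in (("worst-case", worst_case), ("expected", expected_loss)):
        choice, loss = solve(tree, rule)
        print(f"{name:10s} -> defence {choice!r}, manager loss {loss:.1f}")
```

Under the worst-case rule the manager pays for both defences because the attacker is assumed to choose whichever attack hurts most; under the expected-loss rule the rarely used web exploit is not worth patching and awareness training alone wins. Changing the criterion, not the tree, changes the answer, which is the point the abstract makes.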