Andrew Wangota,a 48-year-old Ugandan farmer,has been using agrivoltaics technology,a solar technology that uses agricultural land for both food production and solar power generation,on his farm in Bunashimolo Parish,B...Andrew Wangota,a 48-year-old Ugandan farmer,has been using agrivoltaics technology,a solar technology that uses agricultural land for both food production and solar power generation,on his farm in Bunashimolo Parish,Bukyiende Subcounty in Uganda where he has been cultivating plantain,coffee and Irish potatoes for the past 16 years.展开更多
The rapid digitalization of urban infrastructure has made smart cities increasingly vulnerable to sophisticated cyber threats.In the evolving landscape of cybersecurity,the efficacy of Intrusion Detection Systems(IDS)...The rapid digitalization of urban infrastructure has made smart cities increasingly vulnerable to sophisticated cyber threats.In the evolving landscape of cybersecurity,the efficacy of Intrusion Detection Systems(IDS)is increasingly measured by technical performance,operational usability,and adaptability.This study introduces and rigorously evaluates a Human-Computer Interaction(HCI)-Integrated IDS with the utilization of Convolutional Neural Network(CNN),CNN-Long Short Term Memory(LSTM),and Random Forest(RF)against both a Baseline Machine Learning(ML)and a Traditional IDS model,through an extensive experimental framework encompassing many performance metrics,including detection latency,accuracy,alert prioritization,classification errors,system throughput,usability,ROC-AUC,precision-recall,confusion matrix analysis,and statistical accuracy measures.Our findings consistently demonstrate the superiority of the HCI-Integrated approach utilizing three major datasets(CICIDS 2017,KDD Cup 1999,and UNSW-NB15).Experimental results indicate that the HCI-Integrated model outperforms its counterparts,achieving an AUC-ROC of 0.99,a precision of 0.93,and a recall of 0.96,while maintaining the lowest false positive rate(0.03)and the fastest detection time(~1.5 s).These findings validate the efficacy of incorporating HCI to enhance anomaly detection capabilities,improve responsiveness,and reduce alert fatigue in critical smart city applications.It achieves markedly lower detection times,higher accuracy across all threat categories,reduced false positive and false negative rates,and enhanced system throughput under concurrent load conditions.The HCIIntegrated IDS excels in alert contextualization and prioritization,offering more actionable insights while minimizing analyst fatigue.Usability feedback underscores increased analyst confidence and operational clarity,reinforcing the importance of user-centered design.These results collectively position the HCI-Integrated IDS as a highly effective,scalable,and human-aligned solution for modern threat detection environments.展开更多
Smart distribution grid needs data communication systems as a support to complete their important functions. The smart distribution grid of the data and information are increasingly adopting internet protocol and Ethe...Smart distribution grid needs data communication systems as a support to complete their important functions. The smart distribution grid of the data and information are increasingly adopting internet protocol and Ethernet technology. The IP addresses are more and more important for the smart distribution grid equipment. The current IPv4 protocol occupies a dominant position; therefore, the challenges of the evolution to IPv6 and network security are faced by data communication systems of the smart distribution grid. The importance of data communications network and its main bearer of business were described. The data communications network from IPv4 to IPv6 evolution of the five processes and four stages of the transition were analyzed. The smart distribution grid data communications network security and types of their offensive and defensive were discussed. And the data communications network security architecture was established. It covers three dimensions, the security level, the communications network security engineering and the communications network security management. The security architecture safeguards the evolution to IPv6 for the smart distribution grid data communication systems.展开更多
The concept of landscape architecture with eco-security was proposed,ecological security of landscape architecture in Yunnan was elaborated from 8 aspects,specifically as landform,typical climate,natural vegetation,bi...The concept of landscape architecture with eco-security was proposed,ecological security of landscape architecture in Yunnan was elaborated from 8 aspects,specifically as landform,typical climate,natural vegetation,biodiversity,transplantation of large-size trees,disaster-proof function,greening security,introduction of garden species.Moreover,countermeasures for maintaining the ecological security of landscape architecture in Yunnan Province were further put forward,① In view of local conditions,inheriting natural views of classical Chinese gardens,respecting all natural elements,② Rising higher requirements on the planning of garden green space system,③ Paying more attention to the integrated construction of green spaces in urban and rural areas,maintaining the wholeness of suburban ecosystem,④ Devoting more in developing seedling industry,culturing more large-size seedlings in original sites,⑤ Selecting right trees for right sites in constructing urban gardens.Eventually,it was proposed that gardens in Yunnan Province should be developed by combining with its outstanding ecological conditions,among which ecological security should be the focus of attention.展开更多
Security is a key problem for the development of Cloud Computing. A common service security architecture is a basic abstract to support security research work. The authorization ability in the service security faces m...Security is a key problem for the development of Cloud Computing. A common service security architecture is a basic abstract to support security research work. The authorization ability in the service security faces more complex and variable users and environment. Based on the multidimensional views, the service security architecture is described on three dimensions of service security requirement integrating security attributes and service layers. An attribute-based dynamic access control model is presented to detail the relationships among subjects, objects, roles, attributes, context and extra factors further. The model uses dynamic control policies to support the multiple roles and flexible authority. At last, access control and policies execution mechanism were studied as the implementation suggestion.展开更多
The fact that the security facilities within a system are closely coupled and the security facilities between systems are unconnected results in an isolated protection structure for systems, and gives rise to a seriou...The fact that the security facilities within a system are closely coupled and the security facilities between systems are unconnected results in an isolated protection structure for systems, and gives rise to a serious challenge to system security integrations and system controls. Also, the need for diversified services and flexible extensions of network security asks for more considerations and contribu?tions from the perspective of software engineering in the process of designing and constructing security systems. Based on the essence of the virtualization technique and the idea of software-defined networks, we in this paper propose a novel software-defi ned security architecture for systems. By abstracting the traditional security facilities and techniques, the proposed security architecture provides a new, simple, effective, and programmable framework in which security operations and security controls can be decoupled, and thereby reduces the software module sizes, decreases the intensity of software deve?lopments, and improves the security extensibility of systems.展开更多
Current SDN controllers suffer from a series of potential attacks. For example, malicious flow rules may lead to system disorder by introducing unexpected flow entries. In this paper, we propose Mcad-SA, an aware deci...Current SDN controllers suffer from a series of potential attacks. For example, malicious flow rules may lead to system disorder by introducing unexpected flow entries. In this paper, we propose Mcad-SA, an aware decision-making security architecture with multiple controllers, which could coordinate heterogeneous controllers internally as a "big" controller. This architecture includes an additional plane, the scheduling plane, which consists of transponder, sensor, decider and scheduler. Meanwhile it achieves the functions of communicating, supervising and scheduling between data and control plane. In this framework, we adopt the vote results from the majority of controllers to determine valid flow rules distributed to switches. Besides, an aware dynamic scheduling(ADS) mechanism is devised in scheduler to intensify security of Mcad-SA further. Combined with perception, ADS takes advantage of heterogeneity and redundancy of controllers to enable the control plane operate in a dynamic, reliable and unsteady state, which results in significant difficulty of probing systems and executing attacks. Simulation results demonstrate the proposed methods indicate better security resilience over traditional architectures as they have lower failure probability when facing attacks.展开更多
With the rapid development of cloud manufacturing technology and the new generation of artificial intelligence technology,the new cloud manufacturing system(NCMS)built on the connotation of cloud manufacturing 3.0 pre...With the rapid development of cloud manufacturing technology and the new generation of artificial intelligence technology,the new cloud manufacturing system(NCMS)built on the connotation of cloud manufacturing 3.0 presents a new business model of“Internet of everything,intelligent leading,data driving,shared services,cross-border integration,and universal innovation”.The network boundaries are becoming increasingly blurred,NCMS is facing security risks such as equipment unauthorized use,account theft,static and extensive access control policies,unauthorized access,supply chain attacks,sensitive data leaks,and industrial control vulnerability attacks.Traditional security architectures mainly use information security technology,which cannot meet the active security protection requirements of NCMS.In order to solve the above problems,this paper proposes an integrated cloud-edge-terminal security system architecture of NCMS.It adopts the zero trust concept and effectively integrates multiple security capabilities such as network,equipment,cloud computing environment,application,identity,and data.It adopts a new access control mode of“continuous verification+dynamic authorization”,classified access control mechanisms such as attribute-based access control,rolebased access control,policy-based access control,and a new data security protection system based on blockchain,achieving“trustworthy subject identity,controllable access behavior,and effective protection of subject and object resources”.This architecture provides an active security protection method for NCMS in the digital transformation of large enterprises,and can effectively enhance network security protection capabilities and cope with increasingly severe network security situations.展开更多
As the Internet of Things (IoT) is emerging as an attractive paradigm, a typical IoT architecture that U2IoT (Unit IoT and Ubiquitous IoT) model has been presented for the future IoT. Based on the U2IoT model, this pa...As the Internet of Things (IoT) is emerging as an attractive paradigm, a typical IoT architecture that U2IoT (Unit IoT and Ubiquitous IoT) model has been presented for the future IoT. Based on the U2IoT model, this paper proposes a cyber-physical-social based security architecture (IPM) to deal with Information, Physical, and Management security perspectives, and presents how the architectural abstractions support U2IoT model. In particular, 1) an information security model is established to describe the mapping relations among U2IoT, security layer, and security requirement, in which social layer and additional intelligence and compatibility properties are infused into IPM;2) physical security referring to the external context and inherent infrastructure are inspired by artificial immune algorithms;3) recommended security strategies are suggested for social management control. The proposed IPM combining the cyber world, physical world and human social provides constructive proposal towards the future IoT security and privacy protection.展开更多
As an important branch of information security algorithms,the efficient and flexible implementation of stream ciphers is vital.Existing implementation methods,such as FPGA,GPP and ASIC,provide a good support,but they ...As an important branch of information security algorithms,the efficient and flexible implementation of stream ciphers is vital.Existing implementation methods,such as FPGA,GPP and ASIC,provide a good support,but they could not achieve a better tradeoff between high speed processing and high flexibility.ASIC has fast processing speed,but its flexibility is poor,GPP has high flexibility,but the processing speed is slow,FPGA has high flexibility and processing speed,but the resource utilization is very low.This paper studies a stream cryptographic processor which can efficiently and flexibly implement a variety of stream cipher algorithms.By analyzing the structure model,processing characteristics and storage characteristics of stream ciphers,a reconfigurable stream cryptographic processor with special instructions based on VLIW is presented,which has separate/cluster storage structure and is oriented to stream cipher operations.The proposed instruction structure can effectively support stream cipher processing with multiple data bit widths,parallelism among stream cipher processing with different data bit widths,and parallelism among branch control and stream cipher processing with high instruction level parallelism;the designed separate/clustered special bit registers and general register heaps,key register heaps can satisfy cryptographic requirements.So the proposed processor not only flexibly accomplishes the combination of multiple basic stream cipher operations to finish stream cipher algorithms.It has been implemented with 0.18μm CMOS technology,the test results show that the frequency can reach 200 MHz,and power consumption is 310 mw.Ten kinds of stream ciphers were realized in the processor.The key stream generation throughput of Grain-80,W7,MICKEY,ACHTERBAHN and Shrink algorithm is 100 Mbps,66.67 Mbps,66.67 Mbps,50 Mbps and 800 Mbps,respectively.The test result shows that the processor presented can achieve good tradeoff between high performance and flexibility of stream ciphers.展开更多
Network Security Situation Awareness System YHSAS acquires,understands and displays the security factors which cause changes of network situation,and predicts the future development trend of these security factors.YHS...Network Security Situation Awareness System YHSAS acquires,understands and displays the security factors which cause changes of network situation,and predicts the future development trend of these security factors.YHSAS is developed for national backbone network,large network operators,large enterprises and other large-scale network.This paper describes its architecture and key technologies:Network Security Oriented Total Factor Information Collection and High-Dimensional Vector Space Analysis,Knowledge Representation and Management of Super Large-Scale Network Security,Multi-Level,Multi-Granularity and Multi-Dimensional Network Security Index Construction Method,Multi-Mode and Multi-Granularity Network Security Situation Prediction Technology,and so on.The performance tests show that YHSAS has high real-time performance and accuracy in security situation analysis and trend prediction.The system meets the demands of analysis and prediction for large-scale network security situation.展开更多
Impressive advances in space technology are enabling complex missions, with potentially significant and long term impacts on human life and activities. In the vision of future space exploration, communication links am...Impressive advances in space technology are enabling complex missions, with potentially significant and long term impacts on human life and activities. In the vision of future space exploration, communication links among planets, satel ites, spacecrafts and crewed vehicles wil be designed according to a new paradigm, known as the disruption tolerant networking. In this scenario, space channel peculiarities impose a massive reengineering of many of the protocols usually adopted in terrestrial networks; among them, security solutions are to be deeply reviewed, and tailored to the specific space requirements. Security is to be provided not only to the payload data exchanged on the network, but also to the telecommands sent to a spacecraft, along possibly differentiated paths. Starting from the secure space telecommand design developed by the Consultative Committee for Space Data Systems as a response to agency-based requirements, an adaptive link layer security architecture is proposed to address some of the chal enges for future space networks. Based on the analysis of the communication environment and the error diffusion properties of the authentication algorithms, a suitable mechanism is proposed to classify frame retransmission requests on the basis of the originating event (error or security attack) and reduce the impact of security operations. An adaptive algorithm to optimize the space control protocol, based on estimates of the time varying space channel, is also presented. The simulation results clearly demonstrate that the proposed architecture is feasible and efficient, especially when facing malicious attacks against frame transmission.展开更多
By analyzing existed Internet of Things' system security vulnerabilities, a security architecture on trusting one is constructed. In the infrastructure, an off-line identity authentication based on the combined publi...By analyzing existed Internet of Things' system security vulnerabilities, a security architecture on trusting one is constructed. In the infrastructure, an off-line identity authentication based on the combined public key (CPK) mechanism is proposed, which solves the problems about a mass amount of authentications and the cross-domain authentication by integrating nodes' validity of identity authentication and uniqueness of identification. Moreover, the proposal of constructing nodes' authentic identification, valid authentication and credible communication connection at the application layer through the perception layer impels the formation of trust chain and relationship among perceptional nodes. Consequently, a trusting environment of the Internet of Things is built, by which a guidance of designing the trusted one would be provided.展开更多
Traditional security framework in cloud platform usually brings self-vulnerability and considerable additional resource consumption. To solve these problems, we propose an external processes monitoring architecture fo...Traditional security framework in cloud platform usually brings self-vulnerability and considerable additional resource consumption. To solve these problems, we propose an external processes monitoring architecture for current popular cloud platform Open Stack with kernel-based virtual machine(KVM). With this architecture, we can monitor all active processes in online virtual machine(VMs) and scan them for their potential maliciousness in OpenS tack with no agent, and can also detect hidden processes in offline VMs’ memory snapshots and notice the user to decide whether to kill them when VMs become active. Analysis and experimental results show that our architecture is able to reduce consumption of CPU, memory and bandwidth in cloud platform and can detect viruses and hidden processes effectively in VMs.展开更多
The tremendous growth of the cloud computing environments requires new architecture for security services. Cloud computing is the utilization of many servers/data centers or cloud data storages (CDSs) housed in many d...The tremendous growth of the cloud computing environments requires new architecture for security services. Cloud computing is the utilization of many servers/data centers or cloud data storages (CDSs) housed in many different locations and interconnected by high speed networks. CDS, like any other emerging technology, is experiencing growing pains. It is immature, it is fragmented and it lacks standardization. Although security issues are delaying its fast adoption, cloud computing is an unstoppable force and we need to provide security mechanisms to ensure its secure adoption. In this paper a comprehensive security framework based on Multi-Agent System (MAS) architecture for CDS to facilitate confidentiality, correctness assurance, availability and integrity of users' data in the cloud is proposed. Our security framework consists of two main layers as agent layer and CDS layer. Our propose MAS architecture includes main five types of agents: Cloud Service Provider Agent (CSPA), Cloud Data Confidentiality Agent (CDConA), Cloud Data Correctness Agent (CDCorA), Cloud Data Availability Agent (CDAA) and Cloud Data Integrity Agent (CDIA). In order to verify our proposed security framework based on MAS architecture, pilot study is conducted using a questionnaire survey. Rasch Methodology is used to analyze the pilot data. Item reliability is found to be poor and a few respondents and items are identified as misfits with distorted measurements. As a result, some problematic questions are revised and some predictably easy questions are excluded from the questionnaire. A prototype of the system is implemented using Java. To simulate the agents, oracle database packages and triggers are used to implement agent functions and oracle jobs are utilized to create agents.展开更多
A security kernel architeclrne built on trusted computing platform in thelight of thinking about trusted computing is presented According to this architecture,a newsecurity module TCB(Trusted Computing Base)is added t...A security kernel architeclrne built on trusted computing platform in thelight of thinking about trusted computing is presented According to this architecture,a newsecurity module TCB(Trusted Computing Base)is added to the operation system kerneland twooperation interface modes are provided for the sake of self-protection.The security kernel isdivided into two parts and trusted mechanism Is separated from security functionality.Ihe TCBmodule implements the trusted mechanism such as measurement and attestation,while the othercomponents of security kernel provide security functionality based on these mechanisms.Thisarchitecture takes full advantage of functions provided by trusted platform and clearly defines thesecurity perimeter of TCB so as to assure stlf-securily from architcetmal vision.We also presentfunction description of TCB and discuss the strengths and limitations comparing with other relatedresearches.展开更多
This paper focuses on investigating immunological principles in designing a multi-agent security architecture for intrusion detection and response in mobile ad hoc networks. In this approach, the immunity-based agents...This paper focuses on investigating immunological principles in designing a multi-agent security architecture for intrusion detection and response in mobile ad hoc networks. In this approach, the immunity-based agents monitor the situation in the network. These agents can take appropriate actions according to the underlying security policies. Specifically, their activities are coordinated in a hierarchical fashion while sensing, communicating, decision and generating responses. Such an agent can learn and adapt to its environment dynamically and can detect both known and unknown intrusions. The proposed intrusion detection architecture is designed to be flexible, extendible, and adaptable that can perform real-time monitoring. This paper provides the conceptual view and a general framework of the proposed system. In the end, the architecture is illustrated by an example to show it can prevent the attack efficiently.展开更多
More and more modern group oriented collaborativeapplications use the peer-to-peer(P2P)paradigm tobe independent of expensive infrastructures as theyare,for instance,provided for audio and video conferencesby H.323 sy...More and more modern group oriented collaborativeapplications use the peer-to-peer(P2P)paradigm tobe independent of expensive infrastructures as theyare,for instance,provided for audio and video conferencesby H.323 systems.Decentralized collaborativeP2P solutions require appropriate mechanismsto protect group privacy and data integrity.A centralizedclient/server based video conference system canbe well shielded in a standard manner,whilst thereare no off-the-shelf approaches to secure a P2P videoconference up to now.The paper addresses this issueand presents a flexible security architecture.Usingthe BRAVIS system[4]as an example it shows howthe architecture can be embedded into a P2P videoconferencing system.展开更多
The wide application of network technology in power systems brings not only convenience and flexibility but also security threats. An architecture of network security for power system was proposed in this study,which ...The wide application of network technology in power systems brings not only convenience and flexibility but also security threats. An architecture of network security for power system was proposed in this study,which protected data and facilities from being attacked by outside users by means of firewall, security monitor and control system. Firewall was basically the first line of defense for the intranet; the security monitoring system was a kind of IDS (Intrusion Detection System), while security control system provided authentication, authorization,data-encrypted transmission and security management. This architecture provides various security services, such as identification, authentication, authorization, data integrity and confidentiality.展开更多
文摘Andrew Wangota,a 48-year-old Ugandan farmer,has been using agrivoltaics technology,a solar technology that uses agricultural land for both food production and solar power generation,on his farm in Bunashimolo Parish,Bukyiende Subcounty in Uganda where he has been cultivating plantain,coffee and Irish potatoes for the past 16 years.
基金funded and supported by the Ongoing Research Funding program(ORF-2025-314),King Saud University,Riyadh,Saudi Arabia.
文摘The rapid digitalization of urban infrastructure has made smart cities increasingly vulnerable to sophisticated cyber threats.In the evolving landscape of cybersecurity,the efficacy of Intrusion Detection Systems(IDS)is increasingly measured by technical performance,operational usability,and adaptability.This study introduces and rigorously evaluates a Human-Computer Interaction(HCI)-Integrated IDS with the utilization of Convolutional Neural Network(CNN),CNN-Long Short Term Memory(LSTM),and Random Forest(RF)against both a Baseline Machine Learning(ML)and a Traditional IDS model,through an extensive experimental framework encompassing many performance metrics,including detection latency,accuracy,alert prioritization,classification errors,system throughput,usability,ROC-AUC,precision-recall,confusion matrix analysis,and statistical accuracy measures.Our findings consistently demonstrate the superiority of the HCI-Integrated approach utilizing three major datasets(CICIDS 2017,KDD Cup 1999,and UNSW-NB15).Experimental results indicate that the HCI-Integrated model outperforms its counterparts,achieving an AUC-ROC of 0.99,a precision of 0.93,and a recall of 0.96,while maintaining the lowest false positive rate(0.03)and the fastest detection time(~1.5 s).These findings validate the efficacy of incorporating HCI to enhance anomaly detection capabilities,improve responsiveness,and reduce alert fatigue in critical smart city applications.It achieves markedly lower detection times,higher accuracy across all threat categories,reduced false positive and false negative rates,and enhanced system throughput under concurrent load conditions.The HCIIntegrated IDS excels in alert contextualization and prioritization,offering more actionable insights while minimizing analyst fatigue.Usability feedback underscores increased analyst confidence and operational clarity,reinforcing the importance of user-centered design.These results collectively position the HCI-Integrated IDS as a highly effective,scalable,and human-aligned solution for modern threat detection environments.
文摘Smart distribution grid needs data communication systems as a support to complete their important functions. The smart distribution grid of the data and information are increasingly adopting internet protocol and Ethernet technology. The IP addresses are more and more important for the smart distribution grid equipment. The current IPv4 protocol occupies a dominant position; therefore, the challenges of the evolution to IPv6 and network security are faced by data communication systems of the smart distribution grid. The importance of data communications network and its main bearer of business were described. The data communications network from IPv4 to IPv6 evolution of the five processes and four stages of the transition were analyzed. The smart distribution grid data communications network security and types of their offensive and defensive were discussed. And the data communications network security architecture was established. It covers three dimensions, the security level, the communications network security engineering and the communications network security management. The security architecture safeguards the evolution to IPv6 for the smart distribution grid data communication systems.
基金Supported by Key Scientific Research Foundation of Southwest Forestry University(110809)~~
文摘The concept of landscape architecture with eco-security was proposed,ecological security of landscape architecture in Yunnan was elaborated from 8 aspects,specifically as landform,typical climate,natural vegetation,biodiversity,transplantation of large-size trees,disaster-proof function,greening security,introduction of garden species.Moreover,countermeasures for maintaining the ecological security of landscape architecture in Yunnan Province were further put forward,① In view of local conditions,inheriting natural views of classical Chinese gardens,respecting all natural elements,② Rising higher requirements on the planning of garden green space system,③ Paying more attention to the integrated construction of green spaces in urban and rural areas,maintaining the wholeness of suburban ecosystem,④ Devoting more in developing seedling industry,culturing more large-size seedlings in original sites,⑤ Selecting right trees for right sites in constructing urban gardens.Eventually,it was proposed that gardens in Yunnan Province should be developed by combining with its outstanding ecological conditions,among which ecological security should be the focus of attention.
基金supported by National Information Security Program under Grant No.2009A112
文摘Security is a key problem for the development of Cloud Computing. A common service security architecture is a basic abstract to support security research work. The authorization ability in the service security faces more complex and variable users and environment. Based on the multidimensional views, the service security architecture is described on three dimensions of service security requirement integrating security attributes and service layers. An attribute-based dynamic access control model is presented to detail the relationships among subjects, objects, roles, attributes, context and extra factors further. The model uses dynamic control policies to support the multiple roles and flexible authority. At last, access control and policies execution mechanism were studied as the implementation suggestion.
基金supported in part by the following grants:National Science Foundation of China(Grant No.61272400)Chongqing Innovative Team Fund for College Development Project(Grant No.KJTD201310)+3 种基金Chongqing Youth Innovative Talent Project(Grant No.cstc2013kjrc-qnrc40004)Science and Technology Research Program of the Chongqing Municipal Education Committee(Grant No.KJ1500425)Foundation of CQUPT(Grant No.WF201403)Chongqing Graduate Research and Innovation Project(Grant No.CYS14146)
文摘The fact that the security facilities within a system are closely coupled and the security facilities between systems are unconnected results in an isolated protection structure for systems, and gives rise to a serious challenge to system security integrations and system controls. Also, the need for diversified services and flexible extensions of network security asks for more considerations and contribu?tions from the perspective of software engineering in the process of designing and constructing security systems. Based on the essence of the virtualization technique and the idea of software-defined networks, we in this paper propose a novel software-defi ned security architecture for systems. By abstracting the traditional security facilities and techniques, the proposed security architecture provides a new, simple, effective, and programmable framework in which security operations and security controls can be decoupled, and thereby reduces the software module sizes, decreases the intensity of software deve?lopments, and improves the security extensibility of systems.
基金supported by the Foundation for Innovative Research Groups of the National Natural Science Foundation of China (No.61521003)the National Key R&D Program of China (No.2016YFB0800100,No.2016YFB0800101)the National Natural Science Foundation of China (No.61602509)
文摘Current SDN controllers suffer from a series of potential attacks. For example, malicious flow rules may lead to system disorder by introducing unexpected flow entries. In this paper, we propose Mcad-SA, an aware decision-making security architecture with multiple controllers, which could coordinate heterogeneous controllers internally as a "big" controller. This architecture includes an additional plane, the scheduling plane, which consists of transponder, sensor, decider and scheduler. Meanwhile it achieves the functions of communicating, supervising and scheduling between data and control plane. In this framework, we adopt the vote results from the majority of controllers to determine valid flow rules distributed to switches. Besides, an aware dynamic scheduling(ADS) mechanism is devised in scheduler to intensify security of Mcad-SA further. Combined with perception, ADS takes advantage of heterogeneity and redundancy of controllers to enable the control plane operate in a dynamic, reliable and unsteady state, which results in significant difficulty of probing systems and executing attacks. Simulation results demonstrate the proposed methods indicate better security resilience over traditional architectures as they have lower failure probability when facing attacks.
文摘With the rapid development of cloud manufacturing technology and the new generation of artificial intelligence technology,the new cloud manufacturing system(NCMS)built on the connotation of cloud manufacturing 3.0 presents a new business model of“Internet of everything,intelligent leading,data driving,shared services,cross-border integration,and universal innovation”.The network boundaries are becoming increasingly blurred,NCMS is facing security risks such as equipment unauthorized use,account theft,static and extensive access control policies,unauthorized access,supply chain attacks,sensitive data leaks,and industrial control vulnerability attacks.Traditional security architectures mainly use information security technology,which cannot meet the active security protection requirements of NCMS.In order to solve the above problems,this paper proposes an integrated cloud-edge-terminal security system architecture of NCMS.It adopts the zero trust concept and effectively integrates multiple security capabilities such as network,equipment,cloud computing environment,application,identity,and data.It adopts a new access control mode of“continuous verification+dynamic authorization”,classified access control mechanisms such as attribute-based access control,rolebased access control,policy-based access control,and a new data security protection system based on blockchain,achieving“trustworthy subject identity,controllable access behavior,and effective protection of subject and object resources”.This architecture provides an active security protection method for NCMS in the digital transformation of large enterprises,and can effectively enhance network security protection capabilities and cope with increasingly severe network security situations.
文摘As the Internet of Things (IoT) is emerging as an attractive paradigm, a typical IoT architecture that U2IoT (Unit IoT and Ubiquitous IoT) model has been presented for the future IoT. Based on the U2IoT model, this paper proposes a cyber-physical-social based security architecture (IPM) to deal with Information, Physical, and Management security perspectives, and presents how the architectural abstractions support U2IoT model. In particular, 1) an information security model is established to describe the mapping relations among U2IoT, security layer, and security requirement, in which social layer and additional intelligence and compatibility properties are infused into IPM;2) physical security referring to the external context and inherent infrastructure are inspired by artificial immune algorithms;3) recommended security strategies are suggested for social management control. The proposed IPM combining the cyber world, physical world and human social provides constructive proposal towards the future IoT security and privacy protection.
基金supported by National Natural Science Foundation of China with granted No.61404175
文摘As an important branch of information security algorithms,the efficient and flexible implementation of stream ciphers is vital.Existing implementation methods,such as FPGA,GPP and ASIC,provide a good support,but they could not achieve a better tradeoff between high speed processing and high flexibility.ASIC has fast processing speed,but its flexibility is poor,GPP has high flexibility,but the processing speed is slow,FPGA has high flexibility and processing speed,but the resource utilization is very low.This paper studies a stream cryptographic processor which can efficiently and flexibly implement a variety of stream cipher algorithms.By analyzing the structure model,processing characteristics and storage characteristics of stream ciphers,a reconfigurable stream cryptographic processor with special instructions based on VLIW is presented,which has separate/cluster storage structure and is oriented to stream cipher operations.The proposed instruction structure can effectively support stream cipher processing with multiple data bit widths,parallelism among stream cipher processing with different data bit widths,and parallelism among branch control and stream cipher processing with high instruction level parallelism;the designed separate/clustered special bit registers and general register heaps,key register heaps can satisfy cryptographic requirements.So the proposed processor not only flexibly accomplishes the combination of multiple basic stream cipher operations to finish stream cipher algorithms.It has been implemented with 0.18μm CMOS technology,the test results show that the frequency can reach 200 MHz,and power consumption is 310 mw.Ten kinds of stream ciphers were realized in the processor.The key stream generation throughput of Grain-80,W7,MICKEY,ACHTERBAHN and Shrink algorithm is 100 Mbps,66.67 Mbps,66.67 Mbps,50 Mbps and 800 Mbps,respectively.The test result shows that the processor presented can achieve good tradeoff between high performance and flexibility of stream ciphers.
基金This work is funded by the National Natural Science Foundation of China under Grant U1636215the National key research and development plan under Grant Nos.2018YFB0803504,2016YFB0800303.
文摘Network Security Situation Awareness System YHSAS acquires,understands and displays the security factors which cause changes of network situation,and predicts the future development trend of these security factors.YHSAS is developed for national backbone network,large network operators,large enterprises and other large-scale network.This paper describes its architecture and key technologies:Network Security Oriented Total Factor Information Collection and High-Dimensional Vector Space Analysis,Knowledge Representation and Management of Super Large-Scale Network Security,Multi-Level,Multi-Granularity and Multi-Dimensional Network Security Index Construction Method,Multi-Mode and Multi-Granularity Network Security Situation Prediction Technology,and so on.The performance tests show that YHSAS has high real-time performance and accuracy in security situation analysis and trend prediction.The system meets the demands of analysis and prediction for large-scale network security situation.
基金supported by the National Natural Science Fundation of China(61101073)
文摘Impressive advances in space technology are enabling complex missions, with potentially significant and long term impacts on human life and activities. In the vision of future space exploration, communication links among planets, satel ites, spacecrafts and crewed vehicles wil be designed according to a new paradigm, known as the disruption tolerant networking. In this scenario, space channel peculiarities impose a massive reengineering of many of the protocols usually adopted in terrestrial networks; among them, security solutions are to be deeply reviewed, and tailored to the specific space requirements. Security is to be provided not only to the payload data exchanged on the network, but also to the telecommands sent to a spacecraft, along possibly differentiated paths. Starting from the secure space telecommand design developed by the Consultative Committee for Space Data Systems as a response to agency-based requirements, an adaptive link layer security architecture is proposed to address some of the chal enges for future space networks. Based on the analysis of the communication environment and the error diffusion properties of the authentication algorithms, a suitable mechanism is proposed to classify frame retransmission requests on the basis of the originating event (error or security attack) and reduce the impact of security operations. An adaptive algorithm to optimize the space control protocol, based on estimates of the time varying space channel, is also presented. The simulation results clearly demonstrate that the proposed architecture is feasible and efficient, especially when facing malicious attacks against frame transmission.
基金supported by the 863 Program under Grant No. 2008AA04A107
文摘By analyzing existed Internet of Things' system security vulnerabilities, a security architecture on trusting one is constructed. In the infrastructure, an off-line identity authentication based on the combined public key (CPK) mechanism is proposed, which solves the problems about a mass amount of authentications and the cross-domain authentication by integrating nodes' validity of identity authentication and uniqueness of identification. Moreover, the proposal of constructing nodes' authentic identification, valid authentication and credible communication connection at the application layer through the perception layer impels the formation of trust chain and relationship among perceptional nodes. Consequently, a trusting environment of the Internet of Things is built, by which a guidance of designing the trusted one would be provided.
基金Supported by the National Natural Science Foundation of China(61170026)
文摘Traditional security framework in cloud platform usually brings self-vulnerability and considerable additional resource consumption. To solve these problems, we propose an external processes monitoring architecture for current popular cloud platform Open Stack with kernel-based virtual machine(KVM). With this architecture, we can monitor all active processes in online virtual machine(VMs) and scan them for their potential maliciousness in OpenS tack with no agent, and can also detect hidden processes in offline VMs’ memory snapshots and notice the user to decide whether to kill them when VMs become active. Analysis and experimental results show that our architecture is able to reduce consumption of CPU, memory and bandwidth in cloud platform and can detect viruses and hidden processes effectively in VMs.
文摘The tremendous growth of the cloud computing environments requires new architecture for security services. Cloud computing is the utilization of many servers/data centers or cloud data storages (CDSs) housed in many different locations and interconnected by high speed networks. CDS, like any other emerging technology, is experiencing growing pains. It is immature, it is fragmented and it lacks standardization. Although security issues are delaying its fast adoption, cloud computing is an unstoppable force and we need to provide security mechanisms to ensure its secure adoption. In this paper a comprehensive security framework based on Multi-Agent System (MAS) architecture for CDS to facilitate confidentiality, correctness assurance, availability and integrity of users' data in the cloud is proposed. Our security framework consists of two main layers as agent layer and CDS layer. Our propose MAS architecture includes main five types of agents: Cloud Service Provider Agent (CSPA), Cloud Data Confidentiality Agent (CDConA), Cloud Data Correctness Agent (CDCorA), Cloud Data Availability Agent (CDAA) and Cloud Data Integrity Agent (CDIA). In order to verify our proposed security framework based on MAS architecture, pilot study is conducted using a questionnaire survey. Rasch Methodology is used to analyze the pilot data. Item reliability is found to be poor and a few respondents and items are identified as misfits with distorted measurements. As a result, some problematic questions are revised and some predictably easy questions are excluded from the questionnaire. A prototype of the system is implemented using Java. To simulate the agents, oracle database packages and triggers are used to implement agent functions and oracle jobs are utilized to create agents.
基金Supported by the National Basic Research Programof China(G1999035801)
文摘A security kernel architeclrne built on trusted computing platform in thelight of thinking about trusted computing is presented According to this architecture,a newsecurity module TCB(Trusted Computing Base)is added to the operation system kerneland twooperation interface modes are provided for the sake of self-protection.The security kernel isdivided into two parts and trusted mechanism Is separated from security functionality.Ihe TCBmodule implements the trusted mechanism such as measurement and attestation,while the othercomponents of security kernel provide security functionality based on these mechanisms.Thisarchitecture takes full advantage of functions provided by trusted platform and clearly defines thesecurity perimeter of TCB so as to assure stlf-securily from architcetmal vision.We also presentfunction description of TCB and discuss the strengths and limitations comparing with other relatedresearches.
基金Supported by the National High Technology Develop ment 863 Program of China (No.2003AA148010)Key Technologies R&D Program of China (No.2002DA103A03-07).
文摘This paper focuses on investigating immunological principles in designing a multi-agent security architecture for intrusion detection and response in mobile ad hoc networks. In this approach, the immunity-based agents monitor the situation in the network. These agents can take appropriate actions according to the underlying security policies. Specifically, their activities are coordinated in a hierarchical fashion while sensing, communicating, decision and generating responses. Such an agent can learn and adapt to its environment dynamically and can detect both known and unknown intrusions. The proposed intrusion detection architecture is designed to be flexible, extendible, and adaptable that can perform real-time monitoring. This paper provides the conceptual view and a general framework of the proposed system. In the end, the architecture is illustrated by an example to show it can prevent the attack efficiently.
文摘More and more modern group oriented collaborativeapplications use the peer-to-peer(P2P)paradigm tobe independent of expensive infrastructures as theyare,for instance,provided for audio and video conferencesby H.323 systems.Decentralized collaborativeP2P solutions require appropriate mechanismsto protect group privacy and data integrity.A centralizedclient/server based video conference system canbe well shielded in a standard manner,whilst thereare no off-the-shelf approaches to secure a P2P videoconference up to now.The paper addresses this issueand presents a flexible security architecture.Usingthe BRAVIS system[4]as an example it shows howthe architecture can be embedded into a P2P videoconferencing system.
文摘The wide application of network technology in power systems brings not only convenience and flexibility but also security threats. An architecture of network security for power system was proposed in this study,which protected data and facilities from being attacked by outside users by means of firewall, security monitor and control system. Firewall was basically the first line of defense for the intranet; the security monitoring system was a kind of IDS (Intrusion Detection System), while security control system provided authentication, authorization,data-encrypted transmission and security management. This architecture provides various security services, such as identification, authentication, authorization, data integrity and confidentiality.
