Security,Controllability,Manageability and Survivability in Trustworthy Network

The Internet plays increasingly important roles in everyone's life; however, the existence of a mismatch between the basic architectural idea beneath the Internet and the emerging requirements for it is becoming more and more obvious. Although the Internet community came up with a consensus that the future network should be trustworthy, the concept of 'trustworthy networks' and the ways leading us to a trustworthy network are not yet clear. This research insists that the security, controllability, manageability, and survivability should be basic properties of a trustworthy network. The key ideas and techniques involved in these properties are studied, and recent developments and progresses are surveyed. At the same time, the technical trends and challenges are briefly discussed. The network trustworthiness could and should be eventually achieved.

Towards a Dynamic Controller Scheduling-Timing Problem in Software-Defined Networking

Controller vulnerabilities allow malicious actors to disrupt or hijack the Software-Defined Networking. Traditionally, it is static mappings between the control plane and data plane. Adversaries have plenty of time to exploit the controller's vulnerabilities and launch attacks wisely. We tend to believe that dynamically altering such static mappings is a promising approach to alleviate this issue, since a moving target is difficult to be compromised even by skilled adversaries. It is critical to determine the right time to conduct scheduling and to balance the overhead afforded and the security levels guaranteed. Little previous work has been done to investigate the economical time in dynamic-scheduling controllers. In this paper, we take the first step to both theoretically and experimentally study the scheduling-timing problem in dynamic control plane. We model this problem as a renewal reward process and propose an optimal algorithm in deciding the right time to schedule with the objective of minimizing the long-term loss rate. In our experiments, simulations based on real network attack datasets are conducted and we demonstrate that our proposed algorithm outperforms given scheduling schemes.

A New Intrusion Detection Algorithm AE-3WD for Industrial Control Network

In this paper,we propose a intrusion detection algorithm based on auto-encoder and three-way decisions(AE-3WD)for industrial control networks,aiming at the security problem of industrial control network.The ideology of deep learning is similar to the idea of intrusion detection.Deep learning is a kind of intelligent algorithm and has the ability of automatically learning.It uses self-learning to enhance the experience and dynamic classification capabilities.We use deep learning to improve the intrusion detection rate and reduce the false alarm rate through learning,a denoising AutoEncoder and three-way decisions intrusion detection method AE-3WD is proposed to improve intrusion detection accuracy.In the processing,deep learning AutoEncoder is used to extract the features of high-dimensional data by combining the coefficient penalty and reconstruction loss function of the encode layer during the training mode.A multi-feature space can be constructed by multiple feature extractions from AutoEncoder,and then a decision for intrusion behavior or normal behavior is made by three-way decisions.NSL-KDD data sets are used to the experiments.The experiment results prove that our proposed method can extract meaningful features and effectively improve the performance of intrusion detection.

A distributed authentication and authorization scheme for in-network big data sharing

Big data has a strong demand for a network infrastructure with the capability to support data sharing and retrieval efficiently. Information-centric networking （ICN） is an emerging approach to satisfy this demand, where big data is cached ubiquitously in the network and retrieved using data names. However, existing authentication and authorization schemes rely mostly on centralized servers to provide certification and mediation services for data retrieval. This causes considerable traffic overhead for the secure distributed sharing of data. To solve this problem, we employ identity-based cryptography （IBC） to propose a Distributed Authentication and Authorization Scheme （DAAS）, where an identity-based signature （IBS） is used to achieve distributed verifications of the identities of publishers and users. Moreover, Ciphertext-Policy Attribnte-based encryption （CP-ABE） is used to enable the distributed and fine-grained authorization. DAAS consists of three phases： initialization, secure data publication, and secure data retrieval, which seamlessly integrate authentication and authorization with the in- terest/data communication paradigm in ICN. In particular, we propose trustworthy registration and Network Operator and Authority Manifest （NOAM） dissemination to provide initial secure registration and enable efficient authentication for global data retrieval. Meanwhile, Attribute Manifest （AM） distribution coupled with automatic attribute update is proposed to reduce the cost of attribute retrieval. We examine the performance of the proposed DAAS, which shows that it can achieve a lower bandwidth cost than existing schemes.