Software-Defined Networking(SDN)is a new network technology that uses programming to complement the data plane with a control plane.To enable safe connection,however,numerous security challenges must be addressed.Floo...Software-Defined Networking(SDN)is a new network technology that uses programming to complement the data plane with a control plane.To enable safe connection,however,numerous security challenges must be addressed.Flooding attacks have been one of the most prominent risks on the internet for decades,and they are now becoming challenging difficulties in SDN networks.To solve these challenges,we proposed a unique firewall application built on multiple levels of packet filtering to provide a flooding attack prevention system and a layer-based packet detection system.This study offers a systematic strategy for wrapping up the examination of SDN operations.The Mininet simulator examines the effectiveness of SDN-based firewalls at various network tiers.The fundamental network characteristics that specify how SDN should operate.The three main analytical measures of the network are jitter,response time,and throughput.During regular operations,their behavior evaluates in the standard SDN conditions of Transmission Control Protocol(TCP)flooding and User Datagram Protocol(UDP)flooding with no SDN occurrences.Low Orbit Ion Cannon(LOIC)is applied to launch attacks on the transmission by the allocated server.Wireshark and MATLAB are used for the behavioral study to determine how sensitive the parameters are used in the SDN network and monitor the fluctuations of those parameters for different simulated scenarios.展开更多
The integrated linkage control problem based on attack detection is solved with the analyses of the security model including firewall, intrusion detection system (IDS) and vulnerability scan by game theory. The Nash...The integrated linkage control problem based on attack detection is solved with the analyses of the security model including firewall, intrusion detection system (IDS) and vulnerability scan by game theory. The Nash equilibrium for two portfolios of only deploying IDS and vulnerability scan and deploying all the technologies is investigated by backward induction. The results show that when the detection rates of IDS and vulnerability scan are low, the firm will not only inspect every user who raises an alarm, but also a fraction of users that do not raise an alarm; when the detection rates of IDS and vulnerability scan are sufficiently high, the firm will not inspect any user who does not raise an alarm, but only inspect a fraction of users that raise an alarm. Adding firewall into the information system impacts on the benefits of firms and hackers, but does not change the optimal strategies of hackers, and the optimal investigation strategies of IDS are only changed in certain cases. Moreover, the interactions between IDS & vulnerability scan and firewall & IDS are discussed in detail.展开更多
Recently, most electric power substations have adopted production control systems, such as SCADA systems, which communicate with field devices and remotely control processes from a computer screen. However, these syst...Recently, most electric power substations have adopted production control systems, such as SCADA systems, which communicate with field devices and remotely control processes from a computer screen. However, these systems together with protection measures and additional control actions (using protocol IEC61850) seem not to be enough to free substations of security attacks (e.g. virus, intruders, forgery or unauthorized data manipulation). This paper analyzes the main features of an electric power substation together with the aspects that might be significantly affected by cyber-attacks. The paper also presents the implementation of a specific security system (i.e. firewall-wise system) intended to protect a target distribution network.展开更多
The global view of firewall policy conflict is important for administrators to optimize the policy.It has been lack of appropriate firewall policy global conflict analysis,existing methods focus on local conflict dete...The global view of firewall policy conflict is important for administrators to optimize the policy.It has been lack of appropriate firewall policy global conflict analysis,existing methods focus on local conflict detection.We research the global conflict detection algorithm in this paper.We presented a semantic model that captures more complete classifications of the policy using knowledge concept in rough set.Based on this model,we presented the global conflict formal model,and represent it with OBDD(Ordered Binary Decision Diagram).Then we developed GFPCDA(Global Firewall Policy Conflict Detection Algorithm) algorithm to detect global conflict.In experiment,we evaluated the usability of our semantic model by eliminating the false positives and false negatives caused by incomplete policy semantic model,of a classical algorithm.We compared this algorithm with GFPCDA algorithm.The results show that GFPCDA detects conflicts more precisely and independently,and has better performance.展开更多
Research has revealed that, in the next ten to twen ty years, the implementation of E-commence will become a new basis of economic in crease of China and other countries in the world. And the essence of implementin g ...Research has revealed that, in the next ten to twen ty years, the implementation of E-commence will become a new basis of economic in crease of China and other countries in the world. And the essence of implementin g E-commerce is the credit standing among the banks, the sellers and the custom ers. But the credit standing in the net ultimately depends on the security of th e network. Firewall is a useful network security technology to keep a network fr om being intruded. The rational use of firewalls can strengthen the security of the E-commence system. Traditional package-filtering firewalls usually rej ect the illegal accesses and admit the legal accesses according to filtering pol icy established by the administrator in advance. But the measures of attacking n etworks are increasing, so ACL (access control list) that is established in adva nce can hardly meet the needs of the rapid development of the network. And the r eal-time quality and sensitivity of traditional firewalls are not satisfied. No w a new model of implementing the expert system to the management of network sec urity is brought forward. The focus of the intelligent packet-filtering firewal l lies on the expert system. The tight combination of expert system and the filt ering method can realize the efficient detection and control of the packages tha t flow through the firewall system. By using the intelligent firewall, the secur ity of the E-commence can be strengthened indeed.展开更多
In recent years, the number of users connected to the Internet has experienced a phenomenal growth. The security of systems and networks become essential. That is why the performance of Linux firewall and Berkeley Sof...In recent years, the number of users connected to the Internet has experienced a phenomenal growth. The security of systems and networks become essential. That is why the performance of Linux firewall and Berkeley Software Distribution (BSD) are of paramount importance in security systems and networks in all businesses. The following evaluates the firewall based tool that we have developed in Python and Scapy, which performs time measurements by serving packets traversing the firewall test. Several results were presented: the speed of the firewall under FreeBSD in terms of service time compared to the speed of the firewall under Linux as the number of rules increases;the speed of the filtering rule of a firewall stateless in terms of service time compared to the filtering rule of an active firewall gradually as the number of rules increases. Then, for care of simplicity, we have presented the queue M/M/1/K to model the performances of firewalls. The resulting model was validated using Simulink and mean squared error. The analytical model and Simulink of the firewalls are presented in the article.展开更多
The forthcoming Next Generation Network (NGN) is an all IP network. Multimedia communications over IP networks are a type of bundled session communications, which cannot directly traverse Network Address Translations ...The forthcoming Next Generation Network (NGN) is an all IP network. Multimedia communications over IP networks are a type of bundled session communications, which cannot directly traverse Network Address Translations (NATs) and firewalls even in NGN. To solve the problem that the existing traversal methods are not suitable for service providers to set up a real system in NGN, a Distributed Broker-agent Architecture (DBA) is addressed. DBA is secure and realizable for service providers and enterprises because it is easy to set up and does not need to upgrade the existing devices like Firewalls, NATs or endpoint devices of subscribers. DBA is composed of two-layer distributed agents, the server proxies and the client agents, in which all multimedia communications use shared tunnels to carry signaling messages and media data between broker-agents, and the call signaling is encrypted over Security Socket Layer (SSL) to guarantee the security of calling. Moreover, the function model and multiplexed connection messages format of DBA are designed, which lays a basis for the protocol in the future NGN. In addition, a simple implementation based on H.323 verifyies the main function of traversing firewalls and NATs.展开更多
In this paper we have present the architecture and module for internet firewall. The central component is fuzzy controller while properties of packets are fuzzified as inputs. On the basis of proposed fuzzy security a...In this paper we have present the architecture and module for internet firewall. The central component is fuzzy controller while properties of packets are fuzzified as inputs. On the basis of proposed fuzzy security algorithm, we have figured out security level of each packet and adjust according to packets dynamic states. Internet firewall can respond to these dynamics and take respective actions accordingly. Therefore, proactive firewall solves the conflict between speed and security by providing high performance and high security. Simulation shows that if the response value is in between 0.7 and 1 it belongs to high security.展开更多
基金supported in part by the Research Committee of Hamdard University Karachi Pakistan(www.hamdard.edu.pk)the Office of Research Innovation&Commercialization(ORIC)of Dawood University of Engineering&Technology Karachi Pakistan(www.duet.edu.pk).
文摘Software-Defined Networking(SDN)is a new network technology that uses programming to complement the data plane with a control plane.To enable safe connection,however,numerous security challenges must be addressed.Flooding attacks have been one of the most prominent risks on the internet for decades,and they are now becoming challenging difficulties in SDN networks.To solve these challenges,we proposed a unique firewall application built on multiple levels of packet filtering to provide a flooding attack prevention system and a layer-based packet detection system.This study offers a systematic strategy for wrapping up the examination of SDN operations.The Mininet simulator examines the effectiveness of SDN-based firewalls at various network tiers.The fundamental network characteristics that specify how SDN should operate.The three main analytical measures of the network are jitter,response time,and throughput.During regular operations,their behavior evaluates in the standard SDN conditions of Transmission Control Protocol(TCP)flooding and User Datagram Protocol(UDP)flooding with no SDN occurrences.Low Orbit Ion Cannon(LOIC)is applied to launch attacks on the transmission by the allocated server.Wireshark and MATLAB are used for the behavioral study to determine how sensitive the parameters are used in the SDN network and monitor the fluctuations of those parameters for different simulated scenarios.
基金The National Natural Science Foundation of China(No.71071033)the Innovation Project of Jiangsu Postgraduate Education(No.CX10B_058Z)
文摘The integrated linkage control problem based on attack detection is solved with the analyses of the security model including firewall, intrusion detection system (IDS) and vulnerability scan by game theory. The Nash equilibrium for two portfolios of only deploying IDS and vulnerability scan and deploying all the technologies is investigated by backward induction. The results show that when the detection rates of IDS and vulnerability scan are low, the firm will not only inspect every user who raises an alarm, but also a fraction of users that do not raise an alarm; when the detection rates of IDS and vulnerability scan are sufficiently high, the firm will not inspect any user who does not raise an alarm, but only inspect a fraction of users that raise an alarm. Adding firewall into the information system impacts on the benefits of firms and hackers, but does not change the optimal strategies of hackers, and the optimal investigation strategies of IDS are only changed in certain cases. Moreover, the interactions between IDS & vulnerability scan and firewall & IDS are discussed in detail.
文摘Recently, most electric power substations have adopted production control systems, such as SCADA systems, which communicate with field devices and remotely control processes from a computer screen. However, these systems together with protection measures and additional control actions (using protocol IEC61850) seem not to be enough to free substations of security attacks (e.g. virus, intruders, forgery or unauthorized data manipulation). This paper analyzes the main features of an electric power substation together with the aspects that might be significantly affected by cyber-attacks. The paper also presents the implementation of a specific security system (i.e. firewall-wise system) intended to protect a target distribution network.
基金supported by the National Nature Science Foundation of China under Grant No.61170295 the Project of National ministry under Grant No.A2120110006+2 种基金 the Co-Funding Project of Beijing Municipal Education Commission under Grant No.JD100060630 the Beijing Education Committee General Program under Grant No. KM201211232010 the National Nature Science Foundation of China under Grant NO. 61370065
文摘The global view of firewall policy conflict is important for administrators to optimize the policy.It has been lack of appropriate firewall policy global conflict analysis,existing methods focus on local conflict detection.We research the global conflict detection algorithm in this paper.We presented a semantic model that captures more complete classifications of the policy using knowledge concept in rough set.Based on this model,we presented the global conflict formal model,and represent it with OBDD(Ordered Binary Decision Diagram).Then we developed GFPCDA(Global Firewall Policy Conflict Detection Algorithm) algorithm to detect global conflict.In experiment,we evaluated the usability of our semantic model by eliminating the false positives and false negatives caused by incomplete policy semantic model,of a classical algorithm.We compared this algorithm with GFPCDA algorithm.The results show that GFPCDA detects conflicts more precisely and independently,and has better performance.
文摘Research has revealed that, in the next ten to twen ty years, the implementation of E-commence will become a new basis of economic in crease of China and other countries in the world. And the essence of implementin g E-commerce is the credit standing among the banks, the sellers and the custom ers. But the credit standing in the net ultimately depends on the security of th e network. Firewall is a useful network security technology to keep a network fr om being intruded. The rational use of firewalls can strengthen the security of the E-commence system. Traditional package-filtering firewalls usually rej ect the illegal accesses and admit the legal accesses according to filtering pol icy established by the administrator in advance. But the measures of attacking n etworks are increasing, so ACL (access control list) that is established in adva nce can hardly meet the needs of the rapid development of the network. And the r eal-time quality and sensitivity of traditional firewalls are not satisfied. No w a new model of implementing the expert system to the management of network sec urity is brought forward. The focus of the intelligent packet-filtering firewal l lies on the expert system. The tight combination of expert system and the filt ering method can realize the efficient detection and control of the packages tha t flow through the firewall system. By using the intelligent firewall, the secur ity of the E-commence can be strengthened indeed.
文摘In recent years, the number of users connected to the Internet has experienced a phenomenal growth. The security of systems and networks become essential. That is why the performance of Linux firewall and Berkeley Software Distribution (BSD) are of paramount importance in security systems and networks in all businesses. The following evaluates the firewall based tool that we have developed in Python and Scapy, which performs time measurements by serving packets traversing the firewall test. Several results were presented: the speed of the firewall under FreeBSD in terms of service time compared to the speed of the firewall under Linux as the number of rules increases;the speed of the filtering rule of a firewall stateless in terms of service time compared to the filtering rule of an active firewall gradually as the number of rules increases. Then, for care of simplicity, we have presented the queue M/M/1/K to model the performances of firewalls. The resulting model was validated using Simulink and mean squared error. The analytical model and Simulink of the firewalls are presented in the article.
基金TraversingNAT/firewallTeachingandResearchAwardProgramforOutstandingYoungTeachersinHighEducationInstitutionsofMOE ,China (No .2 0 0 0 6 5 )
文摘The forthcoming Next Generation Network (NGN) is an all IP network. Multimedia communications over IP networks are a type of bundled session communications, which cannot directly traverse Network Address Translations (NATs) and firewalls even in NGN. To solve the problem that the existing traversal methods are not suitable for service providers to set up a real system in NGN, a Distributed Broker-agent Architecture (DBA) is addressed. DBA is secure and realizable for service providers and enterprises because it is easy to set up and does not need to upgrade the existing devices like Firewalls, NATs or endpoint devices of subscribers. DBA is composed of two-layer distributed agents, the server proxies and the client agents, in which all multimedia communications use shared tunnels to carry signaling messages and media data between broker-agents, and the call signaling is encrypted over Security Socket Layer (SSL) to guarantee the security of calling. Moreover, the function model and multiplexed connection messages format of DBA are designed, which lays a basis for the protocol in the future NGN. In addition, a simple implementation based on H.323 verifyies the main function of traversing firewalls and NATs.
文摘In this paper we have present the architecture and module for internet firewall. The central component is fuzzy controller while properties of packets are fuzzified as inputs. On the basis of proposed fuzzy security algorithm, we have figured out security level of each packet and adjust according to packets dynamic states. Internet firewall can respond to these dynamics and take respective actions accordingly. Therefore, proactive firewall solves the conflict between speed and security by providing high performance and high security. Simulation shows that if the response value is in between 0.7 and 1 it belongs to high security.
