Abstract: Over the past few years, rapid advancements in the internet and communication technologies have led to increasingly intricate and diverse networking systems. As a result, greater intelligence is necessary to effectively manage, optimize, and maintain these systems. Due to their distributed nature, machine learning models are challenging to deploy in traditional networks. However, Software-Defined Networking (SDN) presents an opportunity to integrate intelligence into networks by offering a programmable architecture that separates the data and control planes. SDN provides a centralized network view and allows for dynamic updates of flow rules and software-based traffic analysis. While the programmable nature of SDN makes it easier to deploy machine learning techniques, the centralized control logic also makes it vulnerable to cyberattacks. To address these issues, recent research has focused on developing powerful machine-learning methods for detecting and mitigating attacks in SDN environments. This paper highlights the countermeasures for cyberattacks on SDN and how current machine learning-based solutions can overcome these emerging issues. We also discuss the pros and cons of using machine learning algorithms for detecting and mitigating these attacks. Finally, we highlight research issues, gaps, and challenges in developing machine learning-based solutions to secure the SDN controller, to help the research and network community develop more robust and reliable solutions.
Funding: Supported by the Wuhan Frontier Program of Application Foundation (No. 2018010401011295) and the National High Technology Research and Development Program of China ("863" Program) (Grant No. 2015AA016002).
Abstract: Software-Defined Networking (SDN) has been a hot topic for future network development, implementing the control plane and the data plane as separate layers. Despite providing high openness and programmability, the "three-layer, two-interface" architecture of SDN changes the traditional network and increases the number of network attack nodes, which results in new security issues. In this paper, we first introduce the background, architecture and working process of SDN. Second, we summarize and analyze the typical security issues from north to south: application layer, northbound interface, control layer, southbound interface and data layer. Another contribution is to review and analyze the existing solutions and latest research progress of each layer, mainly including: authorized authentication module, application isolation, DoS/DDoS defense, multi-controller deployment and flow rule consistency detection. Finally, we draw a conclusion about future work on SDN security and propose an idealized global security architecture.
Abstract: Currently, the Internet of Things (IoT) is revolutionizing communication technology by facilitating the sharing of information between different physical devices connected to a network. To improve control, customization and flexibility, and to reduce network maintenance costs, a new Software-Defined Network (SDN) technology must be used in this infrastructure. Despite the various advantages of combining SDN and IoT, this environment is more vulnerable to various attacks due to the centralization of control. Most methods to ensure IoT security are designed to detect Distributed Denial-of-Service (DDoS) attacks, but they often lack mechanisms to mitigate their severity. This paper proposes a Multi-Attack Intrusion Detection System (MAIDS) for Software-Defined IoT Networks (SDN-IoT). The proposed scheme uses two machine-learning algorithms to improve detection efficiency and provide a mechanism to prevent false alarms. First, a comparative analysis of the most commonly used machine-learning algorithms to secure the SDN was performed on two datasets, the Network Security Laboratory Knowledge Discovery in Databases (NSL-KDD) dataset and the Canadian Institute for Cybersecurity Intrusion Detection Systems (CICIDS2017) dataset, to select the most suitable algorithms for the proposed scheme and for securing SDN-IoT systems. The algorithms evaluated include Extreme Gradient Boosting (XGBoost), K-Nearest Neighbor (KNN), Random Forest (RF), Support Vector Machine (SVM), and Logistic Regression (LR). Second, an algorithm for selecting the best dataset for machine learning in Intrusion Detection Systems (IDS) was developed to enable effective comparison between the datasets used in the development of the security scheme. The results showed that XGBoost and RF are the best algorithms to ensure the security of SDN-IoT and to be applied in the proposed security system, with average accuracies of 99.88% and 99.89%, respectively. Furthermore, the proposed security scheme reduced the false alarm rate by 33.23%, which is a significant improvement over prevalent schemes. Finally, tests of the algorithm for dataset selection showed that the rates of false positives and false negatives were reduced when the XGBoost and RF algorithms were trained on the CICIDS2017 dataset, making it the best for IDS compared to the NSL-KDD dataset.
Abstract: Information security is the backbone of current intelligent systems, such as the Internet of Things (IoT), smart grids, and Machine-to-Machine (M2M) communication. The increasing threat to information security requires new models to ensure the safe transmission of information through such systems. Recently, quantum systems have drawn much attention since they are expected to have a significant impact on research in information security. This paper proposes a quantum teleportation scheme based on controlled multi-users to ensure secure information transmission among users. Quantum teleportation is an original key element in a variety of quantum information tasks as well as quantum-based technologies, and plays a pivotal role in the current progress of quantum computing and communication. In the proposed scheme, the sender transmits the information to the receiver under the control of a third user, or controller. Here, we show that the efficiency of the proposed scheme depends on the properties of the transmission channel and the honesty of the controller. Compared with various teleportation schemes presented recently in the literature, the most important difference in the proposed scheme is the possibility of suspicion about the honesty of the controller and, consequently, of taking proper precautions.
Funding: Project supported by the National Natural Science Foundation of China (Grant Nos. 10604008 and 10435020) and the Beijing Education Committee (Grant No. XK100270454).
Abstract: In this paper a scheme for a quantum secure direct communication (QSDC) network is proposed with a sequence of polarized single photons. The single photons are originally prepared in the same state (0) by the servers on the network, which largely reduces the difficulty for the legitimate users to check for eavesdropping. The users encode the information on the single photons with two unitary operations which do not change their measuring bases. Some decoy photons, which are produced by operating on the sample photons with a Hadamard gate, are used to prevent a potentially dishonest server from freely eavesdropping on the quantum lines. This scheme is an economical one, as it is the easiest way to achieve secure QSDC network communication.
Funding: Supported by the National Natural Science Foundation of China (Grant No. 62076042), the National Key Research and Development Plan of China, Key Project of Cyberspace Security Governance (Grant No. 2022YFB3103103), and the Key Research and Development Project of Sichuan Province (Grant Nos. 2022YFS0571, 2021YFSY0012, 2021YFG0332, and 2020YFG0307).
Abstract: Backdoor attacks are emerging security threats to deep neural networks. In these attacks, adversaries manipulate the network by constructing training samples embedded with backdoor triggers. The backdoored model performs as expected on clean test samples but consistently misclassifies samples containing the backdoor trigger as a specific target label. While quantum neural networks (QNNs) have shown promise in surpassing their classical counterparts in certain machine learning tasks, they are also susceptible to backdoor attacks. However, current attacks on QNNs are constrained by the adversary's understanding of the model structure and specific encoding methods. Given the diversity of encoding methods and model structures in QNNs, the effectiveness of such backdoor attacks remains uncertain. In this paper, we propose an algorithm that leverages dataset-based optimization to initiate backdoor attacks. A malicious adversary can embed backdoor triggers into a QNN model by poisoning only a small portion of the data. The victim QNN maintains high accuracy on clean test samples without the trigger but outputs the target label set by the adversary when predicting samples with the trigger. Furthermore, our proposed attack cannot be easily resisted by existing backdoor detection methods.
Funding: Supported by the Natural Science Foundation of Jiangsu Provincial Universities under Grant No. 10KJB180004 and the National Natural Science Foundation of China under Grant No. 11105075.
Abstract: We propose a bidirectional quantum secure direct communication (QSDC) network protocol with hyperentanglement in both the spatial-mode and the polarization degrees of freedom of photon pairs, which can in principle be produced with a beta barium borate crystal. The secret message can be encoded on the photon pairs with unitary operations in these two degrees of freedom independently. Compared with other QSDC network protocols, our QSDC network protocol has a higher capacity, as each photon pair can carry 4 bits of information. We also discuss the security of our QSDC network protocol and its feasibility with current techniques.
Funding: This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (NRF-2019R1A2B5B01070416), and also supported by the Advanced Research Project funded by SeoulTech (Seoul National University of Science and Technology).
Abstract: In the current era, anyone can freely access the Internet thanks to the development of information and communication technology. The cloud is attracting attention due to its ability to meet continuous user demands for resources. Additionally, the cloud is effective for systems with large data flows, such as Internet of Things (IoT) systems and smart cities. Nonetheless, the use of traditional networking technology in the cloud causes network traffic overload and network security problems. Therefore, the cloud requires efficient networking technology to solve the existing challenges. In this paper, we propose a one-time password-based software-defined cloud architecture for secure dynamic routing to mitigate the above-mentioned issues. The proposed cloud architecture provides a secure data path through dynamic routing using the One-Time Internet Protocol (OTIP) algorithm between each layer. On the network side, we use software-defined technology to provide efficient network management and data security. We introduce a software-defined cloud architecture that applies OTIP algorithms for secure dynamic routing. We conduct a comparative analysis between general IP communication and the proposed OTIP communication architecture, which evaluates the performance of the OTIP algorithms. Finally, we examine the proposed software-defined cloud architecture, including how to apply OTIP in secure dynamic routing according to the results of the comparative analysis.
Abstract: In software-defined networking (SDN), controllers are sinks of information such as network topology collected from switches. Organizations often like to protect their internal network topology and keep their network policies private. We borrow techniques from secure multi-party computation (SMC) to preserve the privacy of the policies of SDN controllers about the status of routers. On the other hand, the number of controllers is one of the most important concerns in the scalability of SMC application in SDNs. To address this issue, we formulate an optimization problem to minimize the number of SDN controllers while considering their reliability in SMC operations. We use the Non-Dominated Sorting Genetic Algorithm II (NSGA-II) to determine the optimal number of controllers, and simulate SMC for typical SDNs with this number of controllers. Simulation results show that applying the SMC technique to preserve the privacy of organization policies causes only a little delay in SDNs, which is completely justifiable by the privacy obtained.
Funding: Supported in part by the National Natural Science Foundation of China (Nos. 61402029, 61370190, and 61379002) and the National Key Basic Research Program (973) of China (No. 2012CB315905).
Abstract: Software-Defined Networking (SDN) decouples the control plane and the data plane in network switches and routers, which enables the rapid innovation and optimization of routing and switching configurations. However, traditional routing mechanisms in SDN, based on the Dijkstra shortest path, do not take the capacity of nodes into account, which may lead to network congestion. Moreover, security resource utilization in SDN is inefficient and is not addressed by existing routing algorithms. In this paper, we propose Route Guardian, a reliable security-oriented SDN routing mechanism, which considers the capabilities of SDN switch nodes combined with a Network Security Virtualization framework. Our scheme employs the distributed network security devices effectively to ensure analysis of abnormal traffic and isolation of malicious nodes. Furthermore, Route Guardian supports dynamic routing reconfiguration according to the latest network status. We prototyped Route Guardian and conducted theoretical analysis and performance evaluation. Our results demonstrate that this approach can effectively use the existing security devices and mechanisms in SDN.
Funding: Supported by the National Natural Science Foundation of China (Nos. 61402357, 61272459, and 61402357), the China Postdoctoral Science Foundation (No. 2015M570835), the Fundamental Research Funds for the Central Universities, China, the Program for New Century Excellent Talents in University, and the CETC 54 Project (No. ITD-U14001/KX142600008).
Abstract: Controllers play a critical role in software-defined networking (SDN). However, existing single-controller SDN architectures are vulnerable to single-point failures, where a controller's capacity can be saturated by flooded flow requests. In addition, due to the complicated interactions between applications and controllers, the flow setup latency is relatively large. To address the above security and performance issues of current SDN controllers, we propose the distributed rule store (DRS), a new multi-controller architecture for SDNs. In DRS, the controller caches the flow rules calculated by applications and distributes these rules to multiple controller instances. Each controller instance holds only a subset of all rules, and the instances periodically check the consistency of their flow rules with each other. Requests from switches are distributed among multiple controllers in order to mitigate controller capacity saturation attacks. At the same time, when rules at one controller are maliciously modified, they can be detected and recovered in time. We implement DRS based on Floodlight and evaluate it with extensive emulation. The results show that DRS can effectively maintain a consistent distributed rule store and, at the same time, achieve a shorter flow setup time and a higher processing throughput compared with ONOS and Floodlight.