Similar articles
1.
Internet security problems remain a major challenge with many security concerns such as Internet worms, spam, and phishing attacks. Botnets, well-organized distributed network attacks, consist of a large number of bots that generate huge volumes of spam or launch Distributed Denial of Service (DDoS) attacks on victim hosts. New emerging botnet attacks degrade the status of Internet security further. To address these problems, a practical collaborative network security management system is proposed with an effective collaborative Unified Threat Management (UTM) and traffic probers. A distributed security overlay network with a centralized security center leverages a peer-to-peer communication protocol used in the UTMs' collaborative module and connects them virtually to exchange network events and security rules. Security functions for the UTM are retrofitted to share security rules. In this paper, we propose a design and implementation of a cloud-based security center for network security forensic analysis. We propose using cloud storage to keep collected traffic data and then processing it with cloud computing platforms to find the malicious attacks. As a practical example, phishing attack forensic analysis is presented and the required computing and storage resources are evaluated based on real trace data. The cloud-based security center can instruct each collaborative UTM and prober to collect events and raw traffic, send them back for deep analysis, and generate new security rules. These new security rules are enforced by collaborative UTM and the feedback events of such rules are returned to the security center. By this type of closed-loop control, the collaborative network security management system can identify and address new distributed attacks more quickly and effectively.

2.
Cloud is an emerging computing paradigm. It has drawn extensive attention from both academia and industry. But its security issues have been considered a critical obstacle to its rapid development. When data owners store their data as plaintext in the cloud, they lose the security of their cloud data due to its arbitrary accessibility, especially to the untrusted cloud. In order to protect the confidentiality of data owners' cloud data, a promising idea is for data owners to encrypt data before storing them in the cloud. However, the straightforward employment of traditional encryption algorithms cannot solve the problem well, since it is hard for data owners to manage their private keys if they want to securely share their cloud data with others in a fine-grained manner. In this paper, we propose a fine-grained and heterogeneous proxy re-encryption (FH-PRE) system to protect the confidentiality of data owners' cloud data. By applying the FH-PRE system in the cloud, data owners' cloud data can be securely stored in the cloud and shared in a fine-grained manner. Moreover, the heterogeneity support makes our FH-PRE system more efficient than the previous work. Additionally, it provides secure data sharing between two heterogeneous cloud systems, which are equipped with different cryptographic primitives.

3.
Video streaming services are increasingly deployed on the cloud. Cloud computing offers better stability and lower price than traditional IT facilities. Huge storage capacity is essential for video streaming services. More and more cloud providers are appearing, so there are more cloud platforms to choose from. A better choice is to use more than one data center, which is called multi-cloud. In this paper a closed-loop approach is proposed for optimizing Quality of Service (QoS) and cost. Modules for monitoring and controlling data centers are required, as well as application feedback such as that from video streaming services. An algorithm is proposed to help choose cloud providers and data centers in a multi-cloud environment as a video service manager. Performance with different video service workloads is evaluated. Compared with using only one cloud provider, dynamically deploying services in multi-cloud is better in terms of both cost and QoS. If cloud service costs differ among data centers, the algorithm will help make choices to lower the cost and keep a high QoS.

4.
Efficient schemes for securing network coding against wiretapping   Total citations: 1, self-citations: 1, citations by others: 0
Existing solutions for secure network coding either bring significant bandwidth overhead or incur a high computational complexity. To provide a low-overhead mechanism for secure network coding against wiretapping, three efficient schemes are proposed for applications with different security requirements. The basic idea behind this paper is first to encrypt a small part of the source vectors and then subject the remaining original source vectors and the encrypted vectors to a special linear transformation. A lightweight version of this scheme is then presented for resource-constrained networks. Moreover, an extensive scheme with enhanced security is also considered. All proposals are shown to have properties of lower security complexity and smaller bandwidth usage compared with the existing solutions. The proposals can also easily achieve flexible levels of security for various applications.

5.
Identity Based Group Key Agreement in Multiple PKG Environment   Total citations: 2, self-citations: 0, citations by others: 2
Secure and reliable group communication is an increasingly active research area owing to the growing popularity of group-oriented and collaborative applications. In this paper, we propose the first identity-based authenticated group key agreement in a multiple private key generator (PKG) environment. It is inspired by a new two-party identity-based key agreement protocol first proposed by Hoonjung Lee et al. In our scheme, although each member comes from a different domain and belongs to a different PKG, and the PKGs do not share common system parameters, the members can agree on a shared secret group key. We show that our scheme satisfies all security requirements of group key agreement protocols.

6.
In this paper, the NetSLab network platform for remote collaborative pseudo-dynamic testing, which was developed recently by a research group led by Hunan University, is presented. Targeting the MTS system, which is widely used in structural testing, the control method with an acquisition board was investigated in this study to realize the communication interface between NetSLab and the MTS system and to set up the remote collaborative pseudo-dynamic testing system. Using the developed testing system, a collaborative pseudo-dynamic test on a LAN was carried out successfully. The results show that data transmission and collaborative control can be implemented accurately between NetSLab and the MTS system, which validates the usability of the testing system.

7.
At present, most providers of cloud computing mainly provide infrastructure and infrastructure as a service (IaaS) offerings. But there is a serious problem: the lack of security standards and an evaluation model for IaaS. After analyzing how vulnerabilities manifest in an IaaS cloud computing system, a mapping relationship was established between the vulnerabilities of IaaS and the nine threats of cloud computing released by the Cloud Security Alliance (CSA). According to the mapping relationship, a model for evaluating the security of IaaS was proposed, and the effectiveness of the model was verified on OpenStack using the analytic hierarchy process (AHP) and the fuzzy evaluation method.

8.
Key management is a fundamental security service in wireless sensor networks. The communication security problems for these networks are exacerbated by the limited power and energy of the sensor devices. In this paper, we describe the design and implementation of an efficient key management scheme based on low energy adaptive clustering hierarchy (LEACH) for wireless sensor networks. The design of the protocol is motivated by the observation that many sensor nodes in the network play different roles. In the scheme, different keys are assigned to the sensors to meet the needs of different transmitted messages and variable security requirements. Simulation results show that our key management protocol based on LEACH can achieve better performance. The energy consumption overhead introduced is remarkably low compared with the original Kerberos schemes.

9.
Power system security and reliability are more complex issues in a deregulated environment. Various criteria have been considered for power system reliability. In the day-ahead market, a successful trade schedule should be able to accept various disturbances with sufficient flexibility to be adjusted during the re-dispatch process. This paper describes the dispatch liquidity theory and some liquidity indices. The liquidity indices evaluate the effective operating reserves with the network constraints taken into consideration. A model is presented to calculate the liquidity index. An extended trade scheduling model with minimum liquidity index constraints is presented that considers the distribution requirements of the operating reserves. The liquidity indices could also be used to coordinate the security and reliability between multistage markets and for contingency selection. The algorithms were tested with real power system data. The results show that the dispatch liquidity theory is reasonable and the algorithms are effective.

10.
The complexity of solving large business and scientific problems places higher requirements on the existing IT environment of the institutions concerned. An increase in complexity is often coupled with demands to deliver various different Qualities of Service (QoS), relating for example to response time, throughput, availability, security and/or co-allocation of multiple resource types. In many cases it is not enough just to deliver the required QoS in a straightforward way; the delivery also has to satisfy requirements with respect to timing, load distribution and security, among others. Because of this, outsourcing of such coordinated QoS (CQoS) is getting more and more common. The connection and collaboration of different resources across system boundaries and control domains is a promising approach for executing such large-scale, resource- and coordination-intensive jobs.

11.
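Internet security alert data centers are one of the important infrastructures for responding to large-scale network security threats. This article proposes a method for measuring local network security threats using a data center. On the basis of system vulnerability scanning and analysis, the concept of a port attack trend is introduced, and attack trends are computed from external data center data, so that threat assessment of the local system is combined with the current network security situation and the system's security threat score is recalculated. A prototype was implemented to verify the designed ...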

12.
Virtual Machine (VM) allocation for multiple tenants is an important and challenging problem in providing efficient infrastructure services in cloud data centers. Tenants run applications on their allocated VMs, and the network distance between a tenant's VMs may considerably impact the tenant's Quality of Service (QoS). In this study, we define and formulate the multi-tenant VM allocation problem in cloud data centers, considering the VM requirements of different tenants, and introducing the allocation goal of minimizing the sum of the VMs' network diameters of all tenants. Then, we propose a Layered Progressive resource allocation algorithm for multi-tenant cloud data centers based on the Multiple Knapsack Problem (LP-MKP). The LP-MKP algorithm uses a multi-stage layered progressive method for multi-tenant VM allocation and efficiently handles unprocessed tenants at each stage. This reduces resource fragmentation in cloud data centers, decreases the differences in QoS among tenants, and improves tenants' overall QoS in cloud data centers. We perform experiments to evaluate the LP-MKP algorithm and demonstrate that it can provide significant gains over other allocation algorithms.

13.
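Li Qian (李茜), 《广西科学院学报》 (Journal of Guangxi Academy of Sciences), 2013, 29(2): 89-91, 102
Addressing the key technical requirements set out for the third level of the national classified protection system for information system security, and taking into account the actual situation of a higher vocational college's data center in terms of network environment, host services, applications and data management, a classified-protection-based design scheme for the information system security architecture of university data centers is proposed.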

14.
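Cloud computing represents an entirely new computing model and fundamentally changes every aspect of IT services. The main advantages of a cloud environment are reducing data center cost expenditure and obtaining dynamic access to resources when needed, without consuming manpower or time and without affecting staff efficiency or organizational competitiveness. However, cloud computing still has some network performance and security problems. All enterprises, government agencies and service providers that operate clouds, as well as equipment vendors that support cloud infrastructure, must take these factors into account in their designs. Cloud performance and security testing tools can be used to check the performance a cloud should have, in order to achieve its results.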

15.
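The security of cloud computing must face both the security threats brought by traditional information technology and the new risks brought by core cloud computing technologies such as virtualization. Based on the classic PPDR security model, which centers on security policy, protection, detection and response, and drawing on the author's many years of security practice working at a cloud service provider, this paper discusses the key technologies for designing and implementing a cloud computing security architecture, including security design and implementation at five layers (network, host, application, data, and operations and maintenance), and looks ahead to technology trends related to cloud computing security. A combat-tested design and implementation of a cloud computing security architecture is presented, in particular the design and implementation of the data security architecture. In the 3 years since it went live, the architecture has mitigated more than 99.99% of security attacks against the cloud platform and has withstood large-scale real-world security operations on the production network.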

16.
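Cloud computing is the third transformation of the IT industry and has become a hot topic in Internet information services research, with various cloud computing products appearing one after another. Cloud computing mostly adopts an architecture of strong data centers and weak terminals; building a cloud computing center with this architecture requires a large capital investment and a high-speed network access environment. At present, network bandwidth in China can hardly meet the service demands under this cloud computing framework; at the same time, the establishment of numerous cloud computing centers may to some extent waste existing PC equipment resources. A cloud computing service architecture based on dynamic user fusion is proposed. By dynamically merging user terminals that have a certain storage and computing capacity into the data center, the architecture allows the scale of the cloud computing center to expand or shrink dynamically and lets users provide services to other users of the cloud service. Based on this framework, a cloud-service video-on-demand system is designed and implemented. Experiments show that the framework allows the cloud's scale to be expanded dynamically while maintaining cloud service quality.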

17.
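To address the new security risks that the introduction of new service models and the use of virtualization technology bring to information security in cloud computing environments, the security of public clouds is studied. Starting from two aspects of user security goals, data security and cloud service availability and performance, the security threats facing public clouds are comprehensively analyzed. A public cloud security reference framework is designed, which proposes strengthening public cloud security with respect to user management, data security, data center software and hardware security, and the security problems caused by transfer of control. Finally, cloud security assessment is discussed. Experimental results show that the structure can improve public security overall and resist various security threats.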

18.
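Based on a study of cloud computing technology, an FTP server was built, and, from the perspective of solving current network security problems, the security of the FTP cloud was studied.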

19.
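With the large-scale commercial deployment of 5G networks, data security and privacy protection under the 5G architecture have become a current research hotspot. In the 5G network environment, traditional cloud computing has evolved into the mobile edge computing architecture, and from there into the standardized "fog computing" framework. To ensure data security and privacy protection in the fog computing framework, this study introduces a blockchain distributed security mechanism for security authentication and sharded asymmetric encryption, and further validates and optimizes the basic computing framework through simulation experiments. The experimental results show that latency can be significantly reduced while data security is ensured, and a practical network topology architecture has been formed, which will play a role in data security and privacy protection for large-scale 5G applications in various fields.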

20.
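Cloud computing is a new computing model that emerged after grid technology; its emergence is not merely a by-product of the 2.0 era but a huge change in the Internet era. Starting from the concept of cloud computing, this paper analyzes the feasibility of applying cloud computing to digital libraries and, based on the characteristics of cloud computing and the elements that make up digital library service models, discusses from different angles cloud digital library service models in a cloud computing environment: the one-stop service model, the platform service model, the personalized service model, and the resource co-construction and sharing service model.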
