基于信息融合的网络安全态势评估模型

安全态势评估是近年来国内外在网络安全领域的研究热点之一.对已有的安全态势评估方法进行了详细分析和比较,针对网络安全中多数据源的特点,提出基于信息融合的网络安全态势评估模型,引入改进的D-S证据理论将多数据源信息进行融合,利用漏洞信息和服务信息,经过态势要素融合和节点态势融合计算网络安全态势,绘制安全态势曲线图,同时对态势计算结果进行时间序列分析,从而实现网络安全趋势的预测.最后利用网络实例数据,对所提出的网络安全态势评估模型和算法进行了验证,结果表明该模型比已有成果更加有效和准确.

国内外信息安全研究现状及其发展趋势

随着信息技术的发展与应用,信息安全的内涵在不断地延伸,从最初的信息保密性发展到信息的完整性、可用性、可控性和不可否认性,进而又发展为“攻(攻击)、防(防范)、测(检测)、控(控制)、管(管理)、评(评估)”等多方面的基础理论和实施技术。信息安全是一个综合、交叉学科领域,它要综合利用数学、物理、通信和计算机诸多学科的长期知识积累和最

一种对等计算安全性的时间自衰减信任管理算法

面向对等计算的信任度评估提出了一种新的信任管理量化算法，该算法解决了已有算法不能很好解决的信任时间衰减特性和节点联盟等问题，系统地对目前有代表性的网络信任评估算法进行了总结和分析，并对当前相关的国内外研究热点作了分类，同时给出了信任相关的一些定义以及算法应该考虑的问题，并提出一套完整解决问题的算法．定义了信任时间矫正函数、域信任矫正函数、信任值校准函数和准确度函数，并构造了信任时间矫正算法与域矫正算法，通过推导说明本算法具有良好的时间衰减性、历史经验相关性、新入节点奖励特性和联盟特性，同时给出了一般性的信任自然衰减曲线和8种典型特征域的系数变化范围．通过实验评价了算法的正确性和有效性，并和Azzedin算法进行比较，表明提出的算法效率和准确性有了显著的提高．

基于日志审计与性能修正算法的网络安全态势评估模型

文章分析和比较了目前的安全态势评估方法,提出了一种基于日志审计与性能修正算法的网络安全态势评估模型.首先利用日志审计评估节点理论安全威胁,并通过性能修正算法计算节点安全态势.然后利用节点服务信息计算网络安全态势,并且采用多种预测模型对网络安全态势进行预测,绘制安全态势曲线图.最后构建了一个网络实例,使用网络仿真软件对文中提出的态势评估模型和算法进行了验证.实验证明该方法切实有效,比传统方浇法更准确地反映了网络的安全态势和发展趋势.

分工式门限认证加密方案

(t,n)门限认证加密方案允许t个以上签名方产生指定接收方的认证加密签名,使得只有指定的接收方能够恢复消息和验证消息的完整性,而其他人却无法做到这一点.最近,在Tseng和Jan的认证加密方案的基础上,Chung等构造了一个(t,n)门限认证加密方案.该方案运用了分工式签名技术,有效地减轻了签名方的负担.然而,该文作者对该方案的安全性仅进行了解释性说明.目前,文献中没有对分工式门限认证加密的形式化刻画,没有出现可证安全分工式门限认证加密方案.事实上,Chung等的分工式门限认证加密方案存在设计上的缺陷.文中给出了分工式门限认证加密方案的形式化模型和安全模型,基于双线性映射构造了一个新的分工式门限认证加密方案.在随机预言机模型下,证明了该方案对于适应性选择密文攻击是语义安全的,该方案对于适应性选择消息攻击是存在性不可伪造的.方案的安全性可规约到计算性Diffie-Hellman(CDH)困难假设和决定性双线性Diffie-Hellman困难假设(DBDH).

Tools for Finding Inconsistencies in Real-world Logic-based Systems

Currently there is extensive theoretical work on inconsistencies in logic-based systems. Recently, algorithms for identifying inconsistent clauses in a single conjunctive formula have demonstrated that practical application of this work is possible. However, these algorithms have not been extended for full knowledge base systems and have not been applied to real-world knowledge. To address these issues, we propose a new algorithm for finding the inconsistencies in a knowledge base using existing algorithms for finding inconsistent clauses in a formula. An implementation of this algorithm is then presented as an automated tool for finding inconsistencies in a knowledge base and measuring the inconsistency of formulae. Finally, we look at a case study of a network security rule set for exploit detection (QRadar) and suggest how these automated tools can be applied.

Secure Multiuser Multiple Amplify-and-Forward Relay Networks in Presence of Multiple Eavesdroppers

In this paper, we study the information-theoretical security of a downlink multiuser cooperative relaying network with multiple intermediate amplify-and-forward (AF) relays, where there exist multiple eavesdroppers which can overhear the message. To prevent the wiretap and strength the network security, we select one best relay and user pair, so that the selected user can receive the message from the base station assisted by the selected relay. The relay and user selection is performed by maximizing the ratio of the received signal-to-noise ratio (SNR) at the user to the eavesdroppers, which is based on both the main and eavesdropper links. For the considered system, we derive the closed-form expression of the secrecy outage probability, and provide the asymptotic expression in high main-to-eavesdropper ratio (MER) region. From the asymptotic analysis, we can find that the system diversity order is equivalent to the number of relays regardless of the number of users and eavesdroppers.

Investigation of secure wireless regions using configurable beamforming on WARP

In this paper, we examine a novel approach to network security against passive eavesdroppers in a ray-tracing model and implement it on a hardware platform. By configuring antenna array beam patterns to transmit the data to specific regions, it is possible to create defined regions of coverage for targeted users. By adapting the antenna configuration according to the intended user’s channel state information, this allows the vulnerability of the physical regions to eavesdropping to be reduced. We present the application of our concept to 802.11n networks where an antenna array is employed at the access point. A range of antenna array configurations are examined by simulation and then realized using the Wireless Open-Access Research Platform(WARP)

Creating secure wireless regions using configurable beamforming

We present a novel approach to network security against passive eavesdroppers by employing a configurable beam-forming technique to create tightly defined regions of coverage for targeted users. In contrast to conventional encryption methods, our security scheme is developed at the physical layer by configuring antenna array beam patterns to transmit the data to specific regions. It is shown that this technique can effectively reduce vulnerability of the physical regions to eavesdropping by adapting the antenna configuration according to the intended user's channel state information. In this paper we present the application of our concept to 802.11n networks where an antenna array is employed at the access point, and consider the issue of minimizing the coverage area of the region surrounding the targeted user. A metric termed the exposure region is formally defined and used to evaluate the level of security offered by this technique. A range of antenna array configurations are examined through analysis and simulation, and these are subsequently used to obtain the optimum array configuration for a user traversing a coverage area.

Secure Multiuser Communications in Multiple Amplify-and-Forward Relay Networks

This paper proposes relay selection in order to increase the physical layer security in multiuser cooperative relay networks with multiple amplify-and-forward (AF) relays, in the presence of multiple eavesdroppers. To strengthen the network security against eavesdropping attack, we present three criteria to select the best relay and user pair. Specifically, criterion I and II study the received signal-to-noise ratio (SNR) at the receivers, and perform the selection by maximizing the SNR ratio of the user to the eavesdroppers. To this end, criterion I relies on both the main and eavesdropper links, while criterion II relies on the main links only. Criterion III is the standard max-min selection criterion,
which maximizes the minimum of the dual-hop channel gains of main links. For the three selection criteria, we examine the system secrecy performance by deriving the analytical expressions for the secrecy outage probability. We also derive the asymptotic analysis for the secrecy outage probability with high main-to eavesdropper ratio (MER). From the asymptotic analysis, an interesting observation is reached: for each criterion, the system diversity order is equivalent to the number of relays regardless of the number of users and eavesdroppers.

Implementation of Selective Packet Destruction on Wireless Open-Access Research Platform

Interesting wireless networking scenarios exist wherein network services must be guaranteed in a dynamic fashion for some priority users. For example, in disaster recovery, members need to be able to quickly block other users in order to gain sole use of the radio channel. As it is not always feasible to physically switch off other users, we propose a new approach, termed selective packet destruction (SPD) to ensure service for priority users. A testbed for SPD has been created, based on the Rice University Wireless open-Access Research Platform and been used to examine the feasibility of our approach. Results from the testbed are presented to demonstrate the feasibility of SPD and show how a balance between performance and acknowledgement destruction rate can be achieved. A 90% reduction in TCP & UDP traffic is achieved for a 75% MAC ACK destruction rate.

Geofencing Components and Existing Models

This paper describes the various Geofencing Components and Existing Models in terms of their Information Security Control Attribute Profiles. The profiles will dictate the security attributes that should accompany each and every Geofencing Model used for Wi-Fi network security control in an organization, thus minimizing the likelihood of malfunctioning security controls. Although it is up to an organization to investigate the best way of implementing information security for itself, by looking at the related models that have been used in the past this paper will present models commonly used to implement information security controls in the organizations. Our findings will highlight the strengths and weaknesses of the various models and present what our experiment and prototype consider as a robust Geofencing Security Model for securing Wi-Fi Networks

Effectiveness Of Feature Detection Operators On The Performance Of Iris Biometric Recognition System

Iris Recognition is a highly efficient biometric identification system with great possibilities for future in the security systems area.Its robustness and unobtrusiveness, as opposed tomost of the currently deployed systems, make it a good candidate to replace most of thesecurity systems around. By making use of the distinctiveness of iris patterns, iris recognition systems obtain a unique mapping for each person. Identification of this person is possible by applying appropriate matching algorithm.In this paper, Daugman’s Rubber Sheet model is employed for irisnormalization and unwrapping, descriptive statistical analysis of different feature detection operators is performed, features extracted is encoded using Haar wavelets and for classification hammingdistance as a matching algorithm is used. The system was tested on the UBIRIS database. The edge detection algorithm, Canny, is found to be the best one to extract most of the iris texture. The success rate of feature detection using canny is 81%, False Accept Rate is 9% and False Reject Rate is 10%.