Biblio

Filters: Keyword is security management
2019-06-17
Kim, Eunsoo, Kim, Kuyju, Lee, Seungjin, Jeong, Jaehoon Paul, Kim, Hyoungshick.  2018.  A Framework for Managing User-defined Security Policies to Support Network Security Functions. Proceedings of the 12th International Conference on Ubiquitous Information Management and Communication. :85:1–85:8.
Network Functions Virtualization (NFV) and Software Defined Networking (SDN) make it easier for security administrators to manage security policies on a network system. However, it is still challenging to map high-level security policies defined by users into low-level security policies that can be applied to network security devices. To address this problem, we introduce a framework for effectively managing user-defined security policies for network security functions based on standard interfaces that are currently being standardized in an IETF working group. To show the feasibility of the proposed framework, we implemented a prototype based on the RESTCONF protocol and showed that the proposed framework can be applied in real-world scenarios for network separation, DDoS mitigation and ransomware prevention.
2019-03-06
Fargo, F., Sury, S..  2018.  Autonomic Secure HPC Fabric Architecture. 2018 IEEE/ACS 15th International Conference on Computer Systems and Applications (AICCSA). :1-4.

Cloud computing is the major paradigm in today's IT world with the capabilities of security management, high performance, flexibility, scalability. Customers valuing these features can better benefit if they use a cloud environment built using HPC fabric architecture. However, security is still a major concern, not only on the software side but also on the hardware side. There are multiple studies showing that the malicious users can affect the regular customers through the hardware if they are co-located on the same physical system. Therefore, solving possible security concerns on the HPC fabric architecture will clearly make the fabric industries leader in this area. In this paper, we propose an autonomic HPC fabric architecture that leverages both resilient computing capabilities and adaptive anomaly analysis for further security.

2018-10-26
He, S., Cheng, B., Wang, H., Xiao, X., Cao, Y., Chen, J..  2018.  Data security storage model for fog computing in large-scale IoT application. IEEE INFOCOM 2018 - IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS). :39–44.

With the scale of big data increasing in large-scale IoT application, fog computing is a recent computing paradigm that is extending cloud computing towards the edge of network in the field. There are a large number of storage resources placed on the edge of the network to form a geographical distributed storage system in fog computing system (FCS). It is used to store the big data collected by the fog computing nodes and to reduce the management costs for moving big data to the cloud. However, the storage of fog nodes at the edge of the network faces a direct attack of external threats. In order to improve the security of the storage of fog nodes in FCS, in this paper, we proposed a data security storage model for fog computing (FCDSSM) to realize the integration of storage and security management in large-scale IoT application. We designed a detail of the FCDSSM system architecture, gave a design of the multi-level trusted domain, cooperative working mechanism, data synchronization and key management strategy for the FCDSSM. Experimental results show that the loss of computing and communication performance caused by data security storage in the FCDSSM is within the acceptable range, and the FCDSSM has good scalability. It can be adapted to big data security storage in large-scale IoT application.

2018-09-12
Jillepalli, A. A., Sheldon, F. T., Leon, D. C. de, Haney, M., Abercrombie, R. K..  2017.  Security management of cyber physical control systems using NIST SP 800-82r2. 2017 13th International Wireless Communications and Mobile Computing Conference (IWCMC). :1864–1870.
Cyber-attacks and intrusions in cyber-physical control systems are, currently, difficult to reliably prevent. Knowing a system's vulnerabilities and implementing static mitigations is not enough, since threats are advancing faster than the pace at which static cyber solutions can counteract. Accordingly, the practice of cybersecurity needs to ensure that intrusion and compromise do not result in system or environment damage or loss. In a previous paper [2], we described the Cyberspace Security Econometrics System (CSES), which is a stakeholder-aware and economics-based risk assessment method for cybersecurity. CSES allows an analyst to assess a system in terms of estimated loss resulting from security breakdowns. In this paper, we describe two new related contributions: 1) We map the Cyberspace Security Econometrics System (CSES) method to the evaluation and mitigation steps described by the NIST Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82r2. Hence, presenting an economics-based and stakeholder-aware risk evaluation method for the implementation of the NIST-SP-800-82 guide; and 2) We describe the application of this tailored method through the use of a fictitious example of a critical infrastructure system of an electric and gas utility.
2018-03-05
Schnepf, N., Badonnel, R., Lahmadi, A., Merz, S..  2017.  Automated Verification of Security Chains in Software-Defined Networks with Synaptic. 2017 IEEE Conference on Network Softwarization (NetSoft). :1–9.

Software-defined networks provide new facilities for deploying security mechanisms dynamically. In particular, it is possible to build and adjust security chains to protect the infrastructures, by combining different security functions, such as firewalls, intrusion detection systems and services for preventing data leakage. It is important to ensure that these security chains, in view of their complexity and dynamics, are consistent and do not include security violations. We propose in this paper an automated strategy for supporting the verification of security chains in software-defined networks. It relies on an architecture integrating formal verification methods for checking both the control and data planes of these chains, before their deployment. We describe algorithms for translating specifications of security chains into formal models that can then be verified by SMT solving or model checking. Our solution is prototyped as a package, named Synaptic, built as an extension of the Frenetic family of SDN programming languages. The performances of our approach are evaluated through extensive experimentations based on the CVC4, veriT, and nuXmv checkers.

2018-02-27
Calo, S., Lupu, E., Bertino, E., Arunkumar, S., Cirincione, G., Rivera, B., Cullen, A..  2017.  Research Challenges in Dynamic Policy-Based Autonomous Security. 2017 IEEE International Conference on Big Data (Big Data). :2970–2973.

Generative policies enable devices to generate their own policies that are validated, consistent and conflict free. This autonomy is required for security policy generation to deal with the large number of smart devices per person that will soon become reality. In this paper, we discuss the research issues that have to be addressed in order for devices involved in security enforcement to automatically generate their security policies - enabling policy-based autonomous security management. We discuss the challenges involved in the task of automatic security policy generation, and outline some approaches based on machine learning that may potentially provide a solution to the same.

2018-02-21
Oh, Sanghak, Kim, Eunsoo, Jeong, Jaehoon(Paul), Ko, Hoon, Kim, Hyoungshick.  2017.  A Flexible Architecture for Orchestrating Network Security Functions to Support High-level Security Policies. Proceedings of the 11th International Conference on Ubiquitous Information Management and Communication. :44:1–44:5.
Network Functions Virtualization (NFV) has provided a new way to design and deploy network security services, but it may fail to build a practically useful ecosystem that seamlessly integrates network security services if there is no standard interface between them. We propose a generic architecture for security management service based on Network Security Functions (NSF) using NFV. The proposed architecture allows users to define their security requirements in a user-friendly manner by providing the users with high-level security interfaces that do not require specific information about network resources and protocols. We design basic components (e.g., Security policy manager, NSF capability manager, Application logic, Policy updater and Event collector) and interfaces for the proposed architecture. We introduce three use cases: (1) blacklists of dangerous domains, (2) time-dependent access control policies and (3) detection of suspicious calls for VoIP-VoLTE services. We also explain how to implement our proposed architecture with an illustrative example. Furthermore, we discuss several technical challenges to deploy the proposed architecture in a real network environment.
2018-02-02
Brunner, M., Huber, M., Sauerwein, C., Breu, R..  2017.  Towards an Integrated Model for Safety and Security Requirements of Cyber-Physical Systems. 2017 IEEE International Conference on Software Quality, Reliability and Security Companion (QRS-C). :334–340.

Increasing interest in cyber-physical systems with integrated computational and physical capabilities that can interact with humans can be identified in research and practice. Since these systems can be classified as safety- and security-critical systems the need for safety and security assurance and certification will grow. Moreover, these systems are typically characterized by fragmentation, interconnectedness, heterogeneity, short release cycles, cross organizational nature and high interference between safety and security requirements. These properties combined with the assurance of compliance to multiple standards, carrying out certification and re-certification, and the lack of an approach to model, document and integrate safety and security requirements represent a major challenge. In order to address this gap we developed a domain agnostic approach to model security and safety requirements in an integrated view to support certification processes during design and run-time phases of cyber-physical systems.

2015-05-05
Chandrasekaran, S., Nandita, S., Nikhil Arvind, R..  2014.  Social network security management model using Unified Communications as a Service. Computer Applications and Information Systems (WCCAIS), 2014 World Congress on. :1-5.

The objective of the paper is to propose a social network security management model for a multi-tenancy SaaS application using Unified Communications as a Service (UCaaS) approach. The earlier security management models do not cover the issues when data inadvertently get exposed to other users due to poor implementation of the access management processes. When a single virtual machine moves or dissolves in the network, many separate machines may bypass the security conditions that had been implemented for its neighbors which lead to vulnerability of the hosted services. When the services are multi-tenant, the issue becomes very critical due to lack of asynchronous asymmetric communications between virtual when more number of applications and users are added into the network creating big data issues and its identity. The TRAIN model for the security management using PC-FAST algorithm is proposed in order to detect and identify the communication errors between the hosted services.
 

2015-05-04
Sah, S.K., Shakya, S., Dhungana, H..  2014.  A security management for Cloud based applications and services with Diameter-AAA. Issues and Challenges in Intelligent Computing Techniques (ICICT), 2014 International Conference on. :6-11.

The Cloud computing offers various services and web based applications over the internet. With the tremendous growth in the development of cloud based services, the security issue is the main challenge and today's concern for the cloud service providers. This paper describes the management of security issues based on Diameter AAA mechanisms for authentication, authorization and accounting (AAA) demanded by cloud service providers. This paper focuses on the integration of Diameter AAA into cloud system architecture.