Biblio

The experimental results demonstrated that, With the development of cloud computing, more and more people use cloud computing to do all kinds of things. However, for cloud computing, the most important thing is to ensure the stability of user data and improve security at the same time. From an analysis of the experimental results, it can be found that Cloud computing makes extensive use of technical means such as computing virtualization, storage system virtualization and network system virtualization, abstracts the underlying physical facilities into external unified interfaces, maps several virtual networks with different topologies to the underlying infrastructure, and provides differentiated services for external users. By comparing and analyzing the experimental results, it is clear that virtualization technology will be the main way to solve cloud computing security. Virtualization technology introduces a virtual layer between software and hardware, provides an independent running environment for applications, shields the dynamics, distribution and differences of hardware platforms, supports the sharing and reuse of hardware resources, provides each user with an independent and isolated computer environment, and facilitates the efficient and dynamic management and maintenance of software and hardware resources of the whole system. Applying virtualization technology to cloud security reduces the hardware cost and management cost of "cloud security" enterprises to a certain extent, and improves the security of "cloud security" technology to a certain extent. This paper will outline the basic cloud computing security methods, and focus on the analysis of virtualization cloud security technology

In this paper, we address the virtual network embedding (VNE) problem in non-terrestrial networks (NTNs) enabling dynamic changes in the virtual network function (VNF) deployment to maximize the service acceptance rate and service revenue. NTNs such as satellite networks involve highly dynamic topology and limited resources in terms of rate and power. VNE in NTNs is a challenge because a static strategy under-performs when new service requests arrive or the network topology changes unexpectedly due to failures or other events. Existing solutions do not consider the power constraint of satellites and rate limitation of inter-satellite links (ISLs) which are essential parameters for dynamic adjustment of existing VNE strategy in NTNs. In this work, we propose a dynamic VNE algorithm that selects a suitable VNE strategy for new and existing services considering the time-varying network topology. The proposed scheme, D-ViNE, increases the service acceptance ratio by 8.51% compared to the benchmark scheme TS-MAPSCH.

Dynamic memory allocators are critical components of modern systems, and developers strive to find a balance between their performance and their security. Unfortunately, vulnerable allocators are routinely abused as building blocks in complex exploitation chains. Most of the research regarding memory allocators focuses on popular and standardized heap libraries, generally used by high-end devices such as desktop systems and servers. However, dynamic memory allocators are also extensively used in embedded systems but they have not received much scrutiny from the security community.In embedded systems, a raw firmware image is often the only available piece of information, and finding heap vulnerabilities is a manual and tedious process. First of all, recognizing a memory allocator library among thousands of stripped firmware functions can quickly become a daunting task. Moreover, emulating firmware functions to test for heap vulnerabilities comes with its own set of challenges, related, but not limited, to the re-hosting problem.To fill this gap, in this paper we present HEAPSTER, a system that automatically identifies the heap library used by a monolithic firmware image, and tests its security with symbolic execution and bounded model checking. We evaluate HEAPSTER on a dataset of 20 synthetic monolithic firmware images — used as ground truth for our analyses — and also on a dataset of 799 monolithic firmware images collected in the wild and used in real-world devices. Across these datasets, our tool identified 11 different heap management library (HML) families containing a total of 48 different variations. The security testing performed by HEAPSTER found that all the identified variants are vulnerable to at least one critical heap vulnerability. The results presented in this paper show a clear pattern of poor security standards, and raise some concerns over the security of dynamic memory allocators employed by IoT devices.

Software Defined Networking (SDN) is an emerging technology, which provides the flexibility in communicating among network. Software Defined Network features separation of the data forwarding plane from the control plane which includes controller, resulting centralized network. Due to centralized control, the network becomes more dynamic, and resources are managed efficiently and cost-effectively. Network Virtualization is transformation of network from hardware-based to software-based. Network Function Virtualization will permit implementation, adaptable provisioning, and even management of functions virtually. The use of virtualization of SDN networks permits network to strengthen the features of SDN and virtualization of NFV and has for that reason has attracted notable research awareness over the last few years. SDN platform introduces network security challenges. The network becomes vulnerable when a large number of requests is encapsulated inside packet\_in messages and passed to controller from switch for instruction, if it is not recognized by existing flow entry rules. which will limit the resources and become a bottleneck for the entire network leading to DDoS attack. It is necessary to have quick provisional methods to prevent the switches from breaking down. To resolve this problem, the researcher develops a mechanism that detects and mitigates flood attacks. This paper provides a comprehensive survey which includes research relating frameworks which are utilized for detecting attack and later mitigation of flood DDoS attack in Software Defined Network (SDN) with the help of NFV.

Dual Connectivity is a key approach to achieving optimization of throughput and latency in heterogeneous networks. Originally a technique introduced by the 3rd Generation Partnership Project (3GPP) for terrestrial communications, it is not been widely explored in satellite systems. In this paper, Dual Connectivity is implemented in a multi-orbital satellite network, where a network model is developed by employing the diversity gains from Dual Connectivity and Carrier Aggregation for the enhancement of satellite uplink capacity. An introduction of software defined network controller is performed at the network layer coupled with a carefully designed hybrid resource allocation algorithm which is implemented strategically. The algorithm performs optimum dynamic flow control and traffic steering by considering the availability of resources and the channel propagation information of the orbital links to arrive at a resource allocation pattern suitable in enhancing uplink system performance. Simulation results are shown to evaluate the achievable gains in throughput and latency; in addition we provide useful insight in the design of multi-orbital satellite networks with implementable scheduler design.

In order to solve the problem that the traditional “centralized” access control technology can no longer guarantee the security of access control in the current Internet of Things (IoT)environment, a dynamic access control game mechanism based on trust is proposed. According to the reliability parameters of the recommended information obtained by the two elements of interaction time and the number of interactions, the user's trust value is dynamically calculated, and the user is activated and authorized to the role through the trust level corresponding to the trust value. The trust value and dynamic adjustment factor are introduced into the income function to carry out game analysis to avoid malicious access behavior of users. The hybrid Nash equilibrium strategy of both sides of the transaction realizes the access decision-making work in the IoT environment. Experimental results show that the game mechanism proposed in this paper has a certain restraining effect on malicious nodes and can play a certain incentive role in the legitimate access behavior of IoT users.

A modular static analysis decomposes a program's analysis into analyses of its parts, or components. An intercomponent analysis instructs an intra-component analysis to analyse each component independently of the others. Additional analyses are scheduled for newly discovered components, and for dependent components that need to account for newly discovered component information. Modular static analyses are scalable, can be tuned to a high precision, and support the analysis of programs that are highly dynamic, featuring e.g., higher-order functions or dynamically allocated processes.In this paper, we present the engineering aspects of MAF, a static analysis framework for implementing modular analyses for higher-order languages. For any such modular analysis, the framework provides a reusable inter-component analysis and it suffices to implement its intra-component analysis. The intracomponent analysis can be composed from several interdependent and reusable Scala traits. This design facilitates changing the analysed language, as well as the analysis precision with minimal effort. We illustrate the use of MAF through its instantiation for several different analyses of Scheme programs.

Dealing with algorithms, which process large amount of similar data by using significant number of small and various sizes of memory allocation/de-allocation in a dynamic yet deterministic way, is an important issue for soft real-time systems designs. In order to improve the response time, efficiency and security of this kind of processing, we propose a software-based memory management method based on hierarchy of shared memory pools, which could be used to replace standard heap management mechanism of the operating system for some cases. Implementation of this memory management scheme can allocate memory through processing allocation/de-allocation requests of required space. Lockable implementation of this model can safely deal with the multi-threaded concurrent access. We also provide the results of experiments, according to which response time of test systems with soft time-bounded execution demand were considerably improved.

Edge computing supports the deployment of ubiquitous, smart services by providing computing and storage closer to terminal devices. However, ensuring the full security and privacy of computations performed at the edge is challenging due to resource limitation. This paper responds to this challenge and proposes an adaptive approach to defense randomization among the edge data centers via a stochastic game, whose solution corresponds to the optimal security deployment at the network's edge. Moreover, security risk is evaluated subjectively based on Prospect Theory to reflect realistic scenarios where the attacker and the edge system do not similarly perceive the status of the infrastructure. The results show that a non-deterministic defense policy yields better security compared to a static defense strategy.

The digital transformation is injecting energy into economic growth and governance improvement for the China government. Digital governance and e-government services are playing a more and more important role in public management and social governance. Meanwhile, cyber-attacks and threats become the major challenges for e-government application systems. In this paper, we proposed a novel dynamic access entry scheme for web application, which provide a rapidly-changing defender-controlled attack surface based on Moving Target Defense (MTD) technology. The scheme can turn the static keywords of Uniform Resource Locator (URL) into the dynamic and random ones, which significantly increase the cost to adversaries attack. We present the prototype of the proposed scheme and evaluate the feasibility and effectiveness. The experimental results demonstrated the scheme is practical and effective.

The task of malware labeling on real datasets faces huge challenges—ever-changing datasets and lack of ground-truth labels—owing to the rapid growth of malware. Clustering malware on their respective families is a well known tool used for improving the efficiency of the malware labeling process. In this paper, we addressed the challenge of clustering email malware, and carried out a cluster analysis on a real dataset collected from email campaigns over a 13-month period. Our main original contribution is to analyze the usefulness of email’s header information for malware clustering (a novel approach proposed by Burton [1]), and compare it with features collected from the malware directly. We compare clustering based on email header’s information with traditional features extracted from varied resources provided by VirusTotal [2], including static and dynamic analysis. We show that email header information has an excellent performance.

This paper presents a management system for a fleet of autonomous mobile robots performing logistics in security-heterogeneous factories. Loading and unloading goods and parts between workstations in these dynamic environments often demands from the mobile robots to share space and resources such as corridors, interlocked security doors and elevators among themselves. This model explores a dynamic task scheduling and assignment to the robots taking into account their location, tasks previously assigned and battery levels, all the while being aware of the physical constraints of the installation. The benefits of the proposed architecture were validated through a set of experiments in a mockup of INCM's shop-floor environment. During these tests 3 robots operated continuously for several hours, self-charging without any human intervention.

IoT applications are quickly evolving in scope and objectives while their focus is being shifted toward supporting dynamic users’ requirements. IoT users initiate applications and expect quick and reliable deployment without worrying about the underlying complexities of the required sensing and routing resources. On the other hand, IoT sensing nodes, sinks, and gateways are heterogeneous, have limited resources, and require significant cost and installation time. Sensing network-level virtualization through virtual Sensing Networks (VSNs) could play an important role in enabling the formation of virtual groups that link the needed IoT sensing and routing resources. These VSNs can be initiated on-demand with the goal to satisfy different IoT applications’ requirements. In this context, we present a joint algorithm for IoT Sensing Resource Allocation with Dynamic Resource-Based Routing (SRADRR). The SRADRR algorithm builds on the current distinguished empowerment of sensing networks using recent standards like RPL and 6LowPAN. The proposed algorithm suggests employing the RPL standard concepts to create DODAG routing trees that dynamically adapt according to the available sensing resources and the requirements of the running and arriving applications. Our results and implementation of the SRADRR reveal promising enhancements in the overall applications deployment rate.

Adapting parallel scheduling function in the design of multi-scheduling algorithm results significant impact in the operation of high performance parallel systems. The various methods of parallelizing scheduling functions are widely applied in traditional multiprocessor systems. In this paper a novel algorithm is introduced which works not only for parallel execution of jobs but also focuses the parallelization of scheduling function. It gives attention on reducing the execution time, minimizing the load balance performance by selecting the volume of tasks for migration in terms of packets. Jobs are grouped into packets consisting of 2n jobs which are scheduled in parallel. Thus, an enhancement in the scheduling mechanism by packet formation is made to carry out high utilization of underlying architecture with increased throughput. The proposed method is assessed on a desktop computer equipped with multi-core processors in cube based multiprocessor systems. The algorithm is implemented with different configuration of multi-core systems. The simulation results indicate that the proposed technique reduces the overall makespan of execution with an improved performance of the system.

The virtualization technology in cloud environment brings some data and privacy security issues to users. Aiming at the problems of virtual machines singleness, homogeneity and static state in cloud environment, a negative feedback dynamic scheduling algorithm is proposed. This algorithm is based on mimic defense and creates multiple virtual machines to complete user request services together through negative feedback control mechanism which can achieve real-time monitor of the running state of virtual machines. When virtual machines state is found to be inconsistent, this algorithm will dynamically change its execution environment, resulting in the attacker's information collection and vulnerability exploitation process being disrupting. Experiments show that the algorithm can better solve security threats caused by the singleness, homogeneity and static state of virtual machines in the cloud, and improve security and reliability of cloud users.

The DES is a symmetric cryptosystem which encrypts data in blocks of 64 bits using 48 bit keys in 16 rounds. It comprises a key schedule, encryption and decryption components. The key schedule, in particular, uses three static component units, the PC-1, PC-2 and rotation tables. However, can these three static components of the key schedule be altered? The DES development team never explained most of these component units. Understanding the DES key schedule is, thus, hard. In addition, reproducing the DES model with unknown component units is challenging, making it hard to adapt and bring implementation of the DES model closer to novice developers' context. We propose an alternative approach for re-implementing the DES key schedule using, rather, dynamic instead of static tables. We investigate the design features of the DES key schedule and implement the same. We then propose a re-engineering view towards a more white-box design. Precisely, generation of the PC-1, rotation and PC-2 tables is revisited to random dynamic tables created at run time. In our views, randomly generated component units eliminate the feared concerns regarding perpetrators' possible knowledge of the internal structures of the static component units. Comparison of the performances of the hybrid DES key schedule to that of the original DES key schedule shows closely related outcomes, connoting the hybrid version as a good alternative to the original model. Memory usage and CPU time were measured. The hybrid insignificantly out-performs the original DES key schedule. This outcome may inspire further researches on possible alterations to other DES component units as well, bringing about completely white-box designs to the DES model.

The paper presents a reinforcement learning solution to dynamic resource allocation for 5G radio access network slicing. Available communication resources (frequency-time blocks and transmit powers) and computational resources (processor usage) are allocated to stochastic arrivals of network slice requests. Each request arrives with priority (weight), throughput, computational resource, and latency (deadline) requirements, and if feasible, it is served with available communication and computational resources allocated over its requested duration. As each decision of resource allocation makes some of the resources temporarily unavailable for future, the myopic solution that can optimize only the current resource allocation becomes ineffective for network slicing. Therefore, a Q-learning solution is presented to maximize the network utility in terms of the total weight of granted network slicing requests over a time horizon subject to communication and computational constraints. Results show that reinforcement learning provides major improvements in the 5G network utility relative to myopic, random, and first come first served solutions. While reinforcement learning sustains scalable performance as the number of served users increases, it can also be effectively used to assign resources to network slices when 5G needs to share the spectrum with incumbent users that may dynamically occupy some of the frequency-time blocks.

Due to the proliferation of Internet-of-Things (IoT) environments, humans working with heterogeneous, smart objects in public IoT environments become more popular than ever before. This situation often requires to establish trust relationships between a user and a smart object for their secure interactions, but without the presence of prior interactions. In this work, we are interested in how a smart object can grant an access right to a human user in the absence of any prior knowledge in which some users may be malicious aiming to breach security goals of the IoT system. To solve this problem, we propose a trust-aware, role-based access control system, namely TARAS, which provides adaptive authorization to users based on dynamic trust estimation. In TARAS, for the initial trust establishment, we take a multidisciplinary approach by adopting the concept of I-sharing from psychology. The I-sharing follows the rationale that people with similar roles and traits are more likely to respond in a similar way. This theory provides a powerful tool to quickly establish trust between a smart object and a new user with no prior interactions. In addition, TARAS can adaptively filter malicious users out by revoking their access rights based on adaptive, dynamic trust estimation. Our experimental results show that the proposed TARAS mechanism can maximize system integrity in terms of correctly detecting malicious or benign users while maximizing service availability to users particularly when the system is fine-tuned based on the identified optimal setting in terms of an optimal trust threshold.

It is expected that the concept of Internet of everything will be realized in 2020 because of the coming of the 5G wireless communication technology. Internet of Things (IoT) services in various fields require different types of network service features, such as mobility, security, bandwidth, latency, reliability and control strategies. In order to solve the complex requirements and provide customized services, a new network architecture is needed. To change the traditional control mode used in the traditional network architecture, the Software Defined Network (SDN) is proposed. First, SDN divides the network into the Control Plane and Data Plane and then delegates the network management authority to the controller of the control layer. This allows centralized control of connections of a large number of devices. Second, SDN can help realizing the network slicing in the aspect of network layer. With the network slicing technology proposed by 5G, it can cut the 5G network out of multiple virtual networks and each virtual network is to support the needs of diverse users. In this work, we design and develop a network slicing framework. The contributions of this article are two folds. First, through SDN technology, we develop to provide the corresponding end-to-end (E2E) network slicing for IoT applications with different requirements. Second, we develop a dynamic network slice resource scheduling and management method based on SDN to meet the services' requirements with time-varying characteristics. This is usually observed in streaming and services with bursty traffic. A prototyping system is completed. The effectiveness of the system is demonstrated by using an electronic fence application as a use case.

At present, the network architecture is based on the TCP/IP protocol and node communications are achieved by the IP address and identifier of the node. The IP address in the network remains basically unchanged, so it is more likely to be attacked by network intruder. To this end, it is important to make periodic dynamic hopping in a specific address space possible, so that an intruder fails to obtain the internal network address and grid topological structure in real time and to continue to perform infiltration by the building of a new address space layout randomization system on the basis of SDN from the perspective of an attacker.

Autonomic resource management for distributed edge computing systems provides an effective means of enabling dynamic placement and adaptation in the face of network changes, load dynamics, and failures. However, adaptation in-and-of-itself offers a side channel by which malicious entities can extract valuable information. An attacker can take advantage of autonomic resource management techniques to fool a system into misallocating resources and crippling applications. Using a few scenarios, we outline how attacks can be launched using partial knowledge of the resource management substrate - with as little as a single compromised node. We argue that any system that provides adaptation must consider resource management as an attack surface. As such, we propose ADAPT2, a framework that incorporates concepts taken from Moving-Target Defense and state estimation techniques to ensure correctness and obfuscate resource management, thereby protecting valuable system and application information from leaking.

Advanced Persistent Threat (APT) attack has the characteristics of complex attack means, long duration and great harmfulness. Based on the idea of dynamic deception, the paper proposed an APT defense system framework, and analyzed the deception defense process. The paper proposed a hybrid encryption communication mechanism based on socket, a dynamic IP address generation method based on SM4, a dynamic timing selection method based on Viterbi algorithm and a dynamic policy allocation mechanism based on DHCPv6. Tests show that the defense system can dynamically change and effectively defense APT attacks.

In this paper, we design a model for resource allocation in IoT system considering the cyber security, to achieve optimal resource allocation when defend the attack and threat. The resource allocation problem is constructed as a dynamic game, where the threat level is the state and the defend cost is the objective function. Open loop solution and feedback solutions are both given to the defender as the optimal control variables under different solutions situations. The optimal allocated resource and the optimal threat level for the defender is simulated through the numerical simulations.

In this paper, security of networked control system (NCS) under denial of service (DoS) attack is considered. Different from the existing literatures from the perspective of control systems, this paper considers a novel method of dynamic allocation of network bandwidth for NCS under DoS attack. Firstly, time-constrained DoS attack and its impact on the communication channel of NCS are introduced. Secondly, details for the proposed dynamic bandwidth allocation structure are presented along with an implementation, which is a bandwidth allocation strategy based on error between current state and equilibrium state and available bandwidth. Finally, a numerical example is given to demonstrate the effectiveness of the proposed bandwidth allocation approach.

Serving heterogeneous traffic demand requires efficient resource utilization to deliver the promises of 5G wireless network towards enhanced mobile broadband, massive machine type communication and ultra-reliable low-latency communication. In this paper, an integrated user application-specific demand characteristics as well as network characteristics evaluation based online slice allocation model for 5G wireless network is proposed. Such characteristics include, available bandwidth, power, quality of service demand, service priority, security sensitivity, network load, predictive load etc. A degree of intra-slice resource sharing elasticity has been considered based on their availability. The availability has been assessed based on the current availability as well as forecasted availability. On the basis of application characteristics, an admission control strategy has been proposed. An interactive AMF (Access and Mobility Function)- RAN (Radio Access Network) information exchange has been assumed. A cost function has been derived to quantify resource allocation decision metric that is valid for both static and dynamic nature of user and network characteristics. A dynamic intra-slice decision boundary estimation model has been proposed. A set of analytical comparative results have been attained in comparison to the results available in the literature. The results suggest the proposed resource allocation framework performance is superior to the existing results in the context of network utility, mean delay and network grade of service, while providing similar throughput. The superiority reported is due to soft nature of the decision metric while reconfiguring slice resource block-size and boundaries.