AI systems face potential hardware security threats. Existing AI systems generally use the heterogeneous architecture of CPU + Intelligent Accelerator, with PCIe bus for communication between them. Security mechanisms are implemented on CPUs based on the hardware security isolation architecture. But the conventional hardware security isolation architecture does not include the intelligent accelerator on the PCIe bus. Therefore, from the perspective of hardware security, data offloaded to the intelligent accelerator face great security risks. In order to effectively integrate intelligent accelerator into the CPU’s security mechanism, a novel hardware security isolation architecture is presented in this paper. The PCIe protocol is extended to be security-aware by adding security information packaging and unpacking logic in the PCIe controller. The hardware resources on the intelligent accelerator are isolated in fine-grained. The resources classified into the secure world can only be controlled and used by the software of CPU’s trusted execution environment. Based on the above hardware security isolation architecture, a security isolation spiking convolutional neural network accelerator is designed and implemented in this paper. The experimental results demonstrate that the proposed security isolation architecture has no overhead on the bandwidth and latency of the PCIe controller. The architecture does not affect the performance of the entire hardware computing process from CPU data offloading, intelligent accelerator computing, to data returning to CPU. With low hardware overhead, this security isolation architecture achieves effective isolation and protection of input data, model, and output data. And this architecture can effectively integrate hardware resources of intelligent accelerator into CPU’s security isolation mechanism.
Authored by Rui Gong, Lei Wang, Wei Shi, Wei Liu, JianFeng Zhang
Edge computing enables the computation and analytics capabilities to be brought closer to data sources. The available literature on AI solutions for edge computing primarily addresses just two edge layers. The upper layer can directly communicate with the cloud and comprises one or more IoT edge devices that gather sensing data from IoT devices present in the lower layer. However, industries mainly adopt a multi-layered architecture, referred to as the ISA-95 standard, to isolate and safeguard their assets. In this architecture, only the upper layer is connected to the cloud, while the lower layers of the hierarchy get to interact only with the neighbouring layers. Due to these added intermediate layers (and IoT edge devices) between the top and lower layers, existing AI solutions for typical two-layer edge architectures may not be directly applicable in this scenario. Moreover, not all industries prefer to send and store their private data in the cloud. Implementing AI solutions tailored to a hierarchical edge architecture would increase response time and maintain the same degree of security by working within the ISA-95-compliant network architecture. This paper explores a possible strategy for deploying a centralized federated learning-based AI solution in a hierarchical edge architecture and demonstrates its efficacy through a real deployment scenario.
Authored by Narendra Bisht, Subhasri Duttagupta
As a result of globalization, the COVID-19 pandemic and the migration of data to the cloud, the traditional security measures where an organization relies on a security perimeter and firewalls do not work. There is a shift to a concept whereby resources are not being trusted, and a zero-trust architecture (ZTA) based on a zero-trust principle is needed. Adapting zero trust principles to networks ensures that a single insecure Application Protocol Interface (API) does not become the weakest link comprising of Critical Data, Assets, Application and Services (DAAS). The purpose of this paper is to review the use of zero trust in the security of a network architecture instead of a traditional perimeter. Different software solutions for implementing secure access to applications and services for remote users using zero trust network access (ZTNA) is also summarized. A summary of the author s research on the qualitative study of “Insecure Application Programming Interface in Zero Trust Networks” is also discussed. The study showed that there is an increased usage of zero trust in securing networks and protecting organizations from malicious cyber-attacks. The research also indicates that APIs are insecure in zero trust environments and most organization are not aware of their presence.
Authored by Farhan Qazi
Zero Day Threats (ZDT) are novel methods used by malicious actors to attack and exploit information technology (IT) networks or infrastructure. In the past few years, the number of these threats has been increasing at an alarming rate and have been costing organizations millions of dollars to remediate. The increasing expansion of network attack surfaces and the exponentially growing number of assets on these networks necessitate the need for a robust AI-based Zero Day Threat detection model that can quickly analyze petabyte-scale data for potentially malicious and novel activity. In this paper, the authors introduce a deep learning based approach to Zero Day Threat detection that can generalize, scale, and effectively identify threats in near real-time. The methodology utilizes network flow telemetry augmented with asset-level graph features, which are passed through a dual-autoencoder structure for anomaly and novelty detection respectively. The models have been trained and tested on four large scale datasets that are representative of real-world organizational networks and they produce strong results with high precision and recall values. The models provide a novel methodology to detect complex threats with low false positive rates that allow security operators to avoid alert fatigue while drastically reducing their mean time to response with near-real-time detection. Furthermore, the authors also provide a novel, labelled, cyber attack dataset generated from adversarial activity that can be used for validation or training of other models. With this paper, the authors’ overarching goal is to provide a novel architecture and training methodology for cyber anomaly detectors that can generalize to multiple IT networks with minimal to no retraining while still maintaining strong performance.
Authored by Christopher Redino, Dhruv Nandakumar, Robert Schiller, Kevin Choi, Abdul Rahman, Edward Bowen, Aaron Shaha, Joe Nehila, Matthew Weeks
Network intrusion detection technology has developed for more than ten years, but due to the network intrusion is complex and variable, it is impossible to determine the function of network intrusion behaviour. Combined with the research on the intrusion detection technology of the cluster system, the network security intrusion detection and mass alarms are realized. Method: This article starts with an intrusion detection system, which introduces the classification and workflow. The structure and working principle of intrusion detection system based on protocol analysis technology are analysed in detail. Results: With the help of the existing network intrusion detection in the network laboratory, the Synflood attack has successfully detected, which verified the flexibility, accuracy, and high reliability of the protocol analysis technology. Conclusion: The high-performance cluster-computing platform designed in this paper is already available. The focus of future work will strengthen the functions of the cluster-computing platform, enhancing stability, and improving and optimizing the fault tolerance mechanism.
Authored by Feng Li, Fei Shu, Mingxuan Li, Bin Wang
Network intrusion detection technology has developed for more than ten years, but due to the network intrusion is complex and variable, it is impossible to determine the function of network intrusion behaviour. Combined with the research on the intrusion detection technology of the cluster system, the network security intrusion detection and mass alarms are realized. Method: This article starts with an intrusion detection system, which introduces the classification and workflow. The structure and working principle of intrusion detection system based on protocol analysis technology are analysed in detail. Results: With the help of the existing network intrusion detection in the network laboratory, the Synflood attack has successfully detected, which verified the flexibility, accuracy, and high reliability of the protocol analysis technology. Conclusion: The high-performance cluster-computing platform designed in this paper is already available. The focus of future work will strengthen the functions of the cluster-computing platform, enhancing stability, and improving and optimizing the fault tolerance mechanism.
Authored by Feng Li, Fei Shu, Mingxuan Li, Bin Wang
The computing capability of the embedded systems and bandwidth of the home network increase rapidly due to the rapid development of information and communication technologies. Many home appliances such as TVs, refrigerators, or air conditioners are now connected to the internet, then, the controlling firmware modules are automatically updatable via the network. TR-069 is a widely adopted standard for automatic appliance management and firmware update. Maintaining a TR069 network usually involves the design and deployment of the overall security and trust infrastructure, the update file repository and the update audit mechanisms. Thus, maintaining a dedicated TR-069 network is a heavy burden for the vendors of home appliances. Blockchain is an emerging technology that provides a secure and trust infrastructure based on distributed consensus. This paper reports the results of our initial attempt to design a prototype of a multitenant TR-069 platform based on the blockchain. The core idea is to reify each automatic deployment task as a smart contract instance whose transactions are recorded in the append-only distributed ledger and verified by the peers. Also, the overall design should be transparent to the original TR069 entities. We have built a prototype based on the proposed architecture to verify the feasibility in three key scenarios. The experimental results show that the proposed approach is feasible and is able to scale linearly in proportion to the number of managed devices.
Authored by Chun-Feng Liao, Leng-Hui Wang
The computing capability of the embedded systems and bandwidth of the home network increase rapidly due to the rapid development of information and communication technologies. Many home appliances such as TVs, refrigerators, or air conditioners are now connected to the internet, then, the controlling firmware modules are automatically updatable via the network. TR-069 is a widely adopted standard for automatic appliance management and firmware update. Maintaining a TR069 network usually involves the design and deployment of the overall security and trust infrastructure, the update file repository and the update audit mechanisms. Thus, maintaining a dedicated TR-069 network is a heavy burden for the vendors of home appliances. Blockchain is an emerging technology that provides a secure and trust infrastructure based on distributed consensus. This paper reports the results of our initial attempt to design a prototype of a multitenant TR-069 platform based on the blockchain. The core idea is to reify each automatic deployment task as a smart contract instance whose transactions are recorded in the append-only distributed ledger and verified by the peers. Also, the overall design should be transparent to the original TR069 entities. We have built a prototype based on the proposed architecture to verify the feasibility in three key scenarios. The experimental results show that the proposed approach is feasible and is able to scale linearly in proportion to the number of managed devices.
Authored by Chun-Feng Liao, Leng-Hui Wang
The continuously growing importance of today’s technology paradigms such as the Internet of Things (IoT) and the new 5G/6G standard open up unique features and opportunities for smart systems and communication devices. Famous examples are edge computing and network slicing. Generational technology upgrades provide unprecedented data rates and processing power. At the same time, these new platforms must address the growing security and privacy requirements of future smart systems. This poses two main challenges concerning the digital processing hardware. First, we need to provide integrated trustworthiness covering hardware, runtime, and the operating system. Whereas integrated means that the hardware must be the basis to support secure runtime and operating system needs under very strict latency constraints. Second, applications of smart systems cover a wide range of requirements where "one- chip-fits-all" cannot be the cost and energy effective way forward. Therefore, we need to be able to provide a scalable hardware solution to cover differing needs in terms of processing resource requirements.In this paper, we discuss our research on an integrated design of a secure and scalable hardware platform including a runtime and an operating system. The architecture is built out of composable and preferably simple components that are isolated by default. This allows for the integration of third-party hardware/software without compromising the trusted computing base. The platform approach improves system security and provides a viable basis for trustworthy communication devices.
Authored by Friedrich Pauls, Sebastian Haas, Stefan Kopsell, Michael Roitzsch, Nils Asmussen, Gerhard Fettweis
Network security isolation technology is an important means to protect the internal information security of enterprises. Generally, isolation is achieved through traditional network devices, such as firewalls and gatekeepers. However, the security rules are relatively rigid and cannot better meet the flexible and changeable business needs. Through the double sandbox structure created for each user, each user in the virtual machine is isolated from each other and security is ensured. By creating a virtual disk in a virtual machine as a user storage sandbox, and encrypting the read and write of the disk, the shortcomings of traditional network isolation methods are discussed, and the application of cloud desktop network isolation technology based on VMwarer technology in universities is expounded.
Authored by Kai Ye
The digital transformation brought on by 5G is redefining current models of end-to-end (E2E) connectivity and service reliability to include security-by-design principles necessary to enable 5G to achieve its promise. 5G trustworthiness highlights the importance of embedding security capabilities from the very beginning while the 5G architecture is being defined and standardized. Security requirements need to overlay and permeate through the different layers of 5G systems (physical, network, and application) as well as different parts of an E2E 5G architecture within a risk-management framework that takes into account the evolving security-threats landscape. 5G presents a typical use-case of wireless communication and computer networking convergence, where 5G fundamental building blocks include components such as Software Defined Networks (SDN), Network Functions Virtualization (NFV) and the edge cloud. This convergence extends many of the security challenges and opportunities applicable to SDN/NFV and cloud to 5G networks. Thus, 5G security needs to consider additional security requirements (compared to previous generations) such as SDN controller security, hypervisor security, orchestrator security, cloud security, edge security, etc. At the same time, 5G networks offer security improvement opportunities that should be considered. Here, 5G architectural flexibility, programmability and complexity can be harnessed to improve resilience and reliability. The working group scope fundamentally addresses the following: •5G security considerations need to overlay and permeate through h the different layers of the 5G systems (physical, network, and application) as well as different parts of an E2E 5G architecture including a risk management framework that takes into account the evolving security threats landscape. •5G exemplifies a use-case of heterogeneous access and computer networking convergence, which extends a unique set of security challenges and opportunities (e.g., related to SDN/NFV and edge cloud, etc.) to 5G networks. Similarly, 5G networks by design offer potential security benefits and opportunities through harnessing the architecture flexibility, programmability and complexity to improve its resilience and reliability. •The IEEE FNI security WG s roadmap framework follows a taxonomic structure, differentiating the 5G functional pillars and corresponding cybersecurity risks. As part of cross collaboration, the security working group will also look into the security issues associated with other roadmap working groups within the IEEE Future Network Initiative.
Authored by Ashutosh Dutta, Eman Hammad, Michael Enright, Fawzi Behmann, Arsenia Chorti, Ahmad Cheema, Kassi Kadio, Julia Urbina-Pineda, Khaled Alam, Ahmed Limam, Fred Chu, John Lester, Jong-Geun Park, Joseph Bio-Ukeme, Sanjay Pawar, Roslyn Layton, Prakash Ramchandran, Kingsley Okonkwo, Lyndon Ong, Marc Emmelmann, Omneya Issa, Rajakumar Arul, Sireen Malik, Sivarama Krishnan, Suresh Sugumar, Tk Lala, Matthew Borst, Brad Kloza, Gunes Kurt
5G core network introduces service based architecture, software defined network, network function virtualization and other new technologies, showing the characteristics of IT and Internet. The new architecture and new technologies not only bring convenience to 5G but also introduce new security threats, especially the unknown security threats caused by unknown vulnerabilities or backdoors. This paper mainly introduces the security threats after the application of software defined network, network function virtualization and other technologies to 5G, summarizes the security solutions proposed by standardization organizations and academia, and puts forward a new idea of building a high-level secure 5G core network based on the endogenous safety and security.
Authored by Wei You, Mingyan Xu, Deqiang Zhou
By analyzing the design requirements of a secure desktop virtualization information system, this paper proposes the security virtualization technology of "whitelist" security mechanism, the virtualization layer security technology of optimized design, and the virtual machine security technology of resource and network layer isolation. On this basis, this paper constructs the overall architecture of the secure desktop virtualization information system. This paper studies the desktop virtualization technology research based on VMware using VMware server virtualization solution to transform and upgrade the traditional intelligent desktop virtualization system, improve server resource utilization rate, and reduce operation and maintenance costs.
Authored by Honglei Xia
Science of Security 2022 - In order to overcome new business changes that bring new security threats and challenges to many Industrial Internet of Things (IIoT) fields such as smart grids, smart factories, and smart transportation, the paper proposed the architecture of the industrial Internet of Things system, and analyzed the security threats of the industrial Internet of Things system. Combining various attack methods, targeted security protection strategies for the perception layer, network layer, platform layer and application layer are designed. The results show that the security protection strategy can effectively meet the security protection requirements of IIoT systems.
Authored by Ping Yu, Yunxin Long, Hui Yan, Hanlin Chen, Xiaozhong Geng
Science of Security 2022 - To prevent all sorts of attacks, the technology of security service function chains (SFC) is proposed in recent years, it becomes an attractive research highlights. Dynamic orchestration algorithm can create SFC according to the resource usage of network security functions. The current research on creating SFC focuses on a single domain. However in reality the large and complex networks are divided into security domains according to different security levels and managed separately. Therefore, we propose a cross-security domain dynamic orchestration algorithm to create SFC for network security functions based on ant colony algorithm(ACO) and consider load balancing, shortest path and minimum delay as optimization objectives. We establish a network security architecture based on the proposed algorithm, which is suitable for the industrial vertical scenarios, solves the deployment problem of the dynamic orchestration algorithm. Simulation results verify that our algorithm achieves the goal of creating SFC across security domains and demonstrate its performance in creating service function chains to resolve abnormal traffic flows.
Authored by Weidong Xiao, Xu Zhang, Dongbin Wang
Predictive Security Metrics - With the emergence of Zero Trust (ZT) Architecture, industry leaders have been drawn to the technology because of its potential to handle a high level of security threats. The Zero Trust Architecture (ZTA) is paving the path for a security industrial revolution by eliminating location-based implicant access and focusing on asset, user, and resource security. Software Defined Perimeter (SDP) is a secure overlay network technology that can be used to implement a Zero Trust framework. SDP is a next-generation network technology that allows network architecture to be hidden from the outside world. It also hides the overlay communication from the underlay network by employing encrypted communications. With encrypted information, detecting abnormal behavior of entities on an overlay network becomes exceedingly difficult. Therefore, an automated system is required. We proposed a method in this paper for understanding the normal behavior of deployed polices by mapping network usage behavior to the policy. An Apache Spark collects and processes the streaming overlay monitoring data generated by the built-in fabric API in order to do this mapping. It sends extracted metrics to Prometheus for storage, and then uses the data for machine learning training and prediction. The cluster-id of the link that it belongs to is predicted by the model, and the cluster-ids are mapped onto the policies. To validate the legitimacy of policy, the labeled polices hash is compared to the actual polices hash that is obtained from blockchain. Unverified policies are notified to the SDP controller for additional action, such as defining new policy behavior or marking uncertain policies.
Authored by Waleed Akbar, Javier Rivera, Khan Ahmed, Afaq Muhammad, Wang-Cheol Song
Object Oriented Security - Smart distribution grids have new protection concepts known as fault self-healing whereby Intelligent Electronic Devices (IEDs) can automatically reconfigure the power circuits to isolate faults and restore power to the relevant sections. This is typically implemented with IEDs exchanging IEC 61850 Generic Object Oriented Substation Event (GOOSE) messages in a peer-to-peer communication network. However, a selfhealing application may be faced by challenges of emerging cyber-physical security threats. These can result in disruption to the applications’ operations thereby affecting the power system reliability. Blockchain is one technology that has been deployed in several applications to offer security and bookkeeping. In this paper, we propose a novel concept using blockchain as a second-tier security mechanism to support time-critical selfhealing operations in smart distribution grids. We show through a simulation study the impact of our proposed architecture when compared with a normal self healing architecture. The results show that our proposed architecture can achieve significant savings in time spent in no-power state by portions of the grid during cyber-physical attacks.
Authored by Befekadu Gebraselase, Charles Adrah, Tesfaye Amare, Bjarne Helvik, Poul Heegaard
Network Security Resiliency - The 5G ecosystem is designed as a highly sophisticated and modularized architecture that decouples the radio access network (RAN), the multi-access edge computing (MEC) and the mobile core to enable different and scalable deployments. It leverages modern principles of virtualized network functions, microservices-based service chaining, and cloud-native software stacks. Moreover, it provides built-in security and mechanisms for slicing. Despite all these capabilities, there remain many gaps and opportunities for additional capabilities to support end-toend secure operations for applications across many domains. Although 5G supports mechanisms for network slicing and tunneling, new algorithms and mechanisms that can adapt network slice configurations dynamically to accommodate urgent and mission-critical traffic are needed. Such slices must be secure, interference-aware, and free of side channel attacks. Resilience of the 5G ecosystem itself requires an effective means for observability and (semi-)autonomous self-healing capabilities. To address this plethora of challenges, this paper presents the SECurity and REsiliency TEchniques for Differentiated 5G OPerationS (SECRETED 5G OPS) project, which is investigating fundamental new solutions that center on the zero trust, network slicing, and network augmentation dimensions, which together will achieve secure and differentiated operations in 5G networks. SECRETED 5G OPS solutions are designed to be easily deployable, minimally invasive to the existing infrastructure, not require modifications to user equipment other than possibly firmware upgrades, economically viable, standards compliant, and compliant to regulations.
Authored by Akram Hakiri, Aniruddha Gokhale, Yogesh Barve, Valerio Formicola, Shashank Shekhar, Charif Mahmoudi, Mohammad Rahman, Uttam Ghosh, Syed Hasan, Terry Guo
Network Security Resiliency - The 5G ecosystem is designed as a highly sophisticated and modularized architecture that decouples the radio access network (RAN), the multi-access edge computing (MEC) and the mobile core to enable different and scalable deployments. It leverages modern principles of virtualized network functions, microservices-based service chaining, and cloud-native software stacks. Moreover, it provides built-in security and mechanisms for slicing. Despite all these capabilities, there remain many gaps and opportunities for additional capabilities to support end-toend secure operations for applications across many domains. Although 5G supports mechanisms for network slicing and tunneling, new algorithms and mechanisms that can adapt network slice configurations dynamically to accommodate urgent and mission-critical traffic are needed. Such slices must be secure, interference-aware, and free of side channel attacks. Resilience of the 5G ecosystem itself requires an effective means for observability and (semi-)autonomous self-healing capabilities. To address this plethora of challenges, this paper presents the SECurity and REsiliency TEchniques for Differentiated 5G OPerationS (SECRETED 5G OPS) project, which is investigating fundamental new solutions that center on the zero trust, network slicing, and network augmentation dimensions, which together will achieve secure and differentiated operations in 5G networks. SECRETED 5G OPS solutions are designed to be easily deployable, minimally invasive to the existing infrastructure, not require modifications to user equipment other than possibly firmware upgrades, economically viable, standards compliant, and compliant to regulations.
Authored by Akram Hakiri, Aniruddha Gokhale, Yogesh Barve, Valerio Formicola, Shashank Shekhar, Charif Mahmoudi, Mohammad Rahman, Uttam Ghosh, Syed Hasan, Terry Guo
Network Security Architecture - As a result of globalization, the COVID-19 pandemic and the migration of data to the cloud, the traditional security measures where an organization relies on a security perimeter and firewalls do not work. There is a shift to a concept whereby resources are not being trusted, and a zero-trust architecture (ZTA) based on a zero-trust principle is needed. Adapting zero trust principles to networks ensures that a single insecure Application Protocol Interface (API) does not become the weakest link comprising of Critical Data, Assets, Application and Services (DAAS). The purpose of this paper is to review the use of zero trust in the security of a network architecture instead of a traditional perimeter. Different software solutions for implementing secure access to applications and services for remote users using zero trust network access (ZTNA) is also summarized. A summary of the author’s research on the qualitative study of “Insecure Application Programming Interface in Zero Trust Networks” is also discussed. The study showed that there is an increased usage of zero trust in securing networks and protecting organizations from malicious cyber-attacks. The research also indicates that APIs are insecure in zero trust environments and most organization are not aware of their presence.
Authored by Farhan Qazi
Network Security Architecture - Design a new generation of smart power meter components, build a smart power network, implement power meter safety protection, and complete smart power meter network security protection. The new generation of smart electric energy meters mainly complete legal measurement, safety fee control, communication, control, calculation, monitoring, etc. The smart power utilization structure network consists of the master station server, front-end processor, cryptographic machine and master station to form a master station management system. Through data collection and analysis, the establishment of intelligent energy dispatching operation, provides effective energy-saving policy algorithms and strategies, and realizes energy-smart electricity use manage. The safety protection architecture of the electric energy meter is designed from the aspects of its own safety, full-scenario application safety, and safety management. Own security protection consists of hardware security protection and software security protection. The full-scene application security protection system includes four parts: boundary security, data security, password security, and security monitoring. Security management mainly provides application security management strategies and security responsibility division strategies. The construction of the intelligent electric energy meter network system lays the foundation for network security protection.
Authored by Baofeng Li, Feng Zhai, Yilun Fu, Bin Xu
Network Security Architecture - To prevent all sorts of attacks, the technology of security service function chains (SFC) is proposed in recent years, it becomes an attractive research highlights. Dynamic orchestration algorithm can create SFC according to the resource usage of network security functions. The current research on creating SFC focuses on a single domain. However in reality the large and complex networks are divided into security domains according to different security levels and managed separately. Therefore, we propose a cross-security domain dynamic orchestration algorithm to create SFC for network security functions based on ant colony algorithm(ACO) and consider load balancing, shortest path and minimum delay as optimization objectives. We establish a network security architecture based on the proposed algorithm, which is suitable for the industrial vertical scenarios, solves the deployment problem of the dynamic orchestration algorithm. Simulation results verify that our algorithm achieves the goal of creating SFC across security domains and demonstrate its performance in creating service function chains to resolve abnormal traffic flows.
Authored by Weidong Xiao, Xu Zhang, Dongbin Wang
Network Security Architecture - Software-Defined Networking or SDN (Software-Defined Networking) is a technology for software control and management of the network in order to improve its properties. Unlike classic network management technologies, which are complex and decentralized, SDN technology is a much more flexible and simple system. The new architecture may be vulnerable to several attacks leading to resource depletion and preventing the SDN controller from providing support to legitimate users. One such attack is the Distributed Denial of Service (DDoS), which is on the rise today. We suggest Modified-DDoSNet, a system for detecting DDoS attacks in the SDN environment. A model based on Deep Learning (DL) techniques will be implemented, combining a Recurrent Neural Network (RNN) with an Autoencoder. The proposed model, which was first trained to detect attacks, was implemented in the security architecture of the SDN network, as a new component. The security architecture of the SDN network contains a total of 13 components, each of which represents an individual part of the architecture, where the first component is the RNN - autoencoder. The model itself, which is the first component, was trained in the CICDDoS2019 dataset. It has high reliability for attack detection, which increases the security of the SDN network architecture.
Authored by Jovan Gojic, Danijel Radakovic
Network Security Architecture - Network security isolation technology is an important means to protect the internal information security of enterprises. Generally, isolation is achieved through traditional network devices, such as firewalls and gatekeepers. However, the security rules are relatively rigid and cannot better meet the flexible and changeable business needs. Through the double sandbox structure created for each user, each user in the virtual machine is isolated from each other and security is ensured. By creating a virtual disk in a virtual machine as a user storage sandbox, and encrypting the read and write of the disk, the shortcomings of traditional network isolation methods are discussed, and the application of cloud desktop network isolation technology based on VMwarer technology in universities is expounded.
Authored by Kai Ye
Network Security Architecture - In view of the current network security architecture of power grid enterprises does not adapt to new regulatory regulations, does not adapt to the development trend of digitalization, and the new technology of network security is not covered, this paper designs a set of network security architecture containing element views, capability views and measures views on the basis of the IPDRR network security architecture model, combined with the requirements of power grid enterprises for network security architecture, which covers the network security requirements of "collection, transmission, storage, application" and information system life cycle at the level of information system architecture. Meet new regulations and provide leadership with an understanding of the security posture of the enterprise, improving the organization s ability to defend against attacks.
Authored by Jinqiang Fan, Yonggang Xu, Jing Ma