Zero Day Threats (ZDT) are novel methods used by malicious actors to attack and exploit information technology (IT) networks or infrastructure. In the past few years the number of these threats has been increasing at an alarming rate, and they have been costing organizations millions of dollars to remediate. The expanding network attack surface and the exponentially growing number of assets on these networks call for a robust AI-based Zero Day Threat detection model that can quickly analyze petabyte-scale data for potentially malicious and novel activity. In this paper, the authors introduce a deep learning based approach to Zero Day Threat detection that can generalize, scale, and effectively identify threats in near real time. The methodology uses network flow telemetry augmented with asset-level graph features, which are passed through a dual-autoencoder structure for anomaly and novelty detection respectively. The models have been trained and tested on four large-scale datasets that are representative of real-world organizational networks, and they produce strong results with high precision and recall. The models provide a novel methodology for detecting complex threats with low false positive rates, which lets security operators avoid alert fatigue while drastically reducing their mean time to response through near-real-time detection. Furthermore, the authors provide a novel, labelled cyber attack dataset generated from adversarial activity that can be used to validate or train other models. The authors' overarching goal is to provide a novel architecture and training methodology for cyber anomaly detectors that generalize to multiple IT networks with minimal or no retraining while still maintaining strong performance.
Authored by Christopher Redino, Dhruv Nandakumar, Robert Schiller, Kevin Choi, Abdul Rahman, Edward Bowen, Aaron Shaha, Joe Nehila, Matthew Weeks
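As an added illustration (not the authors' code or model), the following Python sketch separates the two signals the abstract names: an anomaly score from asset-level graph features (fan-out, fan-in, distinct destination ports, bytes sent) measured against a learned baseline, and a novelty flag for assets or (source, destination, port) edges never seen during training. The flow records, IP addresses, feature set and z-score threshold are constructed assumptions, and simple z-scores stand in for the paper's dual autoencoder so that the example runs without any ML library.

```python
"""Added example: anomaly vs novelty scoring on flow telemetry with asset-level
graph features. Illustrative only: z-scores stand in for the paper's autoencoders,
and all flows below are constructed sample data, not captured traffic."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training window: (src_ip, dst_ip, dst_port, bytes_sent)
TRAIN_FLOWS = [
    ("10.0.0.5", "10.0.1.20", 445, 12000),
    ("10.0.0.5", "10.0.1.21", 445, 11000),
    ("10.0.0.6", "10.0.1.20", 443, 8000),
    ("10.0.0.6", "10.0.1.22", 443, 9000),
    ("10.0.0.7", "10.0.1.20", 443, 7000),
    ("10.0.0.7", "10.0.1.21", 443, 7500),
    ("10.0.0.8", "10.0.1.22", 22, 3000),
    ("10.0.0.8", "10.0.1.20", 22, 2500),
]

# Constructed scoring window: one known-good flow, one new-but-benign edge,
# and one host fanning out to 20 destinations on 5 ports (scan-like).
TEST_FLOWS = [
    ("10.0.0.5", "10.0.1.20", 445, 12000),
    ("10.0.0.6", "10.0.1.21", 443, 8000),
] + [("10.0.0.9", f"10.0.1.{20 + i}", (22, 80, 443, 445, 3389)[i % 5], 60)
     for i in range(20)]

FEATURES = ("out_degree", "in_degree", "dst_ports", "bytes_out")


def asset_features(flows):
    """Assumed asset-level graph features: fan-out, fan-in, distinct destination
    ports and bytes sent, computed per IP from the flow edges."""
    out_peers, in_peers = defaultdict(set), defaultdict(set)
    ports, bytes_out = defaultdict(set), defaultdict(int)
    for src, dst, port, nbytes in flows:
        out_peers[src].add(dst)
        in_peers[dst].add(src)
        ports[src].add(port)
        bytes_out[src] += nbytes
    return {a: {"out_degree": len(out_peers[a]), "in_degree": len(in_peers[a]),
                "dst_ports": len(ports[a]), "bytes_out": bytes_out[a]}
            for a in set(out_peers) | set(in_peers)}


class FlowBaseline:
    """Anomaly = feature vector far from the training distribution (z-score);
    novelty = asset or (src, dst, port) edge absent from training."""

    def __init__(self, flows):
        feats = asset_features(flows)
        self.known_assets = set(feats)
        self.known_edges = {(s, d, p) for s, d, p, _ in flows}
        self.stats = {}
        for f in FEATURES:
            vals = [v[f] for v in feats.values()]
            self.stats[f] = (mean(vals), pstdev(vals) or 1.0)

    def score(self, flows, z_threshold=3.0):
        verdicts = {}
        for asset, fv in asset_features(flows).items():
            zs = [abs(fv[f] - self.stats[f][0]) / self.stats[f][1] for f in FEATURES]
            unseen_edge = any((s, d, p) not in self.known_edges
                              for s, d, p, _ in flows if s == asset)
            verdicts[asset] = {
                "anomaly": max(zs) >= z_threshold,
                "novel": asset not in self.known_assets or unseen_edge,
                "max_z": round(max(zs), 2),
            }
        return verdicts


BASELINE = FlowBaseline(TRAIN_FLOWS)


def detect(flows, baseline=BASELINE):
    """Return only the assets that trip either detector."""
    return {a: v for a, v in baseline.score(flows).items() if v["anomaly"] or v["novel"]}


if __name__ == "__main__":
    for asset, verdict in sorted(detect(TEST_FLOWS).items()):
        print(asset, verdict)
```

The point of keeping the two verdicts separate is operational: the scanning host is both anomalous and novel, the new 10.0.0.6 to 10.0.1.21 edge is novel but statistically ordinary, and the repeated 10.0.0.5 flow trips neither, which is the triage distinction the abstract's low false positive claim rests on.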
Network intrusion detection technology has been developing for more than ten years, but because network intrusions are complex and variable, the function of network intrusion behaviour cannot be determined. Combined with research on intrusion detection for cluster systems, network security intrusion detection and mass alarming are realized. Method: This article starts with the intrusion detection system, introducing its classification and workflow. The structure and working principle of an intrusion detection system based on protocol analysis technology are analysed in detail. Results: Using the existing network intrusion detection in the network laboratory, a SYN flood attack was successfully detected, which verified the flexibility, accuracy, and high reliability of the protocol analysis technology. Conclusion: The high-performance cluster-computing platform designed in this paper is already available. Future work will strengthen the functions of the cluster-computing platform, enhance its stability, and improve and optimize its fault tolerance mechanism.
Authored by Feng Li, Fei Shu, Mingxuan Li, Bin Wang
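As an added example (not from the paper), a minimal protocol-analysis check for the SYN flood case: per destination endpoint and per time window, count the client SYN segments and the third-leg ACKs that complete the handshake. A flood shows many SYNs with almost no completions, usually from many distinct sources. The packet-summary line format, addresses, window size and thresholds are constructed assumptions.

```python
"""Added example: SYN flood detection by protocol analysis over packet summaries.
The line format and all addresses below are constructed, not captured traffic."""
import re
from collections import defaultdict

# Assumed one-line packet summary: "<ts> <src>:<sport> > <dst>:<dport> flags=<TCP flags>"
LINE = re.compile(
    r"(?P<ts>\d+\.\d+) (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) flags=(?P<flags>[A-Z.]+)$"
)

# Constructed sample: three clients complete a handshake with 10.0.0.10:80 in the
# first second, then 40 distinct sources send SYN-only segments in the next second.
SAMPLE_LINES = []
for n, client in enumerate(("192.168.1.10", "192.168.1.11", "192.168.1.12")):
    port = 40001 + n
    SAMPLE_LINES += [
        f"0.{10 + 3 * n} {client}:{port} > 10.0.0.10:80 flags=S",
        f"0.{11 + 3 * n} 10.0.0.10:80 > {client}:{port} flags=SA",
        f"0.{12 + 3 * n} {client}:{port} > 10.0.0.10:80 flags=A",
    ]
SAMPLE_LINES += [f"1.{i:02d} 203.0.113.{i}:{50000 + i} > 10.0.0.10:80 flags=S"
                 for i in range(1, 41)]


def parse(line):
    """Parse one summary line into a dict, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    return rec


def detect_syn_flood(lines, window=1.0, min_syn=20, max_completion=0.2):
    """Bucket segments by (destination endpoint, time window). A pure-ACK segment
    toward the server is taken as the third leg of a handshake (an approximation:
    data-carrying ACKs on established connections would count too). Alert when a
    window holds at least min_syn SYNs and at most max_completion of them complete."""
    buckets = defaultdict(lambda: {"syn": 0, "ack": 0, "srcs": set()})
    for rec in filter(None, map(parse, lines)):
        b = buckets[(rec["dst"], rec["dport"], int(rec["ts"] // window))]
        if rec["flags"] == "S":
            b["syn"] += 1
            b["srcs"].add(rec["src"])
        elif rec["flags"] == "A":
            b["ack"] += 1
    alerts = []
    for (dst, dport, slot), b in sorted(buckets.items()):
        if b["syn"] >= min_syn and b["ack"] <= max_completion * b["syn"]:
            alerts.append({"target": f"{dst}:{dport}", "window": slot,
                           "syn": b["syn"], "ack": b["ack"],
                           "unique_sources": len(b["srcs"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_flood(SAMPLE_LINES):
        print("SYN flood suspected:", alert)
```

The check is state-based rather than signature-based, which is what protocol analysis buys over simple pattern matching: a burst of legitimate connections still completes its handshakes, while a flood, spoofed or not, leaves the SYN-to-ACK ratio far out of balance.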
The computing capability of embedded systems and the bandwidth of home networks are increasing rapidly due to the rapid development of information and communication technologies. Many home appliances such as TVs, refrigerators, and air conditioners are now connected to the internet, so their controlling firmware modules can be updated automatically over the network. TR-069 is a widely adopted standard for automatic appliance management and firmware update. Maintaining a TR-069 network usually involves the design and deployment of the overall security and trust infrastructure, the update file repository, and the update audit mechanisms. Thus, maintaining a dedicated TR-069 network is a heavy burden for vendors of home appliances. Blockchain is an emerging technology that provides a secure and trusted infrastructure based on distributed consensus. This paper reports the results of our initial attempt to design a prototype of a multitenant TR-069 platform based on the blockchain. The core idea is to reify each automatic deployment task as a smart contract instance whose transactions are recorded in the append-only distributed ledger and verified by the peers. Also, the overall design should be transparent to the original TR-069 entities. We have built a prototype based on the proposed architecture to verify its feasibility in three key scenarios. The experimental results show that the proposed approach is feasible and scales linearly with the number of managed devices.
Authored by Chun-Feng Liao, Leng-Hui Wang
The continuously growing importance of today's technology paradigms such as the Internet of Things (IoT) and the new 5G/6G standards opens up unique features and opportunities for smart systems and communication devices. Prominent examples are edge computing and network slicing. Generational technology upgrades provide unprecedented data rates and processing power. At the same time, these new platforms must address the growing security and privacy requirements of future smart systems. This poses two main challenges for the digital processing hardware. First, we need to provide integrated trustworthiness covering hardware, runtime, and the operating system, where integrated means that the hardware must be the basis that supports the needs of a secure runtime and operating system under very strict latency constraints. Second, applications of smart systems cover a wide range of requirements, where "one-chip-fits-all" cannot be the cost- and energy-effective way forward. Therefore, we need to be able to provide a scalable hardware solution to cover differing needs in terms of processing resources. In this paper, we discuss our research on an integrated design of a secure and scalable hardware platform including a runtime and an operating system. The architecture is built out of composable and preferably simple components that are isolated by default. This allows the integration of third-party hardware and software without compromising the trusted computing base. The platform approach improves system security and provides a viable basis for trustworthy communication devices.
Authored by Friedrich Pauls, Sebastian Haas, Stefan Kopsell, Michael Roitzsch, Nils Asmussen, Gerhard Fettweis
Network security isolation technology is an important means of protecting the internal information security of enterprises. Generally, isolation is achieved through traditional network devices such as firewalls and gatekeepers. However, their security rules are relatively rigid and cannot meet flexible and changing business needs well. Through a double sandbox structure created for each user, users in virtual machines are isolated from each other and security is ensured: a virtual disk created inside the virtual machine serves as the user's storage sandbox, and reads and writes to that disk are encrypted. This paper discusses the shortcomings of traditional network isolation methods and expounds the application of cloud desktop network isolation technology based on VMware technology in universities.
Authored by Kai Ye
The digital transformation brought on by 5G is redefining current models of end-to-end (E2E) connectivity and service reliability to include the security-by-design principles necessary for 5G to achieve its promise. 5G trustworthiness highlights the importance of embedding security capabilities from the very beginning, while the 5G architecture is being defined and standardized. Security requirements need to overlay and permeate the different layers of 5G systems (physical, network, and application) as well as the different parts of an E2E 5G architecture, within a risk-management framework that takes into account the evolving security-threat landscape. 5G presents a typical use case of wireless communication and computer networking convergence, where the fundamental 5G building blocks include components such as Software Defined Networks (SDN), Network Functions Virtualization (NFV) and the edge cloud. This convergence extends many of the security challenges and opportunities applicable to SDN/NFV and cloud to 5G networks. Thus, 5G security needs to consider additional security requirements (compared to previous generations) such as SDN controller security, hypervisor security, orchestrator security, cloud security, edge security, etc. At the same time, 5G networks offer security improvement opportunities that should be considered: 5G architectural flexibility, programmability and complexity can be harnessed to improve resilience and reliability. The working group scope fundamentally addresses the following:
• 5G security considerations need to overlay and permeate the different layers of 5G systems (physical, network, and application) as well as the different parts of an E2E 5G architecture, including a risk-management framework that takes into account the evolving security-threat landscape.
• 5G exemplifies a use case of heterogeneous access and computer networking convergence, which extends a unique set of security challenges and opportunities (e.g., related to SDN/NFV and the edge cloud) to 5G networks. Similarly, 5G networks by design offer potential security benefits and opportunities by harnessing the architecture's flexibility, programmability and complexity to improve its resilience and reliability.
• The IEEE FNI security WG's roadmap framework follows a taxonomic structure, differentiating the 5G functional pillars and corresponding cybersecurity risks. As part of cross collaboration, the security working group will also look into the security issues associated with other roadmap working groups within the IEEE Future Network Initiative.
Authored by Ashutosh Dutta, Eman Hammad, Michael Enright, Fawzi Behmann, Arsenia Chorti, Ahmad Cheema, Kassi Kadio, Julia Urbina-Pineda, Khaled Alam, Ahmed Limam, Fred Chu, John Lester, Jong-Geun Park, Joseph Bio-Ukeme, Sanjay Pawar, Roslyn Layton, Prakash Ramchandran, Kingsley Okonkwo, Lyndon Ong, Marc Emmelmann, Omneya Issa, Rajakumar Arul, Sireen Malik, Sivarama Krishnan, Suresh Sugumar, Tk Lala, Matthew Borst, Brad Kloza, Gunes Kurt
The 5G core network introduces service-based architecture, software-defined networking, network function virtualization and other new technologies, taking on the characteristics of IT and the Internet. The new architecture and technologies not only bring convenience to 5G but also introduce new security threats, especially unknown threats caused by unknown vulnerabilities or backdoors. This paper mainly introduces the security threats that arise after applying software-defined networking, network function virtualization and other technologies to 5G, summarizes the security solutions proposed by standardization organizations and academia, and puts forward a new idea for building a highly secure 5G core network based on endogenous safety and security.
Authored by Wei You, Mingyan Xu, Deqiang Zhou
By analyzing the design requirements of a secure desktop virtualization information system, this paper proposes security virtualization technology with a "whitelist" security mechanism, virtualization-layer security technology with an optimized design, and virtual machine security technology with resource- and network-layer isolation. On this basis, the paper constructs the overall architecture of a secure desktop virtualization information system. It studies desktop virtualization technology based on VMware, using the VMware server virtualization solution to transform and upgrade the traditional intelligent desktop virtualization system, improve server resource utilization, and reduce operation and maintenance costs.
Authored by Honglei Xia
Science of Security 2022 - To address the new security threats and challenges that new business changes bring to many Industrial Internet of Things (IIoT) fields such as smart grids, smart factories, and smart transportation, this paper proposes an architecture for the industrial Internet of Things system and analyzes its security threats. Combining various attack methods, targeted security protection strategies for the perception layer, network layer, platform layer and application layer are designed. The results show that the security protection strategy can effectively meet the security protection requirements of IIoT systems.
Authored by Ping Yu, Yunxin Long, Hui Yan, Hanlin Chen, Xiaozhong Geng
Science of Security 2022 - To prevent all sorts of attacks, the technology of security service function chains (SFC) has been proposed in recent years and has become an attractive research topic. A dynamic orchestration algorithm can create an SFC according to the resource usage of network security functions. Current research on creating SFCs focuses on a single domain. In reality, however, large and complex networks are divided into security domains according to different security levels and managed separately. Therefore, we propose a cross-security-domain dynamic orchestration algorithm that creates SFCs for network security functions based on the ant colony optimization (ACO) algorithm, taking load balancing, shortest path and minimum delay as optimization objectives. We establish a network security architecture based on the proposed algorithm that is suitable for industrial vertical scenarios and solves the deployment problem of the dynamic orchestration algorithm. Simulation results verify that our algorithm achieves the goal of creating SFCs across security domains and demonstrate its performance in creating service function chains to resolve abnormal traffic flows.
Authored by Weidong Xiao, Xu Zhang, Dongbin Wang
Predictive Security Metrics - With the emergence of Zero Trust (ZT) Architecture, industry leaders have been drawn to the technology because of its potential to handle a high level of security threats. The Zero Trust Architecture (ZTA) is paving the path for a security industrial revolution by eliminating location-based implicit access and focusing on asset, user, and resource security. Software Defined Perimeter (SDP) is a secure overlay network technology that can be used to implement a Zero Trust framework. SDP is a next-generation network technology that allows the network architecture to be hidden from the outside world. It also hides the overlay communication from the underlay network by employing encrypted communications. With encrypted traffic, detecting abnormal behavior of entities on an overlay network becomes exceedingly difficult, so an automated system is required. In this paper we propose a method for understanding the normal behavior of deployed policies by mapping network usage behavior to policy. Apache Spark collects and processes the streaming overlay monitoring data generated by the built-in fabric API to perform this mapping. It sends the extracted metrics to Prometheus for storage, and the data is then used for machine learning training and prediction. The model predicts the cluster-id of the link a flow belongs to, and the cluster-ids are mapped onto policies. To validate the legitimacy of a policy, the labeled policy's hash is compared with the actual policy hash obtained from the blockchain. Unverified policies are reported to the SDP controller for additional action, such as defining new policy behavior or marking uncertain policies.
Authored by Waleed Akbar, Javier Rivera, Khan Ahmed, Afaq Muhammad, Wang-Cheol Song
Object Oriented Security - Smart distribution grids have new protection concepts known as fault self-healing, whereby Intelligent Electronic Devices (IEDs) can automatically reconfigure the power circuits to isolate faults and restore power to the relevant sections. This is typically implemented with IEDs exchanging IEC 61850 Generic Object Oriented Substation Event (GOOSE) messages in a peer-to-peer communication network. However, a self-healing application may face emerging cyber-physical security threats. These can disrupt the application's operation and thereby affect power system reliability. Blockchain is one technology that has been deployed in several applications to offer security and bookkeeping. In this paper, we propose a novel concept that uses blockchain as a second-tier security mechanism to support time-critical self-healing operations in smart distribution grids. We show through a simulation study the impact of our proposed architecture compared with a normal self-healing architecture. The results show that our proposed architecture can significantly reduce the time that portions of the grid spend in a no-power state during cyber-physical attacks.
Authored by Befekadu Gebraselase, Charles Adrah, Tesfaye Amare, Bjarne Helvik, Poul Heegaard
Network Security Resiliency - The 5G ecosystem is designed as a highly sophisticated and modularized architecture that decouples the radio access network (RAN), multi-access edge computing (MEC) and the mobile core to enable different and scalable deployments. It leverages modern principles of virtualized network functions, microservices-based service chaining, and cloud-native software stacks. Moreover, it provides built-in security and mechanisms for slicing. Despite all these capabilities, there remain many gaps and opportunities for additional capabilities to support end-to-end secure operations for applications across many domains. Although 5G supports mechanisms for network slicing and tunneling, new algorithms and mechanisms are needed that can adapt network slice configurations dynamically to accommodate urgent and mission-critical traffic. Such slices must be secure, interference-aware, and free of side-channel attacks. Resilience of the 5G ecosystem itself requires effective means for observability and (semi-)autonomous self-healing capabilities. To address these challenges, this paper presents the SECurity and REsiliency TEchniques for Differentiated 5G OPerationS (SECRETED 5G OPS) project, which is investigating fundamental new solutions centered on the zero trust, network slicing, and network augmentation dimensions, which together will achieve secure and differentiated operations in 5G networks. SECRETED 5G OPS solutions are designed to be easily deployable, minimally invasive to the existing infrastructure, free of modifications to user equipment other than possibly firmware upgrades, economically viable, standards compliant, and compliant with regulations.
Authored by Akram Hakiri, Aniruddha Gokhale, Yogesh Barve, Valerio Formicola, Shashank Shekhar, Charif Mahmoudi, Mohammad Rahman, Uttam Ghosh, Syed Hasan, Terry Guo
Network Security Architecture - As a result of globalization, the COVID-19 pandemic and the migration of data to the cloud, the traditional security measures in which an organization relies on a security perimeter and firewalls no longer work. There is a shift to a concept in which resources are not trusted by default, and a zero-trust architecture (ZTA) based on the zero-trust principle is needed. Adapting zero-trust principles to networks ensures that a single insecure Application Programming Interface (API) does not become the weakest link compromising critical Data, Assets, Applications and Services (DAAS). The purpose of this paper is to review the use of zero trust to secure a network architecture instead of a traditional perimeter. Different software solutions for implementing secure access to applications and services for remote users using zero trust network access (ZTNA) are also summarized. A summary of the author's research, a qualitative study of "Insecure Application Programming Interface in Zero Trust Networks", is also discussed. The study showed that there is increased usage of zero trust in securing networks and protecting organizations from malicious cyber-attacks. The research also indicates that APIs are insecure in zero-trust environments and that most organizations are not aware of their presence.
Authored by Farhan Qazi
Network Security Architecture - This paper designs a new generation of smart power meter components, builds a smart power network, implements power meter safety protection, and completes smart power meter network security protection. The new generation of smart electric energy meters mainly performs legal measurement, safe fee control, communication, control, calculation, monitoring, etc. The smart power utilization network consists of the master station server, front-end processor, cryptographic machine and master station, which together form the master station management system. Through data collection and analysis, it establishes intelligent energy dispatching operation, provides effective energy-saving policy algorithms and strategies, and realizes smart energy use management. The safety protection architecture of the electric energy meter is designed from the aspects of its own safety, full-scenario application safety, and safety management. Own security protection consists of hardware security protection and software security protection. The full-scenario application security protection system includes four parts: boundary security, data security, password security, and security monitoring. Security management mainly provides application security management strategies and security responsibility division strategies. The construction of the intelligent electric energy meter network system lays the foundation for network security protection.
Authored by Baofeng Li, Feng Zhai, Yilun Fu, Bin Xu
Network Security Architecture - Software-Defined Networking (SDN) is a technology for software-based control and management of a network in order to improve its properties. Unlike classic network management technologies, which are complex and decentralized, SDN is a much more flexible and simple system. The new architecture may be vulnerable to several attacks that lead to resource depletion and prevent the SDN controller from serving legitimate users. One such attack is Distributed Denial of Service (DDoS), which is on the rise today. We propose Modified-DDoSNet, a system for detecting DDoS attacks in the SDN environment. A model based on Deep Learning (DL) techniques is implemented, combining a Recurrent Neural Network (RNN) with an Autoencoder. The proposed model, first trained to detect attacks, is integrated into the security architecture of the SDN network as a new component. The security architecture of the SDN network contains a total of 13 components, each representing an individual part of the architecture, with the first component being the RNN-autoencoder. The model itself, the first component, was trained on the CICDDoS2019 dataset. It has high reliability for attack detection, which increases the security of the SDN network architecture.
Authored by Jovan Gojic, Danijel Radakovic
Network Security Architecture - Given that the current network security architecture of power grid enterprises does not adapt to new regulatory requirements or to the development trend of digitalization, and does not cover new network security technologies, this paper designs a network security architecture containing element views, capability views and measure views. It is built on the IPDRR network security architecture model, combined with the requirements of power grid enterprises for a network security architecture, and covers the network security requirements of "collection, transmission, storage, application" and the information system life cycle at the level of information system architecture. It meets the new regulations, gives leadership an understanding of the enterprise's security posture, and improves the organization's ability to defend against attacks.
Authored by Jinqiang Fan, Yonggang Xu, Jing Ma
Network on Chip Security - This paper designs a network security protection system based on artificial intelligence technology from the two aspects of hardware and software. The system can simultaneously collect public Internet data and secret-related data inside the unit, and encrypts the latter through a TCM chip solidified in the hardware to ensure that only designated machines can read secret-related material. The edge-cloud collaborative data acquisition architecture based on chip encryption enables cross-network transmission of confidential data. At the same time, this paper proposes an edge-cloud collaborative information security protection method for industrial control systems that combines end-address hopping and load balancing algorithms. Finally, using WinCC, Unity3D, MySQL and other development environments, the feasibility and effectiveness of the system are verified by experiment.
Authored by Xiuyun Lu, Wenxing Zhao, Yuquan Zhu
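As an added example of the end-address hopping idea the abstract names (a generic moving-target scheme, not the paper's method), both endpoints derive the active address for each time epoch from an HMAC over a shared key, so a sender can reach the receiver without the address ever being announced, while traffic to stale or wrongly derived addresses is dropped. The address pool, epoch length, key and the one-epoch grace period for clock skew are assumptions.

```python
"""Added example: time-based end-address hopping derived from a shared key.
Generic moving-target scheme, not the paper's method; pool, epoch and key are
assumptions chosen for illustration."""
import hashlib
import hmac
import ipaddress

POOL = ipaddress.ip_network("10.20.0.0/24")   # assumed hopping address pool
EPOCH_SECONDS = 10                             # assumed hop interval


def epoch_of(ts: float) -> int:
    """Map a timestamp to the hop epoch it falls in."""
    return int(ts // EPOCH_SECONDS)


def hop_address(key: bytes, epoch: int, pool=POOL) -> str:
    """Select the address for an epoch with a keyed PRF (HMAC-SHA256): without
    the key the next address is unpredictable; with it both ends agree."""
    tag = hmac.new(key, epoch.to_bytes(8, "big"), hashlib.sha256).digest()
    usable = pool.num_addresses - 2              # skip network and broadcast
    index = int.from_bytes(tag[:8], "big") % usable
    return str(pool.network_address + 1 + index)


class HoppingSender:
    def __init__(self, key: bytes):
        self.key = key

    def destination(self, now: float) -> str:
        """Address to send to for the sender's current clock."""
        return hop_address(self.key, epoch_of(now))


class HoppingReceiver:
    """Accept traffic only to the current epoch's address, plus the previous
    one so that up to one epoch of clock skew does not drop legitimate peers."""

    def __init__(self, key: bytes):
        self.key = key

    def accepts(self, dst: str, now: float) -> bool:
        e = epoch_of(now)
        return dst in {hop_address(self.key, e), hop_address(self.key, e - 1)}


if __name__ == "__main__":
    key = b"constructed-shared-key"
    tx, rx = HoppingSender(key), HoppingReceiver(key)
    now = 1000.0
    live = {hop_address(key, epoch_of(now)), hop_address(key, epoch_of(now) - 1)}
    stale = next(e for e in range(90) if hop_address(key, e) not in live)
    print("current epoch :", tx.destination(now), rx.accepts(tx.destination(now), now))
    print("stale epoch   :", hop_address(key, stale), rx.accepts(hop_address(key, stale), now))
```

Two caveats a deployment would have to settle that the sketch leaves open: the hopping pool must be routable end to end (an intermediate firewall needs the same derivation or a wide enough allow range), and the key must be provisioned out of band, since anyone holding it can predict every future address.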
Network on Chip Security - IoT technology is finding new applications every day and everywhere in our daily lives. With that come new use cases with new challenges in terms of device and data security. One such challenge arises from the fact that many IoT devices/nodes are no longer deployed on their owners' premises, but rather on public or private property other than the owner's. With potential physical access to the IoT node, adversaries can launch many attacks that circumvent conventional protection methods. In this paper, we propose Secure SoC (SecSoC), a secure system-on-chip architecture that mitigates such attacks, including logical memory dump attacks, bus snooping attacks, and compromised operating systems. SecSoC relies on two main mechanisms: (1) providing security extensions to the compute engine that runs the user application without changing its instruction set, and (2) adding a security management unit (SMU) that provides hardware security primitives for encryption, hashing, random number generation, and a secrets store (keys, certificates, etc.). SecSoC ensures that no secret or sensitive data can leave the SoC IC in plaintext. SecSoC is being implemented in Bluespec SystemVerilog. The experimental results will reveal the area, power, and cycle time overhead of these security extensions. Overall performance (total execution time) will also be evaluated using IoT benchmarks.
Authored by Ayman Hroub, Muhammad Elrabaa
Network Intrusion Detection - To address the low detection accuracy, high false detection rate and high missed detection rate of traditional network Intrusion Detection (I-D) methods for the Intelligent Substation (I-S) secondary system, a semantically enhanced network I-D method for the I-S secondary system is proposed. First, through analysis of the I-S secondary system network and its existing security risks, an information network security protection architecture is built around network I-D. Then, the overall structure of I-S secondary network I-D is constructed by integrating a CNN and a BiLSTM. Finally, the semantic analysis of Latent Dirichlet Allocation (LDA) is introduced to enhance the network I-D model, which greatly improves detection accuracy. The proposed method is compared with the other two methods under the same conditions through simulation experiments. The results show that the detection accuracy of the proposed method is the highest (95.02%) in the face of 10 different types of attack traffic, and its false detection rate and missed detection rate are the lowest (1.3% and 3.8% respectively). The algorithm's performance is better than that of the other three comparison algorithms.
Authored by Bo Xiang, Changchun Zhang, Jugang Wang, Bo Wang