TVIDS: Trusted Virtual IDS With SGX

Source: 12th China Conference on Trusted Computing and Information Security | Cited by: 0 | Uploaded by: zzqq1984
Abstract
Network functions such as intrusion detection systems (IDS) are increasingly deployed as virtual network functions or outsourced to cloud service providers to gain scalability and agility and to reduce equipment and operational costs. However, virtual intrusion detection systems (VIDS) face more serious security threats because they run in a shared, virtualized environment rather than on proprietary devices. Cloud service providers or malicious tenants may illegally access and tamper with the IDS's detection policies, packet contents, and internal processing state, thereby violating the privacy and security of tenants' networks. To address these challenges, we use Intel SGX to build a Trusted Virtual Intrusion Detection System (TVIDS). To prevent cloud service providers from accessing sensitive information about a user's network, TVIDS runs the security policy, packet processing, and internal state inside a trusted execution environment, so that cloud service providers and other malicious tenants cannot access the IDS's protected code, policy, processing state, or packet contents. We implemented TVIDS on top of Snort, a well-known open-source IDS, and evaluated it on real SGX hardware. The results show that our method protects the security of the virtual IDS while incurring acceptable performance overhead.