Network Security: Translated Foreign-Language Literature

Network Security English Paper

Title: The Importance of Network Security in the Digital Age

Introduction:

In today's digital age, where the internet has revolutionized the way we communicate, work, and conduct business, the importance of network security cannot be overstated. With cyber threats continuously evolving, organizations and individuals need to prioritize effective measures to protect their sensitive information, privacy, and the integrity of their systems. This paper explores the significance of network security and proposes practical steps to safeguard against potential cyber attacks.

Body:

1. The Growing Threat Landscape

Since the advent of the internet, cybercrimes have proliferated, posing significant threats to individuals, businesses, and governments. Hackers, with increasingly sophisticated tools and techniques, exploit vulnerabilities in networks, aiming to steal financial information, personal data, and intellectual property. Ransomware attacks, distributed denial of service (DDoS) attacks, and phishing scams are just a few examples of the multitude of cyber threats faced today.

2. Potential Impacts of Network Security Breaches

Network security breaches can have severe consequences, including financial losses, reputation damage, and legal implications. Companies may face the loss of valuable digital assets and customer data, leading to a loss of trust and credibility. Moreover, breaches in critical infrastructure systems, such as power grids and healthcare systems, can result in devastating consequences for society as a whole. Therefore, prioritizing robust network security measures is imperative to mitigate potential damages.

3. Network Security Measures

To combat cyber threats effectively, organizations and individuals should implement a multi-layered approach to network security. This includes:

a) Firewalls: Deploying firewalls acts as the first line of defense against unauthorized access, ensuring that only legitimate traffic is allowed into a network.

b) Encryption: Encrypting data in transit and at rest helps to protect sensitive information from unauthorized access, ensuring that even if a breach occurs, the data remains unreadable.

c) Strong Passwords and Two-factor Authentication: Encouraging the use of complex passwords and implementing two-factor authentication adds an extra layer of security, making it harder for attackers to gain access to sensitive accounts.

d) Regular Software Updates and Patches: Keeping software, operating systems, and applications up to date helps to address any known vulnerabilities and weaknesses, mitigating the risk of exploitation.

e) Employee Education and Awareness: Establishing comprehensive training programs to educate employees about cybersecurity threats, such as phishing and social engineering, helps to build a strong human firewall and foster a security-conscious culture within an organization.

4. Collaboration and Government Involvement

Given the global nature of cyber threats, collaboration between governments, organizations, and individuals is crucial to combating cybercrimes effectively. Governments should enact strong legislation and regulations to protect individuals' privacy and organizations' sensitive information. Additionally, international cooperation is essential to sharing information about emerging threats, best practices, and conducting joint investigations.

Conclusion:

In conclusion, network security is a critical aspect of our digital lives and is paramount in protecting individuals, organizations, and critical infrastructure from cyber threats. Implementing robust network security measures, such as firewalls, encryption, and regular updates, along with fostering a culture of cybersecurity awareness, is key to safeguarding against potential attacks. It is imperative that governments, organizations, and individuals work together to address this ever-evolving threat landscape and ensure a secure and resilient digital environment.

Network Security English Paper

Cybersecurity: An Analysis of Current Threats and Mitigation Strategies

Abstract

With the rapid growth of the internet and digital technologies, cybersecurity has become a critical concern for organizations and individuals alike. This paper aims to analyze the current cybersecurity threats and possible mitigation strategies. The analysis is conducted based on recent studies and surveys conducted by cybersecurity experts and organizations. The findings demonstrate that the most prevalent cybersecurity threats include malware attacks, phishing scams, hacking attempts, and data breaches. To mitigate these threats, organizations are encouraged to implement robust security measures, such as firewalls, antivirus software, encryption algorithms, and two-factor authentication. Additionally, promoting cybersecurity awareness among employees through regular training sessions and workshops is suggested. Ultimately, a comprehensive approach that involves technological solutions and human resilience is necessary to safeguard against evolving cybersecurity threats.

Introduction

The internet has transformed the way we live, work, and communicate. However, along with its vast benefits, the digital realm has also given rise to numerous security challenges. Cybersecurity refers to the protection of electronic data and systems from unauthorized access, use, or destruction. It encompasses a wide range of threats, such as hacking, data breaches, viruses, and phishing scams. The consequences of a cybersecurity breach can be severe, including financial losses, compromised sensitive information, and damage to reputation.

Current Cybersecurity Threats

1. Malware Attacks: Malware, short for malicious software, includes viruses, worms, Trojan horses, and ransomware. Malware can infect systems through email attachments, downloads, or vulnerabilities in software. Once installed, it can grant unauthorized access to hackers and cause significant damage, such as stealing sensitive data, corrupting files, or encrypting data for ransom.

2. Phishing Scams: Phishing is a fraudulent activity where attackers impersonate legitimate organizations through emails, text messages, or phone calls to deceive individuals into revealing sensitive information, such as passwords, credit card details, or social security numbers. Successful phishing attacks can lead to identity theft or unauthorized access to personal accounts.

3. Hacking Attempts: Hackers use various techniques to exploit vulnerabilities in computer systems, networks, or software. They may employ password cracking, SQL injection, or distributed denial-of-service (DDoS) attacks to gain unauthorized access, manipulate data, or disrupt services. Hacking attempts can result in data breaches, financial losses, or damage to critical infrastructure.

4. Data Breaches: Data breaches involve the unauthorized access, theft, or exposure of sensitive information held by organizations. Personal, financial, or healthcare data can be compromised and misused for identity theft, fraud, or blackmail. Data breaches can occur due to inadequate security measures, insider threats, or hacking activities.

Mitigation Strategies

1. Robust Security Measures: Organizations should implement a multi-layered security approach, including firewalls, intrusion detection systems, and antivirus software. Regular updates to software and patches should be applied to address vulnerabilities and protect against known threats. Additionally, encryption algorithms can ensure the confidentiality of data both in transit and at rest.

2. Two-Factor Authentication: Enforcing two-factor authentication adds an extra layer of security by requiring users to provide two forms of identification, such as a password and a unique verification code. This method significantly reduces the risk of unauthorized access, even if passwords are compromised.

3. Employee Training and Awareness: Organizations should conduct regular cybersecurity training sessions to educate employees about potential threats and safe online practices. This includes educating them about phishing scams, malware, and the importance of strong passwords. By enhancing employee awareness, organizations can develop a stronger line of defense against social engineering attacks.

Conclusion

As the digital landscape continues to evolve, so do the cybersecurity threats. Organizations and individuals must remain vigilant to protect their sensitive information and digital assets. By implementing robust security measures, promoting cybersecurity awareness, and staying updated on the latest threats and mitigation strategies, individuals and organizations can mitigate the risks associated with cyber threats. Through a comprehensive approach that combines technological solutions and human resilience, a safer digital future can be achieved.

Computer Networks - Foreign Literature - Foreign-Language Translation - English Literature - New Techniques of Computer Networks

New technique of the computer network

Abstract

The 21st century is the age of the information economy. Computer network technology, as the representative technology of this age, will develop very rapidly and with continual innovation, and will reach deep into people's work, life and study. Mastering this technology therefore becomes all the more important. Here I mainly introduce several new network technologies in real-life applications.

Keywords: Internet Network System Digital Certificates Grid Storage

1. Foreword

Internet turns 36, still a work in progress

Thirty-six years after computer scientists at UCLA linked two bulky computers using a 15-foot gray cable, testing a new way for exchanging data over networks, what would ultimately become the Internet remains a work in progress.

University researchers are experimenting with ways to increase its capacity and speed. Programmers are trying to imbue Web pages with intelligence. And work is underway to re-engineer the network to reduce spam (junk mail) and security troubles.

All the while threats loom: Critics warn that commercial, legal and political pressures could hinder the types of innovations that made the Internet what it is today.

Stephen Crocker and Vinton Cerf were among the graduate students who joined UCLA professor Len Kleinrock in an engineering lab on Sept. 2, 1969, as bits of meaningless test data flowed silently between the two computers. By January, three other "nodes" joined the fledgling network.

Then came e-mail a few years later, a core communications protocol called TCP/IP in the late 70s, the domain name system in the 80s and the World Wide Web - now the second most popular application behind e-mail - in 1990. The Internet expanded beyond its initial military and educational domain into businesses and homes around the world.

Today, Crocker continues work on the Internet, designing better tools for collaboration. And as security chairman for the Internet's key oversight body, he is trying to defend the core addressing system from outside threats.

He acknowledges the Internet he helped build is far from finished, and changes are in store to meet growing demands for multimedia. Network providers now make only "best efforts" at delivering data packets, and Crocker said better guarantees are needed to prevent the skips and stutters now common with video.

Cerf, now at MCI Inc., said he wished he could have designed the Internet with security built-in. Microsoft Corp., Yahoo Inc. and America Online Inc., among others, are currently trying to retrofit the network so e-mail senders can be authenticated - a way to cut down on junk messages sent using spoofed addresses.

Many features being developed today wouldn't have been possible at birth given the slower computing speeds and narrower Internet pipes, or bandwidth, Cerf said.

2. Digital Certificates

Digital certificates are data files used to establish the identity of people and electronic assets on the Internet. They allow for secure, encrypted online communication and are often used to protect online transactions.

Digital certificates are issued by a trusted third party known as a certification authority (CA). The CA validates the identity of a certificate holder and “signs” the certificate to attest that it hasn’t been forged or altered in any way.

New Uses For Digital Certificates

Digital certificates are now being used to provide security and validation for wireless connections, and hardware manufacturers are one of the latest groups to use them. Not long ago, VeriSign Inc. announced its Cable Modem Authentication Services, which allow hardware manufacturers to embed digital certificates into cable modems to help prevent the pirating of broadband services through device cloning.

Using VeriSign software, hardware makers can generate cryptographic keys and corresponding digital certificates that manufacturers or cable service providers can use to automatically identify individual modems.

This ‘last-mile’ authentication not only protects the value of existing content and services but also positions cable system operators to bring a broad new range of content, applications and value-added services to market.

When a CA digitally signs a certificate, its owner can use it as an electronic passport to prove his identity. It can be presented to Web sites, networks or individuals that require secure access.

Identifying information embedded in the certificate includes the holder’s name and e-mail address, the name of the CA, a serial number and any activation or expiration data for the certificate. When the CA verifies a user’s identity, the certificate uses the holder’s public encryption key to protect this data.

Certificates that a Web server uses to confirm the authenticity of a Web site for a user’s browser also employ public keys. When a user wants to send confidential information to a Web server, such as a credit-card number for an online transaction, the browser will access the public key in the server’s digital certificate to verify its identity.

Role of Public-Key Cryptography

The public key is one half of a pair of keys used in public-key cryptography, which provides the foundation for digital certificates.

Public-key cryptography uses matched public and private keys for encryption and decryption. These keys have a numerical value that’s used by an algorithm to scramble information and make it readable only to users with the corresponding decryption key.

A person’s public key is used by others to encrypt information meant only for that person. When he receives the information, he uses his corresponding private key, which is kept secret, to decrypt the data. A person's public key can be distributed without damaging the private key. A Web server using a digital certificate can use its private key to make sure that only it can decrypt confidential information sent to it over the Internet.

The Web server’s certificate is validated by a self-signed CA certificate that identifies the issuing CA. CA certificates are preinstalled on most major Web browsers, including Microsoft Internet Explorer and Netscape Navigator.

The CA certificate tells users whether they can trust the Web server certificate when it’s presented to the browser. If the validity of the Web server certificate is affirmed, the certificate’s public key is used to secure information for the server using Secure Sockets Layer (SSL) technology.

Digital certificates are used by the SSL security protocol to create a secure “pipe” between two parties that seek confidential communication. SSL is used in most major Web browsers and commercial Web servers.

3. Digital Wallets

A digital wallet is software that enables users to pay for goods on the Web. It holds credit-card numbers and other personal information such as a shipping address. Once entered, the data automatically populates order fields at merchant sites.

When using a digital wallet, consumers don’t need to fill out order forms on each site when they purchase an item because the information has already been stored and is automatically updated and entered into the order fields across merchant sites. Consumers also benefit when using digital wallets because their information is encrypted or protected by a private software code. And merchants benefit by receiving protection against fraud.

Digital wallets are available to consumers free of charge, and they’re fairly easy to obtain. For example, when a consumer makes a purchase at a merchant site that’s set up to handle server-side digital wallets, he types his name and payment and shipping information into the merchant’s own form. At the end of the purchase, the consumer is asked to sign up for a wallet of his choice by entering a user name and password for future purchases. Users can also acquire wallets at a wallet vendor’s site.

Although a wallet is free for consumers, vendors charge merchants for wallets.

Digital wallets come in two main types: client-side and server-side. Within those divisions are wallets that work only on specific merchant sites and those that are merchant agnostic.

Client-based digital wallets, the older of the two types, are falling by the wayside, according to analysts, because they require users to download and install software. A user downloads the wallet application and inputs payment and mailing information. At that point, the information is secured and encrypted on the user’s hard drive. The user retains control of his credit card and personal information locally.

With a server-based wallet, a user fills out his personal information, and a cookie is automatically downloaded. (A cookie is a text file that contains information about the user.) In this scenario, the consumer information resides on the server of a financial institution or a digital wallet vendor rather than on the user’s PC.

Server-side wallets provide assurance against merchant fraud because they use certificates to verify the identity of all parties. When a party makes a transaction, it presents its certificate to the other parties involved. A certificate is an attachment to an electronic message used to verify the identity of the party and to provide the receiver with the means to encode a reply.

Furthermore, the cardholder’s sensitive data is typically housed at a financial institution, so there’s an extra sense of security because financial environments generally provide the highest degree of security.

But even though wallets provide easy shopping online, adoption hasn’t been widespread.

Standards are pivotal to the success of digital wallets.

Last month, major vendors, including Microsoft Corp., Sun Microsystems Inc. and America Online Inc. announced their endorsement of a new standard called ECML, or E-Commerce Modeling Language, to give Web merchants a standardized way to collect electronic data for shipping, billing and payment.

4. Grid Storage

Definition: Grid storage, analogous to grid computing, is a new model for deploying and managing storage distributed across multiple systems and networks, making efficient use of available storage capacity without requiring a large, centralized switching system.

A grid is, in fact, a meshed network in which no single centralized switch or hub controls routing. Grids offer almost unlimited scalability in size and performance because they aren’t constrained by the need for ever-larger central switches. Grid networks thus reduce component costs and produce a reliable and resilient structure.

Applying the grid concept to a computer network lets us harness available but unused resources by dynamically allocating and deallocating capacity, bandwidth and processing among numerous distributed computers. A computing grid can span locations, organizations, machine architectures and software boundaries, offering power, collaboration and information access to connected users. Universities and research facilities are using grids to build what amounts to supercomputer capability from PCs, Macintoshes and Linux boxes.

After grid computing came into being, it was only a matter of time before a similar model would emerge for making use of distributed data storage. Most storage networks are built in star configurations, where all servers and storage devices are connected to a single central switch. In contrast, grid topology is built with a network of interconnected smaller switches that can scale as bandwidth increases and continue to deliver improved reliability and higher performance and connectivity.

Based on current and proposed products, it appears that a grid storage system should include the following:

Modular storage arrays: These systems are connected across a storage network using serial ATA disks. The systems can be block-oriented storage arrays or network-attached storage gateways and servers.

Common virtualization layer: Storage must be organized as a single logical pool of resources available to users.

Data redundancy and availability: Multiple copies of data should exist across nodes in the grid, creating redundant data access and availability in case of a component failure.

Common management: A single level of management across all nodes should cover the areas of data security, mobility and migration, capacity on demand, and provisioning.

Simplified platform/management architecture: Because common management is so important, the tasks involved in administration should be organized in modular fashion, allowing the auto discovery of new nodes in the grid and automating volume and .

Three Basic Benefits

Applying grid topology to a storage network provides several benefits, including the following:

Reliability. A well-designed grid network is extremely resilient. Rather than providing just two paths between any two nodes, the grid offers multiple paths between each storage node. This makes it easy to service and replace components in case of failure, with minimal impact on system availability or downtime.

Performance. The same factors that lead to reliability also can improve performance. Not requiring a centralized switch with many ports eliminates a potential performance bottleneck, and applying load-balancing techniques to the multiple paths available offers consistent performance for the entire network.

Scalability. It’s easy to expand a grid network using inexpensive switches with low port counts to accommodate additional servers for increased performance, bandwidth and capacity. In essence, grid storage is a way to scale out rather than up, using relatively inexpensive storage building blocks.

Computer Networks

Abstract: The 21st century is the era of the information economy. As the representative technology of this era, computer network technology will develop very rapidly and, with continual innovation, will enter deeply into people's work, study and life.

Network Security Foreign-Language Translation: ARP Spoofing Detection: An Active Technique

外文翻译原文及译文学院计算机学院专业计算机科学与技术班级学号姓名指导教师负责教师2011年6月Detecting ARP Spoofing: An Active TechniqueVivek Ramachandran and Sukumar NandiCisco Systems, Inc., Bangalore IndiaIndian Institute of Technology, Guwahati, Assam, IndiaAbstract. The Address Resolution Protocol (ARP) due to itsstatelessness and lack of an authentication mechanism for verifyingthe identity of the sender has a long history of being prone tospoofing attacks. ARP spoofing is sometimes the starting point formore sophisticated LAN attacks like denial of service, man in themiddle and session hijacking. The current methods of detection use apassive approach, monitoring the ARP traffic and looking forinconsistencies in the Ethernet to IP address mapping. The maindrawback of the passive approach is the time lag between learningand detecting spoofing. This sometimes leads to the attack beingdiscovered long after it has been orchestrated. In this paper, wepresent an active technique to detect ARP spoofing. We inject ARPrequest and TCP SYN packets into the network to probe forinconsistencies. This technique is faster, intelligent, scalable andmore reliable in detecting attacks than the passive methods. It canalso additionally detect the real mapping of MAC to IP addresses to afair degree of accuracy in the event of an actual attack.1. IntroductionThe ARP protocol is one of the most basic but essential protocols for LAN communication. The ARP protocol is used to resolve the MAC address of a host given its IP address. This is done by sending an ARP request packet (broadcasted) on the network. The concerned host now replies back with its MAC address in an ARP reply packet (unicast). In some situations a host might broadcast its own MAC address in a special Gratuitous ARP packet. All hosts maintain an ARP cache where all address mappingslearnt from the network (dynamic entries) or configured by the administrator (static entries) are kept. 
The dynamic entries age out after a fixed interval of time, which varies across operating systems. After the entry ages out it is deleted from the cache and if the host wants to communicate with the same peer, another ARP request is made. The static entries never age out.The ARP protocol is stateless. Hosts will cache all ARP replies sent to them even if they had not sent an explicit ARP request for it. Even if a previous unexpired dynamic ARP entry is there in the ARP cache it will be overwritten by a newer ARP reply packet on most operating systems. All hosts blindly cache the ARP replies they receive, as they have no mechanism to authenticate their peer. This is the root problem, which leads to ARP spoofing.ARP spoofing is the process of forging ARP packets to be able to impersonate another host on the network. In the most general form of ARP spoofing the attacker sends spoofed ARP responses to the victim periodically. The period between the spoofed responses is much lesser than the ARP cache entry timeout period for the operating system running on the victim host. This will ensure that the victim host would never make an ARP request for the host whose address the attacker is impersonating. Following subsection briefly discuss the current detection and mitigation techniques.1.1 Current Mitigation and Detection TechniquesExisting ARP spoofing detection techniques are discussed next sequentially.1.1.1 Secure ARP Protocol (S-ARP)This has been proposed as a replacement for the ARP protocol in S-ARP: a Secure Address Resolution Protocol. The S-ARP protocol is definitely a permanent solution to ARP spoofing but the biggest drawback is that we will have to make changes to the network stack of all the hosts. This is not very scalable as going for a stack upgrade across all available operating systems is something both vendors and customers will not be happy about. 
As S-ARP uses Digital Signature Algorithm (DSA) we have the additional overhead of cryptographic calculations though the authors of the paper have claimed that this overhead is not significant.1.1.2 Static MAC EntriesAdding static MAC addresses on every host for all other hosts will not allow spoofing but is not a scalable solution at all and managing all these entries is a full time job by itself. This can fail miserably if mobile hosts such as laptops are periodically introduced into the network. Also some operating systems are known to overwrite static ARP entries if they receive Gratuitous ARP packets (GARP).1.1.3 Kernel Based PatchesKernel based patches such as Anticap and Antidote have made an attempt to protect from ARP spoofing at a individual host level. Anticap does not allow updating of the host ARP cache by an ARP reply that carries a different MAC address then the one already in the cache. This unfortunately makes it drop legal gratuitous ARP replies as well, which is a violation to the ARP protocol specification. Antidote on receiving an ARP reply whose MAC address differs from the previously cached one tries to check if the previously learnt MAC is still alive. If the previously learnt MAC is still alive then the update is rejected and the offending MAC address is added to a list of banned addresses.Both the above techniques rely on the fact that the ARP entry in the cache is the legitimate one. This creates a race situation between the attacker and the victim. If the attacker gets his spoofed ARP entry into the host’s cache before the real host can, then the real MAC address is banned. This can only be undone by administrative intervention. Thus we can conclude that wrong learning may cause these tools to fail in detecting ARP spoofing.1.1.4 Passive DetectionIn Passive Detection we sniff the ARP requests/responses on the network and construct a MAC address to IP address mapping database. 
If we notice a change in any of these mappings in future ARP traffic then we raise an alarm and conclude that an ARP spoofing attack is underway. The most popular tool in this category is ARPWATCH.The main drawback of the passive method is a time lag between learning the address mappings and subsequent attack detection. In a situation where the ARP spoofing began before the detection tool was started for the first time, the tool will learn the forged replies in it’s IP to MAC address mapping database. Now only after the victim starts communicating with some other host the inconsistency will be detected and an alarm rose. The attacker may have made his getaway because of this delay. Also a spoofed entry learned as in the above scenario would have to be manually undone by the networkadministrator. The only solution to this problem is to manually feed the correct address mappings into the database before starting the tool or create an attack free learning traffic. Both of these are unreasonable due to scalability and mobility issues. An ideal example would be mobile hosts e.g. laptops brought in by customers or visitors to a company. This slow learning curve makes it impossible to install passive tools on a large network (1000+ hosts) and expect them to identify attacks instantaneously.The passive techniques do not have any intelligence and blindly look for a mismatch in the ARP traffic with their learnt database tables. If an ARP spoofing is detected than there is no way of ascertaining if the newly seen address mapping is because of a spoofing attempt or the previously learnt one was actually a spoofed one. Our technique will determine the real MAC to IP mapping during an actual attack to a fair degree of accuracy.The passive learning technique is also very unreliable. A new address mapping is learnt when ARP traffic is seen from them. 
Thus a switch ARP cache table overflow attempt, made by generating random ARP reply packets every second with arbitrary MAC and IP addresses, will just result in new stations being discovered instead of being reported as attack traffic.

To overcome the problems in earlier techniques, we present a new ARP spoofing detection technique. Our technique uses an active approach to detect ARP spoofing. We send out ARP request and TCP SYN packets to probe the authenticity of the ARP traffic we see in the network. The approach is faster, more intelligent, more scalable and more reliable in detecting attacks than the passive methods. It can additionally detect the real mapping of MAC to IP addresses to a fair degree of accuracy in the event of an actual attack. A detailed description of the technique is given in the following sections.

2 The Proposed Active Detection Technique for ARP spoofing

The proposed technique actively interacts with the network to gauge the presence of ARP spoofing attacks. We will henceforth assume the following about the network we desire to protect.

2.1 Assumptions

1. The attacker’s computer has a normal network stack. This assumption will hold for most attacks, as “ready to use” ARP spoofing tools have always been the attacker’s most popular choice. If the attacker does use a customized stack, then our technique will still detect ARP spoofing but will no longer be able to predict the correct address mappings. We will discuss performance in the presence of a customized stack in Section 2.5.

2. The individual hosts we desire to protect on the network may use a personal firewall, but at least one TCP port should be allowed through the firewall. This is to allow our probe packets (TCP SYN packets) to go through. This is a reasonable assumption because, even if a firewall is installed, some LAN-based services such as NETBIOS are normally allowed through it for LAN communication.

3. We assume that all devices which we protect have a TCP/IP network stack up and running.

2.2 Terminology

We now introduce the terminology used in the rest of this paper.

1. Threshold interval: ARP replies to an ARP request must be received within a specified time interval. After this time has elapsed, we will consider the ARP request to have “expired”. We will call this interval the “Threshold Interval”. It will be administratively configurable on any tool using our technique.

2. Host Database: This is the mapping of all legitimate IP and MAC pairs on the network, verified and learnt by our technique.

The ARP packets consist of the MAC header and the ARP header. Based on the value of the source and destination MAC addresses in the MAC header and as advertised in the ARP header, we can divide all ARP packets into 2 categories.

1. Inconsistent Header ARP packets: The MAC addresses in the MAC and ARP headers differ, i.e. Source MAC address in MAC header != Source MAC address in ARP header (in ARP requests/responses) and/or Destination MAC address in MAC header != Destination address in ARP header (only for ARP replies).

2. Consistent Header ARP packets: These are the complement of the Inconsistent Header ARP packets. The MAC addresses in the MAC and ARP headers match in these packets.

Note that Inconsistent Header ARP packets are guaranteed to be spoofed packets, as such an anomaly is only possible in attack traffic. Based on the above classification, we can further group the Consistent Header ARP packets into three groups:

1. Full ARP Cycle: An ARP request and its corresponding ARP replies seen within the threshold interval.

2. Request Half Cycle: An ARP request for which no replies are seen within the threshold time.

3. Response Half Cycle: An ARP reply generated without an ARP request.

These three categories form the basis of our input to the ARP spoofing detection mechanism.
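The two classifications defined in Section 2.2 can be applied directly to captured frames. The following is an added example, not code from the paper: it parses raw Ethernet/ARP frames, separates Inconsistent Header packets, and groups the rest into Full ARP Cycles, Request Half Cycles and Response Half Cycles. The function names, the MAC and IP addresses in the constructed sample capture, and the 2-second threshold interval are all assumptions made for illustration.

```python
import socket
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpFrame:
    ts: float        # capture timestamp in seconds
    eth_dst: bytes   # destination MAC in the MAC (Ethernet) header
    eth_src: bytes   # source MAC in the MAC (Ethernet) header
    op: int          # 1 = request, 2 = reply
    sha: bytes       # sender MAC advertised in the ARP header
    spa: bytes       # sender IP advertised in the ARP header
    tha: bytes       # target MAC in the ARP header
    tpa: bytes       # target IP in the ARP header


def parse_arp(ts, raw):
    """Parse one Ethernet frame; return None unless it is IPv4-over-Ethernet ARP."""
    if len(raw) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", raw[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    if op not in (ARP_REQUEST, ARP_REPLY):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", raw[22:42])
    return ArpFrame(ts, eth_dst, eth_src, op, sha, spa, tha, tpa)


def header_consistent(f):
    """Section 2.2 test: MAC-header and ARP-header addresses must agree."""
    if f.eth_src != f.sha:
        return False
    # The destination comparison applies to ARP replies only.
    return f.op != ARP_REPLY or f.eth_dst == f.tha


def classify(capture, threshold):
    """Group (timestamp, raw_frame) pairs into the four categories."""
    frames = [f for f in (parse_arp(ts, raw) for ts, raw in capture) if f]
    result = {"inconsistent": [], "full_cycle": [],
              "request_half": [], "response_half": []}
    pending = []  # (request, replies) in arrival order
    for f in sorted(frames, key=lambda x: x.ts):
        if not header_consistent(f):
            result["inconsistent"].append(f)      # goes straight to the alarm
        elif f.op == ARP_REQUEST:
            pending.append((f, []))
        else:
            # A reply belongs to the newest unexpired request that asked
            # for this IP and came from the host the reply is addressed to.
            for req, replies in reversed(pending):
                answers = (f.spa, f.tpa, f.tha) == (req.tpa, req.spa, req.sha)
                if answers and f.ts - req.ts <= threshold:
                    replies.append(f)
                    break
            else:
                result["response_half"].append(f)
    for req, replies in pending:
        if replies:
            result["full_cycle"].append((req, replies))
        else:
            result["request_half"].append(req)
    return result


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ip(text):
    return socket.inet_aton(text)


def build(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Build a 42-byte ARP frame for the constructed sample below."""
    return (struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + struct.pack("!6s4s6s4s", mac(sha), ip(spa), mac(tha), ip(tpa)))


# Constructed addresses (locally administered MACs), not from the paper.
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
A, G, X = "02:00:00:00:00:0a", "02:00:00:00:00:01", "02:00:00:00:00:66"
B, C = "02:00:00:00:00:0b", "02:00:00:00:00:63"

# Constructed capture: (timestamp, frame bytes).
SAMPLE = [
    (0.00, build(BCAST, A, ARP_REQUEST, A, "10.0.0.10", ZERO, "10.0.0.1")),
    (0.01, build(A, G, ARP_REPLY, G, "10.0.0.1", A, "10.0.0.10")),
    (0.02, build(A, X, ARP_REPLY, X, "10.0.0.1", A, "10.0.0.10")),  # 2nd answer
    (1.00, build(BCAST, A, ARP_REQUEST, A, "10.0.0.10", ZERO, "10.0.0.99")),
    (2.00, build(A, B, ARP_REPLY, B, "10.0.0.11", A, "10.0.0.10")),  # unsolicited
    (3.00, build(A, X, ARP_REPLY, G, "10.0.0.1", A, "10.0.0.10")),  # src != sha
    (9.00, build(A, C, ARP_REPLY, C, "10.0.0.99", A, "10.0.0.10")),  # too late
]

if __name__ == "__main__":
    for group, items in classify(SAMPLE, threshold=2.0).items():
        print(group, len(items))
```

A Full ARP Cycle that contains two replies advertising different MAC addresses for the same IP, as in the sample, is header-consistent on both replies, so only the active probing of the Spoof Detection Engine can decide which mapping is genuine.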
The following subsection discusses the architecture of the proposed technique in detail.

2.3 Architecture

Please refer to Figure 1 for the architecture discussion. We have adopted a modularized approach and have divided our spoof detection into the following modules:

1. ARP Sniffer module: This sniffs all ARP traffic from the network.

2. MAC - ARP header anomaly detector module: This module classifies the ARP traffic into Inconsistent Header ARP packets and Consistent Header ARP packets.

3. Known Traffic Filter module: This filters all the traffic which is already learnt. It will either drop the packet if the IP to MAC mapping is coherent with the learnt Host Database or raise an alarm if there are any contradictions. All the new ARP packets with unknown addresses are sent to the Spoof Detection Engine for verification.

4. Spoof Detection Engine module: This is the main detection engine. We feed the Consistent Header ARP packets to it as input. The design of this module will be discussed in Section 2.4.

5. Add to Database Module: Legitimate ARP entries verified by the Spoof Detection Engine are added to the Host Database by this module.

6. Spoof Alarm Module: This module raises an alarm on detection of ARP spoofing by sending a mail, SMS etc. to the administrator.

Fig. 1. Inter-relation between various Modules used by the ARP Spoof Detection Algorithm

As shown in Figure 1, the ARP Sniffer module sniffs all the ARP traffic in its LAN segment and passes it to the MAC – ARP Header Anomaly Detector. This module passes all the Consistent Header ARP packets to the Known Traffic Filter module. All the Inconsistent Header ARP packets are sent to the Spoof Alarm. This is done because the Inconsistent Header ARP packets are all spoofed packets, as discussed earlier. The Known Traffic Filter module will remove all traffic coherent with the already learnt addresses by consulting the Host Database.
If there is a contradiction in the ARP traffic for already learnt addresses, then it raises a Spoof Alarm. All new ARP traffic is passed to the Spoof Detection Engine.

The Spoof Detection Engine applies our detection algorithm to detect ARP spoofing. The newly seen Consistent Header ARP packets are input to this module. The engine internally groups these packets into the three categories discussed in Section 2.2, namely Full ARP Cycle, Request Half Cycle and Response Half Cycle packets. The detection algorithm applied by the engine will be discussed in Section 2.4. After applying the detection algorithm, the Spoof Detection Engine sends the ARP entry either to the Add to Database module or to the Spoof Alarm module. The Add to Database module will add these verified MAC and IP address mappings to the Host Database. The Spoof Detection Engine is discussed in detail next.

2.4 The Spoof Detection Engine

The Spoof Detection Engine is the heart of the whole system. The three different ARP Cycle packets discussed in Section 2.2 are treated in slightly different ways by the Spoof Detection Engine to detect an attempted spoofing. The Spoof Detection Engine works based on the following rules:

Rule A: “The network interface card of a host will accept packets sent to its MAC address, Broadcast address and subscribed multicast addresses. It will pass on these packets to the IP layer. The IP layer will only accept IP packets addressed to its IP address(es) and will silently discard the rest of the packets. If the accepted packet is a TCP packet it is passed on to the TCP layer. If a TCP SYN packet is received then the host will either respond back with a TCP SYN/ACK packet if the destination port is open or with a TCP RST packet if the port is closed”.

Rule B: “The attacker can spoof ARP packets impersonating a host but he can never stop the real host from replying to ARP requests (or any other packet) sent to it.
The valid assumption here is that the real host is up on the network.”

It should be noted that these rules have been derived from the correct behavior that a host’s network stack should exhibit when it receives a packet. To exemplify Rule A, let a host have MAC address = X and IP address = Y. If this host receives a packet with destination MAC address = X and destination IP address = Z, then even though the network interface card would accept the packet because the destination MAC address matches, the host’s network stack will silently discard this packet because the destination IP address does not match, without sending any error messages back to the source of the packet.

Based on Rule A, we can conceive of two types of probe packets, from a host’s network stack point of view, which we will use to detect ARP spoofing.

a. Right MAC – Wrong IP packet: The destination MAC address in the packet is that of the host, but the IP address is invalid and does not correspond to any of the host’s addresses. The destination host will silently drop this packet.

b. Right MAC – Right IP packet: The destination MAC and IP address pair is that of the host, and its network stack accepts the packet.

We will henceforth assume that the attacker is using an unmodified network stack. The performance of our technique in the presence of a modified network stack will be evaluated in Section 2.5. Based on the above observation, we will construct our own packets based on Rule A and send them on the network. We will use the address information in the ARP response packet sent by the host whose authenticity is to be verified. We will use the MAC and IP addresses used in the ARP response packet to construct a TCP SYN packet, i.e. the destination MAC and IP in the TCP SYN packet will be the source MAC and IP address advertised in the ARP response packet, and the source MAC and IP in the TCP SYN packet will be those of the host running the Spoof Detection Engine.
The TCP destination port will be chosen based on the presence or absence of packet filtering firewalls on the network hosts. If there is a firewall installed on the hosts, we will choose the “allowed TCP port” (as in Section 2.1), and if there are no firewalls, then we can choose any TCP port. The rest of the header values in the TCP SYN packet will be set as usual.

When a TCP SYN packet constructed as above is sent to the source of the ARP reply packet, the host’s response will be based on Rule A. If the ARP response was from the real host, its IP stack will respond back with either a TCP RST packet (if the destination port is closed) or a TCP SYN/ACK packet (if the destination port is open). If the ARP response was from a malicious host, then its network stack would silently discard the TCP SYN packet in accordance with Rule A. Thus, based on whether or not the Spoof Detection Engine receives any TCP packets in return for the SYN packet it sent, it can judge the authenticity of the received ARP response packet.

ARP Spoofing Detection: An Active Technique

Vivek Ramachandran and Sukumar Nandi
Cisco Systems Inc., Bangalore, India
Indian Institute of Technology, Guwahati, Assam, India

Abstract. The Address Resolution Protocol (ARP), owing to its statelessness and its lack of a mechanism for verifying the identity of the sender, has long been used for spoofing attacks.

Research on Internet of Things Security Issues: Foreign Literature Translation


The Internet of Things

More and more modules and sensors are being built into embedded systems to enhance their ability to communicate. The resulting information networks will create new business models, improve business processes, and reduce risk and costs.

Michael Cui, Marcus Method, and Roger Roberts

In most organizations, information spreads along familiar paths. Proprietary information is placed in databases, analyzed in reports, and then passed up the management chain. Information is also collected from public sources, gathered from the Internet, and bought from suppliers.

But the expected pathways of information are changing: the physical world itself is becoming a kind of information system. In the so-called Internet of Things (IoT), sensors and micro devices (actuators) are embedded in physical modules, from highways to heart pacemakers, and connected through wired or wireless networks, often using the same Internet protocol that connects the Internet. The data transmitted over these networks is used for computer analysis. If modules can sense the environment and exchange information, they can become tools for responding rapidly to complicated problems. The information revolution in the field of physical information systems is developing continuously, and some systems will even be able to work with only a single intervention.

Pill-shaped microcamera devices have already passed successfully through the human digestive tract and sent back thousands of images to pinpoint the source of disease. Data acquisition systems composed of satellites and ground sensors can detect crop status through wireless devices, and connected precision-agriculture equipment can adjust the farming method for every part of the farmland, for example by spreading more chemical fertilizer to make poor soil more fertile.
Billboards in Japan wait for pedestrians to pass by, assess the consumer profile of the passers-by, and then show different advertising messages according to the evaluation results.

Yes, many companies, even today's early adopters, have been warned about much of this predicted future. With the emergence of new ways of creating value, current business models, which are largely based on static information structures, face challenges. If you can sense a buyer's state of mind at a specific place and time, dynamic pricing may increase the likelihood of a purchase. Knowing how often and how intensively a product is used might yield more, for example by charging usage fees instead of selling directly. Manufacturing processes that many people are responsible for controlling can be controlled more accurately, improving production efficiency. Likewise, when operating systems are constantly monitored for the emergence of danger, or people can take corrective measures to avoid damage, risk and cost are reduced. Companies that make the fullest use of these capabilities will gain more profit than their competitors.

Wide adoption of the Internet of Things will take time, but thanks to advances in the underlying technologies, the timeline is moving forward. Wireless technology and the further standardization of communication protocols make it possible to collect information from sensors at any time. Building on this, small silicon chips are being given new functions while, following the pattern of Moore's law, their cost is falling. These developments greatly increase the storage capacity and computing power of computers; the scope of some digital operations has been extended through cloud computing, which also reduces cost.

The Internet of Things at work

For companies that are not at the forefront of these technologies, the IoT is news. But as these technologies mature, the scope of enterprise deployment will increase.
Now is the time for managers in all industries to build ideas and consider the potential to be gained from the Internet of Things and the developments of the times. We now know that there are six different types of emerging applications, most of which belong to the following two categories: first, information and analysis; second, automation and control.

Information and analysis

As networks increasingly link products, company assets, or the data management environment, they will produce better information and analysis, which is important for improving decision making. Some organizations have begun to deploy these applications in targeted areas, while more advanced and demanding applications are still in the concept or test phase.

1. Tracking behavior

With sensors embedded in products, an enterprise can track the movements of these products and even monitor its interactions with them. Business models can be adjusted slightly to take advantage of this behavioral data. For example, some insurance companies offer to install position sensors in cars. The insurance company can then determine the premium according to how the car is driven and where it travels. Insurance can be customized to the actual risk of operating the vehicle, rather than based on factors such as the driver's age, gender, or place of residence.

Or consider what happens when sensors and network connections are installed in taxis: the cars can be rented to members of a car rental service for short periods, so that rental service centers are no longer needed, and the use of each car can be optimized for higher revenue. The company Zipcar pioneered this model, and a growing number of car rental companies are beginning to follow suit. In retail, sensors that record shoppers' data can provide more detailed information or offer discount information, making shopping easier.
Leaders such as the Tesco supermarket chain are at the forefront of the use of this technology.

The English name is "The Internet of Things", hereinafter referred to as the IoT. Through sensing devices such as radio frequency identification (RFID) technology and global positioning system (GPS) technology, the Internet of Things collects in real time, from any object or process that needs to be monitored, connected, or interacted with, whatever information is needed, such as sound, light, heat, electricity, mechanics, chemistry, biology, and location. Through all kinds of possible network access, it links things with things and things with people, in order to achieve intelligent perception, identification, and management of objects and processes. The Internet of Things is the integrated application of intelligent sensing and recognition technology, pervasive computing, and ubiquitous networks, and is known as the third wave of development of the world information industry after the computer and the Internet. Rather than saying that the Internet of Things is a network, it is better to say that the Internet of Things is business and applications; the Internet of Things is also seen as an extension of Internet applications. Application innovation is the core of the development of the Internet of Things, and innovation with user experience at its core is the soul of the development of the Internet of Things.

2. The meaning of "thing"

Here a "thing" can be included in the scope of the "Internet of Things" only if it satisfies the following conditions:

1. It should have a receiver for the corresponding information;
2. It must have a data transmission channel;
3. It should have a storage function;
4. It should have a CPU;
5. It must have an operating system;
6. It should have dedicated applications;
7. It must have a data sender;
8. It should follow the communication protocol of the Internet of Things;
9. It should have a unique number in the network by which it can be identified.

3. The "Chinese" definition

The Internet of Things refers to ubiquitous end devices and facilities, including those with "inherent intelligence", such as sensors, mobile terminals, industrial systems, building control systems, home intelligent facilities, and video monitoring systems, and those that are "externally enabled", such as various assets fitted with RFID, and individuals and vehicles carrying wireless terminals, i.e. "intelligent objects or animals" or "smart dust" (motes). Through a variety of wireless and/or wired, long-distance and/or short-distance communication networks, these achieve connectivity (M2M), application integration (Grand Integration), and a cloud-based SaaS operation mode. In an internal network (Intranet), private network (Extranet), and/or Internet environment, and with appropriate information security mechanisms, they provide safe, controllable, and even personalized management and service functions, such as real-time online monitoring, location tracing, alarm linkage, dispatch control, program management, remote control, security protection, remote maintenance, online upgrade, statistical reporting, decision support, and leadership desktops (cockpit dashboard displays), so as to achieve the integration of "management, control, and operation" of "all things" in a way that is "efficient, energy saving, safe, and environmentally friendly".

4. The EU definition

In September 2009, at the China-EU seminar on the Internet of Things and the enterprise environment held in Beijing, Dr. Lorent Ferderix, head of the RFID department of the European Commission's Information Society and Media Directorate, gave the following definition of the Internet of Things: the Internet of Things is a dynamic global network infrastructure with self-organizing capabilities based on standard and interoperable communication protocols, in which physical and virtual "things" have identities, physical attributes, virtual characteristics, and intelligent interfaces, and are seamlessly integrated into the information network.
The IoT, together with the Internet of media and the Internet of services, will constitute the future Internet.

Changes

The term IoT (Internet of Things), as widely recognized at home and abroad, was first proposed in 1999 by Professor Ashton of the MIT Auto-ID Center in the course of RFID research. In 2005, in a report of the same name released by the International Telecommunication Union (ITU), the definition and scope of the Internet of Things changed, and its coverage was greatly extended; it no longer refers only to an IoT based on RFID technology.

Since August 2009, when Prime Minister Wen Jiabao put forward "Experience China", the Internet of Things has been officially listed as one of five major emerging strategic industries and written into the "government work report". The Internet of Things has received great attention from the whole of society in China, to a degree unmatched in the United States, the European Union, and the rest of the world.

The concept of the Internet of Things is not so much a foreign concept as it is already a "made in China" concept. Its coverage has advanced with the times and has exceeded the scope referred to by Professor Ashton in 1999 and by the ITU report in 2005; the Internet of Things has been labeled "Chinese".

The Internet of Things: more and more modules and sensors form embedded systems, thereby enhancing their communication capabilities.

Computer Networks Literature Translation Report


English original:

CHAPTER 8 Security in Computer Networks

Way back in Section 1.6 we described some of the more prevalent and damaging classes of Internet attacks, including malware attacks, denial of service, sniffing, source masquerading, and message modification and deletion. Although we have since learned a tremendous amount about computer networks, we still haven’t examined how to secure networks from those attacks. Equipped with our newly acquired expertise in computer networking and Internet protocols, we’ll now study in-depth secure communication and, in particular, how computer networks can be defended from those nasty bad guys.

Let us introduce Alice and Bob, two people who want to communicate and wish to do so “securely.” This being a networking text, we should remark that Alice and Bob could be two routers that want to exchange routing tables securely, a client and server that want to establish a secure transport connection, or two e-mail applications that want to exchange secure e-mail—all case studies that we will consider later in this chapter. Alice and Bob are well-known fixtures in the security community, perhaps because their names are more fun than a generic entity named “A” that wants to communicate securely with a generic entity named “B.” Love affairs, wartime communication, and business transactions are the commonly cited human needs for secure communications; preferring the first to the latter two, we’re happy to use Alice and Bob as our sender and receiver, and imagine them in this first scenario.

We said that Alice and Bob want to communicate and wish to do so “securely,” but what precisely does this mean? As we will see, security (like love) is a many-splendored thing; that is, there are many facets to security. Certainly, Alice and Bob would like for the contents of their communication to remain secret from an eavesdropper.
They probably would also like to make sure that when they are communicating, they are indeed communicating with each other, and that if their communication is tampered with by an eavesdropper, that this tampering is detected. In the first part of this chapter, we’ll cover the fundamental cryptography techniques that allow for encrypting communication, authenticating the party with whom one is communicating, and ensuring message integrity.

In the second part of this chapter, we’ll examine how the fundamental cryptography principles can be used to create secure networking protocols. Once again taking a top-down approach, we’ll examine secure protocols in each of the (top four) layers, beginning with the application layer. We’ll examine how to secure e-mail, how to secure a TCP connection, how to provide blanket security at the network layer, and how to secure a wireless LAN. In the third part of this chapter we’ll consider operational security, which is about protecting organizational networks from attacks. In particular, we’ll take a careful look at how firewalls and intrusion detection systems can enhance the security of an organizational network.

What Is Network Security?

Let’s begin our study of network security by returning to our lovers, Alice and Bob, who want to communicate “securely.” What precisely does this mean? Certainly, Alice wants only Bob to be able to understand a message that she has sent, even though they are communicating over an insecure medium where an intruder (Trudy, the intruder) may intercept whatever is transmitted from Alice to Bob. Bob also wants to be sure that the message he receives from Alice was indeed sent by Alice, and Alice wants to make sure that the person with whom she is communicating is indeed Bob. Alice and Bob also want to make sure that the contents of their messages have not been altered in transit.
They also want to be assured that they can communicate in the first place (i.e., that no one denies them access to the resources needed to communicate). Given these considerations, we can identify the following desirable properties of secure communication.

● Confidentiality. Only the sender and intended receiver should be able to understand the contents of the transmitted message. Because eavesdroppers may intercept the message, this necessarily requires that the message be somehow encrypted so that an intercepted message cannot be understood by an interceptor. This aspect of confidentiality is probably the most commonly perceived meaning of the term secure communication. We’ll study cryptographic techniques for encrypting and decrypting data in Section 8.2.

● Message integrity. Alice and Bob want to ensure that the content of their communication is not altered, either maliciously or by accident, in transit. Extensions to the checksumming techniques that we encountered in reliable transport and data link protocols can be used to provide such message integrity. We will study message integrity in Section 8.3.

● End-point authentication. Both the sender and receiver should be able to confirm the identity of the other party involved in the communication—to confirm that the other party is indeed who or what they claim to be. Face-to-face human communication solves this problem easily by visual recognition. When communicating entities exchange messages over a medium where they cannot see the other party, authentication is not so simple. When a user wants to access an inbox, how does the mail server verify that the user is the person he or she claims to be? We study end-point authentication in Section 8.4.

● Operational security. Almost all organizations (companies, universities, and so on) today have networks that are attached to the public Internet. These networks therefore can potentially be compromised.
Attackers can attempt to deposit worms into the hosts in the network, obtain corporate secrets, map the internal network configurations, and launch DoS attacks. We’ll see in Section 8.9 that operational devices such as firewalls and intrusion detection systems are used to counter attacks against an organization’s network. A firewall sits between the organization’s network and the public network, controlling packet access to and from the network. An intrusion detection system performs “deep packet inspection,” alerting the network administrators about suspicious activity.

Having established what we mean by network security, let’s next consider exactly what information an intruder may have access to, and what actions can be taken by the intruder. Figure 8.1 illustrates the scenario. Alice, the sender, wants to send data to Bob, the receiver. In order to exchange data securely, while meeting the requirements of confidentiality, end-point authentication, and message integrity, Alice and Bob will exchange control messages and data messages (in much the same way that TCP senders and receivers exchange control segments and data segments). All or some of these messages will typically be encrypted. As discussed in Section 1.6, an intruder can potentially perform

● eavesdropping—sniffing and recording control and data messages on the channel.

● modification, insertion, or deletion of messages or message content.

Figure 8.1 Sender, receiver, and intruder (Alice, Bob, and Trudy)

As we’ll see, unless appropriate countermeasures are taken, these capabilities allow an intruder to mount a wide variety of security attacks: snooping on communication (possibly stealing passwords and data), impersonating another entity, hijacking an ongoing session, denying service to legitimate network users by overloading system resources, and so on.
A summary of reported attacks is maintained at the CERT Coordination Center [CERT 2012].

Having established that there are indeed real threats loose in the Internet, what are the Internet equivalents of Alice and Bob, our friends who need to communicate securely? Certainly, Bob and Alice might be human users at two end systems, for example, a real Alice and a real Bob who really do want to exchange secure e-mail. They might also be participants in an electronic commerce transaction. For example, a real Bob might want to transfer his credit card number securely to a Web server to purchase an item online. Similarly, a real Alice might want to interact with her bank online. The parties needing secure communication might themselves also be part of the network infrastructure. Recall that the domain name system (DNS, see Section 2.5) or routing daemons that exchange routing information (see Section 4.6) require secure communication between two parties. The same is true for network management applications, a topic we examine in Chapter 9. An intruder that could actively interfere with DNS lookups (as discussed in Section 2.5), routing computations [RFC 4272], or network management functions [RFC 3414] could wreak havoc in the Internet.

Having now established the framework, a few of the most important definitions, and the need for network security, let us next delve into cryptography. While the use of cryptography in providing confidentiality is self-evident, we’ll see shortly that it is also central to providing end-point authentication and message integrity—making cryptography a cornerstone of network security.

Principles of Cryptography

Although cryptography has a long history dating back at least as far as Julius Caesar, modern cryptographic techniques, including many of those used in the Internet, are based on advances made in the past 30 years.
Kahn’s book, The Codebreakers [Kahn 1967], and Singh’s book, The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography [Singh 1999], provide a fascinating look at the long history of cryptography. A complete discussion of cryptography itself requires a complete book [Kaufman 1995; Schneier 1995] and so we only touch on the essential aspects of cryptography, particularly as they are practiced on the Internet. We also note that while our focus in this section will be on the use of cryptography for confidentiality, we’ll see shortly that cryptographic techniques are inextricably woven into authentication, message integrity, nonrepudiation, and more.

Cryptographic techniques allow a sender to disguise data so that an intruder can gain no information from the intercepted data. The receiver, of course, must be able to recover the original data from the disguised data. Figure 8.2 illustrates some of the important terminology.

Suppose now that Alice wants to send a message to Bob. Alice’s message in its original form (for example, “Bob, I love you. Alice”) is known as plaintext, or cleartext. Alice encrypts her plaintext message using an encryption algorithm so that the encrypted message, known as ciphertext, looks unintelligible to any intruder. Interestingly, in many modern cryptographic systems, including those used in the Internet, the encryption technique itself is known—published, standardized, and available to everyone (for example, [RFC 1321; RFC 3447; RFC 2420; NIST 2001]), even a potential intruder! Clearly, if everyone knows the method for encoding data, then there must be some secret information that prevents an intruder from decrypting the transmitted data. This is where keys come in.

Figure 8.2 Cryptographic components

In Figure 8.2, Alice provides a key, $K_A$, a string of numbers or characters, as input to the encryption algorithm.
The encryption algorithm takes the key and the plaintext message, $m$, as input and produces ciphertext as output. The notation $K_A(m)$ refers to the ciphertext form (encrypted using the key $K_A$) of the plaintext message, $m$. The actual encryption algorithm that uses key $K_A$ will be evident from the context. Similarly, Bob will provide a key, $K_B$, to the decryption algorithm that takes the ciphertext and Bob’s key as input and produces the original plaintext as output. That is, if Bob receives an encrypted message $K_A(m)$, he decrypts it by computing $K_B(K_A(m)) = m$. In symmetric key systems, Alice’s and Bob’s keys are identical and are secret. In public key systems, a pair of keys is used. One of the keys is known to both Bob and Alice (indeed, it is known to the whole world). The other key is known only by either Bob or Alice (but not both).

Translation:

Chapter 8 Security in Computer Networks

Back in Section 1.6 we described some of the prevalent and dangerous network attacks, including malicious software attacks, denial of service, sniffing, source masquerading, and message modification and deletion.

Computer Networks: Chinese-English Translated Foreign Literature


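Chinese-English foreign-language material translation: Computer Networks

A computer network, often simply called a network, is a set of computers and devices joined by communication channels, which makes it easier for users to communicate and to share resources.

Networks can be classified according to a variety of characteristics.

A computer network allows resources and information to be shared among interconnected devices.

I. History

Early computer network communication began in the late 1950s and included the military radar system Semi-Automatic Ground Environment and its commercial relative, the airline reservation system Semi-Automatic Business Research Environment.

In 1957 Russia launched an artificial satellite into space.

Eighteen months later, the United States established the Advanced Research Projects Agency (ARPA) and launched its first artificial satellite.

The information was then shared with another computer on the ARPANET.

The person responsible for all this was the American Dr. Licklider (莱德里尔克).

The ARPANET came from India, and in 1969 India changed its name to the Internet.

In the 1960s, the Advanced Research Projects Agency (ARPA) began funding the design of the Advanced Research Projects Agency Network (ARPANET) for the United States Department of Defense.

Development of the Internet began in 1969, building on design work that started in the 1960s; from this, the ARPANET evolved into the modern Internet.

II. Purpose

Computer networks can be used for a variety of purposes:

Facilitating communication: using a network, people can easily communicate by e-mail, instant messaging, chat rooms, telephone, video telephone calls and video conferencing.

Sharing hardware: in a networked environment, each computer can access and use hardware resources on the network, for example printing a document on a network printer.

Sharing files, data and information: in a networked environment, authorized users can access data and information stored on other computers on the network.

The ability to provide access to data and information on shared storage devices is an important feature of many networks.

Sharing software: users can connect to network applications running on remote computers.

Information preservation.

Security assurance.

III. Network classification

The following list shows the categories used to classify networks:

3.1 Connection method

Computer networks can be classified by the hardware and software technology used to connect the individual devices, such as optical fiber, LAN, wireless LAN, home networking devices, cable communication and G.hn (a wired home networking standard).

Ethernet, as defined by the IEEE 802 standards, is a network that uses various media to let devices communicate with each other.

Commonly deployed devices include network hubs, switches, bridges and routers.

Wireless LAN technology uses wireless devices to make the connection.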

Foreign-Language Literature on Heterogeneous Network Security


Int. J. Inf. Secur. (2009) 8:233–246
DOI 10.1007/s10207-009-0077-2
REGULAR CONTRIBUTION

Ensuring security in depth based on heterogeneous network security technologies

Meharouech Sourour · Bouhoula Adel · Abbes Tarek

Published online: 24 March 2009
© Springer-Verlag 2009

Abstract With the explosive growth of Internet connectivity that includes not only end-hosts but also pervasive devices, security becomes a requirement for enterprises. Although a significant effort has been made by the research community to develop defense techniques against security attacks, less focus has been given to managing security configuration efficiently. Network security devices, such as firewalls, intrusion detection and prevention systems, honeypots and vulnerability scanners, operate as stand-alone systems, each solving a particular security problem. Yet these devices are not necessarily independent. The focus of this work is a security infrastructure in which multiple security devices form a global security layer. Each component is defined with respect to the others and interacts dynamically and automatically with the different security devices in order to choose the best solution to launch to prevent the final malicious objective. Our solution aims at solving, at the same time, the need for active defence, speed, reliability, accuracy and usability of the network.

Keywords Network security · Security technologies · Management of interaction · Devices’ collaboration

M. Sourour (B) · B. Adel · A. Tarek
Digital Security Unit, Higher School of Communications SupCom, Tunis, Tunisia
e-mail: m.sourour@voila.fr
B. Adel
e-mail: adel.bouhoula@supcom.rnu.tn
A. Tarek
e-mail: Tarek.Abbes@loria.fr

1 Introduction

Security in the enterprise has become the primary concern of IT managers. The challenges of securing enterprise networks have become overwhelming and are still growing. To improve their network security, organizations have sought solutions such as firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), honeypots, and vulnerability scanners (VS). However, even with the massive deployment of several security products, the network is not protected. In fact, the 2003 Computer Security Institute/FBI Computer Crime and Security Survey indicates that the total annual losses reported in 2003 were $201,797,340 [6]. The problem is that security solutions are implemented as stand-alone systems and are used for solving particular security problems.

A firewall is designed to provide traffic control by allowing or blocking connections according to a security policy. The 2001 Computer Security Institute/FBI Computer Crime and Security Survey [16] shows that firewall technologies are in wide use in organizational systems; indeed, 95% of respondents use firewalls to protect their networks. However, firewalls are not always effective against many intrusion attempts. The problem is that many exploits attempt to take advantage of weaknesses in protocols that are allowed through our firewalls. Another problem is that firewalls are typically deployed at the network perimeter, so they cannot prevent attacks coming from the intranet; however, many attacks are launched from within an organization [21].

Intrusion detection systems are also an essential tool for monitoring safety in computer systems and networks. The 2001 CSI/FBI Computer Crime and Security Survey [16] shows that 61% of respondents use IDSs to protect their networks. IDSs are responsible for identifying suspicious activity and notifying the network administrator about it.
However, IDSs are passive; their goal is to detect attacks, not to prevent them. The detection of a suspected intrusion typically triggers a manual response from a system administrator; too often this comes too late. In fact, recent worms have such fast propagation speeds that by the time an alert is generated, the damage is done and spreading fast. So the demand not only to be alerted in the event of an attack but also to prevent the attack altogether has become an absolute necessity and has led to increased use of IPSs. The 2004 CSI/FBI survey [9] was the first to ask organizations about the use of IPS technology. The question got a 45% response rate. In fact, IPSs have the same detection methods as IDSs (anomaly detection and misuse detection). Their biggest advantage is the potential to respond in real time. However, IPSs are not always effective. There are a number of problems that stem from the fact that the IPS device is designed to work inline. In fact, if an in-line device fails, it can seriously affect the performance of the network. If the IPS fails, the traffic stops and the network becomes unavailable; in this case it is a self-inflicted denial of service. There is also the problem of false positives, which is more serious in the context of intrusion prevention. A false positive occurs because the intrusion system misinterprets normal packets or activities as an attack. While a passive IDS can afford to make mistakes, an active IPS cannot; otherwise it will cause more problems than it solves.
In fact, if the IPS treats normal traffic as malicious, it will cause denial of service to a valid user.

Concerning the VS, also known as a vulnerability assessment tool, its role is to detect vulnerabilities on hosts in a network. Vulnerabilities constitute weaknesses in a system that could potentially be exploited by malicious hackers. These weaknesses might be in the operating system, the application software, the computer server hardware, etc. But current VSs have many disadvantages. In fact, a VS cannot prove that a host is not vulnerable and does not provide detection of attacks.

Honeypots have been used in many ways to solve different security problems [8]. One of the main applications of honeypots is detection [5]. Several authors state that honeypots should be classified as a special kind of IDS [4]. In fact, a honeypot system simulates computers on the network, allows attackers to interact with them and provides the attackers with all the necessary resources needed for a successful attack, so that the full extent of their behavior can be recorded and studied. Although honeypots have gained much acceptance nowadays, they present some weaknesses. In fact, security operators have considered that any interaction with a honeypot is most likely an unauthorized or malicious activity, whereas Tang [19] shows that many interactions with a honeypot are not real attacks. Honeypots are also passive; detection of a suspected intrusion typically triggers a manual response from a system administrator.

As shown, each security device has some weaknesses that are detrimental to the network. In addition, each security device is optimized for a specific purpose and is not designed to communicate with the others about its findings.
So, having examined the capabilities and the weaknesses of each security technology, we propose in this paper a security layer based on all the devices involved. The solution aims at solving, at the same time, the need for active defence, speed, reliability, accuracy and usability of the network. In fact, our architecture combines all these network security solutions, permits an exchange of information and authorizes automatic reconfiguration of devices. Each security component in the system attempts to overcome the shortcomings of the others and helps the system to take the best decisions based on what is appropriate to the actual situation of the protected system.

The remainder of this paper is organized as follows. Section 2 discusses related work. Section 3 describes the architecture of our proposed system and the role of each component. We show in Sect. 4 the advantage of our solution. Sections 5 and 6 describe the details of the main components. Section 7 presents the collaboration between honeypot and firewall and Sect. 8 presents the collaboration between honeypot and IPSs. Section 9 designs a communication infrastructure for the exchange of security events within the architecture. Section 10 evaluates the solution. Finally, in Sect. 11 we summarize the paper and outline future work.

2 Previous works

Among the works that attempt to overcome the shortcomings of IDSs with honeypot technology, we highlight the work of Tang [19]. The solution implements an IDS in a honeypot and presents HonIDS, a honeypot system for detecting malicious hosts and intruders in a local network. HonIDS is characterized by its layered structure and is enhanced by two detection models: the TFRPP (times, frequency, range, port risk, average payload length) model and the Bayes model. The basic idea of the authors is to judge whether an interaction with the honeypots is an attack or normal activity. The solution aims at identifying intruders by analyzing the plentiful and global events of honeypots. Kuwatly [13] designs a dynamic honeypot for intrusion detection. In fact, the paper discusses the design of a dynamic honeypot, which is an autonomous honeypot capable of adapting to a dynamic and constantly changing network environment. The dynamic honeypot approach integrates passive or active probing and virtual honeypots. The solution emphasizes the detection function and serves the major purpose of detecting intruders and malicious hosts to secure the local network. Artaila [1] proposes a hybrid and adaptable honeypot-based approach that improves the currently deployed IDSs for protecting networks from intruders. The main idea is to deploy low-interaction honeypots that act as emulators of services and operating systems and have them direct malicious traffic to high-interaction honeypots, where hackers engage with real services. The setup permits recording and analyzing the intruder’s activities and using the results to take administrative actions toward protecting the network.

To improve network security, Lai [14] proposes a solution where access controls are used to block the vulnerabilities from malicious users. The access control setting consists of the port number and the IP address. After access control is set, none of the vulnerabilities via that port on the host can be exploited. By referring to the physical connections of hosts, system managers can efficiently improve network security by setting access controls to block vulnerabilities via these ports. One access control may block several vulnerabilities on a host.

Among the works that combine IDS and VS, we highlight the solution of Yu [20]. The architecture aims at reducing false-positive alerts by integrating the VS information into the evaluation process of the IDS and correlating events based on logical relations to generate global and synthesized alerts. The work in [15] automatically filters valuable and relevant attack alerts from the noise generated by false positives. This automation is accomplished by correlating IDS alerts with “environmental data” gathered by a vulnerability assessment tool. In fact, the solution uses attack versus operating system and attack versus vulnerability correlations in order to perform an effective IDS analysis.

Other research presents collaboration between firewalls and IDSs. In fact, the IDS capability of examining protocols in detail nicely complements the firewall’s role in restricting the number of services and servers that need to be considered. Similarly, the IDS tendency to integrate information across multiple connections makes it possible to recognize port scans that a firewall on its own would miss. Some IDSs have the capability to kill off existing connections if they are found to be carrying dubious traffic; this can complement the firewall’s decision to pass a connection, which is made as the service is opened, before any traffic passes through it. Whilst this combination has clear advantages, it must be used with caution, since an attacker could manipulate the IDS into instructing the firewall to block legitimate connections, thereby denying service. Besides, not all commercial firewalls offer the option of reconfiguration by IDSs, due to the huge number of errors made by this tool. In fact, it has been estimated that up to 99% of alerts reported by IDSs are false positives [15].

With respect to previous work, our solution presents a security architecture combining several components and providing a communication infrastructure for these security devices. The exchange of security events between individual security components allows automatic corrective action without user intervention, while keeping the ability to adapt to an evolving environment.

3 System architecture

Figure 1 presents the system we suggest to improve network security. Different security tools collaborate closely to enhance protection and to provide global-layer defense. In fact, we use a firewall, network intrusion prevention systems, a VS and a honeypot system. We also use a network-knowledge base and a vulnerability-knowledge base to store all the network information.

Fig. 1 System architecture

1. Firewall: in addition to its role of blocking unauthorized traffic, our firewall provides the capability, through a synergistic relationship with the honeypot, of automatic policy modifications, allowing or disallowing a particular type of traffic from a specific source for a given period.
2. Intrusions prevention architecture: it contains a load balancing module that divides the traffic between a number of IPSs. Our IPSs also provide self-correction actions based on the information collected by the VS.
3. Vulnerability scanner: it performs a diagnostic analysis of the protected system to identify the existing vulnerabilities in the computers, services and network infrastructure.
4. Vulnerability-knowledge base: the results found by the VS are recorded in the vulnerability-knowledge base and updated at each test carried out by the scanner. These results are used during the intrusion analysis phase.
5. Network knowledge base: it serves to store all the hosts’ information (i.e. operating systems, services, software version, applications, etc.). Besides, if a host has been authorized to do a special action, this information is reported in this base by the administrator. Examples of special actions are network scan and service scan. In fact, these actions are malicious unless the computer performing them has been authorized to do so.
6. Network agent: it collects the hosts’ information from the network and stores this information in the network knowledge base.
7. Honeypot: in our architecture, the honeypot is deployed to resolve the case where the IPSs cannot take a decision. It learns more about intrusive traffic taken as “unknown” by our IPSs.

4 How our security layer meets the different needs

We show in this section how our security layer meets the needs for speed, availability, reliability and accuracy at the same time. In fact, the firewall reduces the amount of traffic that can reach our IPSs. Our architecture also enables parallel data processing between a number of IPSs, which reduces the processing requirement per analyser.

Our architecture provides the option of an active-active fail-over. In case of a problem, the system takes the failed IPS out of service and sends its traffic to the other active IPSs. In addition, an IPS requires a reboot after receiving updates. When operating inline, rebooting a sensor poses a problem for the duration of the reboot. However, with the fail-over we can give the active IPSs the extra load while the others are updated.

Another problem is the use of cryptographic protocols.
In fact, this technology presents a difficult challenge to IPSs; inspection of encrypted data generates a high rate of false positives and false negatives. To solve this problem, our firewall can redirect protocols that the IPS cannot inspect, such as SSH and HTTPS.

The lack of “environmental awareness” triggers many false positives and false negatives. Actions that are malicious in certain environments may be normal in others [3]. However, our system is aware of the network infrastructure, the components, the operating system, the services and the applications running. So, when the IPS is in doubt about the nature of traffic, it extracts information from the two bases to validate the traffic efficiently and effectively and takes the adequate decision.

5 Intrusions prevention architecture

The network data received from the firewall is balanced between at least two IPSs (Fig. 2). The balancing is performed in a stateful way that guarantees the detection of all the threat scenarios. If a random division were used, different parts of an attack might be assigned to different slices, which could result in missed attacks. In our load balancing algorithm, however, packets that belong to the same session are analysed by the same self-correction IPS. Our load balancing algorithm was described in detail in a previous work [18].

Fig. 2 Intrusions prevention architecture

The self-correction IPS is an IPS with the ability to evaluate and judge the appropriateness and the relevance of its action before blocking or allowing the traffic. In fact, each self-correction IPS interacts with the network and vulnerability knowledge bases to take the best decisions based on what is appropriate to the situation of the protected system at that time.

6 Self-correction IPS

As noted above, our self-correction IPSs have the ability to evaluate and judge the appropriateness and the relevance of their responses based on auto-corrective actions.

The implementation of the self-correction IPS is shown in Fig. 3. This device contains three modules: a receiver module, an analysis module and a data process module.

• Receiver module: it receives network traffic and stores packets in order of arrival for further analysis by the analysis module.
• Analysis module: it analyses traffic to find patterns that match the description of an attack. After being processed, packets which were taken as secure are allowed immediately to pass through the network. Packets which were taken as intrusive must be processed further by the data process module in order to be sure that they represent real attacks and that we do not block legitimate traffic.
• Data process module: it interacts with the network and the vulnerability knowledge bases to roughly evaluate traffic taken as intrusive. This module classifies traffic into three types: valid traffic, intrusive traffic and unknown traffic. Validated traffic is allowed to pass immediately through the network, intrusive traffic is discarded and packets taken as unknown are allowed to pass through the network but with care. In fact, the honeypot deployed in our security layer receives all packets taken as unknown by the data process module to learn more about this traffic and to see whether they make up an attack. The data process module is based on two phases, a start-up phase and an operational phase.

Fig. 3 Self-correction IPSs (blocks: receiver module, analysis module, data process module)

6.1 Start-up phase

During the start-up phase, the vulnerability knowledge base is initialized with the VS findings. In fact, the vulnerability knowledge base contains two types of information (Fig. 4): the Attack/Vulnerability IDs table and the vulnerability report. The Attack/Vulnerability IDs table permits matching pairs of attack IDs and vulnerability IDs. In fact, there is a well-defined association between a specific attack and the vulnerability(ies) a system must have for that attack to be successful. So, by collecting and keeping this table up to date, the data process module correctly identifies whether or not the vulnerability exists for a specific ID_attack. This table is necessary but not sufficient because, on the one hand, certain attacks do not exploit vulnerabilities. On the other hand, even if an attack exploits a vulnerability in the system, the intrusion system may not mention this vulnerability. In fact, not all attack signatures have assigned vulnerability IDs. That is why we also need to record the vulnerability report in the vulnerability knowledge base. Our Attack/Vulnerability IDs table is mapped based on the standardized naming scheme CVE [7]. In fact, CVE names have been developed as identifiers to uniquely reference and directly map attack and vulnerability information. Our vulnerability-knowledge base is updated at each test carried out by the VS. In fact, our scanner runs at intervals to maintain updated vulnerability information.

The network knowledge base contains two types of information (Fig. 4): the hosts’ information report (operating system, services supported, applications running, software version, etc.) and the Attack/Host IDs table. The Attack/Host IDs table permits matching pairs of ID-attacks and ID-hosts, and it is necessary when there are hosts in the network that are authorized to do actions which can be taken as malicious, for example performing a network scan. So, by collecting and keeping this table up to date, the data process module correctly identifies the hosts and validates their authorization to do a specific out-of-normal action. In the Attack/Host IDs table, the ID_Action represents the ID_Attack (CVE identifier), since the action is an attack, and the ID_Host represents the identifier of the source of the action (IP address). There are two important requirements for the Attack/Host IDs table: correctness and completeness. Mistaken information will block good traffic or allow malicious traffic to pass. Also, missing ID_Action/ID_Host pairs increase the processing time, since good traffic will be evaluated further without necessity. The Attack/Host IDs table is updated by the security operator, who enables some hosts to do special actions and disables others.

Fig. 4 Vulnerability and network knowledge bases’ information

Concerning the hosts’ information report, it contains low-level details of the hosts’ system and configuration information. This information is collected and updated by the network agent and it is used in the evaluation process to correctly identify intrusions and rank the severity of attacks. In fact, this information is very important to validate the traffic. However, the state of the network is continuously changing (a user might install new applications, a host running Windows can reboot and become Linux, a web server can be replaced by another version or product). So, we propose that our network agent updates the network knowledge dynamically and constantly to reflect the changes in the protected system. As shown in Fig. 5, a host agent is installed on each host in the monitored network. The host agents collect low-level details of the host’s system and configuration information. Each host agent identifies the state of its host (up or down), the host name, the operating systems, active TCP and UDP services supported, open ports and the applications running behind those ports, the software version, etc. The host agents are also intelligent and detect any change of the system where they are running. Host agents do not communicate with each other. Instead, they all communicate with the network agent.

Fig. 5 Network agent

Hosts’ information collected from host agents is first sent to the network agent. This component then stores the information in the appropriate places in the network knowledge base. To enable coordination between the host agents and the network agent, we have adopted KQML [2] as an agent communication language (ACL).

6.2 Operational phase: collaboration between self-correction IPSs and data bases

During the operational phase, the self-correction IPSs exchange information with the vulnerability and the network knowledge bases in order to correctly validate the traffic. In fact, the data process module automatically generates and sends requests to the network and vulnerability bases in order to determine the appropriate response action. The data process module applies the process flow presented in Fig. 6 to any packet taken as intrusive by the analysis module. The following paragraphs explain our process:

1. The data process module extracts from the suspicious packet the source and destination addresses, the source and destination ports and the attack identifier. It then checks this information against the AH:table (Attack/Host IDs table) to determine whether the corresponding host is authorized to do this malicious action. If there is a match, the data is taken as valid traffic. Otherwise, the traffic evaluation goes to the next step.
2. In the second step, the data process module evaluates the traffic with the AV:table (Attack/Vulnerability IDs table). This evaluation determines whether the target host has a vulnerability for the specific attack. If there is a match, the data is taken as intrusive traffic. Otherwise, the data process module goes to the next step.
3. The data process module requires information about the system targeted by an attack. So, it consults the HI:Report (hosts’ information report) and the VA:Report (vulnerability report) to verify whether the protocol, the port, the service and the application targeted by the attack match those available on the target system. If there is no HI:Report or VA:Report, the traffic is considered as unknown. Otherwise, the data process module pushes the suspicious packet through different levels of filters. At the first level, the data process module determines whether the protocol/port the attack targets matches the available protocols/open ports on the target system. In case of a match, the existence of an active communication allows the validation of the traffic as intrusive. The next levels validate the service and the application, including the software version. So, the evaluation process extracts information from the HI:Report, and then it consults the vulnerability report to see whether the target service and application are vulnerable to this attack.

Fig. 6 Operational phase of the data process module

7 Collaboration between honeypot and firewall

In our architecture, the honeypot is an attempt to overcome the shortcomings of IPSs. In fact, IPSs are unable to discover new attacks. So, the deployment of the honeypot is important to detect new attacks and to know who our enemy is, what kind of strategy he uses, what tools he utilizes and what he is aiming for. Gathering this kind of information is not easy, but important. In fact, by knowing attack strategies, countermeasures can be improved.

In case of an “unknown packet”, the IPS does not block the traffic but allows it to pass “with care”. In fact, “with care” means that we send all the packets belonging to the specific connection to our honeypot. This component provides all the necessary resources needed. When the honeypot detects the attack (Fig. 7), it forwards an order to the firewall with the necessary information. In fact, the honeypot can detect the attack during or at the end of the communication. If it catches a hacker while an attack is being conducted, the firewall confirms the active communication and immediately stops the connection. If the honeypot detects the attack at the end of the communication, the attack has already passed into the network and might harm a computer. But the honeypot finding leads to knowledge of the attack, so the firewall will block the attacker from spreading to other network resources.

Fig. 7 Collaboration between honeypot and firewall

We have mentioned that the honeypot forwards an order to the firewall with the necessary information about the traffic to block. So, the firewall needs to be able to receive events from other devices, to automatically modify its policy rules, and to understand and execute the order.

To be able to receive and respond to security events accordingly, all the security devices have been extended with our communication infrastructure presented in Sect. 9. Every time an order is received, the firewall should modify its configuration rule base and recalculate it. So, we should now transform this requirement into configuration.
Our idea is that an incoming order will lead to the creation of a new rule within the firewall. In fact, firewall configuration is typically performed via rules. A rule can be divided into two parts. The left-hand side contains a set of parameters to be matched by the packet. The right-hand side specifies the action to be taken. The set of parameters generally includes the source IP address, destination IP address, source port, and destination port. The action allows or disallows the traffic to pass. So, we define our orders with respect to the firewall rules. Below is the schema of our order.

Order: $(\mathit{field}_1, \ldots, \mathit{field}_n) \rightarrow \text{action}, \text{time}$

where:

• $\mathit{field}_i \in$ {source IP address, destination IP address, source port, destination port}
• action = block the traffic
• time = the duration of the execution of the order. This parameter is fixed by the security operator and can take different values based on the time of day when an event is happening. In fact, the administrator might want to configure the system to respond differently. For example, if the attacker is detected during the daytime, the administrator wants a period of blockage sufficient for him to analyse the situation. However, if such an event happens during the night, the system should respond automatically by blocking this specific attacker all night.

We give below the different types of our order:

• Type 1: (address, port) → block, T1. This order blocks a particular host from using a particular service during a period T1.
• Type 2: (*, port) → block, T2. This order is used to block a particular service during a period T2.
• Type 3: (address, *) → block, T3. This order is used to block a particular host during a period T3.

8 Collaboration between honeypot and self-correction IPSs

We are now interested in the collaboration between the honeypot and the self-correction IPSs. In fact, the self-correction IPS should ensure a stateful analysis for the honeypot. In case of an “unknown packet”, the honeypot must receive all the packets (intrusive and normal) belonging to the communication to guarantee the detection of the threat scenarios. For this, we propose to record the identity of the connection in an arborescent structure. For each new connection forwarded to the honeypot, the IPS creates a new node. When the IPS receives a packet putting an end to a connection, it destroys the corresponding node. Each connection in our graph is based on a record structure named honypot connection. The honypot connection contains eight attributes: ID connection (identifier of the connection), adds connection (source address of the connection), addd connection (destination address of the connection), ports connection (source port of the connection), portd connection (destination port of the connection), IDattack connection (the identifier of the attack reported by
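The evaluation steps of Sect. 6.2 and the order schema of Sect. 7 above, as an added Python example that is not code from the paper. All hosts, the ATTACK-/VULN- identifiers, the block durations and the rule that a failed filter yields "unknown" are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

VALID, INTRUSIVE, UNKNOWN = "valid", "intrusive", "unknown"

# Knowledge bases. Every host, version and identifier here is constructed for
# this example; ATTACK-/VULN- strings are placeholders, not real CVE names.
AH_TABLE = {("ATTACK-0001", "10.0.0.5")}   # (ID_Action, ID_Host) pairs the operator authorized
AV_TABLE = {"ATTACK-0002": {"VULN-0002"}}  # ID_Attack -> vulnerability IDs it exploits
VA_REPORT = {"10.0.0.20": {"VULN-0002"}, "10.0.0.21": set()}  # scanner findings per host
HI_REPORT = {                              # host -> {(protocol, port): (service, version)}
    "10.0.0.20": {("tcp", 80): ("httpd", "2.0")},
    "10.0.0.21": {("tcp", 21): ("ftpd", "1.3")},
}


@dataclass(frozen=True)
class Suspect:
    """Fields extracted from a packet the analysis module flagged as intrusive."""
    src: str
    dst: str
    proto: str
    dport: int
    attack_id: str
    service: str = ""   # service and version the signature targets, if it names them
    version: str = ""


def classify(p: Suspect):
    """Return (verdict, reason) for one suspicious packet, following steps 1-3."""
    # Step 1: AH table. Is this source authorized for this out-of-normal action?
    if (p.attack_id, p.src) in AH_TABLE:
        return VALID, "source host is authorized for this action"
    # Step 2: AV table. Does the target have a vulnerability this attack exploits?
    if AV_TABLE.get(p.attack_id, set()) & VA_REPORT.get(p.dst, set()):
        return INTRUSIVE, "target is vulnerable to this attack"
    # Step 3: without both reports for the target, nothing can be verified.
    if p.dst not in HI_REPORT or p.dst not in VA_REPORT:
        return UNKNOWN, "no HI/VA report for the target"
    # Filter level 1: attacked protocol/port against the target's open ports.
    listener = HI_REPORT[p.dst].get((p.proto, p.dport))
    # Assumption: the page does not say what a failed filter yields; this
    # sketch returns "unknown" so the honeypot gets the connection.
    if listener is None:
        return UNKNOWN, "attacked port is not open on the target"
    # Next levels: service, then software version, when the signature names them.
    if p.service and p.service != listener[0]:
        return UNKNOWN, "signature targets a different service"
    if p.version and p.version != listener[1]:
        return UNKNOWN, "signature targets a different version"
    return INTRUSIVE, "every filter level the signature specifies matches the target"


@dataclass(frozen=True)
class Order:
    """Honeypot-to-firewall order: (address, port) -> block, time. None means '*'."""
    address: Optional[str]
    port: Optional[int]
    seconds: int


def block_seconds(hour: int) -> int:
    """Operator-chosen duration by time of day (both values are assumptions)."""
    return 15 * 60 if 8 <= hour < 18 else 12 * 3600


class Firewall:
    def __init__(self):
        self.rules = []  # (address, port, expires_at)

    def apply(self, order: Order, now: int) -> None:
        # Each incoming order becomes one new rule with an expiry time.
        self.rules.append((order.address, order.port, now + order.seconds))

    def blocks(self, src: str, dport: int, now: int) -> bool:
        self.rules = [r for r in self.rules if r[2] > now]  # drop expired rules
        return any(a in (None, src) and q in (None, dport) for a, q, _ in self.rules)


if __name__ == "__main__":
    fw = Firewall()
    samples = [  # constructed alerts
        Suspect("10.0.0.5", "10.0.0.20", "tcp", 80, "ATTACK-0001"),
        Suspect("203.0.113.9", "10.0.0.20", "tcp", 80, "ATTACK-0002"),
        Suspect("203.0.113.9", "10.0.0.21", "tcp", 21, "ATTACK-0009", "ftpd", "9.9"),
    ]
    for s in samples:
        verdict, reason = classify(s)
        print(s.src, "->", s.dst, s.dport, verdict, "(" + reason + ")")
    # Suppose the honeypot confirms the last, unknown connection as an attack at 03:00.
    fw.apply(Order("203.0.113.9", 21, block_seconds(3)), now=0)
    print(fw.blocks("203.0.113.9", 21, now=60), fw.blocks("203.0.113.9", 80, now=60))
```

Because every order carries an expiry, a block triggered by a wrong honeypot verdict lapses on its own, which bounds the denial-of-service risk that Sect. 2 raises for automatic firewall reconfiguration.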


Network Security: Translated Foreign Literature
Title: Internet Security: A Review of Current and Future Challenges
The internet has become an integral part of modern life, connecting people across the globe, enabling commerce, and driving innovation. However, with the increasing interconnectedness of our digital world comes a growing need for internet security. This article provides a review of current internet security challenges and explores the emerging threats and trends we can expect to see in the future.
1. Current Challenges
The primary challenge with internet security lies in the ever-changing nature of cyber threats. Hackers, nation-states, and cybercriminals are constantly developing new tools and techniques to bypass security measures and steal sensitive information. Ransomware, phishing, and identity theft are just a few examples of the common threats we see today.
Another major challenge is the lack of cybersecurity personnel. According to the 2022 Global Information Security Survey, 53% of organizations reported a shortage of cybersecurity staff. This shortage makes it difficult to stay ahead of the constantly evolving threat landscape.
2. Future Threats and Trends
As technology advances, we can expect to see an increase in the complexity and severity of cyber threats. Artificial intelligence (AI) and machine learning (ML) will play a larger role in both offensive and defensive cyber operations.
AI-powered autonomous hacking machines capable of launching sophisticated attacks or identifying and exploiting vulnerabilities are just one example of the emerging threats we may face.
The internet of things (IoT) will also present new challenges. As our physical devices become increasingly connected to the internet, they become potential targets for cybercriminals. IoT devices are often viewed as low-hanging fruit, as many of them have poor security protocols, making them easy prey for hackers.
3. Solutions and Recommendations
To stay ahead of internet security threats, organizations must prioritize investing in cybersecurity personnel and technologies. Regular software updates, strong password policies, and robust network firewalls are essential building blocks of any cybersecurity strategy.
Organizations should also prioritize implementing AI and ML-based security solutions. These technologies can help identify and prevent emerging threats by analyzing vast amounts of data and detecting patterns typical of malicious activity. Furthermore, IoT device manufacturers must prioritize building security into their products from the outset. This includes implementing strong encryption methods, updating software regularly, and providing customers with easy-to-use security features.
In conclusion, the internet remains a crucial element of modern life, but with the ever-growing complexity and severity of cyber threats, internet security must be a top priority. By investing in cybersecurity personnel and technologies, implementing AI and ML-based security solutions, and prioritizing IoT device security, organizations can better protect themselves against the ever-changing threat landscape.
