Zhi Fu scite author profile

Zhi Fu

5Publications

143Citation Statements Received

75Citation Statements Given

How they've been cited

270

143

How they cite others

Affiliations

China Academy of Information and Communications Technology, Motorola (United States), North Carolina State University

Publications

Order By: Most citations

IPSec/VPN Security Policy: Correctness, Conflict Detection, and Resolution

Huang³

et al. 2001

View full text Add to dashboard Cite

Abstract. IPSec (Internet Security Protocol Suite) functions will be executed correctly only if its policies are correctly specified and configured. Manual IPSec policy configuration is inefficient and error-prone. An erroneous policy could lead to communication blockade or serious security breach. In addition, even if policies are specified correctly in each domain, the diversified regional security policy enforcement can create significant problems for end-to-end communication because of interaction among policies in different domains. A policy management system is, therefore, demanded to systematically manage and verify various IPSec policies in order to ensure an end-to-end security service. This paper contributes to the development of an IPSec policy management system in two aspects. First, we defined a high-level security requirement, which not only is an essential component to automate the policy specification process of transforming from security requirements to specific IPSec policies but also can be used as criteria to detect conflicts among IPSec policies, i.e. policies are correct only if they satisfy all requirements. Second, we developed mechanisms to detect and resolve conflicts among IPSec policies in both intradomain and inter-domain environment.

show abstract

Botnet Research Survey

Zhu

Chen

et al. 2008

120

View full text Add to dashboard Cite

Automatic Generation of IPSec/VPN Security Policies In an Intra-Domain Environment

Fu¹,

Wu²

2001

View full text Add to dashboard Cite

IPSec [1] policies are widely deployed in firewalls or security gateways to protect information property. The security treatment (e.g. deny, allow or encrypt etc.) of all inbound or outbound traffic will be determined by the security policies, and thus it is critical for policies to be specified and configured correctly. IPSec policies are manually configured to individual security gateway in current practice, which could be very inefficient and error-prone. In this research, we focus on two questions: 1) How to ensure policy correctness? 2) How to systematically specify correct policies instead of manually configuring? Apparently, policies are correct if they do what they are wanted to do. However, there is vague relationship between what they are wanted and what they really do. In our research, we clearly defined a higher level policy, called security requirement, and clearly defined their satisfaction. Therefore, policies are correct only if they satisfy all requirements. Furthermore, we designed algorithms to automatically generate correct policies given security requirements. People can specify their requirements at a high level without concerning specific low level parameters, and then correct low level policies will be automatically generated. The automation can not only save tremendous administrative labor but also guarantee the policies are correct.

show abstract

Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms

Li¹,

Wang

Chen

et al. 2007

View full text Add to dashboard Cite

Abstract-It is crucial to detect zero-day polymorphic worms and to generate signatures at the edge network gateways or honeynets so that we can prevent the worms from propagating at their early phase. However, most existing network-based signatures generated are not vulnerability-based and can be easily evaded by attacks. In this paper, we propose generating vulnerability-based signatures on the network level without any host-level analysis of worm execution or vulnerable programs. As the first step, we design a network-based Length-based Signature Generator (LESG) for worms based on buffer overflow vulnerabilities 1 . The signatures generated are intrinsic to buffer overflows, and are very hard for attackers to evade. We further prove the attack resilience bounds even under worst case attacks with deliberate noise injection. Moreover, LESG is fast and noisetolerant and has efficient signature matching. Evaluation based on real-world vulnerabilities of various protocols and real network traffic demonstrates that LESG is promising in achieving these goals.

show abstract

Exception triggered DoS attacks on wireless networks

Zhao

Vemuri

Chen

et al. 2009

View full text Add to dashboard Cite

Security protocols are not as secure as we assumed. In this paper, we identified a practical way to launch DoS attacks on security protocols by triggering exceptions. Through experiments, we show that even the latest strongly authenticated protocols such as PEAP, EAP-TLS and EAP-TTLS are vulnerable to these attacks. Real attacks have been implemented and tested against TLS-based EAP protocols, the major family of security protocols for Wireless LAN, as well as the Return Routability of Mobile IPv6, an emerging lightweight security protocol in new IPv6 infrastructure. DoS attacks on PEAP, one popular TLS-based EAP protocol were performed and tested on a major university's wireless network, and the attacks were highly successful. We further tested the scalability of our attack through a series of ns-2 simulations. Countermeasures for detection of such attacks and improvements of the protocols to overcome these types of DoS attacks are also proposed and verified experimentally.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Zhi Fu

IPSec/VPN Security Policy: Correctness, Conflict Detection, and Resolution

Botnet Research Survey

Automatic Generation of IPSec/VPN Security Policies In an Intra-Domain Environment

Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms

Exception triggered DoS attacks on wireless networks

Contact Info

Product

Resources

About