Similar literature
20 similar documents found; search took 421 ms
1.
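To address network security situational awareness and active defence for electric power information systems, this paper introduces the concepts and techniques of network security situational awareness. To monitor the network security situation, it studies the use of big-data analysis for situational awareness based on multi-source logs, proposes a deployment architecture for a situational awareness platform and the idea of an active defence model, and applies the technology to the network information system environment of an electric power company. Full-traffic data collection and analysis devices deployed at the egress points of the company's internal and external networks capture and store raw network traffic in real time, and big-data visual analysis tools with a rich set of display components present the analysis results graphically across multiple dimensions. Experimental testing achieved real-time monitoring and early warning of attack events and the security situation, safeguarding the secure and stable operation of the company's information systems.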

2.
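Real-time video quality in network monitoring systems is easily affected by network bandwidth. To address this, a closed-loop bit-rate control strategy based on RTCP control packets is proposed: the feedback in RTCP Receiver Reports (RR) is analysed and the encoder bit rate is adjusted to adapt to the network's carrying capacity. Further, to handle the high burstiness of H.264 stream transmission, a stream traffic-shaping strategy is proposed to suppress data bursts, thereby avoiding the transient network congestion caused by bursts and reducing packet loss. Experimental results show that the strategy effectively lowers the transmission packet loss rate of the stream and improves real-time video quality.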

3.
We study a hybrid network traffic model that combines a fluid-based analytical model using ordinary differential equations with the packet-oriented discrete-event simulation. The hybrid model is important to large-scale real-time network simulations, where the packet-level emulation traffic is handled by discrete events and the majority of the background traffic is described more efficiently as fluids. We present a simple performance analysis of this hybrid approach. We propose three techniques—namely, pointer caching, update dampening, and dynamic time stepping—in an implementation of the hybrid model. Experiments show that these techniques can significantly improve the performance of the fluid-based network simulation.

4.
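NetStream is a statistics technique based on network traffic information. Traffic data collection and export are implemented by configuring a Huawei 9306 switch; based on the V5 packet format, software for receiving and storing traffic data was developed to collect and store the traffic data; the third-party traffic monitoring software Netflow Analyzer was used to analyse the statistics, and the results can serve as a basis for network billing, traffic monitoring and analysis, and similar tasks.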

5.
In mobile-based traffic monitoring applications, each user provides real-time updates on their location and speed while driving. This data is collected by a centralized server and aggregated to provide participants with current traffic conditions. Successful participation in traffic monitoring applications utilizing participatory sensing depends on two factors: the information utility of the estimated traffic condition, and the amount of private information (position and speed) each participant reveals to the server. We assume each user prefers to reveal as little private information as possible, but if everyone withholds information, the quality of traffic estimation will deteriorate. In this paper, we model these opposing requirements by considering each user to have a utility function that combines the benefit of high quality traffic estimates and the cost of privacy loss. Using a novel Markovian model, we mathematically derive a policy that takes into account the mean, variance and correlation of traffic on a given stretch of road and yields the optimal granularity of information revelation to maximize user utility. We validate the effectiveness of this policy through real-world empirical traces collected during the Mobile Century experiment in Northern California. The validation shows that the derived policy yields utilities that are very close to what could be obtained by an oracle scheme with full knowledge of the ground truth.

6.
Large distributed systems, including real-time embedded systems, are increasingly being built using sophisticated middleware frameworks. Communication in such systems is often realized in terms of asynchronous events whose propagation is implemented by an underlying publish/subscribe service that hooks components into a generic event communication channel. Event correlation—a mechanism for monitoring and filtering events—has been introduced in some of these systems as an effective technique for reducing network traffic and computation time. Unfortunately, even though event correlation is used heavily in frameworks such as ACE/TAO’s real-time event-channel and in mission critical contexts such as Boeing’s Bold Stroke avionics middleware, the industry standard CORBA Component Model (CCM) does not include a specification of event correlation. While previous proposals for event correlation usually offer sophisticated facilities to detect combinations in the stream of incoming events, they have not been constructed to fit within the CCM type system, and they offer relatively little support for transforming and rearranging filtered events into meaningful output events. In this paper, we present the design rationale, syntax, and semantics for a new and highly flexible model for event correlation that is designed for integration into the CCM type system. Our model has been integrated and tested in the Cadena development and analysis framework, which has been designed to support development of mission-control applications in the Boeing Bold Stroke framework. This work was supported in part by the US Army Research Office (DAAD190110564), by DARPA/IXO’s PCES program (AFRL Contract F33615-00-C-3044), by NSF (CCR-0306607) and by Lockheed Martin.

7.
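Compared with plain road network information and historical, experience-based traffic information, real-time traffic information matters more to travellers' trip decisions. As the means of acquiring real-time traffic information diversify and spread, more viable real-time traffic service systems have come onto the application agenda. The paper first analyses and summarises the public's demand for real-time dynamic traffic information and divides the real-time road traffic information closely related to navigation and travel into two classes, traffic events and traffic flow information; traffic events are further divided by geometric feature into point events, line events, area events and relation events. Based on the J2ME/J2EE software development architecture and a spatio-temporal traffic data management approach using PostgreSQL and PostGIS, a prototype of a centralised real-time traffic information service system was developed, and spatio-temporal representations of typical traffic events and traffic flow information were demonstrated on a mobile terminal emulator.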

8.
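A network security event monitoring system based on a data stream management platform   Total citations: 1, self-citations: 0, citations by others: 1
The complexity and variety of network attacks require a monitoring system to detect security events in real time under high-speed network traffic. A data stream management system is a stream database model that responds in real time to queries over high-speed, high-volume data. This paper proposes a framework model that applies data stream technology to network security event monitoring. In this model, the data stream management platform effectively supports real-time querying and analysis of high-speed network data streams, which ensures that the network security event monitoring system built on it achieves high processing performance. Using CQL as the interface language, security event rules and the various monitoring queries are described precisely, with strong flexibility and completeness. In addition, the system can integrate multiple monitoring functions such as intrusion detection, worm discovery and network traffic management, and is therefore highly extensible.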

9.
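To address the shortcomings of the policy mechanisms in existing IPSec systems, this paper proposes an application-oriented policy management mechanism for IPSec systems. By monitoring applications' socket activity, it sets the corresponding IPSec policies in real time and applies fine-grained protection of different levels to IP flows. It also provides policy-setting statements in a high-level-language form so that users can add and modify fine-grained IPSec policies, and an algorithm for resolving policy conflicts that turns mutually conflicting requirements into conflict-free policies. The mechanism can improve the performance of existing IPSec systems so that they better meet the needs of real network environments.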

10.
We present an open and flexible software infrastructure that embeds physical hosts in a simulated network. In real-time network simulation, where real-world implementations of distributed applications and network services can run together with the network simulator that operates in real-time, real network packets are injected into the simulation system and subject to the simulated network conditions computed as a result of both real and virtual traffic traversing the network and competing for network resources. Our real-time simulation infrastructure has been implemented based on Open Virtual Private Network (OpenVPN), modified and customized to bridge traffic between the physical hosts and the simulated network. We identify the performance advantages and limitations of our approach via a set of experiments. We also present two interesting application scenarios to show the capabilities of the real-time simulation infrastructure.

11.
Álvaro, Emilio, Paolo, Rodolfo. Neurocomputing, 2009, 72(16-18): 3649
A crucial aspect in network monitoring for security purposes is the visual inspection of the traffic pattern, mainly aimed to provide the network manager with a synthetic and intuitive representation of the current situation. Towards that end, neural projection techniques can map high-dimensional data into a low-dimensional space adaptively, for the user-friendly visualization of monitored network traffic. This work proposes two projection methods, namely, cooperative maximum likelihood Hebbian learning and auto-associative back-propagation networks, for the visual inspection of network traffic. This set of methods may be seen as a complementary tool in network security as it allows the visual inspection and comprehension of the traffic data internal structure. The proposed methods have been evaluated in two complementary and practical network-security scenarios: the on-line processing of network traffic at packet level, and the off-line processing of connection records, e.g. for post-mortem analysis or batch investigation. The empirical verification of the projection methods involved two experimental domains derived from the standard corpora for evaluation of computer network intrusion detection: the MIT Lincoln Laboratory DARPA dataset.

12.
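A real-time monitoring system for urban manholes based on Zigbee networking technology   Total citations: 1, self-citations: 0, citations by others: 1
Manhole management is an important part of urban infrastructure management and bears on social stability and on the safety of people's lives and property. This paper presents a real-time monitoring system, based on Zigbee networking technology, that detects damaged or stolen manhole covers and monitors the marsh gas concentration inside manholes.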

13.
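Distributed high-speed network monitoring based on a split-and-filter algorithm   Total citations: 1, self-citations: 1, citations by others: 0
Liu Peng, Wang Wuping, Zhong Yiping, Zhang Shiyong. Computer Engineering (计算机工程), 2003, 29(13): 135-136, 188
Processing the enormous traffic of a network in real time is the core problem of high-speed network monitoring. This article proposes a split-and-filter algorithm that combines the advantages of traffic splitting and filtering and solves the problem well through parallelism. Based on this algorithm, it also proposes a distributed, hierarchical architecture for high-speed network monitoring, which achieves monitoring of high-speed networks.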

14.
Network behavior is the set of observations or measurements that can be made about a network over time. The growth of network-based computing and the Internet have ensured that networks can no longer be considered in isolation, as events external to a particular network increasingly impact its behavior. Network management requires that information be known about these events, a task that is not always possible. We present a modeling strategy that takes partial information about a network and uses it to predict the behavior in unmonitored areas. This implementation is based on a meta-heuristic (genetic algorithm), and uses IP-packet information as well as a limited understanding of the external topology. This is then used to model the full topology, routing tables and traffic for the entire network at periodic intervals. The system was tested using the ns-2 network simulator and a Java implementation on a series of cases. The results showed a reasonable level of accuracy in predicting traffic and topology. Performance increased under system load, and at no point did the system generate any additional network traffic. This provides an efficient and effective strategy for network management.

15.
Today's enterprise networks are composed of multiple types of interconnected networks. Furthermore, organizations use a variety of systems and applications on these networks. Operations and management staff must provide an efficient, reliable and secure operating environment to support an organization's daily activities. Enterprise networks must be monitored for performance, configuration, security, accounting and fault management. Current management practices typically involve the use of complex, hard-to-learn and hard-to-use tools. What is needed desperately is a set of simple, uniform, ubiquitous tools for managing networks. Web-based management promises to provide such solutions. This paper focuses on the use of Web technology and the Multi-Router Traffic Grapher (MRTG) for the purposes of enterprise network traffic monitoring and reporting. In this paper, we first examine the requirements for enterprise network traffic monitoring, analysis and reporting, and then present the design and implementation of a Web-based network traffic monitoring and reporting system that satisfies those requirements. We also present guidelines we have formulated and used for analyzing enterprise network traffic. We then discuss our experiences in using such a system for traffic monitoring on two large enterprise networks.

16.
Communication networks involve the transmission and reception of large volumes of data. Research indicates that network traffic volumes will continue to increase. These traffic volumes will be unprecedented and the behaviour of global information infrastructures when dealing with these data volumes is unknown. It has been shown that complex systems (including computer networks) exhibit self-organized criticality under certain conditions. Given the possibility in such systems of a sudden and spontaneous system reset, the development of techniques to inform system administrators of this behaviour could be beneficial. This article focuses on the combination of two dissimilar research concepts, namely sonification (a form of auditory display) and self-organized criticality (SOC). A system is described that sonifies in real time an information infrastructure’s self-organized criticality to alert the network administrators of both normal and abnormal network traffic and operation. It is shown how the system makes changes in a system’s SOC readily perceptible. Implications for how such a system may support real-time situational awareness and post hoc incident analysis are discussed.

17.
As networks become large and heterogeneous, network administrators need efficient tools for monitoring network activities and enforcing global security. In open environments such as universities and research organisations, it is rather difficult to prevent access to core network resources without restricting users’ freedom. Ntop is an open-source web-based traffic measurement and monitoring application written by the authors and widely available on the Internet. This paper shows how ntop can also be effectively used for network security as it is able to identify potential intruders and security flaws, as well as discover misconfigured or faulty applications that generate suspicious traffic.

18.
We develop a framework for minimizing the communication overhead of monitoring global system parameters in IP networks and sensor networks. A global system predicate is defined as a conjunction of the local properties of different network elements. A typical example is to identify the time windows when the outbound traffic from each network element exceeds a predefined threshold. Our main idea is to optimize the scheduling of local event reporting across network elements for a given network traffic load and local event frequencies. The system architecture consists of N distributed network elements coordinated by a central monitoring station. Each network element monitors a set of local properties and the central station is responsible for identifying the status of global parameters registered in the system. We design an optimal algorithm, the Partition and Rank (PAR) scheme, when the local events are independent; whereas, when they are dependent, we show that the problem is NP-complete and develop two efficient heuristics: the PAR for dependent events (PAR-D) and Adaptive (Ada) algorithms, which adapt well to changing network conditions, and outperform the current state of the art techniques in terms of communication cost.

19.
In this paper we present a framework for building policy‐based autonomic distributed agent systems. The autonomic mechanisms of configuration and recovery are supported through a distributed event processing model and a set of policy enforcement mechanisms embedded in an agent framework. Policies are event‐driven rules derived from the system's functional and non‐functional requirements. Agents in the network monitor the system state for policy violation conditions, generate appropriate events, and communicate them to other agents for cooperative filtering, aggregation, and handling. A set of agents perform policy enforcement actions whenever events signifying any policy violation conditions occur. Policies are defined using a specification framework based on XML. The policy enforcement agents interpret the policies given in XML. We illustrate the utility of this framework in the context of an agent‐based distributed network monitoring application. We also present an experimental evaluation of our approach. Copyright © 2006 John Wiley & Sons, Ltd.

20.
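Design and implementation of a real-time network security monitoring system   Total citations: 7, self-citations: 1, citations by others: 7
This paper proposes a Real-time Network Security Monitoring System (RNSMS) and discusses its working modes, implemented functions and key technologies. RNSMS monitors network activity in real time, analyses and reconstructs the content of common network packets (HTTP, FTP, Telnet, POP, SMTP, SSL, UDP) in real time, and adds an OPSEC interface to strengthen cooperation and interaction with other network security tools. Applications show that RNSMS is an effective network security tool.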
