CONFIDDENT: A model-driven consistent and non-redundant layer-3 firewall ACL design, development and maintenance framework

Design, development, and maintenance of firewall ACLs are very hard and error-prone tasks. Two of the reasons for these difficulties are, on the one hand, the big gap that exists between the access control requirements and the complex and heterogeneous firewall platforms and languages and, on the other hand, the absence of ACL design, development and maintenance environments that integrate inconsistency and redundancy diagnosis. The use of modelling languages surely helps but, although several ones have been proposed, none of them has been widely adopted by industry due to a combination of factors: high complexity, unsupported firewall important features, no integrated model validation stages, etc. In this paper, CONFIDDENT, a model-driven design, development and maintenance framework for layer-3 firewall ACLs is proposed. The framework includes different modelling stages at different abstraction levels. In this way, non-experienced administrators can use more abstract models while experienced ones can refine them to include platform-specific features. CONFIDDENT includes different model diagnosis stages where the administrators can check the inconsistencies and redundancies of their models before the automatic generation of the ACL to one of the many of the market-leader firewall platforms currently supported.     

语种辨识的多特征信息应用

提取动态的高层语言学特征建立了改进的语种相关的、联合的GMM-LM语种辨识方案。该方案减小了不同语种的高斯混合模型和语言模型之间的相关性,也降低了训练的复杂度。还提出了基于特征提取层和判决层融合技术的语种辨识系统。该系统利用了不同类型的特征对区分不同语种的贡献来增加不同语种语料之间的差异,并使相同语种的语料之间的差异减小。实验表明,设计的语种辨识系统具有较好的扩展性;基于特征提取层和判决层的融合系统能够有效地提高系统识别率。     

Dynamical consistency in hierarchical supervisory control

A hierarchical control theory is presented founded upon the trace-dynamical consistency property, which is an extension of the notion of dynamical consistency (DC) to the supervisory case of automata with disablable transitions. Partitions of a system state space are considered for which both the trace-DC and the (non-blocking) in-block controllability (IBC) conditions hold; it is shown that low-level non-blocking controllable languages project up to such languages in the high-level system, and that, when the (non-blocking) IBC condition also holds, high-level non-blocking controllable languages map down to such languages in the low-level system. It is demonstrated that the resulting pairs of low-level and high-level languages satisfy a version of the hierarchical consistency condition found in the existing language-based hierarchical supervisory control theory. The structures produced in the formulation of hierarchical control in this paper permit efficient regulator design (and, in particular, repeated re-design) for hierarchy-compatible language specifications; such specifications consist of low-level languages whose maximal controllable sublanguages are realizable by a combination of a high-level (possibly history-dependent) regulator and a set of (state-dependent) low-level regulators (specified block-wise). An algorithm is proposed which facilitates the construction of (non-blocking) IBC partitions of systems with vocalized states. Examples are presented, including a material transfer line with re-entrant flow and a double queue     

防火墙在传输网络中的吞吐量与管理问题及解决方案

讨论防火墙在大型传输网络(Transit Network )应用中的管理和吞吐量问题：一是手工方式配置分布在各个接入点的多个防火墙,无法适应开放的、动态的网络环境;二是大量的过滤规则导致防火墙吞吐量下降.针对大量防火墙的管理问题,该文提出了一种访问控制政策的自动分配与动态配置模型,将全局过滤规则自动地分发到相应的防火墙;同时利用入侵监测系统和搜索引擎的结果,自动定位防火墙、动态配置过滤规则,实时地过滤不良站点,终止攻击行为.针对单个防火墙的吞吐量问题,提出了一种基于散列表的规则匹配算法,该算法可以将时间复杂度从O(N)降低到O(1),从而大大提高防火墙的吞吐量.     

An Efficient and Scalable Approach to Correct Class Model Refinement

Today, programmers benefit immensely from Integrated Development Environments (IDEs), where errors are highlighted within seconds of their introduction. Yet, designers rarely benefit from such an instant feedback in modeling tools. This paper focuses on the refinement of UML-style class models with instant feedback on correctness. Following the Model-Driven Architecture (MDA) paradigm, we strongly believe in the benefit of maintaining high-level and low-level models separately to 1) document the lower level model and 2) continuously ensure the correctness of the low-level model during later evolution (i.e., high- or low-level models may be evolved independently). However, currently the refinement and subsequent evolution lack automated support, let alone an instant feedback on their correctness (i.e., consistency). Traditional approaches to consistency checking fail here because of the computational cost of comparing class models. Our proposed instant approach first transforms the low-level model into an intermediate model that is then easier comparable with the high-level model. The key to computational scalability is the separation of transformation and comparison so that each can react optimally to changes—changes that could happen concurrently in both the high- and low-level class models. We evaluate our approach on eight third-party design models. The empirical data show that the separation of transformation and comparison results in a 6 to 11-fold performance gain and a ninefold reduction in producing irrelevant feedback. While this work emphasizes the refinement of class models, we do believe that the concepts are more generally applicable to other kinds of modeling languages, where transformation and subsequent comparison are computationally expensive.     

基于独立规则集位提取的包分类压缩方法

针对当前互联网中多匹配域流表规模不断膨胀、匹配宽度不断增大，导致硬件存储压力过大的问题，提出了一种基于独立规则子集位提取（BEIS）的压缩方案。首先，根据多匹配域之间的逻辑关系进行匹配域合并，从而减少匹配域个数、减小流表位宽；其次，对合并后的规则集进行独立规则子集分割，将分割后的子集进行可区分的位提取，从而使用部分位完成匹配查找功能，进一步缩减所用的三态内容寻址寄存器（TCAM）空间；最后，提出了实现该方案的硬件查找架构。仿真结果表明，对于OpenFlow流表，该方案在一定的时间复杂度下，比匹配域裁剪（FT）方案减少了20%的存储空间；另外，对于实际应用中常见的访问控制列表、防火墙等包分类规则集，可实现20%到40%的压缩比率。     

Security types preserving compilation

Starting from the seminal work of Volpano and Smith, there has been growing evidence that type systems may be used to enforce confidentiality of programs through non-interference. However, most type systems operate on high-level languages and calculi, and “low-level languages have not received much attention in studies of secure information flow” (Sabelfeld and Myers, [Language-based information-flow security. IEEE Journal on Selected Areas in Communications 2003; 21:5–19]). Therefore, we introduce an information flow type system for a low-level language featuring jumps and calls, and show that the type system enforces termination-insensitive non-interference.Furthermore, information flow type systems for low-level languages should appropriately relate to their counterparts for high-level languages. Therefore, we introduce a compiler from a high-level imperative programming language to our low-level language, and show that the compiler preserves information flow types.     

基于关联规则挖掘的图像检索

针对图像检索中图像相似性判断所面临的"语义鸿沟"问题,本文提出了基于关联规则挖掘的图像检索。该方法利用数据挖掘技术,对图像纹理的各种低层可视化特征进行分析挖掘,获得一系列的图像低层特征值与高层概念之间的各种规则,将这些规则构成图像知识库,并与概念集合相对应。实验结果表明,采用关联规则挖掘能很好的提高图像检索的准确率。     

Optimal hybrid fault recovery in a team of unmanned aerial vehicles

This paper introduces and develops an optimal hybrid fault recovery methodology for a team of unmanned vehicles by taking advantage of the cooperative nature of the team to accomplish the desired mission requirements in presence of faults/failures. The proposed methodology is developed in a hybrid framework that consists of a low-level (an agent level and a team level) and a high-level (discrete-event system level) fault diagnosis and recovery modules. A high-level fault recovery scheme is proposed within the discrete-event system (DES) supervisory control framework, whereas it is assumed that a low-level fault recovery designed based on classical control techniques is already available. The low-level recovery module employs information on the detected and estimated fault and modifies the controller parameters to recover the team from the faulty condition. By taking advantage of combinatorial optimization techniques, a novel reconfiguration strategy is proposed and developed at the high-level so that the faulty vehicles are recovered with minimum cost to the team. A case study is provided to illustrate and demonstrate the effectiveness of our proposed approach for the icing problem in unmanned aerial vehicles, which is a well-known structural problem in the aircraft industry.     

Fuzzy sets of rules for system identification

The synthesis of fuzzy systems involves the identification of a structure and its specialization by means of parameter optimization. In doing this, symbolic approaches which encode the structure information in the form of high-level rules allow further manipulation of the system to minimize its complexity, and possibly its implementation cost, while all-parametric methodologies often achieve better approximation performance. In this paper, we rely on the concept of a fuzzy set of rules to tackle the rule induction problem at an intermediate level. An online adaptive algorithm is developed which almost surely learns the extent to which inclusion of a rule in the rule set significantly contributes to the reproduction of the target behavior. Then, the resulting fuzzy set of rules can be defuzzified to give a conventional rule set with similar behavior. Comparisons with high-level and low-level methodologies show that this approach retains the most positive features of both     

一种用于Java程序验证编译的标签类型

在基于语言考虑代码安全性的工作中,往往需要将高级语言程序翻译成类型化低级语言的程序进行类型检查.许多高级语言具有类型调度结构,在向低级语言的编译过程中需要用标签机制来实现.针对具有多继承接口的Java程序包含的一种特殊的类型调度结构,提出了一种新的标签类型.包含这种标签类型的低级语言能够有效地实现Java程序中的接口调用.这种对接口调用的编译方法被用在一个以类型化低级语言为验证语言的Java字节码即时编译器中.     

基于循环生成对抗网络的图像去雾算法

大气散射模型与有雾图像及对应清晰图像间的映射模型不适配,导致使用大气散射模型进行图像去雾处理时,图像存在颜色偏差、纹理细节粗糙等问题。基于模拟生物视觉系统的反馈原理,提出一种端到端的循环生成对抗网络算法,以解决误差累积造成的去雾图像低质的问题。通过生成模块将循环神经网络的隐藏状态作为反馈信息,以指导低级模糊特征信息生成更加丰富的高级特征。循环结构能够保证先前的网络层可以使用到后面网络层的高级特征信息,从而减少误差累积。此外,该算法能够根据判别模块的损失来评估重建图像的质量。实验结果表明,与GCANet算法相比,所提算法在SOTS测试集上的平均峰值信噪比和结构相似性,在室内分别提升3.41%和0.57%,在室外分别提升3.48%和1.39%,且在真实世界的数据集上进行图像去雾后,在视觉上避免了颜色失真和光晕问题。     

Orthogonal multiprocessor sharing memory with an enhanced mesh for integrated image understanding

This paper proposes a new parallel architecture, which has the potential to support low-level image processing as well as intermediate and high-level vision analysis tasks efficiently. The integrated architecture consists of an SIMD mesh of processors enhanced with multiple broadcast buses, and MIMD multiprocessor with orthogonal access buses, and a two-dimensional shared memory array. Low-level image processing is performed on the mesh processor, while intermediate and high-level vision analysis is performed on the orthogonal multiprocessor. The interaction between the two levels is supported by a common shared memory. Concurrent computations and I/O are made possible by partitioning the memory into disjoint spaces so that each processor system can access a different memory space. To illustrate the power of such a two-level system, we present efficient parallel algorithms for a variety of problems from low-level image processing to high-level vision. Representative problems include matrix based computations, histogramming and key counting operations, image component labeling, pyramid computations, Hough transform, pattern clustering, and scene labeling. Through computational complexity analysis, we show that the integrated architecture meets the processing requirements of most image understanding tasks.     

面向方面的MDA开发方法

MDA中提出了两种重要的模型:平台无关模型和平台相关模型.PIM是反映系统功能性需求的业务模型,PSM是PIM针对实现技术的映射.对于系统的非功能性需求,如安全性、性能、内存管理和通信等,MDA中未提出明确的模型.借鉴面向方面的编程(AOP)的思想,提出了一种基于UML Profile的"方面"建模表示法,用于在MDA中对系统的非功能性需求建立方面模型(AOM),并在MDA方法中增加模型编织(Weaver)环节,得到功能更为强大的基于方面的MDA开发方法.     

模型驱动的测试用例自动生成框架

提出一个基于模型驱动架构(MDA)的测试用例生成框架,其中,平台无关的系统模型通过水平转换成平台无关的测试模型,平台无关的测试模型通过竖直转换生成相应的测试用例。利用MDA转换工具ATL和MOFScript制定相应的转换规则作用于元模型,使测试者只须提供源模型和测试数据即可生成相应的测试用例。     

针对规则更新操作的测试数据包选取算法*

防火墙规则集中存在的配置错误主要来源于规则的添加、删除等更新操作。因此进行规则更新时,需要使用测试算法判断更新操作的正确性。现有的测试算法仅从被添加或被删除规则的顶点选取测试数据包,不能检测出所有因规则冲突而导致的配置错误。基于此,提出了一种针对规则更新操作的测试数据包选取算法PCRU。该算法从两处选取测试数据包,即被添加或者被删除的规则的顶点和规则冲突区域。理论分析和仿真实验表明,与现有测试算法相比,在进行规则更新时,PCRU算法只需使用少量的测试数据包,即可检测出所有因规则冲突而导致的配置错误。