Similar literature
Found 20 similar documents; search time 31 ms
1.
Taxonomy of conflicts in network security policies (total citations: 5; self-citations: 0; citations by others: 5)
Network security policies are essential elements in Internet security devices that provide traffic filtering, integrity, confidentiality, and authentication. Network security perimeter devices such as firewalls, IPSec, and IDS/IPS devices operate based on locally configured policies. However, configuring network security policies remains a complex and error-prone task due to rule dependency semantics and the interaction between policies in the network. This complexity is likely to increase as the network size increases. A successful deployment of a network security system requires global analysis of policy configurations of all network security devices in order to avoid policy conflicts and inconsistency. Policy conflicts may cause serious security breaches and network vulnerability such as blocking legitimate traffic, permitting unwanted traffic, and insecure data transmission. This article presents a comprehensive classification of security policy conflicts that might potentially exist in a single security device (intrapolicy conflicts) or between different network devices (interpolicy conflicts) in enterprise networks. We also show the high probability of creating such conflicts even by expert system administrators and network practitioners.

2.
During the last 5 years, we have witnessed extraordinary development in the mobile market. Apple’s launch of the iOS platform and associated App Store marketplace turned the market around, and Apple became the leading company in the business. This development caused existing players, such as Nokia, to renew their business and attracted new players, such as Google and Microsoft, to enter the market and introduce their own mobile platforms. To understand this development, we suggest that a generic abstracted model of the ecosystem around mobile platforms should be developed describing how the actors, including users, individual app developers, companies, and digital services, are connected and interact. In this work, we propose that competition and collaboration in this kind of abstracted ecosystem can be modeled and analyzed using network analysis. In our research, we derived weighted competition and collaboration networks for each mobile platform from an expert survey, and by calculating companies’ degree centrality in their networks at different times we were able to illustrate how companies’ strategies to build and maintain an ecosystem differ and develop over time. We believe that this kind of analysis is useful both for companies that build ecosystems and also for companies that plan to do business in them. The former can use it to compare their strategy with existing competitors and also evaluate emerging new ecosystems and the latter to compare and choose between possible ecosystems with which to do business.

3.
4.
Project management has gained a lot of application in software development activity in the past two decades. It is now considered to be one of the most critical components of the software development lifecycle. Project management is traditionally defined as the discipline of planning, organizing, and managing activities and resources for successful execution and completion of project goals and objectives. In this respect, project management holds a key position in satisfactory completion of projects. That is the reason that we have a complete knowledge domain we know as software project management (SPM). The main purpose of SPM is to achieve all the project goals and objectives while working within the constraints posed by project environment and stakeholders. These constraints include (but are not limited to) time, scope, resources, resource allocation and optimization etc. Successful project planning involves careful selection and synchronization of resources in order to achieve satisfactory completion of projects. These resources include human resource, time, infrastructure etc. While planning software projects, it is natural to be confronted with various conflicts in resource allocation. It becomes a very time consuming activity to identify and sort out these conflicts when project size is large and time constraints are severe. A good project management activity is one which can effectively foresee these conflicts and resolve them in an optimal fashion. Computationally intelligent techniques are a good candidate to be used for the purpose of automation of this task. In this paper, a genetic algorithm based technique for conflict identification and resolution for project activities has been proposed. The effectiveness and utility of such a technique has also been discussed in this paper. The technique has been subjected to extensive experimentation and results have been presented.

5.
Configuring a network is a tedious and error-prone task. In particular, configuring routing policies for a network is complex as it involves subtle dependencies in multiple routers across the network. Misconfigurations are common and certain misconfigurations can bring the Internet down. In 2005, a misconfigured router in AS 9121 blackholed traffic for tens of thousands of networks in the Internet. This paper describes NetPiler, a system that detects router misconfigurations. NetPiler consists of a routing policy configuration model and a misconfiguration detection algorithm. The model is applicable to routing policies configured on a single router as well as to network-wide configuration. Using the model, NetPiler detects configuration commands that do not influence the behavior of the network - we call these configurations ineffective commands. Although the ineffective commands could be benign, sometimes when the commands are mistakenly configured to be ineffective, they cause the network to misbehave deviating from the intended behavior. We have implemented NetPiler in approximately 128,000 lines of C++ code, and evaluated it on the configurations of four production networks. NetPiler discovers nearly a hundred ineffective commands. Some of these misconfigurations can result in loss of connectivity, access to protected networks, and financial implications by providing free transit services. We believe NetPiler can help networks to significantly reduce misconfigurations.

6.
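To detect all conflicts in a firewall policy and to avoid introducing new conflicts while resolving existing ones, this paper detects conflicts by segmenting the rules. Conflict detection consists of three parts: segmenting the firewall policy, analyzing and computing the segmentation results, and extracting the conflict domains. In addition, to analyze the conflicting rules and the causes of the conflicts, the paper uses a grid-based visualization method to present the relationships among firewall rules and between rules and conflict domains. This technique can improve the efficiency and accuracy with which administrators discover, analyze, and modify policy conflicts, and experiments verify the effectiveness of the method.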

7.
For many years, we have been interested in studying wide-band signals. The main objectives are generally detection and localization of the sources radiating these signals. Several methods using the incoherent or the coherent signal subspace are proposed for this problem. In this paper we study the coherent signal subspace. In order to do that, we use a new focalisation operator obtained from the estimated spectral matrix eigenvectors. This operator provides a maximal separation between all sources. With experimental data, we show that this operator improves the localisation of wide-band sources.

8.
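In resource control platforms such as 3GPP's PCC (Policy and Charging Control) architecture and TISPAN's RACS (Resource and Admission Control Subsystem), resource control and charging are implemented on the basis of policies. In these systems, how to accurately detect and effectively resolve conflicts between policies has become a key problem in policy control. Based on an analysis of the classification and detection of policy conflicts, this paper points out the problems with existing solutions and proposes a new method based on priority assignment that resolves inter-policy conflicts completely and effectively.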

9.
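A QoS-based concurrent scheduling algorithm for transactional workflows (total citations: 1; self-citations: 0; citations by others: 1)
Cascading aborts caused by concurrency conflicts degrade system performance. This paper proposes a QoS-based scheduling algorithm for transactional workflows. The algorithm meets the needs of heterogeneous environments, supports a QoS-based delayed-scheduling optimization strategy and a SAFE-set expansion optimization strategy, and can adjust scheduling decisions according to QoS parameters, reducing cascading aborts while ensuring the concurrency correctness of complex transactional workflows in distributed heterogeneous environments. The algorithm is proven not to cause circular waiting or starvation and to guarantee the serializability and recoverability of schedules. Performance simulation shows that the algorithm is suitable for concurrent scheduling of long-running transactional workflows and effectively reduces cascading aborts, thereby reducing the resulting performance loss.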

10.
Policy hierarchies for distributed systems management (total citations: 13; self-citations: 0; citations by others: 13)
Distributed system management involves monitoring the activity of a system, making management decisions and performing control actions to modify the behavior of the system. Most of the research on management has concentrated on management mechanisms related to network management or operating systems. However, in order to automate the management of very large distributed systems, it is necessary to be able to represent and manipulate management policy within the system. These objectives are typically set out in the form of general policies which require detailed interpretation by the system managers. The paper explores the refinement of general high-level policies into a number of more specific policies to form a policy hierarchy in which each policy in the hierarchy represents, to its maker, his plans to meet his objectives and, to its subject, the objectives which he must plan to meet. Management action policies are introduced, and the distinction between imperatival and authority policies is made. The relationship of hierarchies of imperatival policies to responsibility, and to authority policies, is discussed. An outline approach to the provision of automated support for the analysis of policy hierarchies is provided, by means of a more formal definition of policy hierarchy refinement relationships in Prolog.

11.
We have read very much in the past few years of the need for more engineers, so I shall not repeat the arguments here. Many of you have taken part in the very excellent programs designed to acquaint high school students with the opportunities in an engineering career, and I should first like to point out how successful these programs have been. This fact, I believe, is not generally realized. To use our own school as an example, enrollments during the past two years for the university as a whole have risen about 14 per cent, using the same standards of admitting only those among the upper 15 per cent of high school graduates. This rise reflects very nearly the increased birth rate at the end of the depression and the population growth of this area. During this same period, enrollment in engineering has increased about 50 per cent, and in electrical engineering 80 per cent. Although we do not break down the fields of interest further in the early undergraduate years, I believe the proportion of those interested in the microwave field is remaining nearly constant in spite of the competition from several newer fields.

12.
This article analyses why China Mobile and China Unicom have chosen price war rather than tacit collusion these years. On the basis of the analysis on factors that influence tacit collusion, and combined with the facts of wireless communication market, the author suggests that the market asymmetries, cost asymmetries, and product differentiation are the basic factors, which trigger price competition between the Chinese wireless operators. By constructing a game model based on Churn rate, this article discusses how these factors cause a fight between the operators and how vigorous the price competition will be. At last, the author suggests that to keep vigor in this industry, continuous structural adjustment is essential. Besides, the number portability policies may cause tacit collusion.

13.
Giving ISPs more fine-grain control over interdomain routing policies would help them better manage their networks and offer value-added services to their customers. Unfortunately, the current BGP route-selection process imposes inherent restrictions on the policies an ISP can configure, making many useful policies infeasible. In this paper, we present Morpheus, a routing control platform that is designed for configurability. Morpheus enables a single ISP to safely realize a much broader range of routing policies without requiring changes to the underlying routers or the BGP protocol itself. Morpheus allows network operators to: (1) make flexible trade-offs between policy objectives through a weighted-sum based decision process, (2) realize customer-specific policies by supporting multiple route-selection processes in parallel, and allowing customers to influence the decision processes, and (3) configure the decision processes through a simple and intuitive configuration interface based on the Analytic Hierarchy Process, a decision-theoretic technique for balancing conflicting objectives. We also present the design, implementation, and evaluation of Morpheus as an extension to the XORP software router.

14.
This article analyses why China Mobile and China Unicom have chosen price war rather than tacit collusion these years. On the basis of the analysis on factors that influence tacit collusion, and combined with the facts of wireless communication market, the author suggests that the market asymmetries, cost asymmetries, and product differentiation are the basic factors, which trigger price competition between the Chinese wireless operators. By constructing a game model based on Churn rate, this article discusses how these factors cause a fight between the operators and how vigorous the price competition will be. At last, the author suggests that to keep vigor in this industry, continuous structural adjustment is essential. Besides, the number portability policies may cause tacit collusion.

15.
Grid technologies enable the sharing and coordinated use of diverse resources distributed all over the world. These resources are owned by different organizations having different policies and objectives, which need to be considered in making the resource allocation decisions. In such complex environments, market-based resource allocation protocols are a better alternative to the classical ones because they take into consideration the policies and preferences of both users and resource owners. The only suitable solution for investigating the effectiveness of these resource allocation protocols over a wide range of scenarios with reproducible results is to consider simulations. Thus, in this paper we present Mercatus, a simulation toolkit that facilitates the simulation of market-based resource allocation protocols. We describe the model and the structure of Mercatus, and present experimental results obtained by simulating five types of auction-based resource allocation protocols.

16.
The U.S. legislation at both the federal and state levels mandates certain organizations to inform customers about information uses and disclosures. Such disclosures are typically accomplished through privacy policies, both online and offline. Unfortunately, the policies are not easy to comprehend, and, as a result, online consumers frequently do not read the policies provided at healthcare Web sites. Because these policies are often required by law, they should be clear so that consumers are likely to read them and to ensure that consumers can comprehend these policies. This, in turn, may increase consumer trust and encourage consumers to feel more comfortable when interacting with online organizations. In this paper, we present results of an empirical study, involving 993 Internet users, which compared various ways to present privacy policy information to online consumers. Our findings suggest that users perceive typical, paragraph-form policies to be more secure than other forms of policy representation, yet user comprehension of such paragraph-form policies is poor as compared to other policy representations. The results of this study can help managers create more trustworthy policies, aid compliance officers in detecting deceptive organizations, and serve legislative bodies by providing tangible evidence as to the ineffectiveness of current privacy policies.

17.
As the operation of our fiber-optic backbone networks migrates from interconnected SONET rings to arbitrary mesh topology, traffic grooming on wavelength-division multiplexing (WDM) mesh networks becomes an extremely important research problem. To address this problem, we propose a new generic graph model for traffic grooming in heterogeneous WDM mesh networks. The novelty of our model is that, by only manipulating the edges of the auxiliary graph created by our model and the weights of these edges, our model can achieve various objectives using different grooming policies, while taking into account various constraints such as transceivers, wavelengths, wavelength-conversion capabilities, and grooming capabilities. Based on the auxiliary graph, we develop an integrated traffic-grooming algorithm (IGABAG) and an integrated grooming procedure (INGPROC) which jointly solve several traffic-grooming subproblems by simply applying the shortest-path computation method. Different grooming policies can be represented by different weight-assignment functions, and the performance of these grooming policies is compared under both nonblocking scenario and blocking scenario. The IGABAG can be applied to both static and dynamic traffic grooming. In static grooming, the traffic-selection scheme is key to achieving good network performance. We propose several traffic-selection schemes based on this model and we evaluate their performance for different network topologies.

18.
Japan is leading the world with the adoption of new mobile data services such as Internet services and with a resulting boost in data ARPU (average revenue per user). In the development of these services, many functions have been integrated into mobile handsets, which has resulted in a convergence of, so far, separate consumer electronic devices. This article addresses the following questions: What are the drivers of this process? What could European players, in particular the European policymakers do to catch up? According to our research, a major driver of the process in Japan is tough competition among operators, which in turn is driven by factors such as competition in mobile radio infrastructure. The author arrives at the following conclusions for European policies: (1) There should be more awareness of the Japanese lead, e.g., of the crucial role of Internet push e-mail. (2) Europe could benefit from more operators willing to bear the risk of introducing new technologies. (3) For a successful introduction of infrastructure competition, it could make sense to make spectrum bands available with European-wide licenses.

19.
Stone G.N., Lundy B., Xie G.G. IEEE Network, 2001, 15(1): 10-21
A survey of current network policy languages is presented. Next, a summary of the techniques for detecting policy conflicts is given. Finally, a new language, path-based policy language, which offers improvements to these is introduced. Previous network policy languages vary from the very specific, using packet filters at the bit level, to the more abstract where concepts are represented, with implementation details left up to individual network devices. As background information a policy framework model and policy-based routing protocols are discussed. The PPL's path-based approach for representing network policies is advantageous in that quality of service and security policies can be associated with an explicit path through the network. This assignment of policies to network flows aids in new initiatives such as integrated services. The more stringent requirement of supporting path-based policies can easily be relaxed with the use of wild card characters to also support differentiated services and best-effort service, which is provided by the Internet today.

20.
Verma D.C. IEEE Network, 2002, 16(2): 20-26
The management of network infrastructure in an enterprise is a complex and daunting affair. In an era of increasing technical complexity, it is becoming difficult to find trained personnel who can manage the new features introduced into the various servers, routers, and switches. Policy-based network management provides a means by which the administration process can be simplified and largely automated. In this article we look at a general policy-based architecture that can be used to simplify several new technologies emerging in the context of IP networks. We explain how network administration can be simplified by defining two levels of policies, a business level and a technology level. We discuss how business-level policies are validated and transformed into technology-level policies, and present some algorithms that can be used to check for policy conflicts and unreachable policies. We then show how to apply this architecture to two areas: managing performance service level agreements, and supporting enterprise extranets using IPSec communication.
