云计算数据中心网络安全风险及主动防御技术研究

为进一步提高云计算数据中心的网络安全性能,构建了一种软件定义网络（Software Defined Network,SDN）防火墙与入侵检测系统（Intrusion Detection System,IDS）联动的主动防御系统。该系统弥补了SDN防火墙与IDS的缺陷,SDN防火墙根据IDS识别恶意流量的特征,后期再有此类流量进入,会对恶意流量进行有效识别和阻断。结果表明,通过构建SDN防火墙与IDS联动的多维度主动防御架构,可以提高云计算数据中心抵御网络安全风险的能力。     

VSA和SDS:两种SDN网络安全架构的研究

软件定义网络SDN(Software Defined Networking)的软件编程特性和开放性带来很多新的安全挑战,也给网络安全带来了挑战和机遇.本文提出了两种演进的SDN网络安全架构:虚拟化安全设备(Virtualized Security Appliance)和软件定义安全(Software Defined Security),给出了两种架构的建设要点,并以常规网络入侵、拒绝服务攻击和高级持续威胁等三类典型攻击场景分析了相应的工作原理,以防火墙为例演示了两种架构下的实现,测试表明两种结构在云计算中心环境中性能上是可行的,并且SDN数据和控制分离的特性使防火墙可用更少的代码实现.     

透析分布式防火墙架构

为了满足电信级防火墙的高性能、高可靠性、高扩展性需求,以北京天融信公司的防火墙为基础就分布式防火墙系统做了一些架构上的探讨。硬件上采用分布式crossbar加多核技术,软件上采用控制系统和转发系统分离技术。     

基于WBEM的防火墙策略异常检测系统

面对网络规模的无限量扩大以及新型攻击的不断出现，企业开始采用多级防火墙机制加强对整个网络的安全保护。然而这种保护机制同时向人们提出了如何保证策略与策略之间无异常的问题。因此，从防火墙底层的规则入手，主要针对防火墙的包过滤规则，定义了规则之间可能存在的异常，同时提出相应的检测算法以及基于WBEM架构的异常检测系统，在解决策略异常问题的同时实现防火墙策略整体上的对外一致性。     

全状态防火墙双机热备份的设计与实现

介绍了全状态防火墙的基本概念,阐述双机热备份系统的组成和工作原理,接着详细描述全状态包过滤防火墙的双机热备份模块的设计,包括硬件框架和软件框架,防火墙系统工作状态定义和演变,最后从双机通信、双机同步、双机切换三个方面详细阐明了双机备份系统中的双机控制。     

一种基于OpenFlow的SDN访问控制策略实时冲突检测与解决方法

软件定义网络SDN(Software-Defined Networking)是由美国斯坦福大学Clean Slate研究组提出的一种新型网络创新架构,可通过软件编程的形式定义和控制网络,其控制平面和转发平面分离及开放性可编程的特点,为新型互联网体系结构研究提供了新的实验途径,也极大地推动了下一代互联网的发展.OpenFlow是SDN的主要协议,定义了SDN控制器与交换机之间的通信标准.目前,很多基于OpenFlow的SDN设备已经在实际中得到了部署.但是,基于OpenFlow的SDN却面临很多安全挑战.其中一个重要的挑战是如何建立一个安全可靠的SDN防火墙应用.由于OpenFlow协议的无状态性,现有的SDN防火墙可以被通过改写交换机中的流表项轻松绕过.针对这一安全威胁,作者提出了基于Flowpath的实时动态策略冲突检测与解决方法.通过获取实时的SDN网络状态,能够准确地检测防火墙策略的直接和间接违反,并且一旦发现冲突,可以基于Flowpath进行自动化和细粒度的冲突解决.最后,作者在开源控制器Floodlight上实现了一个安全增强的防火墙应用FlowVerifier,并基于Mininet对FlowVerifier的性能进行了评估.结果表明FlowVerifier能够检测和自动化地解决SDN网络中由于流表改写而引入的策略冲突及其带来的安全威胁.     

基于NP的防火墙技术研究

随着网络安全技术的发展,防火墙技术也得到了发展,出现了一些新的防火墙技术。NP防火墙就是近年出现的一种新型防火墙技术。本文主要从NP防火墙的原理、架构和使用的关键技术方面介绍NP防火墙技术,并对未来防火墙技术的发展趋势进行了分析。     

基于软件定义网络的实验室防火墙架构设计

针对高校网络实验室安全性较弱的问题,提出了一种基于软件定义网络的防火墙系统建设方案。该防火墙系统采用高性能软硬件系统和相结合的设计思路,以信息处理过程与数据交互过程中的安全防护为研究对象,在高校教师团队与专业技术公司的协同合作下,打造提升校园网络安全性,同时具备教学与科研功能的防火墙系统创新实验平台。在该平台上进行了实验,实验结果表明,开发的防火墙不仅可以抑制因控制器系统的引入而导致的网络攻击,而且能够成功地监控所有网络连接。     

基于NPU架构的VPN防火墙硬件结构模型

随着光纤网络的快速发展,网络速度的瓶颈并不在于传输系统,而依赖于数据报的处理速度是否能匹配不断增长的线路速度,尤其是在不断出现新服务和新协议的情况下,基于软件的网络处理已经不能完全胜任了,软硬件协同处理的方法开始不断涌现。防火墙同传统的网络设备一样,硬件体系结构经历了从Intelx86架构到ASIC架构再到NPU架构的发展过程。通过对防火墙硬8件体系结构进行研究,以NPU架构为基础提出一种VPN防火墙的硬件平台模型,建议以“龙芯”或其它国产CPUcore为基础,以网络安全设备的应用为目标,以SOC宽带NPU为切入点,研制具有自主知识产权的NPU及其网络安全产品。     

防火墙架构演变“三步曲”

为了满足用户的更高要求,防火墙体系架构经历了从低性能的x86、 PPC软件防火墙向高性能硬件防火墙的过渡,并逐渐向不但能够满足高性能,也需要支持更多业务能力的方向发展。     

European Community policy and the market

Abstract This paper starts with some reflections on the policy considerations and priorities which are shaping European Commission (EC) research programmes. Then it attempts to position the current projects which seek to capitalise on information and communications technologies for learning in relation to these priorities and the apparent realities of the marketplace. It concludes that while there are grounds to be optimistic about the contribution EC programmes can make to the efficiency and standard of education and training, they are still too technology driven.     

一种自适应子融合集成多分类器方法

融合集成方法已经广泛应用在模式识别领域,然而一些基分类器实时性能稳定性较差,导致多分类器融合性能差,针对上述问题本文提出了一种新的基于多分类器的子融合集成分类器系统。该方法考虑在度量层融合层次之上通过对各类基多分类器进行动态选择,票数最多的类别作为融合系统中对特征向量识别的类别,构成一种新的自适应子融合集成分类器方法。实验表明,该方法比传统的分类器以及分类融合方法识别准确率明显更高,具有更好的鲁棒性。     

Explanation and prediction: an architecture for default and abductive reasoning

Although there are many arguments that logic is an appropriate tool for artificial intelligence, there has been a perceived problem with the monotonicity of classical logic. This paper elaborates on the idea that reasoning should be viewed as theory formation where logic tells us the consequences of our assumptions. The two activities of predicting what is expected to be true and explaining observations are considered in a simple theory formation framework. Properties of each activity are discussed, along with a number of proposals as to what should be predicted or accepted as reasonable explanations. An architecture is proposed to combine explanation and prediction into one coherent framework. Algorithms used to implement the system as well as examples from a running implementation are given.     

Three Process Perspectives: Organizations, Teams, and People

This paper provides the author's personal views and perspectives on software process improvement. Starting with his first work on technology assessment in IBM over 20 years ago, Watts Humphrey describes the process improvement work he has been directly involved in. This includes the development of the early process assessment methods, the original design of the CMM, and the introduction of the Personal Software Process (PSP)^SM and Team Software Process (TSP){^SM}. In addition to describing the original motivation for this work, the author also reviews many of the problems he and his associates encountered and why they solved them the way they did. He also comments on the outstanding issues and likely directions for future work. Finally, this work has built on the experiences and contributions of many people. Mr. Humphrey only describes work that he was personally involved in and he names many of the key contributors. However, so many people have been involved in this work that a full list of the important participants would be impractical.     

基于复小波噪声方差显著修正的SAR图像去噪

提出了一种基于复小波域统计建模与噪声方差估计显著性修正相结合的合成孔径雷达(Synthetic Aperture Radar,SAR)图像斑点噪声滤波方法。该方法首先通过对数变换将乘性噪声模型转化为加性噪声模型,然后对变换后的图像进行双树复小波变换(Dualtree Complex Wavelet Transform,DCWT),并对复数小波系数的统计分布进行建模。在此先验分布的基础上,通过运用贝叶斯估计方法从含噪系数中恢复原始系数,达到滤除噪声的目的。实验结果表明该方法在去除噪声的同时保留了图像的细节信息,取得了很好的降噪效果。     

How do children do mathematics with LOGO?

Abstract  This paper considers some results of a study designed to investigate the kinds of mathematical activity undertaken by children (aged between 8 and 11) as they learned to program in LOGO. A model of learning modes is proposed, which attempts to describe the ways in which children used and acquired understanding of the programming/mathematical concepts involved. The remainder of the paper is concerned with discussing the validity and limitations of the model, and its implications for further research and curriculum development.     

Editorial: Special issue on recent advances in hybrid control theory and applications

正The demands of a rapidly advancing technology for faster and more accurate controllers have always had a strong influence on the progress of automatic control theory.In recent years control problems have been arising with increasing frequency in widely different areas,which cannot be addressed using conventional control techniques.The principal reason for this is the fact that a highly competitive economy is forcing systems to operate in regimes where     

Information for Authors

正Aim The Journals of Zhejiang University-SCIENCE(A/B/C)areedited by the international board of distinguished Chinese andforeign scientists,and are aimed to present the latest devel-opments and achievements in scientific research in China andoverseas to the world’s scientific circles,especially to stimulateand promote academic exchange between Chinese and for-eign scientists everywhere.     

Enhancing a leaf radiative transfer model to estimate concentrations and in vivo specific absorption coefficients of total carotenoids and chlorophylls a and b from single-needle reflectance and transmittance

The relative concentrations of different pigments within a leaf have significant physiological and spectral consequences. Photosynthesis, light use efficiency, mass and energy exchange, and stress response are dependent on relationships among an ensemble of pigments. This ensemble also determines the visible characteristics of a leaf, which can be measured remotely and used to quantify leaf biochemistry and structure. But current remote sensing approaches are limited in their ability to resolve individual pigments. This paper focuses on the incorporation of three pigments—chlorophyll a, chlorophyll b, and total carotenoids—into the LIBERTY leaf radiative transfer model to better understand relationships between leaf biochemical, biophysical, and spectral properties.Pinus ponderosa and Pinus jeffreyi needles were collected from three sites in the California Sierra Nevada. Hemispheric single-leaf visible reflectance and transmittance and concentrations of chlorophylls a and b and total carotenoids of fresh needles were measured. These data were input to the enhanced LIBERTY model to estimate optical and biochemical properties of pine needles. The enhanced model successfully estimated reflectance (RMSE = 0.0255, BIAS = 0.00477, RMS%E = 16.7%), had variable success estimating transmittance (RMSE = 0.0442, BIAS = 0.0294, RMS%E = 181%), and generated very good estimates of carotenoid concentrations (RMSE = 2.48 µg/cm², BIAS = 0.143 µg/cm², RMS%E = 20.4%), good estimates of chlorophyll a concentrations (RMSE = 10.7 µg/cm², BIAS = − 0.992 µg/cm², RMS%E = 21.1%), and fair estimates of chlorophyll b concentrations (RMSE = 7.49 µg/cm², BIAS = − 2.12 µg/cm², RMS%E = 43.7%). Overall root mean squared errors of reflectance, transmittance, and pigment concentration estimates were lower for the three-pigment model than for the single-pigment model. The algorithm to estimate three in vivo specific absorption coefficients is robust, although estimated values are distorted by inconsistencies in model biophysics. The capacity to invert the model from single-leaf reflectance and transmittance was added to the model so it could be coupled with vegetation canopy models to estimate canopy biochemistry from remotely sensed data.     

Mr. Twinn’s bombes

This article discusses the history and design of the special versions of the bombe key-finding machines used by Britain’s Government Code & Cypher School (GC&CS) during World War II to attack the Enigma traffic of the Abwehr (the German military intelligence service). These special bombes were based on the design of their more numerous counterparts used against the traffic of the German armed services, but differed from them in important ways that highlight the adaptability of the British bombe design, and the power and flexibility of the diagonal board. Also discussed are the changes in the Abwehr indicating system that drove the development of these machines, the ingenious ways in which they were used, and some related developments involving the bombes used by the U.S. Navy’s cryptanalytic unit (OP-20-G).