基于OpenFlow的虚拟机流量检测系统的设计与实现

云平台下的虚拟机在物理机内部交互流量,而不通过防火墙等安全组件。针对这类流量无法在网络边界被获取并检测的问题,分析了OpenFlow技术的原理,提出了一种基于OpenFlow技术将虚拟机流量重定向到入侵检测系统进行检测的方案。方案使用OpenFlow虚拟交换机和控制器替代传统交换机,然后基于OpenFlow技术控制流量转发过程,将其导向外部的安全组件进行处理,并构建了由虚拟交换机、控制单元、入侵检测和系统配置管理4个模块组成的流量检测系统。实验结果表明,系统能够在满足虚拟机网络正常使用的前提下,将待监管流量导向入侵检测系统进行处理,而且能够同时提供交换机级及虚拟机级两种粒度的流量重定向控制。通过对虚拟机引流的方式实现在传统场景中解决云计算环境下流量检测问题,同时能够基于OpenFlow轻松实现流量处理的扩展操作。     

基于Renyi熵的SDN自主防护系统

针对SDN架构下的常见网络异常行为，提出了一套基于Renyi熵的SDN自主防护系统，该系统可实现网络异常行为检测、诊断及防御。系统无须引入第三方测量设备，直接利用OpenFlow交换机流表信息。首先，通过计算和检测特征熵值，实现异常网络行为的检测。然后，进一步分析OpenFlow流表信息，实现异常行为的诊断。最后，实施防御控制措施，建立一套黑名单机制，将产生异常行为的主机加入黑名单，并阻塞相应的异常流量。为了验证系统的有效性，在Floodlight控制器上开发了原型。Mininet上的仿真实验表明，系统能够有效检测、诊断及防御网络中常见的异常行为，且具有较低的部署成本，增强了SDN的安全性。     

基于OpenFlow的入侵检测评估模型

针对传统测评方法依赖模拟环境来仿真真实网络流量的现状,提出一种基于OpenFlow的入侵检测评估系统.该系统基于软件定义网络技术（OpenFlow）的入侵检测评估模型,随后对该模型的框架、设置方法、具体工作过程等进行详细阐述,设计了基于该模型的测评系统,该系统利用OpenFlow灵活的网络控制能力为IDS测评搭建真实可控的网络环境,提供入侵检测所需的真实网络流量和攻击数据.最后利用该测评系统对该模型进行试验仿真,实验结果表明传统方法相比,本文提出的基于OpenFlow的入侵检测评估模型在测评效果和准确性上有较好的性能.     

DAFT:一种OpenFlow大规模流表区分存储与加速查找架构

软件定义网络作为一种数据转发与逻辑控制相解耦的创新网络范式,当采用OpenFlow协议进行大规模部署时,其数据平面的流表规模急剧增大,对OpenFlow交换机的流表存储资源和分组转发性能提出了严峻的挑战.对此,本文构建了一种OpenFlow大规模流表区分存储与加速查找架构DAFT.该架构根据流量分布特性将OpenFlow网络流区分为重要流和次要流,进而采用TCAM和SRAM分别存储其标识字段,并采用DRAM单独存储其内容字段,有效缓解OpenFlow流表存储资源紧张问题.针对重要流/次要流区分问题,在分析传统大象流/老鼠流区分方法的基础上,基于OpenFlow网络流的包成批特性,提出活跃流/空闲流区分方法,以提高TCAM命中率.针对SRAM流表查找性能瓶颈,利用掩码访问不均匀的特点,采用"往前移1"启发法自适应调整掩码顺序,以减少后续数据包的掩码失败探测次数;利用掩码探测多数会失败的特点,借助计数型布鲁姆过滤器预测元组查找失败结果,从而绕过对应的子流表遍历过程.最后,借助骨干网络流量样本,对本文所提DAFT流表架构的查找性能进行实验评估.实验结果表明:DAFT流表架构的TCAM命中率、SRAM平均查找长度和平均流表访问时间均明显优于传统的大象流/老鼠流架构,且稳定性强,有效提升了OpenFlow交换机的分组转发性能.     

基于OpenFlow的软件定义网络虚拟化方案

软件定义网络(SDN)可以将网络控制平面与数据平面分离开来,为网络虚拟化提供了良好的平台。为了解决SDN中多租户下的虚拟化,提出了一种基于OpenFlow的网络虚拟化方案。通过一个中间代理来转换并匹配物理MAC地址与虚拟MAC地址,以及物理流表项和虚拟流表项,以此实现流量空间的虚拟化。其中,根据实际数据包的惰性计算,使用前缀或通配符来精确匹配流表项。另外,为了保障物理OpenFlow网络上不同租户之间的隔离,将单个虚拟MAC-通配符流表项映射为多个具有精确MAC地址的物理流表项。实验结果表明,该方案成功的实现了网络虚拟化,且虚拟化开销较小,具有可行性。     

Multi-GPU performance of incompressible flow computation by lattice Boltzmann method on GPU cluster

GPGPU has drawn much attention on accelerating non-graphic applications. The simulation by D3Q19 model of the lattice Boltzmann method was executed successfully on multi-node GPU cluster by using CUDA programming and MPI library. The GPU code runs on the multi-node GPU cluster TSUBAME of Tokyo Institute of Technology, in which a total of 680 GPUs of NVIDIA Tesla are equipped. For multi-GPU computation, domain partitioning method is used to distribute computational load to multiple GPUs and GPU-to-GPU data transfer becomes severe overhead for the total performance. Comparison and analysis were made among the parallel results by 1D, 2D and 3D domain partitionings. As a result, with 384 × 384 × 384 mesh system and 96 GPUs, the performance by 3D partitioning is about 3-4 times higher than that by 1D partitioning. The performance curve is deviated from the idealistic line due to the long communicational time between GPUs. In order to hide the communication time, we introduced the overlapping technique between computation and communication, in which the data transfer process and computation were done in two streams simultaneously. Using 8-96 GPUs, the performances increase by a factor about 1.1-1.3 with a overlapping mode. As a benchmark problem, a large-scaled computation of a flow around a sphere at Re = 13,000 was carried on successfully using the mesh system 2000 × 1000 × 1000 and 100 GPUs. For such a computation with 2 Giga lattice nodes, 6.0 h were used for processing 100,000 time steps. Under this condition, the computational time (2.79 h) and the data communication time (3.06 h) are almost the same.     

OpenFlow在下一代数据中心网络的应用研究

主要阐述了转发面开放协议(OpenFlow)的概念,并介绍了其控制和转发分离的核心思想,分析了其开放性、智能化和高性价比特性。同时,分析了下一代数据网络中心对网络的需求(流量快速增长、横向流量大幅提升、对网络智能化管理需求不断提升、增值业务快速部署等),并对OpenFlow在数据中心的应用场景进行探讨。最后,对OpenFlow进行了展望。     

Two-dimensional side-by-side circular cylinders at moderate Reynolds numbers

In a companion article [1], we described computer simulations of the flow around 2 two-dimensional, tandem circular cylinders in a flow for 1?Re?20. In this article we adopt a similar approach to characterize the flow around side-by-side cylinders with surface-to-surface separation/diameter in the range 0.1 < s/D < 30. The results revealed some distinct and interesting features of the flow, which are completely different than those observed at higher Reynolds numbers.At low Reynolds numbers, 1?Re?5, for all gap spacings, the flow contains no regions of flow separation. At higher Re, four distinct flow behaviors were observed. For very small gap spacings, e.g. 0.1 < s/D < 0.6 at Re = 20, two elongated “detached vortices” form downstream of the cylinders. The drag coefficient increases sharply with the gap spacing. For gap spacings 0.6 < s/D < 0.7 at Re = 20, no vortices form anywhere in the flow. For gap spacings around s/D ≈ 1 separation regions form only on the inside portions of the cylinders. For larger gap spacings s/D > 1 the flow reverts to something similar to that around an isolated cylinder in the flow, i.e. two attached vortices on the rear side of each cylinder. In general, the drag coefficient increases as the gap spacing increases. At higher Reynolds number it is known that the cylinder lift coefficients decrease monotonically with gap spacing. In contrast, at these lower Reynolds number the lift coefficient curves rise to a maximum for 0.3 < s/D < 3 and then decrease monotonically for larger s/D.     

Preliminary study on the accuracy of respiratory input impedance measurement using the interrupter technique

Respiratory input impedance contains information about the state of pulmonary mechanics in the frequency domain. In this paper the possibility of respiratory impedance measurement by interrupter technique as well as the accuracy of this approach are assessed. Transient states of flow and pressure recorded during expiratory flow interruption are simulated with a complex, linear model for the respiratory system and then used to calculate the impedance, including three states of respiratory mechanics and the influence of the measurement noise. The results of computations are compared to the known, theoretical impedance of the model. At 1 kHz sampling rate, the optimal time window lays between 100 and 200 ms and is centred around the pressure jump caused by the flow interruption. The proposed algorithm yields satisfactory accuracy in the range from 10 to 400 Hz, particularly to 150 Hz. Depending on the simulated respiratory system state, the error of calculated impedance (relative Euclidean distance between the vectors of computed and theoretical values), for the window of 190 ms, varies between 5.0% and 7.1%.     

Porous GaN on Si(1 1 1) and its application to hydrogen gas sensor

The growth of heterostructure of n-type GaN/AlN/Si(1 1 1) is carried out using the molecular beam epitaxy (MBE) Veeco model Gen II system. The surface morphology of the as-grown GaN sample showed pits on the GaN surface in a ratio small than those found by other research groups. Porous GaN samples were synthesized by an electrochemical etching technique combined with increasing the current density to 75 mA/cm². The formation of pore structures are of different sizes, the etched surface became hexagonal, and pore structures are confined to a smaller size. The PL results showed greater blue shift luminescence in comparison to results found by other research groups. The reduction in crystallite size is confirmed by an increase in the broadening of XRD spectra. Raman spectra also displayed a strong band at 522 cm⁻¹ from the Si(1 1 1) substrate, and a small band at 301 cm⁻¹. These are due to the acoustic phonons of Si. Two Raman active optical phonons are assigned to h-GaN at 139 cm⁻¹ and 568 cm⁻¹, due to E2 (low) and E2 (high) respectively. The sensitivity of the gas sensor is increased as a function of the hydrogen flow rate and they became much higher compared to the as-grown sample.