基于Grid Of Tries的无冲突多维IP分类算法

快速IP分类算法是提高网络设备性能的关键，无冲突规则集则是正确进行IP报文分类的前提和保证、本文首先形式化描述了IP分类算法和规则冲突问题，介绍了常用的IP分类算法及冲突解决策略，并提出了一种基于Grid Of Tries的无冲突多维IP分类算法，解决了规则集中存在冲突的问题，最后对该算法进行了性能分析和展望。     

多维过滤规则无冲突的高速分组分类算法

为了有效地实现防火墙及QoS路由等功能,路由器等网络元素必须能高速地对分组分类.对一维分组分类,已有很多成熟方案,而多维算法由于实现复杂,还没有有效的分类算法.本文对无过滤规则无冲突的数据库进行了研究,提出了基于元组空间多维分组分类算法:元组空间矢量位映射算法.对多维和二维分类在最不利情况下分别进行了性能分析,指出与已有的方案相比,在存贮空间、查找时间等性能上,本文提出的算法是效率最佳的.本文的算法不仅可以由软件实现,也很容易由硬件实现.     

新的证据冲突衡量标准下的D-S改进算法

 针对传统证据冲突衡量标准存在的不足及高冲突下Dempster证据组合规则失效的问题,通过pignistic变换,定义了新的证据冲突衡量标准,基于此,提出了一种新的D-S改进算法.该方法依据少数服从多数的决策思想,引入了描述证据重要度的权重系数,对证据进行预处理,再采用Dempster规则进行组合.通过仿真算例分析,并与其它改进方法进行对比,验证了新算法在处理证据冲突方面的性能显著改进,加快了收敛速度,同时降低了决策风险.     

基于遗传算法进化业务冲突检测规则的研究

完备和正确的检测规则是业务冲突管理器在线检测冲突时提高检测率的关键.该文借鉴遗传算法的随机搜索能力提出一种冲突检测规则进化算法,通过加入已知冲突信息的指导和以概率递减选择新业务参与变异的方式提高系统进化速度,对检测规则集进行优化降低系统时间和空间复杂度.实验证明此算法提高了系统检测率.     

基于改进D-S证据理论的数据融合目标分类

首先采用分类算法对MSTAR数据集进行十类目标分类识别、三类目标的变体分类识别,然后根据分类调参过程中的先验知识修正证据即分类器输出,构造基本置信函数,并采用改进的合成规则即基于冲突系数K和Pignistic概率距离相结合的冲突度量方法,对冲突证据采用按比例分配冲突度的合成规则进行合成。未融合时,三类目标的变体分类准确率最高为93.553%,融合后三类目标变体分类识别率为95.092%,提升幅度约是理想状态的37%。     

广播发射射频系统中的信号冲突消除方法研究

本文就在对广播发射机射频系统中的信号冲突进行简单分析的基础上,提出一种射频标签防冲突算法,并应用相关的算法对其进行仿真验证,这对于消除广播发射射频系统中的信号冲突具有积极的作用。     

报文过滤策略的逻辑表示及冲突解决方法

报文过滤策略是基于报文头部及相关信息对其进行分类的规则集合，报文分类是提供网络服务如路由、QoS、安全等的关键技术．策略中的冲突会导致不一致的系统行为．提出了一种具有精确语义的过滤策略语言，并给出了该语言到Horn程序的转换规则，从而可以利用逻辑推理技术检测和解析冲突．理论分析和原型实现验证了该方法的有效性．     

基于比例冲突再分配规则的目标识别方法

高冲突证据下的目标识别方法研究一直是热点和难点问题。比例冲突再分配规则正是处理高冲突证据的一种有效方法。介绍并分析了比例冲突再分配系列规则,并通过具体的例子对不同方法进行了仿真验证,说明了比例冲突再分配规则能很好地处理目标识别问题中的高冲突证据。     

D—S证据理论在多源数据融合中的应用及改进

在不确定性处理算法中,D-S证据理论具有较好的应用效果.阐述了D-S证据理论及其在多传感器数据融合中的应用.从改进合成规则和证据源数据两方面对当前的一些改进方法进行了分析比较.提出一种基于冲突强度的证据合成规则,并在Murphy证据平均合成规则的基础上提出一种基于证据间相似系数的证据合成规则,通过实例对这几种方法进行了比较,证明了基于相似系数证据合成规则的有效性.     

异常证据及其检测算法研究

分析了异常证据的概念及其分类,提出了基于证据距离和证据冲突程度的异常证据检测算法.该算法讨论了异常证据检测算法中的距离和冲突程度两个重要参数,具有计算量小、简便实用等优势.实例表明算法有效可行.     

An MTIDD Based Firewall

This paper explores the use of Multi-Terminal Interval Decision Diagrams (MTIDDs) as the central structure of a firewall packet filtering mechanism. This is done by first relating the packet filtering problem to predicate logic, then implementing a prototype which is used in an empirical evaluation. The main benefits of the MTIDD structure are that it provides access to Boolean algebra over filters, efficient classification time, and a compact representation. Results from the empirical evaluation shows that MTIDDs are scalable in terms of memory usage: a 50,000 rule filter requires only 3MB of memory, and efficient for packet classification: it is able to handle more rules than the schemes it was compared to without causing a degradation in performance.     

基于操作系统内核的包过滤防火墙系统的设计与实现

主要研究如何通过基于Windows操作系统内核的包过滤防火墙系统来实现网络安全防护.基于操作系统内核的包过滤防火墙系统是基于网络层实现的包过滤防火墙系统,该系统要求能够对所有进出计算机的IP数据包进行灵活控制,实现包过滤的核心问题是如何截获所有的IP数据包.首先介绍了包过滤防火墙的基本结构和原理,然后在剖析操作系统内核的基础上,研究并设计了基于Windows操作系统内核的包过滤防火墙系统.     

Scalable packet classification

Packet classification is important for applications such as firewalls, intrusion detection, and differentiated services. Existing algorithms for packet classification reported in the literature scale poorly in either time or space as filter databases grow in size. Hardware solutions such as TCAMs do not scale to large classifiers. However, even for large classifiers (say, 100 000 rules), any packet is likely to match a few (say, 10) rules. This paper seeks to exploit this observation to produce a scalable packet classification scheme called Aggregated Bit Vector (ABV). It takes the bit vector search algorithm (BV) described in Lakshman and Stidialis, 1998 (which takes linear time) and adds two new ideas, recursive aggregation of bit maps and filter rearrangement, to create ABV (which can take logarithmic time for many databases). We show that ABV outperforms BV by an order of magnitude using simulations on both industrial firewall databases and synthetically generated databases.     

一种新的策略冲突解决方法的研究

在3GPP的PCC（Policy and Charging Control）架构以及TISPAN的RACS（Resource and Admission Control Subsystem）等资源控制平台中,资源控制和计费基于策略实现。在这些系统中,如何准确检测以及有效解决策略问冲突成为策略控制的关键问题。本文在对策略冲突分类和检测的分析基础上,指出了已有解决办法存在的问题,并提出了一种基于优先权设定的新方法,完备有效得解决策略间冲突。     

Conflict detection and resolution in two-dimensional prefix router tables

We show that determining the minimum number of resolve filters that need to be added to a set of two-dimensional (2-D) prefix filters so that the filter set can implement a given policy using the first-matching-rule-in-table tie breaker is NP-hard. Additionally, we develop a fast O(nlogn+s) time, where n is the number of filters and s is the number of conflicts, plane-sweep algorithm to detect and report all pairs of conflicting 2-D prefix filters. The space complexity of our algorithm is O(n). On our test set of 15 2-D filter sets, our algorithm runs between 4 and 17 times as fast as the 2-D trie algorithm of A. Hari et al. (2000) and uses between 1/4th and 1/8th the memory used by the algorithm of Hari et al. On the same test set, our algorithm is between 4 and 27 times as fast as the bit-vector algorithm of Baboescu and Varghese (2002) and uses between 1/205 and 1/6 as much memory. We introduce the notion of an essential resolve filter and develop an efficient algorithm to determine the essential resolve filters of a prefix filter set.     

一种自适应的时空视频去噪算法

该文提出了一种基于运动估计的自适应时空视频去噪算法。算法直接嵌入在视频压缩编码中。空域上通过局部相似性寻找候选滤波点避免由噪声干扰形成的伪相似点,提高滤波点的有效性。时域上对各像素点进行运动预测,既增加了滤波点数量,减弱帧与帧之间的闪烁现象,又避免了因帧间运动而带来的运动模糊。另一方面,通过噪声强度和图像边缘信息自适应调节滤波窗口大小及滤波权重大小,实现了滤波强度自适应和空间细节的保护。     

包分类算法在防火墙中的应用研究

包分类算法的性能直接影响数据包的收发速度,决定了网络的时延和吞吐量。防火墙中使用分类算法进行过滤规则的匹配查找,能有效降低规则匹配搜索时间,极大地提升防火墙的性能。递归流分类（RFC,Recursive Flow Classification）算法查找速度快,但预处理时间长,存储开销大。现在RFC算法的基础上,结合哈希树算法对数据包各字段分开处理。将两种算法结合,综合考虑了空间和时间性能,不仅减少了存储开销,而且能保持相对快的查找速度。     

Performance Improvement of Two-Dimensional Packet Classification by Filter Rephrasing

Packet classification categorizes incoming packets into multiple forwarding classes in a router based on predefined filters. It is important in fulfilling the requirements of differentiated services. To achieve fast packet classification, a new approach, namely ldquofilter rephrasing,rdquo is proposed to encode the original filters by exploiting the hierarchical property of the filters. Filter rephrasing could dramatically reduce the search and storage complexity incurred in packet classification. We incorporate a well-known scheme-rectangle search-with filter rephrasing to improve the lookup speed by at least a factor of 2 and decreases 70% of the storage expenses. As compared with other existing schemes, the proposed scheme exhibits a better balance between speed, storage, and computation complexity. Consequently, the scalable effect of filter rephrasing is suitable for backbone routers with a great number of filters.     

基于NDIS内核过滤技术的截获网络包技术研究

对网络包的截获技术是防火墙技术的一部分,很多场合都采用的是这种技术,具有较大的商业价值。介绍了现有的一些网络包截获技术,包括SPI技术、NDIS技术。并且对现在应用最广泛的内核过滤技术进行了研究与实现,经测试表明,与传统的那些技术相比,这种技术确实可以取得比其它技术更有效率,更稳定。     

Efficient Multimatch Packet Classification for Network Security Applications

New network applications like intrusion detection systems and packet-level accounting require multimatch packet classification, where all matching filters need to be reported. Ternary content addressable memories (TCAMs) have been adopted to solve the multimatch classification problem due to their ability to perform fast parallel matching. However, TCAMs are expensive and consume large amounts of power. None of the previously published multimatch classification schemes are both memory and power efficient. In this paper, we develop a novel scheme that meets both requirements by using a new set splitting algorithm (SSA). The main idea behind SSA is that it splits filters into multiple groups and performs separate TCAM lookups into these groups. It guarantees the removal of at least 1/2 the intersections when a filter set is split into two sets, thus resulting in low TCAM memory usage. SSA also accesses filters in the TCAM only once per packet, leading to low-power consumption. We compare SSA with two best known schemes: multimatch using discriminators (MUD) (Lakshminarayanan and Rangarajan, 2005) and geometric intersection-based solutions (Yu and Katz, 2004). Simulation results based on the SNORT filter sets show that SSA uses approximately the same amount of TCAM memory as MUD, but yields a 75%–95% reduction in power consumption. Compared with geometric intersection-based solutions, SSA uses 90% less TCAM memory and power at the cost of one additional TCAM lookup per packet. We also show that SSA can be combined with SRAM/TCAM hybrid approaches to further reduce energy consumption.