Similar literature
20 similar documents found, search time 46 ms
1.
Research and Design of a Policy Deployment Model in the P2DR Model
韩锐生, 徐开勇, 赵彬. 《计算机工程》 (Computer Engineering) 2008, 34(20):180-183
This paper analyzes the deficiencies of the dynamic adaptive network security model P2DR and proposes several improvements to it. To address the model's shortcomings regarding policy, a policy deployment model is designed; it implements unified policy customization, automatic distribution and adaptive management. The deployment model also introduces the idea of security event correlation analysis, sharing security information among devices so that security policies can act in coordination and security incidents are responded to promptly. The deployment model realizes the dynamic and adaptive nature of the P2DR model and the central role of policy.

2.
Objective Risk Evaluation for Automated Security Management
Network security depends on a number of factors, and a common characteristic of these factors is that they are dynamic in nature. Such factors include new vulnerabilities and threats, the network policy structure and traffic. These factors can be divided into two broad categories: network risk and service risk. As the name implies, the former corresponds to risk associated with the network policy, whereas the latter depends on the services and software running on the system. Therefore, evaluating security from both the service and the policy perspective allows the management system to make decisions regarding how a system should be changed to enhance security as per the management objective. Such decision making includes choosing between alternative security architectures, designing security countermeasures, and systematically modifying security configurations to improve security. As there may be real-time changes to the network threat, this evaluation must be done dynamically to handle such changes. In this paper, we provide a security metric framework that objectively quantifies the most significant security risk factors, which include existing vulnerabilities, the historical trend of vulnerabilities of the remotely accessible services, prediction of potential vulnerabilities for these services and their estimated severity, unused address space and finally propagation of an attack within the network. These factors cover both the service aspect and the network aspect of risk toward a system. We have implemented this framework as a user-friendly tool called Risk based prOactive seCurity cOnfiguration maNAger (ROCONA) and showed how this tool simplifies security configuration management of services and policies in a system using risk measurement and mitigation.
We also combine all the components into one single metric and present validation experiments using real-life vulnerability data from the National Vulnerability Database (NVD) and show a comparison with two existing risk measurement tools.

3.
With the arrival of the 5G era, the demand for rapid deployment of network services and for network operations and maintenance capability poses new challenges to network management. On one hand, networks are undergoing a transition to function virtualization, and slicing and microservices make them more complex; on the other hand, network administrators need simpler collections of automation tools to support on-demand, real-time and flexible network services. This paper analyzes the difficulties currently facing network management and their causes, and proposes a research framework for autonomous network management as a reference for further research.

4.
Mobile communications beyond 3G will integrate different (but complementary) access technologies into a common platform to deliver value-added services and multimedia content in an optimum way. However, the numerous possible configurations of mobile networks complicate the dynamic deployment of mobile applications. Therefore, research is intensely seeking a service provisioning framework that is technology-independent, supports multiple wireless network technologies, and can interwork high-level service management tasks to network management operations. This paper presents an open value chain paradigm, a model for downloadable applications and a mediating platform for service provisioning in beyond 3G mobile settings. Furthermore, we introduce mechanisms that support a coupled interaction between service deployment and network configuration operations, focusing on the dynamic provisioning of QoS state to data path devices according to the requirements of dynamically downloadable mobile value-added services (VAS).

5.
Users access Internet applications and services through network identities. Identity management integrates many technologies, such as protecting user identity information and controlling access to resources, and lays the foundation for optimizing the user experience. Based on the characteristics of network identities and the basic framework of identity management, this paper analyzes trends in identity management and introduces, as a case study, the cloud-based unified identity management system of the Chinese Academy of Sciences. The system uses single sign-on, multi-factor authentication and multi-level security policies to achieve secure and efficient deployment and integration of network identities across application services.

6.
This paper presents a market-enabling framework where users, content providers and network operators can interact in the seamless, transparent sale and delivery of a wide range of services. The framework allows for dynamic creation, configuration and delivery of services with quality assurance, via automated management of Service Level Agreements (SLAs). We propose an approach relying on a systemic treatment of business, service and network layer issues, which translates into a layered architecture where components belonging to different levels interact on the basis of a mediation paradigm. We use mediation as a generic term for a combination of negotiation, brokerage and state notification, jointly concurring to the realization of the entire life-cycle of a service.

7.
Research and Implementation of a Policy-Based Network Management Model
Policy-based network management supports dynamic extension of management systems and is receiving increasing research and application. This paper first presents a policy-based network management model, then defines the architecture of a policy server and a collaborative policy-based network management framework. The framework lets administrators decompose a task, describe the subtasks as policies, and distribute the policies to policy servers, which interpret and execute them. Policy servers in multiple domains can send and receive messages to run in coordination and complete global management tasks, and administrators can modify policies dynamically to adapt to changes in the system.

8.
Mobile Agent-Based Performance Management for the Virtual Home Environment
Virtual Home Environment (VHE) encompasses the deployment and management of adaptable services that retain any personalized service aspects, irrespective of terminal, network and geographic location. We assert that the dynamic nature of the VHE requires management capabilities that can be suitably provided through the use of mobile agent technology. We examine four different engineering solutions for the realization of a VHE performance management component that allows service adaptation in relation to the available network Quality-of-Service (QoS). The mobile agent approach is compared with competing technologies in order to identify the benefits of this novel application of mobile agents, discuss its drawbacks and finally focus on the lessons learned from our prototype system. Although mobile agents are typically associated with increased performance costs, it is through agent migration that we were able to address the VHE requirements of universality, dynamic programmability, and network technology independence.

9.
An Efficient Network Management Model Based on Active Networks
This paper first analyzes the various drawbacks of traditional network management, then, building on active network technology and policy-based management, proposes a policy-based active network management logical architecture for efficient distributed network management. The model combines the advantages of active networks and policy-based management while overcoming the shortcomings of policy-based management: it automates the enforcement of management policies, shares the mechanisms for defining and propagating policies, and provides support for customizing dynamic network management services. Simulation experiments show that a network management system based on this logical architecture not only addresses the drawbacks of traditional network management well but also improves performance.

10.
In this paper we present a framework for building policy-based autonomic distributed agent systems. The autonomic mechanisms of configuration and recovery are supported through a distributed event processing model and a set of policy enforcement mechanisms embedded in an agent framework. Policies are event-driven rules derived from the system's functional and non-functional requirements. Agents in the network monitor the system state for policy violation conditions, generate appropriate events, and communicate them to other agents for cooperative filtering, aggregation, and handling. A set of agents perform policy enforcement actions whenever events signifying any policy violation conditions occur. Policies are defined using a specification framework based on XML. The policy enforcement agents interpret the policies given in XML. We illustrate the utility of this framework in the context of an agent-based distributed network monitoring application. We also present an experimental evaluation of our approach. Copyright © 2006 John Wiley & Sons, Ltd.

11.
The dynamic configuration and evolution of large-scale heterogeneous systems has made the enforcement of security requirements one of the most critical phases throughout the system development lifecycle. In this paper, we propose a framework architecture to associate the security policies with the specification and the execution phases of applications defined for these systems. Our proposed framework is based on an aspect-oriented programming approach and on the organization-based access control model to dynamically enforce and manage the access and the usage control. The deployment of the framework modules, proposed in this paper, takes into account the changes that may occur in the security policy during the application execution. We also present the implementation as well as the evaluation of our proposition.

12.
A trust negotiation system for digital library Web services
A scalable approach to trust negotiation is required in digital library (DL) environments that have large and dynamic user populations. In this paper we introduce Trust-Serv, a model-driven trust negotiation framework for Web services, and show how it can be used to effectively handle trust negotiation in DLs. The framework employs a model for trust negotiation based on state machines, extended with security abstractions. High-level specifications expressed with the state-machine-based model are then translated into formats suitable for automating the trust negotiation process. The proposed framework also supports negotiation policy lifecycle management, an important trait in the dynamic environments that characterize DLs. In particular, we present a set of policy change operations that enable the dynamic evolution of negotiation policies without disrupting ongoing negotiations. The proposed approach has been implemented as a container-centric mechanism that is transparent to the DL and to the developers of DL Web services, simplifying DL development and management as well as enabling scalable deployments.

13.
New networks based on software-defined networking (SDN) and network function virtualization (NFV) will inevitably replace traditional networks, so research on network security architectures for the new network environment is urgent. This paper introduces an open and general software-defined SDS security architecture that provides an open interface for security services, security devices and security management and supports the deployment of security products and security solutions from different network security vendors. In addition, virtual security func...

14.
15.
Overlay networks are becoming widely used for content delivery because they provide effective and reliable services that are not otherwise available. However, they can negatively affect each other as well as the underlying network. A management system that controls and adapts their behavior is therefore needed. This will meet not only the specific demands of the users but also those of the network and service providers. This paper presents a novel approach to the issue of automating overlay network management. In contrast to existing management approaches which require static a priori policy configurations, policies are created dynamically. A policy layer consists of a set of policy enforcement points and policy decision points. This is used to capture the goals of users, services, and networks into network-level objectives. The behavior of the overlay network is adapted to the changing conditions in its environment. The creation, adaptation, and termination of overlays are achieved through policies. Policies are generated and enforced on the fly from the context information of the user, the network and the service provider. The new approach provides users and applications with more flexibility to dynamically change their quality-of-service requirements while maintaining smooth quality-of-service delivery. We show the advantages of our architecture and provide simulation results to verify its effectiveness.

16.
周桐庆, 蔡志平, 夏竟, 徐明. 《软件学报》 (Journal of Software) 2016, 27(2):394-417
As a new network architecture, software-defined networking (SDN) separates the data plane from the control plane; through centralized control and open control interfaces it simplifies network management and supports dynamic, application-driven control of network services. Traffic engineering optimizes network performance by analyzing, predicting and managing network traffic. Carrying out traffic engineering in SDN provides network measurement and management with a real-time, centralized view of the network, flexible and abstract control, and efficient, scalable maintenance policies, and is thus of notable research significance. This paper surveys work on SDN-based traffic engineering. From the perspectives of measurement methods, applications and deployment, it summarizes the basic framework of traffic measurement in SDN, measurement-based correctness checking and the management of measurement resources. It analyzes the problems of traditional traffic scheduling schemes and introduces the main methods for scheduling data traffic and control traffic in SDN. It summarizes failure recovery methods in SDN from both the data plane and the control plane. Finally, it concludes and looks ahead to future work.

17.
Research on a Computer Network Defense Policy Specification Language
This paper defines a computer network defense policy specification language, CNDPSL (computer network defense policy specification language). The language targets the CNDPM model and can uniformly describe protection, detection and response policies. Within the CNDPM model, the derivation principle for refining abstract policies into concrete rules is given, and the completeness, consistency and validity of policies are analyzed and verified by formal methods. CNDPSL is a declarative language that abstracts the behaviour of network defense control and offers good flexibility, extensibility and adaptability to network defense requirements. Finally, a prototype policy engine and its implementation are presented. Experiments on the GTNetS simulation platform show that the language can be automatically translated into concrete technical rules that realize the defensive effect it expresses.

18.
An institutional repository is the platform and mechanism for managing an institution's knowledge assets; policy-driven mechanisms and technical platform construction are the main supports for building and developing institutional repositories. This paper discusses the basic framework and practice of managing digital research assets through institutional repositories. Taking the institutional repositories of the institutes of the Chinese Academy of Sciences as an example, it examines practical issues such as building the policy framework and designing and constructing the functional service system of the technical platform, and briefly introduces the progress of institutional repository construction at the CAS institutes and its results.

19.
Most work related to quality of service (QoS) is concerned with individual system components, such as the operating system or the network. However, to support distributed multimedia applications, the entire distributed system must participate in providing the guaranteed performance levels. In recognition of this, a number of QoS architectures have been proposed to provide QoS guarantees. The mechanisms and schemes proposed by those architectures are used in a rather static manner since the involved entities, e.g., the network, sender and receiver, are known before the connection (call) set-up phase. In contrast to these architectures, we propose a general QoS management framework which supports the dynamic choice of a configuration of system components to support the QoS requirements for the user of a specific application. We consider different possible system configurations and select the most appropriate one depending on the desired QoS and the available resources. In this paper we present an overview of this general framework; in particular, we concentrate on QoS negotiation and adaptation mechanisms. To show the feasibility of this approach, we designed and implemented a QoS manager for distributed multimedia presentational applications, such as news-on-demand. The negotiation and adaptation mechanisms supported by the QoS manager are specializations of the general framework. The proposed framework makes it possible to improve the utilization of system resources, and thus to increase system availability; it also allows automatic recovery, where possible, from QoS degradations. Furthermore, it provides the flexibility to incorporate different resource reservation schemes and scheduling policies, and to accommodate new system component technologies.

20.
The Internet is, on the whole, a best-effort network that provides no quality-of-service assurance for services, yet streaming media of all kinds demand more network performance and quality of service. Because many heterogeneous networks exist today, such as telecommunication networks, IP data networks and mobile networks, the next generation network must be researched and developed in order to end this isolation of heterogeneous networks; only in this way can these isolated heterogeneous networks be merged into an all-IP network. This network will provide a vast range of services to service users, and how to manage these services effectively is a topic raised by the next generation Internet. [1] surveyed the research status and progress of service management; this paper studies the service management requirements of the next generation Internet, workflow and related techniques, and on this basis proposes a service management architecture model. It consists of a service access layer, service deployment layer, service providing layer, service mapping layer, policy control layer and network element management layer, which coordinate to implement service management.
