Similar literature
Found 18 similar documents; search took 890 ms
1.
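To cope with complex network environments, firewall rule sets are often very large, so manual methods can hardly guarantee that the firewall security policy is configured correctly. This paper studies in depth the methods for detecting anomalous policies in firewalls and, on that basis, presents the design and implementation of an anomalous-policy detection module for an NP firewall. Test results show that the module can effectively detect the various anomalies in a firewall rule set and avoid the security risks they would create.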

2.
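For the access control problem between multiple security domains, this paper proposes a classification of policy conflicts and a method for detecting them. It studies the RBAC-based multi-domain secure interoperation model and its security properties, analyzes the policy conflicts introduced by role mapping, and classifies these conflicts. Based on the characteristics of multi-domain environments, the role systems of the security domains are abstracted as a directed graph, and, using the effective role system and the role hierarchy, a policy conflict detection method based on the role-system directed graph is proposed. Finally, the computational complexity of the method is analyzed and a method for resolving policy conflicts is given.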

3.
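To address the respective shortcomings of distributed firewalls and intrusion detection technology, this paper proposes a distributed firewall solution based on intrusion detection: an intrusion detection module is added inside the host firewall to form a dynamic distributed firewall. The host firewall's filtering module modifies the packet structure to reduce the amount of data the intrusion detection module must examine, and intrusion detection results are returned quickly to the management center so that policies are updated dynamically and in time. Experimental results show that the scheme solves the problems of slow policy updates in distributed firewalls, interception of internal communication by unauthorized users, and failure to detect intrusion attacks in time, and also solves the intrusion detection module's problems of a large detection workload and inability to block attacks.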

4.
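Firewall performance optimization   Total citations: 2, self-citations: 1, citations by others: 1
This paper studies firewall performance optimization. It proposes using conflict detection on the firewall rule set to eliminate redundancy and anomalies between rules and shrink the rule set, thereby reducing the number of rule matches. In addition, while preserving the original semantics of the firewall policy and its security, rules are reordered according to their matching probability to improve rule-matching efficiency and so optimize firewall performance.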

5.
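Chen Baolin. Information Technology, 2009, 33(12): 152-154
In TCP/IP networks, formulating the policy of a packet-filtering firewall is crucial. The policy has the packet-filtering firewall open the TCP/IP encapsulation before forwarding a packet, examine the various attributes of packets entering and leaving the network, and decide whether to allow the packet through the firewall. The paper describes TCP and IP packets and gives some policy examples.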

6.
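Han Zhiwen, Gong Zhenghu, Rong Ni. Acta Electronica Sinica, 2005, 33(B12): 2517-2523
A packet filtering policy is a set of rules that classify packets based on their headers and related information; packet classification is a key technology for providing network services such as routing, QoS and security. Conflicts in a policy lead to inconsistent system behavior. This paper proposes a filtering policy language with precise semantics and gives rules for translating the language into Horn programs, so that logical inference techniques can be used to detect and resolve conflicts. Theoretical analysis and a prototype implementation verify the effectiveness of the method.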

7.
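This paper studies the optimization of vulnerability rule bases in penetration testing. To meet the need for high efficiency and low overhead when using a vulnerability rule base for vulnerability detection, the paper analyzes the working mechanism of the vulnerability rule base, constructs the rule base, and proposes a machine-learning-based optimization strategy. By running a machine learning model and learning algorithm, it assigns threat levels to attack parameters and uses them to optimize the order in which attack rules are matched during simulated attacks, improving test efficiency and reducing system load. Experiments show that the machine-learning-based optimization strategy is feasible and effective and keeps penetration testing in a high-efficiency, low-overhead state.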

8.
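To guarantee the correctness and data consistency of a workflow system after dynamic modification, some transaction processing methods need to be introduced into the dynamic modification strategy. This paper first improves the execution path generation algorithm proposed in the literature, generating an independent execution path for each concurrent branch, and then migrates each execution path. It also combines isolation domains with the dynamic modification strategy so that, when instances start after the process model has been modified, each process instance can access shared data correctly.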

9.
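A rule conflict elimination algorithm based on cutting mapping   Total citations: 2, self-citations: 0, citations by others: 2
Li Lin, Lu Xianliang. Acta Electronica Sinica, 2008, 36(2): 408-412
Firewall rule conflicts not only make the rule set hard to manage but also affect the efficiency of packet classification. Existing rule conflict elimination algorithms cannot eliminate conflicts completely. To address this, rule conflicts are analyzed from the perspective of computational geometry and a conflict elimination algorithm based on cutting mapping is proposed. The algorithm classifies rule conflicts in detail and eliminates them according to their type. It takes two conflicting rules as the basic unit of processing and, during conflict elimination, sequentially cuts each dimension of the lower-priority rule. Theoretical analysis and tests show that the algorithm eliminates conflicts completely while adding only a small number of rules.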

10.
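Wang Yuan, Sun Yuqing, Ma Lele. Journal on Communications, 2012, 33(Z1): 239-249
To achieve personalized privacy protection in social networks, an authorization model supporting personalized privacy preferences is proposed. A privacy preference description language based on first-order logic expresses users' personalized privacy requirements. Visitor-role authorization rules based on subject attributes and role-permission assignment rules based on object tags are introduced, solving the problems of dynamic user authorization and fine-grained access permission assignment. The various cases of privacy policy conflict are analyzed, and automatic verification of policy consistency is implemented using Prolog logic programming. Middleware for managing and enforcing personalized privacy policies in social networks is designed, which effectively integrates personalized privacy policy management into the access control systems of existing resources. Experiments show that the policy conflict analysis executes efficiently.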

11.
Mobile social networks give online social networking sites the capabilities to extend their services to mobile device users. Smart phones and tablets allow users to interact with each other when they are moving. Policy-based management simplifies the management of interaction functionalities by establishing policies to control various activities involved in these functionalities. To detect and resolve potential dynamic conflicts between the rules and configurations from different administrative domains, a knowledge-based policy analysis framework is proposed in this paper. It incorporates relationships between different elements in policy rules into temporal logic using a knowledge extension, which makes dynamic policy conflict analysis more accurate. A prototype system for mobile social networks is implemented to illustrate the capability of this framework.

12.
Conflict classification and analysis of distributed firewall policies   Total citations: 7, self-citations: 0, citations by others: 7
Firewalls are core elements in network security. However, managing firewall rules, particularly, in multifirewall enterprise networks, has become a complex and error-prone task. Firewall filtering rules have to be written, ordered, and distributed carefully in order to avoid firewall policy anomalies that might cause network vulnerability. Therefore, inserting or modifying filtering rules in any firewall requires thorough intrafirewall and interfirewall analysis to determine the proper rule placement and ordering in the firewalls. In this paper, we identify all anomalies that could exist in a single- or multifirewall environment. We also present a set of techniques and algorithms to automatically discover policy anomalies in centralized and distributed firewalls. These techniques are implemented in a software tool called the "Firewall Policy Advisor" that simplifies the management of filtering rules and maintains the security of next-generation firewalls.

13.
The global view of firewall policy conflict is important for administrators to optimize the policy. Appropriate global conflict analysis of firewall policy has been lacking; existing methods focus on local conflict detection. We research the global conflict detection algorithm in this paper. We present a semantic model that captures more complete classifications of the policy using the knowledge concept in rough set. Based on this model, we present the global conflict formal model and represent it with OBDD (Ordered Binary Decision Diagram). Then we develop the GFPCDA (Global Firewall Policy Conflict Detection Algorithm) algorithm to detect global conflict. In the experiment, we evaluate the usability of our semantic model by eliminating the false positives and false negatives of a classical algorithm that are caused by an incomplete policy semantic model. We compare this algorithm with the GFPCDA algorithm. The results show that GFPCDA detects conflicts more precisely and independently, and has better performance.

14.
Management of today's distributed systems is becoming increasingly complex. There is an obvious requirement for a flexible mechanism to help manage such systems. Rule-based management is one such mechanism. However, in order for rule-based management to become widely usable a method is required by which conflicts between management policies (defined as rules) can be identified and resolved. This paper creates a set theoretic model for rules as a trituple of the relationship between the subject, action and target of a policy. It also identifies two classes of policy set — 'syntactically easy policy set' (SEPS) and 'syntactically non-easy policy set' (SNEPS). SEPSs are policies which are sets of all the Cartesian products of its subjects, actions and targets, whereas SNEPSs are only a subset of that Cartesian product. Conflict analysis of SEPSs has been handled in other papers; this paper addresses conflict analysis of SNEPSs. A method for resolving conflict is suggested. The paper also raises some issues that arise when considering a database of policies.

15.
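This paper analyzes the root causes of service conflicts in communication networks and classifies service conflicts according to their causes. For the service conflict problem in next-generation networks, a new architecture for a service capability interaction manager is proposed; by combining a two-dimensional analysis table conflict detector with a dynamic negotiation processor, it speeds up service conflict detection while also improving detection accuracy. Experimental results show that the method can effectively detect and resolve most service conflicts.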

16.
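Policy checking and conflict avoidance are an important research topic in policy-based network management frameworks. To keep the system running in good condition, there must be a checking mechanism that ensures the legality, validity and consistency of policies. A global conflict detection method based on multidimensional space is proposed to determine the validity of policies; policies are given the necessary verification so that they contain no syntactic or semantic conflicts. Effective policy conflict resolution methods are studied, and a policy conflict avoidance algorithm based on directed acyclic graphs is implemented.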

17.
Segmenting abnormal from normal myocardium using high-frequency intracardiac echocardiography (ICE) images presents new challenges for image processing. Gray-level intensity and texture features of ICE images of myocardium with the same structural/perfusion properties differ. This significant limitation conflicts with the fundamental assumption on which existing segmentation techniques are based. This paper describes a new seeded region growing method to overcome the limitations of the existing segmentation techniques. Three criteria are used for region growing control: 1) Each pixel is merged into the globally closest region in the multifeature space. 2) "Geographic similarity" is introduced to overcome the problem that myocardial tissue, despite having the same property (i.e., perfusion status), may be segmented into several different regions using existing segmentation methods. 3) "Equal opportunity competence" criterion is employed making results independent of processing order. This novel segmentation method is applied to in vivo intracardiac ultrasound images using pathology as the reference method for the ground truth. The corresponding results demonstrate that this method is reliable and effective.

18.
In this paper, we propose a user‐centric conflict management method for media services which exploits personal companions for the harmonious detection and resolution of service conflicts. To detect conflicts based on the varying characteristics of individual users, the proposed method exploits the unified context describing all users attempting to access media services. It recommends and mediates users' preferred media contents through a shared screen and personal companions to resolve the detected conflicts. During the recommendation, a list of preferred media contents is displayed on the shared screen, and a personally preferred content list is shown on the user's personal companion comprising the selection of media contents. Mediation assists the selection of a consensual service by gathering the users' selections and highlighting the common media contents. In experiments carried out in a ubiHome, we observed that recommendations and mediation are useful in harmoniously resolving conflicts by encouraging user participation in conflict situations.
