Similar literature
20 similar documents found; search took 187 ms
1.
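A SYN flood attack can send a large number of SYN packets to a firewall within a short time, overflowing the state table of a stateful inspection firewall so that it cannot respond to legitimate requests, which degrades the performance of the entire network. Building on a stateful inspection model for defending against SYN flood attacks, an adaptive-threshold stateful inspection model is proposed. It uses an adaptive threshold algorithm to preprocess traffic, protecting the firewall itself under high-intensity attack. Experiments show that the model effectively defends internal network hosts against SYN flood attacks and, to a certain extent, improves the stateful inspection firewall's ability to defend itself.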

2.
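To address the problem that the complexity of attack scenarios in cloud-native environments makes moving target defense strategies difficult to configure, this paper proposes a deep-reinforcement-learning-based scheme for optimizing moving target defense strategies (SmartSCR). First, in view of cloud-native characteristics such as containerization and microservices, the security threats and the attacker's attack paths are analyzed. Then, to quantitatively analyze the defense efficiency of moving target defense strategies in complex cloud-native attack scenarios, a microservice attack graph model is proposed and defense efficiency is characterized. Finally, the optimization of the moving target defense strategy is modeled as a Markov decision process, and deep reinforcement learning is used to handle the state-space explosion that arises when the cloud-native application is large, solving for the optimal moving target defense configuration. Experimental results show that SmartSCR converges quickly when the cloud-native application is large and achieves near-optimal defense efficiency.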

3.
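Building on the PPDR dynamic defense model and combining technologies such as firewalls, intrusion detection and honeypots, this article proposes an active-defense dynamic network security model. It focuses on detecting attacks early, analyzing the attacker and forming new defense strategies, so that network defense always holds the initiative against intrusion.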

4.
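As a device that can audit, screen and filter the data exchanged between an internal network and external networks, the firewall is widely used in current networks. This paper analyzes firewall architecture and related defense technologies, and explores the applications of firewalls in overall network security and their defense strategies.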

5.
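Based on the strengths, weaknesses and complementarity of firewall and intrusion detection technologies, the points where the two can be combined are explained, and two strategies for integrating them are proposed: a rule conversion strategy and a linkage strategy. From this, a CVE-based network intrusion prevention system is proposed. The system uses the Chinese-language CVE vulnerability database as its research platform and runs on Linux. Tests show that the system achieves timely and comprehensive network security defense.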

6.
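Luan Zhongyang (栾忠洋), Information Technology (《信息技术》), 2007, 31(12): 151-154
To address the shortcomings of firewall and intrusion detection technologies in network security defense, an integrated intrusion prevention system is proposed. By adding a linkage response plug-in to the intrusion detection system and extending the firewall with the ability to add filtering rules dynamically, the system tightly couples the two. The system's structure, workflow and the concrete implementation of the integration strategy are described in detail, and attack experiments are presented. The experimental results show that the defense system blocks large-scale worm attacks in real time.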

7.
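Visual tracking algorithm with target modeling based on a probabilistic graphical model   Cited: 2 in total, 0 self-citations, 2 by others
A target modeling method for visual tracking based on local features and a probabilistic graphical model is proposed. The target is represented as a set of affine-invariant region features, and the spatial constraints among the features are described by a probabilistic graphical model. During tracking, the belief propagation algorithm is first used in the spatial domain to infer the state of each feature in the probabilistic graphical model; an improved importance sampling function is then designed from the inference results, and a particle filter is used to track the target in the time domain. To adapt to changes in the target during motion, the model is updated adaptively according to the stability of the features. Experimental results show that the method is highly robust and can effectively track targets in complex scenes.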

8.
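Gao Fei (高飞), Communications Technology (《通信技术》), 2011, 44(5): 74-76
To embed a firewall stateful inspection system in network devices, firewall stateful inspection technology is studied, and a stateful inspection system and a general state machine model are designed. The system records and maintains the state and progress of all communication connections in the network and performs connection state transitions according to the state machine model, ensuring the integrity and security of communication and supporting more applications and protocols. A fast packet forwarding algorithm based on IP flows is also proposed. Experiments show that the algorithm speeds up packet forwarding and effectively improves system performance while keeping the system secure.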

9.
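To address the difficulty traditional deep reinforcement learning algorithms have in quickly solving long-horizon complex tasks, a deep reinforcement learning method that incorporates historical information and human knowledge is proposed. It improves the classic Proximal Policy Optimization (PPO) reinforcement learning algorithm: historical states are introduced into the state space to reflect the temporal dynamics of the environment, and an invalid-action mask based on human knowledge is added to the policy model to prevent the agent from exploring invalid actions, which improves exploration efficiency and thus the training performance of the model. Simulation results show that the proposed method effectively solves intelligent decision-making problems for long-horizon complex tasks and significantly improves model convergence compared with traditional deep reinforcement learning algorithms.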

10.
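In group activity recognition, activity features have complex spatio-temporal characteristics. To encode activity features effectively in time, this paper proposes a group activity recognition model that fuses temporal and spatial context features. To analyze the temporal context dependencies of individual activity features, a channel-level temporal context module is designed, which shifts multiple channels of the individual features along the time axis; three strategies are studied, namely delayed temporal shift, bidirectional temporal shift and circular bidirectional temporal shift, and the effect of the channel ratio on temporal context estimation under each strategy is discussed. Next, a spatial graph model based on the fused channel-level temporal context features is built to encode the spatial context of individuals. The model uses appearance and position to estimate preliminary spatial context relations among individuals, and a multi-graph strategy is further designed to estimate multiple possible relations among individuals. Finally, individual pooling is applied to the individual features encoded by the graph model to obtain group features, and a multilayer perceptron is used to recognize the group activity. The method outperforms existing group activity recognition methods on the Volleyball and Collective Activity datasets, and the designed temporal context features encode individual activity well.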

11.
Independent component analysis (ICA) has proven quite useful for the analysis of real world datasets such as functional magnetic resonance imaging (fMRI) data, where the underlying nature of the data is hard to model. It is particularly useful for the analysis of fMRI data in its native complex form since very little is known about the nature of phase. Phase information has been discarded in most analyses as it is particularly noisy. In this paper, we show that a complex ICA approach using a flexible nonlinearity that adapts to the source density is the more desirable one for performing ICA of complex fMRI data compared to those that use fixed nonlinearity, especially when noise level is high. By adaptively matching the underlying fMRI density model, the analysis performance can be improved in terms of both the estimation of spatial maps and the task-related time courses, especially for the estimation of phase of the time course. We also define a procedure for analysis and visualization of complex-valued fMRI results, which includes the construction of bivariate t-maps for multiple subjects and a complex-valued ICASSO scheme for evaluating the consistency of ICA algorithms.

12.
Core-stateless scheduling algorithms have been proposed in the literature to overcome the scalability problem of the stateful approach. Instead of maintaining per-flow information or performing per-packet flow classification at core routers, packets are scheduled according to the information (time stamps) carried in their headers. They can hence provision quality of service (QoS) and achieve high scalability. In this paper, which came from our observation that it is more convenient to evaluate a packet's delay in a core-stateless network with reference to its time stamp than to the real time, we propose a new traffic model and derive its properties. Based on this model, a novel time-stamp encoding scheme, which is theoretically proven to be able to minimize the end-to-end worst case delay in a core-stateless network, is presented. With our proposed traffic model, performance analysis in core-stateless networks becomes straightforward.

13.
Network Function Virtualization (NFV) is known for its ability to reduce deployment costs and improve the flexibility and scalability of network functions. Due to processing capacity limitations, the infrastructure provider may need to instantiate multiple instances of the same network function. However, most network functions are stateful, meaning that the instances of the same function need to keep a common state and hence the need for synchronization among them. In this paper, we address this problem with the goal of identifying the optimal synchronization pattern between the instances in order to minimize the synchronization costs and delay. We propose a novel network function named Synchronization Function able to carry out data collection and further minimize these costs. We first mathematically model this problem as an integer linear program that finds the optimal synchronization pattern and the optimal placement and number of synchronization functions that minimize synchronization costs and ensure a bounded synchronization delay. We also put forward three greedy algorithms to cope with large-scale scenarios of the problem, and we explore the possibility to migrate network function instances to further reduce costs. Extensive simulations show that the proposed algorithms efficiently find near-optimal solutions with minimal computation time and provide better results compared to existing solutions.

14.
We often encounter in distributed systems the need to model, access, and manage state. This state may be, for example, data in a purchase order, service level agreements representing resource availability, or the current load on a computer. We introduce two closely related approaches to modeling and manipulating state within a Web services (WS) framework: the Open Grid Services Infrastructure (OGSI) and WS-Resource Framework (WSRF). Both approaches define conventions on the use of the Web service definition language schema that enable the modeling and management of state. OGSI introduces the idea of a stateful Web service and defines approaches for creating, naming, and managing the lifetime of instances of services; for declaring and inspecting service state data; for asynchronous notification of service state change; for representing and managing collections of service instances; and for common handling of service invocation faults. WSRF refactors and evolves OGSI to exploit new Web services standards, specifically WS-addressing, and to respond to early implementation and application experiences. WSRF retains essentially all of the functional capabilities present in OGSI, while changing some syntax (e.g., to exploit WS-addressing) and also adopting a different terminology in its presentation. In addition, WSRF partitions OGSI functionality into five distinct composable specifications. We explain the relationship between OGSI and WSRF and the related WS-notification specifications, explain the common requirements that both address, and compare and contrast the approaches taken to the realization of those requirements.

15.
We propose and develop a novel virtual time reference system as a unifying scheduling framework to provide scalable support for guaranteed services. This virtual time reference system is designed as a conceptual framework upon which guaranteed services can be implemented in a scalable manner using the DiffServ paradigm. The key construct in the proposed virtual time reference system is the notion of packet virtual time stamps, whose computation is core stateless, i.e., no per-flow states are required for its computation. We lay the theoretical foundation for the definition and construction of packet virtual time stamps. We describe how per-hop behavior of a core router (or rather its scheduling mechanism) can be characterized via packet virtual time stamps, and based on this characterization establish end-to-end per-flow delay bounds. Consequently, we demonstrate that, in terms of its ability to support guaranteed services, the proposed virtual time reference system has the same expressive power and generality as the IntServ model. Furthermore, we show that the notion of packet virtual time stamps leads to the design of new core stateless scheduling algorithms, especially work-conserving ones. In addition, our framework does not exclude the use of existing scheduling algorithms such as stateful fair queuing algorithms to support guaranteed services.

16.
Impact of Packet Sampling on Portscan Detection   Cited: 1 in total, 0 self-citations, 1 by others
Packet sampling is commonly deployed in high-speed backbone routers to minimize resources used for network monitoring. It is known that packet sampling distorts traffic statistics and its impact has been extensively studied for traffic engineering metrics such as flow size and mean rate. However, it is unclear how packet sampling impacts anomaly detection, which has become increasingly critical to network providers. This paper is the first attempt to address this question by focusing on one common class of nonvolume-based anomalies, portscans, which are associated with worm/virus propagation. Existing portscan detection algorithms fall into two general approaches: target-specific and traffic profiling. We evaluated representative algorithms for each class, namely: 1) TRWSYN that performs stateful traffic analysis; 2) TAPS that tracks connection pattern of scanners; and 3) entropy-based traffic profiling. We applied these algorithms to detect portscans in both the original and sampled packet traces from a Tier-1 provider's backbone network. Our results demonstrate that sampling introduces fundamental bias that degrades the effectiveness of these detection algorithms and dramatically increases false positives. Through both experiments and analysis, we identify the traffic features critical for anomaly detection that are affected by sampling. Finally, using insight gained from this study, we show how portscan algorithms can be enhanced to be more robust to sampling.

17.
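For the special variable-current operating conditions of lead-acid batteries in armored vehicles, this paper proposes a new state-of-charge identification method based on an in-depth analysis of the open-circuit voltage method and the internal resistance method, and designs the hardware circuit for it. The method suits the complex variable-current conditions of armored vehicles, enables accurate online assessment of the battery's state of charge and state of performance, and supports efficient battery management.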

18.
Summary: Software‐defined network (SDN) is constructed by decoupling the control and data plane from the forwarding devices. The control plane operations are managed by centralized or distributed controllers, and the data plane operation is managed by respective forwarding devices. SDN provides easy and efficient management solutions for software‐programmed consolidated middlebox in virtual machines. Additionally, SDN with centralized controller faces complications like scalability, network bottleneck, and single point failure. In this study, a stateful inspection firewall acts as a middlebox in distributed SDN‐controlled network. The controller is programmed with a failure detection and recovery mechanism to provide reliability and redundancy and enhance the overall performance of the network. The objective of stateful firewall on SDN architecture is to secure the network by monitoring the current connections and maintain its state information until the connection is active. In this paper, the performance of firewall‐enabled SDN with centralized and distributed controllers is measured, compared, and analyzed. The experiments are done using POX controller, and the results are verified by Mininet network emulation tool. The results show that the stateful firewall‐enabled SDN with distributed controller network improves the security, reliability, availability, and overall performance of the network. In the proposed SDN, average network throughput is improved by 43%, average network delay is reduced by 4%, average channel utilization is increased by 40%, average network overhead is reduced by 26%, and average network response time is reduced by 23%.

19.
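The essence of network security lies in confrontation. To address the lack of existing research that analyzes, from a game-theoretic perspective, the relationship between network attack-defense behavior and situation evolution, this paper proposes a network attack-defense game architecture model (NADGM). Drawing on the theory of infectious disease dynamics, it defines the network attack-defense situation by the density of network nodes in different security states and analyzes the transition paths of node security states. Taking the attack-defense game around network ransomware as an example, the NetLogo multi-agent simulation tool is used to run comparative experiments on attack-defense situation evolution trends under different scenarios, yielding conclusions on enhancing network defense effectiveness. The experimental results verify the effectiveness and feasibility of the model and method.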

20.
In order to solve the problem that the load of big data stream computing platform is increasing with fluctuation while the cluster was not able to rescale efficiently, the Flow-network based auto rescale strategy for Flink was proposed. Firstly, the flow-network model was set up and the capacity of each edge was calculated by self-learning algorithm. Secondly, the bottleneck of the cluster was acquired by maximum-flow algorithm and the resource rescheduling plan was drawn up. Finally, the resource rescheduling plan was executed and the stateful data was migrated efficiently by the data migration algorithm based on the strategy of data partitioning by bulk and bucket. The experimental results show that the strategy can effectively provide performance promotion in the application with complex stateful data. It improved the throughput of the cluster and reduced the time overhead of the data migration on the premise of satisfying the latency constraint of the application, which means that the strategy promotes the scalability of the cluster efficiently.
