Multimedia and firewalls: a performance perspective

Firewalls are a well-established security mechanism to restrict the traffic exchanged between networks to a certain subset of users and applications. In order to cope with new application types like multimedia, new firewall architectures are necessary. The performance of these new architectures is a critical factor because Quality of Service (QoS) demands of multimedia applications have to be taken into account. We show how the performance of firewall architectures for multimedia applications can be determined. We present a model to describe the performance of multimedia firewall architectures. This model can be used to dimension firewalls for usage with multimedia applications. In addition, we present the results of a lab experiment, used to evaluate the performance of a distributed firewall architecture and to validate the model.     

Implementation of an ADI Method on parallel computers

In this paper we discuss the implementation of an ADI method for solving the diffusion equation on three parallel/vector computers. The computers were chosen so as to encompass a variety of architectures. They are the MPP, an SIMD machine with 16-Kbit serial processors; Flex/32, an MIMD machine with 20 processors; and Cray/2, an MIMD machine with four vector processors. The Gaussian elimination algorithm is used to solve a set of tridiagonal systems on the Flex/32 and Cray/2 while the cyclic elimination algorithm is used to solve these systems on the MPP. The implementation of the method is discussed in relation to these architectures and measures of the performance on each machine are given. Simple performance models are used to describe the performance. These models highlight the bottlenecks and limiting factors for this algorithm on these architectures. Finally conclusions are presented.     

防火墙性能测试研究

防火墙作为应用最广泛的网络安全产品,其本身的性能如何将对最终网络用户得到的实际带宽有决定性的影响,因此对防火墙性能的要求越来越高,性能测试也成为防火墙测试的最重要的一部分。本文结合防火墙性能指标探讨了性能测试指标、常用测试工具,并研究提出了使用测量不确定度评定测试指标值的方法。     

容错电子系统体系结构述评

高可靠电子系统(例如飞机的飞行控制系统、全权限数字化发动机控制系统和其它系统)已被引入商用、军用飞机和航天器。早期有代表性的飞控系统,如F16和A320的飞控系统成功地利用冗余和容错电子设备提供所需的可靠性和安全性,但却有着显著不同的结构。本文对容错结构进行分类,介绍了不同容错结构的特征,还指出了各自的优缺点。     

A testbed for evaluation of fault-tolerant routing inmultiprocessor interconnection networks

This paper presents a comprehensive evaluation testbed for interconnection networks and routing algorithms using real applications. The testbed is flexible enough to implement any network topology and fault-tolerant routing algorithm, and allows the system architect to study the cost versus performance trade-offs for a range of network parameters. We illustrate its use with one fault-tolerant algorithm and analyze the performance of four shared memory applications with different fault conditions. We also show how the testbed can be used to drive future research in fault-tolerant routing algorithms and architectures by proposing and evaluating novel architectural enhancements to the network router, called path selection heuristics (PSH). We propose three such schemes and the Least Recently Used (LRU) PSH is shown to give the best performance in the presence of faults     

Synthesis of algorithm-based fault-tolerant systems from dependencegraphs

Algorithm-based fault tolerance (ABFT) is a method for improving the reliability of parallel architectures used for computation-intensive tasks. A two-stage approach to the synthesis of ABFT systems is proposed. In the first stage, a system-level code is chosen to encode the data used in the algorithm. In the second stage, the optimal architecture to implement the scheme is chosen using dependence graphs. Dependence graphs are a graph-theoretic form of algorithm representation. The authors demonstrate that not all architectures are ideal for the implementation of a particular ABFT scheme. They propose new measures to characterize the fault tolerance capability of a system to better exploit the proposed synthesis method. Dependence graphs can also be used for the synthesis of ABFT schemes for non-linear problems. An example of a fault-tolerant median filter is provided to illustrate their utility for such problems     

Modeling and performance evaluation of transport protocols for firewall control

Firewalls are a crucial building block for securing IP networks. The usage of out-of-band signaling protocols such as SIP for IP telephony and multimedia applications requires a dynamic control of these firewalls and imposes several challenges. Recently, several firewall control architectures and protocols have been developed. The main focus of this paper is the simple middlebox configuration protocol (SIMCO), which is a new transaction-based firewall control protocol. Due to the impact on call setup delays, firewall signaling requires small end-to-end delays and thus mandates a careful choice of the transport protocol. Therefore, this paper studies SCTP, TCP and UDP-based transport for SIMCO and compares different configurations that allow to optimize the performance. We present an analytical model to quantify the impact of head-of-line blocking in SCTP and TCP and verify it with measurements. Both the model and measurements reveal that SCTP can significantly reduce the SIMCO response times by leveraging transmission over multiple parallel streams. While already a few SCTP streams can almost completely avoid head-of-line blocking, our results show that TCP- and UDP-based transport may suffer from significantly larger delays.     

网络化控制系统的故障诊断与容错控制

介绍了网络化控制系统几类故障诊断与容错控制方法的基本思想。故障诊断与容错控制对于控制工程实践特别是对安全性有严格要求的控制系统是十分重要的。网络化控制系统通过共享网络资源实现控制而带来了各种优越性的同时,也给传统的控制理论带来了新的挑战。因此需要发展适用于此类异步的、基于信包的控制系统的控制理论与技术。网络化控制系统基于数学模型的故障诊断问题,在建立恰当的网络化系统模型后,可转化一类特定的时延系统故障诊断问题。     

Encapsulation of parallelism and architecture-independence inextensible database query execution

Emerging database application domains demand not only high functionality, but also high performance. To satisfy these two requirements, the Volcano query execution engine combines the efficient use of parallelism on a wide variety of computer architectures with an extensible set of query processing operators that can be nested into arbitrarily complex query evaluation plans. Volcano's novel exchange operator permits designing, developing, debugging, and tuning data manipulation operators in single-process environments but executing them in various forms of parallelism. The exchange operator shields the data manipulation operators from all parallelism issues. The design and implementation of the generalized exchange operator are examined. The authors justify their decision to support hierarchical architectures and argue that the exchange operator offers a significant advantage for development and maintenance of database query processing software. They discuss the integration of bit vector filtering into the exchange operator paradigm with only minor modifications     

Ray casting architectures for volume visualization

Real-time visualization of large volume data sets demands high-performance computation, pushing the storage, processing and data communication requirements to the limits of current technology. General-purpose parallel processors have been used to visualize moderate-size data sets at interactive frame rates; however, the cost and size of these supercomputers inhibits the widespread use for real-time visualization. This paper surveys several special-purpose architectures that seek to render volumes at interactive rates. These specialized visualization accelerators have cost, performance and size advantages over parallel processors. All architectures implement ray casting using parallel and pipelined hardware. We introduce a new metric that normalizes performance to compare these architectures. The architectures included in this survey are VOGUE, VIRIM, Array-Based Ray Casting, EM-Cube and VIZARD II. We also discuss future applications of special-purpose accelerators     

Architecture-based design and optimization of genetic algorithms on multi- and many-core systems

A Genetic Algorithm (GA) is a heuristic to find exact or approximate solutions to optimization and search problems within an acceptable time. We discuss GAs from an architectural perspective, offering a general analysis of performance of GAs on multi-core CPUs and on many-core GPUs. Based on the widely used Parallel GA (PGA) schemes, we propose the best one for each architecture. More specifically, the Asynchronous Island scheme, Island/Master–Slave Hierarchy PGA and Island/Cellular Hierarchy PGA are the best for multi-core, multi-socket multi-core and many-core architectures, respectively. Optimization approaches and rules based on a deep understanding of multi- and many-core architectures are also analyzed and proposed. Finally, the comparison of GA performance on multi-core and many-core architectures are discussed. Three real GA problems are used as benchmarks to evaluate our analysis and findings.There are three extra contributions compared to previous work. Firstly, our findings based on deeply analyzing architectures can be applied to all GA problems, even for other parallel computing, not for a particular GA problem. Secondly, the performance of GAs in our work not only concerns execution speed, also the solution quality has not been considered seriously enough. Thirdly, we propose the theoretical performance and optimization models of PGA on multi-core and many-core architectures, finding a more practical result of the performance comparison of the GA on these architectures, so that the speedup presented in this work is more reasonable and is a better guide to practical decisions.     

多层交换技术在宽带防火墙系统中的应用

随着网络的宽带化,传统的防火墙已经无法适应这样的变化。对于防火墙来说,需要支持1G,甚或10G这样的链路。无论是基于包过滤的防火墙,还是基于应用网关的防火墙都必须满足这样的要求。文章利用作者研究的高性能包分类算法和基于粘结的技术可以极大地提高基于包过滤和应用网关防火墙的性能。在一个商业化的防火墙的环境下测试了采用新包分类算法和基于粘结技术的原型的性能。在目前的测试环境下,根据理论分析,可以达到1G的性能。     

混合型防火墙的研究与设计

本文主要讨论混合型防火墙的实现技术。首先对防火墙概念和功能作简单的介绍。其次,对有状态包检查防火墙技术和应用代理防火墙技术进行性能的比较,讨论了它们在网络安全领域的优势和不足。最后介绍了混合型防火墙系统的设计和实现过程。     

基于Petri网的容错计算机可靠性

应用双模型混合Petri网描述与分析容错计算机系统。在分析容错系统的可靠性时，把复杂的混合Petri网模型简化为GSPN模型，并利用GSPN与马尔可夫链同构的性质，来计算系统的可靠性。     

一种基于嵌入式协议栈的内容过滤防火墙技术

针对传统包过滤防火墙解决不了的基于内容的网络攻击,而可以完成内容过滤的应用层代理型的防火墙又效率低下的问题,文章提出了一种基于嵌入式协议栈的内容过滤防火墙方案,通过在包过滤防火墙结构中增加嵌入式协议栈模块完成内容过滤,提高了内容过滤的效率。     

Hardware Transactional Memory Exploration in Coherence-Free Many-Core Architectures

High-end embedded systems, like their general-purpose counterparts, are turning to many-core cluster-based shared-memory architectures that provide a shared memory abstraction subject to non-uniform memory access costs. In order to keep the cores and memory hierarchy simple, many-core embedded systems tend to employ simple, scratchpad-like memories, rather than hardware managed caches that require some form of cache coherence management. These “coherence-free” systems still require some means to synchronize memory accesses and guarantee memory consistency. Conventional lock-based approaches may be employed to accomplish the synchronization, but may lead to both usability and performance issues. Instead, speculative synchronization, such as hardware transactional memory, may be a more attractive approach. However, hardware speculative techniques traditionally rely on the underlying cache-coherence protocol to synchronize memory accesses among the cores. The lack of a cache-coherence protocol adds new challenges in the design of hardware speculative support. In this article, we present a new scheme for hardware transactional memory (HTM) support within a cluster-based, many-core embedded system that lacks an underlying cache-coherence protocol. We propose two alternative data versioning implementations for the HTM support, Full-Mirroring and Distributed Logging and we conduct a performance comparison between them. To the best of our knowledge, these are the first designs for speculative synchronization for this type of architecture. Through a set of benchmark experiments using our simulation platform, we show that our designs can achieve significant performance improvements over traditional lock-based schemes.     

Robust codes and robust,fault-tolerant architectures of the Advanced Encryption Standard

Hardware implementations of cryptographic algorithms are vulnerable to fault analysis attacks. Methods based on traditional fault-tolerant architectures are not suited for protection against these attacks. To detect these attacks we propose an architecture based on robust nonlinear systematic error-detecting codes. These nonlinear codes are capable of providing uniform error detecting coverage independently of the error distributions. They make no assumptions about what faults or errors will be injected by an attacker. Architectures based on these robust constructions have fewer undetectable errors than linear codes with the same n, k. We present the general properties and construction methods of these codes as well as their application for the protection of a cryptographic devices implementing the Advanced Encryption Standard.     

Raising the bar on software security testing

Industry and government are promoting open security testing. The authors consider how one free tool can help find malicious code in Java apps. They discuss white-box testing, cryptography and firewall testing     

Internet防火墙及其发展趋势

本文叙述了Internet来自外部、内部、硬件、软件方面的十种安全威胁和攻击，给出了防火墙的限制、隔离、筛选、过滤和屏蔽作用，介绍了防火墙的六种基本结构类型，论述了过滤路由器、双宿主主机、主机过滤、过滤子网和吊带式五种安全结构，分析了传统防火墙的七种不足，给出了目前防火墙混合应用包过滤技术、代理服务技术和其它一些技术的发展趋势。