SeWDReSS: on the design of an application independent,secure, wide-area disaster recovery storage system

Distributed wide-area storage systems must tolerate both physical failure and logic errors. In particular, these functions are needed to enable the storage system to support remote disaster recovery. There are several solutions for distributed wide-area backup/archive systems implemented at application level, file system level or at storage subsystem level. However, they suffer from high deployment cost and security issues. Moreover, previous researches in literature only focus on any disk-related failures and ignore the fact that storage server linked predominantly to a Wide-Area-Network (WAN) which may be unavailable or owing to network failures. In this paper, we first model the efficiency and reliability of distributed wide area storage systems for all media, taking both network failures and disk failures into consideration. To provide higher performance, efficiency, reliability, and security to the wide-area disaster recovery storage systems, we present a configurable RAID-like data erasure-coding scheme referred to as Replication-based Snapshot Redundant Array of Independent Imagefiles (RSRAII). We argue that this scheme has benefits resulting from the consolidation of both erasure-coding and replication strategies. To this end, we propose a novel algorithm to improve the snapshot performance referred to as SMPDP (Snapshot based on Multi-Parallel Degree Pipeline). We also extend this study towards implementing a prototype system, called as SeWDReSS, which is shown to strike a tradeoff between reliability, storage space, security, and performance for distributed wide-area disaster recovery.     

Web应用服务器的适应性失效检测

失效检测是分布式系统的基本可靠性保障技术,它对运行时系统的存活状态进行及时检测.作为网络分布计算环境中的主流中间件,Web应用服务器(Web application server,简称WAS)需要提供良好的检测机制,并且要能满足适应性的需求.适应性失效检测要求失效检测器能够根据应用需求和系统环境的变化而动态地改变检测的质量.首先给出了WAS的多层失效检测模型,然后基于失效检测器的服务质量规约,提出了适应性失效检测算法,并设计了一个WAS的适应性失效检测框架.它能够满足动态调整失效检测质量和灵活集成失效检测器的要求.该工作在OnceAS应用服务器中进行了实现,并给出了OnceAS平台上的实验及数据.     

一种分布计算系统自适应故障侦测方法

面向高可靠智能应用的分布计算系统,首先提出一组故障侦测服务的QoS度量标准,其次给出一种自适应故障侦测方法.该方法使用一个无需统计行为的高度动态的计算方法,动态地估算心跳消息超时时限,并协商改变心跳消息的发送周期,以适应分布计算系统计算节点和网络状态变化,提高故障侦测服务的QoS.模拟实验表明,该方法能够适应分布计算系统状况的变化,在侦测的实时性和正确性上提供较好的平衡.     

On Reliability and Security of Randomized Detectors Against Sensitivity Analysis Attacks

Despite their popularity, spread spectrum schemes are vulnerable against sensitivity analysis attacks on standard deterministic watermark detectors. A possible defense is to use a randomized watermark detector. While randomization sacrifices some detection performance, it might be expected to improve detector security to some extent. This paper presents a framework to design randomized detectors with exponentially large randomization space and controllable loss in detection reliability. We also devise a general procedure to attack such detectors by reducing them into equivalent deterministic detectors. We conclude that, contrary to prior belief, randomization of the detector is not the ultimate answer for providing security against sensitivity analysis attacks in spread spectrum systems. Instead, the randomized detector inherits the weaknesses of the equivalent deterministic detector.      

基于Hash函数的分布式路由算法

随着Internet的发展,路由器成为了网络性能的瓶颈。路由算法的效率和鲁棒性成为网络研究领域的热点之一。分布式系统采用并行运行,避免了单点故障。本文提出的分布式路由器使用IP做为任务分配粒度,利用Hash算法实现负载均衡。改进了基于心跳和检测点的故障检测机制,在较低的系统开销下缩短了系统检测的响应时间。仿真试验的结果表明,该机制可行且高效。     

区分服务网络基于测量的接纳控制方案的设计与应用

提出了一种分布式可扩展的接纳控制方案，其目的是为区分服务网络提供端到端服务质量（Quality of Services,QoS)保证，该方案主要由以下部分构成：（1）连接接纳控制协议，主要负责主机和网络节点以及网络节点和带宽代理之间的信息传送，实现对连接请求的串行操作；（2）位于网络核心节点的可用带宽估计算法；（3）位于网络边缘节点的接纳控制算法；给出了该方案在视频传输方面的应用实例；利用多种网络拓扑结构和QoS指标评价该方案的性能，实验结果表明该方案能准确地控制可接纳区域和提高网络资源的利用率。     

基于人工免疫的记忆检测器研究

传统的手段已不能充分地解决计算机网络的安全问题。为了确保计算机网络系统安全,建立一个有效的入侵检测系统IDS,针对IDS中成熟检测器检测率低和错误肯定率高的问题,根据人工免疫记忆原理,研究了免疫检测器集中成熟检测器激活,记忆检测器生成与变异机制以及演化,给出了记忆检测器生成算法,研究了记忆检测器变异和淘汰机制。实验结果证明记忆检测器为主的检测器集合实现了检测器自学习和联想记忆的功能,提高了入侵检测系统的自适应能力和检测率,减少了错误肯定率。     

邻域形态空间多源免疫检测器生成与检测

人工免疫系统（artificial immune system,简称AIS）是人工智能技术的重要分支之一,被广泛应用于异常检测、数据挖掘、机器学习等多个领域.检测器是其核心知识集,其生成、优化和检测操作决定了人工免疫的应用效果.目前,人工免疫的问题空间以实值形态空间为主,但实值非自体空间“黑洞”、检测器生成速率慢、检测器高重叠冗余、“维度灾难”等问题,使得人工免疫检测的效果不甚理想.鉴于此,使用邻域形态空间,并改进邻域否定选择算法（neighborhood negative selection algorithm,简称NNSA）,引入混沌理论和遗传算法,提出了一种多源邻域否定选择算法（multi-source-inspired NNSA,简称MSNNSA）,并基于此提出邻域形态空间多源免疫检测器生成与检测方法,改进邻域形态空间下检测器的构造与生成机制,使其更具靶向性,并使获得的检测器具有更好的分布性,提高其生成效率和整体的检测性能,解决以上实值形态空间下存在的问题.实验结果表明,该方法提高了检测器生成效率以及检测的整体性能和稳定性.     

Anonymous asynchronous systems: the case of failure detectors

Due to the multiplicity of loci of control, a main issue distributed systems have to cope with lies in the uncertainty on the system state created by the adversaries that are asynchrony, failures, dynamicity, mobility, etc. Considering message-passing systems, this paper considers the uncertainty created by the net effect of asynchrony and process crash failures in systems where the processes are anonymous (i.e., processes have no identity and locally execute the same algorithm). Trivially, agreement problems such as consensus, that cannot be solved in non-anonymous asynchronous systems prone to process failures, cannot be solved either if the system is anonymous. The paper investigates failure detectors that allow processes to circumvent this impossibility. It has several contributions. It first presents four failure detectors (denoted AP, ${\overline{AP}}$ , AΩ, and AΣ) and show that they are the “identity-free” counterparts of perfect failure detectors, eventual leader failure detectors, and quorum failure detectors, respectively. AΣ is new and showing that AΣ and Σ have the same computability power in a non-anonymous system is not trivial. The paper also shows that the notion of failure detector reduction is related to the computation model. Then, the paper presents and proves correct a uniform anonymous consensus algorithm based on the failure detector pair (AΩ, AΣ) (“uniform” means here that not only processes have no identity, but no process is aware of the total number of processes). This new algorithm is not a simple “straightforward extension” of an algorithm designed for non-anonymous systems. To benefit from AΣ, it uses a novel broadcast facility which encapsulates an AΣ-based message exchange pattern that provides the processes with an interesting intersection property on the set of messages they have exchanged. Finally, the paper discusses the notions of failure detector hierarchy, weakest failure detector for anonymous consensus, and the implementation of identity-free failure detectors in anonymous systems.     

基于多主体技术的分布式入侵检测系统的研究与设计

本文提出了一种基于多主体技术的分布式入侵检测系统。该系统将整个网络的入侵检测工作分配到各台主机上进行,克服亍中心化和层次化入侵检测系统所存在的单点失效和处理能力瓶颈问题;将面向整个网络的管理任务和分布式入侵检测任务交给网络安全管理主体NSMA来处理,用NSMA之间的协作代替各个底层检测节点间的协作,提高了系统的的检测和管理能力;在系统设计上引入了功能冗余的思想,在有效克服单点失效问题的同时提高了系统对入侵的实时枪测能力．太文详细论述了系统设计思想和实现方案．并给出了相关技术问题的解决方法。     

报文分类技术的研究及其应用

Internet网络应用的发展要求路由器支持诸如服务质量(QoS)、网络入侵检测、传输测量与记账、负载平衡、拥塞控制等多种不同的技术，虽然实现这些不同技术的细节变化可能很大，但一个公共的要求是路由器能够基于报文的头的某些字段对报文进行分类．从已有的研究表明，实现高速多维报文分类算法是非常困难的，它已成为路由器的新的瓶颈，因此吸引了许多研究人员的注意．系统论述了报文分类的相关技术，包括分类的模型、可能分类的字段，评价分类的基本标准等，通过对现有报文分类算法的比较和性能分析并结合分类规则所具有的特性，提出了设计报文分类算法所应遵循的原则和思路，同时还讨论了报文分类在网络技术领域中的应用和还需解决的一些相关问题．     

Multiuser Receiver for DS-CDMA Signals in Multipath Channels: An Enhanced Multisurface Method

This paper deals with the problem of multiuser detection in direct-sequence code-division multiple-access (DS-CDMA) systems in multipath environments. The existing multiuser detectors can be divided into two categories: 1) low-complexity poor-performance linear detectors and 2) high-complexity good-performance nonlinear detectors. In particular, in channels where the orthogonality of the code sequences is destroyed by multipath, detectors with linear complexity perform much worse than the nonlinear detectors. In this paper, we propose an enhanced multisurface method (EMSM) for multiuser detection in multipath channels. EMSM is an intermediate piecewise linear detection scheme with a run-time complexity linear in the number of users. Its bit error rate performance is compared with existing linear detectors, a nonlinear radial basis function detector trained by the new support vector learning algorithm, and Verdu's optimal detector. Simulations in multipath channels, for both synchronous and asynchronous cases, indicate that it always outperforms all other linear detectors, performing nearly as well as nonlinear detectors     

一种面向IDS的检测器动态生成算法研究

针对目前基于免疫的入侵检测系统中报警可信性较低的问题,提出一种有效的检测器动态生成算法,并给出了其在入侵检测系统中的具体实现。该算法借鉴免疫系统的激活克隆和亲和力变异机制,能够依据实际情况不断调整当前检测器集合,并仅用较小的检测器集就能够快速检测到大规模非我空间中的异常变化。实验表明,算法用于入侵检测系统,提高了检测的准确率,降低了虚警率。同时,算法对各种异常检测向题具有一定的适用性。     

区分服务网络基于覆盖的拥塞管理方案

提出一种面向区分服务网络确保转发的覆盖式拥塞管理方案,基本思想是利用控制分组在网络的入口和出口节点之间传递网络服务质量的状态信息,入口节点利用加性增加和显性降低的算法调节聚集通信量的发送速率.实验结果表明,与标准的区分服务网络相比,该方案能在聚集之间公平地分配带宽并能显著地降低分组丢失率.     

基于局部线性嵌入的免疫检测器优化生成算法

网络安全已上升到国家安全战略层面,入侵检测技术是其重要的组成部分,已得到广泛关注.在基于免疫的入侵检测研究中,针对传统实值否定选择算法不利于高效分析数据而造成的检测器生成速度慢、检测效率低等问题,引入局部线性嵌入算法,借鉴其能对高维数据进行映射降维的特点,提出一种基于局部线性嵌入的免疫检测器优化生成算法,利用局部线性嵌入对高维数据预处理优化降维,并结合实值否定选择算法生成检测器.将该算法用于检测模型,从而提升检测器的生成速率,并可保证生成的检测器高效地处理高维数据.该算法在降维前后可保证样本的局部线性结构不变,具有可变参数少、计算时间短的特点.实验结果表明,所提出算法在显著提高检测器生成速率和对数据检测效率的基础上,检测性能也表现出很好的水平.     

Non-blocking atomic commit in asynchronous distributed systems with failure detectors

This paper addresses the Non-Blocking Atomic Commit (NB-AC) problem in asynchronous distributed systems augmented with failure detectors. We first show that, in these systems, NB-AC and Consensus are incomparable. Roughly speaking, there is a failure detector that solves NB-AC but not Consensus and a failure detector that solves Consensus but not NB-AC. Then we introduce the Anonymously Perfect failure detector . We show that, to solve NB-AC, is necessary (while is not), whereas is sufficient when a majority of the processes are correct. We draw from our results some observations on the practical solvability of NB-AC. Received: August 2000 / Accepted: May 2001     

检测器自适应生成算法研究

如何有效生成检测器是用于异常检测的非选择算法的核心问题,也是非选择算法能否实际应用的关键问题.本文提出了一种有效的检测器自适应生成算法,能够依据实际情况不断调整当前检测器集合,在使得仅用较小的检测器集就能够快速检测到大规模非我空间中的异常变化的同时,也保证了算法的普适性,对各种异常检测问题具有一定的适用性.文中对算法的理论基础进行了分析,给出了算法的实现范例和实验结果.实验结果表明了算法的有效性.     

Vision,application scenarios,and key technology trends for 6G mobile communications

Multiuser detection based on the message passing algorithm (MPA) has been considered for sparse code multiple access (SCMA) systems. Recently, some complexity-reduced MPA detectors have been proposed, among which the MPA detector based on dynamic factor graph (DFG-MPA) has been shown to outperform other MPA detectors with comparable complexities. However, all these MPA detectors are somehow not very flexible in terms of performance-complexity tradeoff, i.e., the granularities of computational complexity reduction are relatively large. In this paper, a generalized scheme of DFG-MPA, termed as GDFG-MPA, is proposed to make a better and more flexible performance-complexity tradeoff. The proposed scheme features two aspects: (1) instead of banning a message update forever, a banned message update at some iteration is allowed to be updated at later iterations; (2) different numbers of message updates are banned from updating at different iterations. Optimization of GDFG-MPA can be made by allocating banned message updates among iterations. Numerical results have demonstrated that compared to DFG-MPA the proposed GDFG-MPA can achieve much better performance at the same computational complexity or achieve the same performance with much lower complexity. Moreover, the proposed GDFG-MPA is more flexible in tuning the performance and complexity tradeoff.

     

Supporting SIP-based end-to-end Data Distribution Service QoS in WANs

Assuring end-to-end QoS in enterprise distributed real-time and embedded (DRE) systems is hard due to the heterogeneity and transient behavior of communication networks, the lack of integrated mechanisms that schedule communication and computing resources holistically, and the scalability limits of IP multicast in wide-area networks (WANs). This paper makes three contributions to research on overcoming these problems in the context of enterprise DRE systems that use the OMG Data Distribution Service (DDS) quality-of-service (QoS)-enabled publish/subscribe (pub/sub) middleware over WANs. First, it codifies the limitations of conventional DDS implementations deployed over WANs. Second, it describes a middleware component called Proxy DDS that bridges multiple, isolated DDS domains deployed over WANs. Third, it describes the NetQSIP framework that combines multi-layer, standards-based technologies including the OMG-DDS, Session Initiation Protocol (SIP), and IP DiffServ to support end-to-end QoS in a WAN and shield pub/sub applications from tedious and error-prone details of network QoS mechanisms. The results of experiments using Proxy DDS and NetQSIP show how combining DDS with SIP in DiffServ networks significantly improves dynamic resource reservation in WANs and provides effective end-to-end QoS management.