微软新一代操作系统下的个人防火墙研究

基于微软网络驱动程序接口规范NDIS的数据包拦截方法,在微软的新一代操作系统下,并不十分有效.深入研究了各个层次的网络数据包拦截技术,并探索它们在微软新一代操作系统中的可行性,最后在Ⅵsta环境下,利用WindowsDriverKit工具包,实现了基于轻型筛选器驱动程序的个人防火墙.在驱动级别上做过滤的方法能对所有数据封包,做到高效的拦截,运行速度和系统的稳定性都是令人满意的.LWF驱动程序是微软提供的一种技术,它功能强大,是个人防火墙技术的未来发展趋势.     

Edge-Cut Bounds on Network Coding Rates

Active networks are network architectures with processors that are capable of executing code carried by the packets passing through them. A critical network management concern is the optimization of such networks and tight bounds on their performance serve as useful design benchmarks. A new bound on communication rates is developed that applies to network coding, which is a promising active network application that has processors transmit packets that are general functions, for example a bit-wise XOR, of selected received packets. The bound generalizes an edge-cut bound on routing rates by progressively removing edges from the network graph and checking whether certain strengthened d-separation conditions are satisfied. The bound improves on the cut-set bound and its efficacy is demonstrated by showing that routing is rate-optimal for some commonly cited examples in the networking literature.     

Distributed resolution of network congestion and potential deadlock using reservation-based scheduling

Efficient and reliable communication is essential for achieving high performance in a networked computing environment. Finite network resources bring about unavoidable competition among in-flight network packets, resulting in network congestion and, possibly, deadlock. Many techniques have been proposed to improve network performance by efficiently handling network congestion and potential deadlock. However, none of them provide an efficient way of accelerating the movement of network packets in congestion toward their destinations. In this paper, we propose a new mechanism for detecting and resolving network congestion and potential deadlocks. The proposed mechanism is based on efficiently tracking paths of congestion and increasing the scheduling priority of packets along those paths. This acts to throttle other packets trying to enter those congested regions - in effect, locking out packets from congested regions until congestion has had the opportunity to disperse. Simulation results show that the proposed technique effectively disperses network congestion and is also applicable in helping to resolve potential deadlock.     

SPI截获Windows个人防火墙系统设计

SPI服务提供者接口(Service Provider Interface)进行网络数据包截获能够最完备地得到进程访网信息,是Windows平台个人防火墙系统数据包截获的首选技术方案。本项目遵循SPI规范实现了一Windows下的个人防火墙系统,本文给出了其功能定义、体系结构图和模块设计。     

Detecting Malicious Packet Losses

In this paper, we consider the problem of detecting whether a compromised router is maliciously manipulating its stream of packets. In particular, we are concerned with a simple yet effective attack in which a router selectively drops packets destined for some victim. Unfortunately, it is quite challenging to attribute a missing packet to a malicious action because normal network congestion can produce the same effect. Modern networks routinely drop packets when the load temporarily exceeds their buffering capacities. Previous detection protocols have tried to address this problem with a user-defined threshold: too many dropped packets imply malicious intent. However, this heuristic is fundamentally unsound; setting this threshold is, at best, an art and will certainly create unnecessary false positives or mask highly focused attacks. We have designed, developed, and implemented a compromised router detection protocol that dynamically infers, based on measured traffic rates and buffer sizes, the number of congestive packet losses that will occur. Once the ambiguity from congestion is removed, subsequent packet losses can be attributed to malicious actions. We have tested our protocol in Emulab and have studied its effectiveness in differentiating attacks from legitimate network behavior.     

结合遗传算法的NIDS多媒体包多线程择危模型

当网络流量超出网络入侵检测系统（NIDS）负载能力时,漏检将不可避免,此时应选择较危险的数据包优先处理。因多媒体数据包在流量中所占比例较大,故曾提出对其识别和特殊处理的方法,收效良好。在此基础上,提出结合遗传算法的NIDS多媒体包多线程择危模型,该模型能在漏检发生时,根据不同线程的最大处理能力,按照多媒体数据包的危险程度择危优先处理。实验结果表明,使用该模型能够有效提高NIDS在每个线程内所选择的多媒体数据包序列的危险系数。     

能量驱动的移动Ad Hoc网络概率组播路由协议

在ODMRP协议中，由于采用周期性地广播Join-Query包来更新成员信息和路由信息，因此网络中流动着大量平凡的Join-Query控制包，造成网络开销增大，网络拥塞。采用能量驱动的概率转发的方法，根据每个节点的能量资源信息为每个节点设置相应的转发投递概率，抑制网络中的Join-Query控制包。模拟结果显示，能量驱动的MANET概率组播路由协议(p-ODMRP)在投递率满足需求的情况下，网络的控制开销减小20%左右，增加了网络寿命，协议的综合性能有明显提高。     

Distributed deadlock resolution in store-and-forward networks

We present a simple distributed algorithm that resolves store-and-forward deadlocks in data communication networks. The basic idea of the algorithm is to detect cycles of nodes that may cause store-and-forward deadlocks, and to rotate packets along these cycles. The algorithm uses a fixed amount of storage in each node for its execution, and, under reasonable assumptions upon the routing and packet handling, it ensures that packets that enter the network arrive at their destinations in finite time.     

基于网桥的高速动态分流研究

高速入侵检测是当前网络安全领域研究的热点问题之一,而高速分流设计是高速入侵检测的一个关键技术。基于网桥的高速动态分流设计利用Linux网桥的防火墙架构,按照动态负载均衡的分流算法在数据链路层对网络数据包重新封装,再路由到各个探测器中,该方法针对入侵检测的分流特点,能够转发所有网络层数据,且成本低、易控制、扩展能力强。实验分析表明该方法在高速网中具有动态负载均衡的效果。     

基于随机线性网络编码的改善无线网络广播能量效率的方法*

提出了一种应用网络编码技术改善无线网络广播能量效率的分布式完全编码广播策略（DAEBNC）,其核心思想是发送节点通过获得邻居节点记录数据的情况,应用随机线性网络编码选择多个源数据包生成编码组合包,依次发送;接收节点使用线性运算解码编码包获得源数据包。理论分析表明,该方法编码包在所有接收节点具有可解性,有效地减少了数据广播次数。仿真结果证实,与普通泛洪方法相比,DAEBNC可以有效地提高能量利用效率,改善无线网络性能。     

A note on models for non-probabilistic analysis of packet switching networks

We consider two models commonly used in the literature to model adversarial injection of packets into a packet switching network. We establish the relation between these two types of models, and between them and the set of sequences of packets that allow stability. We also consider the adaptive setting in which packets are injected with only their source and destination but without a prescribed path to follow.     

MANET中TCP数据包的乱序问题及其解决方案

在MANET中,节点的移动性会导致不同的TCP数据包沿不同的路径到达接收端,进而在接收端产生大量的乱序数据包,影响TCP协议的性能.提出了一种延时响应TCP协议(TCP-D),通过延时触发拥塞控制算法来提高TCP协议在MANET中的性能.对延时响应TCP协议的吞吐量分析表明,增加延时定时器后,TCP_D协议仍能保证对标准TCP协议的友好性.仿真实验表明,TCP_D算法可以明显减少乱序数据包的数量,获得较标准TCP协议更高的网络吞吐量.而在网络结构稳定、无乱序数据包的情况下,改进协议仍具有很好的公平性和友好性.     

On a Self-Organizing Multipath Routing Protocol in Mobile Wireless Networks

In this paper, we present a self-organizing multipath (SOMP) routing protocol aiming at enhancing success rates of delivery of data packets end-to-end, restricting the routing overhead, and being robust to unstable network conditions. In this SOMP protocol, each mobile host sets up multiple beacons at other hosts to indicate routes to reach it. A beacon is an ordered list of mobile hosts along a path going from the host which holds the beacon, to the host which sets up the beacon. Two functionalities are used for routing data packets to their destinations. The first functionality is a beacon-seeking mechanism, which helps data packets to obtain beacons leading to the destinations of the data packets. The second functionality is a source routing mechanism, which is similar to the one used in Dynamic Source Routing (DSR) protocol and is used to forward data packets to their destinations using the beacons obtained. A balanced binary search tree is used in the SOMP protocol as the embedded forwarding structure, which is built on the identifiers of mobile hosts. This search tree serves for both distributing beacon updates and routing data packets to obtain beacons. The actual routes taken by data packets are jointly determined by the embedded forwarding structure and the underlying network connectivity.     

面向众核GPU加速系统的网络编码并行化及优化

网络编码允许网络节点在数据存储转发的基础上参与数据处理,已成为提高网络吞吐量、均衡网络负载和提高网络带宽利用率的有效方法,但是网络编码的计算复杂性严重影响了系统性能。基于众核GPU加速的系统可以充分利用众核GPU强大的计算能力和有效利用GPU的存储层次结构来优化加速网络编码。基于CUDA架构提出了以片段并行的技术来加速网络编码和基于纹理Cache的并行解码方法。利用提出的方法实现了线性随机编码,同时结合体系结构对其进行优化。实验结果显示,基于众核GPU的网络编码并行化技术是行之有效的,系统性能提升显著。     

An admission control scheme for end-to-end statistical QoS provision in IP networks

This paper presents a distributed and scalable admission control scheme to provide end-to-end statistical QoS guarantees in IP network.The basic idea of the scheme is that the ingress routers make admission control decisions according to the network status information obtained by sending probing packets along the selected routing path.Each router passively monitors the arriving traffic and marks the probing packets with its network status.The performance of the presented scheme is evaluated with a variety of traffic models,QoS metrics and network topologies,The simulation results show that the proposed scheme can accurately control the admissible region and effectively improve the utilization of network resource.     

10GE-RapidIO网关的设计与实现

为了实现RapidIO网络和万兆以太网网络之间的高速数据通信,文章提出了10GE-RapidIO网关的设计方案,采用IP-over-RapidIO的方法即将以太网数据包封装进RapidIO数据包中实现以太网数据包在RapidIO网络中的数据传输。此网关能够高效的连接万兆以太网和RapidIO网络,实现RapidIO传输数据包和万兆以太网数据包的转换。     

Networks on which hot-potato routing does not livelock

Summary. Hot-potato routing is a form of synchronous routing which makes no use of buffers at intermediate nodes. Packets must move at every time step, until they reach their destination. If contention prevents a packet from taking its preferred outgoing edge, it is deflected on a different edge. Two simple design principles for hot potato routing algorithms are minimum advance, that advances at least one packet towards its destination from every nonempty node (and possibly deflects all other packets), and maximum advance, that advances the maximum possible number of packets. Livelock is a situation in which packets keep moving indefinitely in the network without any packet ever reaching its destination. It is known that even maximum advance algorithms might livelock on some networks. We show that minimum advance algorithms never livelock on tree networks, and that maximum advance algorithms never livelock on triangulated networks. Received: March 1999 / Accepted: August 1999     

Distributed deadlock resolution in store-and-forward networks

We present a simple distributed algorithm that resolves store-and-forward deadlocks in data communication networks. The basic idea of the algorithm is to detect cycles of nodes that may cause store-and-forward deadlocks, and to rotate packets along these cycles. The algorithm uses a fixed amount of storage in each node for its execution, and, under reasonable assumptions upon the routing and packet handling, it ensures that packets that enter the network arrive at their destinations in finite time.Part of this work was done while this author was on sabbatical leave with IBM, Thomas J. Watson Research Center, Yorktown Heights, NY 10598, USA.     

通过流量和数据包综合估计内网感染蠕虫概率的研究*

提出了一种分析内网感染蠕虫可能性大小的方法。对通过内网交换机上的数据包使用蠕虫行为进行分析,得到行为异常的数据包数量,然后使用AR模型分析异常数据包的数量得到异常数据包的增长率;对内网异常流量和异常数据包增长率加权,并对它们综合估计得到内网中感染蠕虫概率的大小。实验表明该方法有效可行。     

GRE-over-IPsec vPN工程设计及实现——基于合肥百大集团网络的VPN应用

人类社会已经进入21世纪,计算机信息网络已深入到世界的各个角落,地域、国家、政府、企业甚至家庭。计算机网络的飞速发展给人来带来了诸多便利,而然其潜在的网络信息安全威胁也弥漫在各个领域。探讨的VPN技术则是建立在GRE over IPSec技术之上,并通过合肥百大集团的网络拓扑对其进行设计与仿真。GREoverIPSecVPN技术是通过GRE与IPSec相结合,而形成的一种安全性更好VPN技术,其主要借用IPSec的安全加密和GRE支持多播的优点,从而使得VPN网络更加安全。该项技术的主要工作原理：将一个完整的组播、广播数据包或非IP数据包封装在一个单播数据包（IPSEC）里,以处理如OSPF的组播或RIP的广播数据流,以完成在IPSec隧道里通信实体之间的动态路由学习。