TD-SCDMA PS域业务互操作参数的研究

随着TD-SCDMA网络的广泛部署,TD-SCDMA与GSM互操作已成为不可避免的技术问题.文章在对TD-SCDMA与GSM互操作策略分析的基础上,针对某地TD-SCDMA与GSM网络PS域业务互操作中的问题进行了分析和研究,并提出相应的解决方案,使得PS域业务互操作的成功率得到提升.     

基于安全相似域的风险评估模型

评估模型是风险评估的基础。本文从评估实体安全属性的相似性出发，提出安全相似域的概念，并在此基础上建立起一种网络风险评估模型SSD—REM。另外，还给出了基于该模型的一种评估算法和示例。     

基于分层自治域空间信息网络模型与拓扑控制算法

针对空间信息网络结构复杂、拓扑动态变化以及空间尺度大等特点,提出一种面向空间信息网的分层自治域模型。该模型根据节点属性、链路能力、任务特点、分布区域等不同,将整个网络划分为不同的自治域和子自治域,各域内可采用相对独立的控制策略,从而将子网间各动态因素解耦合。然后,基于该分层自治域模型,提出了一种最小化时延的拓扑控制算法。与现有的集中式和分布式拓扑控制方法不同,该算法采用混合式方法,将控制信息约束在相邻子自治域范围内,既保证了网络的连通性,又减少了控制信息的开销。理论分析表明,若网络的物理拓扑是k连通的,则该算法得到的拓扑控制结果一定是k连通的。仿真结果验证了理论分析和所提出算法的有效性。     

基于语义互操作的政务知识协同模型研究

基于语义互操作的电子政务协同系统是电子政务的发展趋势。分析了构建基于语义互操作的政务知识协同系统的主要任务和方法,提出了一个基于语义互操作的政务知识协同系统框架模型,详细阐明了其设计思路及各部分功能,重点给出电子政务信息单元自治模型和政务信息本体互操作模型的组成结构和工作机制。     

无线通信网络中基于信息流向的多域安全机制

介绍了一种新的以信息的流向为分析对象,根据信息论和通信协议体系中信息的运动方向,构建保证无线通信网络中信息可靠、安全到达的安全机制——多域安全机制。具体论述了该方法的基本思路、方法和内容。     

多保护域进程模型及其实现

在很多安全操作系统中都存在一些安全关键进程或可信进程,一旦它们被黑客入侵则会破坏整个系统的安全性.本文的多保护域进程模型在进程内部通过细粒度的内核级保护域隔离机制对进程数据和代码实施访问控制,从而防止黑客利用程序局部漏洞劫持整个进程,以达到增强安全关键进程自身安全的目的.本文为该模型提供了两种设计方案并对其中一种设计做了原型实现.     

面向自治域的DoS攻击流抑制模型

针对因特网上的DoS攻击,结合下一代安全因特网架构,分析了现有权证方案在申请、授权和解授权等方面的问题。兼顾网络拥塞反馈机制,结合多级主动队列、信誉计算等思想,提出了一种面向自治域的DoS攻击流抑制模型,并进一步分析其有效性。通过在NS2上利用权威的CAIDA真实拓扑数据集,对权证授权时间和授权通信量、平均权证获取时间、不同方案的文件传输时间进行对比分析和评价,结果表明本方案能有效降低平均权证获取时间,提高文件传输效率,使权证方案更具可行性和顽健性。     

基于角色的域-类型增强访问控制模型研究及其实现

安全系统只有能够支持多种安全政策才能满足实际需求.基于角色的访问控制(Role-Based Access Control,RBAC)是一种政策中性(Policy Neutral)的新模型,已经实现了多种安全政策.域-类型增强(Domain and Type Enforcement,DTE)安全政策充分体现了最小特权(Least Privilege)和职责分离(Separation of Duty)的安全原则,但是,RBAC96不便于直接实现DTE.根据RBAC和DTE的思想,本文提出了"基于角色的域-类型增强访问控制"(Role-Based Domain and Type Enforcement Access Control,RDTEAC)模型.该模型继承了RBAC96的优点,又体现了DTE的安全思想,并易于实现DTE安全政策.此外,我们还在Linux上实现了RDTEAC模型的一个原型.     

一种基于策略的跨自主域访问控制模型研究

针对分布式环境下各自主域访问控制模型的异构性以及跨域访问中域自治与协作问题,提出了一种基于策略的跨自主域访问控制模型.该模型通过自主域间访问主体的不同粒度映射机制,支持域间的安全互操作;通过安全控制器并结合基于XACML的访问控制策略,实现了域间用户权限的逻辑整合.各域的相关权限信息封装在域内,既保持原有的独立性又实现了域间的协作,同时屏蔽了域间主体差异,解决了不同域系统互不认知和异构访问控制模型映射问题.     

基于安全保护域的增强型多点协作传输机制

现有针对异构蜂窝网多点协作安全传输的研究集中于增强主信道质量以提升安全性,然而多基站协作又使基站和窃听者之间的平均距离变近,网络的安全性受限于距离协作基站较近的窃听者。针对该问题,该文提出一种基于安全保护域的增强型多点协作传输机制。然后,理论分析了用户的连接中断概率、安全中断概率以及安全吞吐量。进一步,以最大化安全吞吐量为目标,优化协作微基站的发射功率以及有用信息功率分配比例系数。仿真结果表明,相比于传统的多点协作安全传输机制,在存在严重安全威胁(窃听者密度较大)的场景下,所提机制可以实现非零系统安全吞吐量;在存在较小安全威胁(窃听者密度较小)的场景下,系统安全吞吐量最大可提升76.1%。     

P2P电子商务环境下的动态安全信任管理模型

针对P2P电子商务中的信任评估问题,提出一种基于信任云的动态安全信任管理模型(TCDSTM).TCDSTM利用云理论来刻画信任及信任等级,然后给出具有抗攻击能力的全局信任度融合算法、节点的类型识别和拓扑重构机制.理论分析和仿真实验一致表明,TCDSTM小仅可以抵御共谋、振荡等恶意攻击,而且大大提高了交易成功率.此外,该模型具有较低的通信丌销.     

SDI: a multi-domain SDN mechanism for fine-grained inter-domain routing

Software-defined networking (SDN) scheme decouples network control plane and data plane, which can improve the flexibility of traffic management in networks. OpenFlow is a promising implementation instance of SDN scheme and has been applied to enterprise networks and data center networks in practice. However, it has less effort to spread SDN control scheme over the Internet to conquer the ossification of inter-domain routing. In this paper, we further innovate to the SDN inter-domain routing inspired by the OpenFlow protocol. We apply SDN flow-based routing control to inter-domain routing and propose a fine-granularity inter-domain routing mechanism, named SDI (Software Defined Inter-domain routing). It enables inter-domain routing to support the flexible routing policy by matching multiple fields of IP packet header. We also propose a method to reduce redundant flow entries for inter-domain settings. And, we implement a prototype and deploy it on a multi-domain testbed.     

基于NS2多域ASON仿真平台设计与实现

对一个基于单域ASON仿真平台扩展实现了多域ASON仿真平台.通过对网络节点Id进行分域,实现了ASON中的多域分层网络结构,引入了一种基于全网抽象的路由信息汇聚策略.在ASON网络的分层路由中的每个路由域中加入备份Speaker节点,使网络具有更好的生存性.仿真测试表明当网络规模较大时,多域ASON网络在拓扑收敛速度、连接建立时间等方面的性能均优于单域.     

SIM：应用于MANET的安全IP协议

参考IP Sec的核心思想,并结合MANET的具体实际,提出了一种安全的IP协议SIM（secure IP protocol for manet）。通过在网络层和数据链路层之间添加一个无连接的安全层,对进出协议栈的数据报文进行安全处理。通过将IP Sec的安全协定SA简化为轻量级的适合MANET的SSA,在保持IP安全性的同时降低了协议开销和部署复杂度。进行了基于Linux的协议栈设计和原型系统实现。     

SSCAN:一种安全的基于CAN的语义网络

现有的基于DHT（Distributed Hash Table）模型的P2P网络并不能很好支持语义查询,只提供针对某个关键字单一的准确查询,为了实现语义搜索,人们提出若干基于VSM的改进方案,而这些模型存在各种问题。本文首次分析了P2P中语义网络可能存在的安全问题,阐述了哈希算法和语义网络之间的固有矛盾;构建一个支持语义搜索的安全CAN网络SSCAN（Secure and Semantic CAN）,设计了一种在SSCAN中进行语义搜索的算法,并对搜索性能进行评估。该模型具有安全性高,搜索高效的特点。     

Techniques for secure execution of mobile code: a review

Code mobility can be defined as the capability to dynamically change the bindings between code fragments and the location in which they are executed. The concept of code mobility is not new, but in recent years has become a hot topic. Web browsers are able to download programs attached to web pages that are executed locally. On the other hand, mobile agent technology allows for agents to autonomously migrate to new hosts. A major concern involved in the use of these technologies is security: the integrity of the receiving host must not be compromised by the execution of mobile code. The local host needs to define a security policy that specifies which resources are made available to mobile code, potentially untrusted. On the other hand, the runtime system must, somehow, enforce such policy. In this paper, we present a survey of different techniques aimed at resolving the problem of secure resource management, and argue within which context they are appropriate.     

Constructing secure group communication over wireless ad hoc networks based on a virtual subnet model

Recently, more and more people have begun using mobile devices such as PDAs and notebooks. Our lives have been profoundly affected by such devices. A MANET, a mobile ad hoc network, is an effective networking system facilitating an exchange data between mobile devices, without the support of wireless access points and base stations. A MANET is not restricted to unicast or multicast communication, but can also provide "many-to-many" transmission, which can be treated as a group communication. Until recently, however, the way in which such groups are formed had not drawn much attention. Because communication in wireless networks is broadcast and a certain amount of devices can receive transmitted messages, the risk of unsecured sensitive information being intercepted by unintended recipients is a real concern. Consequently, efforts to ensure the security of group communications in MANETs are essential. This article proposes a virtual subnet model to construct secure group communication over a MANET. With the model, the composition of groups is established as the forming of group keys. Our results show that this approach can completely satisfy the needs for both security and efficiency.     

Extending hybrid approach to secure Trivial File Transfer Protocol in M2M communication: a comparative analysis

Telecommunication Systems - Embedded Machine-to-Machine (M2M) is one of the hottest research topics in recent industrial Internet of Things. In order to serve the communication to effectively...     

UCAP:a PCL secure user authentication protocol in cloud computing

As the combine of cloud computing and Internet breeds many flexible IT services,cloud computing becomes more and more significant.In cloud computing,a user should be authenticated by a trusted third party or a certification authority before using cloud applications and services.Based on this,a protocol composition logic (PCL) secure user authentication protocol named UCAP for cloud computing was proposed.The protocol used a symmetric encryption symmetric encryption based on a trusted third party to achieve the authentication and confidentiality of the protocol session,which comprised the initial authentication phase and the re-authentication phase.In the initial authentication phase,the trusted third party generated a root communication session key.In the re-authentication phase,communication users negotiated a sub session key without the trusted third party.To verify the security properties of the protocol,a sequential compositional proof method was used under the protocol composition logic model.Compared with certain related works,the proposed protocol satisfies the PCL security.The performance of the initial authentication phase in the proposed scheme is slightly better than that of the existing schemes,while the performance of the re-authentication phase is better than that of other protocols due to the absence of the trusted third party.Through the analysis results,the proposed protocol is suitable for the mutual authentication in cloud computing.     

LiteST：一种无线传感器网络轻量级安全时间同步协议

提出了一个简单的时间同步广播报文完整性认证方法.在此基础上,结合单向链(而非复杂得多的μTESLA)提供的发送节点身份认证功能和冗余机制提供的防止内部节点攻击功能,设计了一个轻量级的安全时间同步协议LiteST(lightweight secure time).理论分析和仿真实验结果表明,LiteST能够防御外部攻击并能容忍内部攻击节点发送错误信息,达到了目前虽好的安全时间同步协议TinySeRSync类似的安全性.32个Mica2节点组成的原型系统实验结果表明LiteST协议取得了与没有安全机制的FrSP协议几乎相同的时间同步精度.LiteST协议与安全相关的计算开销大约只有TinySeRSync的五分之一:通信开销为其1/(2m+2),其中m为网络节点的平均邻居数;其存储开销在实际的场景下也显著降低.