This paper proposes a virtual router cluster system based on the separation of the control plane and the data plane from multiple perspectives,such as architecture,key technologies,scenarios and standardization.To som...This paper proposes a virtual router cluster system based on the separation of the control plane and the data plane from multiple perspectives,such as architecture,key technologies,scenarios and standardization.To some extent,the virtual cluster simplifies network topology and management,achieves automatic conFig.uration and saves the IP address.It is a kind of low-cost expansion method of aggregation equipment port density.展开更多
Dynamic bandwidth allocation(DBA)is a fundamental challenge in the realm of networking.The rapid,accurate,and fair allocation of bandwidth is crucial for network service providers to fulfill service-level agreements,a...Dynamic bandwidth allocation(DBA)is a fundamental challenge in the realm of networking.The rapid,accurate,and fair allocation of bandwidth is crucial for network service providers to fulfill service-level agreements,alleviate link congestion,and devise strategies to counter network attacks.However,existing bandwidth allocation algorithms operate mainly on the control plane of the software-defined networking paradigm,which can lead to considerable probing overhead and convergence latency.Moreover,contemporary network architectures necessitate a hierarchical bandwidth allocation system that addresses latency requirements.We introduce a finegrained,hierarchical,and scalable DBA algorithm,i.e.,the HSDBA algorithm,implemented on the programmable data plane.This algorithm reduces network overhead and latency between the data plane and the controller,and it is proficient in dynamically adding and removing network configurations.We investigate the practicality of HSDBA using protocol-oblivious forwarding switches.Experimental results show that HSDBA achieves fair bandwidth allocation and isolation guarantee within approximately 25 packets.It boasts a convergence speed 0.5times higher than that of the most recent algorithm,namely,approximate hierarchical allocation of bandwidth(AHAB);meanwhile,it maintains a bandwidth enforcement accuracy of 98.1%.展开更多
The sea-surface height (SSH) signatures of internal tides extracted from the TOPEX/Poseidon (T/P) altimeter data along satellite tracks are fitted with superposition of several plane waves which have different wav...The sea-surface height (SSH) signatures of internal tides extracted from the TOPEX/Poseidon (T/P) altimeter data along satellite tracks are fitted with superposition of several plane waves which have different wavenumber vectors. The key problem of plane wave fitting with iterative method is how to determine the initial value of wavenumber of each plane wave. The previous solving method is to analyze the internal tidal SSH signatures along each track with wavenumber spectrum. But it is found that the problem cannot be solved completely with the wavenumber spectrum analysis method only. The method based on the combination of wavenumber spectrum analysis method and the exhaustive method is proposed to determine the initial values of wavenumbers for iteration. Numerical results indicate that the proposed method is not only reasonable and feasible but also better than the previous method. The proposed method is an improvement of the previous one, which is beneficial to improving the precision of plane wave fitting of the T/P internal tidal SSH signatures and deepening the understanding of the internal tides in ocean.展开更多
The rapid growth of distributed data-centric applications and AI workloads increases demand for low-latency,high-throughput communication,necessitating frequent and flexible updates to network routing configurations.H...The rapid growth of distributed data-centric applications and AI workloads increases demand for low-latency,high-throughput communication,necessitating frequent and flexible updates to network routing configurations.However,maintaining consistent forwarding states during these updates is challenging,particularly when rerouting multiple flows simultaneously.Existing approaches pay little attention to multi-flow update,where improper update sequences across data plane nodes may construct deadlock dependencies.Moreover,these methods typically involve excessive control-data plane interactions,incurring significant resource overhead and performance degradation.This paper presents P4LoF,an efficient loop-free update approach that enables the controller to reroute multiple flows through minimal interactions.P4LoF first utilizes a greedy-based algorithm to generate the shortest update dependency chain for the single-flow update.These chains are then dynamically merged into a dependency graph and resolved as a Shortest Common Super-sequence(SCS)problem to produce the update sequence of multi-flow update.To address deadlock dependencies in multi-flow updates,P4LoF builds a deadlock-fix forwarding model that leverages the flexible packet processing capabilities of the programmable data plane.Experimental results show that P4LoF reduces control-data plane interactions by at least 32.6%with modest overhead,while effectively guaranteeing loop-free consistency.展开更多
The 6G network architecture introduces the paradigm of Trust+Security,representing a shift in network protection strategies from external defense mechanisms to endogenous security enforcement.While ZTNs(zerotrust netw...The 6G network architecture introduces the paradigm of Trust+Security,representing a shift in network protection strategies from external defense mechanisms to endogenous security enforcement.While ZTNs(zerotrust networks)have demonstrated significant advancements in constructing trust-centric frameworks,most existing ZTN implementations lack comprehensive integration of security deployment and traffic monitoring capabilities.Furthermore,current ZTN designs generally do not facilitate dynamic assessment of user reputation.To address these limitations,this study proposes a DPZTN(Data-plane-based Zero Trust Network).DPZTN framework extends traditional ZTN models by incorporating security mechanisms directly into the data plane.Additionally,blockchain infrastructure is used to enable decentralized identity authentication and distributed access control.A pivotal element within the proposed framework is ZTNE(Zero-Trust Network Element),which executes access control policies and performs real-time user traffic inspection.To enable dynamic and fine-grained evaluation of user trustworthiness,this study introduces BBEA(Bayesian-based Behavior Evaluation Algorithm).BBEA provides a framework for continuous user behavior analysis,supporting adaptive privilege management and behavior-informed access control.Experimental results demonstrate that ZTNE combined with BBEA,can effectively respond to both individual and mixed attack types by promptly adjusting user behavior scores and dynamically modifying access privileges based on initial privilege levels.Under conditions supporting up to 10,000 concurrent users,the control system maintains approximately 65%CPU usage and less than 60%memory usage,with average user authentication latency around 1 s and access control latency close to 1 s.展开更多
As is well known, Greece has a significant number of earthquakes each year. Ιn recent years, several earthquakes have occurred in Greece. For this scope, a methodology was used to determine the source parameters. Thi...As is well known, Greece has a significant number of earthquakes each year. Ιn recent years, several earthquakes have occurred in Greece. For this scope, a methodology was used to determine the source parameters. This methodology is based on minimizing the difference between the observed and the synthetic waveforms, using the method Source Parameters Calculation—SPCa <a href="#ref1" target="_blank">[1]</a>. The source parameters, using the proposed methodology, are calculated by comparing observed seismograms and synthetic by inverting data. The synthetics are calculated using the reflectivity method (Kennett, 1983) as implemented by Randall et al. (1994) for a given earth structure. This study includes inversion results for the strongest events that occurred in Greece from 2008 to 2014. For the same events calculated the main fault plane, using the method of Hypocenter Centroid-plot (HC-plot) <a href="#ref2" target="_blank">[2]</a> <a href="#ref3" target="_blank">[3]</a>. This methodology is a simple geometrical method based on the combination between the hypocentral position and the two possible fault planes.展开更多
针对实际点云数据中存在的噪点与缺陷对拟合平面时带来的影响,提出一种基于最小平方中值算法(least median of squares,LMedS)与距离加权总体最小二乘法(weighted total least squares based on distance,WTLSD)相结合的平面拟合算法。...针对实际点云数据中存在的噪点与缺陷对拟合平面时带来的影响,提出一种基于最小平方中值算法(least median of squares,LMedS)与距离加权总体最小二乘法(weighted total least squares based on distance,WTLSD)相结合的平面拟合算法。通过最小平方中值算法初步去除点云中的噪点,并基于距离构建初始权重矩阵,利用距离加权总体最小二乘法对点云进行平面拟合,减少平面中凸起与凹陷等缺陷对平面拟合的影响,该算法与传统平面拟合算法相比具备消除异常点与平面缺陷的优点,具备更高的拟合精度;与随机采样一致性算法(random sample consensus,RANSAC)相比具有更高的拟合效率与相近的拟合精度。展开更多
Software-Defined Perimeter(SDP)provides a logical perimeter to restrict access to services.However,due to the security vulnerability of a single controller and the programmability lack of a gateway,existing SDP is fac...Software-Defined Perimeter(SDP)provides a logical perimeter to restrict access to services.However,due to the security vulnerability of a single controller and the programmability lack of a gateway,existing SDP is facing challenges.To solve the above problems,we propose a flexible and secure SDP mechanism named Mimic SDP(MSDP).MSDP consists of endogenous secure controllers and a dynamic gateway.The controllers avoid single point failure by heterogeneity and redundancy.And the dynamic gateway realizes flexible forwarding in programmable data plane by changing the processing of packet construction and deconstruction,thereby confusing the potential adversary.Besides,we propose a Markov model to evaluate the security of our SDP framework.We implement a prototype of MSDP and evaluate it in terms of functionality,performance,and scalability in different groups of systems and languages.Evaluation results demonstrate that MSDP can provide a secure connection of 93.38%with a cost of 6.34%under reasonable configuration.展开更多
End-host address mutation is one of the key network moving target defense mechanisms to defend against reconnaissance.However,frequently changing host addresses increases the transmission de-lay of active sessions,whi...End-host address mutation is one of the key network moving target defense mechanisms to defend against reconnaissance.However,frequently changing host addresses increases the transmission de-lay of active sessions,which may cause serious ram-ifications.In this paper,by leveraging the advanced DPDK technology,we proposed a high-performance MTD gateway framework,called HPMG,which can not only prevent adversaries from reconnaissance ef-fectively,but also retain high-speed data packet pro-cessing capabilities.Firstly,every moving target host is assigned three different IP addresses,called real IP,virtual IP,and external IP,to realize multi-level net-work address architecture.To delay the scanning tech-niques of adversaries,HPMG mutates virtual IP and virtual MAC addresses,and replies with fake host re-sponses.Besides,to be transparent to the end-hosts,HPMG keeps real IP and real MAC unchanged.Fi-nally,we optimized the forwarding and processing performance of the HPMG based on the fast path framework of DPDK.Our theoretical analysis,imple-mentation,and evaluation show that HPMG can effec-tively defend against reconnaissance attacks and de-crease the processing delay caused by address muta-tion.展开更多
可编程数据平面(Programmable Data Plane,PDP)允许用户自定义网络设备的数据包处理方式,支持定制化网络操作,利用PDP的特性实施网络防御,在实时性、灵活性、扩展性等方面取得了良好效果,近年来受到学术界和工业界的广泛关注。本文以基...可编程数据平面(Programmable Data Plane,PDP)允许用户自定义网络设备的数据包处理方式,支持定制化网络操作,利用PDP的特性实施网络防御,在实时性、灵活性、扩展性等方面取得了良好效果,近年来受到学术界和工业界的广泛关注。本文以基于PDP的网络防御技术为主要研究内容,首先介绍了PDP的基本概念,并结合典型案例阐述其应用于网络防御的优势;随后根据实施网络防御的阶段,将基于PDP的网络防御技术分为防护技术、检测技术、响应技术3大类,对各类方案的现有研究进行深入分析、概括总结,归纳不同方法的优缺点;最后,本文对基于PDP的网络防御技术未来的研究方向进行展望。展开更多
基金supported by the Collaboration Research on Key Techniques of Future Network between China,Japan and Korea(2010DFB13470)~~
文摘This paper proposes a virtual router cluster system based on the separation of the control plane and the data plane from multiple perspectives,such as architecture,key technologies,scenarios and standardization.To some extent,the virtual cluster simplifies network topology and management,achieves automatic conFig.uration and saves the IP address.It is a kind of low-cost expansion method of aggregation equipment port density.
基金Project supported by the Strategic Priority Research Program of Chinese Academy of Sciences(No.XDA031050100。
文摘Dynamic bandwidth allocation(DBA)is a fundamental challenge in the realm of networking.The rapid,accurate,and fair allocation of bandwidth is crucial for network service providers to fulfill service-level agreements,alleviate link congestion,and devise strategies to counter network attacks.However,existing bandwidth allocation algorithms operate mainly on the control plane of the software-defined networking paradigm,which can lead to considerable probing overhead and convergence latency.Moreover,contemporary network architectures necessitate a hierarchical bandwidth allocation system that addresses latency requirements.We introduce a finegrained,hierarchical,and scalable DBA algorithm,i.e.,the HSDBA algorithm,implemented on the programmable data plane.This algorithm reduces network overhead and latency between the data plane and the controller,and it is proficient in dynamically adding and removing network configurations.We investigate the practicality of HSDBA using protocol-oblivious forwarding switches.Experimental results show that HSDBA achieves fair bandwidth allocation and isolation guarantee within approximately 25 packets.It boasts a convergence speed 0.5times higher than that of the most recent algorithm,namely,approximate hierarchical allocation of bandwidth(AHAB);meanwhile,it maintains a bandwidth enforcement accuracy of 98.1%.
基金The National Natural Science Foundation of China under contract No. 41076006the State Ministry of Science and Technology of China under contract No. 2008AA09A402the Ministry of Education’s "111" Project of China under contract No. B07036
文摘The sea-surface height (SSH) signatures of internal tides extracted from the TOPEX/Poseidon (T/P) altimeter data along satellite tracks are fitted with superposition of several plane waves which have different wavenumber vectors. The key problem of plane wave fitting with iterative method is how to determine the initial value of wavenumber of each plane wave. The previous solving method is to analyze the internal tidal SSH signatures along each track with wavenumber spectrum. But it is found that the problem cannot be solved completely with the wavenumber spectrum analysis method only. The method based on the combination of wavenumber spectrum analysis method and the exhaustive method is proposed to determine the initial values of wavenumbers for iteration. Numerical results indicate that the proposed method is not only reasonable and feasible but also better than the previous method. The proposed method is an improvement of the previous one, which is beneficial to improving the precision of plane wave fitting of the T/P internal tidal SSH signatures and deepening the understanding of the internal tides in ocean.
基金supported by the National Key Research and Development Program of China under Grant 2022YFB2901501in part by the Science and Technology Innovation leading Talents Subsidy Project of Central Plains under Grant 244200510038.
文摘The rapid growth of distributed data-centric applications and AI workloads increases demand for low-latency,high-throughput communication,necessitating frequent and flexible updates to network routing configurations.However,maintaining consistent forwarding states during these updates is challenging,particularly when rerouting multiple flows simultaneously.Existing approaches pay little attention to multi-flow update,where improper update sequences across data plane nodes may construct deadlock dependencies.Moreover,these methods typically involve excessive control-data plane interactions,incurring significant resource overhead and performance degradation.This paper presents P4LoF,an efficient loop-free update approach that enables the controller to reroute multiple flows through minimal interactions.P4LoF first utilizes a greedy-based algorithm to generate the shortest update dependency chain for the single-flow update.These chains are then dynamically merged into a dependency graph and resolved as a Shortest Common Super-sequence(SCS)problem to produce the update sequence of multi-flow update.To address deadlock dependencies in multi-flow updates,P4LoF builds a deadlock-fix forwarding model that leverages the flexible packet processing capabilities of the programmable data plane.Experimental results show that P4LoF reduces control-data plane interactions by at least 32.6%with modest overhead,while effectively guaranteeing loop-free consistency.
基金funded by the Basic Research Operating Expenses Postgraduate Innovation Programme(Grant No.W24YJS00010,received by J.Yan)the National Key R&D Program of China(Grant No.2018YFA0701604,received by H.Zhou)the National Natural Science Foundation of China(NSFC)(Grant No.62341102,received by H.Zhou).
文摘The 6G network architecture introduces the paradigm of Trust+Security,representing a shift in network protection strategies from external defense mechanisms to endogenous security enforcement.While ZTNs(zerotrust networks)have demonstrated significant advancements in constructing trust-centric frameworks,most existing ZTN implementations lack comprehensive integration of security deployment and traffic monitoring capabilities.Furthermore,current ZTN designs generally do not facilitate dynamic assessment of user reputation.To address these limitations,this study proposes a DPZTN(Data-plane-based Zero Trust Network).DPZTN framework extends traditional ZTN models by incorporating security mechanisms directly into the data plane.Additionally,blockchain infrastructure is used to enable decentralized identity authentication and distributed access control.A pivotal element within the proposed framework is ZTNE(Zero-Trust Network Element),which executes access control policies and performs real-time user traffic inspection.To enable dynamic and fine-grained evaluation of user trustworthiness,this study introduces BBEA(Bayesian-based Behavior Evaluation Algorithm).BBEA provides a framework for continuous user behavior analysis,supporting adaptive privilege management and behavior-informed access control.Experimental results demonstrate that ZTNE combined with BBEA,can effectively respond to both individual and mixed attack types by promptly adjusting user behavior scores and dynamically modifying access privileges based on initial privilege levels.Under conditions supporting up to 10,000 concurrent users,the control system maintains approximately 65%CPU usage and less than 60%memory usage,with average user authentication latency around 1 s and access control latency close to 1 s.
文摘As is well known, Greece has a significant number of earthquakes each year. Ιn recent years, several earthquakes have occurred in Greece. For this scope, a methodology was used to determine the source parameters. This methodology is based on minimizing the difference between the observed and the synthetic waveforms, using the method Source Parameters Calculation—SPCa <a href="#ref1" target="_blank">[1]</a>. The source parameters, using the proposed methodology, are calculated by comparing observed seismograms and synthetic by inverting data. The synthetics are calculated using the reflectivity method (Kennett, 1983) as implemented by Randall et al. (1994) for a given earth structure. This study includes inversion results for the strongest events that occurred in Greece from 2008 to 2014. For the same events calculated the main fault plane, using the method of Hypocenter Centroid-plot (HC-plot) <a href="#ref2" target="_blank">[2]</a> <a href="#ref3" target="_blank">[3]</a>. This methodology is a simple geometrical method based on the combination between the hypocentral position and the two possible fault planes.
文摘针对实际点云数据中存在的噪点与缺陷对拟合平面时带来的影响,提出一种基于最小平方中值算法(least median of squares,LMedS)与距离加权总体最小二乘法(weighted total least squares based on distance,WTLSD)相结合的平面拟合算法。通过最小平方中值算法初步去除点云中的噪点,并基于距离构建初始权重矩阵,利用距离加权总体最小二乘法对点云进行平面拟合,减少平面中凸起与凹陷等缺陷对平面拟合的影响,该算法与传统平面拟合算法相比具备消除异常点与平面缺陷的优点,具备更高的拟合精度;与随机采样一致性算法(random sample consensus,RANSAC)相比具有更高的拟合效率与相近的拟合精度。
基金supported by the National Key Research and Development Program of China(Grant No.2022YFB2901304)。
文摘Software-Defined Perimeter(SDP)provides a logical perimeter to restrict access to services.However,due to the security vulnerability of a single controller and the programmability lack of a gateway,existing SDP is facing challenges.To solve the above problems,we propose a flexible and secure SDP mechanism named Mimic SDP(MSDP).MSDP consists of endogenous secure controllers and a dynamic gateway.The controllers avoid single point failure by heterogeneity and redundancy.And the dynamic gateway realizes flexible forwarding in programmable data plane by changing the processing of packet construction and deconstruction,thereby confusing the potential adversary.Besides,we propose a Markov model to evaluate the security of our SDP framework.We implement a prototype of MSDP and evaluate it in terms of functionality,performance,and scalability in different groups of systems and languages.Evaluation results demonstrate that MSDP can provide a secure connection of 93.38%with a cost of 6.34%under reasonable configuration.
基金supported by National Natural Science Foundation of China(No.61821001)Science and Tech-nology Key Project of Guangdong Province,China(2019B010157001).
文摘End-host address mutation is one of the key network moving target defense mechanisms to defend against reconnaissance.However,frequently changing host addresses increases the transmission de-lay of active sessions,which may cause serious ram-ifications.In this paper,by leveraging the advanced DPDK technology,we proposed a high-performance MTD gateway framework,called HPMG,which can not only prevent adversaries from reconnaissance ef-fectively,but also retain high-speed data packet pro-cessing capabilities.Firstly,every moving target host is assigned three different IP addresses,called real IP,virtual IP,and external IP,to realize multi-level net-work address architecture.To delay the scanning tech-niques of adversaries,HPMG mutates virtual IP and virtual MAC addresses,and replies with fake host re-sponses.Besides,to be transparent to the end-hosts,HPMG keeps real IP and real MAC unchanged.Fi-nally,we optimized the forwarding and processing performance of the HPMG based on the fast path framework of DPDK.Our theoretical analysis,imple-mentation,and evaluation show that HPMG can effec-tively defend against reconnaissance attacks and de-crease the processing delay caused by address muta-tion.
文摘可编程数据平面(Programmable Data Plane,PDP)允许用户自定义网络设备的数据包处理方式,支持定制化网络操作,利用PDP的特性实施网络防御,在实时性、灵活性、扩展性等方面取得了良好效果,近年来受到学术界和工业界的广泛关注。本文以基于PDP的网络防御技术为主要研究内容,首先介绍了PDP的基本概念,并结合典型案例阐述其应用于网络防御的优势;随后根据实施网络防御的阶段,将基于PDP的网络防御技术分为防护技术、检测技术、响应技术3大类,对各类方案的现有研究进行深入分析、概括总结,归纳不同方法的优缺点;最后,本文对基于PDP的网络防御技术未来的研究方向进行展望。
