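To promote scientific fertilization techniques more efficiently, a touch-screen fertilization consulting system based on ArcGIS Runtime for WPF was developed and integrated. It uses a technique for efficiently generating high-definition offline multi-level tile-cache map packages from existing tile imagery, together with fertilization plans based on an expert knowledge base. This lowers the barrier to entry for users, improves the user experience, and makes the full-scale rollout of soil-testing-based formula fertilization to the grassroots level more feasible.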
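In recent years, the traditional field survey and annotation mode has gradually shifted toward an integrated office-and-field mode. Based on the integrated office-and-field system for national geographic conditions, this paper focuses on ESRI's key offline editing technologies and introduces the offline editing functions implemented with the ArcGIS Runtime SDK for Android. Taking the polygon reshaping algorithm as an example, common field editing tasks are implemented on top of fine-grained geometry editing.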
Abstract: Runtime systems play an important role in parallel programming and parallel compilation. In this paper, goals and key techniques of runtime systems are presented. And some experiences and its trend are given in the end.
Funding: the National Defence Foundation of China (Grant No. 10104010201)
Abstract: Reflective real-time component model is a special component model, which can identify timing constraint characteristics of component and support dynamic design-time amendment of real-time component according to users' requirements. The reflective real-time component runtime environment is a bearing space and reflective infrastructure for this special component model. It consists of three parts and manages the lifecycle and various relevant services of reflective real-time component. In this paper its mechanism and relevant key techniques in design and realization are formally specified with the communicating sequential processing (CSP) and the extended timed communicating sequential processing (TCSP). Finally a prototype is established. Experimental study shows that this runtime environment can introduce a relevant reflective infrastructure guaranteeing dynamic and real-time features of software component.
Funding: supported by the Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea Government (MSIT) (No. 2020-0-00952, Development of 5G edge security technology for ensuring 5G+ service stability and availability, 50%); the Institute of Information and Communications Technology Planning and Evaluation (IITP) grant funded by the MSIT (Ministry of Science and ICT), Korea (No. IITP-2023-2020-0-01602, ITRC (Information Technology Research Center) support program, 50%).
Abstract: Containerization is a fundamental component of modern cloud-native infrastructure, and Kubernetes is a prominent platform of container orchestration systems. However, containerization raises significant security concerns due to the nature of sharing a kernel among multiple containers, which can lead to container breakout or privilege escalation. Kubernetes cannot avoid it either. While various tools, such as container image scanning and configuration checking, can mitigate container workload vulnerabilities, these are not foolproof and cannot guarantee perfect isolation or prevent every active threat in runtime. As such, a policy enforcement solution is required to tackle the problem, and existing solutions based on LSM (Linux Security Module) frameworks may not be adequate for some situations. To address this, we propose an enforcement system based on BPF-LSM, which leverages eBPF (extended Berkeley Packet Filter) technology to provide fine-grained control and dynamic adoption of security policies. In this paper, we compare different LSM implementations to highlight the challenges of current enforcement solutions before detailing the design of our eBPF-based Kubernetes Runtime Instrumentation and Enforcement System (KRSIE). Finally, we evaluate the effectiveness of our system using a real-world scenario, as measuring the performance of a policy enforcement system is a complex task. Our results show that KRSIE can successfully control containers' behaviors using LSM hooks at container runtime, offering improved container security for cloud-native infrastructure.
Abstract: Web applications represent one of the principal vehicles by which attackers gain access to an organization's network or resources. Thus, different approaches to protect web applications have been proposed to date. Of them, the two major approaches are Web Application Firewalls (WAF) and Runtime Application Self Protection (RASP). It is, thus, essential to understand the differences and relative effectiveness of both these approaches for effective decision-making regarding the security of web applications. Here we present a comparative study between WAF and RASP simulated settings, with the aim to compare their effectiveness and efficiency against different categories of attacks. For this, we used computation of different metrics and sorted their results using F-Score index. We found that RASP tools scored better than WAF tools. In this study, we also developed a new experimental methodology for the objective evaluation of web protection tools since, to the best of our knowledge, no method specifically evaluates web protection tools.
Abstract: To quickly customize and develop intelligent campus internet of things (ICIOT) systems more efficiently, in this paper an approach based on runtime model to managing intelligent campus wireless sensor networks is proposed. Firstly, manageability of intelligent campus wireless sensors is abstracted as runtime models which automatically and immediately propagate any observable runtime changes of target resources to corresponding architecture models. Then, a composite model of intelligent campus wireless sensors is constructed through merging their runtime models in order to manage different kinds of devices in a unified way. Finally, a customized model is constructed according to the personalized management requirement and the synchronization between the customized model and the composite model is ensured through model transformation. Thus, all the management tasks can be carried through executing operating programs on the customized model. Experiments were conducted in part of the school teaching area; compared with the traditional method, this method manages campus facilities more effectively and in a more energy-efficient and orderly way, reaching a 16.7% energy saving.
Funding: supported in part by the Intelligent Policing and National Security Risk Management Laboratory 2023 Opening Project (No. ZHKFYB2304); the Fundamental Research Funds for the Central Universities (Nos. SCU2023D008, 2023SCU12129); the Natural Science Foundation of Sichuan Province (No. 2024NSFSC1449); the Science and Engineering Connotation Development Project of Sichuan University (No. 2020SCUNG129); the Key Laboratory of Data Protection and Intelligent Management (Sichuan University), Ministry of Education.
Abstract: The security performance of cloud services is a key factor influencing users' selection of Cloud Service Providers (CSPs). Continuous monitoring of the security status of cloud services is critical. However, existing research lacks a practical framework for such ongoing monitoring. To address this gap, this paper proposes the first NonCollaborative Container-Based Cloud Service Operation State Continuous Monitoring Framework (NCCMF), based on relevant standards. NCCMF operates without the CSP's collaboration by: 1) establishing a scalable supervisory index system through the identification of security responsibilities for each role, and 2) designing a Continuous Metrics Supervision Protocol (CMA) to automate the negotiation of supervisory metrics. The framework also outlines the supervision process for cloud services across different deployment models. Experimental results demonstrate that NCCMF effectively monitors the operational state of two real-world IoT (Internet of Things) cloud services, with an average supervision error of less than 15%.
Funding: supported in part by the National Key R&D Program of China (2017YFB1001804); Shanghai Science and Technology Innovation Action Plan Project (16511100900)
Abstract: In order to guarantee the correctness of business processes, not only control-flow errors but also data-flow errors should be considered. The control-flow errors mainly focus on deadlock, livelock, soundness, and so on. However, there are not too many methods for detecting data-flow errors. This paper defines Petri nets with data operations (PN-DO) that can model the operations on data such as read, write and delete. Based on PN-DO, we define some data-flow errors in this paper. We construct a reachability graph with data operations for each PN-DO, and then propose a method to reduce the reachability graph. Based on the reduced reachability graph, data-flow errors can be detected rapidly. A case study is given to illustrate the effectiveness of our methods.