Current Issue

    25 October 2014, Volume 35 Issue Z1
    Design and implementation of 10 Gbit network access control gateway
    2014, 35(Z1):  1-4. 
    To meet the 10 gigabit Ethernet transmission rate, a second generation network access control gateway (IPcG-10G) is redeveloped following an open and general design principle. IPcG-10G can dynamically control authenticated users' access to network resources based on their network authorization, thereby establishing a real-name registration network access mechanism in order to strengthen network security and guarantee the rational use of network bandwidth. By utilizing a variety of optimization techniques, such as zero-copy and socket buffer recycling, this system improves the performance of 10Gbps traffic forwarding. IPcG-10G breaks through the transmission bottleneck of the first generation gigabit IPcG, thus solving the mismatched rate problem and facilitating network link management and planning.
    DNS abnormal behavior detection based on IPFIX
    2014, 35(Z1):  2-9. 
    An algorithm based on IPFIX network flow data is proposed. By using the proposed algorithm, suspicious and abnormal DNS behavior can be detected accurately, and DNS traffic amplification attacks can be distinguished rapidly. This algorithm has been applied in the Tsinghua University campus network. In our practice, DNS abnormal behaviors have been detected and alarm information has been sent to administrators. Thus, abnormal attack behaviors are restrained in time, and monitoring and warning for abnormal traffic are both realized.
    Design and implementation of server security alarm system in campus network
    2014, 35(Z1):  3-13. 
    A security test using open source tools is put forward to construct a four-layer network scan architecture pattern for monitoring server security; it also produces an automatic threat analysis report for the administrators. A timed detection mechanism that proceeds from hardware to software, from the operating system to the service application and even to the dynamic page script, builds a full-range, customizable and flexibly combined multi-level security scan. The collected results are analyzed and mailed directly to the administrators, and suggestions for repair are put forward. Server security vulnerabilities can therefore be found and repaired in time. The method reduces the administrators' burden of manually detecting and monitoring servers, and effectively avoids security problems caused by administrators’ technical limitations. Finally, the experimental results show that establishing a security vulnerability scanning alarm system makes the security of campus network servers more reliable than before.
    Network log analysis with SQL-on-Hadoop
    2014, 35(Z1):  4-19. 
    With the rapid expansion of network bandwidth, devices and applications, log management is facing the challenge of exploding data volumes. A log analysis platform built on SQL-on-Hadoop is capable of storing and querying hundreds of billions of log entries effectively. Columnar and compressed data formats for Hadoop are benchmarked with a real-world multi-TB dataset. The conditional and statistical querying efficiency of Hive and Impala is tested. With the gzipped Parquet format, log data can be compressed by 80%, and querying with Impala is 5 times faster. On this platform, six security incident analysis and detection applications are already deployed.
    Trustworthy identity system based on IPv6 source address validation
    2014, 35(Z1):  5-26. 
    In the Internet, there are no mechanisms to verify the identity of a message sender, resulting in a large number of forged identity attacks, such as phishing websites. By mapping the user identity into the rightmost 64 bits of the IPv6 address, this paper tries to embed an identity in every message, which lays a credible foundation for communications on the Internet. We design and realize a true identity communication system based on source address validation improvement, which can protect the privacy of the users and ensure the verifiability and authenticity of the user identities.
    Cyberspace Security
    DNS abnormal behavior detection based on IPFIX
    Yun-long MA,Cai-ping JIANG,Qian-li ZHANG,Ji-long WANG
    2014, 35(Z1):  5-9.  doi:10.3969/j.issn.1000-436x.2014.z1.002

    Video steganalysis scheme based on weighted undirected graph
    2014, 35(Z1):  6-30. 
    A new steganalysis scheme that takes the inter-frame correlation as the weights of an undirected graph is proposed, utilizing the temporal correlation among video frames. First, the eigenvector of each video frame's brightness is obtained by calculating its gray-level co-occurrence matrix; the eigenvector is an eight-dimensional vector. Then, the weights of each video frame are computed using the Euclidean distance algorithm, and the weighted undirected graph representing the correlations between frames is constructed. Finally, whether the video contains embedded confidential information is determined according to the change of correlations between the frames after embedding. Experimental results show that the method using a weighted undirected graph can quickly discriminate stego video from the original video, and has a high accuracy rate.
    Research on tracking DDoS based on NTP reflection amplification attack
    2014, 35(Z1):  7-35. 
    Based on the characteristics of NTP reflection amplification attacks, a method is proposed that regularly launches active detection (execution of the monlist instruction) against hosts of public NTP services in the Chinese mainland and carries out long-term follow-up observation and statistical analysis of global NTP reflection DRDoS attacks based on the returned information. The tracking began in February 2014; the initial detection range covered 14 000 NTP servers in the Chinese mainland, and the detection period was 164 days with two hours for each cycle, during which suspected DDoS attacks against hundreds of thousands of IP addresses were observed.
    Wav-audio steganography algorithm based on amplitude modifying
    2014, 35(Z1):  8-40. 
    Algorithms in different effective domains are analysed, and a wav-audio steganography algorithm based on amplitude modifying is proposed. The secret audio is scrambled through a random number generator. Amplitude values of each sampling point group in the original audio are compared. While the amplitude values are modified, the secret information bits are embedded. Embedding strength can be adjusted according to the key. Simulation results demonstrate that the hiding capacity of this algorithm is large and good invisibility can be achieved. The anti-steganalysis ability of this algorithm is good and blind extraction can be realized.
    Net traffic identifier based on hierarchical clustering
    2014, 35(Z1):  9-45. 
    An improved net traffic identifier algorithm was proposed based on semi-supervised clustering. Symmetrical uncertainty was used to reduce the net flow attributes, and then a kernel function was used to project the remaining attributes to a higher dimensional space. The training net flows were clustered hierarchically in the high dimensional space. Smooth factor, silhouette coefficient and entropy controlled the clustering process to get a good result. Experiments show that the algorithm produced flat clusters without any huge cluster and could identify most net flows, even encrypted ones.
    Design and implementation of high-speed network traffic sensor for emergency response
    2014, 35(Z1):  10-51. 
    In network analysis and tracking, network security emergency response needs an emergency sensor that captures raw packets of a specific IP, port and protocol. Based on the high-speed packet capture tool PF_RING DNA, it uses multiple threads to capture network packets that match sensor rules, and allocates a shared buffer to improve the performance of the disk storage of packets. At the same time, by setting different states for the packet sensor rules, it implements dynamic addition of sensor rules and human intervention. The experimental results show that in the dual 10 Gigabit NICs environment, the emergency sensor can capture and handle network traffic of 19.98 Gbit/s (3.5 Mpacket/s), and the maximum rate of the emergency sensor is 1 297 Mbit/s (204.9 kpacket/s).
    Design and implementation of server security alarm system in campus network
    Bin PANG,Hua LI,You-yi WANG,Shuai YAN,Zhi-he YANG
    2014, 35(Z1):  10-13.  doi:10.3969/j.issn.1000-436x.2014.z1.003

    Study on modern malware analysis system
    2014, 35(Z1):  11-57. 
    The analysis of malicious code’s network behavior is an important research field of network security. This function in existing systems is incomplete and not deep. The functions of malicious code are summarized and a comprehensive content is presented. Moreover, the network behavior analysis function of existing analysis systems is introduced, and CUCKOO, which is able to satisfy the requirements of the involved study, is found. Finally, the advantages and points of this application platform were summarized, and an expansion of the system was proposed.
    Efficient-cutting packet classification algorithm based on the statistical decision tree
    2014, 35(Z1):  12-64. 
    Packet classification algorithms based on decision trees are easy to implement and widely employed in high-speed packet classification. The primary objective of constructing a decision tree is minimal storage and search time complexity. An improved decision-tree algorithm is proposed based on statistics and evaluation of filter sets. The HyperEC algorithm is a multi-dimensional packet classification algorithm. The proposed algorithm allows a tradeoff between storage and throughput while constructing the decision tree. Because it is not sensitive to IP address length, it is suitable for IPv6 packet classification as well as IPv4. The algorithm applies a natural and performance-guided decision-making process. The storage budget is preset and then the best throughput is achieved. The results show that the HyperEC algorithm outperforms the HiCuts and HyperCuts algorithms, improving storage and throughput performance and scaling to large filter sets.
    PSO based task scheduling for medical big data
    2014, 35(Z1):  13-71. 
    How to select a suitable task scheduling strategy to accomplish medical data query tasks in scheduling and allocation inside each hospital is an important problem to be dealt with in medical big data processing. In order to satisfy the optimal medical data corresponding time and optimal cost considered in task scheduling, an improved particle swarm algorithm was proposed. The algorithm constructs a dual fitness function of optimal time and optimal cost to adaptively adjust the inertia weight in the particle velocity update, speed up the search for the optimal particle, find the most reasonable task scheduling scheme for data query, and maximize the efficiency of medical data query in the medical information sharing platform. Experiment results demonstrate the effectiveness of the proposed algorithm.
    Method of KVM virtual machine live migration in cross-platform based on Cloudstack and OpenStack
    2014, 35(Z1):  14-75. 
    To enable KVM virtual machines created on the CloudStack platform to be identified and taken over correctly in an environment where CloudStack and OpenStack coexist, a method for live migration of KVM virtual machines from CloudStack to OpenStack is proposed. By combining the traditional KVM virtual machine migration method based on local storage with the characteristics of the CloudStack and OpenStack cloud computing platforms, and regrouping the virtual machine migration-related documents, we achieved the dynamic migration of virtual machines across platforms. The experimental results show that the method not only successfully completes the KVM virtual machine migration task from CloudStack to OpenStack, but also incurs no more time cost than the traditional method.
    Network log analysis with SQL-on-Hadoop
    Si-yu ZHANG,Kai-da JIANG,Jian-wen WEI,Xuan LUO,Hai-yang WANG
    2014, 35(Z1):  14-19.  doi:10.3969/j.issn.1000-436x.2014.z1.004

    IMISA:interconnection mechanism for IP subnet and SDN subnet in autonomous system
    2014, 35(Z1):  15-81. 
    The interconnection mechanism for SDN networks and traditional IP networks has been a focus in academia, but the current solution can’t be used in every condition. To solve this problem, an architecture named IMISA was proposed, based on the OSPF protocol. In an autonomous system with both an SDN subnet (based on OpenFlow) and an IP subnet, an OSPF routing module was added to the SDN controller to help exchange network information, so that the networks can finally communicate with each other.
    Application of unified IP address management technologies in large-scale IPv4/IPv6 transition environment
    2014, 35(Z1):  16-86. 
    Some basic requirements of IP address management (IPAM) in a large-scale IPv4/IPv6 transition environment in campus wired LAN and WLAN are summarized, and some special technologies of IPv6 address management as well as some key operating technologies of the IPAM service in such an environment are analyzed. Finally, a real deployment of the IPAM service in such a large-scale IPv4/IPv6 transition environment is introduced. Experience with a unified IPAM service oriented to next-generation wired LAN and WLAN is gathered.
    Build campus network authentication system based on centralized 802.1x
    2014, 35(Z1):  17-90. 
    802.1x authentication was usually deployed in a distributed manner. However, with the expansion of the campus network and the increase in the number of control devices, the management of equipment and the authentication system has become inconvenient. On the other hand, centralized 802.1x could not locate the terminal. The problem of terminal location under centralized 802.1x was solved by using the (NAS IP, Port, Vlan) three-tuple, Super Vlan and dynamic address allocation technology. The centralized 802.1x authentication system was tested in the Huazhong Science and Technology University campus network, and achieved good results.
    Design and implement of integrative access layer in campus network
    2014, 35(Z1):  18-97. 
    At the moment, the access layer network in the campus network has some problems, including a lagging wireless network, imbalanced resource deployment between the wired network and the wireless network, and weak support for private local networks. To resolve these problems and make the access layer network better satisfy evolving user requirements, we give the definition of the integrative access layer network and implement it at Peking University. The result shows that the integrative access layer network works well and improves the service provided by the campus network.
    Asymmetric routing detection based on flow records
    2014, 35(Z1):  19-102. 
    The misconfiguration of border routers may cause asymmetric routing in campus networks which connect to multiple ISPs. A method, FARD, was proposed to address this phenomenon. This method uses the connection-oriented transmission characteristics of TCP combined with the home IP address to locate the possible asymmetric routing IP addresses in the network, based on the flow records provided by the router. Experiments on the access router flow records from the main point of the CERNET network demonstrate the proposed method.
    Portal authentication HTTP redirection using netfilter NFQUEUE
    2014, 35(Z1):  20-106. 
    When a portal is used for user authentication, an unauthorized user's HTTP access should be redirected to the portal login page to help the user authenticate. The netfilter NFQUEUE target is used to send unauthorized users' TCP port 80 packets to the user-space program redir_http. Redir_http sends IP reply packets to the user to perform the HTTP redirection with the help of a raw socket. Using NFQUEUE ensures high-performance redirection, avoids troublesome development in the Linux kernel, simplifies application development and improves system stability.
    Trustworthy identity system based on IPv6 source address validation
    Duan-qi ZHOU,Jun BI,Guang YAO
    2014, 35(Z1):  20-26.  doi:10.3969/j.issn.1000-436x.2014.z1.005

    Research at flat underlying network architecture of campus
    2014, 35(Z1):  21-112. 
    Through systematic analysis of the status quo of the campus network, we deployed a flat network core using BRAS and high-density switches. By deploying the accounting system in a bypass way and using IPOE access technology, combined with local-forwarding wireless networking and assisted by a linked logging system, we achieved unified user access certification. We optimized the network boundary by integrating a global security policy, Internet traffic optimization strategies based on application protocols, and the deployment of a caching system. Practice shows that the flat underlying network architecture improves network performance and meets the inherent requirements of the campus network, while also improving users’ experience. Flat network architecture is feasible for campus networks.
    Mechanism for green unicast routing protection in multi-granularity transport networks
    2014, 35(Z1):  22-117. 
    The mechanism for green unicast routing protection is designed with the constraint of quality of service (QoS), energy consumption and the survivability of single link or node failure considered. The path is calculated under the constraint of QoS based on K-shortest path algorithm. The resource allocation is done on multi-layer auxiliary graph considering the minimum times of wavelength conversion. Three protection levels are provided according to the service demands. The mechanism is implemented over EON (Europe optical network) topology by simulation. Performance evaluation has been done on the blocking probability, the protecting/working resource ratio and the load balance degree by comparing with certain existent mechanism. It has been shown that the proposed mechanism is both feasible and effective.
    Research and practice on self-service terminal in smart campus
    2014, 35(Z1):  23-123. 
    Aiming at the construction of a smart campus, a solution using self-service terminals to provide intelligent services for campus users was proposed. The features of the smart campus and the concept of self-service were expounded. The self-service terminal applications on campus were analyzed. An architecture was designed, including terminal hardware, terminal software, supporting software for monitoring and management, external services interfaces, etc. It was used as a blueprint for the development of a self-service terminal system on the Peking University campus. Practice shows that the self-service terminal system improves the intelligence level and efficiency of campus services.
    Terminals behavior testing research under IPv6 Wi-Fi
    2014, 35(Z1):  24-128. 
    Lacking essential data, carrier operators are afraid to promote IPv6 in the mobile Internet because they cannot forecast its influence on user experience. The behavior of the main current mobile terminals under IPv6 Wi-Fi was tested, the key points that impact user experience were analyzed, and the practicability of large-scale deployment of IPv6 in the mobile Internet was studied. The main steps of establishing the test platform were detailed. Test results show that IPv6 support in the operating systems and browsers with a big market share is still not perfect. They lead to a worse user experience through bad internetworking. This is the main obstacle to promoting IPv6 in the mobile Internet.
    Development of log management system in CoolView
    2014, 35(Z1):  25-133. 
    In order to realize the normalized management of tasks such as auditing, tracking and warning in a video conference system, a log management subsystem structure was built using AOP. Its log module was designed adopting Syslog and Log4j technology, and implemented using the SSH framework. The above subsystem has also been embedded in the CoolView video conference system, and it provides foundation data for the daily operation and maintenance of CoolView.
    Low-power multicast routing algorithm in green Internet
    2014, 35(Z1):  26-140. 
    A path node-driven strategy based one-to-many multicast routing algorithm in green Internet (GIOMR) is proposed to generate a low-power shortest path tree, fully making use of the path node sharing paths and meanwhile improving user’s QoS satisfaction degree. The GIOMR is implemented over CERNET2 topology by simulation. It has been shown that GIOMR has better performance on the network power consumption, the success rate of routing and the running time than efficient heuristics for energy-aware routing (EHER) algorithm.
    Implementation and analysis of PANET
    2014, 35(Z1):  27-145. 
    Partial-state asymmetric NAT (PANAT) could translate any prefixes of IPv6 addresses seamlessly. With the PANAT method implemented using the Netfilter framework, both quantitative and qualitative research is done for PANET. Some suggestions are given for using PANET in the real environment through comparison of the translation efficiency and the host scales.
    Video steganalysis scheme based on weighted undirected graph
    Ting DA,Zhi-tang LI
    2014, 35(Z1):  27-30.  doi:10.3969/j.issn.1000-436x.2014.z1.006

    User filtering based campus WLAN user clustering method
    2014, 35(Z1):  28-149. 
    With the widespread use of smart terminals such as smart phones and smart pads, using the MAC address as user identification in campus wireless local area network (WLAN) user clustering research cannot exactly represent user behavior. A user filtering based user clustering method is proposed. This method filters users’ behavior data by their degree of activeness, and then further conducts clustering analysis of campus WLAN user behavior. The experimental result verifies the effectiveness of the proposed method.
    3G network coverage hole detection based on user behaviors
    2014, 35(Z1):  29-155. 
    Conventional methods of coverage hole detection are very resource consuming. A new detection method is proposed which makes use of the massive amount of user behavior information from the mobile signal system. A user behavior based EDBSCAN-smallest enclosing circle method to model the coverage hole is described and simulated. The result shows this model outperforms conventional models, besides being fast, precise and free of manual intervention.
    Research on Jersey and application in Web services
    2014, 35(Z1):  30-159. 
    To solve the problems of current Web components, namely poor scalability, weak interface generality and interaction delay, the lightweight REST architecture is put forward. Jersey is an implementation of the JAX-RS interface standard for the REST architecture. Through research on its connectivity, addressability, statelessness, stability and ease of use, a unified, efficient, fast and convenient client API for accessing the server is designed, providing different intelligent mobile terminals with unified Web application services.
    Improvement on moving object tracking method for network video surveillance
    2014, 35(Z1):  31-164. 
    To improve the performance of the traditional MeanShift algorithm based on the Kalman filter, the use of acceleration is proposed to solve the problem of the moving target changing direction abruptly. Another algorithm, which uses a simplified Camshift algorithm to keep track of the blob size, has low time complexity and meets the real-time requirement of network video surveillance.
    Research on tracking DDoS based on NTP reflection amplification attack
    Kai-da JIANG,Si-yu ZHANG,Qiang SUN
    2014, 35(Z1):  31-35.  doi:10.3969/j.issn.1000-436x.2014.z1.007

    Research and implementation of college students full information inquiry common information model
    2014, 35(Z1):  32-169. 
    A common information model for information query plays an important role in integrated data query for college students. A common information model for full information query is proposed. Based on an analysis of actual demand, the two concepts of structure of the data and card data are proposed. Through in-depth needs analysis, five basic elements are summarized: data entry model, data views, user roles, permissions management and root permissions. The model implementation is elaborated with regard to data source integration, data entry and other key issues. Practice shows that the model has a high degree of adaptability and practicality. It basically solves issues such as data entry permissions, role classification of staff, administrative-level permissions, and a variety of data sources.
    Research and implementation on college students internet addiction disorder and anti-addict system
    2014, 35(Z1):  33-177. 
    Based on traffic analysis on Cernet2, a new discovery mechanism for game service provider IP addresses is proposed, including the Boilerpipe text extraction algorithm and Stanford Chinese NLP, and this new general method and computing architecture for college student Internet addiction is realized. Three kinds of Internet addiction behaviors (online games, video viewing and social networking site visits) are analyzed, including the total hours spent, length of continuous addiction, frequency, and selected time of addiction. The concept of an Internet addiction disorder index is proposed, with Internet addiction disorder quantified through AHP. Finally, an Internet addiction prevention system is designed and implemented.
    Design and application research on management information system security architecture in digital campus
    2014, 35(Z1):  34-184. 
    To address the security threats and challenges facing university management information systems, a security architecture named 1C4GS was proposed. First, the connotation and function of the five important components of 1C4GS were expounded, namely the security management center, security communication network, security region boundary, security computing environment and security application. Then we used the “basic personal data reporting system” as an example to construct a management information system security arrangement application based on 1C4AS. This application integrated a variety of security technologies and strategies, such as transparent data encryption, user identification and form edit cache, as a whole, and achieved network security, border security, computing environment security and application security for the management information system.
    Wav-audio steganography algorithm based on amplitude modifying
    2014, 35(Z1):  36-40.  doi:10.3969/j.issn.1000-436x.2014.z1.001

    Algorithms in different effective domains are analysed, and a wav-audio steganography algorithm based on amplitude modifying is proposed. The secret audio is scrambled through a random number generator. The amplitude values of each sampling point group in the original audio are compared. The secret information bits are embedded as the amplitude values are modified. The embedding strength can be adjusted according to the key. Simulation results demonstrate that the hiding capacity of this algorithm is large and good invisibility can be achieved. The anti-steganalysis ability of this algorithm is good and blind extraction can be realized.

    New network technology and its application
    Net traffic identifier based on hierarchical clustering
    Wei DING,Jie XU,Weng-hui ZHUO
    2014, 35(Z1):  41-45.  doi:10.3969/j.issn.1000-436x.2014.z1.009

    An improved net traffic identifier algorithm was proposed based on semi-supervised clustering. Symmetrical uncertainty was used to reduce the net flow attributes, and then a kernel function was used to project the remaining attributes to a higher dimensional space. The training net flows were clustered hierarchically in the high dimensional space. A smooth factor, the silhouette coefficient and entropy controlled the clustering process to get a good result. Experiments show that the algorithm produced flat clusters without any huge cluster and could identify most net flows, even encrypted ones.

    Design and implementation of high-speed network traffic sensor for emergency response
    Ya-zhou MA,Jian GONG,Wang YANG
    2014, 35(Z1):  46-51.  doi:10.3969/j.issn.1000-436x.2014.z1.010

    In network analysis and tracking, network security emergency response needs an emergency sensor that captures raw packets of a specific IP, port and protocol. Based on the high-speed packet capture tool PF_RING DNA, the sensor uses multiple threads to capture network packets that match sensor rules and allocates a shared buffer to improve the performance of storing packets to disk. At the same time, by setting different states for each packet sensor rule, it implements adding sensor rules and human intervention dynamically. The experimental results show that in a dual 10 Gigabit NIC environment, the emergency sensor can capture and handle network traffic of 19.98 Gbit/s (3.5 Mpacket/s), and the maximum rate of the emergency sensor is 1 297 Mbit/s (204.9 kpacket/s).

    Study on modern malware analysis system
    Yi ZHAO,Jian GONG,Wang YANG
    2014, 35(Z1):  52-57.  doi:10.3969/j.issn.1000-436x.2014.z1.011

    The analysis of the network behavior of malicious code is an important research field in network security. This function in existing systems is incomplete and lacks depth. The functions of malicious code are summarized and a comprehensive account is presented. Moreover, the network behavior analysis function of existing analysis systems is introduced, and CUCKOO is found to satisfy the requirements of the study involved. Finally, the advantages and key points of this application platform are summarized, and an expansion of the system is proposed.

    Efficient-cutting packet classification algorithm based on the statistical decision tree
    Li-nan CHEN,Yang LIU,Yan MA,Xiao-hong HUANG,Qing-cong ZHAO,Wei WEI
    2014, 35(Z1):  58-64.  doi:10.3969/j.issn.1000-436x.2014.z1.012

    Packet classification algorithms based on decision trees are easy to implement and widely employed in high-speed packet classification. The primary objective in constructing a decision tree is to minimize storage and search time complexity. An improved decision-tree algorithm is proposed based on statistics and evaluation of filter sets. The HyperEC algorithm is a multi-dimensional packet classification algorithm. The proposed algorithm allows a tradeoff between storage and throughput while constructing the decision tree. Because it is not sensitive to IP address length, it is suitable for IPv6 packet classification as well as IPv4. The algorithm applies a natural and performance-guided decision-making process. The storage budget is preset and then the best throughput is achieved. The results show that the HyperEC algorithm outperforms the HiCuts and HyperCuts algorithms, improving storage and throughput performance and scaling to large filter sets.

    Virtualization and cloud computing
    PSO based task scheduling for medical big data
    Chao HU,Jun PENG,Wen-tao YU
    2014, 35(Z1):  65-71.  doi:10.3969/j.issn.1000-436x.2014.z1.013

    How to select a suitable task scheduling strategy for scheduling and allocating medical data query tasks inside each hospital is an important problem that needs to be dealt with in medical big data processing. In order to meet the optimal medical data corresponding time and optimal cost considered in task scheduling, an improved particle swarm algorithm was proposed. The algorithm constructs a dual fitness function of optimal time and optimal cost to adaptively adjust the inertia weight used in updating particle velocity, speed up the search for the optimal particle, find the most reasonable task scheduling scheme for data queries, and maximize the efficiency of medical data query on the medical information sharing platform. Experimental results demonstrate the effectiveness of the proposed algorithm.

    Method of KVM virtual machine live migration in cross-platform based on Cloudstack and OpenStack
    Nan ZHENG,Li-nan CHEN,Li-xiong ZHENG,Yan MA
    2014, 35(Z1):  72-75.  doi:10.3969/j.issn.1000-436x.2014.z1.014

    To allow KVM virtual machines created on the CloudStack platform to be identified and taken over correctly in an environment where CloudStack and OpenStack coexist, a method for live migration of KVM virtual machines from CloudStack to OpenStack is proposed. By combining the traditional KVM virtual machine migration method based on local storage with the characteristics of the CloudStack and OpenStack cloud computing platforms, and regrouping the documents related to virtual machine migration, we achieved the dynamic migration of virtual machines across platforms. The experimental results show that the method not only completes the KVM virtual machine migration task from CloudStack to OpenStack successfully, but also incurs no more time cost than the traditional method.

    IMISA:interconnection mechanism for IP subnet and SDN subnet in autonomous system
    Yan-wei SHI,Zheng CAO
    2014, 35(Z1):  76-81.  doi:10.3969/j.issn.1000-436x.2014.z1.015

    The interconnection mechanism between SDN networks and traditional IP networks has been a focus in academia, but the current solution cannot be used in every condition. To solve this problem, an architecture named IMISA, based on the OSPF protocol, was proposed. In an autonomous system with both an SDN subnet (based on OpenFlow) and an IP subnet, an OSPF routing module was added to the SDN controller to help exchange network information, so that the networks can finally communicate with each other.

    Campus network engineering
    Application of unified IP address management technologies in large-scale IPv4/IPv6 transition environment
    Zi-mu LI,Yi-qi FU,Li PAN
    2014, 35(Z1):  82-86.  doi:10.3969/j.issn.1000-436x.2014.z1.016

    Some basic requirements of IP address management (IPAM) in a large-scale IPv4/IPv6 transition environment across campus wired LAN and WLAN are summarized, and some special technologies of IPv6 address management, as well as some key operating technologies of the IPAM service in such an environment, are analyzed. Finally, a real deployment of the IPAM service in such a large-scale IPv4/IPv6 transition environment is introduced. Experience with a unified IPAM service oriented to next-generation wired LAN and WLAN is gathered.

    Build campus network authentication system based on centralized 802.1x
    Bin LIU,Yu-zhi HE,Yong ZHANG
    2014, 35(Z1):  87-90.  doi:10.3969/j.issn.1000-436x.2014.z1.017

    802.1x authentication was usually deployed in a distributed manner. However, with the expansion of the campus network and the increase in the number of control devices, the management of the equipment and the authentication system becomes very inconvenient. On the other hand, centralized 802.1x could not locate the terminal. The problem of terminal location under centralized 802.1x was solved by using the (NAS IP, Port, Vlan) three-tuple, Super Vlan and dynamic address allocation technology. The centralized 802.1x authentication system was tested in the Huazhong Science and Technology University campus network and achieved good results.

    Design and implement of integrative access layer in campus network
    Zhong-nan FU,Qun SHANG,Xu-xiao GONG
    2014, 35(Z1):  91-97.  doi:10.3969/j.issn.1000-436x.2014.z1.018

    At present, the access layer of the campus network has several problems, including a lagging wireless network, imbalanced resource deployment between the wired and wireless networks, and weak support for private local networks. To resolve these problems and make the access layer network better satisfy developing user demands, we give the definition of the integrative access layer network and implement it at Peking University. The results show that the integrative access layer network works well and improves the service provided by the campus network.

    Asymmetric routing detection based on flow records
    Hao-liang LAN,Wei DING,Zhen XIA
    2014, 35(Z1):  98-102.  doi:10.3969/j.issn.1000-436x.2014.z1.019

    The misconfiguration of border routers may cause asymmetric routing in campus networks that connect to multiple ISPs. A method named FARD was proposed to address this phenomenon. The method uses the connection-oriented transmission characteristics of TCP, combined with the home IP address, to locate IP addresses in the network that may be subject to asymmetric routing, based on the flow records provided by the router. Experiments on access router flow records from the main point of the CERNET network demonstrate the proposed method.

    Portal authentication HTTP redirection using netfilter NFQUEUE
    Huan-jie ZHANG,Yu-liang XIA
    2014, 35(Z1):  103-106.  doi:10.3969/j.issn.1000-436x.2014.z1.020

    When a portal is used for user authentication, an unauthorized user's HTTP access should be redirected to the portal login page to help the user authenticate. The netfilter NFQUEUE target is used to send unauthorized users' TCP port 80 packets to the user-space program redir_http. redir_http then sends IP reply packets to the user, with the help of a raw socket, to perform the HTTP redirection. Using NFQUEUE ensures high-performance redirection, avoids troublesome development in the Linux kernel, simplifies application development and improves system stability.

    Research at flat underlying network architecture of campus
    Chu-jian LIN,Si-hai ZHANG
    2014, 35(Z1):  107-112.  doi:10.3969/j.issn.1000-436x.2014.z1.021

    Through systematic analysis of the status quo of the campus network, we deployed a flat network core using BRAS and high-density switches. By deploying the accounting system in a bypass way and using IPOE access technology, combined with local-forwarding wireless networking and assisted by a linked logging system, we achieved unified user access authentication. We also optimized the network boundary by integrating a global security policy, Internet traffic optimization strategies based on application protocols, and the deployment of a caching system. Practice shows that the flat underlying network architecture improves network performance, meets the inherent requirements of the campus network and also improves users’ experience. A flat network architecture is feasible for campus networks.

    IPv6 Next generation Internet technology
    Mechanism for green unicast routing protection in multi-granularity transport networks
    Jun-ling SHI,Xing-wei WANG,Min HUANG
    2014, 35(Z1):  113-117.  doi:10.3969/j.issn.1000-436x.2014.z1.022

    The mechanism for green unicast routing protection is designed with consideration of quality of service (QoS) constraints, energy consumption and survivability under single link or node failure. The path is calculated under the QoS constraint based on the K-shortest path algorithm. Resource allocation is done on a multi-layer auxiliary graph, considering the minimum number of wavelength conversions. Three protection levels are provided according to service demands. The mechanism is implemented over the EON (Europe optical network) topology by simulation. Performance evaluation has been done on the blocking probability, the protecting/working resource ratio and the load balance degree, in comparison with a certain existing mechanism. It has been shown that the proposed mechanism is both feasible and effective.

    Research and practice on self-service terminal in smart campus
    Cheng-jie XING,Ling YUAN,Xu YANG,Tian-ping LAI,Zhi-kun ZHANG
    2014, 35(Z1):  118-123.  doi:10.3969/j.issn.1000-436x.2014.z1.023

    Aiming at the construction of a smart campus, a solution that uses self-service terminals to provide intelligent services for campus users was proposed. The features of the smart campus and the concept of self-service were expounded. Self-service terminal applications on campus were analyzed. An architecture was designed, including terminal hardware, terminal software, supporting software for monitoring and management, external service interfaces, etc. It was used as a blueprint for the development of a self-service terminal system on the Peking University campus. Practice shows that the self-service terminal system improves the intelligence level and efficiency of campus services.

    Terminals behavior testing research under IPv6 Wi-Fi
    Jie ZHANG,Qin ZHAO,Tian-le YANG
    2014, 35(Z1):  124-128.  doi:10.3969/j.issn.1000-436x.2014.z1.024

    Lacking essential data, carrier operators are afraid to promote IPv6 in the mobile Internet because they cannot forecast its influence on user experience. The behavior of current mainstream mobile terminals under IPv6 Wi-Fi was tested, the key points that affect user experience were analyzed, and the practicability of large-scale deployment of IPv6 in the mobile Internet was studied. The main steps of establishing the test platform are detailed. Test results show that IPv6 support in the operating systems and browsers with large market share is still imperfect. They lead to a worse user experience through poor internetworking, which is the main obstacle to promoting IPv6 in the mobile Internet.

    Development of log management system in CoolView
    Kai-shuo XU,Hua YUAN
    2014, 35(Z1):  129-133.  doi:10.3969/j.issn.1000-436x.2014.z1.025

    In order to realize normalized management of tasks such as auditing, tracking and warning in a video conference system, a log management subsystem structure was built using AOP. Its log module was designed with Syslog and Log4j technology and implemented using the SSH framework. The subsystem has also been embedded in the CoolView video conference system, where it provides foundation data for the daily operation and maintenance of CoolView.

    Low-power multicast routing algorithm in green Internet
    Jin-hong ZHANG,Xing-wei WANG,Min HUANG
    2014, 35(Z1):  134-140.  doi:10.3969/j.issn.1000-436x.2014.z1.026

    A path node-driven strategy based one-to-many multicast routing algorithm in green Internet (GIOMR) is proposed to generate a low-power shortest path tree, fully making use of the path node sharing paths and meanwhile improving user’s QoS satisfaction degree. The GIOMR is implemented over CERNET2 topology by simulation. It has been shown that GIOMR has better performance on the network power consumption, the success rate of routing and the running time than efficient heuristics for energy-aware routing (EHER) algorithm.

    Implementation and analysis of PANET
    Yu-xuan ZHANG,Shen YAN,Xi-wei XU
    2014, 35(Z1):  141-145.  doi:10.3969/j.issn.1000-436x.2014.z1.027

    Partial-state asymmetric NAT (PANAT) can translate any prefix of an IPv6 address seamlessly. With the PANAT method implemented using the Netfilter framework, both quantitative and qualitative research on PANET is carried out. Some suggestions are given for using PANET in a real environment through comparison of translation efficiency and host scale.

    Wireless mobile technology and its application
    User filtering based campus WLAN user clustering method
    Yi-hong QIU,Ting-juan YAO,Feng-lin QIN,Lian-sheng GE
    2014, 35(Z1):  146-149.  doi:10.3969/j.issn.1000-436x.2014.z1.028

    With the widespread use of smart terminals such as smart phones and smart pads, using the MAC address as user identification in campus wireless local area network (WLAN) user clustering research cannot exactly represent user behavior. A user clustering method based on user filtering is proposed. This method filters users’ behavior data by their degree of activeness, and then conducts clustering analysis of campus WLAN user behavior. The experimental result verifies the effectiveness of the proposed method.

    Research on Jersey and application in Web services
    Yi-ming CHEN,Li-nan CHEN
    2014, 35(Z1):  150-159.  doi:10.3969/j.issn.1000-436x.2014.z1.030

    To solve the problems of current Web components, such as poor scalability, weak interface generality and long interaction delay, the lightweight REST architecture is put forward. Jersey is an implementation of the JAX-RS interface standard for the REST architecture. Through research on its connectivity, addressability, statelessness, stability and ease of use, a unified, efficient, fast and convenient Client API for accessing the server is designed, providing unified Web application services for different intelligent mobile terminals.

    Digital campus and its application
    Improvement on moving object tracking method for network video surveillance
    Guang-xing HAN,Chong-rong LI
    2014, 35(Z1):  160-164.  doi:10.3969/j.issn.1000-436x.2014.z1.031

    To improve the performance of the traditional MeanShift algorithm based on the Kalman filter, the use of acceleration is proposed to solve the problem of a moving target changing direction abruptly. Another algorithm, which uses a simplified Camshift algorithm to keep track of the blob size, has low time complexity and meets the real-time requirement of network video surveillance.

    Research and implementation of college students full information inquiry common information model
    Tian-ping LAI,Su-mei WANG,Yi-ming PENG,Miao SHEN,Zhi-tong GAO
    2014, 35(Z1):  165-169.  doi:10.3969/j.issn.1000-436x.2014.z1.032

    The common information model for information query plays an important role in integrated data query for college students. A common information model for full information query is proposed. Based on an analysis of actual demand, two concepts, structure of the data and card data, are proposed. Through in-depth needs analysis, five basic elements are summarized: data entry model, data views, user roles, permissions management and root permissions. The model implementation is elaborated with respect to data source integration, data entry and other key issues. Practice shows that the model has a high degree of adaptation and practicality. It basically solves issues such as data entry permissions, staff role classification, administrative-level permissions and a variety of data sources.

    Research and implementation on college students internet addiction disorder and anti-addict system
    Hai-zhuo LIN,Ji-long WANG,Yi-zhe ZHANG,Jing ZHU
    2014, 35(Z1):  170-177.  doi:10.3969/j.issn.1000-436x.2014.z1.033

    Based on traffic analysis on Cernet2, a new mechanism for discovering the IP addresses of game service providers is proposed, using the Boilerpipe text extraction algorithm and Stanford Chinese NLP, and a general method and computing architecture for college student Internet addiction are realized. Three kinds of Internet addiction behavior (online games, video viewing and visits to social networking sites) are analyzed, including total hours spent, length of continuous addiction, frequency and selected time of addiction. The concept of an Internet addiction disorder index is proposed, with the Internet addiction disorder quantified through AHP. Finally, an Internet addiction prevention system is designed and implemented.

    Design and application research on management information system security architecture in digital campus
    Xin-zheng LONG,Cheng-jie XING,Rong-bin OUYANG,Qian-yi WANG,Li LI,Yun-feng LIU
    2014, 35(Z1):  178-184.  doi:10.3969/j.issn.1000-436x.2014.z1.034

    To address the security threats and challenges facing university management information systems, a security architecture named 1C4GS was proposed. First, the connotation and function of the five important components of 1C4GS were expounded, namely the security management center, security communication network, security region boundary, security computing environment and security application. Then we used the “basic personal data reporting system” as an example to construct a management information system security arrangement application based on 1C4AS. This application integrated a variety of security technologies and strategies, such as transparent data encryption, user identification and form edit cache, as a whole, and achieved network security, border security, computing environment security and application security for the management information system.

Copyright Information
Authorized by: China Association for Science and Technology
Sponsored by: China Institute of Communications
Editor-in-Chief: Zhang Ping
Associate Editor-in-Chief:
Zhang Yanchuan, Ma Jianfeng, Yang Zhen, Shen Lianfeng, Tao Xiaofeng, Liu Hualu
Editorial Director: Wu Nada, Zhao Li
Address: F2, Beiyang Chenguang Building, Shunbatiao No.1 Courtyard, Fengtai District, Beijing, China
Post: 100079
Tel: 010-53933889, 53878169, 53859522, 010-53878236
Email: xuebao@ptpress.com.cn
Email: txxb@bjxintong.com.cn
ISSN 1000-436X
CN 11-2102/TN