Modern network security devices employ packet classification and pattern matching algorithms to inspect packets. Due to the complexity and heterogeneity of different search data structures, it is difficult for existing algorithms to leverage modern hardware platforms to achieve high performance. This paper presents a Structural Compression (SC) method that optimizes the data structures of both algorithms. It reviews both algorithms under the model of search space decomposition, and homogenizes their search data structures. This approach not only guarantees deterministic lookup speed but also optimizes the data structure for efficient implementation on many-core platforms. The performance evaluation reveals that the homogeneous data structure achieves 10 Gbps line-rate 64-byte packet classification throughput and multi-Gbps deep inspection speed.
This paper investigates the social-aware cooperation (SAC) among mobile terminals (MTs), motivated by the fact that modern smart devices have much improved context awareness. Aware of the social ties, the cooperative network contains two layers of property: social and physical. In order to observe how the social awareness benefits the cooperation performance, we first formulate the social ties between MTs into parameters that can describe the cooperative behaviors by taking the mobility feature into account, defined as the conviction-approval-suspicion (CAS) model. Limited by the processing capability, partner selection is of great practical significance. To this end, the social-aware partner selection strategy is analyzed, and a significant superiority is observed compared to social-unaware selection. By analyzing the cooperative throughput, an explicit relationship between the degrees-of-freedom gain and the social-physical property is finally derived. Simulation results validate the theoretical analysis.
A data center is an infrastructure that supports Internet service. Cloud computing is rapidly changing the face of the Internet service infrastructure, enabling even small organizations to quickly build Web and mobile applications for millions of users by taking advantage of the scale and flexibility of shared physical infrastructures provided by cloud computing. In this scenario, multiple tenants save their data and applications in shared data centers, blurring the network boundaries between each tenant in the cloud. In addition, different tenants have different security requirements, while different security policies are necessary for different tenants. Network virtualization is used to meet a diverse set of tenant-specific requirements with the underlying physical network enabling multi-tenant datacenters to automatically address a large and diverse set of tenants' requirements. In this paper, we propose the system implementation of vCNSMS, a collaborative network security prototype system used in a multi-tenant data center. We demonstrate vCNSMS with a centralized collaborative scheme and deep packet inspection with an open source UTM system. A security level based protection policy is proposed for simplifying the security rule management for vCNSMS. Different security levels have different packet inspection schemes and are enforced with different security plugins. A smart packet verdict scheme is also integrated into vCNSMS for intelligence flow processing to protect from possible network attacks inside a data center network.
Cascading failures are common phenomena in many real-world networks, such as power grids, the Internet, transportation networks and social networks. It's worth noting that once one or a few users on a social network are unavailable for some reason, they are more likely to influence a large portion of the social network. Therefore, an effective mitigation strategy is very critical for avoiding or reducing the impact of cascading failures. In this paper, we firstly quantify the user loads and construct the processes of cascading dynamics, then elaborate the more reasonable mechanism of sharing the extra user loads with considering the features of social networks, and further propose a novel mitigation strategy on social networks against cascading failures. Based on the real-world social network datasets, we evaluate the effectiveness and efficiency of the novel mitigation strategy. The experimental results show that this mitigation strategy can reduce the impact of cascading failures effectively and maintain the network connectivity better with lower cost. These findings are very useful for rationally advertising and may be helpful for avoiding various disasters of cascading failures on many real-world networks.
Network traffic classification plays an important role and benefits many practical network issues, such as Next-Generation Firewalls (NGFW), Quality of Service (QoS), etc. To face the challenges brought by modern high speed networks, many inspiring solutions have been proposed to enhance traffic classification. However, taking many factual network conditions into consideration, e.g., diversity of network environment, traffic classification methods based on Deep Inspection (DI) technique still occupy the top spot in actual usage. In this paper, we propose a novel classification system employing Deep Inspection technique, aiming to achieve Parallel Protocol Parsing (PPP). We start with an analytical study of the existing popular DI methods, namely, regular expression based methods and protocol parsing based methods. Motivated by their relative merits, we extend traditional protocol parsers to achieve parallel matching, which is the representative merit of regular expression. We build a prototype system, and evaluation results show that significant improvement has been made compared to existing open-source solutions in terms of both memory usage and throughput.
Traffic classification is critical to effective network management. However, more and more proprietary, encrypted, and dynamic protocols make traditional traffic classification methods less effective. A Message and Command Correlation (MCC) method was developed to identify interactive protocols (such as P2P file sharing protocols and Instant Messaging (IM) protocols) by session analyses. Unlike traditional packet-based classification approaches, this method exploits application session information by clustering packets into application messages which are used for further classification. The efficacy and accuracy of the MCC method were evaluated with real world traffic, including P2P file sharing protocols Thunder and BitTorrent, and IM protocols QQ and GTalk. The tests show that the false positive rate is less than 3% and the false negative rate is below 8%, and that MCC only needs to check 8.7% of the packets or 0.9% of the traffic. Therefore, this approach has great potential for accurately and quickly discovering new types of interactive application protocols.
Strain-relaxed SiGe virtual substrates are of great importance for fabricating strained Si materials. Instead of using the graded buffer method to obtain fully relaxed SiGe film, in this study a new method to obtain relaxed SiGe film and strained Si film with much thinner SiGe film was proposed. An almost fully relaxed thin SiGe buffer layer was obtained by Si/SiGe/Si multi-structure oxidation and SiO2 layer removal before SiGe regrowth. Raman spectroscopy analysis indicates that the regrown SiGe film has a strain relaxation ratio of about 93% while the Si cap layer has a strain of 0.63%. AFM shows good surface roughness. This new method is proved to be a useful approach to fabricate thin relaxed epilayers and strained Si films.
China Unicom, the largest WCDMA 3G operator in China, meets the requirements of the historical Mobile Internet Explosion, or the surging of Mobile Internet Traffic from mobile terminals. According to the internal statistics of China Unicom, mobile user traffic has increased rapidly with a Compound Annual Growth Rate (CAGR) of 135%. Currently China Unicom monthly stores more than 2 trillion records, data volume is over 525 TB, and the highest data volume has reached a peak of 5 PB. Since October 2009, China Unicom has been developing a home-brewed big data storage and analysis platform based on the open source Hadoop Distributed File System (HDFS) as it has a long-term strategy to make full use of this Big Data. All Mobile Internet Traffic is well served using this big data platform. Currently, the writing speed has reached 1 390 000 records per second, and the record retrieval time in the table that contains trillions of records is less than 100 ms. To take advantage of this opportunity to be a Big Data Operator, China Unicom has developed new functions and has multiple innovations to solve space and time constraint challenges presented in data processing. In this paper, we will introduce our big data platform in detail. Based on this big data platform, China Unicom is building an industry ecosystem based on Mobile Internet Big Data, and considers that a telecom operator centric ecosystem can be formed that is critical to reach prosperity in the modern communications business.
Smartphones and mobile tablets are rapidly becoming indispensable in daily life. Android has been the most popular mobile operating system since 2012. However, owing to the open nature of Android, countless malwares are hidden in a large number of benign apps in Android markets that seriously threaten Android security. Deep learning is a new area of machine learning research that has gained increasing attention in artificial intelligence. In this study, we propose to associate the features from the static analysis with features from dynamic analysis of Android apps and characterize malware using deep learning techniques. We implement an online deep-learning-based Android malware detection engine (Droid Detector) that can automatically detect whether an app is a malware or not. With thousands of Android apps, we thoroughly test Droid Detector and perform an in-depth analysis on the features that deep learning essentially exploits to characterize malware. The results show that deep learning is suitable for characterizing Android malware and especially effective with the availability of more training data. Droid Detector can achieve 96.76% detection accuracy, which outperforms traditional machine learning techniques. An evaluation of ten popular anti-virus software products demonstrates the urgency of advancing our capabilities in Android malware detection.
With the explosion of network bandwidth and the ever-changing requirements for diverse network-based applications, the traditional processing architectures, i.e., general purpose processor (GPP) and application specific integrated circuits (ASIC), cannot provide sufficient flexibility and high performance at the same time. Thus, the network processor (NP) has emerged as an alternative to meet these dual demands for today's network processing. The NP combines embedded multi-threaded cores with a rich memory hierarchy that can adapt to different networking circumstances when customized by the application developers. In today's NP architectures, multithreading prevails over cache mechanism, which has achieved great success in GPP to hide memory access latencies. This paper focuses on the efficiency of the cache mechanism in an NP. Theoretical timing models of packet processing are established for evaluating cache efficiency and experiments are performed based on real-life network backbone traces. Testing results show that an improvement of nearly 70% can be gained in throughput with assistance from the cache mechanism. Accordingly, the cache mechanism is still efficient and irreplaceable in network processing, despite the existence of multithreading.
Modern datacenter and enterprise networks require application identification to enable granular traffic control that either improves data transfer rates or ensures network security. Providing application visibility as a core network function is challenging due to its performance requirements, including high throughput, low memory usage, and high identification accuracy. This paper presents a payload-based application identification method using a signature matching engine utilizing characteristics of the application identification. The solution uses two-stage matching and pre-classification to simultaneously improve the throughput and reduce the memory. Compared to a state-of-the-art common regular expression engine, this matching engine achieves 38% memory use reduction and triples the throughput. In addition, the solution is orthogonal to most existing optimization techniques for regular expression matching, which means it can be leveraged to further increase the performance of other matching algorithms.
With the proliferation of cloud services and development of fine-grained virtualization techniques, the Cloud Management System (CMS) is required to manage multiple resources efficiently for the large-scale, high-density computing units. Specifically, providing guaranteed networking Service Level Agreement (SLA) has become a challenge. This paper proposes MN-SLA (Modular Networking SLA), a framework to provide networking SLA and to enable its seamless integration with existing CMSes. Targeting a modular, general, robust, and efficient design, MN-SLA abstracts general interacting Application Programming Interfaces (APIs) between CMS and SLA subsystem, and it is able to accomplish the integration with minor modifications to CMS. The evaluations based on large scale simulation show that the proposed networking SLA scheduling is promising in terms of resource utilization, being able to accommodate at least 1.4x the number of instances of its competitors.
Curve and surface blending is an important operation in CAD systems, in which a non-uniform rational B-spline (NURBS) has been used as the de facto standard. In local corner blending, two curves intersecting at that corner are first made disjoint, and then the third blending curve is added in to smoothly join the two curves with G^1- or G^2-continuity. In this paper we present a study to solve the joint problem based on curve extension. The following nice properties of this extension algorithm are exploited in depth: (1) The parameterization of the original shapes does not change; (2) No additional fragments are created. Various examples are presented to demonstrate that our solution is simple and efficient.
Most types of Software-Defined Networking (SDN) architectures employ reactive rule dispatching to enhance real-time network control. The rule dispatcher, as one of the key components of the network controller, generates and dispatches the cache rules in response to the packet-in messages from the forwarding devices. It is important not only for ensuring semantic integrity between the control plane and the data plane, but also for preserving the performance and efficiency of the forwarding devices. In theory, generating the optimal cache rules on demand is a knotty problem due to its high theoretical complexity. In practice, however, the characteristics lying in real-life traffic and rule sets demonstrate that temporal and spatial localities can be leveraged by the rule dispatcher to significantly reduce computational overhead. In this paper, we take a deep-dive into the reactive rule dispatching problem through modeling and complexity analysis, and then we propose a set of algorithms named Hierarchy-Based Dispatching (HBD), which exploits the nesting hierarchy of rules to simplify the theoretical model of the problem, and trades the strict coverage optimality off for a more practical but still superior rule generation result. Experimental results show that HBD achieves performance gain in terms of rule cache capability and rule storage efficiency against the existing approaches.
This article presents the formal definition and description of popular topics on the Internet, analyzes the relationship between popular words and topics, and finally introduces a method that uses statistics and correlation of the popular words in traffic content and network flow characteristics as input for extracting popular topics on the Internet. Based on this, this article adapts a clustering algorithm to extract popular topics and gives formalized results. The test results show that this method has an accuracy of 16.7% in extracting popular topics on the Internet. Compared with web mining and topic detection and tracking (TDT), it can provide a more suitable data source for effective recovery of Internet public opinions.
Funding: supported by the National Basic Research Program of China (2013CB329001); the National Natural Science Foundation of China (61132002, 61201186)
Funding: supported in part by the National Key Basic Research and Development (973) Program of China (Nos. 2013CB228206 and 2012CB315801); the National Natural Science Foundation of China (Nos. 61233016 and 61140320); supported by the Intel Research Council with the title of "Security Vulnerability Analysis based on Cloud Platform with Intel IA Architecture"; Huawei Corp
Funding: supported by the National Key Technology R&D Program of China under Grant No. 2012BAH46B04
Funding: supported by the National Key Technology R&D Program of China under Grant No. 2012BAH46B04
Funding: Supported by the National Natural Science Foundation of China (Nos. 60833004 and 60970002). Prof. Yingfei Dong's current research is supported in part by US NSF (Nos. CNS-1041739, CNS-1120902, CNS-1018971, and CNS-1127875)
Funding: This project was financially supported by the National Natural Science Foundation of China (No. 60476017).
Funding: supported in part by the National Key Basic Research and Development (973) Program of China (Nos. 2013CB228206 and 2012CB315801); the National Natural Science Foundation of China (Nos. 61233016 and 61140320); supported by the Intel Research Council under the title of "Security Vulnerability Analysis Based on Cloud Platform with Intel IA Architecture"
Funding: Supported by the Basic Research Foundation of Tsinghua National Laboratory for Information Science and Technology (TNList); the National High-Tech Research and Development (863) Program of China (No. 2007AA01Z468)
Funding: Supported by the National High-Tech Research and Development (863) Program of China (No. 2007AA01Z468)
Abstract: Modern datacenter and enterprise networks require application identification to enable granular traffic control that either improves data transfer rates or ensures network security. Providing application visibility as a core network function is challenging due to its performance requirements, including high throughput, low memory usage, and high identification accuracy. This paper presents a payload-based application identification method using a signature matching engine utilizing characteristics of the application identification. The solution uses two-stage matching and pre-classification to simultaneously improve the throughput and reduce the memory. Compared to a state-of-the-art common regular expression engine, this matching engine achieves 38% memory use reduction and triples the throughput. In addition, the solution is orthogonal to most existing optimization techniques for regular expression matching, which means it can be leveraged to further increase the performance of other matching algorithms.
Abstract: With the proliferation of cloud services and development of fine-grained virtualization techniques, the Cloud Management System (CMS) is required to manage multiple resources efficiently for the large-scale, high-density computing units. Specifically, providing guaranteed networking Service Level Agreement (SLA) has become a challenge. This paper proposes MN-SLA (Modular Networking SLA), a framework to provide networking SLA and to enable its seamless integration with existing CMSes. Targeting a modular, general, robust, and efficient design, MN-SLA abstracts general interacting Application Programming Interfaces (APIs) between CMS and SLA subsystem, and it is able to accomplish the integration with minor modifications to CMS. The evaluations based on large scale simulation show that the proposed networking SLA scheduling is promising in terms of resource utilization, being able to accommodate at least 1.4x the number of instances of its competitors.
Funding: Supported by the National Natural Science Foundation of China (Nos. 60603085 and 60736019), the Hi-Tech Research and Development (863) Program of China (No. 2007AA01Z336), and Tsinghua Basic Research Foundation, China # Expanded based on "Note on industrial applications of Hu’s surface
Abstract: Curve and surface blending is an important operation in CAD systems, in which a non-uniform rational B-spline (NURBS) has been used as the de facto standard. In local corner blending, two curves intersecting at that corner are first made disjoint, and then the third blending curve is added in to smoothly join the two curves with G^1- or G^2-continuity. In this paper we present a study to solve the joint problem based on curve extension. The following nice properties of this extension algorithm are exploited in depth: (1) The parameterization of the original shapes does not change; (2) No additional fragments are created. Various examples are presented to demonstrate that our solution is simple and efficient.
Abstract: Most types of Software-Defined Networking (SDN) architectures employ reactive rule dispatching to enhance real-time network control. The rule dispatcher, as one of the key components of the network controller, generates and dispatches the cache rules in response to the packet-in messages from the forwarding devices. It is important not only for ensuring semantic integrity between the control plane and the data plane, but also for preserving the performance and efficiency of the forwarding devices. In theory, generating the optimal cache rules on demand is a knotty problem due to its high theoretical complexity. In practice, however, the characteristics lying in real-life traffic and rule sets demonstrate that temporal and spatial localities can be leveraged by the rule dispatcher to significantly reduce computational overhead. In this paper, we take a deep dive into the reactive rule dispatching problem through modeling and complexity analysis, and then we propose a set of algorithms named Hierarchy-Based Dispatching (HBD), which exploits the nesting hierarchy of rules to simplify the theoretical model of the problem, and trades the strict coverage optimality off for a more practical but still superior rule generation result. Experimental results show that HBD achieves performance gain in terms of rule cache capability and rule storage efficiency against the existing approaches.
Funding: Supported by the National Natural Science Foundation of China (Grant No. 60574087), the Hi-Tech Research and Development Program of China (2007AA01Z475, 2007AA01Z480, 2007A-A01Z464), and the 111 International Collaboration Program of China.
Abstract: This article presents the formal definition and description of popular topics on the Internet, analyzes the relationship between popular words and topics, and finally introduces a method that uses statistics and correlation of the popular words in traffic content and network flow characteristics as input for extracting popular topics on the Internet. Based on this, this article adapts a clustering algorithm to extract popular topics and gives formalized results. The test results show that this method has an accuracy of 16.7% in extracting popular topics on the Internet. Compared with web mining and topic detection and tracking (TDT), it can provide a more suitable data source for effective recovery of Internet public opinions.