Multicast receiver access control by IGMP-AC
Original Research Article, Computer Networks

IP multicast is best known for its bandwidth conservation and lower resource utilization. The present service model of multicast makes it difficult to restrict access to authorized End Users (EUs) or paying customers. Without an effective receiver access control, an adversary may exploit the existing IP multicast model, where a host or EU can join any multicast group by sending an Internet Group Management Protocol (IGMP) join message without prior authentication and authorization. We have developed a novel, scalable and secured access control architecture for IP multicast that deploys Authentication, Authorization and Accounting (AAA) protocols to control group membership. The principal feature of the access control architecture, receiver access control, is addressed in this paper. The EU or host informs the multicast Access Router (AR) of its interest in receiving multicast traffic using the IGMP protocol. We propose the necessary extensions of IGMPv3 to carry AAA information, called IGMP with Access Control (IGMP-AC). For EU authentication, IGMP-AC encapsulates Extensible Authentication Protocol (EAP) packets. EAP is an authentication framework that provides some common functions and a negotiation of the desired authentication mechanism. Thus, IGMP-AC can support a variety of authentications by encapsulating different EAP methods. Furthermore, we have modeled the IGMP-AC protocol in PROMELA, and also verified the model using SPIN. We have illustrated the EAP encapsulation method with an example EAP method, EAP Internet Key Exchange (EAP-IKEv2). We have used AVISPA to validate the security properties of the EAP-IKEv2 method in pass-through mode, which fits within the IGMP-AC architecture. Finally, we have extended our previously developed access control architecture to accomplish inter-domain receiver access control and demonstrated the applicability of IGMP-AC in a multi-domain environment.

Article Outline
1. Introduction
2. Background work
  2.1. Internet Group Management Protocol (IGMP)
  2.2. AAA protocols
  2.3. Access control architecture with e-commerce communication
    2.3.1. Participant access control
    2.3.2. e-Commerce communication
    2.3.3. Policy enforcement
    2.3.4. Limitation of the architecture
3. Problem definition
  3.1. Effects of forged IGMP report messages
  3.2. Goals of receiver access control
  3.3. Group key management vs. receiver access control
  3.4. Relationship of receiver access control to key management and accounting
  3.5. Receiver access control through extended IGMP
    3.5.1. Coupling access control with IGMP
    3.5.2. Extending the IGMPv3 protocol
4. Related work
5. IGMP with Access Control (IGMP-AC)
  5.1. Requirements
  5.2. Protocol descriptions
    5.2.1. Host behavior
    5.2.2. Role of AAA Server (AAAS)
    5.2.3. Role of Access Router (AR)
  5.3. Additional messages
  5.4. Required reception states
    5.4.1. Reception states maintained by the host
    5.4.2. Reception states maintained by the AR
  5.5. Securing IGMP-AC messages
6. Verification of IGMP-AC using SPIN
  6.1. Model description
  6.2. Verification results
7. Authentication using EAP
  7.1. EAP encapsulation over IGMP-AC
  7.2. EAP-IKEv2 protocol
  7.3. Enhanced security for IGMP-AC messages
8. Validation of EAP-IKEv2 method using AVISPA
  8.1. Security properties of the EAP-IKEv2 method
  8.2. The peer-to-peer model
    8.2.1. Limitations of the peer-to-peer model
    8.2.2. Security goals
    8.2.3. Finding the attack
    8.2.4. Securing the peer-to-peer model
  8.3. The pass-through model
9. Inter-domain receiver access control
  9.1. Diameter agents
  9.2. Proposed inter-domain architecture
    9.2.1. Enforcing secured-group status for inter-domain groups
    9.2.2. IGMP-AC behavior
    9.2.3. Distributed vs. centralized database
10. Discussion
  10.1. Scalability
  10.2. Delay in packet delivery
  10.3. Message complexity
  10.4. Mobility of End Users
11. Conclusion and future work
Acknowledgements
References

Zone-based virtual backbone formation in wireless ad hoc networks
Original Research Article, Ad Hoc Networks

An efficient protocol for clustering and backbone formation is one of the most important issues in wireless ad hoc networks. Connected dominating set (CDS) formation is a promising approach for constructing a virtual backbone. However, finding the minimum CDS in an arbitrary graph is an NP-hard problem. In this paper, we present a novel zone-based distributed algorithm for CDS formation in wireless ad hoc networks. In this Zone algorithm, we combine the zone and level concepts to sparsify the CDS constructed by previous well-known approaches. Therefore, this proposed algorithm can significantly reduce the CDS size. In particular, we partition the wireless network into different zones, construct a dominating tree for each zone and connect adjacent zones by inserting additional connectors into the final CDS (at the zone borders). Our comprehensive simulation study using a custom simulator shows that this zone-based algorithm is more effective than previous approaches. The number of nodes in the CDS formed by this Zone algorithm is up to around 66% less than that constructed by others. Moreover, we also compare the performance of the Zone algorithm with some recently proposed CDS formation protocols in the ns2 simulator.

Article Outline
1. Introduction
2. Related work
3. Network assumptions and preliminaries
4. Zone-based CDS formation algorithm
  4.1. Overview
  4.2. Degree based algorithm
    4.2.1. Zone partition
    4.2.2. Dominating tree formation
    4.2.3. Adjustment along the zone borders
    4.2.4. Example
5. Performance analysis
6. Discussions
  6.1. Approximation ratio and network model
  6.2. Implementation issues
  6.3. Backbone maintenance
7. Experimental results
  7.1. Simulation in ideal networks
    7.1.1. Size of CDS
    7.1.2. Node degree in the CDS
    7.1.3. Hop stretch
    7.1.4. Message overhead
  7.2. Simulation in realistic networks
    7.2.1. Simulation setup
    7.2.2. Performance evaluation in ns2
8. Conclusion and future work
Acknowledgements
References

Model-Based Development of firewall rule sets: Diagnosing model inconsistencies

The design and management of firewall rule sets is a very difficult and error-prone task because of the difficulty of translating access control requirements into complex low-level firewall languages. Although high-level languages have been proposed to model firewall access control lists, none has been widely adopted by the industry. We think that the main reason is that their complexity is close to that of many existing low-level languages. In addition, none of the high-level languages that automatically generate firewall rule sets verifies the model prior to the code-generation phase. Error correction in the early stages of the development process is cheaper compared to the cost associated with correcting errors in the production phase. In addition, errors generated in the production phase usually have a huge impact on the reliability and robustness of the generated code and final system. In this paper, we propose the application of the ideas of Model-Based Development to firewall access control list modelling and automatic rule set generation. First, an analysis of the most widely used firewall languages in the industry is conducted. Next, a Platform-Independent Model for firewall ACLs is proposed. This model is the result of exhaustive analysis and of a discussion of different alternatives for models in a bottom-up methodology. Then, it is proposed that a verification stage be added in the early stages of the Model-Based Development methodology, and a polynomial time complexity process and algorithms are proposed to detect and diagnose inconsistencies in the Platform-Independent Model. Finally, a theoretical complexity analysis and empirical tests with real models were conducted, in order to prove the feasibility of our proposal in real environments.

Article Outline
1. Introduction
2. Firewall open problems: Related works
  2.1. Rule set design
  2.2. Consistency and redundancy diagnosis
  2.3. Rule set conformity
3. Model-Based Development for firewalls
  3.1. Verification and Validation of Models in MBD
4. A PIM for firewalls
  4.1. PIM construction alternatives
    4.1.1. Factorization of selectors
    4.1.2. Aggregation of selectors
    4.1.3. Customization of selectors
  4.2. Platform-Independent Model, PIM
    4.2.1. Addition of non-common selectors
    4.2.2. Adding more syntaxes to selectors
  4.3. PIM specification for firewall ACLs
  4.4. Example
5. PIM verification: consistency-based diagnosis process
  5.1. Step 1. Detection of inconsistent pairs of rules
  5.2. Step 2. Identification of the set of conflicting rules
  5.3. Experimental results
6. Conclusions and future works
Acknowledgements
Annex I. Comparative analysis of firewall filtering selectors
  I.1. Source and Destination addresses (Table I.1)
  I.2. Interface (Table I.2)
  I.3. Interface direction (Table I.3)
  I.4. Protocol (Table I.4)
  I.5. Source and Destination ports (Table I.5)
  I.6. TCP flags (Table I.6)
  I.7. TCP options (Table I.7)
  I.8. ICMP type (Table I.8)
  I.9. IP options (Table I.9)
  I.10. IP version (Table I.10)
  I.11. Source and Destination MAC addresses (Table I.11a and Table I.11b)
  I.12. Type of Service (ToS) (Table I.12)
  I.13. Time to Live (TTL) (Table I.13)
  I.14. Actions (Table I.14)
Annex II. Firewall PIM represented as XML Schema
References
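The abstract above describes a two-step, polynomial-time diagnosis of a Platform-Independent Model: first detect inconsistent pairs of rules, then identify the set of conflicting rules. The following is an added example written for this page, not code from the paper or its PIM: it uses an assumed rule schema (source/destination network, protocol set, destination port range, action), pairwise classification names borrowed from the firewall-anomaly literature (shadowing, correlation, generalization, redundancy), and a constructed five-rule sample. The treatment of a later, more general rule with a different action as a non-conflict is also an assumption (it is the usual exception-then-default pattern), as is the choice to group only shadowing and correlation pairs into conflict sets.

```python
"""Pairwise inconsistency diagnosis of a platform-independent firewall rule set.
Added example, not the paper's algorithm: schema, relation names and the sample
rules are assumptions made for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    rid: str
    src: IPv4Network
    dst: IPv4Network
    proto: FrozenSet[str]        # e.g. {"tcp"} or {"tcp", "udp", "icmp"}
    dport: Tuple[int, int]       # inclusive destination port range
    action: str                  # "allow" or "deny"


def rule(rid, src, dst, proto, dport, action) -> Rule:
    return Rule(rid, ip_network(src), ip_network(dst), frozenset(proto), dport, action)


def _overlap(a: Rule, b: Rule) -> bool:
    """Some packet can match both rules: every selector intersects."""
    return (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and bool(a.proto & b.proto)
            and a.dport[0] <= b.dport[1] and b.dport[0] <= a.dport[1])


def _subset(a: Rule, b: Rule) -> bool:
    """Every packet matched by a is also matched by b: each selector of a is within b's."""
    return (a.src.subnet_of(b.src) and a.dst.subnet_of(b.dst)
            and a.proto <= b.proto
            and b.dport[0] <= a.dport[0] and a.dport[1] <= b.dport[1])


def classify_pair(earlier: Rule, later: Rule) -> Optional[str]:
    """Relation between two rules in evaluation order, or None if nothing to report."""
    if not _overlap(earlier, later):
        return None
    same = earlier.action == later.action
    if _subset(later, earlier):                 # later rule can never fire
        return "redundancy" if same else "shadowing"
    if _subset(earlier, later):                 # earlier rule is an exception to the later one
        return "redundancy" if same else "generalization"
    return None if same else "correlation"      # partial overlap, different actions


def detect_inconsistent_pairs(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Step 1: O(n^2) scan over ordered pairs."""
    findings = []
    for earlier, later in combinations(rules, 2):
        rel = classify_pair(earlier, later)
        if rel:
            findings.append((earlier.rid, later.rid, rel))
    return findings


CONFLICT_RELATIONS = {"shadowing", "correlation"}   # assumption: these defeat the later rule's intent


def conflicting_rule_sets(rules: List[Rule], findings) -> List[List[str]]:
    """Step 2: connected components of the conflict graph (union-find)."""
    parent: Dict[str, str] = {r.rid: r.rid for r in rules}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b, rel in findings:
        if rel in CONFLICT_RELATIONS:
            parent[find(a)] = find(b)
    groups: Dict[str, List[str]] = {}
    for r in rules:
        groups.setdefault(find(r.rid), []).append(r.rid)
    return [g for g in groups.values() if len(g) > 1]


# Constructed sample rule set (evaluation order R1..R5).
SAMPLE_RULES = [
    rule("R1", "10.0.0.0/8",  "192.168.1.10/32", {"tcp"}, (80, 80), "allow"),
    rule("R2", "10.0.1.0/24", "192.168.1.10/32", {"tcp"}, (80, 80), "deny"),    # shadowed by R1
    rule("R3", "10.0.0.0/16", "192.168.1.0/24",  {"tcp"}, (1, 1024), "deny"),   # correlates with R1
    rule("R4", "0.0.0.0/0",   "192.168.1.53/32", {"udp"}, (53, 53), "allow"),
    rule("R5", "0.0.0.0/0",   "0.0.0.0/0", {"tcp", "udp", "icmp"}, (0, 65535), "deny"),  # default deny
]


def diagnose(rules: List[Rule] = SAMPLE_RULES):
    findings = detect_inconsistent_pairs(rules)
    return findings, conflicting_rule_sets(rules, findings)
```

On the sample, step 1 reports R2 as shadowed by R1 (same packets, opposite action, R2 can never fire), R1/R3 as correlated (partial overlap with opposite actions, so which one wins depends on the packet), and R1/R4 as generalizations of the default deny R5; step 2 groups R1, R2 and R3 into one conflict set for the administrator to resolve together. Pairwise relations ignore the rules between a pair, which is why the grouping step matters: R2 looks redundant with R3 in isolation, but it is R1 that actually captures its traffic.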
An intelligent backbone formation algorithm for wireless ad hoc networks based on distributed learning automata
Original Research Article, Computer Networks

In wireless ad hoc networks, due to the dynamic topology changes, multi-hop communications and strict resource limitations, routing becomes the most challenging issue, and broadcasting is a common approach which is used to alleviate the routing problem. Global flooding is a straightforward broadcasting method which is used in almost all existing topology-based routing protocols and suffers from the notorious broadcast storm problem.
The connected dominating set (CDS) formation is a promising approach for reducing the broadcast routing overhead, in which the messages are forwarded along the virtual backbone induced by the CDS. In this paper, we propose an intelligent backbone formation algorithm based on distributed learning automata (DLA) in which a near-optimal solution to the minimum CDS problem is found. Sending along this virtual backbone alleviates the broadcast storm problem, as the number of hosts responsible for broadcast routing is reduced to the number of hosts in the backbone. The proposed algorithm can also be used in multicast routing protocols, where only the multicast group members need to be dominated by the CDS. In this paper, the worst-case running time and message complexity of the proposed backbone formation algorithm to find a 1/(1-) optimal size backbone are computed. It is shown that by a proper choice of the learning rate of the proposed algorithm, a trade-off between the running time and message complexity of the algorithm and the backbone size can be made. The simulation results show that the proposed algorithm significantly outperforms the existing CDS-based backbone formation algorithms in terms of the network backbone size, and its message overhead is only slightly more than that of the least cost algorithm.

Article Outline
1. Introduction
2. Related work
3. Learning automata, distributed learning automata, and variable action-set learning automata
  3.1. Learning automata
  3.2. Distributed learning automata
  3.3. Variable action-set learning automata
4. DLA-based virtual backbone formation
  4.1. Action-set formation method
  4.2. Backbone formation process
    4.2.1. Initialization message
    4.2.2. Activation message
    4.2.3. Backbone message
    4.2.4. Rewarding message
    4.2.5. Penalizing message
  4.3. An example
5. Complexity analysis
6. Numerical results
7. Conclusion
Acknowledgements

Analysis and modeling of a campus wireless network TCP/IP traffic
Original Research Article, Computer Networks

In this paper we analyzed and modeled wireless TCP/IP traffic. Specifically, we focused on the interarrival times of TCP flows and the number of packets within a flow. We show that the marginal distribution of the flow interarrival times is piecewise Weibull distributed. Second and higher order statistics show that the flow interarrival times are long-range dependent and exhibit multifractal scaling. Taking these higher order properties into consideration, we proposed a multinomial canonical cascade with 3 stages to model the flow interarrival times. Looking at the IP layer, we find that the number of packets in a flow is heavy-tailed distributed. Especially interesting is that in 2 of our data sets, the number of packets in a flow possesses infinite mean. The interarrival time of packets within a flow is highly correlated, bursty, and its statistical characteristics vary from flow to flow.

Article Outline
1. Introduction
2. Measured wireless traffic traces
3. Modeling of TCP flow interarrival times
  3.1. Marginal distribution
    3.1.1. Evaluation of the piecewise Weibull distribution
  3.2. Long-range dependence
  3.3. Multifractal scaling
  3.4. A model for TCP SYN interarrival times
  3.5. Comparison with wired TCP flow interarrival times
  3.6. Evaluation of the proposed model via queuing simulations
4. IP traffic
  4.1. Number of packets per flow
  4.2. Interarrival time of packets within a flow
5. Conclusion
Acknowledgements
References
Vitae
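Returning to the first abstract on this page (IGMP-AC): its security point is that a plain IGMPv3 report carries no credentials, so any host can pull traffic for any group, and the fix is to let the join carry EAP through the Access Router, acting as a pass-through authenticator, to an AAA server that authenticates the End User and authorizes the (user, group) pair before the AR installs reception state. The model below is an added example written for this page, not the paper's protocol or code: the message names (on_igmp_report, on_ac_join, on_ac_auth), the notion of a "secured group", the subscriber tables and an HMAC challenge-response standing in for EAP-IKEv2 are all assumptions chosen to show the control flow, and the sample identities, secrets and group addresses are constructed.

```python
"""Toy model of an IGMP-AC style receiver access control exchange.
Added example, not the paper's code: message names, the secured-group flag,
the subscriber data and the challenge-response EAP method are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed sample subscriber data held by the AAA server (AAAS).
AAA_CREDENTIALS: Dict[str, bytes] = {
    "alice@example.net": b"alice-secret",
    "bob@example.net": b"bob-secret",
}
AAA_AUTHORIZED: Set[Tuple[str, str]] = {("alice@example.net", "239.1.2.3")}
SECURED_GROUPS = {"239.1.2.3"}   # groups that require IGMP-AC; others stay plain IGMPv3


def eap_response(secret: bytes, nonce: bytes, group: str) -> bytes:
    """Stand-in EAP method: HMAC over the server nonce and the requested group."""
    return hmac.new(secret, nonce + group.encode(), hashlib.sha256).digest()


class AAAServer:
    def challenge(self) -> bytes:
        return secrets.token_bytes(16)   # fresh per join, so a captured response cannot be replayed

    def verify(self, user: str, group: str, nonce: bytes, response: bytes) -> bool:
        secret = AAA_CREDENTIALS.get(user)
        if secret is None:
            return False
        authenticated = hmac.compare_digest(eap_response(secret, nonce, group), response)
        return authenticated and (user, group) in AAA_AUTHORIZED   # authentication, then authorization


@dataclass
class AccessRouter:
    """EAP pass-through: relays EAP between host and AAAS and installs reception
    state for a secured group only after an AAA accept."""
    aaas: AAAServer
    reception_state: Dict[str, Set[str]] = field(default_factory=dict)   # group -> hosts
    pending: Dict[Tuple[str, str], Tuple[str, bytes]] = field(default_factory=dict)

    def on_igmp_report(self, host: str, group: str) -> str:
        # Plain IGMPv3 membership report: no credentials, so it cannot open a secured group.
        if group in SECURED_GROUPS:
            return "DENIED: secured group requires IGMP-AC"
        self.reception_state.setdefault(group, set()).add(host)
        return "JOINED"

    def on_ac_join(self, host: str, group: str, user: str) -> bytes:
        # IGMP-AC join with an identity: the AR obtains an EAP challenge and hands it to the host.
        nonce = self.aaas.challenge()
        self.pending[(host, group)] = (user, nonce)
        return nonce

    def on_ac_auth(self, host: str, group: str, response: bytes) -> str:
        # IGMP-AC message carrying the host's EAP response; state changes only on AAA accept.
        entry = self.pending.pop((host, group), None)
        if entry is None:
            return "DENIED: no outstanding challenge"
        user, nonce = entry
        if not self.aaas.verify(user, group, nonce, response):
            return "DENIED: AAA reject"
        self.reception_state.setdefault(group, set()).add(host)
        return "JOINED"


def run_scenario():
    ar = AccessRouter(AAAServer())
    group = "239.1.2.3"
    out = {}
    # 1. Forged plain report for the secured group: no state installed.
    out["forged_report"] = ar.on_igmp_report("h1", group)
    # 2. Alice: valid credentials and a subscription for the group.
    nonce = ar.on_ac_join("h1", group, "alice@example.net")
    alice_resp = eap_response(b"alice-secret", nonce, group)
    out["alice"] = ar.on_ac_auth("h1", group, alice_resp)
    # 3. Bob authenticates correctly but is not authorized for this group.
    nonce = ar.on_ac_join("h2", group, "bob@example.net")
    out["bob"] = ar.on_ac_auth("h2", group, eap_response(b"bob-secret", nonce, group))
    # 4. Eavesdropper replays Alice's captured response under her identity: the nonce differs.
    ar.on_ac_join("h3", group, "alice@example.net")
    out["replay"] = ar.on_ac_auth("h3", group, alice_resp)
    # 5. Auth message with no preceding join.
    out["orphan_auth"] = ar.on_ac_auth("h4", group, alice_resp)
    # 6. An unsecured group still accepts a plain IGMPv3 report.
    out["open_group"] = ar.on_igmp_report("h5", "239.9.9.9")
    return out, ar.reception_state
```

The scenario exercises the cases the abstract's threat model cares about: a forged report, a user who can authenticate but is not entitled to the group, a replayed credential, and an unsecured group that keeps the ordinary IGMPv3 behaviour. Only the authorized host ends up in the AR's reception state for the secured group.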
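Two of the abstracts above (the zone-based algorithm and the DLA-based algorithm) build a virtual backbone as a connected dominating set and then try to make it as small as possible. The following is an added example for both, written for this page; it is neither paper's algorithm (no zone partition, no learning automata). It shows the object both papers optimize on a small constructed graph: a greedy CDS construction, the two properties a backbone must satisfy (every node is in the set or adjacent to it, and the set is connected), and a pruning pass that removes nodes the greedy step made redundant, which is the "sparsify" idea in miniature. Node ids, edges and the tie-breaking rule are assumptions.

```python
"""Greedy connected-dominating-set backbone with a pruning pass.
Added example, not the Zone or DLA algorithm; the graph is constructed."""
from collections import deque
from typing import Dict, Iterable, List, Set, Tuple

Graph = Dict[int, Set[int]]


def build_graph(edges: Iterable[Tuple[int, int]]) -> Graph:
    g: Graph = {}
    for a, b in edges:
        g.setdefault(a, set()).add(b)
        g.setdefault(b, set()).add(a)
    return g


def is_dominating(g: Graph, cds: Set[int]) -> bool:
    """Every node is in the backbone or has a neighbour in it."""
    return all(v in cds or g[v] & cds for v in g)


def is_connected(g: Graph, cds: Set[int]) -> bool:
    """The backbone nodes form one connected subgraph (BFS restricted to cds)."""
    if not cds:
        return False
    start = next(iter(cds))
    seen, queue = {start}, deque([start])
    while queue:
        v = queue.popleft()
        for w in g[v]:
            if w in cds and w not in seen:
                seen.add(w)
                queue.append(w)
    return len(seen) == len(cds)


def greedy_cds(g: Graph) -> List[int]:
    """Grow the backbone from the highest-degree node; each step adds the frontier
    node that newly dominates the most nodes (ties: smallest id). Every added node
    is adjacent to the current set, so connectivity holds by construction.
    Assumes g itself is connected."""
    start = min(g, key=lambda v: (-len(g[v]), v))
    cds = [start]
    dominated = {start} | g[start]
    while len(dominated) < len(g):
        frontier = {w for v in cds for w in g[v]} - set(cds)
        if not frontier:
            raise ValueError("graph is not connected")
        best = min(frontier, key=lambda v: (-len(g[v] - dominated), v))
        cds.append(best)
        dominated |= g[best]
    return cds


def prune_cds(g: Graph, cds: List[int]) -> List[int]:
    """Drop backbone nodes whose removal keeps the set dominating and connected."""
    kept = set(cds)
    for v in sorted(cds, reverse=True):
        trial = kept - {v}
        if is_dominating(g, trial) and is_connected(g, trial):
            kept = trial
    return sorted(kept)


# Constructed 11-node topology: a ring 1-2-4-6-5-3-1 with leaves hanging off 1, 5 and 7.
SAMPLE_EDGES = [(1, 2), (1, 3), (1, 8), (1, 9), (2, 4), (3, 5),
                (4, 6), (5, 6), (6, 7), (7, 10), (5, 11)]


def demo(edges=SAMPLE_EDGES):
    g = build_graph(edges)
    raw = greedy_cds(g)
    slim = prune_cds(g, raw)
    assert is_dominating(g, set(slim)) and is_connected(g, set(slim))
    return raw, slim
```

On the sample graph the greedy pass returns six backbone nodes; the pruning pass finds that node 2 is no longer needed once 6 covers node 4, and the final backbone of five nodes is the minimum for this topology (the leaves at 8/9, 11 and 10 force 1, 5 and 7 into the set, and 3 and 6 are the only way to connect them). The same two checks, dominating and connected, are what any distributed CDS protocol must preserve during backbone maintenance.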