Yan Zhuang,Dan Xu,Kailong Zhang,Jingui Pan,Jiming Chen

DOI: https://doi.org/10.1109/iccs.2008.4737241

2008-01-01

Abstract:Collaborative virtual environment (CVE) is a multi-user virtual environment that supports distributed collaboration. The two main issues that CVE is facing are how to improve system scalability and quality of service. Combining Active routing and content-based publish/subscribe and taking bi-directional shared multicast tree as the communication structure of Interest Management, Active interest management (AIM) can effectively improve system scalability. However, due to the lack of network monitoring, it can only provide same services, and consequently cannot guarantee services and alleviate system workload when it gets saturated. In this paper, we propose a QoS-based Adaptive Access control (QAAC) approach which includes dynamic system delay maintenance, active router verification and host low start. By QAAC, we dynamically control the access of hosts based on network status to improve services and scalability in AIM. Finally, experiment results show that this approach can stabilize network traffic, reduce system load and provide better collaboration services.

Gao Wen,Zhou Boyang,Wu Chunming,Zhou Haifeng,Jiang Ming,Hong Xiaoyan

DOI: https://doi.org/10.1049/cje.2015.07.035

IF: 1.019

2015-01-01

Chinese Journal of Electronics

Abstract:In the Software-defined networking（SDN）,when multiple control domains are used in control services,the transient state problem can occur causing the service flow interruption when border switches are updated asynchronously. We analyze the uniqueness of this problem for SDN, and propose a light-weight protocol for safe reconfiguration of the border switches in order to improve the availability of the services running in SDN. Our solution is designed as a generic supervision layer added in the control plane to support different types of services. To demonstrate the benefits, we implement a prototype of Informationcentric networks（ICN） with the protocol, and conduct experiments using Planet Lab. The results show the ICN service can continuously serve high volume requests for contents despite the congestions built by the heavy background traffic. The performance gains in terms of the mean and standard deviation of the content retrieve delay are40.5% and 21.56%.

Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Shiyong Zheng,Zhao Li,Biqing Li

DOI: https://doi.org/10.1063/1.4977398

2017-01-01

AIP Conference Proceedings

Abstract:In this paper, it firstly introduces the related knowledge of access control list (ACL) technology, hardware requirements and software configuration. Then it discusses the topological structure of campus network from the perspective of campus network planning as well as demonstrates the application of ACL technology in campus network combined with examples.

Xin Liu,Xianmin Song,Zhe Wang,Dianhai Wang,De M. Wang

2010-01-01

Abstract:In order to ensure the safety of Metro intelligent transport network and the reasonable utilization of resources, AAA (Authentication, Authorization, Accounting) mechanism was introduced to the intelligent transportation system, which is used to design the operation mode for the managent of Tansportaion. A plan was proposed, including the security access to the Metro intelligent transport network for the moving vehicles, seamless connection between access points, the accounting for the information of both network and intelligent transportation system, with the algorithm for authentication, authorization and accounting between realms. AAA algorithm was composed with C language, and tested by the data coming from the simulation using Vissim4.20.

Shiwen Kou,Chungang Yang,Mingji Wu

2024-04-19

Abstract:Intent-driven Networks (IDNs) are crucial in enhancing network management efficiency by enabling the translation of high-level intents into executable configurations via a top-down approach. The escalating complexity of network architectures, however, has led to a semantic gap between these intents and their actual configurations, posing significant challenges to the accuracy and reliability of IDNs. While existing methodologies attempt to address this gap through a bottom-up analysis of network metadata, they often fall short, focusing primarily on intent extraction or reasoning without fully leveraging insights to tackle the inherent challenges of IDNs. To mitigate this, we introduce SAFLA, a semantic-aware framework specifically designed to assure the full lifecycle of intents within IDNs. By seamlessly integrating top-down and bottom-up approaches, SAFLA not only provides comprehensive intent assurance but also effectively bridges the semantic gap. This integration facilitates a self-healing mechanism, substantially reducing the need for manual intervention even in dynamically changing network environments. Experimental results demonstrate the framework's feasibility and efficiency, confirming its capacity to quickly adapt intents in response to network changes, thus marking an important advancement in the field of IDNs.

Networking and Internet Architecture

Wei Zhang,Hongcheng Guo,Jian Yang,Yi Zhang,Chaoran Yan,Zhoujin Tian,Hangyuan Ji,Zhoujun Li,Tongliang Li,Tieqiao Zheng,Chao Chen,Yi Liang,Xu Shi,Liangfan Zheng,Bo Zhang

2024-05-04

Abstract:The escalating complexity of micro-services architecture in cloud-native technologies poses significant challenges for maintaining system stability and efficiency. To conduct root cause analysis (RCA) and resolution of alert events, we propose a pioneering framework, multi-Agent Blockchain-inspired Collaboration for root cause analysis in micro-services architecture (mABC), to revolutionize the AI for IT operations (AIOps) domain, where multiple agents based on the powerful large language models (LLMs) perform blockchain-inspired voting to reach a final agreement following a standardized process for processing tasks and queries provided by Agent Workflow. Specifically, seven specialized agents derived from Agent Workflow each provide valuable insights towards root cause analysis based on their expertise and the intrinsic software knowledge of LLMs collaborating within a decentralized chain. To avoid potential instability issues in LLMs and fully leverage the transparent and egalitarian advantages inherent in a decentralized structure, mABC adopts a decision-making process inspired by blockchain governance principles while considering the contribution index and expertise index of each agent. Experimental results on the public benchmark AIOps challenge dataset and our created train-ticket dataset demonstrate superior performance in accurately identifying root causes and formulating effective solutions, compared to previous strong baselines. The ablation study further highlights the significance of each component within mABC, with Agent Workflow, multi-agent, and blockchain-inspired voting being crucial for achieving optimal performance. mABC offers a comprehensive automated root cause analysis and resolution in micro-services architecture and achieves a significant improvement in the AIOps domain compared to existing baselines

Multiagent Systems,Cryptography and Security,Distributed, Parallel, and Cluster Computing

Mudassar Hussain,Rashid Amin,Rahma Gantassi,Asma Hassan Alshehri,Jaroslav Frnda,Syed Mohsan Raza

DOI: https://doi.org/10.1038/s41598-024-65721-x

2024-06-28

Abstract:Software-defined networking (SDN) is a pioneering network paradigm that strategically decouples the control plane from the data and management planes, thereby streamlining network administration. SDN's centralized network management makes configuring access control list (ACL) policies easier, which is important as these policies frequently change due to network application needs and topology modifications. Consequently, this action may trigger modifications at the SDN controller. In response, the controller performs computational tasks to generate updated flow rules in accordance with modified ACL policies and installs flow rules at the data plane. Existing research has investigated reactive flow rules installation that changes in ACL policies result in packet violations and network inefficiencies. Network management becomes difficult due to deleting inconsistent flow rules and computing new flow rules per modified ACL policies. The proposed solution efficiently handles ACL policy change phenomena by automatically detecting ACL policy change and accordingly detecting and deleting inconsistent flow rules along with the caching at the controller and adding new flow rules at the data plane. A comprehensive analysis of both proactive and reactive mechanisms in SDN is carried out to achieve this. To facilitate the evaluation of these mechanisms, the ACL policies are modeled using a 5-tuple structure comprising Source, Destination, Protocol, Ports, and Action. The resulting policies are then translated into a policy implementation file and transmitted to the controller. Subsequently, the controller utilizes the network topology and the ACL policies to calculate the necessary flow rules and caches these flow rules in hash table in addition to installing them at the switches. The proposed solution is simulated in Mininet Emulator using a set of ACL policies, hosts, and switches. The results are presented by varying the ACL policy at different time instances, inter-packet delay and flow timeout value. The simulation results show that the reactive flow rule installation performs better than the proactive mechanism with respect to network throughput, packet violations, successful packet delivery, normalized overhead, policy change detection time and end-to-end delay. The proposed solution, designed to be directly used on SDN controllers that support the Pyretic language, provides a flexible and efficient approach for flow rule installation. The proposed mechanism can be employed to facilitate network administrators in implementing ACL policies. It may also be integrated with network monitoring and debugging tools to analyze the effectiveness of the policy change mechanism.

Hongqiang Harry Liu,Xin Wu,Wei Zhou,Weiguo Chen,Tao Wang,Hui Xu,Lei Zhou,Qing Ma,Ming Zhang

DOI: https://doi.org/10.1145/3229584.3229585

2018-01-01

Abstract:Managing the life cycle of network configurations, including the generation, update, transition and diagnosis of the configurations, is the primary task of network operators and a critical process for the reliability and efficiency of the networks. This paper presents NetCraft, a framework which automates the life cycle management of network configurations with a unified network model. Designed for life cycle automation, NetCraft's network model can expressively encode all parts and protocols in the network; It can be converted to or constructed from configurations with interoperability; It is able to perform fine-grained configurations with flexibility to deactivate or undo any configurations for safe configuration updates; And it can work without cooperations from device vendors. We have built and deployed an initial version of NetCraft in Alibaba's global WAN. Evaluations in real environments show that NetCraft can reduce the network incidents caused by configurations by 95% and cut the average time to plan and execute a network update by up to 93%.

Xiaohong Chen,Zhiwei Zhong,Zhi Jin,Min Zhang,Tong Li,Xiang Chen,Tingliang Zhou

DOI: https://doi.org/10.1109/re.2019.00040

2019-01-01

Abstract:Consistency verification of safety requirements is an important but still challenging task for safety-critical systems such as rail transit systems. That is mainly because requirements are typically written in natural language and with strong time constraints. Driven by the practical need from industry, in this paper we propose a systematic approach to specify safety requirements in a quasi-natural language and automatically verify their consistency using formal methods. Specifically, we define a domain specific language SafeNL to specify safety requirements, and then automatically transform them into formal constraints defined in the Clock Constraint Specification Language (CCSL). The transformed constraints can be automatically and efficiently verified by model checking. We conduct two practical case studies to analyze the safety requirements of an interlocking system in CASCO Signal Ltd. Results of the studies show the validity and utility of our approach can pragmatically contribute to industrial practice. We also report some lessons learned from case studies.

Lei Yao,Yong Zhang,Zilong Yan,Jialu Tian

2023-10-13

Abstract:In the rapid development of artificial intelligence, solving complex AI tasks is a crucial technology in intelligent mobile networks. Despite the good performance of specialized AI models in intelligent mobile networks, they are unable to handle complicated AI tasks. To address this challenge, we propose Systematic Artificial Intelligence (SAI), which is a framework designed to solve AI tasks by leveraging Large Language Models (LLMs) and JSON-format intent-based input to connect self-designed model library and database. Specifically, we first design a multi-input component, which simultaneously integrates Large Language Models (LLMs) and JSON-format intent-based inputs to fulfill the diverse intent requirements of different users. In addition, we introduce a model library module based on model cards which employ model cards to pairwise match between different modules for model composition. Model cards contain the corresponding model's name and the required performance metrics. Then when receiving user network requirements, we execute each subtask for multiple selected model combinations and provide output based on the execution results and LLM feedback. By leveraging the language capabilities of LLMs and the abundant AI models in the model library, SAI can complete numerous complex AI tasks in the communication network, achieving impressive results in network optimization, resource allocation, and other challenging tasks.

Artificial Intelligence

Zheng Wang,Yanan Jin,Shasha Yang,Jianmin Han,Jianfeng Lu

DOI: https://doi.org/10.1109/access.2021.3072635

IF: 3.9

2021-01-01

IEEE Access

Abstract:Cross-IoT infrastructure access frequently occurs when performing tasks in a distributed computing infrastructure of a cyber-physical system (CPS). The access control technology that ensure secure access cross-IoT infrastructure usually automatically establish relationships between user-attribute/role-permission. How to efficiently determine whether an automatic authorization access control state satisfies the safety and availability requirements of a system is a huge challenge. Existing work often focuses on a single aspect of safety or availability, while ignoring the differences between permissions and the differences between users. In this paper, we first propose a fine-grained personalization policy that takes into account the specificity of permissions/users and describes the safety, availability and efficiency requirements of an access control system in CPS. Second, we define a Personalization Policy Checking (PPC) Problem to determine whether a given personalization policy is satisfied in an access control state. We give the computational complexity of the PPC problem in different subcases, and show that it is NP-complete in general. Third, we design a binary genetic search algorithm, whose improvements mainly include continuous update and selection of the best chromosomes in the population for iteration, and exploring and determining the optimal crossover and mutation probabilities, thereby improving the convergence efficiency of the algorithm. Finally, simulation results show the effectiveness of our proposed algorithm, which is especially fit for the case that the computational overhead is even more important than the accuracy in a large-scale CPS system.

computer science, information systems,telecommunications,engineering, electrical & electronic

Caishuang Huang,Wanxu Zhao,Rui Zheng,Huijie Lv,Shihan Dou,Sixian Li,Xiao Wang,Enyu Zhou,Junjie Ye,Yuming Yang,Tao Gui,Qi Zhang,Xuanjing Huang

2024-06-28

Abstract:As the development of large language models (LLMs) rapidly advances, securing these models effectively without compromising their utility has become a pivotal area of research. However, current defense strategies against jailbreak attacks (i.e., efforts to bypass security protocols) often suffer from limited adaptability, restricted general capability, and high cost. To address these challenges, we introduce SafeAligner, a methodology implemented at the decoding stage to fortify defenses against jailbreak attacks. We begin by developing two specialized models: the Sentinel Model, which is trained to foster safety, and the Intruder Model, designed to generate riskier responses. SafeAligner leverages the disparity in security levels between the responses from these models to differentiate between harmful and beneficial tokens, effectively guiding the safety alignment by altering the output token distribution of the target model. Extensive experiments show that SafeAligner can increase the likelihood of beneficial tokens, while reducing the occurrence of harmful ones, thereby ensuring secure alignment with minimal loss to generality.

Cryptography and Security,Computation and Language

Kaicheng Yang,Yuanpeng Li,Sheng Long,Tong Yang,Ruijie Miao,Yikai Zhao,Chaoyang Ji,Penghui Mi,Guodong Yang,Qiong Xie,Hao Wang,Yinhua Wang,Bo Deng,Zhiqiang Liao,Chengqiang Huang,Yongqiang Yang,Xiang Huang,Wei Sun,Xiaoping Zhu

2023-01-01

Abstract:Network faults occur frequently in the Internet. From the perspective of cloud service providers, network faults can be classified into three categories: cloud faults, client faults, and middle faults. This paper mainly focuses on middle faults. To minimize the harm of middle faults, we build a fully automatic system in Huawei Cloud, namely AAsclepius, which consists of a monitoring subsystem, a diagnosing subsystem, and a detouring subsystem. Through the collaboration of the three subsystems, AAsclepius monitors network faults, diagnoses network faults, and detours the traffic to circumvent middle faults at the Internet peering edge. The key innovation of AAsclepius is to identify the fault direction with a novel technique, namely PathDebugging. AAsclepius has been running for two years stable, protecting Huawei Cloud from major accidents in 2021 and 2022. Our evaluation on three major points of presence in December 2021 shows that AAsclepius can efficiently and safely detour the traffic to circumvent outbound faults within a few minutes.

Libo Feng,Junyu Lin,Fei Qiu,Bei Yu,Zhihua Jin,Jinli Wang,Jing Cheng,Shaowen Yao

DOI: https://doi.org/10.1109/tnsm.2024.3371521

2024-01-01

IEEE Transactions on Network and Service Management

Abstract:Industrial big data has experienced from data silos due to its high potential value and strong security requirements, making it difficult to share securely across domains. Blockchain-based solutions allow nodes to establish access control to trusted data on unreliable or trustless networks, but still face issues such as inefficient data sharing and leakage of sensitive information. In this paper, we propose a blockchain-based access control scheme for privacy security and dynamic regulation. First, ciphertext policy attribute-based encryption (CP-ABE) is developed to gain fine-grained access to node resources, with verifiable outsourcing decryption method to significantly reduce computational pressure on end users. Second, a policy hiding method based on multi-chain architecture is proposed, which performs double hiding of attribute information and access policy information on the blockchain. Finally, a supervisory policy that incorporates dynamic trust assessment and smart contracts is proposed to achieve effective detection and hierarchical classification punishment of malicious behavior. Security analysis and experimental results show that our scheme can limit the complexity of terminal decryption at a constant level and effectively achieve secure and efficient access control in the industrial Internet environment.

computer science, information systems

Yahui Li,Han Zhang,Jilong Wang,Xingang Shi,Xia Yin,Zhiliang Wang,Jiankun Hu,Congcong Miao,Jianping Wu

DOI: https://doi.org/10.1109/tifs.2024.3409935

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Network managers configure networks to enforce various high-level policies, and to respond to the wide range of network events (e.g., attacks, intrusions, malicious route announcements from neighbors) that may occur. It is incredibly difficult to specify these high-level policies in terms of distributed low-level configuration. These high-level policies hold only if the distributed configurations are well equipped to react to unsafe and unreliable environments (e.g., malicious route announcements, unsafe components and devices). Therefore, it is important to proactively verify whether network policies hold across continually changing environments in terms of current network configurations. State-of-the-art policy verification techniques are limited because they can check only the Boolean policies (e.g., forwarding reachability, waypoint or blackhole-freeness). However, many policy violations express themselves in quantitative ways (e.g., a link becomes overloaded). In this paper, we propose quantitative network verification (QNV) analyzing the quantitative policies of networks across unsafe and unreliable environments. QNV translates network configurations into a symbolic simulation model that captures the stable states to which the network forwarding will converge as a result of interactions between routing protocols. It then generates a logical formula matrix that describes network forwarding in the event of failures and verifies quantitative policies based on the formula matrix. We implement QNV and evaluate it on realistic and synthetic configurations. Our evaluation shows that QNV can precisely verify quantitative policies in only a few minutes, even in large networks.

Yida Wang,Shuangshuang Jiang,Bin Cui

DOI: https://doi.org/10.1145/3524304.3524308

2022-01-01

Abstract:With exploding number of servers in large IT corporations, system environment management of servers at scale is a big challenge. System environment needs to be regularly updated to meet the system demand of services or fix emerging bugs. It is of vital importance to ensure stability of services during these system updates. However, the heterogeneity of workload and diversity of update scripts make it difficult to estimate how a system update affects the servers and services running on them. Unexpected failures caused by various reasons can also arise during or after update execution, making the situation even worse. This paper aims to solve the system management challenge with an operations platform called TJOSConf. During system updates, TJOSConf is able to interact with services to make sure that expected impacts and unexpected failures can be recognized and handled in time, making system update highly automatic and safe. Various system update scripts can be easily incorporated into TJOSConf as plugins, making the platform scalable. Use cases of TJOSConf in Alibaba prove its effectiveness.

Yinan Tang,Tongtong Yuan,Zhiyuan Xu,Weiyi Zhang,Jian Tang,Guoliang Xue,Yanzhi Wang

DOI: https://doi.org/10.1109/mnet.106.2100620

IF: 10.294

2022-01-01

IEEE Network

Abstract:Modern networks have become immensely complicated, while future networks are expected to be more highly dynamic and sophisticated. In such a complex network environment, it is challenging to design effective control schemes to allocate network resources and manage network systems. Recently, Artificial Intelligence (AI) has made tremendous successes and breakthroughs. Particularly, as a branch of AI technology, the model-free experience-based machine learning (ML) technology has attracted widespread attention in the field of Network Control Problems (NCPs). Motivated by recent breakthroughs in AI technology, we share our vision of deploying ML technology to the field of solving NCPs to achieve experience-driven networking. Compared with the domain knowledge-based heuristic algorithms and fixed policies, which face mounting challenges in achieving desirable performance in highly dynamic and complicated networks, the ML-based methods can accumulate experiences by constantly collecting system feedback, and finally learn desirable/optimal control policies. In this article, we first summarize the differences between the traditional solutions and the ML-based methods and highlight the advantages of experience-driven networking with ML. Then we introduce several state-of-the-art AI-enabled experience-driven works for NCPs. In the end, we shed light on the future directions of adapting ML to more networking problems and the emerging opportunities for experience-driven networking. We hope that our work can help and encourage researchers to propose more innovative experience-driven solutions for the NCPs of modern network systems.

Xiaolin Wang,Jinglong Zhang,Cailian Chen,Jianping He,Yehan Ma,Xinping Guan

DOI: https://doi.org/10.1109/tii.2023.3299040

IF: 12.3

2023-01-01

IEEE Transactions on Industrial Informatics

Abstract:The harsh industrial environment and the high exposure of wireless communication networks (WCNs) seriously degrade the control performance of edge-enabled Industrial Internet of Things systems. Recently, the codesign of control and scheduling has been studied as a promising method to improve system performance. However, due to the dynamic feature of multiple unreliable factors, the impact of communication randomness on data timeliness, and the difficulty to gather sensing data, it is challenging to jointly design the schedule and control policy to mitigate the adverse effects of WCNs. To address these issues, this article presents a trust-age of information (AoI)-aware codesign scheme (TACS). We first propose a learning-based trust model with the aid of a conditional generative adversarial network to handle the sparse industrial data and a deep-neural-network-based trust online prediction to comprehensively measure the WCNs' reliability. Then, we study the impact of AoI on control performance and design the optimal controller based on the separation principle. Moreover, we derive a trust-AoI-aware scheduling policy at the edge side to dynamically select the optimal data to participate in plant control, which maximizes the control system performance and the trust of WCNs. Simulation results reveal the effectiveness of the TACS in terms of improving the system performance significantly.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Leila Karimi,Mai Abdelhakim,James Joshi

DOI: https://doi.org/10.48550/arXiv.2105.08587

IF: 5.414

2021-05-18

Machine Learning

Abstract:With rapid advances in computing systems, there is an increasing demand for more effective and efficient access control (AC) approaches. Recently, Attribute Based Access Control (ABAC) approaches have been shown to be promising in fulfilling the AC needs of such emerging complex computing environments. An ABAC model grants access to a requester based on attributes of entities in a system and an authorization policy; however, its generality and flexibility come with a higher cost. Further, increasing complexities of organizational systems and the need for federated accesses to their resources make the task of AC enforcement and management much more challenging. In this paper, we propose an adaptive ABAC policy learning approach to automate the authorization management task. We model ABAC policy learning as a reinforcement learning problem. In particular, we propose a contextual bandit system, in which an authorization engine adapts an ABAC model through a feedback control loop; it relies on interacting with users/administrators of the system to receive their feedback that assists the model in making authorization decisions. We propose four methods for initializing the learning model and a planning approach based on attribute value hierarchy to accelerate the learning process. We focus on developing an adaptive ABAC policy learning model for a home IoT environment as a running example. We evaluate our proposed approach over real and synthetic data. We consider both complete and sparse datasets in our evaluations. Our experimental results show that the proposed approach achieves performance that is comparable to ones based on supervised learning in many scenarios and even outperforms them in several situations.