Research on Key Technologies for Secure and Efficient E-Government Systems
Abstract
E-government is a priority of the informatization programme set out in China's Eleventh Five-Year Plan and an active area of information-technology research and development. The characteristics of e-government (openness, virtuality, network-based delivery) impose strict requirements on its security and on its management techniques and schemes. Starting from the requirements for building a secure and efficient e-government system, this thesis focuses on security evaluation and enhancement techniques for e-government systems, an integrated management platform and its key technologies, and traffic engineering with flow-level load distribution over an MPLS bearer network. The specific work is as follows:
     1. Security evaluation and enhancement techniques for e-government systems. E-government systems serve many applications on many platforms, with a wide variety of devices and geographically dispersed users. For such systems the thesis proposes a security tree framework that combines decision-tree techniques with the analytic hierarchy process (AHP): the decision tree is applied to the AHP hierarchy so that the levels of the evaluation model adjust automatically, and the model is trained and simplified on a small sample set, yielding a new information-security evaluation model. Evaluating a production e-government system with the security tree model showed that its main weakness is that a large number of existing applications are served over plain HTTP; this is simple and convenient, but the low authentication strength of that arrangement lowers the overall security of the system. To address this low authentication strength, the thesis proposes a bidirectional (mutual) authentication framework based on message digests, which addresses the problems of a simple, fixed encryption algorithm and of users being unable to verify the server's identity; raising this weakest link raises the overall security of the system.
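The AHP core of the evaluation model, as an added worked example rather than the thesis's own code: a pairwise judgement matrix over three security factors is turned into priority weights by power iteration, checked with Saaty's consistency ratio (CR, rejected above the usual 0.1), and combined with per-factor scores into an overall score. The factor names, judgements and scores are constructed for illustration, and the decision-tree step that adjusts the hierarchy is not reproduced.

```python
"""AHP priority weights with Saaty's consistency check for a security-factor
hierarchy. Added example, not code from the thesis: the factor names, the
pairwise judgements and the 0.1 consistency threshold are constructed here, and
the thesis's decision-tree adjustment of the hierarchy is not reproduced."""

# Saaty's random consistency index RI by matrix order n (1..10).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}


def principal_eigen(matrix, iterations=200):
    """Power iteration on a positive reciprocal matrix.

    Returns (lambda_max, priority vector normalised to sum 1). Because the
    vector is renormalised to sum 1 each step, sum(A v) converges to lambda_max."""
    n = len(matrix)
    vec = [1.0 / n] * n
    lam = float(n)
    for _ in range(iterations):
        nxt = [sum(matrix[i][j] * vec[j] for j in range(n)) for i in range(n)]
        lam = sum(nxt)
        vec = [x / lam for x in nxt]
    return lam, vec


def consistency_ratio(n, lam_max):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); defined as 0 for n <= 2."""
    if n <= 2:
        return 0.0
    return ((lam_max - n) / (n - 1)) / RANDOM_INDEX[n]


def ahp_weights(factors, matrix, threshold=0.1):
    """Return ({factor: weight}, CR), rejecting judgements whose CR exceeds threshold."""
    lam, vec = principal_eigen(matrix)
    cr = consistency_ratio(len(matrix), lam)
    if cr > threshold:
        raise ValueError(f"pairwise judgements inconsistent: CR={cr:.3f}")
    return dict(zip(factors, vec)), cr


def weighted_score(weights, scores):
    """Overall security score in [0, 1]: the weight-averaged per-factor scores."""
    return sum(weights[f] * scores[f] for f in weights)


# Constructed judgement matrix: authentication strength is judged 3x as
# important as transport protection and 9x as important as patch level.
FACTORS = ["authentication strength", "transport protection", "patch level"]
JUDGEMENTS = [[1.0, 3.0, 9.0],
              [1 / 3, 1.0, 3.0],
              [1 / 9, 1 / 3, 1.0]]

# Constructed per-factor scores for a system serving applications over plain
# HTTP: authentication scores low, and its large weight drags the total down.
PLAIN_HTTP_SCORES = {"authentication strength": 0.3,
                     "transport protection": 0.4,
                     "patch level": 0.9}

if __name__ == "__main__":
    weights, cr = ahp_weights(FACTORS, JUDGEMENTS)
    for factor, weight in weights.items():
        print(f"{factor:25s} {weight:.3f}")
    print(f"CR = {cr:.3f}, overall = {weighted_score(weights, PLAIN_HTTP_SCORES):.3f}")
```

With authentication judged nine times as important as patch level, a system scoring 0.3 on authentication lands at about 0.37 overall even though it is well patched; that is the weakest-link effect the evaluation exposed. A cyclic judgement matrix such as A over B, B over C, C over A fails the CR check and is rejected before any weights are used.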
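The mutual-authentication exchange that a digest-based framework relies on, shown as an added example (not the thesis's implementation): HTTP Digest with qop=auth and the server's Authentication-Info rspauth as in RFC 2617, with the hash negotiable (MD5 or SHA-256, the latter per RFC 7616) rather than fixed, and with each server nonce consumed once. The realm, user list and nonce store are constructed. Digest protects only the password, not the request or response bodies, so it should run over TLS.

```python
"""Mutual (bidirectional) HTTP Digest authentication with a negotiable hash,
as in RFC 2617 (qop=auth, Authentication-Info rspauth) and RFC 7616 (SHA-256).
Added example, not the thesis's framework: the realm, users, URIs and the
single-use nonce store are constructed here."""
import hashlib
import hmac
import secrets

ALGORITHMS = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}


def _h(alg, data):
    return ALGORITHMS[alg](data.encode()).hexdigest()


def digest_response(alg, user, realm, password, method, uri, nonce, nc, cnonce):
    """Client proof: H(H(A1):nonce:nc:cnonce:auth:H(A2)) with A2 = method:uri."""
    ha1 = _h(alg, f"{user}:{realm}:{password}")
    ha2 = _h(alg, f"{method}:{uri}")
    return _h(alg, f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def digest_rspauth(alg, user, realm, password, uri, nonce, nc, cnonce):
    """Server proof (Authentication-Info): same construction but A2 = ":uri"
    (no method), so it cannot be reused as a client response; only a party
    holding the shared secret can produce it."""
    ha1 = _h(alg, f"{user}:{realm}:{password}")
    ha2 = _h(alg, f":{uri}")
    return _h(alg, f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class Server:
    def __init__(self, realm, users, algorithm="SHA-256"):
        self.realm, self.users, self.alg = realm, users, algorithm
        self.live_nonces = set()          # issued and not yet consumed

    def challenge(self):
        """WWW-Authenticate parameters; the nonce is fresh and single-use."""
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth",
                "algorithm": self.alg}

    def verify(self, method, auth):
        """Return Authentication-Info parameters on success, None on any failure."""
        if auth.get("nonce") not in self.live_nonces:
            return None                   # unknown or replayed nonce
        self.live_nonces.discard(auth["nonce"])
        password = self.users.get(auth.get("username"))
        if password is None:
            return None
        expected = digest_response(self.alg, auth["username"], self.realm, password,
                                   method, auth["uri"], auth["nonce"],
                                   auth["nc"], auth["cnonce"])
        if not hmac.compare_digest(expected, auth.get("response", "")):
            return None
        rspauth = digest_rspauth(self.alg, auth["username"], self.realm, password,
                                 auth["uri"], auth["nonce"], auth["nc"], auth["cnonce"])
        return {"qop": "auth", "rspauth": rspauth,
                "cnonce": auth["cnonce"], "nc": auth["nc"]}


class Client:
    def __init__(self, username, password):
        self.username, self.password = username, password
        self.pending = None               # parameters needed to check rspauth

    def respond(self, challenge, method, uri):
        """Build the Authorization parameters for a challenge."""
        alg, nc, cnonce = challenge["algorithm"], "00000001", secrets.token_hex(8)
        response = digest_response(alg, self.username, challenge["realm"], self.password,
                                   method, uri, challenge["nonce"], nc, cnonce)
        self.pending = (alg, challenge["realm"], uri, challenge["nonce"], nc, cnonce)
        return {"username": self.username, "uri": uri, "nonce": challenge["nonce"],
                "nc": nc, "cnonce": cnonce, "response": response}

    def verify_server(self, info):
        """True only if rspauth matches our own recomputation, i.e. the server
        holds the shared secret and bound its answer to our cnonce."""
        if not self.pending or info is None:
            return False
        alg, realm, uri, nonce, nc, cnonce = self.pending
        expected = digest_rspauth(alg, self.username, realm, self.password,
                                  uri, nonce, nc, cnonce)
        return (info.get("cnonce") == cnonce and info.get("nc") == nc
                and hmac.compare_digest(expected, info.get("rspauth", "")))


def run_exchange(server, client, method, uri):
    """One round trip: challenge, response, server check, client check."""
    auth = client.respond(server.challenge(), method, uri)
    info = server.verify(method, auth)
    return info is not None, client.verify_server(info)


if __name__ == "__main__":
    server = Server("egov.example", {"alice": "correct horse"})
    print(run_exchange(server, Client("alice", "correct horse"), "GET", "/portal"))
    print(run_exchange(server, Client("alice", "wrong"), "GET", "/portal"))
```

The client accepts the session only after recomputing rspauth from its own cnonce and the shared secret, so a server that does not hold the secret is rejected even though it can issue a challenge; the server discards each nonce after one use, so a captured Authorization header cannot be replayed. The MD5 branch is kept only for interoperability and for checking against the RFC 2617 example values.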
     2. Optimized design and implementation of the e-government management platform. Based on the service characteristics and management needs of e-government systems, the thesis builds a management platform that integrates LDAP (Lightweight Directory Access Protocol) with SNMP (Simple Network Management Protocol). Embedding an SNMP client in the user-side client preserves users' access capability, and the concept of a virtual connection is introduced so that users can reach the e-government system only through the management platform, which gives unified and secure system management.
     3. Analysis of MPLS traffic-distribution algorithms and dynamic traffic distribution over multiple MPLS paths. A principal requirement of a government network is to deliver QoS to users and to certain applications under limited transmission resources. Analysis of topology-based and resource-based load-distribution algorithms shows that neither, used alone, satisfies service requirements such as QoS. The thesis therefore studies a dynamic traffic-distribution algorithm over multiple MPLS paths based on distributable traffic. With implementation feasibility in mind, it proposes a traffic-assignment technique built on the concept of MPLS channel resistance, using one-way delay measurement to represent path resource usage indirectly and so optimize the traffic. On top of the distributable-traffic model it proposes a flow-level multipath dynamic traffic-distribution mechanism for MPLS networks: packets are classified at the flow level, which essentially removes the packet-reordering problem, and only the edge routers need to participate, so the mechanism scales well. Simulation shows that, because the new method accounts for both queuing delay and packet loss rate, it maintains fair traffic distribution across multiple parallel LSPs.
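A flow-level multipath assignment at the ingress edge router, as an added example (not the thesis's algorithm or its simulation code): channel resistance is modelled here, as an assumption, as measured queuing delay (one-way delay above the propagation floor) plus a loss penalty; target shares per LSP are inversely proportional to resistance; new flows are classified by 5-tuple and pinned to one LSP so their packets are never reordered, while existing flows are left where they are. LSP names, probe values and the traffic are constructed.

```python
"""Flow-level dynamic traffic distribution over parallel MPLS LSPs at the
ingress edge router. Added example, not the thesis's code: the channel
resistance formula (queuing delay plus a loss penalty), the LSP names, the
probe values and the sample traffic are constructed assumptions."""
from collections import Counter

LOSS_PENALTY_MS = 50.0   # assumed: a loss rate of 1.0 costs as much as 50 ms of queuing


def channel_resistance(one_way_delay_ms, loss_rate, base_delay_ms):
    """Assumed resistance: queuing delay (one-way delay above the propagation
    floor) plus a loss penalty, plus 1 ms so an idle LSP never has resistance 0."""
    queuing = max(one_way_delay_ms - base_delay_ms, 0.0)
    return 1.0 + queuing + LOSS_PENALTY_MS * loss_rate


def flow_key(pkt):
    """Classification key: the 5-tuple, so all packets of a flow share one LSP."""
    return (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])


class IngressBalancer:
    def __init__(self, lsp_base_delay_ms):
        self.base = dict(lsp_base_delay_ms)            # {lsp: propagation floor, ms}
        self.weights = {lsp: 1.0 / len(self.base) for lsp in self.base}
        self.flow_table = {}                           # flow key -> pinned LSP
        self.sent_bytes = Counter()                    # bytes forwarded per LSP

    def update_probes(self, probes):
        """probes: {lsp: (one_way_delay_ms, loss_rate)} from periodic measurement.
        Target shares are set inversely proportional to resistance."""
        inverse = {lsp: 1.0 / channel_resistance(d, loss, self.base[lsp])
                   for lsp, (d, loss) in probes.items()}
        total = sum(inverse.values())
        self.weights = {lsp: v / total for lsp, v in inverse.items()}

    def _pick_lsp(self):
        """For a new flow, choose the LSP whose byte share is furthest below its
        target weight (deterministic, so a decision can be audited afterwards)."""
        total = max(sum(self.sent_bytes.values()), 1)
        return min(self.weights,
                   key=lambda lsp: self.sent_bytes[lsp] / total - self.weights[lsp])

    def forward(self, pkt):
        """Return the LSP for this packet. Existing flows are never moved, which
        is what keeps the packets of one flow in order."""
        key = flow_key(pkt)
        lsp = self.flow_table.get(key)
        if lsp is None:
            lsp = self._pick_lsp()
            self.flow_table[key] = lsp
        self.sent_bytes[lsp] += pkt["bytes"]
        return lsp


def make_flows(first_id, count, packets_per_flow, size=1000):
    """Constructed traffic: `count` TCP flows, packets interleaved round-robin."""
    pkts = []
    for seq in range(packets_per_flow):
        for f in range(first_id, first_id + count):
            pkts.append({"src": f"10.0.0.{f}", "dst": "10.1.0.1", "proto": 6,
                         "sport": 40000 + f, "dport": 443, "bytes": size, "seq": seq})
    return pkts


def run_packets(lb, pkts):
    """Forward packets and return {flow key: set of LSPs used}. A set of size
    one per flow means no packet of that flow was moved (no reordering)."""
    seen = {}
    for p in pkts:
        seen.setdefault(flow_key(p), set()).add(lb.forward(p))
    return seen


def simulate():
    """Phase 1: two healthy LSPs share 20 flows. Then LSP_A congests and 20 new
    flows arrive, followed by more packets from the original flows."""
    lb = IngressBalancer({"LSP_A": 10.0, "LSP_B": 10.0})
    phase1 = run_packets(lb, make_flows(0, 20, 10))
    bytes1 = dict(lb.sent_bytes)
    # Probe results: LSP_A shows 50 ms of queuing and 2% loss, LSP_B is nearly idle.
    lb.update_probes({"LSP_A": (60.0, 0.02), "LSP_B": (12.0, 0.0)})
    phase2 = run_packets(lb, make_flows(20, 20, 10))
    phase1_again = run_packets(lb, make_flows(0, 20, 1))
    return {"phase1": phase1, "bytes1": bytes1, "weights": lb.weights,
            "phase2": phase2, "phase1_again": phase1_again}


if __name__ == "__main__":
    r = simulate()
    print("weights after probe:", r["weights"])
    print("new flows on LSP_B:", sum(s == {"LSP_B"} for s in r["phase2"].values()), "/ 20")
```

After the probe, LSP_A's resistance is 52 ms-equivalent against 3 for LSP_B, so the target share of LSP_B rises to 52/55 and every new flow is steered there, while the 20 original flows keep their LSP. Because the shift is realised only through flow arrivals, rebalancing is gradual; that is the price of never reordering a live flow, and it is why the mechanism needs nothing from core routers.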

© 2004-2018 China Geological Library. All rights reserved. 京ICP备05064691号 京公网安备11010802017129号

Address: 29 Xueyuan Road, Haidian District, Beijing; postcode 100083

Telephone: office (+86 10) 66554848; document lending, reference services and technology novelty search: 66554700