Focused on the issue that developers cannot quickly figure out the models they need from various models, an automatic annotation method of visual deep neural network based on natural language processing technology was proposed. Firstly, the field categories of visual neural networks were divided, the keywords and corresponding weights were calculated according to the word frequency and other information. Secondly, a keyword extractor was established to extract keywords from paper abstracts. Finally, the similarities between extracted keywords and the known weights were calculated in order to obtain the application fields of a specific model. With experimental data derived from the papers published in three top international conferences of computer vision: IEEE International Conference on Computer Vision(ICCV), IEEE Conference on Computer Vision and Pattern Recognition(CVPR) and European Conference on Computer Vision(ECCV), the experiments were carried out. The experimental results indicate that the proposed method provides highly accurate classification results with a macro average value of 0.89. The validity of this proposed method is verified.

In the existing French Named Entity Recognition (NER) research, the machine learning models mostly use the character morphological features of words, and the multilingual generic named entity models use the semantic features represented by word embedding, both without taking into account the semantic, character morphological and grammatical features comprehensively. Aiming at this shortcoming, a deep neural network based model CGC-fr was designed to recognize French named entity. Firstly, word embedding, character embedding and grammar feature vector were extracted from the text. Then, character feature was extracted from the character embedding sequence of words by using Convolution Neural Network (CNN). Finally, Bi-directional Gated Recurrent Unit Network (BiGRU) and Conditional Random Field (CRF) were used to label named entities in French text according to word embedding, character feature and grammar feature vector. In the experiments, F1 value of CGC-fr model can reach 82.16% in the test set, which is 5.67 percentage points, 1.79 percentage points and 1.06 percentage points higher than that of NERC-fr, LSTM(Long Short-Term Memory network)-CRF and Char attention models respectively. The experimental results show that CGC-fr model with three features is more advantageous than the others.

In cloud environment, the code of pivotal business in Virtual Machine (VM) can be modified by malicious software in many ways, which can pose a threat to its stable operation. Traditional measurement systems based on host are liable to be bypassed or attacked. To solve the problem that it is difficult to obtain a complete virtual machine running process code and verify its integrity at Virtual Machine Monitor (VMM) layer, a paging-measurement method based on hardware virtualization was proposed. The Kernel-based Virtual Machine (KVM) was used as the VMM to capture the system calls of virtual machine process in VMM and regarde it as the trigger point of the measurement process; the semantic differences of different virtual machine versions were solved by using relative address offset, then the paging-measurement method could verify the code integrity of running process in virtual machine transparently at VMM layer. The implemented prototype system of VMPMS (Virtual Machine Paging-Measurement System) can effectively measure the virtual machine process code with acceptable performance loss.

The Local Image Fitting (LIF) model is sensitive to the size, shape and position of initial contour. In order to solve the problem, a local image intensity fitting model combined with global information was proposed. Firstly, a global term based on global image information was constructed. Secondly, the global term was linearly combined with the local term of LIF model. Finally, an image segmentation model in the form of partial differential equation was obtained. Finite difference method was used in numerical implementation, simultaneously, a level set function was regularized by a Gaussian filter to ensure the smoothness of the level set function. In the segmentation experiments, when different initial contours are selected, the proposed model can get the correct segmentation results, and its segmentation time is only 20% to 50% of LIF model. The experimental results show that, the proposed model is not sensitive to the size, shape and position of the initial contour of evolutionary curve, it can effectively segment images with intensity inhomogeneity, and its segmentation speed is faster. In addition, the proposed model can segment some real and synthetic images quickly without initial contours.

In order to protect the integrity of the Virtual Machine (VM) sensitive files and make up for the shortcomings such as high performance overhead, low compatibility and poor flexibility in out-of-box monitoring based on the instruction monitoring methods, OFM (Out-of-box File Monitoring) based on hardware virtualization was proposed. In OFM, Kernel-based Virtual Machine (KVM) was used as the virtual machine monitor to dynamically configure sensitive file access control strategy in real-time; in addition, OFM could modify the call table entries related to file operations of virtual machine system to determine the legitimacy of the VM process operation files, and deal with the illegal processes. Unixbench was deployed in a virtual machine to test the performance of OFM. The experimental results demonstrate that OFM outperforms to instruction monitoring methods in file monitoring and has no affect on other types of system calls for virtual machines. Meanwhile, OFM can effectively monitor the integrity of the virtual machine files and provide better compatibility, flexibility and lower performance losses.

In Infrastructure-as-a-Service (IaaS) environment, the limited security service resources and uneven allocation of security resources for multiple tenants causes low efficiency of security service scheduling. To resolve this problem, a tenant security service scheduling framework was designed. Based on the minimum fairness algorithm and the scheduling idea of Fair Scheduler, the minimum sharing resources and resource demand attribute were set for the tenant. Then, the security service resource allocation algorithm was used to satisfy the tenant's resource demand as fair as possible to ensure the minimum sharing resources of the tenant. Finally, a tenant security service scheduling framework was implemented by combining the job scheduling algorithm within tenant and resource preemption algorithm among tenants. The experimental results show that under the condition of random allocation of resources, the proposed security service resource allocation algorithm is better than traditional algorithms in the aspects of resource utilization and operation efficiency, and the security service scheduling framework can solve the uneven allocation of security resources for multiple tenants.

The decryption costs of most Attribute-Based Encryption (ABE) schemes go linearly with the number of attributes used in decryption. Attribute-Based Encryption scheme with Fast decryption (FABE) was used to solve this problem where cipher texts could be decrypted with a constant number of pairings. To solve the problem of existing adaptively secure FABE suffered from superfluous computation overhead because it was designed on composite order groups, an adaptively secure key-policy ABE scheme with fast decryption on prime order groups named PFKP-ABE was proposed. Firstly, based on dual pairing vector space and Linear Secret-Sharing Scheme (LSSS) technology, PFKP-ABE was constructed on prime order groups. Then, a sequence of attacking games indistinguishable from each other was designed to prove that this scheme is adaptively secure in the standard mode when dual system encryption approach was employed. Performance analysis indicates that in comparison with another adaptively secure key-policy ABE scheme with fast decryption on composite order groups (FKP-ABE), the speed of decryption has increased by roughly 15 times.

Since previous Multi-Authority Attribute-Based Encryption (MA-ABE) schemes limit each attribute to appear only once in the access structure, and suffer from superfluous computation overhead on repetitive encoding technique, an adaptively secure and unrestricted Multi-Authority Ciphertext-Policy ABE (MA-CP-ABE) scheme was proposed on prime order groups. Firstly, based on dual pairing vector space and linear secret-sharing schemes technology, an MA-CP-ABE scheme was constructed on prime order groups. Then, q-Parallel BDHE (Bilinear Diffie-Hellman Exponent) assumption was introduced to solve the problem that classical dual system encryption depends on a statistical hypothesis which requires each attribute to appear only once in the access structure, and a series of attacking games indistinguishable from each other was designed to prove that this scheme was adaptively secure in the standard model. Finally, performance analysis indicated that in comparison with another two adaptively secure MA-CP-ABE schemes on prime order groups, the speed of decryption was obviously improved by nearly 20%-40% and 0%-50% respectively as the number of participating attributes increasing, without considering the attribute repetition. This scheme is more efficient in real applications.

Concerning the problem that the network access control of Virtual Machines (VM) in the cloud computing Infrastructure as a Service (IaaS) platforms, a method of communication access control for VM in IaaS platforms was proposed. The method based on Software Defined Networking (SDN) was realized to customize the communication access control rules from Layer 2 to Layer 4. The experimental results show that the method can manage communication access permissions of tenants' VM flexibly, and ensure the security of tenants' network.

In view of the problem that verifying the conformance of e-government network structure, a conformance verification method for e-government network based on graph approximate matching was proposed. The method firstly abstracted the graph model of e-government network, then used the modular characteristic of network structure and k-hop neighboring relationship of vertices to realize extendible approximate graph matching which got all the similar structures between the two graphs. And then it proposed an improved graph similarity measure function by introducing the node importance factor and path distance attenuation factor so as to make the conformity assessment results more accurate. The experimental result shows that the method can accurately evaluate the conformance degree of e-government network structure, and fine-grainedly reflect the similarities or differences between the network structures which include all kinds of violations in the network topology and system deployment.

The virtual machines in cloud computing platform exchange data in the shared memory of physical machine. In view of the problem that the traffic cannot be captured and detected in firewall or other security components, the OpenFlow technology was analyzed, and a traffic redirection method based on OpenFlow was presented. To control traffic forwarding process and redirect it to security components, the method provided network connection for virtual machines with OpenFlow controller and virtual switches instead of physical switches, and built a traffic detection system composed of four modules including virtual switch, control unit, intrusion detection and system configuration management. The experimental results show that the proposed scheme can realize traffic redirection and the subsequent detection processing, and the system can provide switch-level and host-level control granularity. It also solves traffic detection problem under cloud computing environment in traditional scene by traffic redirection, and provides great expansion of the traffic processing based on OpenFlow.

It is difficult to express diversity policy by traditional RBAC (Role-based Access Control) management model. In order to solve the problem, an Attribute based User-Role assignment (ABURA) model was proposed. Attributes were adopted as prerequisite conditions to provide richer semantics for RBAC management policy. In distributed systems, user-role reachability analysis is an important mechanism to verify the correctness of authorization management policy. The definition of user-role reachability analysis problem for ABURA model was given. According to the characteristics of state transition in ABURA model, some reduction theorems for policy were given. Based on these theorems, user-role reachability analysis algorithm was proposed, and the algorithm got verified through examples.

In view of the problems that posture recognition based on vision requires a lot on environment and has low anti-interference capacity, a posture recognition method based on predefined bone was proposed. The algorithm detected human body by combining Kinect multi-scale depth and gradient information. And it recognized every part of body based on random forest which used positive and negative samples, built the body posture vector. According to the posture category, optimal separating hyperplane and kernel function were built by using improved support vector machine to classify postures. The experimental results show that the recognition rate of this scheme is 94.3%, and it has good real-time performance, strong anti-interference, good robustness, etc.

Protocol state machine can describe the behavior of a protocol, which can help to understand the behavior logic of protocol. Oriented towards text protocols, a statistical method was firstly used to extract the semantic keyword of representative message type, and an adjacency matrix was used to describe the sequential relationship between the message types, based on which the protocol states were labeled and a state transition diagram was built. The experimental results show that the method can accurately describe the sequential relationship between the message types and abstract state machine model accurately.

Hot topic mining is an important technical foundation for monitoring public opinion. As current hot topic mining methods cannot solve the affection of word noise and have single hot degree evaluation way, a new mining method based on topic cluster evaluation was proposed. After forum data was modeled by Latent Dirichlet Allocation (LDA) topic model and topic noise was cut off, the data were then clustered by improved cluster center selection algorithm K-means++. Finally, clusters were evaluated in three aspects: abruptness, purity and attention degree of topics. The experimental results show that both cluster quality and clustering speed can rise up by setting topic noise threshold to 0.75 and cluster number to 50. The effectiveness of ranking clusters by their probability of the existing hot topic with this method has also been proved on real data sets tests. At last a method was developed for displaying hot topics.

Nutch crawling performance was optimized by tunning Nutch MapReduce job configurations. In order to optimize Nutch performance, firstly Nutch crawling processes were studied from the view of Hadoop. And based on that, the characters of Nutch jobs workflows were analyzed in detail. Then tunned job configurations were generated by profiling Nutch crawling process. The tunned configurations were set before the next job running of the same type. The appropriate profiling interval was selected to consider the balance between cluster environmental error and profiling load, which improved optimization result. The experimental results show that it is indeed more efficient than the original programs by 5% to 14%. The interval value of 5 makes the best optimization result.

With regard to the singleness of the role establishment method in the traditional cross-domain authorization management models, and the problems such as implicit promotion of privilege and the separation of duties conflict, a new cross-domain authorization management model based on two-tier role mapping was proposed. The two-tier role architecture met the practical needs of role establishment and management. On this basis, unidirectional role mapping can avoid the role mapping rings. By introducing attribute and condition, dynamic adjustment of permissions was realized. The model was formalized by dynamic description logic, including concepts, relations and management actions. In the end, the security of the model was analyzed.

To improve the correctness and feasibility of the implementation of multilevel security in the distributed environment, a distributed multilevel security core architecture — Distributed Trusted Computing Base (DTCB) was proposed. DTCB was divided into three layers, TCB of System layer, TCB of Module layer and TCB of Partition layer, finer multilevel control granularity was realized step by step, greatly reducing the complexity of the implementation of multilevel security in the distributed environment. At last, based on the composable noninterference model, the security of DTCB was formally proved. The result shows that DTCB assures the multilevel security of distributed system as a whole.

With the development of computer technology and Internet, more and more office hosts have been connected to Internet, the threat of sensitive information leakage becomes serious. Therefore, it is extremely necessary to detect whether documents contain sensitive information. In order to solve the low precision and low recall problems caused by the traditional query expansion retrieval methods, this paper built an ontology of sensitive information for users interest, proposed a concept similarity query expansion algorithm based on the interest ontology, and described an experimental case to verify the feasibility of algorithm. The experimental results show that the proposed algorithm can improve the precision and recall of the traditional methods.

Traditional method of color image retrieval based on color histogram has the advantages of simple calculation and scale is not sensitive to change. But the traditional approach has disadvantages: the spatial information of image is lost and the image feature dimension is high. In order to overcome the defects, this paper presents a new method of image retrieval, which based on the difference degree of spatial distribution. First, the image is split into blocks and the similarity of these blocks is formed; Second, the difference degree of spatial distribution is calculated, then the weight values of each partition are defined. Finally, the similarity in different branch module will be accumulated by weight to get the whole image similarity. Experiments show that this algorithm can overcome the disadvantages of the traditional method, and has better retrieval performance.

Considering the basic need of the attack resistance test for trustworthiness, controllability and effectiveness of attack operation, a Denial of Service (DoS) Attack Script Language (DASL) was designed based on Domain Specific Language (DSL), which could be used to develop DoS attacks simply, quickly and conveniently. In this article, attack unit was defined, the domain specific syntactic was constructed based on the analysis of attack samples, the semantic function was realized based on LIBNET, and the interpreter of DASL was designed on the basis of ANTLR. The experimental results show that, attacks developed by DASL were effective and controllable. And DASL can lower the complexity of development, reduce the amount of code to write, increase the efficiency of development and provide powerful support for DoS penetration testing.

Based on the access logs of network users, Feature Weighting Naive Bayes Classification(FWNBC) algorithm is used to identify users. Firstly, the data acquisition system based on WinPcap framework was used to collect the access logs of network users, characteristics are counted from five aspects by analyzing these access logs, and then selected after filtering, at last the FWNBC algorithm is used to identify the 3300 samples, and the recognition rate reached 85.73%.The experiment results show that this algorithm is effective to identify the identity of network users.

The analysis results on PPStream-VOD System client behavior characteristics were presented in this paper. This study began from researching on peer-distributing protocol and the architecture of Buffer-Map based on passive measurement. A dedicated PPS-VOD crawler was deployed to capture clients’ Buffer-Map and study the characteristics of client watching behavior. By accurate data analysis, the client behavior was classified as Long-Smoother, Short-Smoother and Jumper. Then the proportion of three kinds of clients and their different watching behaviors were proposed. The concept watching viscosity was put forward to reveal the attraction of program to users, which is in direct proportion to average watching time, and in inverse proportion to slope of probabillty accumulation curve.

Privilege deduction relation makes the authorization management easier, and at the same time it also causes the calculation of valid privileges more difficult. Therefore, it is important for authorization and access control to calculate deduction relations between privileges correctly and efficiently. Based on the resource hierarchy and operation hierarchy, the rule of privilege deduction was given in this paper. According to the fact that privilege query happens more frequently than privilege update, a new method of calculating deduction relations based on reachability matrix of privilege deduction was proposed. The experimental results show that the new method is more efficient than the way calculating deduction relations directly.