《電子與通信工程專業(yè)英語》課件第15章

Unit15NetworkSecurityBasicsNEWWORDSANDPHRASES

NOTES EXERCISES

參考譯文

EXTENSIVETEXT

Thefirstquestiontoaddressiswhatwemeanby“networksecurity”.Severalpossiblefieldsofendeavorcometomindwithinthisbroadtopic,andeachisworthyofalengthyarticle.Tobegin,virtuallyallthesecuritypolicyissuesraisedinMattBishop’sbook,ComputerSecurityArtandScience,applytonetworkaswellasgeneralcomputersecurityconsiderations.Infact,viewedfromthisperspective,networksecurityisasubsetofcomputersecurity.Theartandscienceofcryptographyanditsroleinprovidingconfidentiality,integrity,andauthenticationrepresentsanotherdistinctfocuseventhoughit’sanintegralfeatureofnetworksecuritypolicy[1].Readerslookingforagoodintroduction(andmore)tothisareashouldconsiderPracticalCryptographybyNielsFergusonandBruceSchneier.

Thetopicalsoincludesdesignandconfigurationissuesforbothnetwork-perimeterandcomputersystemsecurity.ReferencesinthisareaincludeStephenNorthcuttandcolleagues’InsideNetworkPerimeterSecurity,theclassicFirewallsandNetworkSecuritybyStevenBellovinandWilliamCheswick,andtoomanyspecificsystemconfigurationtextstolist.Thesearemerelystartingpointsfortheinterestednovice.

Thepracticalnetworkingaspectsofsecurityincludecomputerintrusiondetection,trafficanalysis,andnetworkmonitoring.Thisarticlefocusesontheseaspectsbecausetheyprincipallyentailanetworkingperspective.

1．Networktraffic

Toanalyzenetworktraffic,weneedabasicunderstandingofitscomposition.Inthisregard,networkingpeopleoftenspeakofflowsandformats.Flowisalaconicreferencetonetworkingprotocolsandthemessagesthattravelbackandforthbetweentheirendpoints.Formatreferstothestructureofthecells,frames,packets,datagrams,andsegments(theawkwardgenerictermisprotocoldataunits)thatcomprisetheflow.ThevastmajorityofnetworktraffictodayusestheInternetProtocol(IP)asitsnetwork-layerprotocol.IPaddressesrepresentsourcesanddestinations,andIProutersworktogethertoforwardtrafficbetweenthem.Link-layerprotocolssuchasEthernet(IEEE802.3),tokenring,framerelay,andasynchronoustransfermode(ATM)forwardIPpackets,calleddatagrams,acrossmanytypesoflinks.

Networkscanbeattackedatmultiplelayers;here,Ifocusonthenetworklayerandthelayeraboveit(thetransportlayer).TheInternetnetworklayeris“unreliable”,meaningitdoesn’tguaranteeend-to-enddatadelivery.Togetreliableend-to-endservice,auserinvokestheTransportControlProtocol(TCP).Fig15.1showstheformatforanIPdatagram;Fig15.2showstheformatforaTCPsegment,whichistheprotocoldataunitassociatedwiththeTCPprotocol.Theseformatsareessentialforunderstandingnetworktrafficcompositionandsomethingofthemethodsthatcanbeusedtocorruptthem.TCP/IPtrafficaccountsformuchofthetrafficontheInternet(althoughTCPisn’ttypicallyusedforvoiceorvideotraffic).

Fig15.1Internetdatagramheaderformat

Fig15.2TransportControlProtocolheaderformat

WenowhaveafairlyrepresentativepictureofthetrafficflowingacrosstheInternet.ItconsistsofIPdatagrams(whichcanbecarriedinsidelink-layerframes,forexample)carryinghigher-layerinformation,oftenincludingTCPsegments.

ThosewithmaliciousintentcouldmisuseanyofthefieldsshowninFig15.1andFig15.2.Theattackerswouldknowtheprotocol’sintentandtherulestousetointerprettheassociatedformatsandflows.Theycancreateanetworkingattackbychangingvaluesinanyofthefields—anyensuingproblemsconstituteattacksonthenetwork.Spoofing,orchangingthesourceaddress,letsanattackerdisguisemalicioustraffic’sorigin.

2．Networkintrusions

TypicalnetworktrafficconsistsofmillionsofpacketspersecondbeingexchangedamonghostsonaLANandbetweenhostsontheLANandotherhostsontheInternetthatcanbereachedviarouters.Networkintrusionsconsistofpacketsthatareintroducedspecificallytocauseproblemsforanyofthefollowingreasons[2]:

toconsumeresourcesuselessly,

tointerferewithanysystemresource’sintendedfunction,or

togainsystemknowledgethatcanbeexploitedinlaterattacks.

Thesimplestexampleofanetworkintrusionisprobablythelandattack.SomeearlyIPimplementationsfailedtotakeintoaccountthatadatagrammightbegeneratedwithidenticalsourceanddestinationIPaddresses.Someolderoperatingsystems(andperhapsunpatchedones)simplycrashediftheyreceivedsuchdatagrams.

Somewhatmorecomplicatedoneisthesmurfattackinwhichanattackerspoofsthesourceaddressandsetsitequaltothetargetedmachine’saddress.Theattackerthenbroadcastsanechorequesttoperhapshundredsofmachinesondistantnetworks—acapabilityprovidedbytheInternetControlMessageProtocol(ICMP).EachdistantmachinerespondstothereceivedechorequestwithanechoresponsemessagetothetargetedIPaddress,thusoverwhelmingthetargetedmachine’sresources.

TheteardropattackissomewhatmoresophisticatedinitsuseoftheheaderfieldsshowninFig15.1.IPversion4(IPv4)canbreaklargedatagramsintosequencesofsmallerIPdatagramsthroughaprocessreferredtoasfragmentation.Itusescertainbitflagsandthefragmentoffsetfieldtoensurethatthefragmentscanbereassembledatthedestination(seeFig15.1).Inateardropattack,anattackersendsfragmentsthatarepurposelymadetooverlapsothattheydon’tfittogetherproperlyatthedestination.Again,older(orunpatched)operatingsystemscouldhavesevereproblemswithsuchfragments.

3．DDoSattacks

InFebruary2000,hackersattackedseveralhigh-profileWebsites,includingA,B,CNNInteractive,andeBay,bysendinglargenumbersofboguspacketswiththeintentofslowingorinterruptingofferedservices.Manyarticleshavesinceexaminedtheseattacksandpotentialdefenses,andseveralWebsitesofferoverviews,casehistories,suggesteddefenses,andotherresources.Inspiteofalltheworkdoneinthisarea,thethreatofDoSattacksremains,ashigh-profileattacksdescribedperiodicallyinthenetworkingtradepresswillattest.Typically,ahackerlaunchesadistributeddenial-of-service(DDoS)attackbyissuingcommandsto“attackzombie”computerprogramsthathavepenetratedunsuspectingusers’machinesviatheInternet—perhapspropagatedbyvirusesorworms,forexample.Oncepresent,thezombiesallowhackerstoleverageusermachinesaspartofanattackagainstagiventarget.NotethatthegeneratedtrafficmightseemtobenormalWebbrowserrequestsandotherinnocent-lookingtrafficthat,infact,differsfromvalidtrafficprincipallyinitsintent.Thismakesidentifyingsuchattacksextremelydifficult.

4．Intrusiondetectionsystems

Nosingletechniqueislikelytodetectallpossibletypesofnetworkintrusions—especiallybecausenewintrusiontypesarestillwaitingtobeexploited.Reviewingtheattacksdescribedhere,it’sclearthatlandattackscanbediscoveredbylookingforarrivingpacketsinwhichthesourceanddestinationIPaddressesareidentical.Smurfattackscan’tbedetectedonthebasisofcontentfromsinglepackets;onlythearrivalofanunusuallylargenumberofICMPechorequestsandresponseswouldsignalsuchanattack’spresence.Wecouldrespondbykillingallechorequestsatagatewayrouter,butdoingsowouldinterferewithothernetworkfunctionsthatmightbevitaltotheorganizationbeingprotected.Wemightdiscovertheteardropattackbylookingforillegalfragmentationinarrivingpackettrains,buttherouter(orfirewall)wouldhavetomaintainasignificantamountofstateinformation.

Intrusiondetectionsystems(IDSs)useparticularcollectionsofanalyticaltechniquestodetectattacks,identifytheirsources,alertnetworkadministrators,andpossiblymitigateanattack’seffects.AnIDSusesoneorbothofthefollowingtechniquestodetectintrusions:

(1)

Signaturedetection—theIDSscanspacketsorauditlogstolookforspecificsignatures(sequencesofcommandsorevents)thatwerepreviouslydeterminedtoindicateagivenattack’spresence.

(2)

Anomalydetection—theIDSusesitsknowledgeofbehaviorpatternsthatmightindicatemaliciousactivityandanalyzespastactivitiestodeterminewhetherobservedbehaviorsarenormal.

It’sfairlyeasytounderstandhowsignaturedetectioncanhelpfindidentifyingcharacteristicsinpreviouslyobservedattacks.Thisisfarfromsimpletoaccomplish,however,becauseattackerscanchangesomeidentifier(aportnumber,aparticularsequencenumber,aparticularprotocolindicator)thataltersthesignaturewithoutaffectingtheattack’sfundamentalnature.Moreover,someoneconstructinganalertbasedonsignaturedetectionmustbemindfulthatnormaltrafficcouldhavethesamecharacteristics.

Ausefulsignaturemustreflectareliableattackidentifierthatdoesn’tgeneratemanyalertsonnonmalicioustraffic.Withthehugenumberofpacketsarrivingatmostmodernsubnets,evenaminisculeerrorratecouldgeneratetensofthousandsoffalsealarmswithinafewminutes.

NEWWORDSANDPHRASES

endeavor n. 努力，盡力

cryptography n.密碼術(shù)；密碼系統(tǒng)，密碼使用法

confidentiality n.機(jī)密性

authentication n.證明，鑒定

perimeter n. 周邊，周長；邊緣

novice n. 新手，初學(xué)者

intrusion vt. 入侵，闖入

laconic adj. 簡潔的，簡明的

awkward adj. 難使用的，笨拙的

invoke vt. 調(diào)用

malicious adj. 懷惡意的，惡毒的

spoof vt. 哄騙

disguise vt. 假裝，偽裝，掩飾

fragmentation n. 分段，

bogus adj. <美>假的,偽造的

attest vt. 證明

zombie n. 巫毒崇拜，蛇神，生性怪僻的人

NOTES

[1]Theartandscienceofcryptographyanditsroleinprovidingconfidentiality,integrity,andauthenticationrepresentsanotherdistinctfocuseventhoughit’sanintegralfeatureofnetworksecuritypolicy.

本句可譯為：盡管密碼技術(shù)是網(wǎng)絡(luò)安全策略的一個(gè)不可分割的特征，但在提供機(jī)密性、完整性和認(rèn)證方面它代表了另一個(gè)截然不同的觀點(diǎn)。

[2]Networkintrusionsconsistofpacketsthatareintroducedspecificallytocauseproblemsforanyofthefollowingreasons:

“thatareintroducedspecificallytocauseproblemsforanyofthefollowingreasons:”是修飾前面的“packets”的后置定語從句；“tocauseproblems”是不定式短語，作目的狀語。

本句可譯為：網(wǎng)絡(luò)入侵包括了一些特別導(dǎo)入的分組，它們可由于以下任何原因而導(dǎo)致問題。

EXERCISES

Ⅰ.

Translatethefollowingwordsorphrases.

networksecuritypolicy computerintrusiondetection trafficanalysis

networkmonitoring networkadministrator DDoS

ICMP false-alarm 敏感數(shù)據(jù)

惡意代碼行為模式分析信號(hào)檢測

Ⅱ.TranslatethefollowingparagraphsintoChinese.

(1)

Inthisregard,networkingpeopleoftenspeakofflowsandformats.Flowisalaconicreferencetonetworkingprotocolsandthemessagesthattravelbackandforthbetweentheirendpoints.Formatreferstothestructureofthecells,frames,packets,datagrams,andsegments(theawkwardgenerictermisprotocoldataunits)thatcomprisetheflow.ThevastmajorityofnetworktraffictodayusestheInternetProtocol(IP)asitsnetwork-layerprotocol.IPaddressesrepresentsourcesanddestinations,andIProutersworktogethertoforwardtrafficbetweenthem.Link-layerprotocolssuchasEthernet(IEEE802.3),tokenring,framerelay,andasynchronoustransfermode(ATM)forwardIPpackets,calleddatagrams,acrossmanytypesoflinks.

(2)

Inspiteofalltheworkdoneinthisarea,thethreatofDoSattacksremains,ashigh-profileattacksdescribedperiodicallyinthenetworkingtradepresswillattest.Typically,ahackerlaunchesadistributeddenial-of-service(DDoS)attackbyissuingcommandsto“attackzombie”computerprogramsthathavepenetratedunsuspectingusers’machinesviatheInternet—perhapspropagatedbyvirusesorworms,forexample.Oncepresent,thezombiesallowhackerstoleverageusermachinesaspartofanattackagainstagiventarget.Notethatthegeneratedtrafficmightseemtobenormal.

(3)

SeveralcommercialandafewpublicIDSsareavailable.Thetradepressfrequentlyevaluatesthem,butresearchjournalsgenerallydonot.EarlyIDSslargelyusedsignaturedetection.Generallyspeaking,theydetectedalltheattackscapturedintheirsignaturedatabases,buttheysufferedfromunacceptablyhighfalse-alarmrates.

參考譯文

第十五單元網(wǎng)絡(luò)安全基礎(chǔ)

要解決的第一個(gè)問題是“網(wǎng)絡(luò)安全”的含義。腦海里想到的幾個(gè)領(lǐng)域都處在這個(gè)寬泛的主題下，而每個(gè)領(lǐng)域都值得長篇大論。事實(shí)上，MattBishop的著作《網(wǎng)絡(luò)安全技術(shù)和科學(xué)》中提出的安全策略既可以應(yīng)用到網(wǎng)絡(luò)中，也可以應(yīng)用到計(jì)算機(jī)安全中。從這個(gè)角度上說網(wǎng)絡(luò)安全實(shí)際上是計(jì)算機(jī)安全的一個(gè)子集。盡管密碼技術(shù)是網(wǎng)絡(luò)安全策略的一個(gè)不可分割的特征，但在提供機(jī)密性、完整性和認(rèn)證方面，它代表了另一個(gè)截然不同的觀點(diǎn)。對此領(lǐng)域期望更多了解的讀者可以閱讀NielsFerguson和BruceSchneier所著的《實(shí)踐密碼學(xué)》一書。

主題也包括了網(wǎng)絡(luò)邊緣和計(jì)算機(jī)系統(tǒng)的設(shè)計(jì)和配置問題。這方面的參考資料包括StephenNorthcutt及其同事所編寫的《網(wǎng)絡(luò)邊緣安全內(nèi)幕》、StevenBellovin和WilliamCheswick的經(jīng)典著作《防火墻和網(wǎng)絡(luò)安全》，其中列出了許多的特定系統(tǒng)設(shè)置。這些僅僅是對此有興趣的初學(xué)者的啟蒙書籍。

實(shí)際的網(wǎng)絡(luò)安全包括計(jì)算機(jī)入侵檢測、業(yè)務(wù)分析和網(wǎng)絡(luò)監(jiān)控。由于它們體現(xiàn)了網(wǎng)絡(luò)的各個(gè)方面，因此本文集中討論這幾個(gè)問題。

1．網(wǎng)絡(luò)業(yè)務(wù)量

為了分析網(wǎng)絡(luò)業(yè)務(wù)量，我們需要對它的組成有一個(gè)基本的了解。在此方面，網(wǎng)民們常常提到流量和格式。流量是對端點(diǎn)間傳輸組網(wǎng)協(xié)議和信息的簡稱。格式指的是組成數(shù)據(jù)流的信元、幀、分組、數(shù)據(jù)報(bào)和分段(難懂的專業(yè)術(shù)語是協(xié)議數(shù)據(jù)單元)的結(jié)構(gòu)。今天，大多數(shù)的網(wǎng)絡(luò)流量使用IP協(xié)議作為網(wǎng)絡(luò)層協(xié)議。IP地址描述了源和目的地址，IP路由器在它們之間轉(zhuǎn)發(fā)業(yè)務(wù)數(shù)據(jù)。鏈路層協(xié)議穿過多種類型的鏈路轉(zhuǎn)發(fā)稱為數(shù)據(jù)報(bào)的IP分組，這些鏈路層協(xié)議包括以太網(wǎng)(IEEE802.3)、令牌環(huán)、幀中繼和異步傳輸模式。網(wǎng)絡(luò)可能在很多層上遭到攻擊，這里集中(討論)網(wǎng)絡(luò)層和它的上層(傳輸層)?；ヂ?lián)網(wǎng)層是“不可靠的”，這意味著它不能保證端到端的數(shù)據(jù)傳遞。為了確保端到端的數(shù)據(jù)的可靠傳遞，使用者調(diào)用了傳輸控制協(xié)議(TCP)。圖15.1所示為IP數(shù)據(jù)報(bào)的格式，圖15.2所示為TCP分段的格式，這是與TCP協(xié)議相關(guān)的協(xié)議數(shù)據(jù)單元。這些格式對于了解網(wǎng)絡(luò)業(yè)務(wù)組成是重要的，并且也是攻擊它們的方法(出處)。TCP/IP業(yè)務(wù)占據(jù)了大部分的互聯(lián)網(wǎng)的流量(盡管TCP通常不用于話音和視頻業(yè)務(wù))。

圖15.1互聯(lián)網(wǎng)數(shù)據(jù)報(bào)頭部格式

圖15.2傳輸控制協(xié)議頭部格式

我們現(xiàn)在對Internet內(nèi)的業(yè)務(wù)量給出相當(dāng)有代表性的描述。它包含了傳送高層信息的IP數(shù)據(jù)報(bào)(比如，數(shù)據(jù)報(bào)可被鏈路層幀傳送)，這些高層信息通常包含了TCP分段。

那些帶有惡意的人可以濫用圖15.1和圖15.2中所示的任何字段。攻擊者知道協(xié)議的意圖和相關(guān)格式的解釋及業(yè)務(wù)流的規(guī)則。他們通過改變(格式中)任何字段的值來創(chuàng)造一個(gè)網(wǎng)絡(luò)攻擊——所有相繼發(fā)生的問題構(gòu)成了網(wǎng)絡(luò)攻擊。哄騙或改變業(yè)務(wù)源的地址可讓攻擊者掩蓋惡意業(yè)務(wù)的來源。

2．網(wǎng)絡(luò)入侵

典型的網(wǎng)絡(luò)業(yè)務(wù)包括了一個(gè)LAN內(nèi)的主機(jī)間、LAN內(nèi)的主機(jī)和互聯(lián)網(wǎng)內(nèi)的主機(jī)(通過路由器可到達(dá))間每秒交換的成千上萬的分組。網(wǎng)絡(luò)入侵包括了一些特別導(dǎo)入的分組，它們可由于以下任何原因而導(dǎo)致問題：

無謂的消耗網(wǎng)絡(luò)資源；

妨礙任何系統(tǒng)資源的既定功能；

獲取可用于以后攻擊的系統(tǒng)知識(shí)。最簡單的網(wǎng)絡(luò)入侵例子可能是登錄攻擊。一些早期的IP實(shí)現(xiàn)未能考慮到可能產(chǎn)生相同源和目的IP地址的數(shù)據(jù)報(bào)。如果一些舊的操作系統(tǒng)(以及可能未打補(bǔ)丁的操作系統(tǒng))接收這樣的數(shù)據(jù)報(bào)，它們很快就會(huì)崩潰。

稍微更復(fù)雜的是smurf攻擊，在這種攻擊中攻擊者哄騙源地址，并把源地址設(shè)為與目標(biāo)機(jī)地址相同。然后，攻擊者會(huì)把echo請求廣播到遠(yuǎn)方網(wǎng)絡(luò)中的成百上千臺(tái)主機(jī)中——這是ICMP協(xié)議提供的功能。每臺(tái)遠(yuǎn)方主機(jī)都以echo信息回復(fù)給目標(biāo)IP地址，因此遠(yuǎn)遠(yuǎn)超過了目標(biāo)主機(jī)(所能接受)的資源能力。

teardrop攻擊利用圖15.1所示的字段頭部，這種攻擊更復(fù)雜。IP版本4(IPv4)能把大的數(shù)據(jù)報(bào)通過一個(gè)稱為分段的過程分割成一系列小的IP數(shù)據(jù)報(bào)。它利用某些標(biāo)記比特和分段偏移字段來保證分段能在目的端被重新組合在一起(如圖15.1所示)。在teardrop攻擊中，攻擊者故意傳送重復(fù)的分段，這樣在目的端它們就不能被正確地組合在一起。此外，使用這樣的分段，較舊(或未打補(bǔ)丁的)的操作系統(tǒng)可能會(huì)有更嚴(yán)重的問題。

3．DDoS(拒絕服務(wù))攻擊

2000年2月，黑客通過發(fā)送大量的偽造分組攻擊了幾個(gè)引人注目的網(wǎng)站，包括A、B、CNN交互頻道和eBay，目的是減慢、妨礙它們提供的服務(wù)。自此，許多文章仔細(xì)研究了這些攻擊和潛在的防御手段，一些站點(diǎn)提供了觀察項(xiàng)、病例、建議的防御措施和其他資源。盡管人們在這個(gè)領(lǐng)域做的工作不少，但是DoS攻擊仍然保持著引人注目的狀態(tài)，(攻擊事實(shí))被周期性地刊登在網(wǎng)絡(luò)商業(yè)新聞上就是證明。典型地，黑客通過發(fā)布命令給“攻擊怪人”計(jì)算機(jī)程序來發(fā)動(dòng)分布式拒絕服務(wù)攻擊(DDoS)，這些程序能通過互聯(lián)網(wǎng)滲透到信任者的機(jī)器中——例如，可能通過病毒或蠕蟲傳播。一旦確定目標(biāo)，“怪人”允許黑客利用用戶機(jī)作為攻擊特定目標(biāo)的一部分。注意：產(chǎn)生的業(yè)務(wù)量要看起來(像)正常的網(wǎng)絡(luò)瀏覽器請求和其他看起來正常的數(shù)據(jù)流。事實(shí)上，它們主要在目的上與正常的業(yè)務(wù)不同，這也使得要鑒別這些攻擊特別困難。

4．入侵檢測系統(tǒng)

沒有單個(gè)技術(shù)能夠檢測到所有可能的網(wǎng)絡(luò)入侵類型——主要因?yàn)槿杂行碌娜肭诸愋偷却龣z測出來?；仡櫱懊嫣岬降墓?，很明顯，登錄攻擊可通過查找具有相同源和目的IP地址的到達(dá)分組來發(fā)現(xiàn)?；趩蝹€(gè)分組的內(nèi)容檢測不出smurf攻擊；只有不正常的大量ICMPecho請求和回復(fù)的到達(dá)能給出這種攻擊來到的信號(hào)。我們的反應(yīng)是：在網(wǎng)關(guān)路由器處殺死所有的echo請求，但是這樣做可能干擾網(wǎng)絡(luò)的其他功能，而這些功能對于被保護(hù)的組織也許是至關(guān)重要的。我們可以通過在到達(dá)的分組隊(duì)列中查找非正常的分段來發(fā)現(xiàn)teardrop攻擊，但是路由器(或防火墻)可能必須維護(hù)數(shù)量驚人的狀態(tài)信息。

入侵檢測系統(tǒng)(IDS)利用特殊的分析技術(shù)來檢測攻擊、識(shí)別攻擊來源、向網(wǎng)絡(luò)管理員發(fā)出警報(bào)，這樣才有可能減輕(被攻擊)后果。入侵檢測系統(tǒng)采用以下一種或兩種技術(shù)來檢測入侵：

(1)簽名檢測——入侵檢測系統(tǒng)通過掃描數(shù)據(jù)包或?qū)徲?jì)日志來尋找特殊的簽名(命令或事件序列)，而這些簽名可預(yù)先暗示特定攻擊的存在。

(2)異常檢測——入侵檢測系統(tǒng)運(yùn)用行為模式知識(shí)來分析過往行為，進(jìn)而確定觀察到的行為是否正常。簽名檢測能夠幫助識(shí)別過往攻擊中的一些特征，理解這些是相當(dāng)容易的。但是，完成簽名檢測遠(yuǎn)不止如此簡單。因?yàn)楣粽呖赡軙?huì)改變某一標(biāo)識(shí)符(端口號(hào)、特別的序列號(hào)、特別的協(xié)議指示器)，但是某些標(biāo)識(shí)符的改變并不影響攻擊的基本特征。此外，有人基于簽名檢測構(gòu)建了報(bào)警系統(tǒng)，但是(在使用時(shí))必須謹(jǐn)慎，因?yàn)檎５臉I(yè)務(wù)可能也具有相同的特征。

一個(gè)有用的簽名檢測必須能夠可靠地識(shí)別攻擊，(此處)可靠的識(shí)別攻擊指的是對非惡意業(yè)務(wù)不能產(chǎn)生大量虛警。在大部分的現(xiàn)代子網(wǎng)中，短短幾分鐘內(nèi)可能就會(huì)接收到海量數(shù)據(jù)分組，(所以)即使一個(gè)小小的錯(cuò)誤也可能導(dǎo)致產(chǎn)生好幾萬個(gè)虛警。

EXTENSIVETEXT

TakeThisBlogandShoveIt!

Inthehistoryofweb,lastspringmayfigureasatippingpoint.That’swhenWikipedia,“thefreeencyclopediathatanyonecanedit”—asitethatgrewfrom100,000articlesin2003tomorethan15milliontoday—begantofalterasasocialmovement.Thousandsofvolunteereditors,theloyalWikipedianswhoactuallywrite,fact-check,andupdateallthosearticles,loggedoff-manyforgood.Forthefirsttime,morecontributorsappearedtobedroppingoutthanjoiningup,activityonthesitehasremainedstagnant,accordingtoaspokespersonfortheWikimediaFoundation,thenonprofitbehindthesite,andit’sbecome“areallyseriousissue”.Soserious,infact,thatthisfallWikipediawillturntosomethingithasneverneededbefore:recruiters.

There’snoshortageoftheoriesinwhyWikipediahasstalled.Oneholdsthatthesiteisvirtuallycomplete.Anothersuggeststhataggressiveeditorsandatangleofantivandalismruleshavescaredoffcasualusers.Butsuchexplanationoverlookafardeeperandenduringtruthabouthumannature:mostpeoplesimplydon’twanttoworkforfree.TheyliketheideaoftheWebasaplacewherenoonegoesunheardandthecontributionsofmillionsofamateurscanchangedtheworldandturnontheircomputer,itturnsoutmanyofthemwouldratherwatchfunnyvideosofkittensorshopforcheapairfaresthancontributetothegreatergood.EventheInternetisnomatchforsloth.

That’swhyWikipedia’snewrecruitingpushwillnotrelymerelyonhighfalutinpromisesaboutpooledgreatnessand“thesumofallhumanknowledge”.Instead,theorganizationishopingtogetstudentstowriteandeditentriesaspartofeightprofessorsatschoolsincludingGeorgeWashingtonandPrincetontointegratetheoncefrowned-uponresearchtoolintopublic-policycurricula.Aspartoftheprogram,Wikipedia’s“campusambassadors”willleadin-classtrainingsessionsonhowtoeditthesiteandhelpstartWikipediastudentgroips.

Techwriterscontinuetotoutsocialmediaasatransformativephenomenoninitsinfancy.That’scertainlytrueforsuchsiteasFacebook,whichboastsmorethan500millionactiveusers,orFlickr,whichhostssome4billionphotos.YouTubealsoshowsnosignofslowingdown.Butthosesitesofferclearbenefitstousers,indulgeinagameofMobWars,sharebabypictures,orwatchvideosoffashionmodelsfallingdown,inexchangefortheirtimeandefforts.

Manyotherelementsoftheuser-generatedrevolution,meanwhile,arebeginningtolooksluggish.Thepracticeofcrowdsourcing,inparticular,workedbecausetheearlyWebinspiredakindofcollectivefever,onethatmadetheslogofwritingencyclopediaentriesfeelnew,cool,fun.ButwiththreeoutoffourAmericanhouseholdsonline,contributionstothehivemindcanseemabitpassé,andWebparticipation,well,boring—kingoflikewritingencyclopediaentriesforfree.

Evidenceofthisennuiiseverywhere.Amateurblogs,theoriginalembodimentofWebdemocracy,areshowingsignsofdecline.Whileprofessionalbloggersare“arisingclass”,accordingtoTechnorati,hobbyistsareinretreat,andabout95percentofblogsarelaunchedandquicklyabandoned.ArecentPewstudyfoundthatblogginghaswitheredasapastime,withthenumberof18to24-year-oldswhoidentifythemselvesasbloggersdecliningbyhalfbetween2006and2009.AshifttoTwitter—ormicroblogging,asit’scalled—partlyaccountsforthesenumbers.ButwhileTwittercarriesmorethan50milliontweetsperday,itsarmyofkeystrokersmaynotbeaslargeasitseems.Asmanyas90percentoftweetscomefrom10percentofusers,accordingtoa2009Harvardstudy.Theothersareprimarily“l(fā)urkers”—peoplewhodon’tcontributebuttrackthepostingsofothers.Between60and70percentsofpeoplewhosignupforthe140-characterplatformquitwithinamonth,accordingtoarecentNielsenreport.

Citizenjournalismalsohasstabilized.Fewerthanonein10Webuserssaytheycreatedtheirownoriginalnewsoropinionpiece,accordingtoPew,andcommentsectionsonblogsormainstreammediasites,whichwheresupposedtoturntheoldone-waymediaintoatwo-waystreet,areoftentooprofane,hateful,oroff-pointtoattractpeople.OnlyoneinfourWebusersleftacomment—probablynomorethanwroteletterstotheeditorindecaderspas,saysBrianThornton,aUniversityofNorthFloridaprofessorwhohasstudiedthehistoryoftheletterspage.

Naturally,assomeenergygoesoutoftheWeb,sitethatdependonenthusiasticfreelaborarescramblingtoremainit.Thetaskismademoredifficultbythefactthattheeompetitionissteeperthanever.MichiganStateUniversityprofessorCliffLampe,whostudiesonlinecommunities,saysthatwheretherewereoncethreeorfoursitesarenowthousandsorevenmillions.“You’retakingalimitedresource—people—andspreadingitoveramuchwidersetofopportunities”,hesays.“itchangestheplayingfield.”

Thesmartplayersarechanging,too.Diggbeganas“thenewNewYorkTimes”,adigitalfrontcuratedbyuserswho“voteup”theirfavoritestories.Thesiteq