
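2004 U.S. Undergraduate Mathematical Contest in Modeling Problems
2004 Mathematical Contest in Modeling (MCM) Problems

Original download address: dergraduate/contests/
(Translated by 李炳照 and 王宏洲; reviewed by 葉其孝 and 吳慶寶)

Problem A: Are Fingerprints Unique?

It is widely believed that every person's fingerprints are different. Develop and analyze a model that can assess the probability that this claim is correct, and then compare the fingerprint identification error rate you find in this problem with the DNA identification error rate.

PROBLEM A: Are Fingerprints Unique?

It is a commonplace belief that the thumbprint of every human who has ever lived is different. Develop and analyze a model that will allow you to assess the probability that this is true. Compare the odds (that you found in this problem) of misidentification by fingerprint evidence against the odds of misidentification by DNA evidence.

Problem B: A Faster QuickPass System

"QuickPass" systems are appearing more and more, at tollbooths, amusement parks and elsewhere, to reduce the time people spend waiting in line. Consider the design of a QuickPass system for an amusement park. As a trial, the park has offered QuickPass service for several popular rides. The idea is that for certain popular rides a visitor can go to a machine next to the ride and insert that day's admission ticket, and the machine returns a slip stating a specific time window in which the visitor may come back. For example, if you insert your ticket at 1:15 pm, the QuickPass system tells you that you may return between 3:30 and 4:30 pm; you can then use your slip to join a second line, which is likely to be shorter, so that you get onto the ride sooner. To prevent visitors from using the system for several rides at the same time, a customer can hold only one QuickPass at any given moment.

Your team has been hired as one of several qualified consultants to improve the operation of the QuickPass system. Visitors have been complaining about some anomalies in the trial system. For example, customers sometimes see the system offer a return time 4 hours later, yet only a short while afterwards, at the same ride, the return time offered is only an hour or a little more. Sometimes the number of visitors scheduled by the QuickPass system, and their waiting time, is almost the same as the number of people and the time spent in the regular line. The problem, then, is to propose and test schemes that improve the efficiency of the QuickPass system so that people can enjoy more of their leisure time in the park. Part of the problem is to determine the criteria for evaluating the alternative schemes. Your report should include a non-technical summary so that the park's executives can choose among the alternatives proposed by the various consultants.

PROBLEM B: A Faster QuickPass System

QuickPass systems are increasingly appearing to reduce people's time waiting in line, whether it is at tollbooths, amusement parks, or elsewhere. Consider the design of a QuickPass system for an amusement park. The amusement park has experimented by offering QuickPasses for several popular rides as a test. The idea is that for certain popular rides you can go to a kiosk near that ride and insert your daily park entrance ticket, and out will come a slip that states that you can return to that ride at a specific time later. For example, you insert your daily park entrance ticket at 1:15 pm, and the QuickPass states that you can come back between 3:30 and 4:30 pm when you can use your slip to enter a second, and presumably much shorter, line that will get you to the ride faster. To prevent people from obtaining QuickPasses for several rides at once, the QuickPass machines allow you to have only one active QuickPass at a time.

You have been hired as one of several competing consultants to improve the operation of QuickPass. Customers have been complaining about some anomalies in the test system. For example, customers observed that in one instance QuickPasses were being offered for a return time as long as 4 hours later. A short time later on the same ride, the QuickPasses were given for times only an hour or so later. In some instances, the lines for people with QuickPasses are nearly as long and slow as the regular lines.

The problem then is to propose and test schemes for issuing QuickPasses in order to increase people's enjoyment of the amusement park. Part of the problem is to determine what criteria to use in evaluating alternative schemes. Include in your report a non-technical summary for amusement park executives who must choose between alternatives from competing consultants.

2004 U.S. Undergraduate Interdisciplinary Contest in Modeling Problem
2004 Interdisciplinary Contest in Modeling (ICM) Problem

(Translated by 李炳照 and 王宏洲; reviewed by 葉其孝 and 吳慶寶)

Secure or Not?

You have probably heard of computer hackers and computer viruses. Unless your computer has been attacked by a hacker or a virus, you may not know how they can affect an individual or an organization. If a computer is attacked by a hacker or a virus, important personal information and software on it may be lost.

The creation of a new university campus is under consideration, and your task is to build a model for assessing the risk to this university's information technology (IT) security. The narrative below gives some background material to help you form a scheme for examining IT security. The specific tasks are given later.

Computer systems are protected from malicious activity by multiple layers of defense. These layers, which include both a policy layer and a technology layer (Figure 1, Preventative Defensive Measures (omitted)), have varying effects on the organization's risk categories (Figure 2, Economic Risk Schematic for IT Systems (omitted)).

Management and usage policies deal with how users interact with the organization's computers and networks and how staff (system administrators) maintain the network. These policies may include password authentication, formal security audits, usage tracking, use of wireless devices, concerns about removable media, limits on personal use, and user training. An example password policy might include requirements for password length and for the characters used in passwords, how often passwords must be changed, and the number of failed login attempts allowed. Each policy solution carries direct costs associated with its implementation, as well as factors that affect productivity and security. In Figure 1 only the topmost level is shown in detail; the structure of every level is in fact the same.

The second aspect of the security posture is the set of technological solutions that detect, mitigate and defeat unauthorized activity by both internal and external users. These solutions cover both software and hardware, and include intrusion detection systems (IDS = Intrusion Detection Systems), firewalls, anti-virus systems, vulnerability scanners, and redundant backups. For example, an IDS monitors and records significant events on a particular computer or from the network, examining data and providing an "after the fact" investigative capability for identifying suspicious activity. SNORT is a widely used IDS solution. Figure 1 provides a sample of key defensive measures (management/usage policies and technology solutions). Like policies, technology solutions have direct costs as well as factors that affect productivity and security.

To Be Secure or Not to Be?

You probably know about computer hackers and computer viruses. Unless your computer has been targeted by one, you may not know how they could affect an individual or an organization. If a computer is attacked by a hacker or virus, it could lose important personal information and software.

The creation of a new university campus is being considered. Your requirement is to model the risk assessment of information technology (IT) security for this proposed university. The narrative below provides some background to help develop a framework to examine IT security. Specific tasks are provided at the end of this narrative.

Computer systems are protected from malicious activity through multiple layers of defenses. These defenses, including both policies and technologies (Figure 1 Preventative Defensive Measures), have varying effects on the organization's risk categories (Figure 2 Economic Risk Schematic for IT Systems).

Management and usage policies address how users interact with the organization's computers and networks and how people (system administrators) maintain the network. Policies may include password requirements, formal security audits, usage tracking, wireless device usage, removable media concerns, personal use limitations, and user training. An example password policy would include requirements for the length and characters used in the password, how frequently they must be changed, and the number of failed login attempts allowed. Each policy solution has direct costs associated with its implementation and factors that impact productivity and security. In Figure 1, only the topmost branch is fully detailed. The structure is replicated for each branch.

The second aspect of a security posture is the set of technological solutions employed to detect, mitigate, and defeat unauthorized activity from both internal and external users. Technology solutions cover both software and hardware and include intrusion detection systems (IDS), firewalls, anti-virus systems, vulnerability scanners, and redundancy. As an example, IDS monitors and records significant events on a specific computer or from the network examining data and providing an "after the fact" forensic ability to identify suspect activity. SNORT is a popular IDS solution. Figure 1 provides a sample of key defensive measures (management/usage policies and technology solutions). As with a policy, a technology solution also has direct costs, as well as factors that impact productivity and security.

Sources of information security risk include (but are not limited to) people or hardware inside or outside the organization (Figure 2). Different preventive defensive measures (Figure 1) may be more effective against an insider threat than against a threat from a computer hacker. In addition, external threats often differ in motivation, which may also call for different security measures. For example, dealing with an intruder who is trying to retrieve private data or customer databases is likely to require a very different approach from dealing with an intruder who is trying to bring down the network.

The potential information security costs that an organization may face include opportunity costs (Figure 2) (reviewer's note: when management fails to make a decision or to take an opportunity that would bring greater returns (for example, an investment project), the forgone returns are the opportunity cost), personnel costs, and the cost of preventive defensive measures. Significant opportunity costs mainly include: litigation damages, loss of private data, consumer confidence, loss of direct revenue, reconstruction of data, and reconstruction of services. Each cost varies with the size of the organization. For example, the university's health care unit has a greater potential cost from losses in litigation and in the availability of patient medical records than from rebuilding its service systems.

An organization can evaluate potential opportunity costs through risk analysis. Risk can be divided into three risk categories: confidentiality, integrity and availability. Taken together, these categories determine the organization's security posture. Each risk category affects costs in a way that depends on the organization's mission and requirements. Confidentiality refers to protecting data from disclosure to unauthorized parties. If the health care unit's records were disclosed through negligence or were stolen, the unit could face serious litigation. Data integrity means that the state of the data is not altered. If an intruder modifies the pricing information for certain products or deletes entire data sets, the organization faces the costs of correcting transactions affected by the erroneous data, the costs of re-establishing the correct values, and possible losses in consumer confidence and revenue. Finally, availability means that resources, including data and services, are available to authorized users. This risk can show itself financially in a way similar to confidentiality and integrity.

Every measure implemented to strengthen the organization's security posture affects these three risk categories (positively or negatively). Whenever a new defensive security measure is implemented, it changes the current security posture and, in turn, the potential opportunity costs. A complicated problem facing organizations is how to balance their potential opportunity costs against the expense of protecting their IT infrastructure (preventive protective measures).

Sources of risk to information security include, but are not limited to, people or hardware within or outside the organization (Figure 2). Different preventive defensive measures (Figure 1) may be more effective against an insider threat than a threat from a computer hacker. Additionally, an external threat may vary in motivation, which could also indicate different security measures. For example, an intruder who is trying to retrieve proprietary data or customer databases probably should be combated much differently from an intruder who is trying to shut down a network.

Potential costs due to information security that an organization may face (Figure 2) include opportunity cost, people, and the cost of preventative defensive measures. Significant opportunity costs include: litigation damages, loss of proprietary data, consumer confidence, loss of direct revenue, reconstruction of data, and reconstruction of services. Each cost varies based on the profile of the organization. For example, a health care component of the university might have a greater potential for loss due to litigation or availability of patient medical records than with reconstruction of services.

An organization can evaluate potential opportunity costs through a risk analysis. Risks can be broken down into three risk categories: confidentiality, integrity, and availability. Combined, these categories define the organization's security posture. Each of the categories has different impacts on cost depending on the mission and requirements of the organization. Confidentiality refers to the protection of data from release to sources that are not authorized with access. A health care organization could face significant litigation if health care records were inadvertently released or stolen. The integrity of the data refers to the unaltered state of the data. If an intruder modifies pricing information for certain products or deletes entire data sets, an organization would face costs associated with correcting transactions affected by the erroneous data, the costs associated with reconstructing the correct values, and possible loss of consumer confidence and revenue. Finally, availability refers to resources being available to an authorized user, including both data and services. This risk can manifest itself financially in a similar manner as confidentiality and integrity.

Each measure implemented to increase the security posture of an organization will impact each of the three risk categories (either positively or negatively). As each new defensive security measure is implemented, it will change the current security posture and subsequently the potential opportunity costs. A complicated problem faced by organizations is how to balance their potential opportunity costs against the expense of securing their IT infrastructure (preventative defensive measures).

Task 1: The Rite-On consulting firm has given you the task of developing a model that can be used to determine the right policies and technology enhancements needed for an appropriate level of IT security at a new university. The immediate need, when applying to open a new university, is to determine the best combination of preventive defensive measures that minimizes the opportunity costs together with the costs of procurement, maintenance and system administrator training. Rite-On has contracted a group of technicians to collect the current technical specifications used to support IT security planning. Detailed technical data cataloguing some possible defensive measures are contained in Tables A and B of the enclosures. The technicians who prepared these data sheets point out that, when you combine defensive measures, the cumulative effects within and between confidentiality, integrity and availability cannot simply be added.

The planned university system has 10 academic departments, a department of intercollegiate athletics, an admissions office, a bookstore, a registrar's office (grade and academic status management), and a dormitory complex that can house 15,000 students. The university expects to have 600 staff and faculty (not including IT support staff) to carry out day-to-day work. The academic departments will maintain 21 computer labs (30 computers per lab) and the computers used by the 600 staff and faculty (one per employee). Each dormitory room has two ports with high-speed access to the campus network. Each student is expected to have a computer. The number of computers needed by the other departments and agencies cannot be predicted at present. It is known that the bookstore will have a Web site and offer online book sales, and the registrar's office will maintain a Web site where students can check payment status and grades. In addition, the administrative office, the student health center and the athletics department will each maintain a Web site.

The average annual salary of administrative staff is $38,000 and that of faculty is $77,000. Current industry practice is to employ 3 to 4 system administrators to manage each local area network and, in addition, 1 system administrator (desktop support) for every 300 computers. Furthermore, each separate computer system (for Web hosting or data management) is generally managed by 1 system administrator.

Table 1 lists the current projected IT opportunity costs with no defensive measures. The share of each cost attributable to the various risk categories (C for confidentiality, I for integrity and A for availability) is also given in Table 1.

Task 1: You have been tasked by the Rite-On Consulting Firm to develop a model that can be used to determine an appropriate policy and the technology enhancements for the proper level of IT security within a new university campus. The immediate need is to determine an optimal mix of preventive defensive measures that minimizes the potential opportunity costs along with the procurement, maintenance, and system administrator training costs as they apply to the opening of a new private university. Rite-On contracted technicians to collect technical specifications on current technologies used to support IT security programs. Detailed technical data sheets that catalog some possible defensive measures are contained in Enclosures A and B. The technician who prepared the data sheets noted that as you combine defensive measures, the cumulative effects within and between the categories confidentiality, integrity, and availability cannot just be added.

The proposed university system has 10 academic departments, a department of intercollegiate athletics, an admissions office, a bookstore, a registrar's office (grade and academic status management), and a dormitory complex capable of housing 15,000 students. The university expects to have 600 staff and faculty (non IT support) supporting the daily mission. The academic departments will maintain 21 computer labs with 30 computers per lab, and 600 staff and faculty computers (one per employee). Each dorm room is equipped with two (2) high speed connections to the university network. It is anticipated that each student will have a computer. The total computer requirements for the remaining department/agencies cannot be anticipated at this time. It is known that the bookstore will have a Web site and the ability to sell books online. The Registrar's Office will maintain a Web site where students can check the status of payments and grades. The admissions office, student health center, and the athletic department will maintain Web sites.

The average administrative employee earns $38,000 per year and the average faculty employee earns $77,000 per year. Current industry practice employs three to four system administrators (sys admin) per sub-network and there is typically one (1) sys admin (help desk support) employee per 300 computers. Additionally, each separate system of computers (for web hosting or data management) is typically managed by one (1) sys admin person.

The current opportunity cost projection (due to IT) with no defensive measures is shown in Table 1. The contribution of various risk categories (Confidentiality, Integrity, and Availability) to a given cost is also shown in Table 1.

Table 1: Current Opportunity Costs and Risk Category Contributions

Opportunity Cost (due to IT)    Amount        Risk Category Contribution
Litigation                      $3,800,000    C (55%), (45%)
Proprietary Data Loss           $1,500,000    C (70%), I (30%)
Consumer Confidence             $2,900,000    C (40%), …
Data Reconstruction             $400,000      I (100%)
Service Reconstruction          $80,000       I (100%)
Direct Revenue                  $250,000      I (30%), A (?)

Task 2: We know that technical specifications change quickly over time, but the relationships and interactions among costs, risk categories and sources of risk change more slowly. Build a model for the problem in Task 1 that is flexible enough both to adapt to rapid changes in technological capability and to be transferred to different organizations. Describe carefully the assumptions you make in designing the model. In addition, provide an example showing how the university could use your model to determine its initial IT security system and to update it periodically.

Task 3: Prepare for the university president a position statement of about 3 pages describing the strengths, weaknesses and flexibility of the model you built in Task 2. In addition, explain what can be inferred from your model and what should not be inferred.

Task 4: If you were building an IT security model for a commercial company that provides a WWW search engine (for example Google, Yahoo, AltaVista), explain the differences that might exist in the initial risk category contributions (Table 1). Does the model you built for the university apply equally to these commercial companies?

Task 5: Honeynets are designed to gather extensive information about IT security threats. Write a two-page memo to your supervisor advising whether the university or the search engine company should consider using a honeynet. (Reviewer's note: the Honeynet Project is a non-profit research organization of security professionals dedicated to information security. Founded in April 1999, all of its work is open source and shared with the security community.)

Task 6: To become a leader in IT security consulting, the Rite-On consulting firm must be able to anticipate effectively the future direction of information technology and to advise other companies on how to respond to future information security risks. After completing your analysis, write a two-page memo to the president of the Rite-On consulting firm telling him about the future of information security. In addition, describe how your model can be used to anticipate and respond to an uncertain future.

Note: Figures 1 and 2 and Appendices 1 and 2 of the original problem are omitted.

Task 2: We know that technical specifications will change rapidly over time. However, the relations and interplay among costs, risk categories, and sources of ri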
