两层架构的可信身份服务平台研究与设计

针对当前网络环境中基于用户真实身份安全管控需求与用户隐私保护需求之间的矛盾,引入主管机构作为可信方,将用户的真实身份管理与虚拟业务账号管理独立开来,建立两层架构的可信身份服务平台。平台通过身份绑定机制,建立用户业务账号与其真实身份之间的映射关系,实现基于真实身份的信任保障;并根据业务的应用场景配置策略为其提供用户属性,以保障用户隐私安全。     

ICENI: Optimisation of component applications within a Grid environment

Effective exploitation of Computational Grids can only be achieved when applications are fully integrated with the Grid middleware and the underlying computational resources. Fundamental to this exploitation is information. Information about the structure and behaviour of the application, the capability of the computational and networking resources, and the availability and access to these resources by an individual, a group or an organisation.

In this paper we describe Imperial College e-Science Networked Infrastructure (ICENI), a Grid middleware framework developed within the London e-Science Centre. ICENI is a platform-independent framework that uses open and extensible XML derived protocols, within a framework built using Java and Jini, to explore effective application execution upon distributed federated resources. We match a high-level application specification, defined as a network of components, to an optimal combination of the currently available component implementations within our Grid environment, by using composite performance models. We demonstrate the effectiveness of this architecture through the high-level specification and solution of a set of linear equations by automatic and selection of optimal resources and implementations.     

Globus Toolkit Version 4: Software for Service-Oriented Systems

The Globus Toolkit （GT） has been developed since the late 1990s to support the development of serviceoriented distributed computing applications and infrastructures. Core GT components address, within a common framework, fundamental issues relating to security, resource access, resource management, data movement, resource discovery, and so forth. These components enable a broader ＂Globus ecosystem＂ of tools and components that build on, or interoperate with, GT functionality to provide a wide range of useful application-level functions. These tools have in turn been used to develop a wide range of both ＂Grid＂ infrastructures and distributed applications. I summarize here the principal characteristics of the recent Web Services-based GT4 release, which provides significant improvements over previous releases in terms of robustness, performance,, usability, documentation, standards compliance, and functionality. I also introduce the new ＂dev.globus＂ community development process, which allows a larger community to contribute to the development of Globus software.     

The Effect of Network Characteristics on Online Identity Management Practices

As online social networking permeates all aspects of personal and professional lives, users of social networking sites (SNSs) are more motivated than ever to manage their online identities to project a favorable impression of themselves to online audiences. This research builds on the boundary management perspective to gain a better understanding of online identity management practices by examining the relationship between characteristics of the online social network, including cognitive homogeneity and social tie variety and the use of identity management practices such as segmentation and self-enhancement. The proposed research model is tested using survey data. The findings suggest cognitive homogeneity is positively related to the use of both identity management practices, segmentation and self-enhancement, whereas social tie variety is positively related to segmentation, but not self-enhancement practices. We conclude with implications of the study results for research and practice, as well as a discussion of directions for future research.     

Full autonomic repair for distributed applications

Grid or cloud environments leverage the need for self‐repair solutions that resist and repair their own failures, something not yet ensured by existing solutions. In this paper, we describe the JADE Autonomic Repair System for legacy applications deployed in a grid or cloud environment. JADE is based on three main design principles. First, legacy applications are wrapped with Java objects, obtaining a uniform set of management operations over the heterogeneous legacy management capabilities. Second, to gain full autonomy, we adopt a replicated design combined with a recursive approach that makes JADE appear to JADE as any distributed application it manages and repairs. Finally, to scale, we rely on tiling the distributed environment and structuring our repair system per tile. To our knowledge, our repair system is the only one that is designed to scale and is fully autonomic, repairing not only the failures of the managed system but also its own. Our repair system has been tested in various realistic scenarios. Copyright © 2013 John Wiley & Sons, Ltd.     

Advanced data processing in KRISYS: modeling concepts, implementation techniques, and client/server issues

The increasing power of modern computers is steadily opening up new application domains for advanced data processing such as engineering and knowledge-based applications. To meet their requirements, concepts for advanced data management have been investigated during the last decade, especially in the field of object orientation. Over the last couple of years, the database group at the University of Kaiserslautern has been developing such an advanced database system, the KRISYS prototype. In this article, we report on the results and experiences obtained in the course of this project. The primary objective for the first version of KRISYS was to provide semantic features, such as an expressive data model, a set-oriented query language, deductive as well as active capabilities. The first KRISYS prototype became completely operational in 1989. To evaluate its features and to stabilize its functionality, we started to develop several applications with the system. These experiences marked the starting point for an overall redesign of KRISYS. Major goals were to tune KRISYS and its query-processing facilities to a suitable client/server environment, as well as to provide elaborate mechanisms for consistency control comprising semantic integrity constraints, multi-user synchronization, and failure recovery. The essential aspects of the resulting client/server architecture are embodied by the client-side data management needed to effectively support advanced applications and to gain the required system performance for interactive work. The project stages of KRISYS properly reflect the essential developments that have taken place in the research on advanced database systems over the last years. Hence, the subsequent discussions will bring up a number of important aspects with regard to advanced data processing that are of significant general importance, as well as of general applicability to database systems. Received June 18, 1996 / Accepted November 11, 1997     

Assessing the Usability of a Science Gateway for Medical Knowledge Bases with TRENCADIS

Biomedical applications are often built on top of knowledge bases that contain medical images and clinical reports. Currently, these bases are being used to improve diagnosis, research and teaching, but in many cases, the infrastructure required has a prohibitive cost for many medical centres. However, resources can be attached from existing e-Science infrastructures. Therefore, many efforts have been made to establish best practices that allow the use of such infrastructures. However, e-Science relies on open, distributed, collaborative environments, built on top of very specialized technologies, such as Grid and Cloud computing, which require reasonable technical skills for their usage. Therefore, science gateways have become essential tools that assist users in interacting with e-Science applications. This paper describes TRENCADIS, a technology that supports the creation and operation of virtual knowledge bases. To this end, it provides developers with components and APIs for building secure data services that can be annotated and queried through ontology templates, based on DICOM and DICOM-SR. This technology was used in this paper to build a gateway for assisting diagnosis and research in breast cancer. We also present here the results of a study conducted to evaluate the gateway, from the point of view of the usability perceived by a group of physicians and radiologists.     

Resource efficiency of the GigaNetIC chip multiprocessor architecture

In this article, we present the prototypical implementation of the scalable GigaNetIC chip multiprocessor architecture. We use an FPGA-based rapid prototyping system to verify the functionality of our architecture in a network application scenario before fabricating the ASIC in a modern CMOS standard cell technology. The rapid prototyping environment gives us the opportunity to test our multiprocessor architecture with Ethernet-based data streams in a real network scenario. Our system concept is based on a massively parallel processor structure. Due to its regularity, our architecture can be easily scaled to accommodate a wide range of packet processing applications with various performance and throughput requirements at high reliability. Furthermore, the composition based on predefined building blocks guarantees fast design cycles and simplifies system verification. We present standard cell synthesis results as well as a performance analysis for a firewall application with various couplings of hardware accelerators. Finally, we compare implementations of our architecture with state-of-the-art desktop CPUs. We use simple, general-purpose applications as well as the introduced packet processing tasks to determine the performance capabilities and the resource efficiency of the GigaNetIC architecture. We show that, if supported by the application, parallelism offers more opportunities than increasing clock frequencies.     

Distributed information service architecture for overlapping multiaccess networks

Multimedia delivery in mobile multiaccess network environments has emerged as a key area within the future Internet research domain. When network heterogeneity is coupled with the proliferation of multiaccess capabilities in mobile handheld devices, one can expect many new avenues for developing novel services and applications. New mechanisms for audio/video delivery over multiaccess networks will define the next generation of major distribution technologies, but will require significantly more information to operate according to their best potential. In this paper we present and evaluate a distributed information service, which can enhance media delivery over such multiaccess networks. We describe the proposed information service, which is built upon the new distributed control and management framework (DCMF) and the mobility management triggering functionality (TRG). We use a testbed which includes 3G/HSPA, WLAN and WiMAX network accesses to evaluate our proposed architecture and present results that demonstrate its value in enhancing video delivery and minimizing service disruption in an involved scenario.     

Toward Efficient Distributed Network Management

The emerging next generation of routers exhibit both high performance and rich functionality, such as support for virtual private networks and quality-of-service (QoS). To achieve this, per flow queueing and fast IP filtering are incorporated into the router hardware. The scalable management of a network comprising such devices and efficient use of the new functionality introduce new challenges. A promising approach is to distribute the network management applications and execute them with minimal central control. This work concentrates on the way multiple distributed control tasks can be deployed in IP networks. By a prototype that uses active network techniques we show how truly distributed applications can be used for control and monitoring. We study basic management applications, show the potential gain from running them distributively, and demonstrate their implementation.     

Call admission control and load balancing for voice over IP

IP networks are traditionally designed to support a best-effort service, with no guarantees on the reliable and timely delivery of packets. With the migration of real-time applications such as voice onto IP-based platforms, the existing IP network capabilities become inadequate to provide the quality-of-service (QoS) levels that the end-users are accustomed to. While new protocols such as DiffServ and MPLS allow some amount of traffic prioritization, guaranteed QoS requires call admission control. This paper reviews several possible implementations and shows simulation results for one promising method that makes efficient use of the network and is scalable to large networks.     

Experience report: evolution of a web‐integrated software development and verification environment

This paper summarizes our experiences over the last 4 years in creating a web‐integrated software development and verification environment. The environment has been used for both research experimentation and education. It has been used in undergraduate computer science courses to teach modular software development and analytical reasoning principles at multiple institutions. In the process, the environment has undergone many refinements to meet demands for improved functionality and to leverage rapidly changing underlying technology for the improvements. The environment is tailored to present formal specifications and alternative implementations of components, and enable correctness checking through a server‐side verifying compiler. This paper presents a detailed account of the development and evolution of the environment—its functionality, user interface, and underlying technology—that we hope will serve as a model for others, especially as the benefits of online learning systems are becoming increasingly obvious. Copyright © 2014 John Wiley & Sons, Ltd.     

分布式网络管理系统中的访问控制

随着通信网络应用的不断增长,网络的结构日趋复杂,在这种情况下,采用分布式结构的网络管理系统应运而生。这一分布式结构为网络管理工作的顺利进行带来了许多便利,但同时也为系统增加了更多的安全威胁。该文针对分布式网络管理系统的这一特点,设计了相应安全架构中的访问控制系统。文中详细说明了该访问控制系统设计过程及思路,并对各个组成模块进行介绍。设计中采用了身份认证、权限控制等技术,实现了对网络管理系统基于应用层的保护。     

Identity Governance Framework for Privileged Users

Information technology companies have grown in size and recognized the need to protect their valuable assets. As a result, each IT application has its authentication mechanism, and an employee needs a username and password. As the number of applications increased, as a result, it became increasingly complex to manage all identities like the number of usernames and passwords of an employee. All identities had to be retrieved by users. Both the identities and the access rights associated with those identities had to be protected by an administrator. Management couldn’t even capture such access rights because they couldn’t verify things like privacy and security. Identity management can help solve this problem. The concept behind identity management is to centralize identity management and manage access identity centrally rather than multiple applications with their authentication and authorization mechanisms. In this research work, we develop governance and an identity management framework for information and technology infrastructures with privileged access management, consisting of cybersecurity policies and strategies. The results show the efficiency of the framework compared to the existing information security components. The integrated identity and access management and privileged access management enable organizations to respond to incidents and facilitate compliance. It can automate use cases that manage privileged accounts in the real world.     

An overview of the Nexus distributed operating system design

Nexus is a distributed operating system designed to support experimental research in fault-tolerance techniques and object-oriented programming in distributed systems. The Nexus programming environment consists of objects, which are instances of abstract data types. Inheritance of types and multiple implementations for a type are supported by the system. Operations on objects are invoked, based on the remote-procedure-call paradigm and executed as atomic actions with provisions for application-controlled checkpointing and restart within actions. Nexus also supports parallel remote procedure calls. Interobject communication and location transparency in accessing objects is supported by the Nexus kernel     

The Requirements of Using Provenance in e-Science Experiments

In e-Science experiments, it is vital to record the experimental process for later use such as in interpreting results, verifying that the correct process took place or tracing where data came from. The process that led to some data is called the provenance of that data, and a provenance architecture is the software architecture for a system that will provide the necessary functionality to record, store and use process documentation to determine the provenance of data items. However, there has been little principled analysis of what is actually required of a provenance architecture, so it is impossible to determine the functionality they would ideally support. In this paper, we present use cases for a provenance architecture from current experiments in biology, chemistry, physics and computer science, and analyse the use cases to determine the technical requirements of a generic, technology and application-independent architecture. We propose an architecture that meets these requirements, analyse its features compared with other approaches and evaluate a preliminary implementation by attempting to realise two of the use cases.     

Ropes: An alternative to strings

Programming languages generally provide a ‘string’ or ‘text’ type to allow manipulation of sequences of characters. This type is usually of crucial importance, since it is normally mentioned in most interfaces between system components. We claim that the traditional implementations of strings, and often the supported functionality, are not well suited to such general-purpose use. They should be confined to applications with specific, and unusual, performance requirements. We present ‘ropes’ or ‘heavyweight’ strings as an alternative that, in our experience leads to systems that are more robust, both in functionality and in performance. Ropes have been in use in the Cedar environment almost since its inception, but this appears to be neither well-known, nor discussed in the literature. The algorithms have been gradually refined. We have also recently built a second similar, but somewhat lighter weight, C-language implementation, which is included in our publically released garbage collector distribution. We describe the algorithms used in both, and give some performance measurements for the C version.