支持虚拟组织的语义基础设施的动态构建方法研究

提出一种从虚拟组织自治域的资源描述中抽取语义，然后聚合为虚拟组织的语义基础设施的方法．该方法引入了一种领域知识学习算法，用以建立当前语境相关的词法空间，以提高语义抽取和聚合的准确性及自动化程度，并且在语义聚合的过程中隐含了虚拟组织语义到自治域语义的映射，更好的支持了虚拟组织应用的构建和跨自治域资源的透明访问．实验表明，该方法能够适应虚拟组织的动态开放环境、有效支持虚拟组织的语义基础设施构建．     

面向虚拟企业的分布式项目管理系统研究

分析虚拟企业项目的特点;针对参与虚拟项目的企业既合作又独立的特点,提出项目自治域的概念,并给出基于自治域的虚拟企业项目管理系统的模型;针对虚拟项目的计划、资源集成、资源建模等关键技术进行深入讨论,提出了受约束的动态关键路径算法和基于多Agent系统的资源集成模型;最后给出实现虚拟项目管理系统的体系结构。     

基于信任度的网格虚拟组织访问控制模型

针对现有网格虚拟组织访问控制模型欠缺描述上下文约束的能力、资源端管理负担沉重以及未能刻画成员间的真实信任关系等不足,给出一种基于信任度的网格虚拟组织访问控制模型TwBAC(Trustworthiness-based Access Control model),该模型能够刻画带有上下文的访问控制策略;对资源实体进行抽象,减轻管理负担;应用信任度刻画虚拟组织成员之间的信任关系,并有效控制委托深度.此外,采用分布式管理模型AdTwBAC实现"虚拟组织成员域管理自治",并结合具体应用实例进行了说明.     

服务网格中基于属性自动合并的访问控制模型

基于属性的访问控制模型具有授权灵活、控制粒度细的特点,针对服务网格的特点,提出基于属性自动合并的访问控制模型.沿服务有向图的服务组合路径,自动进行属性集合的合并计算,从而实现访问控制约束属性在网格虚拟组织内自动生成.授权不需要人工干预和具有用户的先验知识,可使用户在执行需要跨越多个自治域组合服务所需的约束属性集合一次性指派给用户,用户访问时一次性完成多个自治域的访问授权.具有极大的灵活性、动态性和可扩展性.     

网格安全模型中认证策略的研究

对网格安全模型中常用的认证策略Kerberos认证和X．509认证的原理进行了详细分析。针对网格环境下用户和资源数量巨大所带来的管理困难、系统单点失效以及可扩展性差等问题,提出了一种基于自治系统的多级网格安全管理模型（MGSM—AS）,最后给出了该模型中认证策略的实现方案,包括证书的申请及审核和代理证书机制。通过对网格用户进行区域划分,使得这些用户不需要与虚拟组织管理者直接进行交互,而是接收自治系统的组织和管理,这样简化了认证过程。     

面向多自治域网格的信息服务模型及其实现

网格是实现分布异构资源共享的有效模式,而信息服务实现系统服务与资源的有效管理,是网格系统的重要组成部分.ChinaGrid是由多个自治域组成的大规模网格,现有的信息服务不能满足此类系统特性与应用需求.文中提出网格信息服务体系GISA2.0,强化了域自治管理和资源信息的安全性.GISA2.0实现了可扩展的网格信息模型和面向服务、支持多种监控信息聚集的层次化信息管理框架.提出了基于分布XPath引擎的多域资源信息检索机制,实现了安全、快速和用户相关的虚拟全局资源视图.     

一种基于RBAC的多个域之间安全访问控制

在分析基于角色的访问控制模型的自治安全域基础上，提出了一个基于RBAC的多个域之间安全访问控制模型。安全模型定义了3种角色转换策略，进行多个域之间角色的动态转换。通过动态的角色转换，来达到多个域之间的安全访问控制。     

基于知识描述和遗传算法的跨域虚拟网络映射

网络虚拟化环境下的跨域虚拟网络映射是指当物理网络由多个自治域构成时,以最小化虚拟网络映射开销为目标,将虚拟网络请求恰当地划分为多个虚拟子网请求,并分别指派给相应自治域以完成映射。资源匹配和虚拟网络划分是跨域虚拟网络映射中的两个关键阶段。然而,现有的资源匹配算法无法支持精确的数值属性匹配,也无法满足虚拟网络用户对表达多样化映射约束的需求,故实用性不高。此外,虚拟网络划分属于NP问题,目前也缺乏高效的求解方法。针对上述两个阶段中存在的问题,分别提出了基于OWL及SWRL的资源匹配算法和基于遗传算法的虚拟网络划分算法。理论分析证明了该方法的正确性。仿真实验从效率、性能及稳定性方面验证了该方法的有效性。     

基于硬件虚拟接口结构的系统域网络设计

提出了一种硬件虚拟接口结构（HVIA），从硬件逻辑设计的角度介绍了一个基于HVIA结构系统域网络（HVIA—Net）的实现关键技术，给出了33MHz、64位PCI环境下实际测试的通信性能，并与同类流行的高性能网络进行了性能比较．最后简要介绍了基于PCI—E总线的系统域网络HVIA-Net-E的实现方案．     

基于虚拟组织模型与Web服务的MAS平台

虚拟组织是电子商务研究中所提出的智能体协同模型，Web服务则提供了实现互联网上异构智能体间互操作与协同的技术基础｡该文提出了一个基于虚拟组织模型与Web服务技术的MAS平台系统，介绍了系统的体系结构及主要模块的实现｡该平台实现了基于UDDI的Agent注册管理和基于SOAP的消息传递机制，提供了系统管理和监控等功能。     

A secure collaboration service for dynamic virtual organizations

Nowadays, various promising paradigms of distributed computing over the Internet, such as Grids, P2P and Clouds, have emerged for resource sharing and collaboration. To enable resources sharing and collaboration across different domains in an open computing environment, virtual organizations (VOs) often need to be established dynamically. However, the dynamic and autonomous characteristics of participating domains pose great challenges to the security of virtual organizations. In this paper, we propose a secure collaboration service, called PEACE-VO, for dynamic virtual organizations management. The federation approach based on role mapping has extensively been used to build virtual organizations over multiple domains. However, there is a serious issue of potential policy conflicts with this approach, which brings a security threat to the participating domains. To address this issue, we first depict concepts of implicit conflicts and explicit conflicts that may exist in virtual organization collaboration policies. Then, we propose a fully distributed algorithm to detect potential policy conflicts. With this algorithm participating domains do not have to disclose their full local privacy policies, and is able to withhold malicious internal attacks. Finally, we present the system architecture of PEACE-VO and design two protocols for VO management and authorization. PEACE-VO services and protocols have successfully been implemented in the CROWN test bed. Comprehensive experimental study demonstrates that our approach is scalable and efficient.     

多自治域协同环境中群组通信的安全访问控制

支持多自治域协作的安全通信环境是大规模分布式应用的基础，群通信由于高效、可伸缩等特点，成为这种协作环境的一种基本通信方式．然而，由于没有集中的控制中心，实体分别隶属于异构的自治域且动态变化，引发了大量新的安全访问控制问题．针对多域协作的异构性和动态性特点，提出一套基于角色的分布式信任管理的解决方案，重点解决了动态联合授权以及基于属性的委托授权．在此基础上建立了一套较完整的安全通信体系，包括安全策略的协商、信任证的颁发、信任证与安全策略的一致性验证以及用户访问权限论证等．它为多域协作环境的群通信提供了更加灵活、可靠、安全的访问控制模式．     

Striking a balance between trust and control in a virtual organization: a content analysis of open source software case studies

Abstract. Many organization theorists have predicted the emergence of the networked or virtual firm as a model for the design of future organizations. Researchers have also emphasized the importance of trust as a necessary condition for ensuring the success of virtual organizations. This paper examines the open source software (OSS) 'movement' as an example of a virtual organization and proposes a model that runs contrary to the belief that trust is critical for virtual organizations. Instead, I argue that various control mechanisms can ensure the effective performance of autonomous agents who participate in virtual organizations. Borrowing from the theory of the 'McDonaldization' of society, I argue that, given a set of practices to ensure the control, efficiency, predictability and calculability of processes and outcomes in virtual organizations, effective performance may occur in the absence of trust. As support for my argument, I employ content analysis to examine a set of published case studies of OSS projects. My results show that, although that trust is rarely mentioned, ensuring control is an important criterion for effective performance within OSS projects. The case studies feature few references to other dimensions of McDonaldization (efficiency, predictability and calculability), however, and I conclude that the OSS movement relies on many other forms of social control and self-control, which are often unacknowledged in OSS projects. Through these implicit forms of control, OSS projects are able to secure the cooperation of the autonomous agents that participate in project teams. I conclude by extrapolating from these case studies to other virtual organizations.     

Web服务访问控制策略研究

Web服务环境中,交互实体通常位于不同安全域,具有不可预见性。Web服务应该基于其他与领域无关的信息而非身份来实施访问控制,以实现对跨域未知用户的访问授权。为此,提出了适应于Web服务的基于上下文的访问控制策略模型。模型的核心思想是将各种与访问控制有关的信息统一抽象表示为一个上下文概念,以上下文为中心来制定和执行访问控制策略,上下文担当了类似基于角色的访问控制(RBAC)中角色的概念。基于描述逻辑语言(DL),定义了基于上下文的访问控制策略公理,建立了访问控制策略知识库,提出了访问控制策略的逻辑推理方法。最后基于Racer推理系统,通过实验验证了方法的可行性和有效性。     

基于NS2的计算机网络远程虚拟实验室的设计与实现

文章提出了基于NS2模拟器的计算机网络虚拟实验室系统的设计模型和实现方法。该实验室以JavaApplet实现客户端,使用NS2多协议模拟器作为服务器的后台计算平台,Nam作为客户端的可视化工具,通过JavaRMI远程调用机制实现了客户端的远程调用。该系统客户端以JavaApplet实现,具有Java语言的平台独立性和安全性,以JavaBean实现虚拟实验设备(如节点,链路等);以组件的形式开发实验库,易于扩充实验库,提高了开发效率,实现了软件重用。服务器端以NS2作为后台计算平台,提供了强大的模拟仿真能力。该系统基于Web环境在用户和NS2网络模拟器之间提供了实验室平台,既使用户省去难以学习NS2的困难,又可以让用户利用NS2模拟器强大的系统仿真能力进行网络模拟试验,让用户可以更加深入理解网络中的复杂行为。     

Reputation-based Trust Model in Grid Security System

The security problem is a hot topic in grid research due to the dynamics and uncertainty of grid system. There are three entities defined as users, applications and resources in grid environment. In such situation, users are vulnerable to risk because of potential incomplete or distorted information provided by malicious resources, and as grid system grows tremendously in size, the possibility of users to attack the network by providing aggressive or vicious applications will increase greatly. Trust management is an effective method to maintain the credibility of the system and keep honesty of entities. This paper presents a trust model, which is used to compute and compare the trustworthiness of entities in the same autonomous and different domains. This model provides different methods to deal with the problems of users and related resources belonging to the same or different domains. Furthermore, a simulation experiment is provided to evaluate the trust model, and the simulation result shows it is effective to resolve the security problems in grid environment.     

A formal role-based access control model for security policies in multi-domain mobile networks

Mobile users present challenges for security in multi-domain mobile networks. The actions of mobile users moving across security domains need to be specified and checked against domain and inter-domain policies. We propose a new formal security policy model for multi-domain mobile networks, called FPM-RBAC, Formal Policy Model for Mobility with Role Based Access Control. FPM-RBAC supports the specification of mobility and location constraints, role hierarchy mapping, inter-domain services, inter-domain access rights and separation of duty. Associated with FPM-RBAC, we also present a formal security policy constraint specification language for domain and inter-domain security policies. Formal policy constraint specifications are based on ambient logic and predicate logic. We also use ambient calculus to specify the current state of a mobile network and actions within security policies for evaluation of access requests according to security policies. A novel aspect of the proposed policy model is the support for formal and automated analysis of security policies related to mobility within multiple security domains.