Similar literature
1.
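A Trust-Level-Based Secure Interoperation Model   Total citations: 1, self-citations: 0, citations by others: 1
Traditional access control can no longer meet the security requirements of resource sharing and cross-domain access in multi-domain environments, and building a secure interoperation model is an effective way to achieve secure interoperation. Because existing inter-domain secure interoperation models do not take the user's platform into account, an inter-domain secure interoperation model based on trust levels (TLRBAC) is proposed. The model introduces a user trust level, a platform trust level and a domain trust level, and defines a method for inter-domain secure interoperation. Analysis shows that the model both guarantees trusted access by users and effectively controls the security risks arising from the platform environment.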

2.
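CAI Ting, CAI Yu, OUYANG Kai. Journal of Computer Applications (《计算机应用》), 2016, 36(7): 1834-1840
To effectively manage the enforcement of security policies in cross-domain interoperation between cloud systems, a multi-domain security policy verification and management technique suited to cloud computing environments is proposed. First, the access control rules and security properties of a secure interoperation environment are studied; intra-domain and inter-domain management are distinguished through role hierarchy relations, and a multi-domain role-based access control (domRBAC) model and a security property specification based on computation tree logic (CTL) are formally defined. Second, a directed-graph-based role association mapping algorithm is given to implement domRBAC role hierarchy reasoning, from which a cloud security policy verification algorithm is constructed. Performance experiments show that the time overhead of property verification in a multi-domain interoperation system increases as the system grows. Using multi-process parallel checking, the technique reduces property verification time by 70.1%~88.5%; the time curve of its model-optimized checking mode fluctuates less than that of the normal mode, and its time overhead in large-scale systems is clearly lower than that of the normal mode. The technique offers stable and highly efficient property verification performance for secure interoperation in large cloud systems.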

3.
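An extended role-based access control model, ERBAC, is proposed to address the shortcomings of RBAC in multi-domain cloud systems with respect to resource usage constraints, policy management and interoperation security. First, by introducing a container element and two kinds of role cardinality constraints, a resource usage policy based on container elements plus dynamic role cardinality constraints is constructed. Second, multi-domain role inheritance management is studied in depth; inter-domain policy management functions that detect conflicts before establishing role relations are proposed, and detection algorithms for the various kinds of security policy conflict are given. Analysis shows that the ERBAC model realizes resource usage constraints, supports efficient security policy management and improves the security of cross-domain interoperation, and performance tests show that the model is adaptable and feasible in multi-domain cloud systems.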

4.
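Research on a Manageable Usage Control Model for Multi-Domain Secure Interoperation   Total citations: 4, self-citations: 0, citations by others: 4
The heterogeneous, dynamic and regionally autonomous nature of multi-domain environments poses new challenges for research on access control for secure interoperation. Much recent work on access control for multi-domain secure interoperation assumes role-based access control within each single domain and implements access control by mapping foreign-domain roles to local roles, and lacks a systematic, unified approach to managing foreign-domain and local roles. This paper proposes a manageable usage control model that manages user-role assignment for foreign-domain and local users in a unified way, closing the security holes of the original models. The model is flexible enough to distinguish foreign-domain users from local users and to apply stricter control to foreign-domain users, while retaining the advantages of the traditional RBAC model. The access control model is currently being implemented in practice.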

5.
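Risk assessment in multi-autonomous-domain interoperation is an important part of information security in heterogeneous environments. Based on an analysis of risk characteristics, this paper gives a correlation algorithm for risk events in multi-autonomous-domain interoperation based on fuzzy evaluation. It also introduces a certainty-factor learning method to ensure accuracy, effectively detect and identify repeated risk events, and extract risk event categories. Finally, the concept of an interoperation service risk index is introduced to assess in real time the security posture and risk status of multi-autonomous-domain interoperation services.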

6.
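Research Progress on Secure Interoperation in Multi-Domain Environments   Total citations: 2, self-citations: 1, citations by others: 1
Multi-domain secure interoperation is the process of achieving secure resource sharing and information exchange among multiple distributed, heterogeneous, autonomous domains by means of authentication, access control and audit mechanisms. This paper systematically introduces the theoretical foundations and current applications of this new research field. From the perspective of solving access control security and inter-domain policy conflicts, it analyzes and comments on a number of research results and key techniques in directions such as inter-domain role translation, trust management-based, PKI-based and time constraint-based approaches, with a focus on the modeling and implementation of policy integration algorithms among autonomous domains in multi-domain environments. Finally, in view of the problems in current research, it gives an outlook on future directions and trends in the field.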

7.
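Based on an analysis of RBAC role mapping between multiple security domains and of the PBNM model, a configuration model for secure access policies between users of multiple domains is proposed. The model uses inter-domain role mapping information to configure inter-domain access control policies, and within a domain uses a PBNM-based mechanism to configure intra-domain user security policies, ultimately solving the security problem of resource access control across multiple domains.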

8.
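Secure Access Control for Group Communication in Multi-Autonomous-Domain Collaborative Environments   Total citations: 4, self-citations: 0, citations by others: 4
A secure communication environment that supports collaboration among multiple autonomous domains is the foundation of large-scale distributed applications, and group communication, being efficient and scalable, has become a basic mode of communication in such collaborative environments. However, because there is no centralized control center and entities belong to heterogeneous autonomous domains and change dynamically, many new secure access control problems arise. Addressing the heterogeneity and dynamics of multi-domain collaboration, a role-based distributed trust management solution is proposed, focusing on dynamic joint authorization and attribute-based delegation of authorization. On this basis a fairly complete secure communication architecture is established, including negotiation of security policies, issuance of credentials, verification of consistency between credentials and security policies, and proof of user access rights. It provides a more flexible, reliable and secure access control mode for group communication in multi-domain collaborative environments.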

9.
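An Attack-Resistant Temporal Trust Model Based on the Ant Colony Algorithm in Multi-Domain Environments   Total citations: 1, self-citations: 1, citations by others: 0
Given that inter-domain trust relationships in multi-autonomous-domain environments are dynamic and uncertain, a time-based dynamic trust relationship model is proposed. Each autonomous domain maintains a trust vector describing the degree of trust between that domain and the other domains. In this model, the trust relationship between two domains depends on time and on the record of interoperation between the domains. Based on the ant colony algorithm, a basic method is given for computing inter-domain trust relationships in real time according to the current environment of the autonomous domains; when a local trust value changes, the global trust relationships can be adjusted promptly by the ant colony algorithm. Finally, simulation experiments verify the process by which inter-domain trust relationships are established and change.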

10.
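Network resources need to be shared and interoperated under the control of security policies. To address the security of resource interoperation between multiple heterogeneous security domains, a secure interoperation model for cross-domain network resources based on RBAC security policies is proposed. First, the concept of an inter-domain role is introduced and the requirements for cross-domain shared access to resources are defined. Second, on the basis of cross-domain operation rules, a model and an access algorithm for secure resource interoperation between heterogeneous domains are proposed. Finally, the model and algorithm are applied and analyzed in an example scenario. The results show that the method is well targeted and its permission control is effective, providing a feasible way to secure multi-domain resource sharing and interoperation.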

11.
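Design of a Floor Control Policy for Virtual Classrooms   Total citations: 4, self-citations: 0, citations by others: 4
Floor control allows users of multiple multimedia applications on a network to use and share remote devices, distributed data sets and continuous media such as video and audio without access conflicts. A floor is a temporary access right dynamically granted to users in a collaborative working environment, intended to mitigate race conditions and guarantee mutually exclusive use of shared resources. This paper first describes the floor control policy in a virtual classroom for distance education, and then gives an API for floor control.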

12.
Designing efficient and fair solutions for dividing the network resources in a distributed manner among self-interested multimedia users is recently becoming an important research topic because heterogeneous and high bandwidth multimedia applications (users), having different quality-of-service requirements, are sharing the same network. Suitable resource negotiation solutions need to explicitly consider the amount of information exchanged among the users and the computational complexity incurred by the users. In this paper, we propose decentralized solutions for resource negotiation, where multiple autonomous users self-organize into a coalition which shares the same network resources and negotiate the division of these resources by exchanging information about their requirements. We then discuss various resource sharing strategies that the users can deploy based on their exchanged information. Several of these strategies are designed to explicitly consider the utility (i.e., video quality) impact of multimedia applications. In order to quantify the utility benefit derived by exchanging different information, we define a new metric, which we refer to as the value of information. We quantify through simulations the improvements that can be achieved when various information is exchanged between users, and discuss the required complexity at the user side involved in implementing the various resource negotiation strategies.

13.
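A computing resource sharing platform based on a structured peer-to-peer network, DHT-CRSP, is designed and built. It efficiently maps scientific computing jobs submitted by Internet users onto suitable worker nodes in the platform, and its fault-tolerance and security mechanisms ensure the reliability and correctness of the system. The two kinds of distributed hash table supported in DHT-CRSP are described: the Chord protocol node tree and the CAN protocol space zones; the efficient resource matching algorithm in DHT-CRSP is analyzed. Results from an evaluation environment run under various load and job scenarios show that the DHT-CRSP system achieves good load balancing and low resource matching cost, offering a new approach to building high-performance desktop grid platforms.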

14.
Internet computing is emerging as an important new distributed computing paradigm in which resource intensive computing is integrated over Internet-scale networks. Over these large networks, different users and organizations share their computing resources, and computations take place in a distributed fashion. In such an environment, a framework is needed in which the resource providers are given incentives to share their resources. CompuP2P is a lightweight architecture for enabling Internet computing. It uses peer-to-peer networks for sharing of computing resources. CompuP2P creates dynamic markets of network accessible computing resources, such as processing power, memory storage, disk space, etc., in a completely distributed, scalable, and fault-tolerant manner. This paper discusses the system architecture, functionality, and applications of the proposed CompuP2P architecture. We have implemented a Java-based prototype, and our results show that the system is light-weight and can provide almost a perfect speedup for applications that contain several independent compute-intensive tasks.

15.
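The distributed nature of network applications places distributed requirements on the identity authentication models they involve, and the SDSI specification provides support for such requirements. Based on an analysis of the SDSI specification, this paper introduces a role-based trust propagation model, which lets resource users access resources conveniently and anonymously and also reduces the burden on resource controllers of managing a huge and dynamically changing user population.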

16.
Grid computing enables users to perform computationally expensive applications on distributed resources acquired dynamically. Users are allowed to combine structured data and analysis components from distributed sites into new applications. Distributed query processing offers an established way of structuring such computations, and well-known tools like OGSA-DAI and OGSA-DQP provide respectively a common interface to heterogeneous databases, and a way of exploiting distributed resources. Such significant benefits are however often undermined by high communication costs due to the need to move data between distributed resources. This paper describes an approach that addresses this by dynamically deploying query processing engines, analysis services and databases within virtual machines, on an internet-scale, so as to reduce communication costs. Results of internet-scale experiments are presented to demonstrate the performance benefits. Further, the use of dynamic deployment features based on requirements allows the creation of an ad-hoc runtime engine and thus opens up the possibility of creating a virtual marketplace for software and hardware resources.

17.
In recent years, a variety of computational sites and resources have emerged, and users often have access to multiple resources that are distributed. These sites are heterogeneous in nature and performance of different tasks in a workflow varies from one site to another. Additionally, users typically have a limited resource allocation at each site capped by administrative policies. In such cases, judicious scheduling strategy is required in order to map tasks in the workflow to resources so that the workload is balanced among sites and the overhead is minimized in data transfer. Most existing systems either run the entire workflow in a single site or use naïve approaches to distribute the tasks across sites or leave it to the user to optimize the allocation of tasks to distributed resources. This results in a significant loss in productivity. We propose a multi-site workflow scheduling technique that uses performance models to predict the execution time on resources and dynamic probes to identify the achievable network throughput between sites. We evaluate our approach using real world applications using the Swift parallel and distributed execution framework. We use two distinct computational environments: geographically distributed multiple clusters and multiple clouds. We show that our approach improves the resource utilization and reduces execution time when compared to the default schedule.

18.
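As a new computing paradigm, cloud computing delivers data center resources, including infrastructure resources such as compute and storage, to users as services through virtualization, so that users can access computing resources in the cloud on demand over the Internet to run applications. To provide better service to users, a distributed cloud federates multiple cloud sites across regions to create a huge resource pool, while using the advantage of geographic distribution to improve quality of service. In recent years research on distributed clouds has become a hot topic in academia and industry. Focusing on the basic research problems in distributed cloud systems, this paper introduces the state of research in China and abroad, including architecture design, resource scheduling and performance optimization strategies, and cloud security schemes for distributed cloud systems, and looks ahead to the development trends of distributed clouds.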

19.
Floor control for multimedia conferencing and collaboration   Total citations: 12, self-citations: 0, citations by others: 12
Floor control allows users of networked multimedia applications to utilize and share resources such as remote devices, distributed data sets, telepointers, or continuous media such as video and audio without access conflicts. Floors are temporary permissions granted dynamically to collaborating users in order to mitigate race conditions and guarantee mutually exclusive resource usage. A general framework for floor control is presented. Collaborative environments are characterized and the requirements for realization of floor control will be identified. The differences to session control, as well as concurrency control and access control are elicited. Based upon a brief taxonomy of collaboration-relevant parameters, system design issues for floor control are discussed. Floor control mechanisms are discerned from service policies and principal architectures of collaborative systems are compared. The structure of control packets and an application programmer's interface are proposed and further implementation aspects are elaborated. User-related aspects such as floor presentation, assignment, and the timely stages of floor-controlled interaction in relation to user-interface design are also presented.

20.