An extended XACML model to ensure secure information access for web services

More and more software systems based on web services have been developed. Web service development techniques are thus becoming crucial. To ensure secure information access, access control should be taken into consideration when developing web services. This paper proposes an extended XACML model named EXACML to ensure secure information access for web services. It is based on the technique of information flow control. Primary features offered by the model are: (1) both the information of requesters and that of web services are protected, (2) the access control of web services is more precise than just “allow or reject” policy in existing models, and (3) the model will deny non-secure information access during the execution of a web service even when a requester is allowed to invoke the web service.     

如何构建安全的企业信息网络

随着企业的信息化程度的提高,越来越多的企业将它们的内部网络联入了互联网,这在给企业带来巨大的便利的同时,也带来了不容忽视的安全问题。本文对企业网络的安全防护所能采取的各种措施作了介绍,并分析了不同方式的优缺点,为构建安全的企业信息网络提供了有价值的参考意见。     

On the secure implementation of security protocols

We consider the problem of implementing a security protocol in such a manner that secrecy of sensitive data is not jeopardized. Implementation is assumed to take place in the context of an API that provides standard cryptography and communication services. Given a dependency specification, stating how API methods can produce and consume secret information, we propose an information flow property based on the idea of invariance under perturbation, relating observable changes in output to corresponding changes in input. Besides the information flow condition itself, the main contributions of the paper are results relating the admissibility property to a direct flow property in the special case of programs which branch on secrets only in cases permitted by the dependency rules. These results are used to derive an unwinding theorem, reducing a behavioural correctness check (strong bisimulation) to an invariant.     

计算机网络信息安全及其防护策略的研究

随着世界信息技术和国内市场经济的不断发展,计算机网络技术在人们的平时生活中得到了全面的普及和应用,但是21世纪新信息技术的发展步伐依然在不断加快,原来的计算机网络信息安全体系已经不能完全适应市场的需求,本文对我国当前存在的计算机网络信息安全的威胁因素作了简单的阐述,并且有针对性的作了相应的策略研究和分析,希望为我国计算机网络信息安全事业的发展提供一些借鉴性的参考.     

Design and implementation of a secure multi-agent marketplace

A multi-agent marketplace, MAGNET (Multi-AGent Negotiation Testbed), is a promising solution for conducting online combinatorial auctions. The trust model of MAGNET is somewhat different from other on-line auction systems since the marketplace, which mediates all communications between agents, acts as a partially trusted third party. We identify the security vulnerabilities of MAGNET and present a solution that overcomes these weaknesses. Our solution makes use of three different existing technologies with standard cryptographic techniques: a publish/subscribe system to provide simple and general messaging, time-release cryptography to provide guaranteed non-disclosure of the bids, and anonymous communication to hide the identity of the bidders until the end of the auction. Using these technologies, we successfully minimize the trust on the market as well as increase the security of the whole system. The protocol that we have developed can be adapted for use by other agent-based auction systems, that use a third party to mediate transactions.     

Mining knowledge demands from information flow

Among a collaborative team, members usually come from diverse disciplines, and their demands for knowledge are also different from each other. Information flow is a type of collaborative process, which exists behind every collaborative team. This paper is concerned with how to obtain team members’ knowledge demands from the information flow. Firstly, the knowledge demands model is defined. Based on the model of knowledge demands and information filtering technologies, some approaches for mining demands from information flow are proposed. This study on the knowledge demand mining can pave the way for developing knowledge recommender systems, which can recommend proper knowledge to proper team members with a collaborative team.     

医院信息网络建设中的安全技术体系

医院网络信息建设是实现医疗系统化的方式,在网络建设中,存在一些安全风险,这就需要建立完整的安全技术体系,保证信息的安全性.本文通过介绍某医院的信息网络建设进行分析,总结保证信息安全的方式,供读者参考.     

Efficient secure data publishing algorithms for supporting information sharing

Many data sharing applications require that publishing data should protect sensitive information pertaining to individuals, such as diseases of patients, the credit rating of a customer, and the salary of an employee. Meanwhile, certain information is required to be published. In this paper, we consider data-publishing applications where the publisher specifies both sensitive information and shared information. An adversary can infer the real value of a sensitive entry with a high confidence by using publishing data. The goal is to protect sensitive information in the presence of data inference using derived association rules on publishing data. We formulate the inference attack framework, and develop complexity results. We show that computing a safe partial table is an NP-hard problem. We classify the general problem into subcases based on the requirements of publishing information, and propose algorithms for finding a safe partial table to publish. We have conducted an empirical study to evaluate these algorithms on real data. The test results show that the proposed algorithms can produce approximate maximal published data and improve the performance of existing algorithms. Supported by the Program for New Century Excellent Talents in Universities (Grant No. NCET-06-0290), the National Natural Science Foundation of China (Grant Nos. 60828004, 60503036), and the Fok Ying Tong Education Foundation Award (Grant No. 104027)     

Modeling information architecture for the organization

The issue of information architecture (IA) for organizations has recently received considerable attention in IS development. However, as yet little research has been reported on modeling IA using a systematic approach. This paper describes an object-oriented method for modeling it. The proposed method extends the traditional concept of IS analysis into the context of contemporary information technology (IT), and is useful for planning IT-enabled business process reengineering for the organization.     

Extraction of user profile based on workflow and information flow

A collaborative team usually consists of team members with various domains. These members’ demands for knowledge are also different from each other. For recommending potentially useful knowledge to suitable members, their user profiles should be well managed and maintained. User profile can be input by the members, but a more intelligent way should be the automatic extraction of the user profiles. Workflow and information flow are two types of collaborative processes, which exist behind every collaborative team. This paper is mainly concerned with how to extract these team members’ user profile from the two types of contexts: workflow and information flow. This paper defines a model for the user profile. Then some methods are proposed for extracting the profile information on the basis of workflow and information flow. This study on the user profile extraction can pave the way for developing knowledge recommender systems, which can recommend proper knowledge to proper team members with a collaborative team.     

Assessing realized information systems strategy

This research developed and validated a tool to measure realized information systems strategy or existing uses of information technology in organizations. It was recognized that intended uses of technology often differ from actual uses. The objective of the study was to determine a valid and reliable way of quantifying how information technology is actually used by organizations to provide support for business operations.     

Extracting trust information from security system of a service

The issue of trust is a research problem in emerging open environments, such as ubiquitous networks. Such environments are highly dynamic and they contain diverse number of services and autonomous entities. Entities in open environments have different security needs from services. Trust computations related to the security systems of services necessitate information that meets needs of each entity. Obtaining such information is a challenging issue for entities. In this paper, we propose a model for extracting trust information from the security system of a service based on the needs of an entity. We formally represent security policies and security systems to extract trust information according to needs of an entity. The formal representation ensures an entity to extract trust information about a security property of a service and trust information about whole security system of the service. The proposed model is applied to Dental Clinic Patient Service as a case study with two scenarios. The scenarios are analyzed experimentally with simulations. The experimental evaluation shows that the proposed model provides trust information related to the security system of a service based on the needs of an entity and it is applicable in emerging open environments.     

The impact of information richness on information security awareness training effectiveness

In recent years, rapid progress in the use of the internet has resulted in huge losses in many organizations due to lax security. As a result, information security awareness is becoming an important issue to anyone using the Internet. To reduce losses, organizations have made information security awareness a top priority. The three main barriers to information security awareness are: (1) general security awareness, (2) employees’ computer skills, and (3) organizational budgets. Online learning appears a feasible alternative to providing information security awareness and countering these three barriers. Research has identified three levels of security awareness: perception, comprehension and projection. This paper reports on a laboratory experiment that investigates the impacts of hypermedia, multimedia and hypertext to increase information security awareness among the three awareness levels in an online training environment. The results indicate that: (1) learners who have the better understanding at the perception and comprehension levels can improve understanding at the projection level; (2) learners with text material perform better at the perception level; and (3) learners with multimedia material perform better at the comprehension level and projection level. The results could be used by educators and training designers to create meaningful information security awareness materials.     

计算机网络信息安全技术探讨

主要探讨计算机网络信息安全技术,对网络信息安全目标进行了阐述,分析总结了影响计算机网络信息安全的不良因素,重点讨论了信息加密技术和防火墙技术。     

Cryptographic techniques of strategic data splitting and secure information management

This publication presents techniques for classifying strategic information, namely financial figures which make it possible to determine the standing of an enterprise or an organisation. These techniques of classifying (hiding) strategic information will be presented based on their application to problems of securely storing data of special significance, i.e. cryptographic information sharing protocols. What will be innovative will be the use of cryptographic information sharing protocols in cognitive systems for data analysis. This class of systems will be discussed based on systems for the semantic analysis of ratio data used to analyse liquidity indicators.     

基于信息流的多级安全策略模型研究

内部威胁是企业组织面临的非常严重的安全问题,作为企业最贵重的信息资产——文档,是内部滥用的主要目标。以往的粗粒度安全策略,如最小权限原则、职责分离等,都不足以胜任文档安全化的内部威胁问题。提出了一个崭新的多级安全策略模型,引入了文档信息流和信息流图概念,并提出了相关算法。它能依据系统上下文环境的变化,动态地产生信息流的约束条件,屏蔽可能产生的隐藏信息流通道。     

一个移动Agent安全旅行协议

本文提出了一种保护移动Agent不受Agent平台攻击的旅行协议。该协议基于Agent旅行的历史记录,在一定的条件下允许Agent所有者检测对Agent代码、状态和执行流的非法篡改。这个协议具有很高的安全性能,能够检测旅行途中的Agent平台对Agent数据的篡改,能够防止重播攻击。