Similar literature
 20 similar documents found (search time: 15 ms)
1.
The explosive growth of the Internet has come with increasing diversity and heterogeneity in terms of access device, device capability, network access method, bandwidth, and user preferences. Most Internet services and World Wide Web content have been designed with desktop computers in mind, and often contain rich media, such as images, audio, and video. In many cases this content is not suitable for the new (often mobile) client devices because of their limitations in terms of screen size, memory, media support, connection speed, etc. These shortcomings have prompted the need to adapt the services and content of the Internet. This is broadly known as content negotiation and requires consideration of the client device's capabilities and characteristics (both hardware and software), the connection type and speed/bandwidth, and the user's preferences.

2.
In recent years, mobile devices with multihoming capabilities, i.e., equipped with multiple network interfaces, have gained large scale popularity. This multihoming capability enables the mobile devices to connect with multiple diverse access networks simultaneously. However, the networking protocol stack implemented in current devices is not capable of exploiting the availability of multiple network interfaces. Multihoming can be used to provide two important services: vertical handovers and bandwidth aggregation. Vertical handover enables a multihomed device to switch its connectivity from one access network to another access network without disrupting the communication session. Bandwidth aggregation enables a multihomed device to achieve higher throughput by establishing simultaneous connections over multiple available network interfaces. A number of solutions have been proposed to exploit multihoming for vertical handovers and bandwidth aggregation. However, most of these solutions either require the support of additional network entities such as host agent, foreign agent, mobility gateway, proxy, etc. or they require changes in the current widely deployed protocol stack in operating system kernels. Dependence on either network operator, administrator or operating system vendors hinders the large scale deployment of these solutions. This paper presents an end-to-end architecture that offers the vertical handover and bandwidth aggregation services to TCP applications. This architecture neither requires any additional network entity nor does it require changes in the current networking protocol stack in operating system kernels. The paper presents the design, implementation and performance analysis of the proposed architecture.

3.
Nowadays, public wireless local area networks (WLANs), commonly called hotspots, are being largely deployed by WISPs (Wireless Internet Service Providers) as a means of offering ubiquitous Internet access to their customers. Although a substantial number of solutions have been proposed to improve security, mobility and quality of service on the wireless area, access network management, which is mandatory, remains a very significant concern. This paper describes RSM‐WISP, a new management architecture designed for WISPs to facilitate the implementation and management of the services they offer at the access side of the WLAN, and to manage roaming contracts between WISPs. Our architecture is based upon the policy‐based management principles as introduced by the IETF, combined with more intelligence at the network edge. RSM‐WISP adopts an architecture that is composed of two elements: a WISP management center (MC) that deploys policies and monitors all the WLANs, and a programmable access router (CPE) located in each WLAN. The CPE ensures service enforcement, service differentiation (access to different service levels) and guarantee, user access management, and dynamic WLAN adaptation according to the user's SLA (service level agreement). It also permits automatic service updates according to the user's requirements. Concerning roaming management, this is achieved on the CPE through multiple service provider support capabilities. This approach provides WISPs with a simple, flexible and scalable solution that allows easy service deployment and management at the access. This management architecture has been implemented, tested and validated on the 6WINDGate routers. Copyright © 2005 John Wiley & Sons, Ltd.

4.
Chen  Yih-Farn  Huang  Huale  Jana  Rittwik  Jim  Trevor  Hiltunen  Matti  John  Sam  Jora  Serban  Muthumanickam  Radhakrishnan  Wei  Bin 《Wireless Networks》2003,9(4):283-297
iMobile is an enterprise mobile service platform that allows resource-limited mobile devices to communicate with each other and to securely access corporate contents and services. The original iMobile architecture consists of devlets that provide protocol interfaces to different mobile devices and infolets that access and transcode information based on device profiles. iMobile Enterprise Edition (iMobile EE) is a redesign of the original iMobile architecture to address the security, scalability, and availability requirements of a large enterprise such as AT&T. iMobile EE incorporates gateways that interact with corporate authentication services, replicated iMobile servers with backend connections to corporate services, a reliable message queue that connects iMobile gateways and servers, and a comprehensive service profile database that governs operations of the mobile service platform. The iMobile EE architecture was also extended to provide personalized multimedia services, allowing mobile users to remotely control, record, and request video contents. iMobile EE aims to provide a scalable, secure, and modular software platform that makes enterprise services easily accessible to a growing list of mobile devices roaming among various wireless networks.

5.
Smartphones are increasingly being used to store personal information as well as to access sensitive data from the Internet and the cloud. Establishment of the identity of a user requesting information from smartphones is a prerequisite for secure systems in such scenarios. In the past, keystroke-based user identification has been successfully deployed on production-level mobile devices to mitigate the risks associated with naïve username/password based authentication. However, these approaches have two major limitations: they are not applicable to services where authentication occurs outside the domain of the mobile device—such as web-based services; and they often overly tax the limited computational capabilities of mobile devices. In this paper, we propose a protocol for keystroke dynamics analysis which allows web-based applications to make use of remote attestation and delegated keystroke analysis. The end result is an efficient keystroke-based user identification mechanism that strengthens traditional password protected services while mitigating the risks of user profiling by collaborating malicious web services. We present a prototype implementation of our protocol using the popular Android operating system for smartphones.

6.
An Architecture for Secure Wide-Area Service Discovery   Total citations: 4, self-citations: 0, citations by others: 4

7.
Cloud storage data access control based on the CP-ABE algorithm   Total citations: 5, self-citations: 0, citations by others: 5
孙国梓  董宇 《通信学报》2011,32(7):146-152
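To address the security problems arising from the network characteristics and data-sharing characteristics of cloud storage services, a ciphertext access control mechanism based on the CP-ABE algorithm is proposed. The mechanism is studied from two aspects: access permission control and access control architecture. The corresponding security algorithm data structures are given, and simulation and performance analysis are carried out. Under the premise that the service provider is untrusted, this security mechanism ensures the security of data in cloud storage systems in an open environment, and reduces the complexity of permission management through attribute management.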

8.
Hodes  Todd D.  Katz  Randy H. 《Wireless Networks》1999,5(5):411-427
This paper introduces a comprehensive architecture that supports adapting a client device's functionality to new services it discovers as it moves into a new environment. Users wish to invoke services – such as controlling the lights, printing locally, gaining access to application-specific proxies, or reconfiguring the location of DNS servers – from their mobile devices. But a priori standardization of interfaces and methods for service invocation is infeasible. Thus, the challenge is to develop a new service architecture that supports heterogeneity in client devices and controlled objects while making minimal assumptions about standard interfaces and control protocols. Four capabilities are needed for a comprehensive solution to this problem: (1) allowing device mobility, (2) augmenting controllable objects to make them network-accessible, (3) building an underlying discovery architecture, and (4) mapping between exported object interfaces and client device controls. We motivate the need for these capabilities by using an example scenario to derive the design requirements for our mobile services architecture. We then present a prototype implementation of elements of the architecture and some example services using it, including controls to audio/visual equipment, extensible mapping, server autoconfiguration, location tracking, and local printer access.

9.
Friday  Adrian  Wu  Maomao  Finney  Joe  Schmid  Stefan  Cheverst  Keith  Davies  Nigel 《Wireless Networks》2003,9(4):299-309
As part of the Lancaster GUIDE II project, we have developed a novel wireless access point protocol designed to support the development of next generation mobile context-aware applications in our local environs. Once deployed, this architecture will allow ordinary citizens secure, accountable and convenient access to a set of tailored applications including location, multimedia and context based services, and the public Internet. Our architecture utilises packet marking and network level packet filtering techniques within a modified Mobile IPv6 protocol stack to perform access control over a range of wireless network technologies. In this paper, we describe the rationale for, and components of, our architecture and contrast our approach with other state-of-the-art systems. The paper also contains details of our current implementation work, including preliminary performance measurements.

10.
Internet telephony enables a wealth of new service possibilities. Traditional telephony services such as call forwarding, transfer, and 800 number services, can be enhanced by interaction with e-mail, Web, and directory services. Additional media types, like video and interactive chat, can be added as well. One of the challenges in providing these services is how to effectively program them. Programming these services requires decisions regarding where the code executes, how it interfaces with the protocols that deliver the services, and what level of control the code has. In this article we consider this problem in detail. We develop requirements for programming Internet telephony services, and we show that at least two solutions are required: one geared for service creation by trusted users (such as administrators), and one geared for service creation by untrusted users (such as consumers). We review existing techniques for service programmability in the Internet and in the telephone network, and extract the best components of both. The result is a common gateway interface that allows trusted users to develop services, and the call processing language that allows untrusted users to develop services.

11.
Computational Network Federations (CNFs) enable an arbitrary set of heterogeneous hosts which are connected via any type of network to form dynamic virtual distributed systems that cooperate to execute an application, or serve as generalized application service platforms to end users. CNFs motivate a view of the Internet as a vast unified host: a repository of information, application services, and an omnipresent supercomputing resource regardless of the type of access device or access methodology. CNFs provide a powerful way of virtualizing generalized enterprise networks (or even the Internet), and an economic and resilient model for deploying enterprise applications (such as CRM) and peer-2-peer services (e.g., chatrooms). This paper describes a middleware architecture that enables network-based computing, communications, and services through a unified, access, and platform-independent approach. CNFs borrow from the capabilities of grid computing and aim toward intelligent computational service networks that are ubiquitous, secure, and adaptive to user and access-method idiosyncrasies. CNFs encompass a set of abstractions and interfaces that provide: 1) a unified service-oriented view of the network to the user; 2) a homogeneous host abstraction to applications; and 3) a shared-memory abstraction to software developers. This paper outlines the architecture of CNFs and describes in more detail i-DVM, a distributed multithreaded meta-OS that forms the core of a CNF and implements the virtual machine abstraction and location transparency.

12.
Nowadays, networked embedded systems (NESs) are required to be reconfigurable in order to be customizable to different operating environments and/or adaptable to changes in operating environment. However, reconfigurability acts against security as it introduces new sources of vulnerability. In this paper, we propose a security architecture that integrates, enriches and extends a component-based middleware layer with abstractions and mechanisms for secure reconfiguration and secure communication. The architecture provides a secure communication service that enforces application-specific fine-grained security policy. Furthermore, in order to support secure reconfiguration at the middleware level, the architecture provides a basic mechanism for authenticated downloading from a remote source. Finally, the architecture provides a rekeying service that performs key distribution and revocation. The architecture provides the services as a collection of middleware components that an application developer can instantiate according to the application requirements and constraints. The security architecture extends the middleware by exploiting the decoupling and encapsulation capabilities provided by components. It follows that the architecture is itself reconfigurable and can span heterogeneous devices. The security architecture has been implemented for different platforms including low-end, resource-poor ones such as Tmote Sky sensor devices.

13.
Today, ubiquitous multimedia services are becoming more and more popular. However, the secure solutions that confirm the content and service security in these services are still open issues because of various network convergences and device interconnections. This paper investigates a ubiquitous multimedia service architecture and proposes a secure solution for it. In this service architecture, the multimedia content is encoded with scalable video coding and broadcast via digital video broadcasting for handheld terminals (DVB-H) to mobile terminals, the access right is transmitted by global system for mobile (GSM/GPRS) channel, and the media content and access right can also be transferred from mobile terminals to home TV through WiFi based Wireless Local Area Network. The proposed secure solution supports three kinds of business models by using various content encryption modes and secure transmission protocols. The solution’s security is evaluated and discussed. Since little work has been done to solve this problem, the work proposed in this paper is expected to attract more researchers. Additionally, the solution also has potential for other ubiquitous services.

14.
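BYOD enterprise mobile device management technology   Total citations: 1, self-citations: 0, citations by others: 1
Presents ZTE's bring-your-own-device (BYOD) solution. At the terminal layer, access layer, control layer and application layer, the solution addresses the device security management, application security management and data security problems that enterprises face. The terminal layer provides a BYOD security suite; the access layer provides a signaling and media access gateway and a unified access control service, provides secure access for mobile devices, and provides unified device authentication and user authentication; the control layer controls the behavior patterns of mobile users and devices; the application layer provides the specific enterprise mobile services, including general enterprise communication services, enterprise office application support, virtual desktops, enterprise network drives, and mobile applications related to the enterprise's business.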

15.
With the ever‐increasing mobile demands and proliferation of mobile services, mobile Internet has penetrated into every aspect of human life. Although the 4G mobile communication system is now being deployed worldwide, simply evolving or incrementally improving the current mobile networks can no longer keep the pace with the proliferation of mobile services. Against this background, aiming to achieve service‐oriented 5G mobile networks, this article proposes an end‐to‐end software defining architecture, which introduces a logically centralized control plane and dramatically simplifies the data‐plane. The control plane decomposes the diversified mobile service requirements and, correspondingly, controls the functions and behaviors of data‐plane devices. Consequently, the network directly orients towards services, and the devices are dynamically operated according to the service requirements. Therefore, the proposed architecture efficiently guarantees the end‐to‐end QoS and quality of experience. The challenges and key technologies of our architecture are also discussed in this article. Real traces‐based simulations validate the performance advantages of proposed architecture, including energy efficiency and the whole performance. Copyright © 2015 John Wiley & Sons, Ltd.

16.
Recent advances in satellite technology are making possible the development of broadband satellite access (BSA) systems for two-way access to multimedia Internet services. This article provides an overview of BSA systems with an emphasis on resource management and interworking techniques to support IP-based multimedia services. The article draws on collaborative research performed over the past few years as part of the Broadband Satellite Communications Major Project of the Canadian Institute of Telecommunications Research. Some key innovations are described: combined free/demand assigned multiple access (CFDAMA) for dynamic satellite bandwidth allocation; an architecture for DiffServ provisioning over BSA systems; and a dynamic TCP Vegas protocol as a proxy service for split-TCP connections over BSA systems.

17.
何国锋 《电信科学》2020,36(12):123-132
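Through an analysis of security requirements in the era of 5G cloud-network convergence, the basic principles of zero trust are studied, including not relying on location, not trusting traffic, and dynamic access control. The basic architecture of zero trust is studied and, combined with the 5G cloud-network architecture, three feasible application protection schemes are proposed and compared: a customer-built OTT model, a model that retrofits the existing VPDN, and a public zero trust architecture model. The customer application scenarios in the 5G cloud network are analyzed, including remote access, secure cloud migration and mobile office, together with the value that a zero trust architecture can bring to customers in these scenarios, such as application hiding and dynamic control, ensuring the security of applications.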

18.
We describe the design, implementation and evaluation of a programmable architecture for profiling, composing and deploying handoff services. We argue that future wireless access networks should be built on a foundation of open programmable networking allowing for the dynamic deployment of new mobile and wireless services. Customizing handoff control and mobility management in this manner calls for advances in software and networking technologies in order to respond to specific radio, mobility and service quality requirements of future wireless Internet service providers. Two new handoff services are deployed using programmable mobile networking techniques. First, we describe a multi-handoff access network service, which is capable of simultaneously supporting multiple styles of handoff control over the same physical wireless infrastructure. Second, we discuss a reflective handoff service, which allows programmable mobile devices to freely roam between heterogeneous wireless access networks that support different signaling systems. Evaluation results indicate that programmable handoff architectures are capable of scaling to support a large number of mobile devices while achieving similar performance to that of native signaling systems.

19.
On demand network-wide VPN deployment in GPRS   Total citations: 1, self-citations: 0, citations by others: 1
Xenakis  C. Merakos  L. 《IEEE network》2002,16(6):28-37
Mobile Internet requires enhanced security services available to all mobile subscribers in a dynamic fashion. A network-wide virtual private network deployment scenario over the General Packet Radio Service is proposed and analyzed from a security viewpoint. The proposed security scheme improves the level of protection that is currently supported in GPRS and facilitates the realization of mobile Internet. It secures data transmission over the entire network route from a mobile user to a remote server by utilizing the default GPRS ciphering over the radio interface, and by deploying an IP VPN over the GPRS core, as well as on the public Internet. Thus, on-demand VPN services are made available for all GPRS network subscribers and roaming users. The VPN functionality, which is based on the IPsec framework, is outsourced to the network infrastructure to eliminate the potential computational overhead on the mobile device. The VPN initialization and key agreement procedures are based on an Internet Key Exchange protocol proxy scheme, which enables the mobile station to initiate VPN establishment, while shifting the complex key negotiation to the network infrastructure. The deployed VPN operates transparently to the mobile subscribers' movement. The required enhancements for security service provision can be integrated in the existing network infrastructure; therefore, the proposed security scheme can be employed as an add-on feature to the GPRS standard.

20.
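For mobile operators pursuing service innovation for home users, access bandwidth is a very important factor. KDDI built an FTTH network to provide home users with bundled fixed-mobile full-service offerings; H3G in the UK, lacking fixed-line resources, relies on 3G technology to deliver mobile broadband access, focuses on the development of the mobile Internet, and has adopted a flat monthly tariff strategy. Both approaches can serve as references for operators in China.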
