基于信任的普适计算安全机制

在普通计算环境中,用户能够在任何时间任何地点访问资源,获得服务。但是这种无处不在性和移动性的环境带来了新的安全问题。资源的拥有者和请求者一般互相不知道。该文给出了主体的信任策略以及基于信仟的普适计算环境认证方法和访问拧制模型。     

普适计算软件体系结构研究

普适计算强调人、计算机以及环境的相互融合,这就对传统的软件技术提出了挑战。需要新型的软件架构与之相适应。本文以普适计算环境下的通用软件架构设计为目标,采用面向服务组件和分层次的设计原则,通过中心服务器的管理机制和服务整合的方法,提出了一种基于Kerberos认证机制的、面向服务的普适计算软件体系结构。这个软件架构的提出,解决了普适计算环境下设备的本地资源受限性、任务多样性、运行环境的异构性和访问的安全性等一系列问题;并将此软件架构应用于“普适计算智能办公系统”的软件实现中。     

普适计算环境下的虚拟机技术研究

普适计算环境中资源和服务利用率较低,传统应用程序在该环境下无法兼容。为此,提出一种适用于普适计算环境的虚拟机技术。使用设备请求代理屏蔽复杂的普适计算网络环境,对上层应用提供统一硬件平台,支持多个普适计算应用同时运行。实验结果表明,该虚拟化技术能兼容传统应用,提高普适计算资源和服务的利用率。     

EH—GRBAC：遍在计算环境中基于知识的访问控制原型

In pervasive computing environment, users can access to various information, resources and services at anytime and anywhere, so access control has become an exigent security problem. In the traditional access control modes, the decisions o[ access control are entirely dependent on the results of authentication. The access control can-not provide the security-relevant fault-tolerant function. But in pervasive computing environment, because of the var-ious reasons, security system can't assure the results of the authentication are absolutely correct. So we propose touse the knowledge-based access control, which can discovery some rules and knowledge from the previous process ofaccess control and combine these rules with traditional access controls to perfect the security system. The essence ofknowledge-based access control is to add some intelligent authentication function into the process of access control. In the paper, we expatiate the idea and principle of knowledge-based access control, as well as the advances of this method. Furthermore, we implement a prototype, called EH-GRBAC, which can discovery historical knowledge from the history of users' using resources to reinforce GRBAC. In the paper, we also explain the architecture and the details of EH_GRBAC.     

基于上下文的普适计算使用控制模型

目前普适计算中的访问控制绝大多数采用基于角色访问控制模型(RBAC);然而使用控制(UCON)模型具有可变性和持续性,更适合普适计算,但没有充分考虑上下文信息。在UCON模型中增加对上下文信息考虑的同时将义务和条件决策因素分为静态和动态,提出了基于上下文的普适计算使用控制(Con_UCON)模型,动态义务和条件作为使用过程中的决策因素;同时建立了模型的核心规则集,并给出了形式语言描述。该模型能满足普适计算环境中访问控制的需求。通过普适计算智能办公系统中的三个实例,证明此模型具有有效性、灵活性和安全性。     

COCOA: COnversation-based service COmposition in pervAsive computing environments with QoS support

Pervasive computing environments are populated with networked services, i.e., autonomous software entities, providing a number of functionalities. One of the most challenging objectives to be achieved within these environments is to assist users in realizing tasks that integrate on the fly functionalities of the networked services opportunely according to the current pervasive environment. Towards this purpose, we present COCOA, a solution for COnversation-based service COmposition in pervAsive computing environments with QoS support. COCOA provides COCOA-L, an OWL-S based language for the semantic, QoS-aware specification of services and tasks, which further allows the specification of services and tasks conversations. Moreover, COCOA provides two mechanisms: COCOA-SD for the QoS-aware semantic service discovery and COCOA-CI for the QoS-aware integration of service conversations towards the realization of the user task’s conversation. The distinctive feature of COCOA is the ability of integrating on the fly the conversations of networked services to realize the conversation of the user task, by further meeting the QoS requirements of user tasks. Thereby, COCOA allows the dynamic realization of user tasks according to the specifics of the pervasive computing environment in terms of available services and by enforcing valid service consumption.     

一种基于情境的语义Web服务发现方法

在普适计算环境下,如何结合情境信息以发现满足用户需求的服务,是目前Web服务研究的一个关键问题.提出一种基于情境的Web服务发现框架,采用本体进行情境建模,利用用户反馈信息进行权重计算,并给出了一个基于相似度的语义Web服务的匹配算法.最后通过实验验证了该方法的有效性.     

高性能计算服务环境应用编程接口

高性能计算服务环境主要面向用户、科研团队提供高性能计算服务.随着环境接入的超算中心以及应用社区和业务平台越来越多,超算中心以及社区和业务平台的用户希望能够使用原有账号登录高性能计算环境使用资源.高性能计算服务环境目前提供的应用编程接口仅支持通过LDAP认证的网格账号.为使得应用社区和业务平台用户使用自己原有的登录方式认证通过后就可访问高性能计算服务环境,我们重新设计开发了高性能计算服务环境应用编程接口.本文着重介绍新版应用编程接口的结构与部署实现,并通过用例来说明如何调用新版接口.新版接口为社区和业务平台接入高性能计算环境提供了更方便且安全地支撑.     

普适计算的信任认证

在普适计算环境中,用户能够在任何时间、任何地点访问资源,获得服务。但是这种无处不在性和移动性的环境带来了新的安全问题。资源的拥有者和请求者一般互相不知道。认证是安全的基石,没有认证,系统的保密性、完整性和可用性都将受到影响。可是传统认证是基于身份的认证,不适合普适环境中对陌生实体的认证。本文在分析普适计算的认证要求后,指出了在普适计算环境中应该先在陌生的实体间建立信任关系,然后可以用几乎所有的标准密钥交换协议进行安全认证。提出了用资源限制信任协商技术在陌生人之间建立信任关系。由于它避免了大量的公钥密码操作所带来的计算负担,因此比较适合计算能力有限的设备之间建立信任关系。     

Context-aware service roaming for heterogeneous embedded devices over cloud

Cloud computing advocates a promising paradigm that facilitates the access within heterogeneous services, platforms, and end users. However, platforms (or host servers) have confined to devices which require a considerable computing resources. In this case, solutions concerning the efficient use of pervasive devices with constrained resources become an open issue. This study investigates the seamless connection between embedded devices and cloud resources to enhance the capability of computing and furthermore provide context-aware services. A method for wireless program dissemination and boot loading is proposed to transfer necessary information and resources between service and target device(s). The experiment results on time delay and energy cost demonstrate the feasibility and performance.     

Trust-based security in pervasive computing environments

Traditionally, stand-alone computers and small networks rely on user authentication and access control to provide security. These physical methods use system-based controls to verify the identity of a person or process, explicitly enabling or restricting the ability to use, change, or view a computer resource. However, these strategies are inadequate for the increased flexibility that distributed networks such as the Internet and pervasive computing environments require because such systems lack central control and their users are not all predetermined. Mobile users expect to access locally hosted resources and services anytime and anywhere, leading to serious security risks and access control problems. We propose a solution based on trust management that involves developing a security policy, assigning credentials to entities, verifying that the credentials fulfill the policy, delegating trust to third parties, and reasoning about users' access rights. This architecture is generally applicable to distributed systems but geared toward pervasive computing environments     

Access control management for ubiquitous computing

The purpose of ubiquitous computing is anywhere and anytime access to information within computing infrastructures that is blended into a background and no longer be reminded. This ubiquitous computing poses new security challenges while the information can be accessed at anywhere and anytime because it may be applied by criminal users. Additionally, the information may contain private information that cannot be shared by all user communities. Several approaches are developed to protect information for pervasive environments against malicious users. However, ad hoc mechanisms or protocols are typically added in the approaches by compromising disorganized policies or additional components to protect from unauthorized access.In this paper, we present a usage control model to protect services and devices in ubiquitous computing environments, which allows the access restrictions directly on services and object documents. The model not only supports complex constraints for pervasive computing, such as services, devices and data types but also provides a mechanism to build rich reuse relationships between models and objects. Finally, comparisons with related works are analysed.     

Context-adaptive and energy-efficient mobile transaction management in pervasive environments

Pervasive computing is a user-centric, scalable, parallel, and distributed computing paradigm, allowing users to access to their preferred services even while moving around. Transaction management for pervasive environments has to provide mobile users with reliable and transparent services anytime anywhere. To make such a vision a reality, the communication of pervasive transaction processing should be context-aware for adapting to dynamically changing execution environments, and energy-efficient for prolonging the lifetime of battery-powered mobile devices. In this paper, we propose a context model and a context-aware transaction model for pervasive transactions, and present a c\underline{\mathrm{c}} ontext-adaptive and e\underline{\mathrm{e}} nergy-efficient t\underline{\mathrm{t}} ransaction m\underline{\mathrm{m}} anagement mechanism (CETM) that can dynamically adjust transaction execution behaviors in terms of current context information. Moreover, we model and verify the correctness of the CETM through Petri nets. The simulation results have demonstrated that our transaction management mechanism CETM can significantly reduce the failed probability of concurrent pervasive transactions.     

Activity-Aware Computing for Healthcare

In this article, we introduce activity-aware computing, which uses activity-based computing to enhance pervasive environments in two ways: to help users associate resources and services with activities, resulting in seamless interaction with those resources and services, and to enable pervasive environments to automatically infer activities and thus opportunistically offer services that support the user's current goal. Thus, activity-aware applications persuade users to commit themselves to the technology, moving from a paradigm of activity-based ";interaction"; toward one of activity-aware ";engagement"; with a computationally augmented environment. We present a set of tools for developing activity-aware applications, including a computational representation of human activities that we defined using data from a hospital case study we conducted. We also used the data to create an activity recognition approach and a set of design principles for developing activity-aware applications. The mobile activity monitor we designed to create a wearable connection between patients and nurses exemplifies our design principles.     

基于上下文的普适计算角色访问控制模型

针对普适计算访问控制上下文感知的特点,分析了现有扩展RBAC模型的不足,提出了基于上下文的角色访问控制模型(CRBAC).模型定义了可执行角色集,引入由时间状态,位置信息、用户信任值组成的上下文信息,由上下文信息激活可执行角色集,并以此代表用户最终获得的权限,这样用户就只能在一定的上下文中才可以执行某个角色的某个权限,实现了细粒度的动态授权.然后分别对此模型下单用户和多用户的访问控制过程进行了描述,最后利用有限状态机验证了模型的安全性.     

A lightweight conditional privacy-preserving authentication and access control scheme for pervasive computing environments

In pervasive computing environments, the users can get access to the services from the service providers in a highly desirable way. But the security of the user's authentication is a challenging field. Pervasive computing environments must provide the service to only legitimate users. On the other hand, some users attempt to keep their anonymity without revealing their identities while using some privacy-related services such as location information, printing, buying shares, etc. In this paper, we propose a conditional privacy-preserving authentication and access control scheme for pervasive computing environments, called CPriauac. Compared with the previous schemes in the literature, registration servers and authentication servers in the proposed scheme need not maintain any sensitive verification tables. The management of public keys is easier. Furthermore, the anonymity of the user can be removed efficiently once the dispute happens. The proposed scheme provides user anonymity against outside and inside parties, mutual authentication, accountability and differentiated access control.     

Contract RBAC in cloud computing

Cloud computing is a fast growing field, which is arguably a new computing paradigm. In cloud computing, computing resources are provided as services over the Internet and users can access resources based on their payments. The issue of access control is an important security scheme in the cloud computing. In this paper, a Contract RBAC model with continuous services for user to access various source services provided by different providers is proposed. The Contract RBAC model extending from the well-known RBAC model in cloud computing is shown. The extending definitions in the model could increase the ability to meet new challenges. The Contract RBAC model can provide continuous services with more flexible management in security to meet the application requirements including Intra-cross cloud service and Inter-cross cloud service. Finally, the performance analyses between the traditional manner and the scheme are given. Therefore, the proposed Contract RBAC model can achieve more efficient management for cloud computing environments.     

Dynamic Service Composition in Pervasive Computing

Service-oriented architectures (SOAs) promise to provide transparency to resource access by exposing the resources available as services. SOAs have been employed within pervasive computing systems to provide essential support to user tasks by creating services representing the available resources. The mechanism of combining two or more basic services into a possibly complex service is known as service composition. Existing solutions to service composition employ a template-matching approach, where the user needs are expressed as a request template, and through composition, a system would identify services to populate the entities within the request template. However, with the dynamism involved in pervasive environments, the user needs have to be met by exploiting available resources, even when an exact match does not exist. In this paper, we present a novel service composition mechanism for pervasive computing. We employ the service-oriented middleware platform called pervasive information communities organization (PICO) to model and represent resources as services. The proposed service composition mechanism models services as directed attributed graphs, maintains a repository of service graphs, and dynamically combines multiple basic services into complex services. Further, we present a hierarchical overlay structure created among the devices to exploit the resource unevenness, resulting in the capability of providing essential service-related support to resource-poor devices. Results of extensive simulation studies are presented to illustrate the suitability of the proposed mechanism in meeting the challenges of pervasive computing user mobility, heterogeneity, and the uncertain nature of involved resources.     

国家高性能计算环境资源评价规范研究

高性能计算资源作为科技创新的重要手段,是当代科技竞争的战略制高点,能集中体现一个国家的综合实力。国家高性能计算环境聚合了国内优秀的高性能计算资源,面向用户提供高效、便捷的高性能计算服务。为加强环境建设、提高服务质量,本文提出了一套可以量化网络服务水平和集群计算服务水平的规范,为高性能计算环境的准入提供理论依据,支持和引导用户合理使用资源,形成全局统筹的资源布局。本文首先提出对高性能计算资源服务水平的评价标准,针对资源的性能、可用性、安全性、可靠性、需求管理、技术支持和服务响应这些内容分别展开介绍。然后介绍了这些评价标准的计算方法,为评价标准的确立提供理论基础。最后以提出的资源评价标准为依据,对资源的分级标准进行制定并提出高性能计算环境的准入标准。     

面向普适计算环境的Android平台服务编排框架

普适计算环境下的智能移动设备是面向终端用户的服务资源聚集和编排的主要载体。普适计算环境中的服务资源具有多种不同的形态,包括基于互联网提供的Web服务、终端设备自身服务和资源(例如本地应用、自带传感器)以及所处环境中可访问的服务(例如环境传感器)。此外,不断变化的上下文环境对软件本身的自适应能力提出了新的要求,而移动设备上的服务编排受设备计算能力和资源的限制。为了解决上述问题,提出了一个面向普适计算环境的Android平台服务编排框架ASOF。通过ASOF,移动终端可在运行时获取所需业务流程的服务模板,并对该模板中的抽象服务进行服务绑定,实现轻量级的混合服务编排,使终端能够动态获得调用普适计算环境中各种类型的服务的能力。随后,基于OSGi Felix框架给出了一套ASOF的标准实现,并以一个具体案例验证其有效性。