Similar literature
 20 similar documents found (search time: 531 ms)
1.
Trust-based security in pervasive computing environments   Cited by: 1 (self-citations: 0, citations by others: 1)
Kagal L., Finin T., Joshi A. Computer, 2001, 34(12): 154-157
Traditionally, stand-alone computers and small networks rely on user authentication and access control to provide security. These physical methods use system-based controls to verify the identity of a person or process, explicitly enabling or restricting the ability to use, change, or view a computer resource. However, these strategies are inadequate for the increased flexibility that distributed networks such as the Internet and pervasive computing environments require because such systems lack central control and their users are not all predetermined. Mobile users expect to access locally hosted resources and services anytime and anywhere, leading to serious security risks and access control problems. We propose a solution based on trust management that involves developing a security policy, assigning credentials to entities, verifying that the credentials fulfill the policy, delegating trust to third parties, and reasoning about users' access rights. This architecture is generally applicable to distributed systems but geared toward pervasive computing environments.

2.
The architecture of access control system for user jobs access to computational resources of grid distributed computing networks, which provides protection of data being processed against threats of exceeding user privileges, is presented. The developed system is compared to the available analogues, and the results of efficiency assessment of performance of the developed system are discussed.

3.
The paper describes the problem of unauthorized access to the data processed in distributed grid computing networks. Existing implementations of entity authentication mechanisms in grid systems are analyzed, and their disadvantages are considered. An approach to the use of group signature schemes, which prevents unauthorized access to a computing environment and provides the integrity of transferred data, is proposed.

4.
The issue of providing information security for data and computing resources in grid networks is reviewed. Specific features of architecture of distributed computing networks based on grid platforms are analyzed. Security threats specific for grid systems are typified. The available measures ensuring security for grid systems are considered, and their drawbacks are indicated. The set of applied issues associated with ensuring grid protection from unauthorized access is defined.

5.
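Interval-valued fuzzy access control for pervasive computing (in English)   Cited by: 3 (self-citations: 0, citations by others: 3)
Access control is a key technology for pervasive computing security. However, because pervasive computing is distributed, fuzzy and dynamic, traditional access control theories and methods do not fully suit the security requirements of pervasive computing environments. A new access control scheme for pervasive computing environments, based on interval-valued fuzzy set theory, is proposed to effectively characterize the fuzziness and uncertainty of access control in such environments. A new concept of fuzzy controlled system security is established, the security properties of fuzzy controlled systems are analyzed, and a theoretical and methodological foundation for fuzzy access control in pervasive computing is laid. Analysis of an application example shows that the proposed fuzzy access control for pervasive computing is effective.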

6.
Over the last two decades, we have seen a dramatic shift in computing systems, away from the monolithic mainframe and toward increasingly distributed, client-server systems. One of the key elements enabling the success of the distributed computing environment was the interconnecting network technology. High-speed, reliable network hardware and protocols evolved to support client-server applications. Network technology has now progressed to the point that applications are being written to specifically exploit the capabilities of the network. The explosion of World Wide Web applications is the latest example of the fact that the network is now the focus of the distributed computing environment. In a concurrent development, personal computing platforms placed increasingly powerful systems in ever smaller form factors. Users have embraced these advances: Mobile computers, in the form of laptops, palmtops, and personal digital assistants (PDAs), are a significant element of the current computing environment. However, to be fully productive, the mobile computer user requires access to the network. Further, access to a network is not sufficient. Mobile users need access to the same network - the same resources and services and communications capabilities - that they would if they were at their desktops. We refer to this concept of providing home network access to the mobile user as network extension. Addressing many requirements for practical wireless access, this Internet technology aids the development of advanced data services for wireless networks, including the integrated dispatch enhanced network.

7.
Wittie L.D. Computer, 1991, 24(9): 67-76
Three major justifications for distributed computing - sharing physically distributed resources, combining computers for fast solutions, and providing reliability through replication - are discussed. Distributed computing milestones from 1969 to 1991 are examined, focusing on the ARPAnet national research network, Ethernet and token-ring local area networks, and workstation networks united by distributed systems software. Three themes that dominate current trends in distributed systems and computer networks are examined. They comprise tapping the immense data-carrying potential of optical fibers, efficiently using tightly coupled networks of thousands of computers, and making network access inexpensive so many people will buy services. Developments for the next decade are predicted by extrapolating from these trends.

8.
Grid computing promises access to large amounts of computing power, but so far adoption of Grid computing has been limited to highly specialized experts for three reasons. First, users are used to batch systems, and interfaces to Grid software are often complex and different to those in batch systems. Second, users are used to having transparent file access, which Grid software does not conveniently provide. Third, efforts to achieve wide‐spread coordination of computers while solving the first two problems are hampered when clusters are on private networks. Here we bring together a variety of software that allows users to almost transparently use Grid resources as if they were local resources while providing transparent access to files, even when private networks intervene. As a motivating example, the BaBar Monte Carlo production system is deployed on a truly distributed environment, the European DataGrid, without any modification to the application itself. Copyright © 2005 John Wiley & Sons, Ltd.

9.
There are many security issues in cloud computing service environments, including virtualization, distributed big-data processing, serviceability, traffic management, application security, access control, authentication, and cryptography, among others. In particular, data access using various resources requires an authentication and access control model for integrated management and control in cloud computing environments. Cloud computing services are differentiated according to security policies because of differences in the permitted access right between service providers and users. RBAC (Role-based access control) and C-RBAC (Context-aware RBAC) models do not suggest effective and practical solutions for managers and users based on dynamic access control methods, suggesting a need for a new model of dynamic access control that can address the limitations of cloud computing characteristics. This paper proposes Onto-ACM (ontology-based access control model), a semantic analysis model that can address the difference in the permitted access control between service providers and users. The proposed model is a model of intelligent context-aware access for proactively applying the access level of resource access based on ontology reasoning and semantic analysis method.

10.
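A context-aware dynamic access control model   Cited by: 1 (self-citations: 0, citations by others: 1)
Existing access control techniques rely mainly on the identity of the subject to protect system resources, and do not consider the execution context when controlling permissions. With the development of networks and distributed computing, application environments have become distributed, heterogeneous and dynamic, so permissions need to be controlled dynamically according to the context of the subject. This paper proposes a context-aware access control model (DCAAC). DCAAC extends the RBAC model by adding context constraints. DCAAC obtains security-related context information from the application environment to change users' permissions dynamically, while retaining the advantages of the traditional RBAC model. This access control model has been implemented on a grid computing experimental platform.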

11.
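The characteristics and requirements of access control in grid computing are first presented; neither existing access control techniques nor distributed authorization models can meet the access control requirements of grid computing. By establishing trust relationships between entities, a trust-degree-based access control mechanism is proposed on the basis of CAS. A Ticket mechanism is proposed to improve resource utilization.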

12.
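Research on trust-degree-based access control in grid computing   Cited by: 4 (self-citations: 0, citations by others: 4)
The characteristics and requirements of access control in grid computing are first presented; neither existing access control techniques nor distributed authorization models can meet the access control requirements of grid computing. By establishing trust relationships between entities, a trust-degree-based access control mechanism is proposed on the basis of CAS. A Ticket mechanism is proposed to improve resource utilization.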

13.
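With the development of cloud technology, distributed application platforms are evolving toward elastic resources and dynamically changing environments. Policy refinement computation for distributed application access control depends on resources and environment, and needs strong performance to keep pace with this dynamism. Existing access control policy space conflict analysis methods can be used for policy conflict analysis in distributed access control policy refinement, but such algorithms compute at the level of individual permission assignment units, and this overly fine computational granularity leads to low performance. A recursive algorithm based on set intersection is proposed, which computes policy conflicts at the level of sets of permission assignment units so that computation runs at a coarser granularity. Theoretical analysis and experimental results show that the algorithm achieves high performance and is suitable for the high-performance requirements of policy refinement computation on cloud platforms.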

14.
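A distributed access control model for peer-to-peer environments   Cited by: 4 (self-citations: 0, citations by others: 4)
P2P is increasingly common in current network applications, but the security problems of P2P networks largely limit large-scale commercial use of P2P. Providing an efficient access control model is key to keeping a P2P system efficient and stable. A distributed secure access control model is proposed for the characteristics of the P2P network application environment. The peer-to-peer network as a whole is described with the RBAC model, while each node locally controls resource access according to its own access control policy, achieving distributed access control within the peer-to-peer network. The distributed secure access control model was applied in an experimental environment, implementing a role-based distributed access control policy within the peer-to-peer network.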

15.
Peer-to-peer (P2P) networks and grids are distributed computing models that enable decentralized collaboration by integrating computers into networks in which each can consume and offer services. P2P is a class of self-organizing systems or applications that takes advantage of distributed resources - storage, processing, information, and human presence - available at the Internet's edges. A grid is a geographically distributed computation platform comprising a set of heterogeneous machines that users can access through a single interface. Both are hot research topics because they offer promising paradigms for developing efficient distributed systems and applications. Unlike the classic client-server model, in which roles are well separated, P2P and grid networks can assign each node a client or server role according to the operations they are to perform on the network - even if some nodes act more as server than as client in current implementations. In spite of current practices and thoughts, the grid and P2P models share several features and have more in common than we perhaps generally recognize. It is time to consider how to integrate these two models. A synergy between the two research communities, and the two computing models, could start with identifying the similarities and differences between them.

16.
Security is emerging as a growing concern throughout the distributed computing community. Typical solutions entail specialized infrastructure support for authentication, encryption and access control. Mobile applications executing over ad hoc wireless networks present designers with a rather distinct set of security requirements. A totally open setting and limited resources call for lightweight and highly decentralized security solutions. In this paper we propose an approach that relies on extending an existing coordination middleware for mobility (Lime). The need to continue to offer a very simple model of coordination that assures rapid software development led to limiting extensions solely to password protected tuple spaces and per tuple access control. Password distribution and security are relegated to the application realm. Host level security is ensured by the middleware design and relies on standard support provided by the Java system. Secure interactions among agents across hosts are accomplished by careful exploitation of the interceptor pattern and the use of standard encryption. The paper explains the design strategy used to add security support in Lime and its implications for the development of mobile applications over ad hoc networks.

17.
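谷虤, 钱江, 应明峰. Computer Engineering (《计算机工程》), 2007, 33(13): 161-163
With the continued development of distributed computing, the traditional role-based security (RBAC) model can no longer meet the requirements of distributed security. Based on Microsoft's code access security, this paper derives an evidence-based code access control (EBCAC) model and a formal description of it; the model enables access control at a lower level of the system. An improved design for an evidence-based code access control system is proposed, and an example of preventing luring attacks is given.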

18.
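The massive data of social networks calls for distributed storage; storing the data of multiple users across storage and compute nodes preserves parallelism and redundancy. How to store and access user data with high performance within limited distributed storage space is of practical significance. In current social network systems, read and write operations between users' data cause a large number of remote accesses across storage nodes. Reducing remote accesses between nodes lowers network load and access latency and improves user experience. A dynamic partitioning and replication algorithm based on user interaction behaviour is proposed; it uses friend relationships and commenting behaviour between users to describe the structure of the social network and periodically partitions and replicates user data, thereby raising the local access rate and lowering network load. Validation on a real dataset shows that, compared with random partitioning and replication algorithms, the algorithm greatly improves the local access rate and reduces access latency.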

19.
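The characteristics and requirements of access control in grid computing are first presented. Neither existing access control techniques nor distributed authorization models can meet the access control requirements of grid computing. By establishing trust relationships between entities, a trust-degree-based access control mechanism is proposed on the basis of CAS. A Ticket mechanism is proposed to improve resource utilization. Finally, simulation results are given to verify its effectiveness.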

20.
Service oriented networks are distributed computing infrastructures that provide widely distributed resources. These networks are dynamic and their size and complexity continue to increase and allow users ubiquitous access to available resources and services. Therefore, efficient query routing approaches in large and highly distributed service oriented networks are required and need to be adaptive in order to cope with a dynamically changing environment. In this paper, a query routing approach based on mobile agents and random walks with a reinforcement learning technique is presented. By enhancing random walks with a reinforcement learning mechanism centered on users’ satisfaction, this approach allows dynamic and self-adaptive location of required resources. Peers incorporate knowledge from past and present queries which will be used during next searches by mobile agents to select their next hops. This approach is analyzed through two query routing techniques using the network simulator ns2.
