1.
Chi-Lun Liu 《中国电子科技》2013,11(2):176-180
Personal cloud computing is an emerging trend in the computer industry. For a sustainable service, cloud computing services must control user access. The essential business characteristics of cloud computing are payment status and service level agreement. This work proposes a novel access control method for personal cloud service business. The proposed method sets metadata, policy analysis rules, and access denying rules. Metadata define the structure of access control policies and user requirements for cloud services. The policy analysis rules are used to compare conflicts and redundancies between access control policies. The access denying rules apply policies for inhibiting inappropriate access. The ontology is a theoretical foundation of this method. In this work, ontologies for payment status, access permission, service level, and the cloud provide semantic information needed to execute rules. A scenario of personal data backup cloud service is also provided in this work. This work potentially provides cloud service providers with a convenient method of controlling user access according to changeable business and marketing strategies.
2.
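To address the policy generation problem faced when migrating from other access control mechanisms to attribute-based access control, this paper proposes a method for generating access control policies from access control logs. It uses recursive attribute elimination based on machine-learning classifiers to select policy attributes, extracts the attribute-permission relationships implicit in the log records based on information impurity, and, combined with the results of entity attribute selection, builds a policy structure tree to generate attribute-based access control (ABAC) policies. A policy generation optimization algorithm based on binary search is designed to compute the optimal policy generation result quickly. Experimental results show that only 32.56% of the attribute information in the original entity attribute set is needed to cover 95% of the policies in the logs, and that the policy size can be compressed to 33.33% of the original, confirming the effectiveness of the scheme, which can provide strong support for ABAC policy management.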
3.
4.
5.
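The rise of cloud computing has pushed Web service applications onto a broader platform. Cloud services are usually designed as Web services, and the servitization of the cloud is receiving growing attention. Under the cloud computing paradigm, to address the difficulty of updating and extending the semantic information of cloud services, to ensure quality of service and on-demand resource use, and to retrieve and manage cloud services efficiently, this paper draws on business in the water resources domain to propose and implement a cloud service repository that manages the various cloud services built on water resources business. It uses ontology and metadata techniques to describe the facets and attributes of cloud services, and develops a dynamic facet generation mechanism that makes it easy to add new facets and thereby extend the semantic information of cloud services. The cloud service repository has already been applied in several projects and has shown good results.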
6.
Attribute-Based Access Control with Efficient and Secure Attribute Revocation for Cloud Data Sharing Service
Nowadays, there is the tendency to outsource data to cloud storage servers for data sharing purposes. In fact, this makes access control for the outsourced data a challenging issue. Ciphertext-policy attribute-based encryption (CP-ABE) is a promising cryptographic solution for this challenge. It gives the data owner (DO) direct control on access policy and enforces the access policy cryptographically. However, the practical application of CP-ABE in the data sharing service also has its own inherent challenge with regard to attribute revocation. To address this challenge, we proposed an attribute-revocable CP-ABE scheme by taking advantage of the over-encryption mechanism and CP-ABE scheme and by considering the semi-trusted cloud service provider (CSP) that participates in decryption processes to issue decryption tokens for authorized users. We further presented the security and performance analysis in order to assess the effectiveness of the scheme. As compared with the existing attribute-revocable CP-ABE schemes, our attribute-revocable scheme is reasonably efficient and more secure to enable attribute-based access control over the outsourced data in the cloud data sharing service.
7.
Security is a key problem for the development of Cloud Computing. A common service security architecture is a basic abstract to support security research work. The authorization ability in the service security faces more complex and variable users and environment. Based on the multidimensional views, the service security architecture is described on three dimensions of service security requirement integrating security attributes and service layers. An attribute-based dynamic access control model is presented to detail the relationships among subjects, objects, roles, attributes, context and extra factors further. The model uses dynamic control policies to support the multiple roles and flexible authority. At last, access control and policies execution mechanism were studied as the implementation suggestion.
8.
Bhumip Khasnabish 《中兴通讯技术(英文版)》2012,10(3):47-54
In this paper, we define mobile cloud computing and describe how it can be used for delivering advanced any-media services to both nomadic and mobile users. We focus on service delivery that is localized and personalized and suggest that virtualization and tighter cross-layer communication allows for convergence and seamless transition of services. These are also creating new and never-before-seen ways of developing and delivering personalized any-media services. We discuss current paradigms for implementing cloud-based any-media services that generate revenue. Future research topics and requirements for evolving network and service elements are also discussed.
9.
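With the rapid development of healthcare informatization, current EMR systems cannot adequately meet the needs of healthcare providers and patients in terms of information sharing and security. Based on cloud computing technology, this paper proposes an EMR storage cloud system that provides patients and hospitals with a unified service for registering and using electronic medical records. It focuses on the access control policy for electronic medical records, adopting a strategy that combines general role-based access control with user-personalized, level-by-level authorization. This effectively solves the problems of dynamic authorization and personalized user needs, and meets patients' requirements for information security and privacy protection.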
10.
To improve the performance and robustness in service discovery, a self-organizing mechanism for service alliances of Service Providers (SPs) is proposed in this paper. According to the similarity of service content, an SP publishes its services in a partition of SPs to construct connections between highly similar SPs. These SPs constitute a self-organized distributed environment. A self-organizing protocol is designed to ensure the correctness of the construction of the alliances. The protocol consists of four stages — initiating stage, developing stage, developed stage and degradation stage. The experimental results demonstrate that this protocol ensures the self-property. The visualization of alliance developing stages illustrates that sub-alliances are split in balance and self-connected. Compared with the Random Walker algorithm, the time cost and the number of forwarded messages in alliance-based mechanism are lower in service discovery. On three typical topologies (Grid, Random-Graph, Power-Law), the success rate of service discovery is much higher, which shows that self-organized alliances are helpful to enhance the discovery performance.
11.
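Building on an overview of cloud computing and cloud services, this paper proposes a solution for delivering cloud services efficiently, covering overall architecture design, functional structure design and subsystem module design, and discusses the development prospects of cloud services in light of current problems.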
12.
13.
15.
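A Security Model Based on an XACML Access Control Policy Decision Service (cited by: 5; self-citations: 1; citations by others: 5)
Access authorization is one of the key components of a distributed system, but it is generally not implemented as an independent node and is sometimes ignored altogether. This paper proposes and implements a security model that builds a policy decision point based on XACML, and gives three basic application modes of the model so that it can adapt to the requirements of various environments and achieve secure, fine-grained access control.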
16.
17.
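Research on Cloud Computing Service Level Agreements (SLA) (cited by: 7; self-citations: 0; citations by others: 7)
Taking the cloud computing service level agreement (SLA) as its subject, this paper studies and describes cloud computing SLAs from several angles: the concept of a cloud computing SLA, its requirements, and the parameters it involves. It concentrates on classifying and describing the key quality-of-service parameters involved in several common cloud computing services.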
18.
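A Discussion of Access Control Methods for Operators' Three-Network Convergence (cited by: 2; self-citations: 0; citations by others: 2)
By analyzing the development history of PPPoE and comparing it with IPoE, this paper discusses in detail the necessity and feasibility of providing multi-service access via IPoE to meet the needs of three-network convergence, and gives implementation recommendations for IPoE-based integrated access control.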
19.
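CP-ABE is currently the most commonly used encryption system in cloud computing access control, but the traditional CP-ABE system does not address users' access permissions: the data provider can only let users read data, not write it, so the access control mechanism is inflexible and inefficient. To address this shortcoming, this paper proposes DACPCC, an efficient cloud computing access control scheme that includes access permissions. Building on CP-ABE, the scheme introduces permission control keys to encrypt data in the cloud, and the data provider controls access permissions on the data through its choice of permission control key. The paper presents the detailed design of DACPCC together with a security proof and experimental validation; the results show that DACPCC lets data providers exercise permission control over their data resources and that it is secure and efficient.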
20.
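To support proactive manufacturing in a cloud manufacturing environment and enable both parties to a service transaction to benefit, this paper proposes a method that applies a bidding mechanism to active rent-seeking by cloud services. The method decomposes a user's manufacturing requirement into subtasks and publishes them as tender documents; each cloud service decides whether to bid based on the tender and its own situation. During bid evaluation, the bidding center decides the winning cloud service by jointly considering its evaluation of the cloud services' bids and the recommendation ratings from other services, and a rental listing board gives lower-quality services a chance of being used as well. A bidding-based model for active rent-seeking by cloud services and a description of the algorithm are given, and simulation experiments demonstrate the effectiveness of the method.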