Similar literature
1.
Cloud computing (CC) integrates parallel computing and distributed computing. One of the major problems faced by public CC is security regarding data access control. CC permits people to share data, documents, videos, and other types of data. Generally, cloud data are considered big data, because the volume of the data is huge and it has a great number of varieties. In recent days, attribute‐based data sharing applied only to selected data is a crucial problem. One of the existing approaches encrypts data using various kinds of keys based on several types of cryptosystems. However, those kinds of methods have some weaknesses, such as the inability to handle attributes effectively, storage of more unwanted copies of the same data, and policy changes. They need a high computational cost and reduce the efficiency of memory utilization and the computational speed. This paper is motivated to design and implement an efficient approach for optimized access control (OAC) for data stored in the cloud to overcome these kinds of issues. The efficiency of the proposed method is proved through a simulation‐based experiment in Cloud Simulator.

2.
For the problem of secure data sharing and access control in the mobile cloud, the drawbacks of traditional cryptographic access control schemes were analyzed in depth. Considering that mobile devices are usually equipped with limited resources, an optimized attribute-based cryptographic access control scheme was proposed in this study. In the proposed scheme, a third-party proxy was introduced into the system model, and a two-layer encryption method was applied. By combining the traditional attribute-based encryption (ABE) algorithm with multi-secret sharing and split measurement of ABE encryption, the scheme could greatly reduce the cost to mobile users of data publishing and access management. Theoretical and experimental analysis shows that the contribution can meet the requirements of the mobile cloud in terms of security, computational complexity and communication cost, which means that it is promising for future applications.

3.
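With the widespread application of cloud computing technology, the security of cloud resources in cloud environments has attracted broad attention from researchers in the information security field. Traditional access control methods cannot meet the security needs of data storage and processing in cloud computing environments, whereas applying attribute-based encryption access control in cloud computing environments can effectively ensure the security of data in the cloud. This paper briefly analyzes cloud security, studies attribute-based access control methods, and, taking into account the actual conditions of data processing in cloud computing environments, proposes and studies a scheme for applying attribute-based encryption access control in cloud computing environments.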

4.
Today, data centers are the main source of providing cloud services through a service level agreement (SLA). Most research papers on cloud resource management concentrate on how to reduce host energy consumption and SLA violation (SLAV) to minimize operational cost. However, they do not consider the amount of penalty that the cloud provider should pay to users because of SLAV. In this paper, we propose a new penalty‐aware and cost‐efficient method that considers cloud resource management as a cost problem. In this method, parameters such as user budget, penalty, and host energy consumption cost play an important role in minimizing operational cost, which leads to higher profit for the cloud provider. The simulation results with CloudSim show that our proposed method minimizes operational cost compared to prior resource management methods. Copyright © 2016 John Wiley & Sons, Ltd.

5.
An efficient dynamic ciphertext access control method for cloud storage   Total citations: 1, self-citations: 0, citations by others: 1
洪澄  张敏  冯登国 《通信学报》2011,32(7):125-132
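To protect the confidentiality of sensitive data in cloud storage, a ciphertext access control method, HCRE, is proposed on the basis of attribute-based encryption. The idea is to design an algorithm based on a secret sharing scheme that moves the re-encryption caused by access control policy changes to the cloud, thereby reducing the complexity of privilege management and achieving efficient dynamic ciphertext access control. Experimental analysis shows that HCRE significantly reduces the time cost of privilege management, leaks no additional information to the cloud, and preserves data confidentiality.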

6.
肖人毅 《通信学报》2014,35(12):20-177
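Because the division of labor in society and resource sharing are inevitable, public cloud platforms are bound to become national infrastructure as important as the power grid and the Internet. The security problems facing cloud computing restrict its widespread use. Data security is especially important in cloud computing, and how to guarantee the security of data is the core of cloud computing security. Existing research is classified and summarized from four aspects: privacy-preserving computation on data, integrity authentication of data processing results, data access permission control, and the physical security of data, providing a reference for subsequent research on data security in cloud computing.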

7.
Cloud storage data access control based on the CP-ABE algorithm   Total citations: 5, self-citations: 0, citations by others: 5
孙国梓  董宇 《通信学报》2011,32(7):146-152
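To address the security problems arising from the network characteristics and data-sharing characteristics of cloud storage services, a ciphertext access control mechanism based on the CP-ABE algorithm is proposed. The mechanism is studied from two aspects: access permission control and access control architecture. The corresponding security algorithm data structures are given, and simulation and performance analysis are carried out. Under the premise that the service provider is untrusted, the mechanism ensures the security of data in a cloud storage system in an open environment and reduces the complexity of privilege management through attribute management.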

8.
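Multi-user collaborative access control schemes for cloud storage   Total citations: 1, self-citations: 0, citations by others: 1
CP-ABE is regarded as one of the most suitable data access control methods for cloud storage, but it only suits cases where users separately read or separately modify different data. When CP-ABE is applied directly to multi-user collaborative data access, problems arise such as unordered modifications and large numbers of redundant ciphertext files. When multiple users collaboratively access cloud data, legitimate users should be controlled so that they modify the same ciphertext file in an orderly manner while confidentiality and collusion resistance are guaranteed, and the cloud should keep as few copies of ciphertext files as possible. Two multi-user collaborative access control schemes, MCA-F and MCA-B, are proposed, targeting files and logical blocks of files respectively. MCA-F meets access control requirements in which a single data file is the minimum control granularity. It adopts a hierarchical encryption structure in which the cloud server undertakes part of the decryption computation to reduce the user's decryption cost; for access control when multiple users write data simultaneously, a method for managing the temporary data submitted by multiple users is proposed. MCA-B is used for access control in which a logical block of a file is the minimum control granularity. It designs a logical blocking mechanism for files and a representation based on an index matrix, and proposes a sub-data mask representation to describe the write permissions of multiple users on different logical blocks of the same file. MCA-B supports dynamic changes to the user set and to the logical block structure of files, and the data owner and modifiers do not need to stay online. Compared with existing schemes, the proposed schemes not only provide access control for multi-user collaborative data writing in cloud storage, but also require less client-side storage and encryption/decryption computation for read access control.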

9.
Researchers are using various variations of re‐encryption schemes, which migrate the computationally intensive re‐encryption jobs of mobile devices to the trusted entity/cloud. However, the messages are still encrypted and decrypted using the limited computational power of mobile devices. Our contribution in this paper is to propose a workload distribution model for re‐encryption schemes, which offloads the computationally intensive operations, such as encryption and decryption, to a trusted entity. Moreover, the proposed workload distribution model is compared with existing re‐encryption schemes in terms of resource utilization on the trusted entity and mobile device. The experimental results show substantial improvement in performance compared to the existing schemes.

10.
吴国威  樊宁  汪来富  王帅  沈军  金华敏 《电信科学》2019,35(11):101-107
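Cloud computing provides tenants with storage, computing and network services; data security protection and data sharing and access control between tenants are indispensable capabilities. Attribute-based encryption is a one-to-many encryption scheme that can realize fine-grained access control according to user attributes, and it is suitable for multi-tenant data sharing in cloud computing environments. However, existing attribute-based encryption algorithms are inefficient and difficult to apply in real environments. The two types of attribute-based encryption and their application scenarios are analyzed, and an acceleration scheme for attribute-based encryption algorithms is proposed. Experiments show that the proposed scheme improves the efficiency of the key generation, encryption and decryption algorithms of attribute-based encryption.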

11.
Cloud computing is considered the latest emerging computing paradigm and has brought revolutionary changes in computing technology. With the advancement in this field, the number of cloud users and service providers is increasing continuously, with more diversified services. Consequently, the selection of an appropriate cloud service has become a difficult task for a new cloud customer. In case of inappropriate selection of a cloud service, a cloud customer may face the vendor lock‐in issue and data portability and interoperability problems. These are the major obstacles to the adoption of cloud services. To avoid these complexities, a cloud customer needs to select an appropriate cloud service at the initial stage of the migration to the cloud. Much research has been proposed to overcome these issues, but problems still exist in intercommunication standards among clouds and in vendor lock‐in. This research proposed an IEEE multiagent Foundation for Intelligent Physical Agent (FIPA) compliant multiagent reference architecture for cloud discovery and selection using cloud ontology. The proposed approach will mitigate the prevailing vendor lock‐in issue and also alleviate the portability and interoperability problems in cloud computing. To evaluate the proposed reference architecture and compare it with the state‐of‐the‐art approaches, several experiments have been performed using the commonly used performance measures. Analysis indicates that the proposed approach enables significant improvements in cloud service discovery and selection in terms of search efficiency, execution, and response time.

12.
梁鹏  沈昌祥  宁振虎 《通信学报》2013,34(Z1):27-215
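To address the lack of an internal isolation mechanism suitable for cloud-based production-type critical information systems, existing access control techniques under the cloud computing model are compared and an access control scheme based on two-level key management is proposed. The first level constructs an access control polynomial based on a one-way hash function to isolate information flows between subgroups, that is, to isolate information between departments within a production-type critical information system. On top of the first-level key management, hierarchical key management between subgroups is proposed to achieve access control over information flows between different departments. The security and complexity of the scheme are then analyzed. Finally, the access control scheme based on two-level key management is verified through an example and simulation experiments.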

13.
With the increasing popularity of cloud computing services, more and more cloud data centers are being constructed around the globe. This makes the power consumption of cloud data center elements a big challenge. Several software and hardware approaches have been proposed to handle this issue. However, this problem has not been optimally solved yet. In this paper, we propose online cloud resource management with live migration of virtual machines (VMs) to reduce power consumption. To do so, a prediction‐based and power‐aware virtual machine allocation algorithm is proposed. Also, we present a three‐tier framework for energy‐efficient resource management in cloud data centers. Experimental results indicate that the proposed solution reduces the power consumption; at the same time, service‐level agreement violation (SLAV) is also improved.

14.
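The emergence of cloud computing has brought a new revolution to the IT field, and this year is a very important year for the development of cloud computing. With the worldwide surge of research on cloud computing, major IT companies at home and abroad have successively launched their own cloud computing products. Without exception, these products deliver services to users over the network, which poses challenges to data security, reliability and the robustness of the cloud computing services themselves. As cloud computing is widely applied, traditional software architecture will also be challenged; in particular, the data service layer in the three-tier software architecture will change.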

15.
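Taking the current state of data security in cloud computing environments as its starting point, this paper discusses security protection techniques through a trusted cloud computing platform based on a virtualization architecture, a data backup strategy, and a partial data encryption scheme based on matrix scrambling. The results show that user data security has risen to 70% compared with before, and the increase in the security coefficient shows that the data security protection scheme studied in this paper is entirely feasible. In particular, once the trusted cloud computing platform based on a virtualization architecture has established the association between a user and a virtual machine, the virtual machine can be sealed using only a digital envelope; when the user accesses or uses resources, the digital envelope in the virtual machine is decrypted with the user's private key through PKI middleware, ensuring data integrity and security to the greatest extent.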

16.
Searchable encryption based on ciphertext‐policy attribute‐based encryption (CP‐ABE) is an effective scheme for enabling multiple users to search over encrypted data in a cloud storage environment. However, most of the existing search schemes lack privacy protection for the data owner and have a higher computation time cost. In this paper, we propose a multiuser access control searchable privacy‐preserving scheme in cloud storage. First, the data owner only encrypts the data file and sets the access control list of multiple users and multiple attributes for searching the data file. The computing operation, which generates the attribute keys of the users' access control and the keyword index, is given to a trusted third party to perform, reducing the computation time of the data owner. Second, using the CP‐ABE scheme, the trusted third party embeds the users' access control attributes into their attribute keys. Only when those embedded attributes satisfy the access control list can the ciphertext be decrypted accordingly. Finally, when the user searches for a data file, the keyword trapdoor is no longer generated by the user; it is handed to the proxy server to finish. Also, the ciphertext is predecrypted by the proxy server before the user performs decryption. In this way, the flaw of the client's limited computation resources can be solved. Security analysis results show that this scheme has data privacy, privacy of the search process, and resistance to collusion attacks, and experimental results demonstrate that the proposed scheme can effectively reduce the computation time of the data owner and the users.

17.
There is a good opportunity for enlightening the services of mobile devices by introducing computational offloading using cloud technology. Offloading is a process for managing the complexity of the mobile environment by migrating computational load to the cloud. Mobile devices oblige a quick response to offloading requests; it is dependent on network connectivity. Cloud services take a long set‐up time irrespective of network connectivity. In this paper, a new system architecture for dynamic task offloading in the mobile cloud environment is proposed. The architecture includes an offloading algorithm that concentrates on the energy consumption of tasks in both the local and remote environments. The proposed algorithm formulates a collective task execution model for minimizing the energy consumption. The architecture concentrates on the network model by considering the task completion time in three different network scenarios. The experimental results show the efficiency of the suggested architecture in reducing the energy consumption and completion time of the tasks.

18.
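This paper mainly describes the meaning of cloud computing technology and its application in computer data processing, including safeguarding data security and providing a platform for data processing. It also puts forward development strategies for cloud computing technology, including developing hybrid cloud computing and actively developing mobile cloud services. These methods are described to provide some reference for relevant technical personnel.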

19.
Cloud storage services require cost‐effective, scalable, and self‐managed secure data management functionality. Public cloud storage always enforces users to adopt the restricted generic security consideration provided by the cloud service provider. On the contrary, private cloud storage gives users the opportunity to configure a self‐managed and controlled authenticated data security model to control the accessing and sharing of data in a private cloud. However, this introduces several new challenges to data security. One critical issue is how to enable a secure, authenticated data storage model for data access with controlled data accessibility. In this paper, we propose an authenticated controlled data access and sharing scheme called ACDAS to address this issue. In our proposed scheme, we employ a biometric‐based authentication model for secure access to data storage and sharing. To provide flexible data sharing under the control of a data owner, we propose a variant of a proxy reencryption scheme where the cloud server uses a proxy reencryption key and the data owner generates a credential token during decryption to control the accessibility of the users. The security analysis shows that our proposed scheme is resistant to various attacks, including a stolen verifier attack, a replay attack, a password guessing attack, and a stolen mobile device attack. Further, our proposed scheme satisfies the considered security requirements of a data storage and sharing system. The experimental results demonstrate that ACDAS can achieve the security goals together with the practical efficiency of storage, computation, and communication compared with other related schemes.

20.
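To ensure the security of user data and privacy in cloud storage, an attribute-based, security-enhanced cloud storage access control scheme is proposed. By sharing a common attribute set, attribute-based encryption (ABE) is combined with the XACML framework, so that fine-grained attribute-based access control is realized on the XACML framework while ABE guarantees data confidentiality. Because ABE is inefficient when the data volume is large, the confidentiality of massive sensitive data in cloud storage is provided by a symmetric cryptosystem, and ABE is used only to protect the symmetric key, whose data volume is small. Experimental analysis shows that the scheme not only guarantees the confidentiality of user data and privacy but also outperforms other comparable systems.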
