基于PMI的安全匿名授权体系

权限管理设施(privilege management infrastructure,PMI),它为用户提供授权访问控制等方面的管理.针对匿名访问,提出了一种适用于Web/电子商务环境下的基于PMI的匿名授权体系,在此体系中采用匿名属性证书(AAC)授权链.用户完全信任PMI的属性权威AA,以单次授权密钥(OTAK)替换用户认证密钥来标识用户,并提供密钥匿名性撤销管理.     

Secure context-sensitive authorization

There is a recent trend toward rule-based authorization systems to achieve flexible security policies. Also, new sensing technologies in pervasive computing make it possible to define context-sensitive rules, such as “allow database access only to staff who are currently located in the main office”. However, these rules, or the facts that are needed to verify authority, often involve sensitive context information. This paper presents a secure context-sensitive authorization system that protects confidential information in facts or rules. Furthermore, our system allows multiple hosts in a distributed environment to perform the evaluation of an authorization query in a collaborative way; we do not need a universally trusted central host that maintains all the context information. The core of our approach is to decompose a proof for making an authorization decision into a set of sub-proofs produced on multiple different hosts, while preserving the integrity and confidentiality policies of the mutually untrusted principals operating these hosts. We prove the correctness of our algorithm.     

基于压缩策略的安全XML关键字查询

当含有敏感信息的XML文档在网络上传输或交换时,需要用户执行受限查询,如何提高查询效率,同时又保证敏感信息的安全一直是安全领域的研究热点。以带访问权限的实例信息树为主体,优先抽取主干信息策略,再反向作用于实例信息树存储特殊节点的压缩方法,为安全且高效的XML关键字查询奠定了基础,而且采用扩展的Dewey编码方式,为安全查询提供了方便。实验结果表明,这种基于压缩策略的安全查询方式减轻了存储负担,提高了查询效率。     

An encoding scheme based on fractional number for querying and updating XML data

In order to facilitate the XML query processing, several labeling schemes have been proposed to directly determine the structural relationships between two arbitrary XML nodes without accessing the original XML documents. However, the existing XML labeling schemes have to re-label the pre-existing nodes or re-calculate the label values when a new node is inserted into the XML document during an update process. In this paper, we devise a novel encoding scheme based on the fractional number to encode the labels of the XML nodes. Moreover, we propose a mapping method to convert our proposed fractional number based encoding scheme to bit string based encoding scheme with the intention to minimize the label size and save the storage space. By applying our proposed bit string encoding scheme to the range-based labeling scheme and the prefix labeling scheme, the process of re-labeling the pre-existing nodes can be avoided when nodes are inserted as leaf nodes and sibling nodes without affecting the order of XML nodes. In addition, we propose an algorithm to control the increment of label size when new nodes are inserted frequently at a fix place of an XML tree. Experimental results show that our proposed bit string encoding scheme provides efficient support to the process of XML updating without sacrificing the query performance when it is applied to the range-based labeling schemes.     

On querying simple conceptual graphs with negation

We consider basic conceptual graphs, namely simple conceptual graphs (SGs), which are equivalent to the existential conjunctive positive fragment of first-order logic. The fundamental problem, deduction, is performed by a graph homomorphism called projection. The existence of a projection from a SG Q to a SG G means that the knowledge represented by Q is deducible from the knowledge represented by G. In this framework, a knowledge base is composed of SGs representing facts and a query is itself a SG. We focus on the issue of querying SGs, which highlights another fundamental problem, namely query answering. Each projection from a query to a fact defines an answer to the query, with an answer being itself a SG. The query answering problem asks for all answers to a query.

This paper introduces atomic negation into this framework. Several understandings of negation are explored, which are all of interest in real world applications. In particular, we focus on situations where, in the context of incomplete knowledge, classical negation is not satisfactory because deduction can be proven but there is no answer to the query. We show that intuitionistic deduction captures the notion of an answer and can be solved by projection checking. Algorithms are provided for all studied problems. They are all based on projection. They can thus be combined to deal with several kinds of negation simultaneously. Relationships with problems on conjunctive queries in databases are recalled and extended. Finally, we point out that this discussion can be put in the context of semantic web databases.     

Adaptive relaxation for querying heterogeneous XML data sources

Searching XML data with a structured XML query can improve the precision of results compared with a keyword search. However, the structural heterogeneity of the large number of XML data sources makes it difficult to answer the structured query exactly. As such, query relaxation is necessary. Previous work on XML query relaxation poses the problem of unnecessary computation of a big number of unqualified relaxed queries. To address this issue, we propose an adaptive relaxation approach which relaxes a query against different data sources differently based on their conformed schemas. In this paper, we present a set of techniques that supports this approach, which includes schema-aware relaxation rules for relaxing a query adaptively, a weighted model for ranking relaxed queries, and algorithms for adaptive relaxation of a query and top-k query processing. We discuss results from a comprehensive set of experiments that show the effectiveness and the efficiency of our approach.     

Integrating and querying distributed XML data via XLink

XML instances are not necessarily self-contained but may have connections to remote XML data residing on other servers. In this paper, we show that—in spite of its minor support and use in the XML world—the XLink language provides a powerful mechanism for expressing such links both from the modeling point of view and for actually querying interlinked XML data: in our dbxlink approach, the links are not seen as explicit links (where the users must be aware of the links and traverse them explicitly in their queries), but define views that combine into a logical, transparent XML model which serves as an external schema and can be queried by XPath/XQuery. We motivate the underlying modeling and give a concise and declarative specification as an XML-to-XML mapping. We also describe the implementation of the model as an extension of the eXist [eXist: an Open Source Native XML Database, http://exist-db.org/] XML database system. The approach can be applied both for distribution of data and for integration of data from autonomous sources.     

Storing and querying fuzzy XML data in relational databases

Information imprecision and uncertainty exist in many real-world applications and for this reason fuzzy data management has been extensively investigated in various database management systems. Currently, introducing native support for XML data in relational database management systems (RDBMs) has attracted considerable interest with a view to leveraging the powerful and reliable data management services provided by RDBMs. Although there is a rich literature on XML-to-relational storage, none of the existing solutions satisfactorily addresses the problem of storing fuzzy XML data in RDBMs. In this paper, we study the methodology of storing and querying fuzzy XML data in relational databases. In particular, we present an edge-based approach to shred fuzzy XML data into relational data. The unique feature of our approach is that no schema information is required for our data storage. On this basis, we present a generic approach to translate path expression queries into SQL for processing XML queries.     

Indexing and querying XML using extended Dewey labeling scheme

Finding all the occurrences of a tree pattern in an XML database is a core operation for efficient evaluation of XML queries. The Dewey labeling scheme is commonly used to label an XML document to facilitate XML query processing by recording information on the path of an element. In order to improve the efficiency of XML tree pattern matching, we introduce a novel labeling scheme, called extended Dewey, which effectively extends the existing Dewey labeling scheme to combine the types and identifiers of elements in a label, and to avoid the scan of labels for internal query nodes to accelerate query processing (in I/O cost). Based on extended Dewey, we propose a series of holistic XML tree pattern matching algorithms. We first present TJFast to answer an XML twig pattern query. To efficiently answer a generalized XML tree pattern, we then propose GTJFast, an optimization that exploits the non-output nodes. In addition, we propose TJFastTL and GTJFastTL based on the tag + level data partition scheme to further reduce I/O costs by level pruning. Finally, we report our comprehensive experimental results to show that our set of XML tree pattern matching algorithms are superior to existing approaches in terms of the number of elements scanned, the size of intermediate results and query performance.     

Storing and querying XML data using denormalized relational databases

XML database systems emerge as a result of the acceptance of the XML data model. Recent works have followed the promising approach of building XML database management systems on underlying RDBMSs. Achieving query processing performance reduces to two questions: (i) How should the XML data be decomposed into data that are stored in the RDBMS? (ii) How should the XML query be translated into an efficient plan that sends one or more SQL queries to the underlying RDBMS and combines the data into the XML result? We provide a formal framework for XML Schema-driven decompositions, which encompasses the decompositions proposed in prior work and extends them with decompositions that employ denormalized tables and binary-coded XML fragments. We provide corresponding query processing algorithms that translate the XML query conditions into conditions on the relational tables and assemble the decomposed data into the XML query result. Our key performance focus is the response time for delivering the first results of a query. The most effective of the described decompositions have been implemented in XCacheDB, an XML DBMS built on top of a commercial RDBMS, which serves as our experimental basis. We present experiments and analysis that point to a class of decompositions, called inlined decompositions, that improve query performance for full results and first results, without significant increase in the size of the database.Received: 21 December 2001, Accepted: 1 July 2003, Published online: 23 June 2004Edited by: A. HalevyAndrey Balmin: Andrey Balmin has been supported by NSF IRI-9734548.Yannis Papakonstantinou: The authors built the XCacheDB system while on leave at Enosys Software, Inc., during 2000.     

基于BFS树的XML文档图结构相似性计算

可扩展链接语言将XML文档从树状结构扩展到图状结构,其结构相似性比较对文档查询、聚类意义重大.现存的比较XML树状结构相似性以及比较图结构相似性的方法忽视了文档结构特点,比较的结果与实际存在较大差异.基于BFS树的XML文档图结构相似性计算方法运用广度优先搜索算法找到最小代码树,重新定义了编辑距离的概念.比较结果表明,该方法更符合实际文档相似程度,因此在比较XML文档图结构相似性上有很大的可行性.     

安全访问控制的XML关键字检索

XML(extensive makeup language)的关键字检索简单易用,用户不必了解数据库的模式,受到人们的广泛关注。当前的相关研究主要集中于关键字检索的算法以及返回结果的组织和排序,却忽视了其中的安全性问题。结合XML关键字搜索和XML安全控制,研究了基于安全访问控制的XML关键字检索技术。在XML关键字的最小最低公共祖先(smallest lowest common ancestors,SLCA)和基于视图的安全访问控制规则的基础上,确定基于安全访问控制规则的XML关键字检索结果;建立基于安全视图的关键字索引,以及在此基础上的关键字检索算法。实验表明,为了满足安全访问控制规则,该算法虽然需要额外的时间开销但总体上是高效的。     

基于XML实现安全数据交换服务

针对目前日益增长的互联网环境下多应用协同工作的系统运行模式,本文基于XML技术,采用PKI安全体系并结合SOAP技术的运用,设计并实现了一种安全、灵活的数据交换机制,能够为多个业务应用系统协同工作提供统一、安全的数据交换服务。     

XML加密数据查询方法的研究与设计

充分利用XML数据库文档的结构特性,结合Dewey编码的编码原理,设计了一种数据服务（DAS）模式下的XML加密数据的查询算法（ILISA）。将树型结构上的数据检索变换为顺序链表的数据检索,应用插值搜索算法替代深度与广度优先遍历,带来了良好的时间复杂性。设计了一种XML索引表数据结构,使得检索空间大幅缩减。最后给出ILISA的复杂性描述,证明了该算法具有良好的效果。     

XML graphs in program analysis

XML graphs have shown to be a simple and effective formalism for representing sets of XML documents in program analysis. It has evolved through a six year period with variants tailored for a range of applications. We present a unified definition, outline the key properties including validation of XML graphs against different XML schema languages, and provide a software package that enables others to make use of these ideas. We also survey the use of XML graphs for program analysis with four very different languages: Xact (XML in Java), Java Servlets (Web application programming), XSugar (transformations between XML and non-XML data), and XSLT (stylesheets for transforming XML documents).     

基于RDF的XML安全推理控制

提出了一种新的基于RDF的XML安全推理控制方法,将文档节点封装为XML对象,通过XML对象和类型刻画节点之间的语义关系,极大地拓展了推理控制范围。将节点的授权转换为对象／类型的授权,解决了面向节点授权模型难以处理的聚合敏感问题,同时也简化了面向节点方式下的繁杂授权过程。     

可信数字内容安全认证与授权管理协议*

为了保护以文本、图像、音频、视频或软件等形式存在的数字内容的版权,提出了一个可信数字内容的安全认证与授权管理协议,该协议在基于PKI技术实现了数字实体、CA、数字内容提供商三者之间的安全认证以及认证失败时的安全控制机制的同时,又基于动态许可证技术实现了对同属于一个数字内容提供商的多个不同数字内容的授权、迁移与撤销,有效地解决了数字内容被非法复制和扩散的问题。     

Optimizing the execution of XSLT stylesheets for querying transformed XML data

We have to deal with different data formats whenever data formats evolve or data must be integrated from heterogeneous systems. These data when implemented in XML for data exchange cannot be shared freely among applications without data transformation. A common approach to solve this problem is to convert the entire XML data from their source format to the applications’ target formats using the transformations rules specified in XSLT stylesheets. However, in many cases, not all XML data are required to be transformed except for a smaller part described by a user’s query (application). In this paper, we present an approach that optimizes the execution time of an XSLT stylesheet for answering a given XPath query by modifying the XSLT stylesheet in such a way that it would (a) capture only the parts in the XML data that are relevant to the query and (b) process only those XSLT instructions that are relevant to the query. We prove the correctness of our optimization approach, analyze its complexity and present experimental results. The experimental results show that our approach performs the best in terms of execution time, especially when many cost-intensive XSLT instructions can be excluded in the XSLT stylesheet.     

基于XML应用集成安全模型设计

应用对称密码、非对称密码技术和组件思想构建安全组件,在安全组件的基础上构建保护Web数据传输的安全模型,这种安全模型具有易维护和易扩展的优点。在这种安全模型下通过XML能够构建平台独立的具有数据传输和存储安全的应用集成系统,该模型可用于解决基于Web服务的电子商务、电子政务等应用集成环境的安全问题。