Extracting trust information from security system of a service

The issue of trust is a research problem in emerging open environments, such as ubiquitous networks. Such environments are highly dynamic and they contain diverse number of services and autonomous entities. Entities in open environments have different security needs from services. Trust computations related to the security systems of services necessitate information that meets needs of each entity. Obtaining such information is a challenging issue for entities. In this paper, we propose a model for extracting trust information from the security system of a service based on the needs of an entity. We formally represent security policies and security systems to extract trust information according to needs of an entity. The formal representation ensures an entity to extract trust information about a security property of a service and trust information about whole security system of the service. The proposed model is applied to Dental Clinic Patient Service as a case study with two scenarios. The scenarios are analyzed experimentally with simulations. The experimental evaluation shows that the proposed model provides trust information related to the security system of a service based on the needs of an entity and it is applicable in emerging open environments.     

基于双向对齐与属性信息的跨语言实体对齐

实体对齐表示在不同的知识图谱中查找引用相同现实身份的实体。目前主流的基于图嵌入的实体对齐方法中的对齐实体通常具有相似的属性,有效利用属性信息可提升实体对齐效果,同时由于不同知识图谱之间的知识分布差异,仅考虑单个方向的对齐预测会导致预测结果出现偏差。针对上述问题,提出一种改进的跨语言实体对齐方法。利用融合属性信息的双向对齐图卷积网络模型,将前馈神经网络编码实体对应的属性信息与初始的实体嵌入相结合,得到联合属性信息的实体表示,并使用双向对齐机制实现跨语言的实体对齐预测。在3个跨语言数据集上的实验结果表明,该方法通过融合更多的知识图谱信息增强了实体表示能力,并且利用双向对齐机制缓解了数据分布差异问题,相比基于图嵌入的实体对齐方法整体性能更优。     

Security flaws in a recent RFID delegation protocol

Radio frequency identification (RFID) tag delegation enables a centralized back-end server to delegate the right to identify and authenticate a tag to specified readers. This should be used to mitigate the computational load on the server side and also to solve the issues in terms of latency and dependency on network connectivity. In this study, we describe a basic RFID delegation architecture and then under this model, we investigate the security of an RFID delegation protocol: Song Mitchell delegation (SMD), which is recently proposed by Song and Mitchell. We point out security flaws that have gone unnoticed in the design and present two attacks namely, a tag impersonation attack and a desynchronization attack against it. We also discover a subtle flaw by which a delegated entity can still keep its delegation rights after the expire of them—this infringes security policy of the scheme. More precisely, we show that the protocol will be still vulnerable to previously mentioned attacks, even if the back-end server ends the delegation right of a delegated reader and update the secrets of the delegated tags. To counteract such flaws, we improve the SMD protocol with a stateful variant so that it provides the claimed security properties.     

一种新的信息服务实体跨域认证模型

为解决基于身份的信息服务多信任域认证系统不能实现身份即时撤销的问题,提出了一种可撤销的身份签名方案。在SM9(国产标识密码)签名算法的基础上,引进一个安全仲裁来保管实体的部分私钥,通过终止安全仲裁给实体发送签名信令来撤销实体的签名能力,从而实现 身份 的即时撤销。在该方案的基础上,利用基于证书的公钥基础设施(PKI)与基于身份的密码体制(IBC)的组合应用优点,提出了一种新的信息服务实体跨域认证模型。该模型不仅具有灵活高效的认证特点,而且适合构建大规模信息服务实体的应用环境。同时,设计了一种跨域认证协议,实现了跨信任域的双向实体认证和密钥协商。分析结果表明,该协议具有较高的安全性及较少的通信量和计算量。     

基于实体画像增强网络的事件检测方法

事件检测任务旨在从非结构化的文本中自动识别并分类事件触发词。挖掘和表示实体的属性特征(即实体画像)有助于事件检测,其基本原理在于“实体本身的属性往往暗示了其参与的事件类型”(例如,“警察”往往参与“Arrest-Jail”类的事件)。现有研究已利用编码信息实现实体表示,并借此优化事件检测模型。然而,其表示学习过程仅仅纳入局部的句子级语境信息,使得实体画像的信息覆盖率偏低。为此,该文提出基于全局信息和实体交互信息的画像增强方法,其借助图注意力神经网络,不仅在文档级的语境范围内捕捉实体的高注意力背景信息,也同时纳入了局部相关实体的交互信息。特别地,该文开发了基于共现图的注意力遮蔽模型,用于降低噪声信息对实体表示学习过程的干扰。在此基础上,该文联合上述实体画像增强网络、BERT语义编码网络和GAT聚合网络,形成了总体的事件检测模型。该文在通用数据集ACE 2005上进行实验,结果表明实体画像增强方法能够进一步优化事件检测的性能,在触发词分类任务上的F₁值达到76.2%,较基线模型提升了2.2%。     

基于实体相似性的知识表示学习方法

知识表示学习旨在将知识图谱中的实体和关系表示成低维稠密实值向量,能有效缓解知识图谱的数据稀疏性和显著提升计算效率。然而,现有大多数知识表示学习方法仅将实体视为三元组的一个组成部分,没有考虑实体自身具有的特质,如实体相似性。为了加强嵌入向量的语义表达,提出基于实体相似性的表示学习方法SimE。该方法首先利用实体的结构邻域度量实体的相似性,再将实体的相似性和拉普拉斯特征映射结合作为基于三元组事实的表示学习方法的约束,形成联合表示。实验结果表明,该方法在链接预测和三元组分类等任务上与目前最好的方法性能接近。     

基于Web服务自动摘要系统的安全实现方案

在基于Web服务自动摘要系统的开发过程中,如何保障Web服务的安全是一个必须解决的难题。该文设计了一种利用SOAP消息头传递验证信息、基于会话的高效Web服务安全通信机制。实验证明,该安全通信方案满足了系统的安全需求。     

I'm Pc01002/SpringPeeper/ED288l.6; Who are You?

In considering identity management, the first issue is—What is identity? This is, of course, an issue that has plagued poets, philosophers, and playwrights for centuries. We're concerned with a more prosaic version of the question: How does an entity recognize another entity? This important question occurs when access to resources, such as health or financial records, services, or benefits, is limited to specific entities. The entity in question could be a person, a computer, or even a device with quite limited memory and computational power. In this issue of IEEE Security & Privacy—the first of what we suspect will be several special issues on identity management—we have chosen to focus on identity management in which the entity being identified is a person.     

工作流系统中基于角色层次的任务转授权模型

针对工作流系统中用户由于某些原因不能按时完成所分配任务的情况,提出了基于角色层次的任务转授权模型。在该模型中,将系统指派给角色的任务分为可转授权私有任务、不可转授权私有任务和公有任务。委托用户在转授权申请中不指定具体的受托用户,只在下级角色中指定选择受托用户的角色范围,由转授权服务器依据角色层次关系动态选择合法的用户作为受托用户执行被转授权的任务,克服了以往转授权模型中由委托用户指定受托用户时受托用户选择不当或者多步转授权的缺点。     

A formalized delegation model for multimedia social networks

In response to the issues of second-hand sharing and repeat delegation of the digital content in existing multimedia social networks, this paper proposed a novel formalized delegation model for multimedia social network. In accordance with this model, delegators can independently lay down delegation policies. Further, related delegation constraints and strategies were identified to solve delegation conflicts. When a conflict arises among several delegations, strategies could be used to solve the conflict. This delegation model can control the authorities and are delegated consistently until the authorization expires or is revoked. And also, the paper presented essential security policies that lead to revoking different authorities. A use case of real multimedia social network further verified the efficiency and effectiveness of the proposed model.     

Workflow-Based Authorization Service in the Grid

In a distributed environment, a specific right may be required while a task is controlled and processed. A user should delegate enough rights to a task for processing. Tasks cannot work correctly if delegated rights are insufficient, or security threats may occur if delegated rights are excessive. Restricted delegation is the step that delegates proper rights to a task, and that enables fine-grained authorization in the Grid. In this paper, we propose the WAS architecture as a method for supporting restricted delegation and rights management. In contrast to traditional architecture, the WAS architecture uses a workflow that describes the sequence of rights required for normal execution of a task. By using the workflow, the WAS architecture is able to check whether the task exercises allowed rights. The WAS architecture is implemented on Globus toolkit 2.0 and extended on Globus toolkit 3.0.     

Secure Internet management by delegation

The IETF Script management information base (MIB) integrates the management by delegation (MbD) model into the Internet management framework. This paper discusses the security aspects of the Script MIB concerning MIB access security and runtime security of delegated management functions. The paper shows how SNMPv3 security mechanisms have been utilized to protect the Script MIB from unauthorized access. A prototype implementation is presented using the Java virtual machine as a runtime system for delegated management functions. The prototype demonstrates how solutions to all security aspects can be integrated.     

Building toward Capability Specifications of Web Services Based on an Environment Ontology

Automated Web service discovery requires Web service capability specifications of a high precision. Semantic-based approaches are inherently more precise than conventional keyword-based approaches. This paper proposes to build capability specifications of Web services based on an environment ontology, the main concepts of which are the environment entities in a particular application domain and their interactions. For each environment entity, there is a tree-like hierarchical state machine modeling the effects that are to be achieved by the Web services on this environment entity. The proposed approach is based on the assumption that the Web service capability specifications, built on the effects of the Web services on the environment entities, are more accessible and observable. Algorithms for constructing the domain environment ontology and the matchmaking between the Web service capability specifications are presented to show how Web service discovery is supported. An example on travel service is given to illustrate this proposed approach.     

基于Transformer与技术词信息的知识产权实体识别方法

专利文本中包含了大量实体信息,通过命名实体识别可以从中抽取包含关键信息的知识产权实体信息,帮助研究人员更快了解专利内容。现有的命名实体提取方法难以充分利用专业词汇变化带来的词层面的语义信息。本文提出基于Transformer和技术词信息的知识产权实体提取方法,结合BERT语言方法提供精准的字向量表示,并在字向量生成过程中,加入利用字向量经迭代膨胀卷积网络提取的技术词信息,提高对知识产权实体的表征能力。最后使用引入相对位置编码的Transformer编码器,从字向量序列中学习文本的深层语义信息,并实现实体标签预测。在公开数据集和标注的专利数据集的实验结果表明,该方法提升了实体识别的准确性。     

Delegation with supervision

Delegation certificates (e.g. SPKI) support the decentralized management of access rights in organizations without the need for a centralized server to mediate every delegation operation. However, it does not allow the access rights to be delegated in a flexible way. For instance, a user cannot be granted the authorization to perform delegation of permission without granting himself/herself the authorization to exercise the associated permission at the same time. In this paper, we propose an improved delegation model, where the various users in a delegation chain may perform supervision on the delegate to exercise the delegated permission. We describe the way to support the model using SPKI as an example. Also, we describe how to support efficient authorization in delegation with supervision using proxy signature techniques.     

Applying biological principles to designs of network services

This paper describes application of key biological principles and mechanisms to the design of network services. In biological systems, an individual entity (e.g., a bee in a bee colony) follows a simple set of behavior policies (e.g., migration, replication, death), yet a group of entities (e.g., a bee colony) exhibits complex emergent behavior with useful properties such as scalability and adaptability. Analogous to the biological systems, in the biologically inspired networking architecture that we present in this paper, a group of autonomous agents that implement simple behavior policies collectively provide a network service. We believe if a network service is modeled after biological principles and mechanisms, the network service is able to meet key requirements such as scalability, adaptability, survivability, simplicity and autonomy. This paper discusses key biological principles that can be applied to the design of network services, and demonstrates through simulations how network services built based on biological principles evolve to improve service performance.     

Multi-level delegations with trust management in access control systems

Delegation is a mechanism that allows one agent to act on another’s privilege. It is important that the privileges should be delegated to a person who is trustworthy. In this paper, we propose a multi-level delegation model with trust management in access control systems. We organize the delegation tasks into three levels, Low, Medium, and High, according to the sensitivity of the information contained in the delegation tasks. It motivates us that the more sensitive the delegated task is, the more trustworthy the delegatee should be. In order to assess how trustworthy a delegatee is, we devise trust evaluation techniques to describe a delegatee’s trust history and also predict the future trend of trust. In our proposed delegation model, a delegatee with a higher trust level could be assigned with a higher level delegation task. Extensive experiments show that our proposed multi-level delegation model is effective in accurately predicting trust and avoiding sensitive information disclosure.     

CoGCN: Combining co‐attention with graph convolutional network for entity linking with knowledge graphs

Entity linking is a fundamental task in natural language processing. The task of entity linking with knowledge graphs aims at linking mentions in text to their correct entities in a knowledge graph like DBpedia or YAGO2. Most of existing methods rely on hand‐designed features to model the contexts of mentions and entities, which are sparse and hard to calibrate. In this paper, we present a neural model that first combines co‐attention mechanism with graph convolutional network for entity linking with knowledge graphs, which extracts features of mentions and entities from their contexts automatically. Specifically, given the context of a mention and one of its candidate entities' context, we introduce the co‐attention mechanism to learn the relatedness between the mention context and the candidate entity context, and build the mention representation in consideration of such relatedness. Moreover, we propose a context‐aware graph convolutional network for entity representation, which takes both the graph structure of the candidate entity and its relatedness with the mention context into consideration. Experimental results show that our model consistently outperforms the baseline methods on five widely used datasets.     

支持属性委托模型中委托撤销研究

支持属性的委托模型(ABDM)中,受托者必须同时满足委托先决条件(CR)和委托属性表达式(DAE)才能获得委托权限或角色.在该模型中,委托撤销完成将委托出去的权限收回到委托者处的工作.首先介绍了ABDM提出的两种新的撤销模式及其带来的多步委托中委托与撤销的优先级问题.然后详细讨论了委托与撤销的关系,对两种解决办法:"先来先响应"和"先撤销后委托"进行了分析,提出了两种方法的适应场合.