Similar literature
 Found 20 similar documents (search time: 46 ms)
1.
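P2P networks have no central control node, their peers are equal and autonomous, and the network is dynamic. These characteristics make enforcing access control very challenging, and traditional access control techniques do not adapt well to peer-to-peer environments. This paper first studies existing access control techniques for peer-to-peer environments. Then, building on role-based access control driven by a trust model, and addressing the problem that users for whom the trust model computes the same result cannot be told apart, it proposes trust- and attribute-based access control. Trust- and attribute-based access control introduces resource attributes and user attributes to describe resources and users respectively. It establishes user-role assignments according to user attributes, the value computed by the trust model, environment attributes and the authorization policy, and establishes role-permission assignments according to resource attributes and the authorization policy, thereby solving the problem in trust-model-based role access control.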

2.
Mobile cloud computing is a dynamic, virtually scalable and network-based computing environment where the mobile device acts as a thin client and applications run on remote cloud servers. The mobile cloud computing resources required by different users depend on their respective personalized applications. Therefore, efficient resource provisioning in mobile clouds is an important aspect that needs special attention in order to make mobile cloud computing a highly optimized entity. This paper proposes an adaptive model for efficient resource provisioning in mobile clouds by predicting and storing resource usages in a two-dimensional matrix termed the resource provisioning matrix. These resource provisioning matrices are further used by an independent authority to predict future required resources using an artificial neural network. The independent authority also checks and verifies the resource usage bill computed by the cloud service provider using the resource provisioning matrices. It provides cost computation reliability for mobile customers in the mobile cloud environment. The proposed model is implemented on Hadoop using three different applications. Results indicate that the proposed model provides better mobile cloud resource utilization and maintains quality of service for the mobile customer. The proposed model increases the battery life of the mobile device and decreases data usage cost for the mobile customer.

3.
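To improve data access and security monitoring capabilities for cloud storage in mobile network centers, a design method is proposed for an automatic security monitoring system for cloud storage data access in mobile network centers, based on deep learning and cross-compilation control. A fuzzy weighted clustering method for mixed-attribute data is used to design an optimized access control model for the cloud storage data. Discretized numerical attribute decomposition is performed according to the attribute similarity between cloud storage data items, the mixed-attribute feature quantities of the data are extracted, and security monitoring of data access is carried out with minimization of the cloud storage data access cost as the objective. Deep learning is combined for adaptive control of data access, and the automatic security monitoring system is developed in a cross-compilation environment. Test results show that data access using this method has good security and strong automated control capability.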

4.
Along with the rapid growth of heterogeneous cloud services and network technologies, an increasing number of mobile devices use cloud storage services to enlarge their capacity and share data in our daily lives. We commonly use cloud service client-side software in a straightforward fashion. However, when more devices and users participate in heterogeneous services, the difficulty of managing these services efficiently and conveniently increases. In this paper, we report a novel cloud-oriented file service, Wukong, which provides a user-friendly and highly available facilitative data access method for mobile devices in cloud settings. Wukong supports mobile applications, which may access local files only, transparently accessing cloud services with a relatively high performance. To the best of our knowledge, Wukong is the first file service that supports heterogeneous cloud services for mobile devices by using the innovative storage abstraction layer. We have implemented a prototype with several plugins and evaluated it in a systematic way. We find that this easily operable file service has a high usability and extensibility. It costs about 50 to 150 lines of code to implement a new backend service support plugin. Wukong achieves an acceptable throughput of 179.11 kB/s in an ADSL environment and 80.68 kB/s under a countryside EVDO 3G network with negligible overhead.

5.
Mobile systems, such as smartphones, are becoming the primary platform of choice for a user's computational needs. However, mobile devices still suffer from limited resources such as battery life and processor performance. To address these limitations, a popular approach used in mobile cloud computing is computation offloading, where resource-intensive mobile components are offloaded to more resourceful cloud servers. Prior studies in this area have focused on a form of offloading where only a single server is considered as the offloading site. Because there is now an environment where mobile devices can access multiple cloud providers, it is possible for mobiles to save more energy by offloading energy-intensive components to multiple cloud servers. The method proposed in this paper differentiates the data- and computation-intensive components of an application and performs a multisite offloading in a data- and process-centric manner. In this paper, we present a novel model to describe the energy consumption of a multisite application execution and use a discrete time Markov chain (DTMC) to model fading wireless mobile channels. We adopt a Markov decision process (MDP) framework to formulate the multisite partitioning problem as a delay-constrained, least-cost shortest path problem on a state transition graph. Our proposed Energy-efficient Multisite Offloading Policy (EMOP) algorithm, built on a value iteration algorithm (VIA), finds the efficient solution to the multisite partitioning problem. Numerical simulations show that our algorithm considers the different capabilities of sites to distribute appropriate components such that there is a lower energy cost for data transfer from the mobile to the cloud. A multisite offloading execution using our proposed EMOP algorithm achieved a greater reduction in the energy consumption of mobiles when compared to a single site offloading execution.

6.
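To facilitate management of resources in the cloud, a cloud computing environment is usually divided into logically independent security management domains, but once resources lose the protection of a physical boundary they are exposed to security risks. Access control is one of the key technologies for addressing this problem. Targeting the multi-domain nature of cloud computing environments, an access control model based on dynamic user trust (CT-ABAC) is proposed to reduce the impact of malicious recommendations from security domains and lower the number of accesses by malicious users. In the CT-ABAC model, an access request consists of subject attributes, object attributes, permission attributes, environment attributes and a user trust attribute. The model uses a dynamic fine-grained authorization mechanism that denies or permits the access according to the attribute set of the user's access request. The model also extends the user trust attribute and takes into account the influence of time, evaluation similarity between security domains, and a penalty mechanism on that attribute. Simulation results show that the CT-ABAC model effectively reduces malicious access by users and raises the successful access rate of trusted users.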

7.
To meet the challenges of consistent performance, low communication latency, and a high degree of user mobility, cloud and Telecom infrastructure vendors and operators foresee a Mobile Cloud Network that incorporates public cloud infrastructures with cloud augmented Telecom nodes in forthcoming mobile access networks. A Mobile Cloud Network is composed of distributed cost- and capacity-heterogeneous resources that host applications that in turn are subject to a spatially and quantitatively rapidly changing demand. Such an infrastructure requires a holistic management approach that ensures that the resident applications' performance requirements are met while sustainably supported by the underlying infrastructure. The contribution of this paper is three-fold. Firstly, this paper contributes a model that captures the cost- and capacity-heterogeneity of a Mobile Cloud Network infrastructure. The model bridges the Mobile Edge Computing and Distributed Cloud paradigms by modelling multiple tiers of resources across the network and serves not just mobile devices but any client beyond and within the network. A set of resource management challenges is presented based on this model. Secondly, an algorithm that holistically and optimally solves these challenges is proposed. The algorithm is formulated as an application placement method that incorporates aspects of network link capacity, desired user latency and user mobility, as well as data centre resource utilisation and server provisioning costs. Thirdly, to address scalability, a tractable locally optimal algorithm is presented. The evaluation demonstrates that the placement algorithm significantly improves latency and resource utilisation skewness while minimising the operational cost of the system. Additionally, the proposed model and evaluation method demonstrate the viability of dynamic resource management of the Mobile Cloud Network and the need for accommodating rapidly mobile demand in a holistic manner.

8.
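Based on an application example of a mobile office system in a government-sector 3G network and cloud computing environment, this paper focuses on the feasibility of building an information security platform founded on network communication, regional boundaries, the cloud computing environment and a security management and control center, so as to provide the mobile office system with a secure, stable, trusted, controllable and manageable mobile application environment,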

9.
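In recent years, the widespread use of cloud computing service platforms has increased researchers' reliance on mobile devices. Employees bringing their own devices (Bring Your Own Devices, BYOD) has become the main trend in mobile working. To address problems such as data leakage and malicious code in BYOD environments, a cross-platform security solution is proposed. The solution uses clientless network admission control to obtain endpoint attributes and, building on a vector representation, designs a dynamic numerical evaluation method for special attributes such as the CPU idle rate. The solution can therefore accurately assess the trustworthiness of mobile smart terminals entering the network, assigning each terminal to the trusted domain, the untrusted domain or the quarantine domain, so that the BYOD devices finally admitted to the network are in a trusted state and security at the network entry boundary is achieved. Experimental results show that the proposed solution performs better than existing solutions in evaluating the security state of mobile smart terminals and in preventing unauthorized access to data.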

10.
Grid and cloud computing systems have been extensively used to solve large and complex problems in science and engineering fields. These systems include powerful computing resources that are connected through high-speed networks. Due to the recent advances in mobile computing and networking technologies, it has become feasible to integrate various mobile devices, such as robots, aerial vehicles, sensors, and smart phones, with grid and cloud computing systems. This integration enables the design and development of the next generation of applications by sharing of resources in mobile environments and introduces several challenges due to a dynamic and unpredictable network. This paper discusses applications, research challenges involved in the design and development of mobile grid and cloud computing systems, and recent advances in the field.

11.
Power- and delay-aware cloud service provisioning to mobile devices has become a promising domain today. This paper proposes and implements a cooperative offloading approach for an indoor mobile cloud network. In the proposed work, mobile devices register under a femtolet, which is a home base station with computation and data storage facilities. The resources of the mobile devices are pooled in such a way that different mobile devices can execute different types of computations based on cooperative federation. The proposed offloading scheme is referred to as cooperative code offloading in a femtolet-based fog network. If none of the mobile devices can execute the requested computation, then the femtolet executes the computation. Use of the femtolet provides the mobile devices with voice call service as well as cloud service access. The femtolet is used as the fog device in our approach. The proposed model is simulated using Qualnet version 7. The simulation results demonstrate that the proposed scheme minimizes the energy by 15% and the average delay by up to 12%, approximately, compared with the existing scheme. Hence, the proposed model is referred to as a low power offloading approach.

12.
Recently, depression has become a widespread disease throughout the world. However, most people are not aware of the possibility of becoming depressed during their daily lives. Therefore, obtaining an accurate diagnosis of depression is an important issue in healthcare. In this study, we built an inference model based on an ontology and a Bayesian network to infer the possibility of becoming depressed, and we implemented a prototype using a mobile agent platform as a proof-of-concept in the mobile cloud. We developed an ontology model based on the terminology used to describe depression and we utilized a Bayesian network to infer the probability of becoming depressed. We also implemented the system using multi-agents to run on the Android platform, thereby demonstrating the feasibility of this method, and we addressed various implementation issues. The results showed that our method may be useful for inferring a diagnosis of depression.

13.
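A security model for elastic applications on resource-constrained devices is established based on cloud computing resources. The paper first introduces an elastic application composed of one or more Weblets. Each Weblet can be launched on the mobile device or in the cloud, and Weblets can migrate according to dynamic changes in their computing environment or to user configuration. The security of this model is analyzed, and a security design model for elastic applications is proposed, covering authentication between the mobile device and the cloud where Weblets run, secure session management, and access to services over external networks. The model solves the problems of secure migration between Weblets and of authorizing cloud Weblets to access sensitive user data over the external Web. The scheme can be applied in cloud computing scenarios, such as application integration between private and public clouds in enterprise environments.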

14.
In hybrid cloud computing, encrypted data access control can provide a fine-grained access method for organizations to enact policies closer to organizational policies. This paper presents an improved CP-ABE (ciphertext-policy attribute-based encryption) scheme to construct an encrypted data access control solution that is suitable for mobile users in a hybrid cloud system. In our improvement, we split the original decryption keys into a control key, a secret key and a set of transformation keys. The private cloud managed by the organization administrator takes charge of updating the transformation keys using the control key. It helps to handle the situation of flexible access management and attribute alteration. Meanwhile, the mobile user's single secret key remains unchanged, as does the ciphertext, even if the data user's attribute has been revoked. In addition, we modify the access control list by adding the attributes with the corresponding control key and transformation keys so as to manage user privileges depending upon the system version. Finally, the analysis shows that our scheme is secure, flexible and efficient enough to be applied in mobile hybrid cloud computing.

15.
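The application targets of cloud computing are not limited to PCs. With the rapid growth of the mobile Internet, cloud services for mobile terminals such as phones have become a sought-after new business model in the IT industry. This paper builds a mobile cloud computing environment on Openmobster and uses Android smartphones as terminals to access cloud server resources. With transaction processing of data transmission as the application background, and combining the C/S and B/S models, it establishes a basic architecture for information collection and processing on mobile smart terminals under cloud services, and on that architecture provides an initial implementation of tracking and positioning. Over a wireless network connection, using instant communication between the server and the phone client, the method provides cloud push and cloud sync services for Android smartphones.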

16.
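Task scheduling in e-government cloud centers has long been a complex problem. Most existing task scheduling methods rely on expert knowledge, generalize poorly and cannot handle dynamic cloud environments, which typically leads to lower resource utilization and degraded quality of service in the cloud center and to longer task completion times. To address this, a deep reinforcement learning scheduling method based on the actor-critic (A2C) algorithm is proposed. First, the actor network parameterizes the policy and selects a scheduling action according to the current system state, while the critic network scores the current system state. Then the actor policy network is updated by gradient ascent, using the critic network's score to compute how good the action was. Finally, simulation experiments are run on two real business datasets. The results show that, compared with the classic policy gradient algorithm and five heuristic task scheduling methods, the method improves resource utilization in the cloud data center, shortens the completion time of offline tasks, and adapts better to the dynamic e-government cloud environment.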

17.
Modern mobile devices, such as smartphones and tablets, have made many pervasive computing dreams come true. Still, many mobile applications do not perform well due to the shortage of resources for computation, data storage, network bandwidth, and battery capacity. While such applications can be re-designed with client-server models to benefit from cloud services, the users are no longer in full control of the application, which has become a serious concern for data security and privacy. In addition, the collaboration between a mobile device and a cloud server poses complex performance issues associated with the exchange of application state, synchronization of data, network condition, etc. In this work, a novel mobile cloud execution framework is proposed to execute mobile applications in a cloud-based virtualized execution environment controlled by mobile applications and users, with encryption and isolation to protect against eavesdropping from cloud providers. Under this framework, several efficient schemes have been developed to deal with technical issues for migrating applications and synchronizing data between execution environments. The communication issues are also addressed in the virtualization execution environment with a probabilistic communication Quality-of-Service (QoS) technique to support timely application migration.

18.
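郁宁, 王高才. 《计算机应用研究》 (Application Research of Computers), 2020, 37(11): 3406-3410, 3416
As a primary means of protecting information security, access control effectively ensures that users access network resources legitimately. With the development of the mobile Internet, security in multi-domain environments such as cross-domain and cross-system settings faces severe challenges. To meet the access requirements of multi-domain cloud computing environments, an access control model suited to such environments is proposed, based on role-based access control. The model uses Bayesian theory to derive an expected trust value for the requester and compares it with a preset access threshold to decide whether the user's access request is allowed. Access permissions change dynamically as the user's trustworthiness changes, which avoids the risk that a user who previously obtained a high trust value mounts a malicious attack after their trust level changes. Experimental results show that the proposed model not only reduces the volume of access requests from high-risk users but also meets the need for dynamic user authorization. The model can therefore effectively address security problems in multi-domain cloud computing environments.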

19.
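A TrustZone-based secure access scheme for cloud services on trusted mobile terminals   Total citations: 1, self-citations: 0, citations by others: 1
杨波, 冯登国, 秦宇, 张英骏. 《软件学报》 (Journal of Software), 2016, 27(6): 1366-1383
Trusted cloud architectures give cloud computing users a secure and trusted execution environment for cloud services, protecting the computation and storage of users' private data. Yet even with today's rapid growth of mobile cloud computing, there is still no secure solution for mobile terminals to access trusted cloud services. To address this, a secure access scheme for cloud services on trusted mobile terminals is proposed. The scheme takes full account of the mobile cloud computing setting: it uses ARM TrustZone hardware isolation to build a trusted mobile terminal that protects the secure execution of the cloud service client and of security-sensitive operations on the terminal and, combined with physical unclonable function technology, provides a mechanism for managing the terminal's keys and sensitive data. On this basis, drawing on ideas from trusted computing, a secure cloud service access protocol is designed. The protocol is compatible with trusted cloud architectures and provides end-to-end authentication between the cloud server and the mobile client. Six security properties of the scheme are analyzed, a mobile cloud storage application example based on the scheme is given, and a prototype system is implemented. Experimental results show that the TCB of the trusted mobile terminal is small, that the scheme has good scalability and security controllability, and that overall runtime efficiency is high.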

20.
The state-of-the-art research in vehicular network security does not address the need for low latency message access control in vehicular applications with tight connection time and message delay requirements. In existing security solutions, the major limitation is that there are no trust establishment mechanisms that adapt to rapidly changing scenarios and highly mobile environments (mainly because of key management delay, processing overhead, and changing communication peers). To address this issue, we present a policy management framework for secure data access control in vehicular networks. Our solution addresses two interrelated research areas to achieve efficiency and scalability for data access control and policy management in highly dynamic vehicular networks. The main contributions are two-fold: (a) efficient key management and group-based policy enforcement using attribute-based cryptography; and (b) a dynamic security policy management framework and methodology to manage credentials based on role, time, location and other situation-dependent attributes. Our solution utilizes an efficient attribute-based cryptography algorithm to achieve unprecedented speedups in message processing time to meet the real-time requirement. To demonstrate the effectiveness of our proposed solution, a systematic and comprehensive evaluation is produced to validate our proposed solution.
