Similar literature
Found 20 similar documents; search took 140 ms
1.
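A UCON application model based on roles and a rule engine   Total citations: 1, self-citations: 0, citations by others: 1
UCON is an attribute-based, next-generation access control model, but it is highly abstract and hard to apply directly. To address this, a UCON application model based on roles and a rule engine, UCON-ABRR, is proposed. By introducing role as an attribute, the model makes role-based user management easy to implement. It uses a rule engine to define access rules and enforce access control policies, which not only supports two important features of UCON, attribute mutability and continuity of the decision process, but also makes the model highly practical to operate. The model is general-purpose; applied to a cloud storage scenario, it achieved the expected access control results.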

2.
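Xie Weixing (谢卫星). 《微计算机信息》 (Microcomputer Information), 2012, (9): 255-256, 95
The role-based access control model does not specify how user-role assignment is to be implemented. An attribute-based mechanism for automatic user-role assignment can both achieve fine-grained automatic assignment of user roles and effectively reduce the cost of assigning roles to users. This paper describes in detail the model for automatic user-role assignment, assignment rules based on static attributes, assignment rules based on dynamic attribute constraints, and an implementation example of automatic role assignment in an open system.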

3.
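Implementing secure access control for portals with a rule-based RBAC model   Total citations: 10, self-citations: 4, citations by others: 6
Role-based access control (RBAC) is a secure and efficient access control mechanism, but it cannot meet a portal's need to change user roles dynamically as user characteristics change. Combining the ideas of the RBAC model with the needs of portals, a rule-based RBAC model is proposed: rules are added between users and roles, and dynamic user-role assignment is achieved by defining rule expressions, overcoming the shortcomings of the standard role-based access control model when applied to portals. The implementation of resource access control in a portal based on the rule-based RBAC model is discussed, effectively solving the problem of secure access control in portals.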

4.
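An improved role-based authorization delegation model   Total citations: 1, self-citations: 1, citations by others: 0
Delegation is a very important component of access control models and has become an important access control management mechanism in distributed computing environments. An improved role-based authorization delegation model is proposed. In this model, users are divided into roles not only on the basis of identity but also with regard to attributes such as the user's trust level and capability. Users are classified into attribute levels by combining multiple factors; different attribute levels correspond to different roles and therefore to different access permissions, thereby achieving access control over users. It is an attribute-based role authorization delegation model. Compared with traditional role delegation models that classify by identity, this model offers finer access control granularity and higher security.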

5.
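To meet the needs arising from the large growth in the number of users and the increasingly complex and diverse resource access policies in service-oriented environments, the development and limitations of related research in China and abroad are analyzed, and an attribute-based role access control model for multi-policy services is proposed. Based on the relationships between user attributes and resource attributes across the multiple policies, the model defines multiple groups of user roles, formulates corresponding rules, and assigns user roles, satisfying the need for diverse access policies, increasing the flexibility of system management, and improving system efficiency. An example analysis of the model is given, and the model is compared with related models from China and abroad.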

6.
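A priority-based XML authorization and access control model is proposed. The model consists of subjects, objects, authorization rules, an authorization rule tree, and an access control algorithm. Given the characteristics of XML, a subject can be either a role or a user. An object is the protected entity, which can be an XML Schema or any node in an XML instance. The priority of an authorization rule is determined by the weights of its three attributes, and the authorization rule tree reorganizes the authorization rules according to the structure of the XML document. Using authorization rule priorities and the authorization rule tree greatly simplifies the access control algorithm.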

7.
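This paper proposes an SOA-based attribute access control model. By introducing attributes into roles, the workload of creating and maintaining roles can be greatly reduced while achieving the same access control effect. In addition, by introducing rules, the model can support role attributes and can also support the need, found in workflow access control models, to perform access control according to context such as time, location, and system state.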

8.
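Trust- and attribute-based access control in P2P   Total citations: 2, self-citations: 2, citations by others: 0
P2P has no centralized control node, its nodes are peer and autonomous, and its network is dynamic. These characteristics pose great challenges for enforcing access control, and traditional access control techniques do not adapt well to peer-to-peer environments. Existing access control techniques for peer-to-peer environments are first studied. Then, building on role-based access control founded on a trust model, and addressing the problem that users for whom the trust model computes the same result cannot be distinguished, trust- and attribute-based access control is proposed. It introduces resource attributes and user attributes to describe resources and users respectively. It establishes user-role assignments from user attributes, the value computed by the trust model, environment attributes, and the authorization policy, and establishes role-permission assignments from resource attributes and the authorization policy, thereby solving the problems of role-based access control founded on a trust model.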

9.
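This paper focuses on automatic user-role assignment in the role-based access control model and gives a formal description of it. The paper discusses the automatic user-role assignment model, the attribute-expression rule set, and common categories of constraints. Finally, an implementation of automatic user-role assignment in an electronic bookstore system is given.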

10.
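A CSP model for attribute-based access control   Total citations: 1, self-citations: 0, citations by others: 1
An attribute-based access control model is proposed from the perspective of usability. First, related concepts such as attributes and attribute terms are introduced; on this basis, a formal model of access control rules is built as a constraint satisfaction problem. Second, it is proved that, given the value domains of the attribute terms, positive rules and negative rules can be converted into each other, which leads to the concept of a consistent policy; formal models of consistent policies are given according to the permit-takes-precedence and deny-takes-precedence rule combination algorithms respectively, and the set of access operations a policy permits is studied. Finally, the expressive power of the attribute-based access control model is illustrated with examples.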

11.
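A role-based approach to distributed dynamic service composition   Total citations: 14, self-citations: 0, citations by others: 14
Liu Bixin (刘必欣), Wang Yufeng (王玉峰), Jia Yan (贾焰), Wu Quanyuan (吴泉源). 《软件学报》 (Journal of Software), 2005, 16(11): 1859-1867
Service composition is an important technology for agile cross-organizational application integration in open environments. Many studies use a centralized service composition engine to manage the execution of composite services, which has limitations in system scalability, message transmission efficiency, and autonomy. To address these problems of the centralized architecture, a role-based approach to distributed dynamic service composition is proposed: the global process model of a composite service is partitioned to produce a local process model for each role, so that the control logic and execution load of the composite service can be distributed across multiple nodes on a peer basis. The algorithm for generating local process models and the deployment and execution mechanisms are discussed. Simulation results show that, compared with the centralized architecture, the approach supports large-scale concurrent access and the transmission of large-volume messages more effectively, and helps improve the scalability of composite services.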

12.
Security Considerations for a Distributed Location Service   Total citations: 3, self-citations: 0, citations by others: 3
Mobile computing, wireless communications, and cheap location tracking and navigation systems have made location data a valuable and available commodity for many different kinds of computing applications. However, there are fears that this new wealth of personal location information will lead to new security risks, to the invasion of the privacy of people and organizations. In this paper, we discuss security requirements faced by a location service in different organizational contexts. We argue that fine-grained access control requires a symbolic location model over which access control is specified. We outline the salient features of a location service supporting such a location model. The two main classical security models, Lampson's access matrix and Bell-LaPadula's security labels, are analyzed with view to their application to location information. We argue that those schemes need to be generalized to deal with multiple targets in order to be applicable to location information. Based on the generalized models, we propose a concrete security model for location information which protects both personal and organizational privacy. We have implemented this model over a prototype implementation of a general location service.

13.
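To prevent illegitimate members from entering the community and legitimate members from making unauthorized use of the knowledge community's knowledge resources, a comprehensive access control model for virtual knowledge communities is constructed, consisting of user qualifications, community knowledge resources, and a comprehensive control policy. Drawing on the idea of attribute-based access control, models of user qualifications and community knowledge resources are built from aspects including user role, overall user reputation, the amount of knowledge currency a user holds, knowledge unit price, knowledge transaction volume, and knowledge satisfaction. Based on these models, decision tables are used to express the comprehensive access control policy of the virtual knowledge community. A comparison of results on a case study shows that the comprehensive access control model is feasible and the policy is effective.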

14.
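To support multiple service registries and facilitate the recording and mining of service access logs, a P2P-based distributed service execution mining framework is proposed. To meet the need for cross-organizational business association, the framework is used to build a service registry federation mechanism, and a log-repository-based Web service association rule mining algorithm is designed to mine frequent sequences of composite services. Simulation results show that the algorithm can effectively mine execution and interaction information from the log repository and improve the efficiency of service selection and composition.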

15.
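In Web service composition, external sub-services usually define access control policies to ensure that resources are used securely, and composition scripts also contain complex logical control structures. These two factors make it very complicated for security administrators to describe the access control policy of a composite service. A condition-based access control policy model and a policy composition algebra based on that model are proposed. Common control structures in the WS-BPEL language are mapped to policy composition expressions, and the access control policy of the composite service is generated by composing the access control policies of the external sub-services. Finally, a prototype system is designed to describe the policy composition workflow.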

16.
There are many security issues in cloud computing service environments, including virtualization, distributed big-data processing, serviceability, traffic management, application security, access control, authentication, and cryptography, among others. In particular, data access using various resources requires an authentication and access control model for integrated management and control in cloud computing environments. Cloud computing services are differentiated according to security policies because of differences in the permitted access right between service providers and users. RBAC (Role-based access control) and C-RBAC (Context-aware RBAC) models do not suggest effective and practical solutions for managers and users based on dynamic access control methods, suggesting a need for a new model of dynamic access control that can address the limitations of cloud computing characteristics. This paper proposes Onto-ACM (ontology-based access control model), a semantic analysis model that can address the difference in the permitted access control between service providers and users. The proposed model is a model of intelligent context-aware access for proactively applying the access level of resource access based on ontology reasoning and semantic analysis method.

17.
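Providing bus passengers with high-quality Internet service lets them enjoy entertainment or even work during their journey, greatly improving their quality of life. On this basis, a MAC protocol for wireless bus vehicular networks, BusMAC, is proposed to support Internet access for bus passengers. The protocol is based on an improved bus vehicular network architecture and can greatly reduce the large number of access collisions caused by multiple users on a bus initiating access at the same time. BusMAC is based on a superframe structure and, combined with a dynamic contention mechanism and a piggybacking mechanism, can greatly reduce the communication bottleneck of the bus network. The performance of BusMAC is analyzed by building a request contention access model and a data scheduling access model. Extensive simulation results show that BusMAC achieves very good performance compared with traditional architectures and protocols and is better suited to bus communication. Experiments under real mobility scenarios demonstrate the protocol's feasibility for deployment in real systems.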

18.
M-services provide mobile users wireless access to Web services. In this paper, we present a novel infrastructure for supporting M-services in wireless broadcast systems. The proposed infrastructure provides a generic framework for mobile users to look up, access, and execute Web services over wireless broadcast channels. Access efficiency is an important issue in wireless broadcast systems. We discuss different semantics that have impact on the access efficiency for composite M-services. A multiprocess workflow is proposed for effectively accessing composite M-services from multiple broadcast channels based on these semantics. We also present and compare different broadcast channel organizations for M-services and wireless data. Analytical models are provided for these channel organizations. Practical studies are presented to demonstrate the impact of different semantics and channel organizations on the access efficiency.

19.
Smart manufacturing is undergoing rapid development along with many disruptive technologies, such as Internet of Things, cyber-physical system and cloud computing. A myriad of heterogeneous manufacturing services can be dynamically perceived, connected and interoperated to satisfy various customized demands. In smart manufacturing, the market equilibrium is variable over time due to changes in demand and supply. Thus, efficient manufacturing service allocation (MSA) is critical to implementation of smart manufacturing. This paper considers the MSA problem under market dynamics with maximization of utility of customers and service providers. Many conventional methods generally allocate manufacturing services to the customers by multi-objective optimization without considering the impact of interactions between customers and service providers. This paper presents a multi-attribute negotiation mechanism to address the MSA problem under time constraints relying on autonomous agents. The proposed negotiation mechanism is composed of two models: an atomic manufacturing service negotiation model and a composite manufacturing service coordination. The former model is based on automated negotiation to seek an atomic manufacturing service over multiple attributes for an individual subtask. The latter model incorporates the global distribution and surplus redistribution to coordinate and control multiple atomic manufacturing service negotiations for the whole manufacturing task. Numerical studies are employed to verify the effectiveness of the multi-attribute negotiation mechanism in solving the MSA problem. The results show that the proposed negotiation mechanism can address the MSA problem and surplus redistribution can effectively improve the success rate of negotiations.

20.
More and more software systems based on web services have been developed. Web service development techniques are thus becoming crucial. To ensure secure information access, access control should be taken into consideration when developing web services. This paper proposes an extended XACML model named EXACML to ensure secure information access for web services. It is based on the technique of information flow control. Primary features offered by the model are: (1) both the information of requesters and that of web services are protected, (2) the access control of web services is more precise than just “allow or reject” policy in existing models, and (3) the model will deny non-secure information access during the execution of a web service even when a requester is allowed to invoke the web service.
