Similar literature
Found 20 similar documents; search took 875 ms
1.
The global view of firewall policy conflict is important for administrators to optimize the policy. Appropriate global conflict analysis of firewall policy has been lacking; existing methods focus on local conflict detection. We research the global conflict detection algorithm in this paper. We presented a semantic model that captures more complete classifications of the policy using the knowledge concept in rough set. Based on this model, we presented the global conflict formal model and represented it with OBDD (Ordered Binary Decision Diagram). Then we developed the GFPCDA (Global Firewall Policy Conflict Detection Algorithm) algorithm to detect global conflict. In experiments, we evaluated the usability of our semantic model by eliminating the false positives and false negatives, caused by an incomplete policy semantic model, of a classical algorithm. We compared this algorithm with the GFPCDA algorithm. The results show that GFPCDA detects conflicts more precisely and independently, and has better performance.

2.
Managing complex heterogeneous computer and telecommunication systems is challenging. One promising management concept for such systems is policy based management. However, it is common to interpret policies strictly and resort to centralized decisions to resolve policy conflicts. Centralization is undesirable from a dependability point of view. Swarm intelligence based on sets of autonomous “ant-like” mobile agents, where control is distributed among the agents, has been applied to several challenging optimization and tradeoff problems with great success. This paper introduces and demonstrates how a set of such ant-like mobile agents can be designed to find near optimal solutions for the implementation of a set of potentially conflicting policies. Solutions are found in a truly distributed manner, hence an overall more dependable/robust system is obtained. The enforcement of the policies is soft in the sense that it is probabilistic and yields a kind of “best effort” implementation. To demonstrate the feasibility of the overall concept, a case study is presented where ant-like mobile agents are designed to implement load distribution and conflict free back-up policies.

3.
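To improve the efficiency of XACML policy evaluation engines in distributed environments, a new XACML policy evaluation engine, HPEngine, is proposed. The engine uses a statistical-analysis-based policy optimization mechanism to refine policies dynamically and converts the refined policies from textual form to numerical form; it also uses a statistical-analysis-based multi-level caching mechanism to store frequently invoked request-result pairs, attributes, and policy information. Simulation results show that the statistical-analysis-based multi-level optimization mechanism adopted by HPEngine reduces policy size, lowers the communication overhead between the engine and other functional components, reduces the amount of matching computation, and increases matching speed; its overall evaluation performance is better than that of other comparable systems.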

4.
Currently, interoperability and scalability are two major challenging issues for cloud computing. Forming a dynamic collaboration (DC) platform among cloud providers (CPs) can help to better address these issues. A DC platform can facilitate expense reduction, avoiding adverse business impacts and offering collaborative or portable cloud services to consumers. However, there are two major challenges involved in this undertaking; one is to find an appropriate market model to enable a DC platform, and the other one is to minimize conflicts among CPs that may occur in a market-oriented DC platform. In this paper, we present a novel combinatorial auction (CA)-based cloud market (CACM) model that enables a DC platform in CPs. To minimize conflicts among CPs, a new auction policy is proposed that allows a CP to dynamically collaborate with suitable partner CPs to form groups and publishes their group bids as a single bid to compete in the auction. However, identifying a suitable combination of CP partners to form the group and reduce conflicts is an NP-hard problem. Hence, we propose a promising multi-objective (MO) optimization model for partner selection using individual information and past collaborative relationship information, which is seldom considered. A multi-objective genetic algorithm (MOGA) called MOGA-IC is proposed to solve the MO optimization problem. This algorithm is developed using two popular MOGAs, the non-dominated sorting genetic algorithm (NSGA-II) and the strength Pareto evolutionary genetic algorithm (SPEA2). The experimental results show that MOGA-IC with NSGA-II outperformed the MOGA-IC with SPEA2 in identifying useful Pareto-optimal solution sets. Other simulation experiments were conducted to verify the effectiveness of the MOGA-IC in terms of satisfactory partner selection and conflict minimization in the CACM model. In addition, the performance of the CACM model was compared to the existing CA model in terms of economic efficiency.

5.
Smart spaces represent an emerging new paradigm that encompasses diverse active research areas such as ubiquitous, grid and cloud computing. Hence, there are a wide variety of interesting issues and applications for smart spaces, and surveillance is one issue that has long received much attention. In many cases, human motion is one of the most important clues used in assessing a situation for surveillance purposes. In this paper, we propose a new human abnormality detection scheme for surveillance purposes. More specifically, we first present a motion sequence matching algorithm called Dynamic View Warping to represent specific motion characteristics. Secondly, we propose a matching speed-up technique called Dynamic Group Warping that establishes boundaries in Dynamic View Warping. Thirdly, we propose an indexing scheme for motion sequences and present a K-NN search algorithm to efficiently and effectively find similar motion sequences. Our extensive experiments show that our proposed methods achieve outstanding performance.

6.
In mobile cloud computing (MCC) systems, both the mobile access network and the cloud computing network are heterogeneous, implying the diverse configurations of hardware, software, architecture, resource, etc. In such heterogeneous mobile cloud (HMC) networks, both radio and cloud resources could become the system bottleneck, thus designing the schemes that separately and independently manage the resources may severely hinder the system performance. In this paper, we aim to design the network as the integration of the mobile access part and the cloud computing part, utilizing the inherent heterogeneity to meet the diverse quality of service (QoS) requirements of tenants. Furthermore, we propose a novel cross-network radio and cloud resource management scheme for HMC networks, which is QoS-aware, with the objective of maximizing the tenant revenue while satisfying the QoS requirements. The proposed scheme is formulated as a restless bandits problem, whose "indexability" feature guarantees the low complexity with scalable and distributed characteristics. Extensive simulation results are presented to demonstrate the significant performance improvement of the proposed scheme compared to the existing ones.

7.
The Telecommunications Act of 1996 was supposed to usher in a new era of competition in U.S. telecommunications markets in which advanced services were made available to all consumers. In this article, we discuss how policies designed to promote competition, investment, and universal deployment may conflict with each other. We do not believe that these conflicts are the inevitable consequences of conflicts between the objectives; we do, however, believe that there are inescapable conflicts between the specific policies being implemented in pursuit of these objectives.

8.
Searchable encryption scheme‐based ciphertext‐policy attribute‐based encryption (CP‐ABE) is an effective scheme for providing multiuser to search over the encrypted data on cloud storage environment. However, most of the existing search schemes lack the privacy protection of the data owner and have higher computation time cost. In this paper, we propose a multiuser access control searchable privacy‐preserving scheme in cloud storage. First, the data owner only encrypts the data file and sets the access control list of multiuser and multiattribute for search data file. And the computing operation, which generates the attribute keys of the users' access control and the keyword index, is given to a trusted third party to perform for reducing the computation time of the data owner. Second, using the CP‐ABE scheme, the trusted third party embeds the users' access control attributes into their attribute keys. Only when those embedded attributes satisfy the access control list can the ciphertext be decrypted accordingly. Finally, when the user searches data file, the keyword trap door is no longer generated by the user, and it is handed to the proxy server to finish. Also, the ciphertext is predecrypted by the proxy server before the user performs decryption. In this way, the flaw of the client's limited computation resource can be solved. Security analysis results show that this scheme has the data privacy, the privacy of the search process, and the collusion‐resistance attack, and experimental results demonstrate that the proposed scheme can effectively reduce the computation time of the data owner and the users.

9.
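To detect all conflicts in a firewall policy and avoid introducing new conflicts when fixing existing ones, this paper detects conflicts by segmenting the rules. Conflict detection consists of three parts: firewall policy segmentation, analysis and computation over the segmentation results, and conflict domain extraction. In addition, to analyze the conflicting rules and the causes of the conflicts, the paper uses a grid-based visualization method to present the relationships among firewall rules and between rules and conflict domains. This technique improves the efficiency and accuracy with which administrators discover, analyze, and modify policy conflicts, and experiments verify the effectiveness of the method.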

10.
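Software-defined networking (SDN) offers a new solution for the management requirements of future network services. Using dynamic service function chains as the service function orchestration model and a high-level network programming language as the service function deployment tool, and combining these with virtual network mapping, a deployment scheme from service to policy and from controller to network node is designed. Based on the three-layer SDN architecture, a dynamic policy management system is proposed. The system can adjust network policies according to network state feedback, performs conflict detection on the network policies at the same node, and selects a composition method according to the conflict type, which effectively avoids network policy conflicts and achieves adaptive deployment of network services. Finally, experiments verify the complete deployment process of the dynamic policy management system from service to policy.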

11.
Cloud storage technique has become increasingly significant in cloud service platform. Before choosing to outsource sensitive data to the cloud server, most cloud users need to encrypt the important data ahead of time. Recently, the research on how to efficiently retrieve the encrypted data stored in the cloud server has become a hot research topic. Public-key searchable encryption, as a good candidate method, which enables a cloud server to search on a collection of encrypted data with a trapdoor from a receiver, has attracted more researchers’ attention. In this paper, we propose the first efficient lattice-based public-key searchable encryption with a designated cloud server, which can resist quantum computers attack. In our scheme, we designate a unique cloud server to test and return the search results, thus can remove the secure channel between the cloud server and the receiver. We have proved that our scheme can achieve ciphertext indistinguishability under the hardness of learning with errors, and can achieve trapdoor security in the random oracle model. Moreover, our scheme is secure against off-line keyword guessing attacks from outside adversary.

12.
More and more applications in the Internet are requiring an intelligent service infrastructure to provide customized services. In this paper, we present an infrastructure, which can transparently and effectively provide customized active‐services to end users and dynamically adapt to changing customized policies in large distributed heterogeneous environments. The infrastructure consists of two components: the policy agent and middleware box. Particularly, our technologies include: (1) Generic active‐service based infrastructure, where the policy agent can integrate policies requested by applications, and middleware boxes can transparently execute services and (2) Distributed policy processing in the middleware box. We study two policy partitioning schemes to achieve conflict‐free policies for distributed policy processing and guarantee the correctness of the policy execution. We conduct extensive performance evaluations on different schemes proposed. Our experimental results demonstrate that our policy partitioning schemes can effectively generate partition‐capable and conflict‐free policy sets. The evaluation results also show that distributed policy processing can achieve over 70% increase in performance/price ratio with proper assignment of the policy distribution degree compared to a purely centralized approach. Copyright © 2005 John Wiley & Sons, Ltd.

13.
Personal cloud computing is an emerging trend in the computer industry. For a sustainable service, cloud computing services must control user access. The essential business characteristics of cloud computing are payment status and service level agreement. This work proposes a novel access control method for personal cloud service business. The proposed method sets metadata, policy analysis rules, and access denying rules. Metadata define the structure of access control policies and user requirements for cloud services. The policy analysis rules are used to compare conflicts and redundancies between access control policies. The access denying rules apply policies for inhibiting inappropriate access. The ontology is a theoretical foundation of this method. In this work, ontologies for payment status, access permission, service level, and the cloud provide semantic information needed to execute rules. A scenario of personal data backup cloud service is also provided in this work. This work potentially provides cloud service providers with a convenient method of controlling user access according to changeable business and marketing strategies.

14.
Cloud storage has become a trend of storage in the modern age. The cloud‐based electronic health record (EHR) system has brought great convenience for health care. When a user visits a doctor for a treatment, the doctor may need to access the history health records generated at other medical institutions. Thus, we present a secure EHR searching scheme based on conjunctive keyword search with proxy re‐encryption to realize data sharing between different medical institutions. Firstly, we propose a framework for health data sharing among multiple medical institutions based on cloud storage. We explore the public key encryption with conjunctive keyword search to encrypt the original data and store it in the cloud. It ensures data security with searchability. Furthermore, we adopt the identity‐based access control mechanism and proxy re‐encryption scheme to guarantee the legitimacy of access and the privacy of the original data. Generally speaking, our work can achieve authentication, keyword privacy, and privacy preservation. Moreover, the performance evaluation shows that the scheme can achieve high computational efficiency.

15.
Management of today's distributed systems is becoming increasingly complex. There is an obvious requirement for a flexible mechanism to help manage such systems. Rule-based management is one such mechanism. However, in order for rule-based management to become widely usable a method is required by which conflicts between management policies (defined as rules) can be identified and resolved. This paper creates a set theoretic model for rules as a trituple of the relationship between the subject, action and target of a policy. It also identifies two classes of policy set — 'syntactically easy policy set' (SEPS) and 'syntactically non-easy policy set' (SNEPS). SEPSs are policies which are sets of all the Cartesian products of its subjects, actions and targets, whereas SNEPSs are only a subset of that Cartesian product. Conflict analysis of SEPSs has been handled in other papers; this paper addresses conflict analysis of SNEPSs. A method for resolving conflict is suggested. The paper also raises some issues that arise when considering a database of policies.

16.
In next generation wireless network (NGWN) where multiple radio access technologies (RAT) co‐exist, a joint call admission control (JCAC) algorithm is needed to make a RAT selection decision for each arriving call. RAT selection policy has a significant effect on the overall new call blocking probability in the network. We propose a heuristic RAT selection policy to minimize new call blocking probability in NGWN. The proposed JCAC scheme measures the arrival rate of each class of calls in the heterogeneous wireless network. Based on the measured values of the arrival rates and using linear programming technique, the JCAC scheme determines the RAT selection policy that minimizes overall call blocking probability in the heterogeneous wireless network. Using Markov decision process, we develop an analytical model for the JCAC scheme, and derive new call blocking probability, handoff call dropping probability (HCDP), and call incompletion probability (CIP). Performance of the proposed scheme is compared with the performance of other JCAC scheme. Simulation results show that the proposed scheme reduces new call blocking probability, HCDP, and CIP in the heterogeneous wireless network. Copyright © 2009 John Wiley & Sons, Ltd.

17.
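A QoS-based concurrent scheduling algorithm for transactional workflows   Cited by: 1 (self-citations: 0; cited by others: 1)
Cascading aborts caused by concurrency conflicts degrade system performance. A QoS-based transactional workflow scheduling algorithm is proposed. The algorithm meets the needs of heterogeneous environments, supports a QoS-based delayed-scheduling optimization strategy and a SAFE-set expansion optimization strategy, and can adjust scheduling decisions according to QoS parameters, reducing cascading aborts while guaranteeing the concurrency correctness of complex transactional workflows in distributed heterogeneous environments. It is proved that the algorithm causes neither circular waiting nor starvation and guarantees the serializability and recoverability of schedules. Performance simulation shows that the algorithm is suitable for concurrent scheduling of long-running transactional workflows and effectively reduces cascading aborts, thereby reducing the resulting performance loss.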

18.
潘理  柳宁  訾小超 《中国通信》2013,10(3):67-75
The rapid increase in resource sharing across domains in the cloud computing environment makes the task of managing inter-domain access control policy integration difficult for the security administrators. Although a number of policy integration and security analysis mechanisms have been developed, few focus on enabling the average administrator by providing an intuitive cognitive sense about the integrated policies, which considerably undermines the usability factor. In this paper we propose a visualization framework for inter-domain access control policy integration, which integrates Role Based Access Control (RBAC) policies on the basis of role-mapping and then visualizes the integrated result. The role mapping algorithm in the framework considers the hybrid role hierarchy. It can not only satisfy the security constraints of non-cyclic inheritance and separation of duty but also make visualization easier. The framework uses role-permission trees and semantic substrates to visualize the integrated policies. Through the interactive policy query visualization, the average administrator can gain an intuitive understanding of the policy integration result.

19.
The Internet of Things (IoT) supports many users and context‐aware applications controlling heterogeneous IoT devices. This differs from traditional networks, in which a single entity manages each device. Thus, new access control models must be created in order to support more responsive, scalable, secure, and autonomous management. This article presents an attribute‐based access control model, which applies conflict resolution and access delegation in a multiuser and multiapplication environment. With scalability in mind, we propose the caching of access permissions, as well as a split policy processing model in which the devices with enough computational power perform part of the processing. The proposed model was implemented as part of the ManIoT architecture and evaluated in experiments on a testbed to demonstrate its efficiency. Results show that our model accelerates the processing of access management policies from 51% by up to 79%.

20.
An efficient cryptography mechanism should enforce an access control policy over the encrypted data to provide flexible, fine‐grained, and secure data access control for secure sharing of data in cloud storage. To make a secure cloud data sharing solution, we propose a ciphertext‐policy attribute‐based proxy re‐encryption scheme. In the proposed scheme, we design an efficient fine‐grained revocation mechanism, which enables not only efficient attribute‐level revocation but also efficient policy‐level revocation to achieve backward secrecy and forward secrecy. Moreover, we use a multiauthority key attribute center in the key generation phase to overcome the single‐point performance bottleneck problem and the key escrow problem. By formal security analysis, we illustrate that our proposed scheme achieves confidentiality, secure key distribution, multiple collusions resistance, and policy‐ or attribute‐revocation security. By comprehensive performance and implementation analysis, we illustrate that our proposed scheme improves the practical efficiency of storage, computation cost, and communication cost compared to the other related schemes.
