An approach to domain-based scalable context management architecture in pervasive environments

In pervasive environments, context management systems are expected to administrate large volume of contextual information that is captured from spatial to nonspatial elements. Research in context-aware computing produced a number of middleware systems for context management to intermediate the communications between applications and context providers. In particular, in pervasive environments, the design of distributed storage, retrieval and propagation mechanisms of context information across domains is vital. In this paper, we propose a domain-based approach to address the requirements of scalable distributed context management, cross-domain efficient context information dissemination and domain-based privacy policy enforcement. We propose infinitum, a middleware architecture that incorporates the management and communication benefits of the Google Wave Federation Protocol, while also taking advantage of the semantic and inference benefits of ontology-based context models. This architecture establishes a robust cross-domain scalable context management and collaboration framework, which has been implemented and evaluated in a real-life application of “SMART University” to support virtual team collaboration.     

A secure collaboration service for dynamic virtual organizations

Nowadays, various promising paradigms of distributed computing over the Internet, such as Grids, P2P and Clouds, have emerged for resource sharing and collaboration. To enable resources sharing and collaboration across different domains in an open computing environment, virtual organizations (VOs) often need to be established dynamically. However, the dynamic and autonomous characteristics of participating domains pose great challenges to the security of virtual organizations. In this paper, we propose a secure collaboration service, called PEACE-VO, for dynamic virtual organizations management. The federation approach based on role mapping has extensively been used to build virtual organizations over multiple domains. However, there is a serious issue of potential policy conflicts with this approach, which brings a security threat to the participating domains. To address this issue, we first depict concepts of implicit conflicts and explicit conflicts that may exist in virtual organization collaboration policies. Then, we propose a fully distributed algorithm to detect potential policy conflicts. With this algorithm participating domains do not have to disclose their full local privacy policies, and is able to withhold malicious internal attacks. Finally, we present the system architecture of PEACE-VO and design two protocols for VO management and authorization. PEACE-VO services and protocols have successfully been implemented in the CROWN test bed. Comprehensive experimental study demonstrates that our approach is scalable and efficient.     

一个通用的分布式访问控制决策中间件

将各种安全功能从上层应用中抽象出来形成一种通用和标准的安全服务,可以简化应用开发的复杂性和增强安全功能的可重用性。论文设计并实现了一个基于XACML的通用分布式访问控制决策中间件UDACD（Universal Distributed Access Control Decision）,对分布式环境下的访问控制决策过程进行了封装,对外面向各种应用提供通用的决策服务。UDACD支持多种访问控制策略类型和跨管理域的匿名资源访问控制;实现了对策略的缓存和对用户安全属性的两级缓存,显著加快了决策速度。UDACD可以帮助简化策略管理,并提供跨应用的一致策略实施。     

EXAM: a comprehensive environment for the analysis of access control policies

Policy integration and inter-operation is often a crucial requirement when parties with different access control policies need to participate in collaborative applications and coalitions. Such requirement is even more difficult to address for dynamic large-scale collaborations, in which the number of access control policies to analyze and compare can be quite large. An important step in policy integration and inter-operation is to analyze the similarity of policies. Policy similarity can sometimes also be a pre-condition for establishing a collaboration, in that a party may enter a collaboration with another party only if the policies enforced by the other party match or are very close to its own policies. Existing approaches to the problem of analyzing and comparing access control policies are very limited, in that they only deal with some special cases. By recognizing that a suitable approach to the policy analysis and comparison requires combining different approaches, we propose in this paper a comprehensive environment—EXAM. The environment supports various types of analysis query, which we categorize in the paper. A key component of such environment, on which we focus in the paper, is the policy analyzer able to perform several types of analysis. Specifically, our policy analyzer combines the advantages of existing MTBDD-based and SAT-solver-based techniques. Our experimental results, also reported in the paper, demonstrate the efficiency of our analyzer.     

Web服务访问控制策略研究

Web服务环境中,交互实体通常位于不同安全域,具有不可预见性。Web服务应该基于其他与领域无关的信息而非身份来实施访问控制,以实现对跨域未知用户的访问授权。为此,提出了适应于Web服务的基于上下文的访问控制策略模型。模型的核心思想是将各种与访问控制有关的信息统一抽象表示为一个上下文概念,以上下文为中心来制定和执行访问控制策略,上下文担当了类似基于角色的访问控制(RBAC)中角色的概念。基于描述逻辑语言(DL),定义了基于上下文的访问控制策略公理,建立了访问控制策略知识库,提出了访问控制策略的逻辑推理方法。最后基于Racer推理系统,通过实验验证了方法的可行性和有效性。     

PaaSword: A Holistic Data Privacy and Security by Design Framework for Cloud Services

Enterprises increasingly recognize the compelling economic and operational benefits from virtualizing and pooling IT resources in the cloud. Nevertheless, the significant and valuable transformation of organizations that adopt cloud computing is accompanied by a number of security threats that should be considered. In this paper, we outline significant security challenges presented when migrating to a cloud environment and propose PaaSword – a novel holistic framework that aspires to alleviate these challenges. Specifically, the proposed framework involves a context-aware security model, the necessary policies enforcement mechanism along with a physical distribution, encryption and query middleware.     

一种跨域网络资源的安全互操作模型

网络资源需要在安全策略控制下共享与互操作。针对多异构安全域域间资源互操作的安全问题,提出了一种基于RBAC安全策略的跨域网络资源的安全互操作模型。首先引入域间角色的概念,并定义跨域资源共享访问的要求;其次在跨域操作准则的基础上,提出异构域间资源安全互操作模型和访问算法;最后以实例场境对模型和算法进行了应用分析。结果表明,该方法针对性强,权限控制有效,为实现多域资源共享和互操作的安全保障提供了一种可行的途径。     

Cross-domain action recognition via collective matrix factorization with graph Laplacian regularization

This paper investigates the problem of cross-domain action recognition. Specifically, we present a cross-domain action recognition framework by utilizing some labeled data from other data sets as the auxiliary source domain. It is a challenging task as data from different domains may have different feature distribution. To map data from different domains into the same abstract space and boost the action recognition performance, we propose a method named collective matrix factorization with graph Laplacian regularization (CMFGLR). Our approach is built upon the technique of collective matrix factorization, which simultaneously learns a common latent space, linear projection matrices for obtaining semantic representations, and an optimal linear classifier. Moreover, we explore the label consistency across different domain and the local geometric consistency in each domain and obtain a graph Laplacian regularization term to enhance the discrimination of learned features. Experimental results verify that CMFGLR significantly outperforms several state-of-the-art methods.     

跨领域文本情感分类研究进展

作为社会媒体文本情感分析的重要研究课题之一，跨领域文本情感分类旨在利用源领域资源或模型迁移地服务于目标领域的文本情感分类任务，其可以有效缓解目标领域中带标签数据不足问题.本文从三个角度对跨领域文本情感分类方法行了归纳总结：（1）按照目标领域中是否有带标签数据，可分为直推式和归纳式情感迁移方法；（2）按照不同情感适应性策略，可分为实例迁移方法、特征迁移方法、模型迁移方法、基于词典的方法、联合情感主题方法以及图模型方法等；（3）按照可用源领域个数，可分为单源和多源跨领域文本情感分类方法.此外，论文还介绍了深度迁移学习方法及其在跨领域文本情感分类的最新应用成果.最后，论文围绕跨领域文本情感分类面临的关键技术问题，对可能的突破方向进行了展望.     

基于信任度属性的访问控制策略合成

运用代数系统来形式化的描述、推理和演算跨域环境下基于属性的访问控制策略合成,是解决策略冲突和合成的有效途径。通过引入由上下文环境及时间衰减性动态判决的信任度属性,增加信任度投票算子,并将属性授权项扩展为由主体属性、客体属性、环境属性、信任度属性、操作属性构成的五元组,提出了基于信任度属性的策略合成代数系统。通过四个安全域中的策略合成实例分析,详细阐述了利用信任度属性值实时监控访问请求主体在授权后访问行为的安全性,并展示了策略合成更强的描述能力、灵活性和安全性。最后使用现有的策略合成表达式的代数性质来验证策略合成的结果。     

Domain structure-based transfer learning for cross-domain word representation

Cross-domain word representation aims to learn high-quality semantic representations in an under-resourced domain by leveraging information in a resourceful domain. However, most existing methods mainly transfer the semantics of common words across domains, ignoring the semantic relations among domain-specific words. In this paper, we propose a domain structure-based transfer learning method to learn cross-domain representations by leveraging the relations among domain-specific words. To accomplish this, we first construct a semantic graph to capture the latent domain structure using domain-specific co-occurrence information. Then, in the domain adaptation process, beyond domain alignment, we employ Laplacian Eigenmaps to ensure the domain structure is consistently distributed in the learned embedding space. As such, the learned cross-domain word representations not only capture shared semantics across domains, but also maintain the latent domain structure. We performed extensive experiments on two tasks, namely sentiment analysis and query expansion. The experiment results show the effectiveness of our method for tasks in under-resourced domains.     

Policy-Based Management for Federation of Virtualized Infrastructures

This paper presents Policy-based Federation (PBF) architecture for interworked Future Internet Virtualized Infrastructures (VIs). Each VI is an individually managed autonomous domain. Users may request slices of virtual resources across the federation, managed and controlled via inter-domain policies that abide by agreed upon federated SLAs. The key component of our PBF architecture is a Policy Service, which provides support for intra-domain policies (Obligation, Authorization, Role-Based Access Control) and for inter-domain Delegation policies. Delegation policies reserve resources in remote domains, update the number of resources exchanged, set alien domain obligations for cross-domain resource provisioning and define the exchange of internal domain information through the execution of remote semantic queries. Key to the architecture is the PBF Policy Ontology that specifies common federation concepts within the context of a user slice and the PBF services that trigger management actions. A prototype of the proposed architecture was developed and deployed in a European Future Internet federated testbed.     

Secure Collaboration in a Mediator-Free Distributed Environment

The internet and related technologies have made multidomain collaborations a reality. Collaboration enables domains to effectively share resources; however it introduces several security and privacy challenges. Managing security in the absence of a central mediator is even more challenging. In this paper, we propose a distributed secure interoperability framework for mediator-free collaboration environments. We introduce the idea of secure access paths which enables domains to make localized access control decisions without having global view of the collaboration. We also present a path authentication technique for proving path authenticity. Furthermore, we present an on-demand path discovery algorithms that enable domains to securely discover paths in the collaboration environment. We implemented a simulation of our proposed framework and ran experiments to investigate the effect of several design parameters on our proposed access path discovery algorithm.     

网格环境中基于浮动License的软件资源共享

传统基于License的管理系统可在局域网范围内实现一定的软件共享,但无法适用于开放、异构和动态的网格环境。本文提出一种基于浮动License机制的新型全局软件共享系统LicTraveler,在不改变原有License使用机制的前提下实现License的全局管理和跨域共享。两层体系结构可同时提供自治局部License服务和协同全局License服务;Litennse的预留与配额策略、布局与调度策略为用户提供了灵活性和健壮性。实验表明,LicTraveler能够有效降低软件的重复投资,可将License的使用效率提升50％以上。     

An empirical study on the effect of data sparsity and data overlap on cross domain collaborative filtering performance

In the present day, the oversaturation of data has complicated the process of finding information from a data source. Recommender systems aim to alleviate this problem in various domains by actively suggesting selective information to potential users based on their personal preferences. Amongst these approaches, collaborative filtering based recommenders (CF recommenders), which make use of users’ implicit and explicit ratings for items, are widely regarded as the most successful type of recommender system. However, CF recommenders are sensitive to issues caused by data sparsity, where users rate very few items, or items receive very few ratings from users, meaning there is not enough data to give a recommendation. The majority of studies have attempted to solve these issues by focusing on developing new algorithms within a single domain. Recently, cross-domain recommenders that use multiple domain datasets have attracted increasing attention amongst the research community. Cross-domain recommenders assume that users who express their preferences in one domain (called the target domain) will also express their preferences in another domain (called the source domain), and that these additional preferences will improve precision and recall of recommendations to the user. The purpose of this study is to investigate the effects of various data sparsity and data overlap issues on the performance of cross-domain CF recommenders, using various aggregation functions. In this study, several different cross-domain recommenders were created by collecting three datasets from three separate domains of a large Korean fashion company and combining them with different algorithms and different aggregation approaches. The cross-recommenders that used high performance, high overlap domains showed significant improvement of precision and recall of recommendation when the recommendation scores of individual domains were combined using the summation aggregation function. However, the cross-recommenders that used low performance, low overlap domains showed little or no performance improvement in all areas. This result implies that the use of cross-domain recommenders do not guarantee performance improvement, rather that it is necessary to consider relevant factors carefully to achieve performance improvement when using cross-domain recommenders.     

Access control and trust in the use of widely distributed services

OASIS is a role‐based access control (RBAC) architecture for achieving secure interoperation of independently managed services in an open, distributed environment. OASIS differs from other RBAC schemes in a number of ways: role management is decentralized, roles are parametrized, roles are activated within sessions and privileges are not delegated. OASIS depends on an active middleware platform to notify services of any relevant changes in their environment. Services define roles and establish formally specified policy for role activation and service use (authorization); users must present the required credentials and satisfy specified constraints in order to activate a role or invoke a service. The membership rule of a role indicates which of the role activation conditions must remain true while the role is active. A role is deactivated immediately if any of the conditions of the membership rule associated with its activation become false. OASIS introduces the notion of appointment, whereby being active in certain roles carries the privilege of issuing appointment certificates to other users. Appointment certificates capture the notion of long‐lived credentials such as academic and professional qualification or membership of an organization. The role activation conditions of a service may include appointment certificates, prerequisite roles and environmental constraints. The role activation and authorization policies of services within an administrative domain need not embody role hierarchies nor enforce privilege delegation. But OASIS is sufficiently flexible to capture such notions, through prerequisite roles and appointments, if they are required within an application domain. We define the model and architecture and discuss engineering details, including security issues. We illustrate how an OASIS session can span multiple domains and we propose a minimal infrastructure to enable widely distributed, independently developed services to enter into agreements to respect each other's credentials. In a multi‐domain system access control policy may come from multiple sources and must be expressed, enforced and managed. In order to respond to changing relationships between organizations it should be easy to allow role holders in one domain to obtain privileges in another. Our approach to policy and meta‐policy management is described. We speculate on a further extension to mutually unknown, and therefore untrusted, parties. Each party will accumulate audit certificates which embody its interaction history and which may form the basis of a web of trust. Copyright © 2003 John Wiley & Sons, Ltd.     

Weakly-Supervised Cross-Domain Dictionary Learning for Visual Recognition

We address the visual categorization problem and present a method that utilizes weakly labeled data from other visual domains as the auxiliary source data for enhancing the original learning system. The proposed method aims to expand the intra-class diversity of original training data through the collaboration with the source data. In order to bring the original target domain data and the auxiliary source domain data into the same feature space, we introduce a weakly-supervised cross-domain dictionary learning method, which learns a reconstructive, discriminative and domain-adaptive dictionary pair and the corresponding classifier parameters without using any prior information. Such a method operates at a high level, and it can be applied to different cross-domain applications. To build up the auxiliary domain data, we manually collect images from Web pages, and select human actions of specific categories from a different dataset. The proposed method is evaluated for human action recognition, image classification and event recognition tasks on the UCF YouTube dataset, the Caltech101/256 datasets and the Kodak dataset, respectively, achieving outstanding results.     

A review and framework of laser-based collaboration support

New technologies are emerging to enable and support physical, implicit and explicit collaborations. They are essential for dealing with increasingly complex systems in unstructured, dynamic environments. The purpose of this article is to review the role of laser technology in enabling better, more precise interactions and their control, and to identify opportunities and challenges in this area. While the most common applications of laser technology are found in medical and health care, manufacturing, and communication, other domains such as safety, quality assurance, agriculture, construction, entertainment, defense, transportation, and law enforcement also benefit from it. In spite of the rapid dissemination of this technology, its role in support of collaboration and discovery is still in its infancy. Research activities concerning new ways of using lasers as a collaboration supporting technology that may strengthen new areas have been relatively limited. Nevertheless, the translation to this domain of collaboration support has been recognized as vital for activities that demand increasingly more coordinated effort among interacting agents (e.g., humans, machines, particles) and digital, possibly also photonic agents. Recent advances in laser technology in a number of application domains are reviewed in this article, focusing primarily on lasers’ role for supporting different forms of precision interactions and collaboration. In addition, a framework with five collaboration support functions and five collaboration dimensions is defined for this review. The taxonomy framework is useful for enabling better understanding of the existing and emerging opportunities that laser-based technology offers for collaboration support, its advantages and several research gaps.     

基于多对多生成对抗网络的非对称跨域迁移行人再识别

无监督跨域迁移学习是行人再识别中一个非常重要的任务. 给定一个有标注的源域和一个没有标注的目标域, 无监督跨域迁移的关键点在于尽可能地把源域的知识迁移到目标域. 然而, 目前的跨域迁移方法忽略了域内各视角分布的差异性, 导致迁移效果不好. 针对这个缺陷, 本文提出了一个基于多视角的非对称跨域迁移学习的新问题. 为了实现这种非对称跨域迁移, 提出了一种基于多对多生成对抗网络(Many-to-many generative adversarial network, M2M-GAN)的迁移方法. 该方法嵌入了指定的源域视角标记和目标域视角标记作为引导信息, 并增加了视角分类器用于鉴别不同的视角分布, 从而使模型能自动针对不同的源域视角和目标域视角组合采取不同的迁移方式. 在行人再识别基准数据集Market1501、DukeMTMC-reID和MSMT17上, 实验验证了本文的方法能有效提升迁移效果, 达到更高的无监督跨域行人再识别准确率.