Similar literature
Found 20 similar documents; search took 46 ms
1.
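An extended role-based access control model, ERBAC, is proposed to address the shortcomings of RBAC in multi-domain cloud systems with respect to resource-usage constraints, policy management and interoperation security. First, by introducing a container element and two kinds of role cardinality constraints, a resource-usage policy based on container elements plus dynamic role cardinality constraints is constructed. Second, multi-domain role inheritance management is studied in depth: inter-domain policy management functions that detect conflicts before establishing role relationships are proposed, and detection algorithms for the various kinds of security policy conflicts are given. Analysis shows that the ERBAC model implements resource-usage constraints, supports efficient security policy management and improves the security of cross-domain interoperation, and performance tests show that the model is adaptable and feasible in multi-domain cloud systems.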

2.
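How to bring together security management tools that each govern their own area, and integrate them into a network management platform, is one of the questions in forming a comprehensive and effective security management solution. This paper proposes a design for an open, integrated security management platform on which all security products that support the SNMP network management protocol can be integrated, establishing a unified, interoperable environment. The platform has already implemented integrated management for several security products.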

3.
The emerging Liquid-Sensing Enterprise (LSE) concept provides manufacturing industrial networks with the required enablers to seamlessly interoperate and sustain their interoperability along the operational life cycle. Actually, the actual domain of enterprise information systems interoperability prospects the need for a new paradigm able to manage the network dynamics, facilitating adaptation along the lifecycle of an enterprise and the LSE network. The theory of complex systems provides a set of heuristics that can be applied to support the formalization of the LSE industrial network and its dynamics, demonstrating how they can be enabled and at the same time controlled to keep the overall level of interoperability stable. Hence, today there is technology suitable to implement such systems, capable to realize the LSE real, digital and virtual worlds. However, isolated, this technology cannot deliver the requirements for a self-sustainable LSE network. The authors propose a novel metaphor from complexity as a framework to model and implement the mechanism for sustaining interoperability in such networked environments. They identify the motivations for sustaining interoperability of networked liquid-sensing enterprises, having complex and adaptive systems as a vehicle to model and understand the relationships between enterprises and enterprise information systems in networked environments. Then, existing technology such as model-driven interoperability, agent-based or service oriented architectures, and knowledge management, is proposed to detail the conceptual solution for the sustainability of interoperability. An instantiation of the concept proposed is presented, which details the prototypal application elaborated in a real manufacturing scenario, implemented and validated during the European Project Factories of the Future IMAGINE.

4.
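A Survey of CORBA Security   Total citations: 5, self-citations: 0, citations by others: 5
1 Features of the CORBA specification. The Common Object Request Broker Architecture (CORBA) is a distributed object processing standard formulated by the Object Management Group (OMG) under its Object Management Architecture (OMA) framework, with the Object Request Broker (ORB) at its core. It defines the mechanism by which objects transparently send requests and receive responses through the ORB, ensuring interoperability between objects in distributed heterogeneous environments. OMG is an international organization with more than 800 members (including IBM, HP, SUN and DEC). The structure of the OMA reference model is as in Figure 1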

5.
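To address shortcomings in current inter-domain secure interoperation, such as the identity recognition and rule conflict problems that arise when users of control domains with different granularity interoperate securely, a role-based secure interoperation model, RBSIM, is proposed. The model introduces roles to separate user permissions and simplify management, and performs a second role-permission assignment so that the system can control user behaviour at fine granularity. The model also resolves problems such as rule constraints and granularity conflicts between security domains. Users apply for access to resources by sending requests, and are assigned roles and granted permissions through certificate authentication. Introducing roles makes management convenient and at the same time fully resolves the conflict between coarse-grained and fine-grained control.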

6.
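Association Optimization for Dynamic Role Translation   Total citations: 2, self-citations: 0, citations by others: 2
Secure interoperation among multiple administrative domains is an important research topic. The IRBAC2000 model performs dynamic role translation through associations, thereby achieving secure interoperation between two administrative domains. Associations are the most important component of the IRBAC2000 model and have a major impact on the security and efficiency of dynamic role translation. Managing the associations in the IRBAC2000 model properly is therefore very important. The paper first analyses the problems facing association management: first, conflicting associations, which lead to security vulnerabilities; second, redundant associations, which reduce the efficiency of dynamic role translation and complicate management. It then discusses methods for solving these problems, thereby optimizing association management.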

7.
Abstract

Semantic Web technology is able to provide the required computational semantics for interoperability of learning resources across different Learning Management Systems (LMS) and Learning Object Repositories (LOR). The EU research project LUISA (Learning Content Management System Using Innovative Semantic Web Services Architecture) addresses the development of a reference semantic architecture for the major challenges in the search, interchange, and delivery of learning objects in a service-oriented context. One of the key issues, highlighted in this paper, is Digital Rights Management (DRM) interoperability. A Semantic Web approach to copyright management has been followed, which places a Copyright Ontology as the key component for interoperability among existing DRM systems and other licensing schemes like Creative Commons. Moreover, Semantic Web tools like reasoners, rule engines and semantic queries facilitate the implementation of an interoperable copyright management component in the LUISA architecture.

8.
Urban traffic control systems have based their technological infrastructure both on advanced analog close-circuit television systems (CCTV) and point-to-point links, providing difficult-to-scale and very expensive systems. The main goal of an urban traffic monitoring system is to capture, send, play and distribute video information from the streets of a certain city to a management centre where it is processed by different services. Current digitalization process of video networks, and the research carried out in the field of streaming media, has led vendors to present proprietary hardware and software solutions resulting in a strong dependency by their customers. This work presents an open urban traffic control system based in commercial off-the-shelf (COTS) philosophy for hardware and software components, as well as open source and standardized protocols. The existence of open standards for video encoding and protocols for streaming media transmission over IP networks has led to the proposal of such a system. The proposed system is a suitable solution in terms of scalability, cost, interoperability and performance for traffic control systems. Furthermore, its architecture can be easily adapted to other video applications and tools like command and control, surveillance or security systems for military and civilian applications.

9.
The Data Exchange for Visualizing Security Events (DEViSE) is an open-source architecture designed to enable data sharing between security visualization tools. The security visualization market currently lacks interoperability between different applications, which tend to be constrained to certain log formats. DEViSE is a middleware layer that manages these interactions so one visualization tool can transfer security-related information to another application. DEViSE uses XML for all communication purposes. This allows a much greater level of freedom for application integration. To demonstrate DEViSE, the authors have created several security visualization tools that adhere to different visualization paradigms.

10.
Interoperability is the ability of systems to provide services to and accept services from other systems, and to use the services exchanged so as to operate together in a more effective manner. The fact that interoperability can be improved means that the metrics for measuring interoperability can be defined. For the purpose of measuring the interoperability between systems, an interoperability assessment model is required. This paper deals with the existing interoperability assessment models. A comparative analysis among these models is provided to evaluate the similarities and differences in their philosophy and implementation. The analysis yields a set of recommendations for any party that is open to the idea of creating or improving an interoperability assessment model.

11.
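An Integrated Scheme for Trusted Mobile Computing and Digital Rights Management   Total citations: 1, self-citations: 0, citations by others: 1
Media on handheld terminals currently suffers from copyright infringement, unauthorized use and illegal distribution over mobile networks. This paper analyses the shortcomings, and the potential security risks that remain, when the digital rights management technology specified by the Open Mobile Alliance is used to solve these problems. It proposes a more secure digital rights management mode built on a trusted mobile computing platform, which strengthens the security of the latest specification's architecture and improves the system's interactivity and compatibility. Theoretical analysis and experimental results show that a terminal system built with this strategy of combining the two has good robustness.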

12.
An Architecture for Building Scalable, Web-Based Management Services   Total citations: 3, self-citations: 0, citations by others: 3
We present the architecture of Marvel, a distributed computing environment for building scalable management services using intelligent agents and the world-wide web. Marvel is based on an information model that generates computed views of management information and a distributed computing model that makes these views available to a variety of client applications. Computed views consist of monitoring, control and event views of information collected from network elements and subsequently aggregated using a series of spatial and temporal filters. Marvel does not replace existing element management agents but rather builds on top of them a hierarchy of servers that generate computed views and present them to client applications in a number of formats, including Java-enriched web pages. It uses a distributed persistent store to reduce the cost associated with centralized network management systems and mobile agent technology to: (a) support thin clients by uploading the necessary code to access Marvel services; and (b) extend its functionality dynamically by downloading code that incorporates new objects and services. A prototype implementation in Java is presented together with results from its first application on a residential broadband access system using cable modems.

13.
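Security architecture integrates research from the two fields of software architecture and information security, and languages based on process algebra are well suited to describing a range of important properties of software architectures built from concurrently interacting components. A process-algebra-based description language is used to model each constituent element of the structure and the overall topological configuration separately, forming a secure software architecture.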

14.
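CORBA-Based Distributed Access Control   Total citations: 6, self-citations: 0, citations by others: 6
With the development of network applications, applications' demands on security management are gradually increasing. Because the ultimate goal of security management is the secure use of resources, access control has become the core issue in security protocols. Role-based access control (RBAC) is currently attracting growing attention because it meets the needs of a wide range of commercial and government applications. On the other hand, because heterogeneous environments exist and interoperation is required across them, CORBA, with its broad support, has become the recognized standard among middleware specifications. Building on the analysis in [6], this paper describes CORBA's convenient support for RBAC. However, role management in existing CORBA has many deficiencies; to address this, the paper proposes a dynamic role management mechanism for CORBA-based RBAC implementations and describes the management framework, making RBAC better suited to distributed heterogeneous environments.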

15.
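Research and Implementation of a Web Services Security Model   Total citations: 5, self-citations: 0, citations by others: 5
As Web services are widely applied in distributed systems, security problems are becoming increasingly prominent. Based on the WS-Security and WS-Policy protocols, this paper proposes a Web services security model and implements it in the .NET environment using the WSE 2.0 Web services development component. The security model is flexible and extensible: it ensures end-to-end security of SOAP messages and improves the interoperability of Web services through security policy files, and it can meet the security requirements of Web services application environments.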

16.
Interoperability is defined as the ability for two (or more) systems or components to exchange information and to use the information that has been exchanged. There is increasing demand for interoperability between individual software systems. Developing an interoperability evaluation model between software and information systems is difficult, and becoming an important challenge. An interoperability evaluation model allows knowing the degree of interoperability, and leads to the improvement of interoperability. This paper describes the existing interoperability evaluation models, and performs a comparative analysis among their findings to determine the similarities and differences in their philosophy and implementation. This analysis yields a set of recommendations for any party that is open to the idea of creating or improving an interoperability evaluation model.

17.
Telecommunications Information Networking Architecture (TINA) provides an architecture based on distributed computing technologies to enable telecommunications networks to support the flexible introduction and operation of new advanced services and to manage both the services and the network in an integrated fashion. While the service operation and management aspects are well advanced, network management aspects are less well defined. Resource Configuration Management (RCM) is one of the most important management areas as it covers, among others, the management of static topology and dynamic connectivity resources; these are both fundamental to the operation of TINA services. In this paper we present first an analysis of RCM, which results in introducing a new domain that deals with the configuration of management resources, in addition to network, service and computing resources. We then present a generic model for configuration management computational entities; this separates specific task-oriented aspects from generic resource representations accessed in a flexible fashion. The generic computational interface and relevant methodology for representing and accessing resources are influenced from OSI/TMN design principles, but make use of the TINA ODP-based Distributed Processing Environment (DPE). Based on this generic model, we present an RCM system architecture that deals with network and management resources. Parts of the latter have been verified through a prototype implementation in the context of a real field trial.

18.
Interoperability is an essential and significant issue that constrains the original goals and functionality of integrated network management systems. This paper shows how this issue can be solved by using a common management information model and a common management information exchange protocol. The paper also describes the general issues and a methodology for the construction of a management information model in a heterogeneous environment. By means of object-oriented techniques, a basic management information model is proposed. Based on this model, a general management information base can be built that will enhance the interoperability of network management systems.

19.
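This paper attempts to handle conceptual problems in information security management, ranging from simple semantic simulation to semantic integration in the Semantic Web. The most complex of these is the semantic interoperability problem, which clearly exists in all types of security problems. Another important problem is semantic simulation, in which these semantics analyse security information from different resources so as to give a more accurate picture of the overall network security situation. A concept mapping method and a security concept model are provided to support and solve this class of security problems.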

20.
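In view of the interoperability and tracing-mechanism issues widespread in existing DRM systems, this paper proposes a DRM model based on PKI/PMI, digital watermarking and RBAC, and analyses its workflow and security properties.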
