Research on Access Control for Cross-Domain Interoperation of NGN Services
Abstract
The fundamental purpose of network development is to provide, conveniently and quickly, services that meet users' needs. In the Next Generation Network (NGN), opening up service capabilities allows new services to be built by composing existing capabilities. This not only speeds up the delivery of new services and lowers the cost of providing them, but also lets end users be offered services that a single operator could hardly provide alone, because they require the distinctive service features of several operators.
Like the opening of network capabilities, the opening of service capabilities brings a set of security problems specific to the service layer. In the telecom field, NGN security research at home and abroad has concentrated on planning the NGN security architecture, with emphasis on the control, transport and access layers below the service layer; the security problems introduced by opening service capabilities at the higher layer have not yet been studied in depth. In the IT field, the security of cross-domain application interoperation is a current research hotspot and has produced a number of results. Building on those results and on the characteristics of NGN service cross-domain interoperation, this thesis studies the access control problem of NGN service cross-domain interoperation in depth. The results are summarized as follows:
(1) Based on the access control requirements of NGN service cross-domain interoperation, a cross-domain access control method for services, RABAC (Role and Attribute Based Access Control), is proposed. Compared with role-based access control (RBAC), it is more flexible and can apply access control according to the context of the service subject. Compared with attribute-based access control (ABAC), it first groups attribute conditions by role, which addresses the problem that purely attribute-based permission rules are cumbersome and prone to conflict; it then separates internal roles from external roles, which gives services good support for autonomously creating their own security roles and helps reduce both the complexity of managing mapping relationships within a security domain and the amount of attribute data that must be transferred between domains.
(2) To make the most of RABAC, a method for generating external roles and a corresponding method for constructing role mappings are proposed. Using clustering and classification algorithms, the generated external roles reflect the intrinsic relationships between roles well, and most mappings between roles can be established fairly accurately. This not only reduces the workload of security domain administrators, but also yields mappings that are mostly one-to-one or many-to-one, which helps guarantee the performance of role mapping.
(3) To address possible deception between domains, an inter-domain trust assurance mechanism for RABAC is proposed. A preliminary trust estimate is made from the probability distribution, a more accurate trust evaluation is then carried out where needed, and penalties are imposed on the basis of the result; this helps improve the security of interaction between mutually distrustful domains.
(4) A conceptual model of a security service platform for securely opening service capabilities is proposed, and based on this model an implementation method for a security service platform that supports RABAC and provides cross-domain access control is given; the method is highly extensible.
Providing services with a rich user experience is a goal of the converged network. In NGN, service capabilities are exposed through open APIs, so applications can be composed from existing capabilities, which speeds up service creation and reduces its cost. Beyond that, an application can even combine capabilities coming from different service providers.
Similar to the openness of network capabilities, the openness of application capabilities also introduces security problems that are unique to the application layer. Research on NGN security has focused on the NGN security architecture, mainly at the control, transport and access layers. There has been little discussion of the security problems introduced by openness at the higher layer.
In the IT domain, inter-domain interaction introduces new security problems, and this is a hot topic in the current research area. Based on results from the IT domain, we carry the research forward into the NGN domain. The research and results are as follows:
1) An inter-domain interaction access control method called RABAC (Role and Attribute Based Access Control) is proposed. Compared to RBAC, our method makes it easier to apply access control according to context. It groups similar attributes before role mapping, which is simpler than a pure ABAC method because fewer attributes are under consideration. With the separation between in-roles and out-roles, it also helps applications create new security roles and reduces management complexity.
2) An out-role creation method based on clustering and classification algorithms is proposed. With these algorithms, out-roles are created automatically, and because they are created on the basis of similarity, they may be more accurate than manually created ones. When the roles are created, mappings between out-roles and local roles are established at the same time, so this method helps the system administrator manage roles and set up mappings more easily.
3) Since there may be fraud between domains, an inter-domain trust assurance method is proposed. Based on statistics, we evaluate the trust of incoming requests, and if the evaluation reveals cheating behaviour, we start the punishment procedure. This method secures interaction between untrusted domains.
4) Finally, a conceptual model of a security service platform with capability openness is provided. A detailed implementation of this model is also fully discussed, and the model can be extended easily.
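As an added illustration of the RABAC decision described in point (1), not code from the thesis: a partner domain presents an out-role, the local domain maps it to a single in-role whose grouped attribute conditions are checked, and only the attributes that in-role needs have to cross the domain boundary. The domain names, roles, attributes and permissions are all constructed assumptions.

```python
# Added illustrative RABAC-style decision; all names and values are constructed.

class InRole:
    """Internal role of the local domain. It groups the attribute conditions
    that must all hold, together with the permissions it unlocks."""
    def __init__(self, name, conditions, permissions):
        self.name = name
        self.conditions = conditions      # attribute -> set of acceptable values
        self.permissions = permissions    # set of permission strings

# Constructed policy of the hypothetical local domain "telco-A".
IN_ROLES = {
    "location_reader": InRole("location_reader",
        {"subscriber_consent": {"granted"}, "time_window": {"business_hours"}},
        {"location:query"}),
    "sms_sender": InRole("sms_sender",
        {"rate_tier": {"standard", "premium"}},
        {"sms:send"}),
}

# Constructed mapping of partner domain "telco-B" out-roles to local in-roles.
# Each out-role maps to exactly one in-role (one-to-one or many-to-one).
OUT_TO_IN = {
    "telco-B:lbs_partner": "location_reader",
    "telco-B:messaging_partner": "sms_sender",
    "telco-B:bulk_messaging_partner": "sms_sender",
}

def required_attributes(out_role):
    """Attributes the partner must send for this out-role: only the conditions
    of the mapped in-role, not the subject's whole attribute set."""
    in_role_name = OUT_TO_IN.get(out_role)
    if in_role_name is None:
        return set()
    return set(IN_ROLES[in_role_name].conditions)

def decide(out_role, attributes, permission):
    """Map the foreign out-role to a local in-role, check its grouped attribute
    conditions, then check the permission. Deny by default; return (allowed, reason)."""
    in_role_name = OUT_TO_IN.get(out_role)
    if in_role_name is None:
        return False, "no mapping for out-role %r" % out_role
    role = IN_ROLES[in_role_name]
    for attr, acceptable in role.conditions.items():
        if attributes.get(attr) not in acceptable:
            return False, "%s: attribute %r=%r rejected" % (role.name, attr, attributes.get(attr))
    if permission not in role.permissions:
        return False, "%s does not grant %s" % (role.name, permission)
    return True, "%s -> %s grants %s" % (out_role, role.name, permission)
```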
