Yan Zhuang,Dan Xu,Kailong Zhang,Jingui Pan,Jiming Chen

DOI: https://doi.org/10.1109/iccs.2008.4737241

2008-01-01

Abstract:Collaborative virtual environment (CVE) is a multi-user virtual environment that supports distributed collaboration. The two main issues that CVE is facing are how to improve system scalability and quality of service. Combining Active routing and content-based publish/subscribe and taking bi-directional shared multicast tree as the communication structure of Interest Management, Active interest management (AIM) can effectively improve system scalability. However, due to the lack of network monitoring, it can only provide same services, and consequently cannot guarantee services and alleviate system workload when it gets saturated. In this paper, we propose a QoS-based Adaptive Access control (QAAC) approach which includes dynamic system delay maintenance, active router verification and host low start. By QAAC, we dynamically control the access of hosts based on network status to improve services and scalability in AIM. Finally, experiment results show that this approach can stabilize network traffic, reduce system load and provide better collaboration services.

Cui Yan-Li,Zhang Xing

DOI: https://doi.org/10.1109/cnmt.2009.5374540

2009-01-01

Abstract:In the distributed environment, one important security issue is how to apply further security control to the object that is released to other terminals. The appearance of trusted computing technology has provided an effective solution for this issue in the distributed environment. At the same time, through combining trusted computing technology with the strong isolation and sharing characteristic provided by virtual machine technology has further increased the security and the flexibility of distributed access control. Therefore, this paper uses trusted computing technology to improve the security of the terminal in carrying out the distributed access control, designs a trusted terminal architecture that bases on the trusted computing technology and the virtual machine technology as well as a enhanced mode that suits in distributed access control, and on this basis, analyzes the security of system design.

Yi Liu,Chau Yuen,Xianghui Cao,Naveed Ul Hassan,Jiming Chen

DOI: https://doi.org/10.1109/jiot.2014.2310425

2014-01-01

Abstract:A robust and resilient Medium Access Control (MAC) protocol is crucial for numerous machine-type devices to concurrently access the channel in a Machine-to-Machine (M2M) network. Simplex (reservation or contention based) MAC protocols are studied in most literatures which may not be able to provide a scalable solution for M2M networks with large number of heterogeneous devices. In this paper, a scalable hybrid MAC protocol, which consists of a contention period and a transmission period, is designed for heterogeneous M2M networks. In this protocol, different devices with pre-set priorities (hierarchical contending probabilities) firstly contend the transmission opportunities following the convention based p-persistent CSMA mechanism. Only the successful devices will be assigned a time slot for transmission following the reservation based TDMA mechanism. If the devices failed in contention at previous frame, to ensure the fairness among all devices, their contending priorities will be raised by increasing their contending probabilities at the next frame. To balance the tradeoff between the contention and transmission period in each frame, an optimization problem is formulated to maximize the channel utility by finding the key design parameters: the contention duration, initial contending probability and the incremental indicator. Analytical and simulation results demonstrate the effectiveness of the proposed Hybrid MAC protocol.

Chen Wen-Zhi,Zhu Hong-Wei,Huang Wei

DOI: https://doi.org/10.1109/CW.2008.110

2008-01-01

Abstract:The security problem became more severe since the security requirement of different applications may conflict with the others in distributed application or grid computing. Virtualization technology can improvethe system's security, but did not satisfy the requirement of virtual resource sharing and inner-domain communication in distributed services and grid computing. By dividing the virtual resources into sharing virtual resources and normal ones, SeVMM provided secure mechanism for inter-domain communication control, which formed the base of multi-level security control model for virtual machine monitors, operating systems and applications. Case study and application showed that SeVMM improved the system's security without causing significant performance penalty.

Ming Xia,Yabo Dong,Dongming Lu

DOI: https://doi.org/10.3390/s110302505

IF: 3.9

2011-01-01

Sensors

Abstract:The power consumption and latency of existing MAC protocols for wireless sensor networks (WSNs) are high in heterogeneous convergecast, where each sensor node generates different amounts of data in one convergecast operation. To solve this problem, we present W-MAC, a workload-aware MAC protocol for heterogeneous convergecast in WSNs. A subtree-based iterative cascading scheduling mechanism and a workload-aware time slice allocation mechanism are proposed to minimize the power consumption of nodes, while offering a low data latency. In addition, an efficient schedule adjustment mechanism is provided for adapting to data traffic variation and network topology change. Analytical and simulation results show that the proposed protocol provides a significant energy saving and latency reduction in heterogeneous convergecast, and can effectively support data aggregation to further improve the performance.

Zhiyong Tan,Duo Liu,Xuejun Zhuo,Yiqi Dai,Laurence T. Yang

DOI: https://doi.org/10.1007/s11227-011-0732-z

IF: 3.3

2013-01-01

The Journal of Supercomputing

Abstract:This paper presents the design and implementation features of Centralized Pervasive Computing Environment/Multilevel Security (CPCE/MLS), a multilevel security (MLS) system in pervasive computing environment deployed in Local area network (LAN) with a Mandatory Access Control (MAC) mechanism. By introducing the server-storage terminals and implementing the multilevel security access control mechanism based on the Bell---LaPadula model, process creation supervision, and an auditing mechanism, the CPCE/MLS system is able to provide the security guarantee of the whole computing environment. As such, each terminal is controlled under an integrated security policy. The performance test results show that the CPCE/MLS system, without optimization, generates great overhead but achieves significantly better performance after the cache mechanism is added in the monitor agent and in the hook driver. The system with the hook driver cache mechanism is able to achieve the 95.9% throughput of the native system with 8 K and 16 K requested data blocksize.

Guanjie Cheng,Junqin Huang,Yewei Wang,Jun Zhao,Linghe Kong,Shuiguang Deng,Xueqiang Yan

DOI: https://doi.org/10.1109/tifs.2023.3314211

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:With the emergence of the sixth-generation (6G) communication technologies, the Internet of Vehicles (IoV) is rapidly developing with the coordination between intelligent networked vehicles, road infrastructures, and the cloud. However, the openness and dynamic nature of the IoV raise significant security and privacy concerns, highlighting the need for efficient authentication schemes. Conventional authentication schemes are no longer suitable for 6G-enabled IoV due to high latency, single point of failure, and heavy management costs. Additionally, existing literature on multi-domain authentication mainly investigates vehicle mobility, ignoring the challenges posed by vehicle heterogeneity. To fill this gap, we propose a multi-domain authentication scheme with conditional privacy preservation (MACPP) that considers administrative domains ( AD ) and geographic domains ( GD ) in the IoV. In MACPP, we design a novel identity-based signature scheme without requiring bilinear pairing for efficient authentication. Additionally, we propose a blockchain-assisted pseudonym management scheme (BAPM) to further improve system security by designing a dynamical sparse Merkle tree structure (DSMT). We demonstrate that the proposed MACPP satisfies the security requirements through an in-depth security analysis. Moreover, the experimental results demonstrate the effectiveness and efficiency of both MACPP and BAPM.

Diming Zhang,Liangqiang Chen,Fei Xue,Hao Wu,Hao Huang

DOI: https://doi.org/10.1007/978-3-319-69659-1_19

2017-01-01

Abstract:Mobile security has become increasingly important in mobile computing, hence mandatory access control (MAC) systems have been widely used to protect it. However, malicious code in the mobile system may have significantly impact to the integrity of these MAC systems by forcing them to make the wrong access control decision, because they are running on the same privilege level and memory address space. Therefore, for a trusted MAC system, it is desired to be isolated from the malicious mobile system at runtime. In this paper, we propose a trusted MAC isolation framework called T-MAC to solve this problem. T-Mac puts the MAC system into the enclave provided by the ARM TrustZone so as to avert the direct impact of the malicious code on the access decision process. In the meanwhile, T-MAC provides a MAC supplicant client which runs in the mobile system kernel to effectively lookup policy decisions made by the back-end MAC service in the enclave and to enforce these rules on the system with trustworthy behaviors. Moreover, to protect T-MAC components that are not in the enclave, we not only provide a protection mechanism that enables TrustZone to protect the specific memory region from the compromised system, but establish a secure communication channel between the mobile system and the enclave as well. The prototype is based on SELinux, which is the widely used MAC system, and the base of SEAndroid. The experimental results show that SELinux receives enough protection, and the performance degradation that ranges between 0.53% to 7.34% compared to the original by employing T-MAC.

陈文智,姚远,杨建华,何钦铭

DOI: https://doi.org/10.3724/sp.j.1016.2009.01311

2009-01-01

Chinese Journal of Computers

Abstract:With the rapidly development of personal computer hardware,to construct multiple isolated computing domains through virtualization technology has already become a future direction of PC. To avoid the difficulties caused by implementing VMM on traditional IA-32 architecture through software virtualization technology,the authors designed and implemented a VMM based on Intel VT-x technology — Pcanel/V2. Pcanel/V2 utilizes the latest hardware virtualization technology to configure a controllable virtual execution environment and run multiple operating systems directly without any modification of source code. While the accesses to hardware resources by the guest operating system are monitored,various sensitive situations which occur in the guest operating system can also be handled correspondingly by Pcanel/V2. Concurrent execution of Linux and VxWorks on Pcanel/V2 has been realized and corresponding evaluation results show that Pcanel/V2 architecture simplifies the complexity of the design process while increasing the overall performance by approximately 10% compared to software virtual technology.

Xiaowei Li,Hongxiang Sun,Qiaoyan Wen

DOI: https://doi.org/10.1109/ccis.2012.6664413

2012-01-01

Abstract:Numerous virtual machines have been designed to make full use of the adequate resources and facilitate people's lives. In turn, it results in the necessity of communication between the virtual machines. As we know, the data of communication between the virtual machines which located on the different hosts, could potentially be altered or intercepted during transport. To solve the problem, we design and operation of the transparent encryption-decryption communication mechanism (TEDCM) in the privilege virtual machine, the result suggests that the TEDCM in our paper is a good choice to solve the problem of information leakage.

CHEN Hui,ZHOU Xue-Hai,CHEN Xiang-Lan

DOI: https://doi.org/10.3969/j.issn.1003-3254.2010.12.003

2010-01-01

Abstract:Security is always a hot topic with the development of computer technologies.Currently,mechanisms like active defense,detection and anti-detection are proposed.They could be implemented on different levels such as application-level and kernel-level in the system.We manage to go to the system-level.Linux owns mature security-enhanced version SELinux.For Windows,we focus on mandatory access control and propose a mechanism with improved efficiency,compatibility and stability.

Sang-Yoon Chang,Yih-Chun Hu,Zhuotao Liu

DOI: https://doi.org/10.1109/tmc.2017.2693990

IF: 6.075

2017-01-01

IEEE Transactions on Mobile Computing

Abstract:Wireless network dynamically allocates channel resources to improve spectral efficiency and, to avoid collisions, has its users cooperate with each other using a medium access control (MAC) protocol. However, MAC assumes user compliance and can be detrimental when a user misbehaves. An attacker who compromised the network can launch more devastating denial-of-service (DoS) attacks than a network outsider by sending excessive reservation requests to waste bandwidth, by listening to the control messages and conducting power-efficient jamming, by falsifying information to manipulate the network control, and so on. We build SecureMAC to defend against such insider threats while retaining the benefits of coordination between the cooperative users. SecureMAC is comprised of four components: channelization to prevent excessive reservations, randomization to thwart reactive targeted jamming, coordination to counter control-message aware jamming and resolve over-reserved and under-reserved spectrum, and power attribution to determine each node's contribution to the received power. Our theoretical analyses and implementation evaluations demonstrate superior performance over previous approaches, which either ignore security issues or give up the benefit of cooperation when under attack by disabling user coordination (such as the Nash equilibrium of continuous wideband transmission). In realistic scenarios, our SecureMAC implementation outperforms such schemes by 76-159 percent.

Vincent C. Hu,D. Richard Kuhn,Tao Xie,Jeehyun Hwang

DOI: https://doi.org/10.1142/s021819401100513x

IF: 1.007

2011-01-01

International Journal of Software Engineering and Knowledge Engineering

Abstract:Mandatory access control (MAC) mechanisms control which users or processes have access to which resources in a system. MAC policies are increasingly specified to facilitate managing and maintaining access control. However, the correct specification of the policies is a very challenging problem. To formally and precisely capture the security properties that MAC should adhere to, MAC models are usually written to bridge the rather wide gap in abstraction between policies and mechanisms. In this paper, we propose a general approach for property verification for MAC models. The approach defines a standardized structure for MAC models, providing for both property verification and automated generation of test cases. The approach expresses MAC models in the specification language of a model checker and expresses generic access control properties in the property language. Then the approach uses the model checker to verify the integrity, coverage, and confinement of these properties for the MAC models and finally generates test cases via combinatorial covering array for the system implementations of the models.

Yi Jie Tong,Wei Qi Yan,Jin Yu

DOI: https://doi.org/10.4018/ijdcf.2015010104

2015-01-01

International Journal of Digital Crime and Forensics

Abstract:With an increasing number of personal computers introduced in schools, enterprises and other large organizations, workloads of system administrators have been on the rise due to the issues related to energy costs, IT expenses, PC replacement expenditures, data storage capacity, and information security, etc. However, Application Virtualization (AV) has been proved as a successful cost-effective solution to solve these problems. In this paper, the analytics of a Virtual Desktop Infrastructure (VDI) system will be taken into consideration for a campus network. Our developed system will be introduced and justified. Furthermore, the rationality for these improvements will be introduced.

Yuanzhong Xu,Alan M Dunn,Owen S Hofmann,Michael Z Lee,Syed Akbar Mehdi,Emmett Witchel

Abstract:DCAC is a practical OS-level access control system that supports application-defined principals. It allows normal users to perform administrative operations within their privilege, enabling isolation and privilege separation for applications. It does not require centralized policy specification or management, giving applications freedom to manage their principals while the policies are still enforced by the OS. DCAC uses hierarchically-named attributes as a generic framework for user-defined policies such as groups defined by normal users. For both local and networked file systems, its execution time overhead is between 0%-9% on file system microbenchmarks, and under 1% on applications. This paper shows the design and implementation of DCAC, as well as several real-world use cases, including sandboxing applications, enforcing server applications' security policies, supporting NFS, and authenticating user-defined sub-principals in SSH, all with minimal code changes.

Pengfei Sun,Qingni Shen,Liang Gu,Yangwei Li

DOI: https://doi.org/10.1109/anthology.2013.6784967

2013-01-01

Abstract:Virtualization technologies enable multi-tenancy cloud business models by providing a scalable, shared resource platform for all tenants. Computing capacity, storage, and network are shared between multi-tenants. However, placing different customers' workloads on the same virtualization platform may lead to security vulnerabilities, which include the failure of mechanisms separating storage, memory, routing, and even reputation between different tenants of the shared infrastructure. The co-location of many customers inevitably causes conflict for the cloud provider as customers' communication security requirements are likely to be divergent from each other. In this paper, we introduce Multi-lateral Security concept to multi-tenancy cloud platform. It is difficult to analyze policies defined by consumers in the same virtualization platform in order to guarantee configuration stability given that policies may have conflicts leading to unpredictable effects. We present the Multilateral Security Architecture for Virtualization platform (VPMS) which enables the multilateral security for consumers.

Khalid Abdel Hafeez,Lian Zhao,Jon W. Mark,Xuemin (Sherman) Shen,Zhisheng Niu

DOI: https://doi.org/10.1109/tvt.2013.2258361

IF: 6.8

2013-01-01

IEEE Transactions on Vehicular Technology

Abstract:Since vehicular safety applications require periodic dissemination of status and emergency messages, contention-based medium-access-control (MAC) protocols such as IEEE 802.11p have problems in predictability, fairness, low throughput, latency, and high collision rate, particularly in high-density networks. Therefore, a distributed multichannel and mobility-aware cluster-based MAC (DMMAC) protocol is proposed. Through channel scheduling and an adaptive learning mechanism integrated within the fuzzy-logic inference system (FIS), vehicles organize themselves into more stable and nonoverlapped clusters. Each cluster will use a different subchannel from its neighbors in a distributed manner to eliminate the hidden terminal problem. Increasing the system's reliability, reducing the time delay for vehicular safety applications, and efficiently clustering vehicles in highly dynamic and dense networks in a distributed manner are the main contributions of the proposed MAC protocol. The reliability and connectivity of DMMAC are analyzed in terms of the average cluster size, the communication range within the cluster and between cluster heads (CHs), and the lifetime of a path. Simulation results show that the proposed protocol can support traffic safety and increase vehicular ad hoc networks' (VANETs) efficiency, reliability, and stability of the cluster topology by increasing the CH's lifetime and the dwell time of its members.

Kan Yang,Xiaohua Jia,Kui Ren,Bo Zhang

DOI: https://doi.org/10.1109/tifs.2013.2279531

IF: 7.231

2013-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Data access control is an effective way to ensure data security in the cloud. However, due to data outsourcing and untrusted cloud servers, the data access control becomes a challenging issue in cloud storage systems. Existing access control schemes are no longer applicable to cloud storage systems, because they either produce multiple encrypted copies of the same data or require a fully trusted cloud server. Ciphertext-policy attribute-based encryption (CP-ABE) is a promising technique for access control of encrypted data. However, due to the inefficiency of decryption and revocation, existing CP-ABE schemes cannot be directly applied to construct a data access control scheme for multiauthority cloud storage systems, where users may hold attributes from multiple authorities. In this paper, we propose data access control for multiauthority cloud storage (DAC-MACS), an effective and secure data access control scheme with efficient decryption and revocation. Specifically, we construct a new multiauthority CP-ABE scheme with efficient decryption, and also design an efficient attribute revocation method that can achieve both forward security and backward security. We further propose an extensive data access control scheme (EDAC-MACS), which is secure under weaker security assumptions.

Wei Han,Yeping He,Liping Ding

DOI: https://doi.org/10.1109/ssiri-c.2011.37

2011-01-01

Abstract:In virtualization environment, the communication and resource sharing between virtual machines can be protected by mandatory access control mechanism to guarantee the isolation of the virtual machines. The safety of the mandatory access control framework depends on whether the security sensitive operations are protected by the security check functions completely. In this paper, we present a novel method to verify the safety of the Xen security modules framework. We implement our method on the Xen 4.01 source code and evaluate the results. While our work in this paper focuses on the verification of Xen security modules, which can be used to analyze other mandatory access control framework analogous with it as well.

Xiang Cheng,Rongqing Zhang,Liuqing Yang

DOI: https://doi.org/10.1007/978-3-030-02176-4_4

2019-01-01

Abstract:In vehicular networks, road safety and data-related applications require reliable and efficient communications with minimized transmission collisions, and thus effective medium access control (MAC) protocols are also essential for the VCN system design. However, in vehicular networks, the MAC design is much more challenging due to the high mobility, heterogeneous and frequently changing topology, and versatile QoS requirements. Hence, also following the wireless-vehicle combination perspective, in this chapter, we focus on the effective and efficient MAC designs for VCN. First, by taking the trend (from distributed to centralized) and challenges of the MAC design in VCN into consideration, three essential MAC issues and their corresponding solutions are explored, including distributed congestion control, centralized resource sharing and scheduling, and centralized data dissemination scheduling. Then, regarding the next leap for MAC designs in VCN, NOMA-V2X and data-driven resource management are also discussed.