Qinghuai Zeng,Changqin Huang,Deren Chen,Hualiang Hu

DOI: https://doi.org/10.1109/CACWD.2004.1349224

2004-01-01

Abstract:In grid environments, the dynamic and multi-institutional nature introduces challenging security issues. In this paper, we propose subtask-based authorization service (SAS) architecture to fully secure a type of application oriented to engineering and scientific computing. We minimize privileges for task by decomposing the parallel task and re-allotting the privileges required for each subtask. Community authorization module describes and applies community policies of resource permission and privilege for resource usage or task management. It separates proxy credentials from identity credentials. We adopt a relevant policy and task management delegation to describe rules for task management. The ultimate privileges are formed by the combination of relevant proxy credential, subtask-level privilege certificate and community policy for this user, as well as they conform to resource policy. To enforce the architecture, we extend the RSL specification and the proxy certificate, modify Globus' gatekeeper, jobmanager and the GASS library to allow authorization callouts, and evaluate the user's job management requests and job's resource request in the context of policies.

Tianchi Ma,Shanping Li

DOI: https://doi.org/10.1007/978-3-540-24679-4_153

2004-01-01

Abstract:An instance-oriented security mechanism is proposed to deal with security threats in building a general-purpose mobile agent middleware in Grid environment. The proposed solution imports security instance, which is an encapsulation of one set of authorizations and their validity specifications with respect to the agent's specific code segments, or even the states and requests. Study shows this mechanism can inject large flexibility and scalability into the security framework, and can avoid the inefficiency and potential damages obscuring in a conventional linear delegation model.

Ma Tian-chi,Li Shan-ping

DOI: https://doi.org/10.1631/jzus.2005.a0405

2005-01-01

Journal of Zhejiang University SCIENCE A

Abstract:New challenges are introduced when people try to build a general-purpose mobile agent middleware in Grid environment. In this paper, an instance-oriented security mechanism is proposed to deal with possible security threats in such mobile agent systems. The current security support in Grid Security Infrastructure (GSI) requires the users to delegate their privileges to certain hosts. This host-oriented solution is insecure and inflexible towards mobile agent applications because it cannot prevent delegation abuse and control well the diffusion of damage. Our proposed solution introduces security instance, which is an encapsulation of one set of authorizations and their validity specifications with respect to the agent’s specific code segments, or even the states and requests. Applications can establish and configure their security framework flexibly on the same platform, through defining instances and operations according to their own logic. Mechanisms are provided to allow users delegating their identity to these instances instead of certain hosts. By adopting this instance-oriented security mechanism, a Grid-based general-purpose MA middleware, Everest, is developed to enhance Globus Toolkit’s security support for mobile agent applications.

TC Ma,SP Li

DOI: https://doi.org/10.1109/clustr.2003.1253356

2003-01-01

Cluster Computing

Abstract:In this paper, an instance-oriented security mechanism is proposed, to attack possible security threats in grid-based mobile agent system. The proposed delegation profile allows application systems to define their own security instances, while it provides mechanisms to delegate one's identity on those instances, instead of on certain hosts, just like the conventional delegation does. This can prevent the delegated host from abusing privileges. By adopting the new delegation profile kernel, a new trust framework is then proposed to enhance the security verification ability and provide more fine-grained authorization to mobile agent platforms.

Jie Jiang,Deren Chen,Tim Chen,Xiaodong Shen

DOI: https://doi.org/10.1109/imsccs.2006.169

2006-01-01

Abstract:With the development of grid service, there are two key problems to be improved. One is to access Web grid service with friend interface for user. Another is the security authentication for grid resource share. Nowadays, a solution of Web universal entrance for grid service has been given through a Web framework named grid portal. PKI based grid security infrastructure has been widely used in order to guarantee grid security. However, although proxy certificate has been well applied in GSI, there is still no integrated model for security grid portal based on PKI and proxy mechanism. From the view of cooperation, a security grid portal is proposed based on PKI and online proxy certificate repository. It can successfully move the user's credential from the PKI public key certificates to its proxy certificate issued by online proxy certificate repository, which makes a Web user be easily authenticated through Web client to any grid service process

Jie Jiang,TieMing Chen,Bo Chen,Limin Jin,Deren Chen

2008-01-01

Abstract:In order to solve the security problems introduced by the dynamic characteristics of grid services in authentication and authorization, a security services access platform based on Grid Security Infrastructure is proposed, which can provide the security grid services including the single sign-on and unified authentication and dynamic authorization. In this platform, a self-signed proxy certificate technique and improved context-constrains role based access control mechanism are deployed. The application in Country Emergency Response Grid Service System shows that the proposed platform can satisfy the need of security for grid services access through the grid portal.

XU Jing-jing,DAI Hong-lei,ZHA Li,XU Zhi-wei

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.07.070

2006-01-01

Abstract:The Community-based VEGA Grid Operating System(VEGA GOS) is an environment and platform that support development and running of the grid applications.Combining with community that centralize the user and resource locally,we form a cross domain authorization model in subject,resource and operating space to solve the issues of versatile,autonomous control and easy-to-use in grid environment.This paper introduces the design and implementation of the community-based multi-grained authorization and access control mechanism,and take a measurement and analysis to the performance penalty due to the use of security mechanism.

Xiyuan Chen,Yang OUYang,Miaoliang Zhu,Yan He

DOI: https://doi.org/10.1109/ICYCS.2008.407

2008-01-01

Abstract:The emerging grid infrastructure presents many challenging security issues that demand new access approach due to its inherent heterogeneity, multidomain characteristic and highly dynamic nature. In order to protect the secure sharing and coordinated use of diverse resources in distributed "virtual organizations", fine-grained access control in grid computing is therefore very necessary and important. In this paper, a semantic-aware access conrtol(SAAC) extending the RBAC with the semantic specification is proposed. Supplying semantic specification by the implementation of semantic inference engine (SIE), the administration for the applicability of users' role memberships to particular permissions is much more easy and precise. The enforcement of the SAAC model for grid application is presented. An experimental evaluation of its overheads is also described.

CQ Huang,DR Chen,HL Hu

DOI: https://doi.org/10.1109/cmpsac.2004.1342652

2004-01-01

Abstract:Grid computing is becoming a new computing infrastructure for large-scale scientific computation and cooperative work. The Globus toolkit is the most popular grid environment and de facto grid standard, and it has adopted OGSA architecture to provide applications with grid service level. This study focuses on the requirement for scientists in engineering computation field and narrows the gap between grid service and the engineering community. The engineering computation architecture supplies the users with a visual application development and deployment environment for engineering computation. The whole is characterized by grid service. At the same time, QoS driven user-centric scheduling, community-based efficient authorization and flexible task management are designed and implemented.

Changqin Huang,Guanghua Song,Yao Zheng,Deren Chen

DOI: https://doi.org/10.1007/978-3-540-30102-8_39

2004-01-01

Abstract:Large-scale scientific and engineering computation is normally accomplished through the interaction of collaborating groups and diverse heterogeneous resources. Grid computing is emerging as an applicable paradigm, whilst, there is a critical challenge of authorization in the grid infrastructure. This paper proposes a Parallelized Subtask-level Authorization Service architecture (PSAS) based on the least privilege principle, and presents a context-aware authorization approach and a flexible task management mechanism. The minimization of the privileges is conducted by decomposing the parallelizable task and re-allotting the privileges required for each subtask. The dynamic authorization is carried out by constructing a multi-value community policy and adaptively transiting the mapping. Besides applying a relevant management policy, a delegation mechanism collaboratively performs the authorization delegation for task management. In the enforcement mechanisms involved, the authors have extended the RSL specification and the proxy certificate, and have modified the Globus gatekeeper, jobmanager and the GASS library to allow authorization callouts. Therefore the authorization requirement of an application is effectively met in the presented architecture.

HL Hu,D Chen,CQ Huang

DOI: https://doi.org/10.1007/11428862_31

2005-01-01

Abstract:The open and anonymous of grid make the task of controlling access to sharing information more difficult, which cannot be addressed by traditional access control methods. In this paper, we identify access control requirements in such environments and propose a trust based access control framework for grid resource sharing. The framework is an integrated solution involving aspects of trust and recommendation models, based the discretionary access control (DAC), and are applied to grid resource-sharing systems. In this paper, we integrate technology of web services into idea of trust for describing resources.

Ke Xu,Yuexuan Wang,Cheng Wu

DOI: https://doi.org/10.1007/11745693_53

2006-01-01

Abstract:Ensuring the reliability and robustness of complex scientific grid applications is a critical issue for managing and sharing expensive scientific instruments. However, guaranteeing the correct processing of grid applications under all circumstances is difficult and not fully addressed by existing grid infrastructure. Hidden flaws in the applications including unexpected internal behaviors, dissatisfaction of real-time constraints, incompatibility in service interactions, etc may lead to subtle failures in grid systems. This work tries to enhance the trustworthiness of grid applications by investigating existing formal techniques and their extensions. A formal framework based on extensions of Pi calculus is proposed which also integrates formal techniques of model checking and bisimulation analysis to enable the reasoning of grid applications from three perspectives: data, time and behavior. In addition, both application examples and our current implementation architecture are also concluded.

Wang Qianghua,Zhou Mingquan,Geng Guohua,Xu Ti

DOI: https://doi.org/10.3969/j.issn.1000-386X.2006.11.010

2006-01-01

Abstract:Grid is an open distributed system environment.The purpose of Grid is to provide for sharing the resources between virtual organizations with distributed,heterogeneous,dynamic characteristics.Security is one of the key factors in Grid environment.The Grid security include data integrity,data privacy,authentication,authorization and audit.In this paper,the security model and the authentication,authorization framework of open system environment are analyzed,the security protocols and infrastructures of the OGSA grid service are discussed.

Yl Jiang,Bs Liao,Y Liu,J Hu

DOI: https://doi.org/10.1007/978-3-540-30483-8_2

2004-01-01

Abstract:Traditional methods for authorization within Grid computing have many shortcomings. Firstly, the enrolments of users and services into the server are done manually, which is not adaptable to the dynamic environment where the service providers and service consumers join or leave dynamically. Secondly, the authorization policy language is not expressive enough to represent more complex policies, and can't resolve the problem of semantic inconsistency between different parties who treat the same policy. This paper takes advantage of characteristics of intelligent agent such as autonomy, proactivity, and sociality, to treat with the authorization issues, including automated registrations and management of agents (service providers and service consumers), autonomous authentication and authorization based on policies, etc. On the other hand, an ontology-based content-explicit policy modeling framework is presented, which resolves the semantic inconsistency problem among different parties.

Pei-You Zhu,Ji Gao,Bo-Ou Jiang,Hui Song

DOI: https://doi.org/10.1109/ICMLC.2006.258807

2006-01-01

Abstract:Grid is a new technology which implements flexible, secure, coordinated resource sharing among dynamic collections of individuals, institutions, and resources. Unlike in conventional network systems, the services and resources in Grid are heterogeneous and dynamic, they also belong to different domains. So the intrusion detection system (IDS) for Grid should be a system which could rapidly and dynamically integrate the related node detection resources of a Grid Computing application according to the dynamic detection demand and ensure the security of Grid Computing. Conventional network IDS lack the necessary flexibility needed by Grid environment and could not dynamically adjust their structure to the dynamic Grid Computing applications. This paper provides a new flexible multi-agent approach to intrusion detection for Grid (MAIDG). MAIDG not only takes advantage of the flexibility and autonomy of agent technology, but also makes good use of the Globus Toolkit4.0 (GT4)'s data management components which provide the virtual interfaces for all the (heterogeneous or homogeneous) detection resources and realize the publication, location, and high performance transfer of detection data. In a word, this paper provides a new ideal and way to realize the intrusion detection system for Grid.

Ky Lam,Xb Zhao,Sl Chung,M Gu,Jg Sun

DOI: https://doi.org/10.1007/978-3-540-24591-9_4

2003-01-01

Abstract:With the rapid development of the global information infrastructure, the use of virtual organization (VO) is gaining increasing importance as a model for studying business and organizational structures. The notion of VO is significant in that it could serve as a basic framework for implementing geographically distributed, cross-organizational application systems in a highly flexible manner. To further enhance the pervasiveness of VO, it is of great importance that participation of mobile computing nodes be supported. Thus, security is a critical issue due to the open nature of the wireless channels that provide connectivity to mobile devices. This paper discusses, from an application angle, the importance of supporting mobile devices in VO. It also discusses the design of security infrastructures that support mobile nodes in mission-specific applications. A simple grid security infrastructure that supports participation of mobile computing nodes is also proposed to illustrate the implementation feasibility of the infrastructure.

J Hu,J Gao,Bs Liao,Jj Chen

DOI: https://doi.org/10.1007/978-3-540-30483-8_5

2004-01-01

Abstract:The Grid and agent communities both develop concepts and mechanisms for open distributed systems, albeit from different perspectives. The Grid community has focused on infrastructure, tools and application for reliable and secure resource sharing within dynamic and geographically distributed virtual organizations. In contrast, the agents community has focused on autonomous problem solvers that can flexibly in uncertain and dynamic environments. Yet as the scale and ambition of both Grid and agent deployments increase, we see that multi-agent systems require robust infrastructure and Grid systems require autonomous, flexible behaviors. So, an Agent Based Grid Infrastructure of Social Intelligence (ABGISI) is presented in this paper. With multi-agents cooperation as main line, this paper expatiates on ABGISI from three aspects: agent information representation; the support system for agent social behavior, which includes agent mediate system and agent rational negotiation mechanism, and agent federation structure.

BS Liao,J Gao,J Hu,JJ Chen

2004-01-01

Abstract:OGSA-compliant Grid Computing has emerged as an important technology for large scale service sharing and integration. However, the management of massive, distributed, heterogeneous, and dynamic Grid services is becoming increasingly complex. This paper proposes a model of agent-enabling autonomic Grid service system to relieve the management burdens such as configuration, deployment, discovery, composition, and monitoring of Grid services. We adopt intelligent agents as autonomic elements to manage Grid services from two aspects: internal management and external transaction and cooperation. On the one hand, within an autonomic element (agent), goal-based planning and scheduling mechanism autonomously (re-) configures, and monitors the enforcement of, managed elements (Grid services or other agents). On the other hand, the automated discovery, negotiation, and contract-based service providing and monitoring among various agents treat with the relationships among autonomic elements.

Jiang-hu YANG,Ge-gang PENG,Chuan-shan GAO,Chang-lai HUANG

DOI: https://doi.org/10.3969/j.issn.1000-1220.2005.08.009

2005-01-01

Abstract:Grid is considered the next generation of Internet. Much research has been done in grid forums, experimental environments and projects. As a result of such research, many grid technologies emerge and many grids are established to solve large-scale applications. But those grids have difficult to interconnect and inter-operate because of different grid security mechanism and resource sharing methods. This paper presents a novel agent-based inter-grid interconnect infrastructure by combining agent technology and grid technology. We focus our research on inter-grid security mechanism and resource management. This infrastructure we proposed can deal with grid security mechanism heterogeneity and inter-domain grid resource management problem. This infrastructure supports grid's fundamental properties such as single-sign-on and delegation on inter-domain grids, leaves the local domain security policies unchanged, and achieves general, simple, high-performance and distributed sharing of resources on inter-domain grids.

Zhi Wang,Qi Chen,Chuanshan Gao

DOI: https://doi.org/10.1109/GCCW.2006.56

2006-01-01

Abstract:With the fast advance of wireless chip-set and portable devices, mobile ad-hoc network (MANET) is becoming a novel wireless computing environment that can embrace grid computing by utilizing the non-trivial computing capabilities of each node to solve time-critical or resource-critical problems. But a few issues such as intermittent network connectivity, node's heterogeneity and resource constraints, must be addressed carefully. For them, a mobile agent approach is proposed in this paper. It delegates computation jobs to mobile agent, drives it to migrate on MANET and find nodes that have the resources. On each node, agent negotiates to use it resources and does its best to accomplish the jobs. This approach enables flexible handling of various resource sharing policies, and considers each node's resource capabilities. Moreover, it shields the dynamical network connectivity to mobile agent, thus enables logical mobility of grid applications over MANET