Ning Xi,Jianfeng Ma,Cong Sun,Di Lu,Yulong Shen

DOI: https://doi.org/10.1007/s10619-018-7228-2

IF: 0.974

2018-01-01

Distributed and Parallel Databases

Abstract:Homomorphic encryption allows the direct operations on encrypted data, which provides a promising way to protect outsourcing data in clouds. However, it can not guarantee the end-to-end data security if different cloud services are composed together. Especially for the operations on encrypted data, it may violate the standard noninterference, which can not be solved by traditional information flow control approaches. In order to analyze the information flow with encrypted data, we define a new type of flow called the encryption flow to describe the dependence relationship among different encrypted data objects across multiple services. Based on the new definition on encrypted flow, we propose the secure information flow verification theorem and specify the improved security constraints on each service component. Then a distributed information flow control framework and algorithm are designed for verification on regular and encrypted flow across multiple clouds. Through the experiments, we can obtain that our approach is more appropriate for the verification across multiple clouds and provides a more effective way compared with centralized verification approaches.

Ning Xi,Cong Sun,Jianfeng Ma,Jing Lv

DOI: https://doi.org/10.1109/trustcom/bigdatase.2019.00035

2019-01-01

Abstract:Service composition provides a promising way for the delivery of IT applications to satisfy complex consumers' demands. The qualitative information flow control mechanism based on non-interference provides a solid security assurance on the propagation of customer's private data across multiple service providers. However, strict discipline limits the service availability and may cause a high failure rate on service composition. Therefore, we propose a distributed quantitative information flow evaluation approach for service composition across multiple clouds. The quantitative approach provides us a more precise way to evaluate the leakage and supports the customized disciplines on information flow security for the diverse requirements of different customers. Through the experiments and the proof, the results indicate that our approach can improve the availability of composite service effectively with affordable costs while satisfying the customer's security requirements.

Ning Xi,Di Lu,Cong Sun,Jianfeng Ma,Yulong Shen

DOI: https://doi.org/10.1109/nana.2016.53

2017-01-01

Mobile Information Systems

Abstract:The regional and dynamic characteristics of mobile clouds pose a great challenge on information flow security during service composition. Although secure verification approaches based on standard noninterference provide a solid assurance on information flow security of composite service, too strict constraints on service components may cause the failure of composition procedure. In order to ensure the availability of composite service, we specify the declassification policies based on cryptographic operations to allow data to be legally declassified. And we propose the improved distributed secure service composition framework and approach, which can realize different cloud platforms in multiple domains, cooperate with each other to complete the declassification, and secure composition procedure. Through the experiment and evaluation, it is indicated that our approach provides a more reliable and efficient way for secure service composition in mobile clouds.

Ning Xi,Jing Lv,Cong Sun,Jianfeng Ma

DOI: https://doi.org/10.3390/e21080753

IF: 2.738

2019-01-01

Entropy

Abstract:The advances in mobile technologies enable mobile devices to cooperate with each other to perform complex tasks to satisfy users’ composite service requirements. However, data with different sensitivities and heterogeneous systems with diverse security policies pose a great challenge on information flow security during the service composition across multiple mobile devices. The qualitative information flow control mechanism based on non-interference provides a solid security assurance on the propagation of customer’s private data across multiple service participants. However, strict discipline limits the service availability and may cause a high failure rate on service composition. Therefore, we propose a distributed quantitative information flow evaluation approach for service composition across multiple devices in mobile environments. The quantitative approach provides us a more precise way to evaluate the leakage and supports the customized disciplines on information flow security for the diverse requirements of different customers. Considering the limited energy feature on mobile devices, we use a distributed evaluation approach to provide a better balance on consumption on each service participant. Through the experiments and evaluations, the results indicate that our approach can improve the availability of composite service effectively while the security can be ensured.

Ning Xi,Jianfeng Ma,Cong Sun,Tao Zhang

DOI: https://doi.org/10.1109/icws.2013.81

2013-01-01

Abstract:Dynamic service composition in wireless environment provides us with a promising approach to build complex applications based on the basic value-added services. In different network domains, multiple services may provide data with different security levels. In order to prevent from information leakage, information flow security is a major concern in composite services. However, the energy-limited nature of user terminal in mobile computing environments poses a significant challenge for the centralized information flow verification where the verification node need cost lots of computation and network resources. In this paper, we specify the security constraints for each service participant to secure the information flow in service chain based on the lattice model, and then present a decentralized information flow verification framework that cooperates different service participants to complete the verification process distributively with respect to their information flow policies. Through the experiments and evaluations, the results show it decreases the verification cost on single service node.

Xi Ning,Sun Cong,Ma Jianfeng,Chen Xiaofeng,Shen Yulong

DOI: https://doi.org/10.1109/cc.2016.7464129

2016-01-01

China Communications

Abstract:Accelerate processor, efficient software and pervasive connections provide sensor nodes with more powerful computation and storage ability, which can offer various services to user. Based on these atomic services, different sensor nodes can cooperate and compose with each other to complete more complicated tasks for user. However, because of the regional characteristic of sensor nodes, merging data with different sensitivities become a primary requirement to the composite services, and information flow security should be intensively considered during service composition. In order to mitigate the great cost caused by the complexity of modeling and the heavy load of single-node verification to the energy-limited sensor node, in this paper, we propose a new distributed verification framework to enforce information flow security on composite services of smart sensor network. We analyze the information flows in composite services and specify security constraints for each service participant. Then we propose an algorithm over the distributed verification framework involving each sensor node to participate in the composite service verification based on the security constraints. The experimental results indicate that our approach can reduce the cost of verification and provide a better load balance.

Cong Sun,Ning Xi,Jinku Li,Qingsong Yao,Jianfeng Ma

DOI: https://doi.org/10.1109/APSEC.2014.60

2014-01-01

Abstract:Information flow security has been considered as a critical requirement on software systems, especially when heterogeneous components from different parties cooperate to achieve end-to-end enforcement on data confidentiality. Enforcing the information flow security properties on complicated systems faces a great challenge because the properties cannot be preserved under composition and most of the current approaches are not scalable enough. To address this problem, there have been several recent efforts on the compositional information flow analyses developed for different abstraction levels. But these approaches have rarely been considered to incorporate with the process of system design. Integrating the security enforcement with the model-based development process can provide the designer with ability to verify information flow security in the early stage of system development. We propose a compositional information flow verification which is integrated with model-based system design in Sys ML by an automated model translation from semi-formal behavior and structure models to interface automata. Our compositional approach is general to support the complex security lattices and a variety of in distinguish ability relations. The evaluation results show the usability of our approach on practical system designs and the scalability of the compositional verification.

XI Ning,MA Jian-feng,SUN Cong,LU Di,ZHANG Tao

DOI: https://doi.org/10.3969/j.issn.1000-436x.2014.11.003

2014-01-01

Abstract:A composable information verification approach is proposed for the secure service chain composition.Based on the secure service component，the security constraints for the component’s composibility is specified and the information flow verification algorithms is proposed.Through the experiments and simulation，it shows that the approach can decrease the verification cost effectively and improve the efficiency of the verification.

Ning Xi,Jianfeng Ma,Cong Sun,Yulong Shen,Tao Zhang

DOI: https://doi.org/10.1155/2013/693639

IF: 1.938

2013-01-01

International Journal of Distributed Sensor Networks

Abstract:Dynamic service composition provides us with a promising approach to cooperate different sensor nodes in WSN to build complex applications based on their basic functions. Usually multiple nodes located in different regions provide data with different security levels, and it is critical to ensure the security of the information flow in the composite services. However, the energy-limited nature of sensor nodes in WSN poses a significant challenge for the centralized information flow verification with which the verification node needs to consume lots of computation and network resources. In this paper, we specify the security constraints for each service participant to secure the information flow in a service chain based in the lattice model and then present a distributed verification framework that cooperates different service participants to verify their information flow policies distributively. The evaluation results show a significant decrease on the verification cost of the single verification node, which provides a better load balance in each sensor node.

Xiaochen Liu,Chunhe Xia,Tianbo Wang,Li Zhong

DOI: https://doi.org/10.1109/bigdatacongress.2017.87

2017-01-01

Abstract:In the process of big data analysis and processing, a key concern blocking users from storing and processing their data in the cloud is their misgivings about the security and performance of cloud services. There is an urgent need to develop an approach that can help each cloud service provider (CSP) to demonstrate that their infrastructure and service behavior can meet the users' expectations. However, most of the prior research work focused on validating the process compliance of cloud service without an accurate description of the basic service behaviors, and could not measure the security capability. In this paper, we propose a novel approach to verify cloud service security conformance called CloudSec, which reduces the description gap between the cloud provider and customer through modeling cloud service behaviors (CloudBeh Model) and security SLA (SecSLA Model). These models enable a systematic integration of security constraints and service behavior into cloud while using UPPAAL to check the conformance, which can not only check CloudBeh performance metrics conformance, but also verify whether the security constraints meet the SecSLA. The proposed approach is validated through case study and experiments with a cloud storage service based on OpenStack, which illustrates CloudSec approach effectiveness and can be applied in real cloud scenarios.

Fatma Lahmar,Haithem Mezni

DOI: https://doi.org/10.1007/s00500-020-05519-x

IF: 3.732

2021-01-05

Soft Computing

Abstract:With the emergence of cloud computing and to better satisfy users’ complex requirements in front of the huge number of cloud services, these latter may be combined while considering the virtualized environment’s constraints, including quality of services, security policies, resources availability, interoperability, etc. As composing services from multiple clouds was proved to be more beneficial than relying on services from one single cloud, the new approaches are now spanning multiple clouds. Despite the advantages of multi-cloud environments, there are always some security risks that mostly threaten the cloud consumers’ data, which makes the identification of suitable services a challenging task. In this work, we propose a security-aware multi-cloud service composition approach using fuzzy formal concept analysis (fuzzy FCA) and rough set theory (RS), which are two techniques with a strong mathematical background. To guarantee a high security level of the hosting clouds and the selected services, we exploit the fuzzy relations of fuzzy FCA and the approximation of RS. These techniques will help reducing the search space, by eliminating the disqualified clouds and insecure services. The experimental results proved the performance and the effectiveness of our approach.

computer science, artificial intelligence, interdisciplinary applications

Junwen Lu,Yongsheng Hao,Lina Wang,Mai Zheng

DOI: https://doi.org/10.1109/CSCI.2015.69

2015-01-01

Abstract:In this paper, we propose a theoretical model for the service composition in MCE. A user sends service requests to the MCE. Each service request can be satisfied from multiple clouds (i.e., service composition). Given this model, we then design a multi-layer algorithm to minimize the service composition overhead. The overhead is measured through two fundamental metrics: (1) the average number of clouds (ANC) involved in the service composition, and (2) the average number of service files (ANS) examined. While simple, the two metrics capture the fundamental communication overhead across clouds and within clouds, respectively. Preliminary evaluation based on simulation show that our algorithm outperforms the previous approaches in terms of both ANC and ANS.

bo yu,lin yang,s h chen,lin ru ma

DOI: https://doi.org/10.4028/www.scientific.net/AMM.336-338.2348

2013-01-01

Applied Mechanics and Materials

Abstract:Service computing facilitates resource sharing and business collaboration for cross-domain partiers by universal service description and discovery. The multi-domain nature of service oriented environments introduces challenging security issues, especially with regard to information flow control which controls the flow of privacy resources. This paper presents a state-of-the-art review of information flow control technology in service oriented environments. We review the research background and classifications of information flow control, and discuss architecture and existing technologies of both centralized and distributed information flow approach. We outline the features, advantages and limitations of existing information flow control approaches. The analysis results show that the research of collaboration and dynamic nature are important, but insufficient to secure information flow.

Beibei Pang,Yixuan Yang,Fei Hao

DOI: https://doi.org/10.1109/HPCC/SmartCity/DSS.2019.00373

2019-01-01

Abstract:Multi-cloud composed by multiple clouds environment can take advantages of cloud computing which is becoming increasingly popular among new scientific and technological undertakings. The requested services of users could often be distributed across some providers hosted by several clouds. The multi-cloud services composition problem requires new scalable approaches to efficiently perform searching to reduce the energy consumption and monetary cost for fulfilling user's request. In this paper, we present a sustainable strategy for multi-cloud service composition, using Formal Concept Analysis and social network by considering some critical factors such as energy consumption between clouds, monetary cost and trust between users and clouds. In addition, a novel algorithm is proposed regarding to the sustainable multi-cloud service composition. We also evaluated the proposed approach through experiments and the results reveal the feasibility and effectiveness of our approach. Finally, we point out future directions for the selection of cloud providers.

Shanchen Pang,Qian Gao,Ting Liu,Hua He,Guangquan Xu,Kaitai Liang

DOI: https://doi.org/10.1109/access.2019.2913432

IF: 3.9

2019-01-01

IEEE Access

Abstract:With the development of cloud computing, more and more individuals and organizations have moved local application resources into the cloud computing resource pool in the form of Web services so that users can choose to invoke. This paper proposes a trustworthy service composition discovery approach to satisfy user requirements including behavioral constraints in a cloud environment. First, we build a global service composition discovery model based on sematic relationships between attributes and present a service composition discovery method. Then, we propose a method for detecting behavioral consistency. We validate the feasibility and effectiveness of the proposed solutions through a case study.

Wei-Tek Tsai,Peide Zhong,Janaka Balasooriya,Yinong Chen,Xiaoying Bai,Jay Elston

DOI: https://doi.org/10.1109/ISADS.2011.90

2011-01-01

Abstract:As cloud services proliferate, it becomes difficult to facilitate service composition and testing in clouds. In traditional service-oriented computing, service composition and testing are carried out independently. This paper proposes a new approach to manage services on the cloud so that it can facilitate service composition and testing. The paper uses service implementation selection to facilitate service composition similar to Google’s Guice and Spring tools, and apply the group testing technique to identify the oracle, and use the established oracle to perform continuous testing for new services or compositions. The paper extends the existing concept of template based service composition and focus on testing the same workflow of service composition. In addition, all these testing processes can be executed in parallel, and the paper illustrates how to apply service-level MapReduce technique to accelerate the testing process.

Jia Xu,Jia Yan,Liang He,Purui Su,Dengguo Feng

DOI: https://doi.org/10.1109/CloudCom.2010.16

2010-01-01

Abstract:Massive Internet invasions implemented through the distributed platform fabricated by rapid diffusion of malwares, has become a significant issue in network security. We argue that the notion of “Collaborative Security” is an emerging trend in resisting distributed attacks originated from malware. Therefore, this paper proposes a new architecture: CloudSEC, for composing collaborative security-related services in clouds, such as correlated intrusion analysis, anti-spam, anti-DDOS, automated malware detection and containment. CloudSEC is modeled as a dynamic peer-to-peer overlay hierarchy with three types of top-down architectural components. Based on, this architecture, both data distribution and task scheduling overlays can be simultaneously implemented in a loosely coupled fashion, which can efficiently retrieve data resources from heterogeneous network security facilities, and harness distributed collection of computational resources to process data-intensive tasks. Hence, CloudSEC endues the network security infrastructure with the capability of dynamic adaptation and collaboration on an inter-organizational scale. The results of preliminary evaluation demonstrate that, CloudSEC not only delivers a sample service of distributed intrusion correlation with high scalability and robustness, but also achieves remarkable effectiveness in data sharing and task scheduling.

Guisheng Fan,Huiqun Yu,Qiang Wu,Liqiong Chen,Dongmei Liu

DOI: https://doi.org/10.6138/jit.2013.14.3.12

2013-01-01

Abstract:Service composition is an effective way to build complex Web service applications. However, it is a challenge to enforce security and reliability of those applications due to the uncertainty of service quality in distributive and heterogeneous environment. This paper proposes a novel method to compose Web services for high security and reliability, which is driven by the requirements of service consumers. Petri nets are used to precisely describe the process of service composition in order to articulate the logic relationship between components. Based on this, a strategy for analyzing the compositionality of service is presented, and a reliable service composition method and its enforcement technique are proposed. Theories of Petri nets help prove the effectiveness of strategy. Finally, a case study of Travel Service demonstrates the feasibility of our method.

Cong Sun,Ennan Zhai,Zhong Chen,Jianfeng Ma

DOI: https://doi.org/10.1007/978-3-642-25243-3_28

2011-01-01

Abstract:Interactive/Reactive computational model is known to be proper abstraction of many pervasively used systems, such as clientside web-based applications. The critical task of information flow control mechanisms aims to determine whether the interactive program can guarantee the confidentiality of secret data. We propose an efficient and flow-sensitive static analysis to enforce information flow policy on program with interactive I/Os. A reachability analysis is performed on the abstract model after a form of transformation, called multi-composition, to check the conformance with the policy. In the multi-composition we develop a store-match pattern to avoid duplicating the I/O channels in the model, and use the principle of secure multi-execution to generalize the security lattice model which is supported by other approaches based on automated verification. We also extend our approach to support a stronger version of termination-insensitive noninterference. The results of preliminary experiments show that our approach is more precise than existing flow-sensitive analysis and the cost of verification is reduced through the store-match pattern.