Computer Science ›› 2019, Vol. 46 ›› Issue (11): 123-129. doi: 10.11896/jsjkx.190300112

• Information Security •

Research on Broker-Based Multicloud Access Control Model

ZHAO Peng1, WU Li-fa2, HONG Zheng1

  1. (College of Command & Control, Army Engineering University of PLA, Nanjing 210007, China)1
     (School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023, China)2
  • Received: 2019-03-22  Online: 2019-11-15  Published: 2019-11-14
  • Corresponding author: WU Li-fa (born 1968), male, professor, Ph.D. supervisor; main research interests: network security, software security. E-mail: wulifa@njupt.edu.cn
  • About the authors: ZHAO Peng (born 1983), male, Ph.D. candidate; main research interest: network security. E-mail: zhpeng0729@163.com. HONG Zheng (born 1979), male, associate professor; main research interests: network security, protocol reverse engineering.
  • Funding: This work was supported by the National Key R&D Program of China (2017YFB0802900) and the Scientific Research Project of Nanjing University of Posts and Telecommunications (NY219004).

Abstract: Multicloud combines cloud resources in a provider-independent way without requiring providers to change their technical solutions or operating models, and is a widely accepted intercloud model with significant promotional value. A cloud broker provides transparent services to cloud providers and cloud users, composes the resources of multiple providers on demand, and reduces the difficulty of cross-cloud collaboration, the risk of vendor lock-in and the cost to users. However, the heterogeneity of access control policies across cloud providers and the lack of trust mechanisms between them can easily cause security problems such as privacy leakage and data loss, which seriously hinders the adoption of Multicloud. This paper takes trust, context and service level agreements (SLA) into account and proposes a broker-based Multicloud access control model (MC-ABAC). First, the architecture of the model is constructed; it consists of a Virtual Resource Manager (VRM), an Access Control Manager (ACM) and a Cloud Access Control Broker (CACB). Second, the Multicloud access control model is designed: it defines subject, resource, environment and operation, formalizes trust, context, SLA and authorization policy, and achieves trust measurement of cloud providers and cross-cloud authorization. Third, the workflows of Multicloud access control are designed, covering access to the Multicloud from a local provider and access via the CACB. Finally, a Multicloud access control environment is built with CloudSim 4.0 and OpenAZ to verify availability metrics of the model such as request success rate and response time. The experimental results show that, under normal use and with a large number of requests, the request success rate of MC-ABAC is about 18% higher than that of the ABAC model, and its response time is also better than that of ABAC.

Key words: Multicloud, Access control, Service level agreement, Context information, Trust management, Cloud broker
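To make the decision factors named in the abstract concrete, here is an added illustration (not the paper's own MC-ABAC code) of a cloud access control broker deciding a cross-cloud request from subject, resource, environment and operation attributes together with provider trust and SLA; the attribute names, trust threshold and rules are assumptions, and the providers are constructed sample data.

```python
# Illustrative broker-side decision combining an ABAC rule with provider
# trust, SLA and context checks. All names, thresholds and rules are assumed.
from dataclasses import dataclass

TRUST_THRESHOLD = 0.7   # assumed minimum trust score for a remote provider

@dataclass
class Provider:
    name: str
    trust: float        # 0..1, constructed trust score for the provider
    sla_uptime: float   # availability the provider's SLA guarantees, e.g. 0.999

@dataclass
class Request:
    subject: dict       # e.g. {"role": "analyst", "tenant": "acme"}
    resource: dict      # e.g. {"tenant": "acme", "hosts": ["cloudA", ...]}
    environment: dict   # context, e.g. {"hour": 10, "channel": "tls"}
    operation: str      # e.g. "read"

def abac_rule(req: Request) -> bool:
    """Plain ABAC rule (assumed): same tenant, and only analysts may read."""
    same_tenant = req.subject.get("tenant") == req.resource.get("tenant")
    allowed_op = req.operation == "read" and req.subject.get("role") == "analyst"
    return same_tenant and allowed_op

def context_ok(env: dict) -> bool:
    """Context check (assumed): business hours and an encrypted channel."""
    return 8 <= env.get("hour", -1) < 18 and env.get("channel") == "tls"

def mc_abac_decide(req: Request, providers: dict, sla_required: float):
    """Broker decision: attribute rule, then context, then pick a hosting
    provider that meets the trust threshold and the required SLA.
    Returns (permit, provider_name, reason)."""
    if not abac_rule(req):
        return False, None, "attribute rule denied"
    if not context_ok(req.environment):
        return False, None, "context denied"
    hosts = req.resource.get("hosts", [])
    candidates = [providers[n] for n in hosts if n in providers]
    eligible = [p for p in candidates
                if p.trust >= TRUST_THRESHOLD and p.sla_uptime >= sla_required]
    if not eligible:
        return False, None, "no trusted provider meets the SLA"
    best = max(eligible, key=lambda p: (p.trust, p.sla_uptime))
    return True, best.name, "permit"

# Constructed sample providers: B is untrusted, C offers a weaker SLA.
PROVIDERS = {
    "cloudA": Provider("cloudA", trust=0.9, sla_uptime=0.999),
    "cloudB": Provider("cloudB", trust=0.5, sla_uptime=0.9999),
    "cloudC": Provider("cloudC", trust=0.8, sla_uptime=0.99),
}
```

A denial reason is returned alongside the decision so that the broker can log which factor (attributes, context, trust or SLA) blocked a cross-cloud request.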

CLC number: TP393