【摘 要】
:
Although there are many access control models having been developed and applied in various environments,few of them have addressed the issue of managing information access control in the combined cont
【机 构】
:
Key Laboratory of Beijing Network Technology, Beijing, China;School of Computer Science and Engineer
论文部分内容阅读
Although there are many access control models having been developed and applied in various environments,few of them have addressed the issue of managing information access control in the combined context of virtualization and multiple domains.Aiming at applying RBAC in the virtualized and multi-domain scenarios,this paper enhanced authorization ability of RBAC through two concepts: domain and virtual machine.We define an innovative model named VRBAC in which authorized users can migrate or copy virtual machines from one domain to another without causing a conflict.Domain users or groups are allowed to share permissions of not only resources like shared files but also virtual machines with others either from the same or a different domain.Three types of conflicts between VRBAC policies are defined and formulated in the form of ontologies,which provides extra access to description logic reasoning and facilitates the conflict detection procedure.Moreover,in order to address the practical needs in enterprise management processes,we have successfully applied VRBAC to a widely used virtualization infrastructure: Microsoft Active Directory and VMware vSphere platform.Experimental results indicate that all policy conflicts can be detected precisely and efficiently.The generated reports can offer network administrators the conflict details including conflict types,positions and causes,which will serve as guidance for further conflict resolution.
其他文献
Resource reservation is a widely used mechanism in distributed systems and high-performance networks,and the optimization of its performance has been greatly concerned.Data structure is used to store
In virtualized and dynamical cloud computing environment,all resources can be virtualized and provided as IT services which can be accessed through internet in a pervasive way.One can create new value
The P2P (peer-to-peer) has been widely used in file sharing,online chatting,peer computing,etc.Network traffic generated by P2P applications makes up of a large portion of the overall Internet traffic
Communication systems utilize the Distributed Hash Table (DHT) approach to build the network infrastructure for advantages of even distribution of workload,high scalability and cost-effectiveness.Alth
The Internet is designed to bypass failures by rerouting around connectivity outages.Consequently,dynamical redistribution of loads may result in congestion in other networks.Due to the co-location of
The existing methods of policy refinement in computer network defense (CND) can only support the refinement of access control policy,but not the policies of protection,detection,response,and recovery.
Recently,the Graphics Processing Unit (GPU) has been proved to be an exciting new platform for high-performance software routers.On such a platform,designing efficient IP lookup engine is a challengin
As one of the three service models of cloud computing,PaaS (Platform as a Service) has gained more and more popularity for its capabilities in optimizing development productivity and business agility.
Conflict detection is an important issue of the Access Control Policy.Most conflict detection tools mainly focus on the two rules that have contrary actions,but there are also other rules which are ne
Large networks are always partitioned into several small networks when deploying software defined networks (SDN),and a dedicated network operating system (NOS) is deployed for each network.Each NOS ha