计算机学报
CHINESE JOURNAL OF COMPUTERS
2009, Issue 11, pp. 2187-2199 (13 pages)
李明楚%杨彬%钟炜%田琳琳%江贺%胡红钢
feedback mechanism%CAS%trust model%dynamic authorization%grid computing
Existing grid authorization systems are static: they provide no mechanism for feeding back how users actually use the permissions they have been granted. When a previously trusted user or service becomes untrustworthy, the authorization system cannot detect the change in time and adjust its permissions, which may allow malicious users to damage the grid system. Building a feedback mechanism into the authorization system that dynamically adjusts users' roles according to their behavior is therefore of great importance to grid security. This paper analyzes the characteristics of the existing authorization systems and trust models in grids and points out their shortcomings. On this basis, it proposes a new dynamic authorization model based on a feedback mechanism, which addresses the static nature of existing authorization systems. The model improves the CAS authorization system by adding a feedback mechanism and a trust degree computing mechanism. Within the trust degree computing mechanism, the paper proposes a new behavior-based two-layer trust model which, unlike earlier trust models, uses service weights to distinguish important services from common services, thereby protecting the important services in the grid and effectively suppressing the behavior of malicious nodes. The paper also proposes a new, more accurate method for computing recommendation trust degrees between domains, which solves the problem of dishonest feedback. The feedback mechanism uses the changes in user trust degree given by the behavior-based two-layer trust model to adjust each user's role dynamically according to the user's behavior. Three groups of simulation experiments are designed to verify the characteristics of the new model and its suppression of malicious entities' behavior in the grid; examining the model from different angles, they demonstrate the sensitivity to behavior, convergence, validity and rationality of the behavior-based two-layer trust model.