Security Context

The experts below are selected from a list of 171,168 experts worldwide ranked by the ideXlab platform.

Cees De Laat - One of the best experts on this subject based on the ideXlab platform.

  • policy and Context management in dynamically provisioned access control service for virtualized cloud infrastructures
    Availability Reliability and Security, 2012
    Co-Authors: Canh Ngo, Yuri Demchenko, Peter Membrey, Cees De Laat
    Abstract:

    Cloud computing is developing as a new wave of ICT technologies, offering a common approach to on-demand provisioning of computation, storage and network resources, which are generally referred to as infrastructure services. Most currently available commercial Cloud services are built and organized to reflect simple relations between a single provider and multiple customers, with a simple security and trust model. New architectural models should allow a multi-provider heterogeneous service environment that can be delivered to organizational customers representing multiple user groups. These models should be supported by new security approaches for a multi-provider, multi-tenant environment crossing multiple security domains, to create consistent and dynamically configurable security services for virtualized infrastructures. This paper proposes an on-demand provisioned access control infrastructure with dynamic trust establishment for entities in a Cloud IaaS architecture model. It applies an XACML-based RBAC model for flexible authorization policy configuration and management. It uses an authorization ticket as a security session management mechanism to solve security context synchronization and exchange between multiple Cloud providers. The paper describes a practical implementation of the proposed Dynamic Access Control Infrastructure as part of a complex infrastructure services provisioning system.

  • Security framework for virtualised infrastructure services provisioned on demand
    IEEE International Conference on Cloud Computing Technology and Science, 2011
    Co-Authors: Canh Ngo, Yuri Demchenko, Peter Membrey, Cees De Laat
    Abstract:

    Cloud computing is developing as a new wave of ICT technologies, offering a common approach to on-demand provisioning of computation, storage and network resources, which are generally referred to as infrastructure services. Most currently available commercial Cloud services are built and organized to reflect simple relations between a single provider and a single customer, with a simple security and trust model. New architectural models should allow a multi-provider heterogeneous services environment that can be delivered to organizational customers representing multiple user groups. These models should be supported by new security approaches that create consistent security services in a virtualised multi-provider Cloud environment and incorporate complex access control and trust relations among Cloud actors. The paper analyzes basic use cases in Cloud services provisioning and defines a security infrastructure reference model, which is then used to define other security infrastructure aspects such as dynamic trust management, distributed access control, and policy and security context management. It also provides information about the ongoing implementation of the proposed Dynamic Access Control Infrastructure, based on an Enterprise Service Bus, as part of a complex infrastructure services provisioning system.

  • Security infrastructure for on-demand provisioned cloud infrastructure services
    Proceedings - 2011 3rd IEEE International Conference on Cloud Computing Technology and Science, CloudCom 2011, 2011
    Co-Authors: Yuri Demchenko, Chun Ming Rong, Canh Ngo, Tomasz Wiktor Wlodarczyk, Cees De Laat, Wolfgang Ziegler
    Abstract:

    Providing consistent security services in on-demand provisioned Cloud infrastructure services is of primary importance due to the multi-tenant and potentially multi-provider nature of the Cloud Infrastructure as a Service (IaaS) environment. A Cloud security infrastructure should address two aspects of IaaS operation and dynamic security services provisioning: (1) provide a security infrastructure for secure Cloud IaaS operation, and (2) provision dynamic security services, including creation and management of dynamic security associations, as part of the provisioned composite services or virtual infrastructures. The first task is a traditional task in security engineering, while dynamic provisioning of managed security services in a virtualised environment remains a problem and requires additional research. In this paper we discuss both aspects of Cloud security and provide suggestions about the security mechanisms required for secure data management in dynamically provisioned Cloud infrastructures. The paper refers to the architectural framework for on-demand infrastructure services provisioning being developed by the authors, which provides a basis for defining the proposed Cloud Security Infrastructure. The proposed SLA management solution is based on WS-Agreement and allows dynamic SLA management during the whole provisioned services lifecycle. The paper discusses conceptual issues, basic requirements and practical suggestions for a dynamically provisioned access control infrastructure (DACI). The paper proposes the security mechanisms required for consistent DACI operation, in particular security tokens used for access control, policy enforcement and authorisation session context exchange between provisioned infrastructure services and Cloud provider services. The suggested implementation is based on the GAAA Toolkit Java library developed by the authors, extended with the proposed Common Security Services Interface (CSSI) and additional mechanisms for binding sessions and security context between provisioned services and the virtualised platform.

  • xacml policy profile for multidomain network resource provisioning and supporting authorisation infrastructure
    IEEE International Symposium on Policies for Distributed Systems and Networks, 2009
    Co-Authors: Yuri Demchenko, Mihai Cristea, Cees De Laat
    Abstract:

    Policy definition is an important component of a consistent authorisation service infrastructure that can be effectively integrated with the general resource provisioning workflow and the network control and management plane. The paper describes the proposed XACML-NRP policy and attributes profile for Network Resource Provisioning. In addition to specifying the set of subject, resource and action attributes required for consistent XACML policy definition, the proposed profile also allows handling of network path information, which is especially important for QoS enforcement. To overcome the stateless character of XACML policies, the proposed authorisation infrastructure provides a number of security mechanisms to support functionality that is important for NRP, such as authorisation session and interdomain security context management, simple delegation, conditional authorisation decisions, and policy obligations handling.

  • authorisation infrastructure for on demand network resource provisioning
    Grid Computing, 2008
    Co-Authors: Yuri Demchenko, Mihai Cristea, Cees De Laat
    Abstract:

    High performance Grid applications require a high speed network infrastructure that is capable of providing network connectivity service on demand. This paper presents results of the development of the Authorisation (AuthZ) infrastructure for on-demand multidomain network resource provisioning (NRP). We propose a general Complex Resource Provisioning (CRP) model that can be used as a basis for AuthZ infrastructure development, providing a common abstraction for provisioning both network and Grid resources. This model allows common policy expressions, using single sign-on user credentials when requesting and accessing complex Grid-Network resources. The implementation described is based on the generic AAA Authorisation Framework (GAAA-AuthZ) and suggests a number of security mechanisms and components that extend GAAA-AuthZ to achieve consistent policy enforcement and security context management: a Token Validation Service (TVS), an AuthZ ticket used for AuthZ session management, a special XACML profile for NRP, and a reference model for policy obligations handling (OHRM). The proposed infrastructure and solutions are being implemented in the framework of the EU project Phosphorus and use the authors' experiences gained from major Grid based and Grid oriented projects.
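The authorisation ticket and Token Validation Service (TVS) that this abstract relies on, and the authorisation ticket used for cross-provider security context exchange in the 2012 paper above, can be made concrete with a small model. The following Python is an added example written for this page; it is not the GAAA Toolkit or any code from the authors. It assumes a shared HMAC key between the issuing AuthZ service and the TVS, a JSON ticket body carrying subject, resource, permitted actions, audience domains, session id and expiry (field names chosen here, not taken from the papers), and a compact token that refers back to a stored ticket by session id.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder: in a real multi-domain deployment this would be
# per-domain key material agreed between the AuthZ service and each TVS.
SHARED_KEY = b"example-tvs-key-not-for-production"


class TicketError(Exception):
    """Raised by the TVS when a ticket or token fails validation."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, key: bytes) -> str:
    return _b64(hmac.new(key, payload, hashlib.sha256).digest())


def issue_ticket(subject, resource, actions, domains, session_id, ttl,
                 key=SHARED_KEY, now=None):
    """AuthZ-service side: bind the decision and its session context into a
    signed ticket. The audience list limits which domains may accept it."""
    now = time.time() if now is None else now
    body = {
        "sub": subject, "res": resource, "act": sorted(actions),
        "aud": sorted(domains), "sid": session_id,
        "iat": int(now), "exp": int(now + ttl), "decision": "Permit",
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return _b64(payload) + "." + _sign(payload, key)


def validate_ticket(ticket, domain, action, key=SHARED_KEY, now=None):
    """TVS side: verify signature first, then expiry, domain binding and action.
    Returns the ticket body (the session context) on success."""
    now = time.time() if now is None else now
    try:
        enc_payload, sig = ticket.split(".", 1)
        payload = _unb64(enc_payload)
    except (ValueError, TypeError):
        raise TicketError("malformed ticket")
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(_sign(payload, key), sig):
        raise TicketError("bad signature")
    body = json.loads(payload)
    if now >= body["exp"]:
        raise TicketError("expired")
    if domain not in body["aud"]:
        raise TicketError("ticket not valid for domain " + domain)
    if action not in body["act"]:
        raise TicketError("action not authorised: " + action)
    return body


def derive_token(ticket, key=SHARED_KEY):
    """Compact AuthZ token for the data plane: session id plus a MAC over the
    whole ticket, so the token cannot be re-bound to a different ticket."""
    enc_payload, _ = ticket.split(".", 1)
    sid = json.loads(_unb64(enc_payload))["sid"]
    return sid + ":" + _sign(ticket.encode(), key)


def validate_token(token, ticket_store, domain, action, key=SHARED_KEY, now=None):
    """Resolve a token to the stored ticket it references, check the MAC, then
    run the full ticket validation for this domain and action."""
    sid, sep, mac = token.partition(":")
    ticket = ticket_store.get(sid)
    if not sep or ticket is None or not hmac.compare_digest(_sign(ticket.encode(), key), mac):
        raise TicketError("unknown or forged token")
    return validate_ticket(ticket, domain, action, key=key, now=now)


if __name__ == "__main__":
    t = issue_ticket("alice", "vlan-42", ["connect"], ["domainA", "domainB"], "s1", 300)
    store = {"s1": t}
    print(validate_ticket(t, "domainA", "connect"))
    print(validate_token(derive_token(t), store, "domainB", "connect"))
```

The signature is checked before any field is read, and the audience check is what stops a ticket issued for one provider's domain from being replayed at another; the expiry gives the session a bounded lifetime, which the XACML policy itself cannot express.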

Yuri Demchenko - One of the best experts on this subject based on the ideXlab platform.

  • policy and Context management in dynamically provisioned access control service for virtualized cloud infrastructures
    Availability Reliability and Security, 2012
    Co-Authors: Canh Ngo, Yuri Demchenko, Peter Membrey, Cees De Laat

  • Security framework for virtualised infrastructure services provisioned on demand
    IEEE International Conference on Cloud Computing Technology and Science, 2011
    Co-Authors: Canh Ngo, Yuri Demchenko, Peter Membrey, Cees De Laat

  • Security infrastructure for on-demand provisioned cloud infrastructure services
    Proceedings - 2011 3rd IEEE International Conference on Cloud Computing Technology and Science, CloudCom 2011, 2011
    Co-Authors: Yuri Demchenko, Chun Ming Rong, Canh Ngo, Tomasz Wiktor Wlodarczyk, Cees De Laat, Wolfgang Ziegler

  • Access control infrastructure for on-demand provisioned virtualised infrastructure services
    2011 International Conference on Collaboration Technologies and Systems (CTS), 2011
    Co-Authors: Yuri Demchenko, Canh Ngo, Cees De Laat
    Abstract:

    Cloud technologies are emerging as a new way of provisioning virtualised computing and infrastructure services on demand for collaborative projects and groups. Security in provisioning virtual infrastructure services should address two general aspects: supporting secure operation of the provisioning infrastructure, and provisioning a dynamic access control infrastructure as part of the provisioned on-demand virtual infrastructure. The paper refers to the architectural framework for on-demand infrastructure services provisioning and defines the general security requirements for the security infrastructure. A dynamically provisioned access control infrastructure (DACI) reveals a wide spectrum of problems related to distributed access control, policy and related security context management. Consistent security services design, deployment and operation require continuous security context management during the whole security services lifecycle, which is aligned with the main provisioned services lifecycle. The paper discusses conceptual issues, basic requirements and practical suggestions for provisioning dynamically configured access control services. The paper discusses the security mechanisms required for consistent DACI operation, in particular the use of authorisation tokens for access control and authorisation session context exchange between infrastructure services and providers. The proposed security infrastructure implementation is based on the GAAA-Toolkit, which provides rich security session context management functionality with authorisation tickets and tokens. The defined Common Security Services Interface (CSSI) allows uniform calls to security services in both the provisioning and the virtual infrastructures.

  • xacml policy profile for multidomain network resource provisioning and supporting authorisation infrastructure
    IEEE International Symposium on Policies for Distributed Systems and Networks, 2009
    Co-Authors: Yuri Demchenko, Mihai Cristea, Cees De Laat

Toby P Breckon - One of the best experts on this subject based on the ideXlab platform.

  • object classification in 3d baggage Security computed tomography imagery using visual codebooks
    Pattern Recognition, 2015
    Co-Authors: Greg T. Flitton, Andre Mouton, Toby P Breckon
    Abstract:

    We investigate the performance of a Bag of (Visual) Words (BoW) object classification model as an approach for automated threat object detection within 3D Computed Tomography (CT) imagery from a baggage security context. This poses a novel and unique challenge for rigid object classification within complex and cluttered volumetric imagery. Within this context it extends the BoW model to 3D transmission imagery (X-ray CT) from its conventional application in 2D reflectance (photographic) imagery. We explore combinations of four 3D feature descriptors (Density Histogram (DH), Density Gradient Histogram (DGH), Scale Invariant Feature Transform (SIFT) and Rotation Invariant Feature Transform (RIFT)), three codebook assignment methodologies (hard, kernel and uncertainty) and seven codebook sizes. Optimal performance is achieved using the DH and DGH descriptors in conjunction with an uncertainty assignment methodology. Successful detection rates in excess of 97% for handguns and 89% for bottles, and false-positive rates of approximately 2-3%, are achieved. We demonstrate that the underlying imaging modality, and the irrelevance of illumination and scale invariance within the transmission imagery context considered here, result in the favourable performance of the simpler density histogram descriptors (DH, DGH) over 3D extensions of the well-established SIFT and RIFT feature descriptor approaches.

    Highlights:
      • Novel investigation of the BoW model for object classification in 3D baggage CT scans.
      • Four descriptor types and three codebook assignment methodologies compared.
      • Simple density-based descriptors outperform more complex descriptors.
      • Optimal true and false positive rates for classification of handguns and bottles.
      • Low resolution, noise and artefacts limit performance.
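To make the three codebook assignment methods the abstract compares concrete, the following Python is an added example for this page, not code from the authors. It uses a hand-picked 2-D codebook and three constructed descriptors standing in for the density histogram features, and assumes the kernel-codebook definitions in which kernel assignment adds an unnormalised Gaussian weight to every codeword and uncertainty assignment normalises those weights per descriptor so each descriptor contributes unit mass; whether the paper uses exactly these definitions is an assumption here.

```python
import math

# Constructed toy codebook: four 2-D codewords standing in for the cluster
# centres a real system would learn from training descriptors.
CODEBOOK = [(0.0, 0.0), (1.0, 0.0), (0.0, 1.0), (1.0, 1.0)]


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def _kernel(d, sigma):
    # Gaussian kernel on the descriptor-to-codeword distance.
    return math.exp(-(d * d) / (2.0 * sigma * sigma))


def hard_assignment(descriptors, codebook=CODEBOOK):
    """Each descriptor votes once, for its nearest codeword."""
    hist = [0.0] * len(codebook)
    for desc in descriptors:
        nearest = min(range(len(codebook)), key=lambda i: _dist(desc, codebook[i]))
        hist[nearest] += 1.0
    return hist


def kernel_assignment(descriptors, codebook=CODEBOOK, sigma=0.5):
    """Each descriptor adds a kernel weight to every codeword (unnormalised),
    so a descriptor far from all codewords contributes little overall."""
    hist = [0.0] * len(codebook)
    for desc in descriptors:
        for i, word in enumerate(codebook):
            hist[i] += _kernel(_dist(desc, word), sigma)
    return hist


def uncertainty_assignment(descriptors, codebook=CODEBOOK, sigma=0.5):
    """Kernel weights normalised per descriptor: an ambiguous descriptor is
    spread over several codewords but still contributes total mass 1."""
    hist = [0.0] * len(codebook)
    for desc in descriptors:
        weights = [_kernel(_dist(desc, word), sigma) for word in codebook]
        total = sum(weights)
        for i, w in enumerate(weights):
            hist[i] += w / total
    return hist


def normalise(hist):
    """L1-normalise a histogram so volumes with different descriptor counts
    are comparable."""
    total = sum(hist)
    return [h / total for h in hist] if total else list(hist)


def bow_histograms(descriptors, codebook=CODEBOOK, sigma=0.5):
    """All three assignment schemes for one set of descriptors."""
    return {
        "hard": normalise(hard_assignment(descriptors, codebook)),
        "kernel": normalise(kernel_assignment(descriptors, codebook, sigma)),
        "uncertainty": normalise(uncertainty_assignment(descriptors, codebook, sigma)),
    }


if __name__ == "__main__":
    # Constructed descriptors: one close to a codeword, one roughly midway
    # between codewords, one close to another codeword.
    sample = [(0.1, 0.0), (0.45, 0.48), (0.9, 1.0)]
    for name, hist in bow_histograms(sample).items():
        print(name, [round(h, 3) for h in hist])
```

The midway descriptor is where the schemes differ: hard assignment gives all of its vote to a single codeword, kernel assignment lets it count for more or less than one vote depending on sigma, and uncertainty assignment keeps its total contribution at one while spreading it across the codewords it is close to.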

Greg T. Flitton - One of the best experts on this subject based on the ideXlab platform.

  • object classification in 3d baggage Security computed tomography imagery using visual codebooks
    Pattern Recognition, 2015
    Co-Authors: Greg T. Flitton, Andre Mouton, Toby P Breckon

Apurva Kumar - One of the best experts on this subject based on the ideXlab platform.

  • integrated Security Context management of web components and services in federated identity environments
    International Conference on Service Oriented Computing, 2008
    Co-Authors: Apurva Kumar
    Abstract:

    The problem of providing unified web security management in an environment with multiple autonomous security domains is considered. Security vendors provide separate security management solutions for cross-domain browser based and web service based interactions. This is partly due to the fact that different web standards dominate in each space. For example, Security Assertion Markup Language (SAML), an important standard in cross-domain single sign-on (SSO), specializes in browser based access, while the WS-* standards focus on the security needs of web services. However, cross-domain web services are often invoked in the context of a secure browser session. Considering these interactions in isolation will lead to a fractured security solution. This paper proposes a solution that provides seamless transfer of security context across the various types of cross-domain web interactions.