Similar literature
Found 20 similar documents; search took 203 ms
1.
Software vulnerability is always an enormous threat to software security. Quantitative analysis of software vulnerabilities is necessary to the evaluation and improvement of software security. Current vulnerability prediction models mainly focus on predicting the number of vulnerabilities regardless of the seriousness of vulnerabilities, therefore these models are unable to reflect the security level of software accurately. Starting from this, we propose a vulnerability prediction model based on probit regression in this paper. Unlike traditional ones, we measure the seriousness of vulnerability by the loss it causes and aim at predicting the accumulative vulnerability loss rather than the number of vulnerabilities. To validate our model, an experiment is carried out on two software programs, OpenSSL and Xpdf, and the experimental result shows a good performance of our model.

2.
This paper proposes an anomalous behavior detection model based on cloud computing. Virtual Machines (VMs) are one of the key components of cloud Infrastructure as a Service (IaaS). The security of such VMs is critical to IaaS security. Many studies have been done on cloud computing security issues, but research into VM security issues, especially regarding VM network traffic anomalous behavior detection, remains inadequate. More and more studies show that communication among internal nodes exhibits complex patterns. Communication among VMs in cloud computing is invisible. Researchers find such issues challenging, and few solutions have been proposed, leaving cloud computing vulnerable to network attacks. This paper proposes a model that uses Software-Defined Networks (SDN) to implement traffic redirection. Our model can capture inter-VM traffic, detect known and unknown anomalous network behaviors, adopt hybrid techniques to analyze VM network behaviors, and control network systems. The experimental results indicate that the effectiveness of our approach is greater than 90%, and prove the feasibility of the model.

3.
Trusted computing (TC) is an emerging technology to enhance the security of various computing platforms by a dedicated secure chip (TPM/TCM), which is widely accepted by both the industrial and academic world. This paper attempts to sketch the evolution of TC from the view of our theoretical and engineering work. In theory, we focus on protocol design and security analysis. We have proposed the first ECDAA protocol scheme based on q-SDH assumption, which highlights a new way to design direct anonymous attestation scheme. In technical evolution, we discuss the key technologies of trust chain, trusted network connection and TC testing and evaluation. We break through several key technologies such as trusted boot, OS measurement and remote attestation, and implement a TC system from TPM/TCM to network. We also design and implement a testing and evaluation system of TC platform, which is the first one put into practical application in China. Finally, with the rapid development of cloud computing and mobile applications, TC is moving toward some new directions, such as the trust in cloud and mobile environments, new TPM standard, and flexible trust execution environment trust establishment method.

4.
This paper analyzes the efficiency and security of bilinear-map-based schemes and brings about an AAA based publicly auditable scheme for cloud computing, which is much more efficient. In this scheme, a trust model including four entities is designed to provide both integrity and confidentiality protection. The proposed scheme can be proved to achieve the security goals that no cheating cloud server can pass the auditing without storing users' data intact. The efficiency of the proposal is evaluated by analyzing the fulfillment of the design goals, including the computation cost, communication cost and storage cost of our scheme. This light weight publicly auditable Proof-of-storage scheme achieves security goals perfectly, and has an excellent efficiency performance superior to the current bilinear-map-based publicly auditable Proof-of-storage scheme.

5.
Security testing is a key technology for software security. The testing results can reflect the relationship between software testing and software security, and they can help program designers for evaluating and improving software security. However, it is difficult to describe by mathematics the relationship between the results of software functional testing and software nonfunctional security indexes. In this paper, we propose a mathematics model (MSMAM) based on principal component analysis and multiattribute utility theory. This model can get nonfunctional security indexes by analyzing quantized results of functional tests. It can also evaluate software security and guide the effective allocation of testing resources in the process of software testing. The feasibility and effectiveness of MSMAM is verified by experiments.

6.
Pervasive computing environment is a distributed and mobile space. Trust relationship must be established and ensured between devices and the systems in the pervasive computing environment. The trusted computing (TC) technology introduced by trusted computing group is a distributed-system-wide approach to the provisions of integrity protection of resources. The TC's notion of trust and security can be described as conformed system behaviors of a platform environment such that the conformation can be attested to a remote challenger. In this paper the trust requirements in a pervasive/ubiquitous environment are analyzed. Then security schemes for the pervasive computing are proposed using primitives offered by TC technology.

7.
The rapid advancements in hardware, software, and computer networks have facilitated the shift of the computing paradigm from mainframe to cloud computing, in which users can get their desired services anytime, anywhere, and by any means. However, cloud computing also presents many challenges, one of which is the difficulty in allowing users to freely obtain desired services, such as heterogeneous OSes and applications, via different light-weight devices. We have proposed a new paradigm by spatio-temporally extending the von Neumann architecture, called transparent computing, to centrally store and manage the commodity programs including OS codes, while streaming them to be run in non-state clients. This leads to a service-centric computing environment, in which users can select the desired services on demand, without concern for these services' administration, such as their installation, maintenance, management, and upgrade. In this paper, we introduce a novel concept, namely Meta OS, to support such program streaming through a distributed 4VP+ platform. Based on this platform, a pilot system has been implemented, which supports Windows and Linux environments. We verify the effectiveness of the platform through both real deployments and testbed experiments. The evaluation results suggest that the 4VP+ platform is a feasible and promising solution for the future computing infrastructure for cloud services.

8.
The Kepler General Purpose GPU (GPGPU) architecture was developed to directly support GPU virtualization and make GPGPU cloud computing more broadly applicable by providing general purpose computing capability in the form of on-demand virtual resources. This paper describes a baseline GPGPU cloud system built on Kepler GPUs, for the purpose of exploring hardware potential while improving task performance. This paper elaborates a general scheme which defines the whole cloud system into a cloud layer, a server layer, and a GPGPU layer. This paper also illustrates the hardware features, task features, scheduling mechanism, and execution mechanism of each layer. Thus, this paper provides a better understanding of general-purpose computing on a GPGPU cloud.

9.
High energy consumption is one of the key issues of cloud computing systems. Incoming jobs in cloud computing environments have the nature of randomness, and compute nodes have to be powered on all the time to await incoming tasks. This results in a great waste of energy. An energy-saving task scheduling algorithm based on the vacation queuing model for cloud computing systems is proposed in this paper. First, we use the vacation queuing model with exhaustive service to model the task schedule of a heterogeneous cloud computing system. Next, based on the busy period and busy cycle under steady state, we analyze the expectations of task sojourn time and energy consumption of compute nodes in the heterogeneous cloud computing system. Subsequently, we propose a task scheduling algorithm based on similar tasks to reduce the energy consumption. Simulation results show that the proposed algorithm can reduce the energy consumption of the cloud computing system effectively while meeting the task performance.

10.
Numerical simulation of March 11, 2011 Honshu, Japan tsunami (total citations: 1; self-citations: 0; citations by others: 1)
In order to predict tsunami hazards through numerical simulation, by using the focal mechanisms as well as fault parameters of Japan's 2011 Tohoku Earthquake provided by National Geological Survey (referred to as USGS), we proposed a numerical model to simulate the Honshu, Japan tsunami. Numerical computing is conducted to investigate the security along the coast. We also analyzed the simulation results and distribution of tsunami disaster, trying to achieve a more reasonable tsunami warning program. Our numerical model is composed of simulation of surface deformation after the earthquake and the tsunami propagation process which is based on two dimensional shallow water equations. The simulation results show the characteristics of the tsunami propagation, and arrival times on recorder points are consistent with tsunami observation. This model can be applied to evaluate the security of the coastal area and obtain more accurate tsunami warning.

11.
Trusted attestation is the main obstruction preventing large-scale promotion of cloud computing. How to extend a trusted relationship from a single physical node to an Infrastructure-as-a-Service (IaaS) platform is a problem that must be solved. The IaaS platform provides the Virtual Machine (VM), and the Trusted VM, equipped with a virtual Trusted Platform Module (vTPM), is the foundation of the trusted IaaS platform. We propose a multi-dimensional trusted attestation architecture that can collect and verify trusted attestation information from the computing nodes, and manage the information centrally on a cloud management platform. The architecture verifies the IaaS's trusted attestation by appraising the VM, Hypervisor, and host Operating System's (OS) trusted status. The theory and the technology roadmap were introduced, and the key technologies were analyzed. The key technologies include dynamic measurement of the Hypervisor at the process level, the protection of vTPM instances, the reinforcement of Hypervisor security, and the verification of the IaaS trusted attestation. A prototype was deployed to verify the feasibility of the system. The advantages of the prototype system were compared with the OpenCIT (Intel Cloud attestation solution). A performance analysis experiment was performed on computing nodes and the results show that the performance loss is within an acceptable range.

12.
Infrastructure as a Service (IaaS) has brought advantages to users because virtualization technology hides the details of the physical resources, but this leads to the problem of users being unable to perceive their security. This defect has obstructed cloud computing from wide-spread popularity and development. To solve this problem, a dynamic measurement protocol in IaaS is presented in this paper. The protocol makes it possible for the user to get the real-time security status of the resources, thereby solving the problem of guaranteeing dynamic credibility. This changes the cloud service security provider from the operator to the users themselves. This study has verified the security of the protocol by means of Burrows-Abadi-Needham (BAN) logic, and the result shows that it can satisfy requirements for innovation, privacy, and integrity. Finally, based on different IaaS platforms, this study has conducted a performance analysis to demonstrate that this protocol is reliable, secure, and efficient.

13.
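The introduction of new service models and the use of virtualization technology in cloud computing environments bring a series of new security risks to information security; in response, this paper studies the security of public clouds. Starting from two aspects of users' security goals, data security and cloud service availability and performance, it comprehensively analyzes the security threats facing public clouds. A public cloud security reference framework is designed, and it is proposed to strengthen public cloud security by addressing user management, data security, data center hardware and software security, and the security issues arising from the transfer of control. Finally, cloud security assessment is discussed. Experimental results show that the structure can improve public security as a whole and withstand various security threats.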

14.
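The security of cloud computing must face both the security threats brought by traditional information technology and the new risks brought by core cloud computing technologies such as virtualization. Based on the classic PPDR model, a security model centered on security policy, protection, detection and response, and drawing on the author's many years of security practice working at a cloud service provider, this paper discusses the key technologies for the design and implementation of a cloud computing security architecture, including security design and implementation at five levels (network, host, application, data, and operations and maintenance), and looks ahead to technology trends related to cloud computing security. It presents the design and implementation of a field-tested cloud computing security architecture, in particular the design and implementation of its data security architecture. In the 3 years since it went live, the architecture has mitigated more than 99.99% of the security attacks against the cloud platform and has withstood the test of large-scale security practice on the live network.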

15.
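With the development and application of cloud computing technology, cloud computing shows significant advantages in resource utility ratio, on-demand service and other respects; compared with the traditional construction of computing resources, cloud computing, by virtue of its security assurance, efficient elastic allocation of computing resources and simple hardware requirements, can build computing resources quickly and elastically to meet different demands. Taking the utility ratio of elastic resources in cloud computing as the research focus, and based on the Poisson process, the classic stochastic process model for telecom access, this paper uses a correlated time series model to study resource prediction, and simulates and analyzes several similar models; finally, on the OpenStack cloud platform and in light of actual requirements, the model is implemented in engineering form and given preliminary testing. The results show that the method provides a feasible way to achieve on-demand use and elastic resource construction in cloud computing and, while guaranteeing the service-level agreement (SLA), further reduces the operating losses of the cloud computing platform and improves the resource utility ratio.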

16.
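Cloud computing stores or runs data on Internet-connected devices, so privacy and security problems inevitably exist, especially for important or sensitive government or enterprise data. This article proposes a federated security model to reduce or eliminate the security risks of cloud computing, tries to use the federated security model to solve the security problems arising in cloud computing, demonstrates the feasibility of the security model, and offers implementation suggestions.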

17.
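The security problem of cloud computing is not only a matter of security technology itself, but also involves related issues such as the reliability and confidentiality of cloud systems and lack of information. To enhance the security of heterogeneous, independent cloud computing environments, a cloud dependability model, CDMV (cloud dependability model by virtualization techniques), is proposed. The main contributions are in the following two respects: a new cloud system dependability model, CDMV, with good scalability and generality is proposed, and the dependability properties of the CDMV model are systematically analyzed; a definition of cloud system dependability and metrics for dependability are given and analyzed quantitatively.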

18.
乔明中 《科技信息》2011,(33):134-134,43
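Cloud computing is an emerging computing model. As a hot topic in the IT industry, cloud computing has received a great deal of attention, and many IT companies have begun to offer products and software services such as cloud storage and cloud security. This paper analyzes the characteristics, applications and existing problems of cloud computing.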

19.
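Based on an exploration of the network information security risks currently facing university digital libraries, this paper puts forward the concept of "cloud security" based on the cloud computing architecture. In comparison with traditional network security technologies, it describes the advantages that the new technology and new concept can bring to modern digital libraries in terms of security defense, management and economics.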

20.
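As the next stage of IT development, cloud computing has many advantages, such as improving business flexibility, scalability, work efficiency and corporate profitability, but along with these advantages it also brings new security risks and problems. Among the many security issues, the security of data storage has become the core issue of cloud computing security. In view of the characteristics of cloud computing data, and building on research into data encryption technology, this paper discusses the issue of data sensitivity and, combining the advantages of data encryption methods, proposes a scheme that divides data into different security levels and then applies cryptographic techniques, so as to achieve secure storage of data in a cloud computing environment.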

Copyright©北京勤云科技发展有限公司  京ICP备09084417号