8 research outputs found

    Development of a Pervasive Service Middleware Platform with Quality-of-Service Guarantees in Heterogeneous Networks

    No full text
    [[abstract]]Project period: 2009/11/01 to 2011/09/30. Total approved amount: 1,014,000

    Development of Context-Aware Data Encryption and Distribution Services for a Cloud Broker Gateway (II)

    No full text
    [[abstract]]Project period: 2012/08/01 to 2013/09/30. Total approved amount: 631,000

    Development of Context-Aware Data Encryption and Distribution Services for a Cloud Broker Gateway (I)

    No full text
    [[abstract]]In recent years, cloud computing has received significant attention due to the rapid development of the Internet. With the MapReduce programming model, users can easily develop applications that process large amounts of data efficiently. In this project, we plan to provide secure, high-performance cloud services to users through a broker gateway in a heterogeneous hierarchical cloud architecture. According to the literature, one of the challenges in improving MapReduce performance is assigning an appropriate number of mapper and reducer tasks to each node in the cloud. Although much previous work has improved MapReduce performance, most approaches assume homogeneous nodes, so the default assignment is uniform: every node receives the same number of mapper and reducer tasks. Uniform assignment is not suitable for heterogeneous clouds, because each node has different computing capability and available resources; giving every node the same workload unbalances the load among nodes and degrades performance. Therefore, in this project, we propose an adaptive task assignment approach for heterogeneous clouds that assigns a different number of mapper and reducer tasks to each node according to the job characteristics, the data size, and the nodes' resources. The objective is to achieve load balancing among nodes, which improves both performance and resource utilization. Moreover, to realize such a system in practice, this year we designed and implemented a prototype that distributes tasks to nearby mobile devices for parallel processing. To ensure data security, data is encrypted in transit. According to users' security and performance requirements, the system can also select the appropriate computing nodes and encryption algorithms for maximizing data security and job performance.

    Subproject 3: An Immune System Based Approach to Develop Secure IoT Applications Using Advanced Driver Assistant Systems as a Case Study

    No full text
    [[abstract]]The objective of this subproject, “An Immune System based Approach to Develop Secure IoT Applications using Advanced Driver Assistant Systems (ADAS) as a Case Study”, is to ensure the security of the sensing data generated by ADAS on a large number of vehicles while it is transmitted over the network to cloud data centers for storage and computation. The main result of the first year is IoT Identity-Based Encryption (I2BE), whose objective is to provide fine-grained access control based on the profile of thing (PoT), so that data generated by IoT devices can be accessed by the appropriate users while data security and privacy are preserved. Because the number of IoT devices is increasing rapidly, the traditional access control list (ACL) scales poorly and is no longer suitable for access control in IoT. According to our study, Ciphertext-Policy Attribute-Based Encryption (CP-ABE) can be a suitable solution for encrypting data exchanged over IoT while also providing access control. In this subproject, we design and implement a security protocol that applies CP-ABE to secure data communication between IoT devices. Owing to the nature of CP-ABE, the encrypted data can still be shared with authorized users. In addition, the security protocol has been implemented on top of Message Queue Telemetry Transport (MQTT). MQTT is regarded as one of the important IoT protocols, and many IoT platform providers, such as Google, Microsoft, Amazon, and IBM, support MQTT in their solutions. To confirm the feasibility of the proposed approach on resource-constrained IoT devices, we also analyze the time CP-ABE needs for encryption and decryption under access policy trees with different numbers of attributes and heights. However, the computational complexity of CP-ABE is too high for it to be executed on most resource-restricted IoT devices. We therefore propose an efficient task offloading approach based on node capability estimation in a cloudlet (EstiTO), which offloads computation to nearby devices according to their capability. According to the experimental results, EstiTO can improve the performance by 2 times; it will be implemented in the second year of this project.

    Subproject 4: Development of a Security Service for Multi-Device Cooperative Computing and Data Access in Mobile Clouds

    No full text
    [[abstract]]The goal of this project is to design and implement a software system that provides a security service for multi-device cooperative computing and data access in mobile clouds. So that users can trust cloud services, conventional security measures are applied to provide secure data access that adapts to user-defined security requirements. The security service proposed in this project has the following features: (1) scalable group authorization, (2) flexible conditional group authorization, and (3) fine-grained authorization of cloud data access. In this project, we propose (1) granularity cloud data licensing with identity management (GDL) and (2) a threshold-based key generation approach (TKGA). In GDL, service responders can easily specify, via service brokers, who can access their data, when, and how. Service requesters can then access the data of service responders if and only if they obtain authorization from the service brokers. Compared with existing access control description languages, GDL is more appropriate for protecting data in database and file formats. In addition, TKGA is proposed to prevent single point of failure and collusion attacks in CP-ABE. According to our security and performance evaluation, TKGA can resist collusion attacks. Although its computation and communication overhead is higher than that of the key generation algorithms of ABE, KP-ABE, and CP-ABE, security and performance can be balanced by appropriately selecting n and k in (n, k)-secret sharing. Optimally selecting n and k to balance security and performance is left for future work.

    Development of Intelligent Cloud Broker Gateway Capable of Multi-Level Client Awareness as Well as Hierarchical Security and Service Quality Negotiation

    No full text
    [[abstract]]This main project hosts four subprojects and proposes the “Development of Intelligent Cloud Broker Gateway Capable of Multi-level Client Awareness as well as Hierarchical Security and Service Quality Negotiation.” Its primary functions are: brokering optimal cloud services for the service requirements of a particular client space (mobile users, Internet of Things, or hybrids); user-centric service brokering based on awareness, at multiple levels, of the resource status and application context of clients and client facilities; cloud service brokering with QoS negotiation according to the resource status of multiple cloud platforms and the operational requirements of the target services; effective coordination of the security policies of clients, brokers, and cloud platforms to best protect access to cloud services; and optimal service scheduling over the overall resources of a particular cloud user space, so that every user and facility in the space experiences premium quality of service. Through an application to a product exposition scenario (such as the Consumer Electronics Show, CES), we demonstrate the following key technologies. First, multi-level client awareness, including device-context awareness (device capability, discovery, availability, reliability), user-context awareness (preference, demand, location, privacy), and network-context awareness (bandwidth, latency, reliability, security). Second, intelligent multi-cloud service brokering, including service recommendation and brokering based on multi-level client awareness, QoS-based service discovery and composition over multiple clouds, and optimal user space resource scheduling for client service requests. Finally, cross-layer cloud security management, comprising integrated security policy negotiation and planning, security facility matching, and data-sensitive encryption. In the system implementation, the exposition is partitioned into several areas, each with the private cloud of an administration unit (abbreviated ADM). Each private cloud corresponds to a broker gateway (abbreviated broker). The broker thus not only partitions the network domain but also distributes data access for optimal resource allocation and security. The private clouds together form a larger private cloud, and a higher-level broker manages the brokers so that they can communicate with public clouds. The higher-level broker learns service availability from the internal brokers and conveys services from private and public clouds to users. The project is scheduled over three years. In the first year, we are to accomplish a single broker with a single ADM private cloud. In the second year, we are to accomplish a hierarchical multiple-broker system for multiple ADM clouds. In the third year, we will bring public cloud resources and services into the expo application, so that the system connects private and public clouds to deliver optimal service according to automatic context analysis. Realizing the expo application involves developing a number of urgently needed cloud computing technologies. Moreover, with support from the Center for Research of E-life DIgital Technology (CREDIT) and Advance Multimedia Internet Technology (AMIT) Corporation, we apply the developed technologies in consumer products. Therefore, varied and solid achievements are predictable in academic research, industry promotion, and talent cultivation.[[note]]NSC100-2218-E327-00

    Self-Organized User Devices as Multi-Clouds with Performance Development Platform

    No full text
    [[abstract]]We exploit the Hierarchical Brokering Architecture (HiBA) and the Mobile Multicloud Control Network (MMCN) framework to build a multi-cloud computing environment with a performance development platform, and we apply this platform to the B&B tourism industry. HiBA and MMCN come from previous projects and are enhanced here specifically for B&B tourism applications. The whole project comprises six subprojects. The host project, which is also subproject one, “Self-organized User Devices as Multi-Clouds with Performance Development Platform,” uses the MMCN feedback framework to construct an autonomous, automatic, and self-organized HiBA virtual resource network, and provisions IaaS infrastructure as well as PaaS and SaaS templates as the development platform for the other subprojects. For the IaaS provision, subproject one implements algorithms on the management and control planes, reconciles conflicts among the algorithms, and studies hardware acceleration. The data plane is separated from the control plane and is realized by subproject five, “HiBA-based mobile cloud data processing framework,” which designs a mobile distributed database dedicated to the B&B tourism industry. Integrated with subproject four, the “Mobile cloud cooperative computation security subsystem,” the HiBA system includes privacy preservation, conditional authorization, signature encryption, and key distribution techniques to secure the data and operations of subproject two, the “health risk probability prediction subsystem,” subproject three, the “online automatic bargaining and itinerary recommendation subsystem,” and subproject six, the “ontology-based social cooperative filtering and recommendation subsystem.” Subproject two also implements a dressing mirror embedded with sensors that record gross motor trajectories for collapse prediction. Subproject six performs real-time analysis of tourism preferences and of the intrinsic properties of travel package products. The results of subprojects two and six then serve as references, alongside the reserved price, for subproject three's automatic price negotiation and itinerary recommendation. Exploiting HiBA's dynamic resource aggregation, a great deal of information and resources can be shared instantly from other proximate mobile and static devices without uploading them to public clouds. By maintaining the resource connections among these proximate devices, information and resources are continuously updated, analyzed, and filtered. The whole system provides proactive and complete live services before, during, and after the itinerary. Before the itinerary, the system automatically considers a consumer's physical health, state of mind, preferences, and price constraints, extracts evaluations from the social network, and instantly updates friends' and vendors' multimedia information, comprising photos, movies, plain text, and GPS navigation. In addition, because the information is updated instantly, value-added itineraries can be added to the originally planned itinerary during the trip. After the itinerary, conditional authorization lets the consumer become a resource and information provider who can conditionally authorize publication of the health, preference, price, and multimedia information experienced during the itinerary while preserving privacy. The users of our system are diverse, including consumers, tourism product vendors, B&Bs, businesses from other industries allied with the B&Bs, and onlookers in the social network. Our system greatly improves the quality of experience (QoE), which helps create innovative business models. The expected benefits of the project focus on the B&B tourism industry. We have consulted travel agencies, tourism marketing people, and app vendors in several discussions and confirmed that the system is innovative and attractive. With cooperation memos and a common consensus with them, we are now seeking further cooperative programs. In addition, significant academic development and cultivation of multidisciplinary talent are both expected.[[note]]MOST103-2221-E327-04

    Han and Xiongnu a Reexamination of Cultural and Political Relations (I)

    No full text