
On Security Services Of Web Resource Oriented Future Network

Posted on: 2015-11-24
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X F Qiu
GTID: 1228330467463688
Subject: Cryptography

Abstract/Summary:
Academia and industry have conducted extensive research on future networks to deal with the challenges faced by the current network. This dissertation focuses on several questions. How will the architecture of the future network support service innovation, especially user-involved service innovation? How should the corresponding security service architecture be designed so that it is capable of continuous service innovation? The main contributions of this dissertation are as follows:

1) After investigating the related research projects on future networks, the main features of their architecture are abstracted. A Web resource oriented architecture for the future network is designed to harness Web technology, which has been driving service innovation on the Internet for years. Capabilities of the network are abstracted and published as Web resources, so that service innovation in the future network becomes more cost efficient through composition and user-involved sharing of service components.

2) Security composition is proposed. Two abstractions of security services at different granularities are provided: Virtualized Security Appliance (VSA) and Software Defined Security (SDS). VSA abstracts and composes conventional security appliances based on virtualization technology. SDS decomposes the fundamental functions that were previously encapsulated in various security devices and republishes them as atomic services through Web interfaces. By merging redundant functions and computation, security services can be provided at lower cost through Web service composition. Furthermore, security functions can be orchestrated more tightly with business procedures to provide more efficient security services.

3) The feasibility of SDS is demonstrated. A Security and Management Controller (SMC) is developed. Subscription, publication and scheduling of security resources are demonstrated. Static orchestrations of several basic security services are proposed. Based on our work, new security appliances and services are tested in two cloud computing centers.

4) To protect the critical assets of composed services with higher security demands in the future network, an architectural design security service is introduced to contain potential supply chain threats through provider selection. Our approach is cheaper than the previous approach of extreme testing, which can neither theoretically nor practically cover all components and potential threats, and more feasible than mere supplier screening in an environment of global outsourcing. It also provides a preliminary step toward an engineering answer to a more generic question: how to build composed services that are as trustworthy as possible from untrustworthy components. A supply chain model is leveraged to support the hierarchical structure of the security model in service composition. A supply chain integrity evaluation model based on an attack graph and a provider trustworthy value evaluation algorithm considering both objective and subjective elements are provided. We also demonstrate how to calculate the objective Provider Trustworthy Value (PTV) based on publicly available vulnerability databases, which are impossible to tamper with.

5) SNS_ABAC, an attribute-based access control model that harnesses the user information management system of a social network, is provided for the open service environment of the future network, in which subjects are usually unknown when services are designed and resources are shared through user-involved service innovation. This model supports user-defined, fine-grained access control policies and provides policy conflict detection, which is very helpful for non-professional resource owners. An implementation based on an RBAC framework has been successfully deployed in our Web of Things (WOT) platform, which supports innovation by students at the university. An enhanced RETE reasoner is also established for the implementation of SNS_ABAC. Two potential schemes for user profile authentication in social networks are provided.
Keywords/Search Tags: security, future network, service composition, provider selection, integrity, access control