Mark Linderman

An Entity-Centric Approach for Privacy and Identity Management in Cloud Computing

Entities (e.g., users, services) have to authenticate themselves to service providers (SPs) in order to use their services. An entity provides personally identifiable information (PII) that uniquely identifies it to an SP. In the traditional application-centric Identity Management (IDM) model, each application keeps trace of identities of the entities that use it. In cloud computing, entities may have multiple accounts associated with different SPs, or one SP. Sharing PIIs of the same entity across services along with associated attributes can lead to mapping of PIIs to the entity. We propose an entity-centric approach for IDM in the cloud. The approach is based on: (1) active bundles—each including a payload of PII, privacy policies and a virtual machine that enforces the policies and uses a set of protection mechanisms to protect themselves, (2) anonymous identification to mediate interactions between the entity and cloud services using entity’s privacy policies. The main characteristics of the approach are: it is independent of third party, gives minimum information to the SP and provides ability to use identity data on untrusted hosts.

Protection of Identity Information in Cloud Computing without Trusted Third Party

Cloud computing allows the use of Internet-based services to support business processes and rental of IT-services on a utility-like basis. It offers a concentration of resources but also poses risks for data privacy. A single breach can cause significant loss. The heterogeneity of “users” represents a danger of multiple, collaborative threats. In cloud computing, entities may have multiple accounts associated with a single or multiple service providers (SPs). Sharing sensitive identity information (that is, Personally Identifiable information or PII) along with associated attributes of the same entity across services can lead to mapping of the identities to the entity, tantamount to privacy loss. Identity management (IDM) is one of the core components in cloud privacy and security and can help alleviate some of the problems associated with cloud computing. Available solutions use trusted third party (TTP) in identifying entities to SPs. The solution providers do not recommend the usage of their solutions on untrusted hosts. We propose an approach for IDM, which is independent of TTP and has the ability to use identity data on untrusted hosts. The approach is based on the use of predicates over encrypted data and multi-party computing for negotiating a use of a cloud service. It uses active bundle—which is a middleware agent that includes PII data, privacy policies, a virtual machine that enforces the policies, and has a set of protection mechanisms to protect itself. An active bundle interacts on behalf of a user to authenticate to cloud services using user’s privacy policies.

Multiple-UAV coordination and communications in tactical edge networks

Unmanned aerial vehicles are becoming prevalent in tactical networks as they are proving to be an extremely flexible platform for a variety of applications. Increasingly, UAVs need to cooperate with each other in order to perform complex tasks such as target monitoring and prosecution, information gathering and processing, and delivery between disconnected portions of the network. However, UAV cooperation in tactical scenarios represents a major challenge from both the coordination and communication perspectives. In fact, cooperating UAVs must achieve a high degree of coordination in order to accomplish complex tasks in a dynamic and uncertain environment. In turn, as UAVs interact with other entities, the effective coordination of multiple-UAV operations requires specific support in terms of efficient communication protocols and mechanisms exploiting UAVs as mobile assets that facilitate and hasten critical information flows. This article presents a series of considerations and lessons learned that we have collected in our experience with multiple- UAV coordination and communications in tactical edge networks, and discusses some of the main components of a middleware we specifically designed to support multiple-UAV operations.

Jini-based publish and subscribe capability

This paper describes a Publish and Subscribe capability developed under the Air Force Research Laboratory s (AFRL) Joint Battlespace Infosphere (JBI) project. The paper will give a brief description of the JBI and it s core service components of publish, subscribe and query. A detailed description fo the Pub/Sub system design and implementation will then be given describing how and where Java, Jini, and XML technologies were used to describe information objects, match subscribers to appropriate dissemination nodes, and disseminate information objects to subscribing clients. Fianlly we describe a number of applications that are currently using the Pub/Sub capability.

Design, implementation and evaluation of parallel pipelined STAP on parallel computers

Performance results are presented for the design and implementation of parallel pipelined space-time adaptive processing (STAP) algorithms on parallel computers. In particular, the issues involved in parallelization, our approach to parallelization, and performance results on an Intel Paragon are described. The process of developing software for such an application on parallel computers when latency and throughput are both considered together is discussed and tradeoffs considered with respect to inter and intratask communication and data redistribution are presented. The results show that not only scalable performance was achieved for individual component tasks of STAP but linear speedups were obtained for the integrated task performance, both for latency as well as throughput. Results are presented for up to 236 compute nodes (limited by the machine size available to us). Another interesting observation made from the implementation results is that performance improvement due to the assignment of additional processors to one task can improve the performance of other tasks without any increase in the number of processors assigned to them. Normally, this cannot be predicted by theoretical analysis.

N-CET: Network-centric exploitation and tracking

The Network-Centric Exploitation and Tracking (N-CET) program is a research effort to enhance intelligence exploitation in a tactical environment by cross-cueing sensors and fusing data from on-board sources with processed information from off-board platforms and sharing the resulting products in a net-centric manner. At the core of N-CET are information management services that decouple data producers and consumers, allowing reconfiguration to suit mission needs. Network-centric algorithms utilize the availability of information from both homogeneous and complementary on-board and off-board sensors. Organic capabilities facilitate the extraction of actionable information from high bandwidth sensor data and ensure the necessary information arrives at other platforms and users in a timely manner. This paper provides an overview of the N-CET architecture and the sensors and algorithms currently implemented upon it. The extent to which such algorithms are enhanced in a network-centric environment is discussed and the challenges of managing the resulting dynamic information space in a tactical publish/subscribe/query model are presented.

A dependable high performance wafer scale architecture for embedded signal processing

A high performance, programmable, floating point multiprocessor architecture has been specifically designed to exploit advanced two- and three-dimensional hybrid wafer scale packaging to achieve low size, weight, and power, and improve reliability for embedded systems applications. Processing elements comprised of a 0.8 micron CMOS dual processor chip and commercial synchronous SRAMs achieve more than 100 MFLOPS/Watt. This power efficiency allows up to 32 processing elements to be incorporated into a single 3D multichip module, eliminating multiple discrete packages and thousands of wirebonds. The dual processor chip can dynamically switch between independent processing, watchdog checking, and coprocessing modes. A flat, SRAM memory provides predictable instruction set timing and independent and accurate performance prediction.

An End-to-End Security Auditing Approach for Service Oriented Architectures

Service-Oriented Architecture (SOA) is becoming a major paradigm for distributed application development in the recent explosion of Internet services and cloud computing. However, SOA introduces new security challenges not present in the single-hop client-server architectures due to the involvement of multiple service providers in a service request. The interactions of independent service domains in SOA could violate service policies or SLAs. In addition, users in SOA systems have no control on what happens in the chain of service invocations. Although the establishment of trust across all involved partners is required as a prerequisite to ensure secure interactions, still a new end-to-end security auditing mechanism is needed to verify the actual service invocations and its conformance to the expected service orchestration. In this paper, we provide an efficient solution for end-to-end security auditing in SOA. The proposed security architecture introduces two new components called taint analysis and trust broker in addition to taking advantages of WS-Security and WS-Trust standards. The interaction of these components maintains session auditing and dynamic trust among services. This solution is transparent to the services, which allows auditing of legacy services without modification. Moreover, we have implemented a prototype of the proposed approach and verified its effectiveness in a LAN setting and the Amazon EC2 cloud computing infrastructure.

MELOC: Memory and Location Optimized Caching Model for Small Mobile Ad Hoc Networks

Caching is a common technique to improve efficiency of data access in MANETs (Mobile Ad hoc Networks), where users communicate using small portable devices connected by resource constraint wireless networks. In some MANET applications, controlling/reducing the cache locations are desirable due to security issues, restricted shared memory and maintenance cost. However, reducing the number of caches should be done by finding optimized cache locations (at highly connected and centrally located nodes) so that it does not affect the performance efficacy of data access in terms of response time. Existing cooperative caching approaches are deficient in finding such optimized cache locations as they do not focus on reducing the number of copies by finding their optimized locations to be shared among nodes. In this paper, we design and evaluate such a caching scheme using a single broker based MANET architecture to improve data access latency. Our scheme reduces the number of caches by efficiently placing them at locations which brings distant data closer to the source. The performance comparison of our scheme with one such recent caching scheme showcases improvement in data access efficiency by 30% along with reduction in number of cache locations by 72%. We evaluated data access efficiency using average hops and average roundtrip delay.

ROMAN: Routing and opportunistic management of airborne networks

Most of the routing and replication algorithms for Mobile Peer to Peer (M-P2P) networks assume the network to be large and therefore, the architecture and algorithms are designed to be scalable. These algorithms however may not perform well with limited number of nodes in a network such as of UAVs. Thus, it is better to design algorithms to increase the efficiency of a small network if scalability is no longer an issue. For such small networks, we design and simulate an effective two layered graph based routing algorithm using store/forward concept. We also take into account UAVs orientation and configuration of radio communication hardware equipped with UAVs. Our routing algorithm provides good average connectivity in the network even while they are mobile. We use a single copy replication to increase the availability of data for distributed query processing. Our system has a network layer and application layer; both of which are integrated to provide better efficiency. We report performance results based on simulations by comparing reach-ability, path efficiency, availability and average connectivity.