Yasuharu Katsuno

Multi Cloud Management for unified cloud services across cloud sites

Recently, there is appearing a multi Infrastructure as a Service (IaaS) cloud site environment. It makes server users/administrators annoying because each cloud site is managed separately by each cloud owner and they have to make use of cloud sites individually. In this paper, we propose the Multi Cloud Management Platform that locates between cloud users and cloud sites and provides unified cloud services. It can decrease workloads of server users/administrators under a multi IaaS cloud site by a service catalog federation, a collaborative management, and an application virtual server migration services. We implement a prototype system, and show our approach is feasible.

Autonomic network configuration for networkable digital appliances

This paper proposes an autonomic network configuration (ANC) technology, which uses autonomic technologies for the network configuration in order for electronics consumer appliances to improve usability and security. ANC provides networkable digital appliances (NDAs) with a network environment detection service and enables them to automatically configure themselves as soon as they are connected to networks. The evaluation shows that ANCs network environment detection is so quick, safe, and accurate that it significantly contributes to the NDAs security and privacy.

Layering negotiations for flexible attestation

Recently, much attention has been paid to research on distributed coalitions that establish trust among the members of groups of computing components in distributed environments. The Trusted Virtual Domains (TVD) that our research division is proposing is a new model of a distributed coalition for establishing multiple trusted coalitions of components on nodes in distributed heterogeneous environments. In a large-scale distributed computing environment where many kinds of components exist and there might be difficult situations to agree common attestation methods among all components beforehand, it is necessary to provide each component with flexible attestation according to its usage scenario for increasing the number of components that can participate in TVD.In this paper, we propose a layering negotiation approach. It divides an attestation process into a global attestation phase that verifies that a TVD is fundamentally secure and supporting essential trusted primitives and a local attestation phase that verifies the integrity of a specific component involved in a usage scenario. And, a combination of attestation methods is decided as a result of negotiation between the components for each kind of attestation at each phase. With our approach, the attestation corresponding to a usage scenario can be done flexibly based on the minimal required attestation needed in the TVD, so the component developers can concentrate on the implementation of the higher-level functions.

An Automated Parallel Approach for Rapid Deployment of Composite Application Servers

Infrastructure as a Service (IaaS) generally provides a standard vanilla server that contains an OS and basic functions, and each user has to manually install the required applications for the proper server deployments. We are working on a composite application deployment approach to automatically install selected applications in a flexible manner, based on a set of application installation scripts that are invoked on the vanilla server. Some applications have installation dependencies involving multiple servers. Previous research projects on installing applications with multi-server dependencies have deployed the servers sequentially. This means the total deployment time grows linearly with the number of servers. Our automated parallel approach makes the composite application deployment run in parallel when there are installation dependencies across multiple servers. We implemented a prototype system on Chef, a widely used automatic server installation framework, and evaluated the performance of our composite application deployment on a Soft Layer public cloud using two composite application server cases. The deployment times were reduced by roughly 40% in our trials.

32-bit as Number Based IP Traceback

Identifying the source address of an IP packet is difficult with the IP protocol. Consequently it has been difficult to resolve distributed denial of service (DDoS) attacks on the Internet. This paper presents an autonomous system (AS) methodology for IP trace back based on the probabilistic packet marking (PPM) scheme. Although many PPM mechanisms have been proposed, almost all assume that all routers in the Internet support PPM. However, such an assumption is impractical for operational and deployment reasons. In this paper, we design an IP trace back technique that extends the architecture to a 32-bit AS number. Our proposed method combines the Internet topology and the PPM, which has not been previously discussed in detail. To discuss the optimum probability for packet marking, consideration of the network topology properties and the router load is necessary. We demonstrate our results by our implementation and verify that marking does not have an impact on performance. The results imply that we can calculate the optimum probability from only the topology property. In our calculations, the optimum probability of 0.092 is obtained.

Chinese-wall process confinement for practical distributed coalitions

A distributed coalition supports distributed mandatory access controls for resources whose security policies differ for each group of components over nodes, and provides secure information operations and exchanges with nodes that handle information over which conflicts of interest may occur. Many projects have proposed distributed coalitions using a virtual machine monitor, but this approach for strong confinement tends to hinder successful deployments in real world scenarios that involve complicated operations and management for applications because such access control is coarse-grained for the resources. In this paper, we propose a Chinese-Wall Process Confinement (CWPC) for practical application-level distributed coalitions that provide fine-grained access controls for resources and that emphasize minimizing the impact on the usability, using a program-transparent reference monitor. We implemented a prototype system named ALDC for standard office applications on Microsoft Windows that are used on a daily basis for business purposes and that may involve conflicts of interests, evaluated its performance and influence on usability, and show that our approach is practical.

Magical device: a small device that makes it easy to build real-world navigation systems

Recently, much attention has been paid to research on real-world navigation systems. Although some real-world navigation systems have already been implemented, they have not been widely adopted, because they assume the use of a computer network system and are difficult to use for both providers and users. To solve this problem, we propose a small magical device based on an existing device called a PHS (Personal Handy-phone System). If providers and users use magical devices, they can use the real-world navigation systems easily and at low cost.

Security, Compliance, and Agile Deployment of Personal Identifiable Information Solutions on a Public Cloud

A public cloud platform offers economy of scale, ease of management, and elasticity to solutions. In addition, regulatory compliance and security must be assured for solutions handling sensitive data, such as student and healthcare data. With the steep rise in data breaches at large enterprises, it is a requirement to emphasize the security, privacy, and compliance of cloud-delivered solutions that hold personally identifiable information (PII). An example of a solution in need of such assurances is an education and learning-related analytics service that handles confidential student data on a public cloud platform. In this paper, we propose an approach for managing the security and privacy of an education and learning-analytics solution on a public cloud platform while assuring compliance with the Family Educational Rights and Privacy Act (FERPA). We also propose a new agile deployment approach that is both rapid and automatic. A prototype of a learning-analytics solution was implemented on a SoftLayer public cloud, and the new deployment method was evaluated in comparison with existing methods.

A Pluggable Domain Management Approach for Building Practical Distributed Coalitions

Recently, much attention has been paid to research on distributed coalitions, as a possible mechanism to embody distributed information flow control which can apply security policies to distributed components over nodes by making the components enforce mandatory access controls for resources based on the policies. Some projects have proposed prototype systems of distributed coalitions, but they assume that each component that participates in a domain has domain management functions. This assumption is reasonable when the components are designed for a distributed coalition, but it has been an obstacle when actually building distributed coalitions in existing environments, because it is difficult for existing components in real environments that were not designed for use in distributed coalitions to update their code and add support for domain management functions while considering the influences of their environments, especially for commercial components.In this paper, we propose a Domain Management Agent (DMA) for building practical distributed coalitions, which performs domain management on behalf of a component and emphasizes minimizing the influence on existing environments. We implement a prototype system on Microsoft Windows platform for broad use by many people, evaluate its performance overhead, and show that our approach is feasible.