| Providing service with rich user experience is a goal of converged network. Service capability is provided by open APIs in NGN, so applications can be composed by some existing capabilities, which speeds up service creation procedure and reduces cost of creation. Beyond that, some application can even combine some capabilities coming from different service providers.Similar to the openness of network capability, the openness of application capability also introduces some security problems which are unique in application layer. The researches on NGN security focus on NGN security architecture, which mainly discusses about control layer, transport layer and access layer. There is little discussion on security problem which is introduced by high layer openness.In IT domain, inter-domain interaction introduces new security problem. This problem is also a hot topic in current area. Based on result from IT domain, we move research forward onto NGN domain. And some researches and results are carried out as follows:1) An Inter-domain interaction access control method is proposed, which is called RABAC(Role and Attribute Based Access Control). Compared to RBAC, our method is easier to apply access control function according to context. And it groups similar attributes before role mapping. It is more simple and easy than pure ABAC method as there are less attributes under consideration. With the separation between in-role and out-role, it also helps applications to create new security role and reduce the complexity of management.2) An Out-role creation method is proposed, which is based on cluster and classification algorithm. Based on those algorithms, out-roles are created automatically. And as out-role is created by on similarity, it might be more accurate than manually creation. At the time when roles are created, mappings between out-role and local role are also established. So this method would help system administrator to manage roles and setup mapping easier.3) As there would be some frauds between domains, an inter-domain trust ensurance method is proposed. Based on the statistics, we evaluated the trust of incoming requests. And based on the evaluation, if any cheating behavior is found, we start the punish procedure. This method would secure the interaction between untrusted domains. 4) Finally, a concept model of security service platform with capability openness is provided. Detail implementation of this model is also fully discussed. This model can also be extended easily.
|
PDF Full Text Request