Dijiang Huang

Arizona State University, Phoenix, Arizona, United States


Publications (102) · 36.43 Total impact

  • IEEE Transactions on Computers 01/2015; DOI:10.1109/TC.2015.2401033 · 1.47 Impact Factor
  • Le Xu, Dijiang Huang, W.-T. Tsai
    ABSTRACT: Hands-on experiments are essential for computer network security education. Existing laboratory solutions usually require significant effort to build, configure, and maintain and often do not support reconfigurability, flexibility, and scalability. This paper presents a cloud-based virtual laboratory education platform called V-Lab that provides a contained experimental environment for hands-on experiments using virtualization technologies (such as Xen or KVM Cloud Platform) and OpenFlow switches. The system can be securely accessed through OpenVPN, and students can remotely control the virtual machines (VMs) and perform the experimental tasks. The V-Lab platform also offers an interactive Web GUI for resource management and a social site for knowledge sharing and contribution. By using a flexible and configurable design, V-Lab integrates pedagogical models into curriculum design and provides a progressive learning path with a series of experiments for network security education. Since summer 2011, V-Lab has served more than 1000 students from six courses across over 20 experiments. The evaluation demonstrates that the platform and curriculum have produced excellent results and helped students understand and build up computer security knowledge to solve real-world problems.
    IEEE Transactions on Education 08/2014; 57(3):145-150. DOI:10.1109/TE.2013.2282285 · 1.22 Impact Factor
  • ABSTRACT: Software-Defined Networking (SDN) is a new approach to managing the whole network flexibly by decoupling the control plane and the forwarding plane. While forwarding elements can be managed by a unified control, the complexity arising from the network size and the scalability issues arising from the increase in control traffic are notable problems. To deal with network reconfiguration events that occur asynchronously and change frequently at intervals shorter than hours, a controller has to continually and asynchronously update the configuration of the whole network. However, it is hard to maintain the consistency of the configuration of the whole network because the controller needs to manage a huge amount of network information and to deal with user requests that occur asynchronously. In this paper, we propose a database-oriented management approach for asynchronous reconfiguration to achieve configuration consistency in SDN. We design a database structure to store network information and two functional components. Finally, we apply our management system to an OpenFlow-based network, and validate that our system can manage and control an OpenFlow network via the database.
    NOMS 2014 - 2014 IEEE/IFIP Network Operations and Management Symposium; 05/2014
  • ABSTRACT: A flexible, scalable, and robust framework that enables fine-grained flow control under fixed or dynamic policies while addressing trustworthiness as a built-in network-level functionality is a desirable goal of the future Internet. Furthermore, the level of trustworthiness may differ from one network to another. It is also desirable to provide user-centric or service-centric routing capabilities to achieve service-oriented traffic controls as well as trust and policy management for security. Addressing these aspects, we present the SeRViTR (Secure and Resilient Virtual Trust Routing) framework. In particular, we discuss the goal and scope of SeRViTR, its implementation details, and a testbed that enables us to demonstrate SeRViTR. We have designed protocols and mechanisms for policy and trust management for SeRViTR and show a validation of the functional implementation of several SeRViTR components to illustrate virtual domains and trust level changes between virtual domains that are achieved under SeRViTR protocols. Going from implementation to testbed, we demonstrate SeRViTR in a virtual network provisioning infrastructure called the Geo-distributed Programmable Layer-2 Networking Environment (G-PLaNE) that connects three institutions spanning the US and Japan.
    Computer Networks 04/2014; 63. DOI:10.1016/j.bjp.2013.12.028 · 1.28 Impact Factor
  • Bing Li, Zhijie Wang, Dijiang Huang
    ABSTRACT: In many secure application scenarios, establishing a temporary group without revealing group member information is difficult but desirable. Secure group communication can significantly reduce the computation and communication overhead. Traditional group key management schemes are based on a hierarchical tree. Any network entity that wants to set up a group needs to know the keys of the other group members, i.e., the group key establishment must be done before starting the group communication. As a result, the group needs to be formed beforehand. In this paper, we propose a secure grouping scheme that provides anonymity for group members against outsiders. Our approach is based on Attribute Based Encryption (ABE) schemes. In our scheme, each network entity is assigned a set of attributes. Each group is identified by a logical combination of attributes, i.e., the group access policies. The presented solution has the advantage that there is no need for any prior knowledge of other group members. Instead, the sender just needs to focus on the group access policies. Our scheme further preserves the group formation policies by using a gradual exposure method on attributes. Compared to existing hidden-policy schemes, our solution can greatly reduce the computation and communication overhead.
    GLOBECOM 2013 - 2013 IEEE Global Communications Conference; 12/2013
  • Dijiang Huang, Tianyi Xing, Huijun Wu
    ABSTRACT: Mobile devices are rapidly becoming the major service participants nowadays. However, traditional client-server based mobile service models are not able to meet the increasing demands from mobile users in terms of services diversity, user experience, security and privacy, and so on. Cloud computing enables mobile devices to offload complex operations of mobile applications, which are infeasible on mobile devices alone. In this article, we provide a comprehensive study to lay out existing mobile cloud computing service models and key achievements, and present a new user-centric mobile cloud computing service model to advance existing mobile cloud computing research.
    IEEE Network 09/2013; 27(5):6-11. DOI:10.1109/MNET.2013.6616109 · 3.72 Impact Factor
  • Yan Zhu, Di Ma, Dijiang Huang, Changjun Hu
    ABSTRACT: The increasing spread of location-based services (LBSs) has led to a renewed research interest in the security of such services. To ensure the credibility and availability of LBSs, there is a pressing requirement to address the access control, authentication and privacy issues of LBSs in a synergistic way. In this paper, we propose an innovative location-based fine-grained access control mechanism for LBSs, enabling effective fine-grained access control, location-based authentication and privacy protection. Our proposed approach is based on the construction of a spatio-temporal predicate-based encryption by means of efficient secure integer comparison. Our experimental results not only validate the effectiveness of our scheme, but also demonstrate that the proposed integer comparison scheme performs better than the previous bitwise comparison scheme.
    Proceedings of the second ACM SIGCOMM workshop on Mobile cloud computing; 08/2013
  • ABSTRACT: Cloud security is one of the most important issues that has attracted a lot of research and development effort in the past few years. In particular, attackers can explore vulnerabilities of a cloud system and compromise virtual machines to deploy further large-scale Distributed Denial-of-Service (DDoS) attacks. DDoS attacks usually involve early-stage actions such as multistep exploitation, low-frequency vulnerability scanning, and compromising identified vulnerable virtual machines as zombies, and finally DDoS attacks launched through the compromised zombies. Within the cloud system, especially Infrastructure-as-a-Service (IaaS) clouds, the detection of zombie exploration attacks is extremely difficult. This is because cloud users may install vulnerable applications on their virtual machines. To prevent vulnerable virtual machines from being compromised in the cloud, we propose a multiphase distributed vulnerability detection, measurement, and countermeasure selection mechanism called NICE, which is built on attack graph-based analytical models and reconfigurable virtual network-based countermeasures. The proposed framework leverages OpenFlow network programming APIs to build a monitor and control plane over distributed programmable virtual switches to significantly improve attack detection and mitigate attack consequences. The system and security evaluations demonstrate the efficiency and effectiveness of the proposed solution.
    IEEE Transactions on Dependable and Secure Computing 07/2013; 99(4-PrePrints):1. DOI:10.1109/TDSC.2013.8 · 1.14 Impact Factor
  • Yan Zhu, Di Ma, Chang-Jun Hu, Dijiang Huang
    ABSTRACT: This paper addresses how to construct an RBAC-compatible attribute-based encryption (ABE) for secure cloud storage, which provides a user-friendly and easy-to-manage security mechanism without user intervention. Similar to the role hierarchy in RBAC, an attribute lattice introduced into ABE is used to define a seniority relation among all values of an attribute, whereby a user holding the senior attribute values acquires the permissions of their juniors. Based on these notations, we present a new ABE scheme called Attribute-Based Encryption with Attribute Lattice (ABE-AL) that provides an efficient approach to implementing comparison operations between attribute values on a poset derived from the attribute lattice. By using bilinear groups of composite order, we propose a practical construction of ABE-AL based on forward and backward derivation functions. Compared with prior solutions, our scheme offers a compact policy representation, which can significantly reduce the size of private keys and ciphertexts. Furthermore, our solution provides richer expressive power for access policies to facilitate flexible access control for ABE schemes.
    Proceedings of the 2013 international workshop on Security in cloud computing; 05/2013
  • ABSTRACT: Mobile cloud computing (MCC) enables mobile devices to outsource their computing, storage and other tasks to the cloud to achieve more capacity and higher performance. One of the most critical research issues is how the cloud can efficiently handle the possibly overwhelming requests from mobile users when cloud resources are limited. In this paper, a novel MCC adaptive resource allocation model is proposed to achieve optimal resource allocation in terms of the maximal overall system reward by considering both the cloud and the mobile devices. To achieve this goal, we model the adaptive resource allocation as a semi-Markov decision process (SMDP) to capture the dynamic arrivals and departures of resource requests. Extensive simulations are conducted to demonstrate that our proposed model can achieve a higher system reward and a lower service blocking probability compared to traditional approaches based on a greedy resource allocation algorithm. Performance comparisons with various MCC resource allocation schemes are also provided.
    International Journal of Distributed Sensor Networks 04/2013; 2013. DOI:10.1155/2013/181426 · 0.92 Impact Factor
  • ABSTRACT: Security has been one of the top concerns in clouds. It is challenging to construct a secure networking environment in clouds because the cloud is usually a hybrid networking system containing both physical and virtually overlaid networks. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) have been widely deployed to manage cloud security, with the latter providing additional prevention capabilities. This paper investigates an OpenFlow- and Snort-based IPS called "SnortFlow", which enables the cloud system to detect intrusions and deploy countermeasures by reconfiguring the cloud networking system on the fly. The evaluation results demonstrate the feasibility of SnortFlow and provide guidance for future work.
    Research and Educational Experiment Workshop (GREE), 2013 Second GENI; 01/2013
  • ABSTRACT: In this article, a new mobile Cloud service model is presented. It offers dynamic and efficient remote access to information services and resources for mobile devices. Mobile Cloud computing has evolved into a distributed service model, where individual mobile users are Cloud service providers. Compared to traditional Internet-centric Cloud service models, the complexity of mobile service management in a dynamic and distributed service environment is increased dramatically. To address this challenge, we propose to establish an OSGi-based mobile Cloud service model, MCC-OSGi, that uses OSGi Bundles as the basic mobile Cloud service building components. The proposed solution supports OSGi bundles running on both mobile devices and Cloud-side virtual machine OS platforms, and the bundles can be transferred and run on different platforms without compatibility issues. The presented solution is achieved: 1) by incorporating OSGi into the Android software development platform, 2) by setting up a Remote-OSGi on the Cloud and on mobile devices, and 3) by defining three service architecture models. The presented solution is validated through a demonstrative application with relevant performance measurements.
    Autonomous Decentralized Systems (ISADS), 2013 IEEE Eleventh International Symposium on; 01/2013
  • Li Li, Dijiang Huang, Zhidong Shen, S. Bouzefrane
    ABSTRACT: With the rapid growth of mobile devices and the emergence of mobile cloud services, it is a trend to use mobile devices for mobile-centric applications, and to expand the mobile capabilities and provide needed security through mobile cloud services. However, due to the mobility of the device and the semi-trusted nature of the mobile cloud, how to build trust in mobile applications is a big concern. In this paper, we propose a dual-root trust online transaction model in which the two trust roots are the user's mobile device and a delegation mobile cloud. We design a dual-root trust protocol by leveraging a modified CP-ABE cryptography and the trusted execution environment embedded in a mobile device to provide device-specific transaction confirmations for online transactions initiated by the mobile user. The performance evaluation of the protocol demonstrates that it is a lightweight scheme for mobile devices since most cryptographic functions are delegated from users to the mobile cloud.
    Wireless Communications and Networking Conference (WCNC), 2013 IEEE; 01/2013
  • Huijun Wu, Dijiang Huang, Samia Bouzefrane
    ABSTRACT: Offloading is one major type of collaboration between mobile devices and clouds to achieve shorter execution time and lower energy consumption. Offloading decisions for mobile cloud collaboration involve many decision factors. One of the important decision factors, network unavailability, has not been well studied. This paper presents an offloading decision model that takes network unavailability into consideration. A network with some unavailability can be modeled as an alternating renewal process. Then, application execution time and energy consumption in both an ideal network and a network with some unavailability are analyzed. Based on the presented theoretical model, an application partition algorithm and a decision module are presented to produce an offloading decision that is resistant to network unavailability. Simulation results demonstrate the good performance of the proposed scheme, where the proposed partition algorithm is analyzed in different application and cloud scenarios.
    9th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing; 01/2013
  • ABSTRACT: Cloud is gaining momentum but its true potential is hampered by the security concerns it has raised. Having vulnerable virtual machines in a virtualized environment is one such concern. Vulnerable virtual machines are an easy target, and the existence of such weak nodes in a network jeopardizes its entire security structure. The resource-sharing nature of the cloud favors the attacker, in that compromised machines can be used to launch further devastating attacks. The first line of defense in such a case is to prevent the vulnerabilities of a cloud network from being compromised and, if that fails, to prevent propagation of the attack. To create this line of defense, we propose a hybrid intrusion detection framework to detect vulnerabilities, attacks, and their carriers, i.e. malicious processes in the virtual network and virtual machines. This framework is built on attack graph-based analytical models, VMM-based malicious process detection, and reconfigurable virtual network-based countermeasures. The proposed framework leverages Software Defined Networking to build a monitor and control plane over distributed programmable virtual switches in order to significantly improve attack detection and mitigate the attack consequences. The system and security evaluations demonstrate the efficiency and effectiveness of the proposed solution.
    9th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing; 01/2013
  • ABSTRACT: Security has become a major concern for mobile devices when mobile users browse malicious websites. Existing security solutions may rely on human factors to achieve a good result against phishing websites and SSL Strip-based Man-In-The-Middle (MITM) attacks. This paper presents a secure web referral service for mobile devices, called Secure Search Engine (SSE). The system uses mobile cloud-based virtual computing and provides each user a Virtual Machine (VM) as a personal security proxy through which all Web traffic is redirected. Within the VM, the SSE uses web crawling technology with a set of checking services to validate IP addresses and certificate chains. A Phishing Filter is also used to check given URLs with an optimized execution time. The system also uses private and anonymously shared caches to protect user privacy and improve performance. The evaluation results show that SSE is non-intrusive and consumes no power or computation on the client device, while producing fewer false positives and false negatives than existing web browser-based anti-phishing solutions.
    Service Oriented System Engineering (SOSE), 2013 IEEE 7th International Symposium on; 01/2013
  • ABSTRACT: A secure network is considered to be an important goal of the Future Internet; one way this can be embodied is by having flexible and robust routing functionality with built-in security and trustworthiness mechanisms. However, there is a fundamental and important challenge in how to determine the trustworthiness of every traffic flow to realize trustable communications. In this paper, we propose a framework to manage trustworthiness automatically based on the policy set by the administrator, the hysteresis of the traffic, and/or the behavior of end users. We describe the roles and functions for managing policy and trustworthiness and illustrate the implementation of SeRViTR, a trust routing framework, with a communication experiment.
    Integrated Network Management (IM 2013), 2013 IFIP/IEEE International Symposium on; 01/2013
  • ABSTRACT: Network virtualization is a promising solution that can prevent network ossification by allowing multiple heterogeneous virtual networks (VNs) to cohabit on a shared substrate network. It provides flexibility and promotes diversity. A key issue that ...
    Journal of Network and Systems Management 12/2012; 20(4). DOI:10.1007/s10922-012-9254-0 · 0.44 Impact Factor
  • ABSTRACT: Mobile cloud computing is a promising technique that shifts the data and computing service modules from individual devices to a geographically distributed cloud service architecture. A general mobile cloud computing system is comprised of multiple cloud domains, and each domain manages a portion of the cloud system resources, such as the Central Processing Unit, memory and storage, etc. How to efficiently manage the cloud resources across multiple cloud domains is critical for providing continuous mobile cloud services. In this paper, we propose a service decision making system for interdomain service transfer to balance the computation loads among multiple cloud domains. Our system focuses on maximizing the rewards for both the cloud system and the users by minimizing the number of service rejections that degrade the user satisfaction level significantly. To this end, we formulate the service request decision making process as a semi-Markov decision process. The optimal service transfer decisions are obtained by jointly considering the system incomes and expenses. Extensive simulation results show that the proposed decision making system can significantly improve the system rewards and decrease service disruptions compared with the greedy approach.
    IEEE Transactions on Vehicular Technology 06/2012; 61(5):2222-2232. DOI:10.1109/TVT.2012.2194748 · 2.64 Impact Factor
  • ABSTRACT: A secure network is considered to be an important goal of the Future Internet; one way this can be embodied is by having flexible and robust routing functionalities with intrinsic security mechanisms. It is also desirable to provide user-centric or service-centric routing capabilities to achieve service-oriented traffic controls as well as trust and policy management for security. Based on these potential needs, a flexible, scalable, and robust routing framework that enables fine-grained flow control under fixed or dynamic policies, called the Virtual Trusted Routing and Provisioning Domain (VTRouPD) [11], has recently been proposed. In this paper, we present a framework called the Secure and Resilient Virtual Trust Routing (SeRViTR) framework, which is a proof-of-concept model of VTRouPD at the implementation level. SeRViTR has particular entities that are designed for policy management and trust management between different VTRouPDs to enable a secure Internet. We define the roles of each entity within the SeRViTR framework as well as the messages exchanged between them. We also discuss how policy management and trust negotiation can be achieved. Moreover, we present a validation of the functional implementation of several SeRViTR components to illustrate how to create virtual domains and change trust levels between virtual domains.
    01/2012; DOI:10.1109/NOMS.2012.6212043

Publication Stats

722 Citations
36.43 Total Impact Points

Institutions

  • 2006–2014
    • Arizona State University
      • School of Computing, Informatics, and Decision Systems Engineering
      Phoenix, Arizona, United States
  • 2003–2014
    • University of Missouri - Kansas City
      • Department of Computer Science and Electrical Engineering
      Kansas City, Missouri, United States
  • 2011
    • Southwest Jiaotong University
      • School of Information Science and Technology
      China