A Decentralized Approach for Implementing Identity Management in Cloud Computing

Jun Chen, Xing Wu*, Shilin Zhang, Wu Zhang
School of Computer Engineering and Science, Shanghai University, Shanghai, China
e-mail: xingwu@shu.edu.cn

Yanping Niu
ShanXi North Fenglei Industry Group Co. Ltd., ShanXi, China

Abstract—Cloud computing is the next generation of computing paradigm. Along with cloud computing, many related problems come up, and these problems in turn slow down the development of cloud computing. Among these problems, e.g. interoperability and privacy, identity management and security are of strong concern. Many researchers and enterprises have already done a lot to optimize identity management and strengthen security in cloud computing. Most of these studies focus on the usability of identity management and on various kinds of methods to help improve security. In this paper, we do some research from a new angle. Because the federated solution of identity management helps relieve many problems, it has been adopted by many platforms and enterprises. The general approach for deploying identity management is a centralized component processing authentication and authorization requests. But with the cloud growing in scale and the number of users increasing, this centralized solution will be the bottleneck of the cloud. In this paper, we propose a decentralized approach for implementing identity management in service oriented architecture in cloud computing, and a grouping algorithm as the deployment strategy. Security is another problem involved in this paper. Since many researchers have done many detailed and fruitful studies in security, the security solution illustrated in this paper is specific to the proposed architecture.

Keywords-cloud computing; identity management (IdM); service oriented architecture (SOA); grouping algorithm; security

I. INTRODUCTION

Cloud computing is the next generation of computing paradigm.
It implies a service oriented architecture (SOA) for computing resources. Cloud computing is a quite new computing paradigm and infrastructure, and there is little consensus on how to define the Cloud [1]. Ian Foster et al. in [2] have defined it as: "A large-scale distributed computing paradigm that is driven by economies of scale, in which a pool of abstracted, virtualized, dynamically-scalable, managed computing power, storage, platforms, and services are delivered on demand to external customers over the Internet."

The SOA is hierarchical and is usually organized as a three-level architecture. The bottom level is Infrastructure as a Service (IaaS). It supplies users with the usage of all utilities, e.g. processing, storage, network and other basic computing resources. Users can deploy and run any kind of software, including operating systems and applications. Amazon AWS is a provider of IaaS. The middle level is Platform as a Service (PaaS). In this service model, customers can deploy applications developed with a programming language or utility (Java, Python, .NET, etc.) to the cloud infrastructure. Google App Engine is a PaaS provider. The top level is Software as a Service (SaaS). The services provided to customers are applications running on cloud infrastructure. Salesforce.com is a SaaS provider.

With the requirements of e-business and the development of cloud computing, a stronger mechanism for authentication is needed. It is known as identity management (IdM) [3]. Researchers around the world have done many studies on IdM and related technologies. Here we briefly introduce and organize this knowledge; the details are stated in Section II. The IdM does some specific jobs.
In [3], the authors state that the need for IdM for the cloud is a trust model that handles (i) various trust relationships, (ii) access control policies based on roles and attributes, (iii) real-time provisioning, (iv) authorization, and (v) auditing and accountability. In [4], the authors state that an IdM system supports the management of multiple digital identities. It also decides how to best disclose personally identifiable information to obtain a particular service.

The deployment of IdM has multiple models, such as the isolated IdM, the centralized IdM, the federated IdM and also personal authentication management [5]. With the recent shift in identity solutions from being organization centric to user centric [6], single sign-on (SSO) is becoming an important experience for users. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them [7]. Almost all state-of-the-art IdM solutions support SSO, and it is also the property adopted in this paper.

Security is one of the largest concerns for the adoption of cloud computing, and it is a big issue related to many aspects. What is discussed in this paper is intrusion detection, including the deployment strategy and measuring algorithm.

2012 Second International Conference on Cloud and Green Computing. 978-0-7695-4864-7/12 $26.00 © 2012 IEEE. DOI 10.1109/CGC.2012.118

II. RELATED WORKS

In this section, some related works are discussed, e.g. IdM technology and security. We also present problems in present IdM solutions.

A. Identity Management

There are several solutions for deploying IdM, as introduced above. In the isolated IdM model, services are owned and managed by separate service providers, and each provider provides service-specific identifiers and does identity management by itself. So an entity has an identity in every service.
In the centralized IdM model, a new entity called the identity provider (IDP) is introduced, which is responsible for identity management in its domain. The federated IdM model and the centralized IdM model look somewhat alike, but they focus on different aspects. The federated IdM also manages attributes and credentials, and authenticates and authorizes entities in its domain. The main feature of the federated IdM is that it is capable of providing cross-domain identity service for different services, which may use incompatible identity technologies, attributes and credentials. In personal IdM (Personal Authentication Management), an entity manages identities by itself [8].

In [4], the authors collect three known solutions for IdM: Privacy and Identity Management for Europe (PRIME), Windows CardSpace, and OpenID. They also propose an entity-centric approach for IdM in the cloud that is based on active bundles and anonymous identification. These are all specific solutions for IdM that use many related technologies and can be adopted by many cloud computing IdM deployments. These details are not discussed in this paper.

In [9], the authors build a distributed identity management model for digital ecosystems. A digital ecosystem is a collection of institutions that compete, collaborate and form stable or unstable federations. In a single institution, there are several technologies and standards used for managing distributed identities. The most mature and widely deployed solutions for federated identity are the SAML and Liberty Alliance standards. But institutions cannot always be the same, and they may be heterogeneous. To help these institutions, especially small and medium-size enterprises, set up a federated IdM and work as an integrated whole, a flexible and simple solution is needed. When service revoking happens inside an institution, there are multiple choices for deploying IdM and it is relatively easy to implement.
In a service composition scenario, the service provider aggregating services from other service providers needs to run the services in the name of the user, and so it has to authenticate the user to the other providers. To solve this problem, the authors adopt the use of a Proxy Certificate (PC) that the client issues to the provider of the composite service. When a user requests a composite service from the service provider, the user identifies itself to the certificate authority (SSO use case) and a PC is issued to this service provider. A service that the user requests is contained in another institution, which is another trust context and has its own service provider and certificate authority. The user delegates the original service provider to request the service from the second service provider. The second service provider redirects the origin to its certificate authority. Then the origin authenticates the user in this certificate authority using the PC obtained previously.

The paper [10] aims to introduce new concepts in cloud computing and security, focusing on heterogeneous and federated scenarios. It is somewhat similar to [9]. The main idea is that adopting the “IdM/SP model” makes it possible to solve the SSO authentication problem using a global approach and integrating many security technologies. They implement a new SAML profile defining the interaction among the home cloud authentication module(s), the foreign cloud authentication module(s) and the Identity Providers (IdP) to define the message exchange flow between the entities in their model.

As shown in [9][10], it is possible to implement IdM between service groups. For some reasons, people may want to divide the cloud into parts to meet their requirements, and compared to the discussed scenarios, the service groups that come from one cloud are more homogeneous. The characteristics, e.g. the type of secure token, are often the same. So it is easy to implement federated IdM for a distributed architecture.

B. Security

Security is one of the largest concerns for the adoption of Cloud Computing. In [2], the paper outlines seven risks a cloud user should raise with vendors before committing: 1) Privileged user access; 2) Regulatory compliance; 3) Data location; 4) Data segregation; 5) Recovery; 6) Investigative support; 7) Long-term viability. In [3], the paper describes the security of cloud computing in a layered framework, including: 1) Secure Hypervisors; 2) Secure Cloud Storage Management; 3) Secure Cloud Data Management; 4) Secure Cloud Network Management; 5) Security Policy Management for Cloud Computing; 6) Cloud Monitoring.

In this paper, we adopt the idea of the layered framework in [3] and focus on the cloud monitoring layer. A widely used method for cloud monitoring is intrusion detection. In [11], the paper introduces the history of the development of intrusion detection, an overview of the technology itself and other related open issues. There are two basic categories of intrusion detection techniques: anomaly detection and misuse detection. Anomaly detection uses models of the intended behavior of users and applications, interpreting deviations from normal behavior. Misuse detection systems essentially define what is wrong. The main advantage of anomaly detection systems is that they can detect previously unknown attacks, but it is difficult to distinguish between anomalous and normal behavior. While today’s intrusion detection systems primarily rely on misuse detection techniques, many researchers advocate using a hybrid misuse-anomaly detection approach to take advantage of anomaly detection’s ability to detect new attacks, but without the approach’s accompanying high rate of false positives.

There are some strategies for implementing intrusion detection. In [12], the authors propose a set of requirements to be included in the Service-Level-Agreement (SLA) for cloud computing contracts.
In [13], the authors proposed the Grid and Cloud Computing Intrusion Detection System (GCCIDS), which is designed as an audit system for attacks that the networks and hosts cannot detect. This means that each node has its own job of intrusion detection and also alerts the other nodes. So the system can detect intrusions against the cloud. In [14], the authors proposed an intrusion detection Web Service based on the VM-based Intrusion Detection System. There are also some methods for analyzing the detected data. In [15], the authors demonstrated the effectiveness of the proposed relevance feature selection approach with the data mining technique and the machine learning technique.

C. Problem area

As demonstrated in [5], current approaches to IdM are often implemented as user-centric, service-centric and network-centric solutions. The user-centric perspective aims at providing users with mechanisms such as user consent and SSO. The service-centric perspective focuses on service provider-related aspects, and the network-centric perspective is concerned with network provider-related issues. We can see the analysis result as a hierarchical architecture from abstraction to physical. Since many IdMs are deployed in a SOA environment, IdMs are deployed in a service-centric, abstraction perspective. When services invoke each other, one sends a request together with a token to another service. IdM is inserted into the procedure as a middleware dealing with authentication and authorization, as shown in Figure 1. Considering the physical layer, when all the services in a cloud need a single IdM to handle authentication and authorization, it is not a small overhead. And with the scale of the cloud and the number of users surging, the predicament becomes apparent. This will be the bottleneck of the performance of the cloud.

III. PROPOSED DECENTRALIZED IDENTITY MANAGEMENT ARCHITECTURE

As explained in [2], the cloud is seen as a container full of various kinds of services.
Virtualization, as an indispensable ingredient of almost every cloud, realizes the abstraction that all the applications appear to the users as if they were running simultaneously and users use all the available resources in the Cloud [2]. These available resources can be seen as services in SOA. So at the granularity of services, it is possible to organize services in groups. According to our analysis, implementing IdM in a centralized way is not a good solution with the scale of the cloud and the number of users surging.

With the computing paradigm of cloud computing, it is convenient for users to get the resources they want in a flexible, easy way. These resources can be computing power, storage, VMs (virtual machines), etc. From the users’ point of view, these services have tight relationships. They may wish to integrate these services to work for them if they can. But inside the cloud, it is different from the users’ view. Some services communicate with each other frequently, e.g. the creating VM service always invokes the service of retrieving an image. There are also many services that have little communication with each other, e.g. the invocation between the service that provides users the GUI interface and the service of retrieving an image happens seldom or never.

Nowadays, it is very popular to enforce a federated IdM to offer users the SSO (Single-Sign-On) experience. We will also adopt this solution for our implementation, but we make some changes according to the above analysis. Services that have tight relationships, meaning they communicate with each other frequently, are divided into a group. We call the group a TC (Trust Context). If there are still some invocations between TCs, we create another TC at a higher level until we get TCs that meet our criterion. We will talk about the criterion right away. The abstract implementation is shown in Figure 2.
Next, we’ll describe our work in detail, including a grouping algorithm, security issues and other performance improvement advice.

A. Grouping Algorithm

We do some abstraction and get a big graph with many connected components. These connected components are weighted undirected acyclic graphs (WUAG). Each connected component is a subgraph of the original graph. Since subgraphs have already been separated from each other and services included in one subgraph have been grouped in a group, we describe our algorithm on one subgraph, a WUAG. Though IdMs act as middleware between services, requests and responses travel between services and are dealt with in service nodes. So we ignore IdM components while running the grouping algorithm. When all of the processes finish, the IdM will be deployed.

Figure 1. centralized IdM in cloud computing
Figure 2. decentralized IdM in cloud computing

The vertexes in the graph represent services in the cloud when the grouping algorithm is executed for the first time. The vertexes also represent already grouped service groups (TCs). If services or TCs communicate with each other, there will be an edge between them. The weight applied to an edge comes from the statistical data.

1) grouping algorithm

The data used in the grouping algorithm should be counted in a real cloud computing environment. All statistical data is the number of times that services communicate with each other. Since services are running all the time, a time interval is set to collect the statistical data. The first quantity is called THRESHOLD. If the number of times that services communicate through one IdM is more than the THRESHOLD, the performance will be affected. Cloud computing performance is actually difficult to measure. It may be the waiting time for a service or something else. But it is not the main idea of this paper, so we won’t discuss it further. The second quantity is called WEIGHT, and every edge in a WUAG has a WEIGHT.
It’s the number of times that the services adjoining the edge communicate in the set time interval.

Symbols used:
G: a graph
v_x: the vertex x in the graph
e_x: the edge x in the graph
P(G): the number of connected components of the graph G
w(e_x): the weight of the edge e_x in the graph
w(G): the sum of all the weights in graph G
n(G): the number of vertexes in graph G

Next, the grouping algorithm will be demonstrated.

Initial state:
THRESHOLD
G
v[1, 2, 3, …]
e[1, 2, 3, …]
P(G) = 1
w(e[1, 2, 3, …]) (> 0)
w(G) (> 0)
n(G) (> 0)

Pseudo code:

    G0 = G
    // G0: a graph that has not changed
    // G1: a graph that has already changed
    a) if w(G0) <= THRESHOLD then
           return;
       else
           if n(G0) <= 2 then
               return;
           else
               goto b);
           end if
       end if
    b) list[e_x, e_y, e_z, …] according to the list[w(e_x), w(e_y), w(e_z), …] from small to large
    c) delete e_x and get a new graph G1
       // delete edges by weight from small to large, one edge at a time
       if P(G1) = P(G0) then
           goto c);
       else {
           now two new graphs form, list[G’, G”];
           // make sure that no new graph with a single vertex forms
           for Gt in list[G’, G”]
               if n(Gt) < 2 then
                   undo the delete operation of this time and continue c) with the next edge;
               end if
           end for
           // do the same operation for each new graph as was done to the original graph
           for Gt in list[G’, G”]
               goto a);
           end for
       }

Though the grouping algorithm has been used one time in the cloud environment, it is not finished. We abstract another WUAG. In this WUAG, a vertex is a TC, a group formed in the previous steps, and an edge means that there is communication between the vertexes adjoining it, with the number of times applied to the edge as its weight. Next, the grouping algorithm is applied to the new WUAG. The above flow may be applied several times until all of the service nodes or TCs meet the algorithm’s requirement. Each TC deploys an IdM in it to handle identity service for the services or low-level TCs that are strongly coupled.
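The following Python implementation of steps a) to c) and of the repeated grouping over TCs is an added example, not code from the paper. The service names, call counts and function names are constructed for illustration; re-sorting the edges inside each subgraph and keeping a graph whole when no deletion yields two subgraphs of at least two vertexes are assumptions the pseudo code leaves open.

```python
from collections import defaultdict


def components(vertices, edges):
    """Connected components; edges are (u, v, weight) tuples."""
    adj = defaultdict(set)
    for u, v, _ in edges:
        adj[u].add(v)
        adj[v].add(u)
    seen, comps = set(), []
    for start in sorted(vertices):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node not in comp:
                comp.add(node)
                stack.extend(adj[node] - comp)
        seen |= comp
        comps.append(frozenset(comp))
    return comps


def group(vertices, edges, threshold):
    """Steps a)-c) on one connected graph; returns the list of TCs."""
    vertices = frozenset(vertices)
    # a) stop when w(G) <= THRESHOLD or n(G) <= 2
    if sum(w for _, _, w in edges) <= threshold or len(vertices) <= 2:
        return [vertices]
    remaining = list(edges)
    # b) try edges from the smallest weight to the largest
    for edge in sorted(edges, key=lambda e: e[2]):
        trial = list(remaining)
        trial.remove(edge)
        parts = components(vertices, trial)
        if len(parts) == 1:
            remaining = trial          # c) P unchanged: the edge stays deleted
            continue
        if any(len(p) < 2 for p in parts):
            continue                   # single-vertex subgraph: undo the delete
        tcs = []
        for part in parts:             # repeat from a) on each new subgraph
            tcs += group(part, [e for e in trial if e[0] in part], threshold)
        return tcs
    return [vertices]                  # assumption: no admissible split, keep whole


def quotient(groups, edges):
    """Next-level graph: one vertex per TC, cross-TC call counts summed."""
    owner = {v: i for i, g in enumerate(groups) for v in g}
    weights = defaultdict(int)
    for u, v, w in edges:
        a, b = sorted((owner[u], owner[v]))
        if a != b:
            weights[(a, b)] += w
    return [(a, b, w) for (a, b), w in sorted(weights.items())]


def build_hierarchy(vertices, edges, threshold):
    """Apply group() level by level; each level lists TCs by their services."""
    members = {v: frozenset([v]) for v in vertices}
    levels = []
    while True:
        groups = group(members.keys(), edges, threshold)
        merged = [frozenset().union(*(members[v] for v in g)) for g in groups]
        levels.append(sorted(sorted(tc) for tc in merged))
        if len(groups) == 1:           # one top-level TC: hierarchy complete
            return levels
        edges = quotient(groups, edges)
        members = dict(enumerate(merged))


# Constructed sample: eight services, weights = calls per time interval.
SERVICES = ["vm-create", "image-get", "volume", "snapshot",
            "billing", "invoice", "monitor", "alert"]
CALLS = [("vm-create", "image-get", 30), ("volume", "snapshot", 28),
         ("billing", "invoice", 26), ("monitor", "alert", 27),
         ("image-get", "volume", 12), ("invoice", "monitor", 11),
         ("snapshot", "billing", 5), ("vm-create", "alert", 3)]

if __name__ == "__main__":
    for depth, tcs in enumerate(build_hierarchy(SERVICES, CALLS, 25), 1):
        print(f"level {depth}: {tcs}")
```

With THRESHOLD = 25 the sample yields four two-service TCs, then two higher-level TCs, then one top-level TC, so seven IdMs would be deployed in a tree.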
The result with IdMs is a hierarchical tree structure. In the next section, a simple example will be used to help illustrate the grouping algorithm.

2) algorithm demonstration

We come up with a simple example to demonstrate how the grouping algorithm works. A WUAG is shown in figure 3; the meaning of each symbol is given above, and the number attached to an edge is the weight of the edge.

Initial state: figure 4; THRESHOLD = 25; w(G) = 110; P(G) = 1; n(G) = 10

Demonstration:
w(G) > THRESHOLD
P(G) = 1

Table 1. edges from small to large
weight:  2    3    5    7    8    9    10   11   12   13   30
edge:    e2   e5   e4   e7   e11  e6   e3   e8   e9   e10  e1

- delete e2; P(G1) = 1
- delete e5; P(G2) = 1
- delete e4; P(G3) = 2; two subgraphs G31, G32; n(G31) = 1, n(G32) = 10; n(G31) < 2, undo delete e4
- delete e7; P(G4) = 2; two subgraphs G41, G42; n(G41) = 5, n(G42) = 5; w(G41) = 56, w(G42) = 42; w(G41) > THRESHOLD, w(G42) > THRESHOLD
- delete e11; P(G5) = 3; three subgraphs G51, G52, G53; n(G51) = 1, n(G52) = 4, n(G53) = 5; n(G51) < 2, undo delete e11
- delete e6; P(G6) = 3; three subgraphs G61, G62, G63; n(G61) = 1, n(G62) = 4, n(G63) = 5; n(G61) < 2, undo delete e6
- delete e3; P(G7) = 3; three subgraphs G71, G72, G73; n(G71) = 2, n(G72) = 3, n(G73) = 5; w(G71) = 30, w(G72) = 16, w(G73) = 42; n(G71) == 2, OK; w(G72) <= THRESHOLD, OK

To keep the demo simple, only subgraph G73 is taken into examination next.

P(G73) = 1
- delete e8; e8 ∉ G73, undo delete e8
- delete e9; P(G731) = 2; two subgraphs G7311, G7312; n(G7311) = 2, n(G7312) = 3; w(G7311) = 9, w(G7312) = 24; w(G7311) <= THRESHOLD, OK; w(G7312) <= THRESHOLD, OK

Figure 3. WUAG1
Figure 4. WUAG1 grouped
Figure 5. WUAG2

The original graph is grouped into four TCs. Each TC is a vertex in the new graph, and the number applied to each edge is the number of communications between TCs, as shown in figure 5. As the new graph doesn’t meet the algorithm’s requirement, the grouping algorithm should execute again.
Initial state: figure 5; THRESHOLD = 25; w(G) = 34; P(G) = 1; n(G) = 4

Demonstration:
w(G) > THRESHOLD
P(G) = 1

Table 2. edges from small to large
weight:  5    7    10   12
edge:    e4   e2   e1   e3

- delete e4; P(G1) = 1
- delete e2; P(G2) = 2; two subgraphs G21, G22; n(G21) = 2, n(G22) = 2; w(G21) = 10, w(G22) = 12; w(G21) <= THRESHOLD, OK; w(G22) <= THRESHOLD, OK

In the previous step, we get two new TCs, and further work needs to be done to check whether the current architecture has met the algorithm’s requirement. As figure 7 shows, n(G) = 2 and w(G) < THRESHOLD. The entire algorithm has finished, and the resulting architecture is shown in figure 2 with IdM deployed.

B. Security Issues

In [14], the authors have already proposed an intrusion detection Web Service based on the VM-based intrusion detection system. It is not complicated to adopt this solution in our proposed architecture. As discussed above, there are two basic categories of intrusion detection techniques: anomaly detection and misuse detection. While the anomaly detection system has the advantage of detecting previously unknown attacks, distinguishing anomalous from normal behavior is a tough job. This paper imports the idea of a preventing fraud trust model in P2P networks [16]; the part of [16] useful to this paper is the basic trust model of direct trust.

Assume that in the SOA cloud computing environment, U is the service request node and S is the service provide node. We define T_{U→S} as the trust of U in S. The formula for calculating T_{U→S} is:

(1)

Ev_n is the evaluation of the current trade. When a normal trade happens, Ev_n is a positive number. On the contrary, Ev_n is a negative number when an anomalous trade happens. is the trust before the current trade. And α is the aggregation weight of the current evaluation and the historical trust. The value of α can be changed according to whether there is an anomalous behavior or not.
As demonstrated in [11], a basic assumption of anomaly detection is that attacks differ from normal behavior. But the definition of what is normal and what is abnormal is ambiguous. For example, a particular user typically logs in around 10 am. But one day, the user logged in at 3 am. This activity can be flagged as suspicious. So data mining technology is needed to do analysis before formula (1) is applied.

IV. CONCLUSION

In this paper, we research identity management in cloud computing and propose a decentralized approach for IdM, considering that with the scale of the cloud and the number of users surging, the traditional federated IdM will be the bottleneck of cloud computing. This paper demonstrates the architecture of the proposed approach and the algorithm for implementing the architecture. Finally, this paper also involves security issues. This makes the paper integrated. With the development of cloud computing, issues related to the core of the cloud are receiving heavy attention. Considering and completing every aspect of cloud computing is the prerequisite for the new paradigm to be widely accepted.

V. FUTURE WORK

The grouping algorithm is rough and not flexible enough. So the next job is optimizing the algorithm. Also, a prototype implementation is needed.

VI. ACKNOWLEDGEMENT

This work is supported by the project of the Science and Technology Commission of Shanghai Municipality: 10510500600, by Shanghai Leading Academic Discipline Project [J50103].

Figure 1. WUAG2 grouped
Figure 7. WUAG3

REFERENCES

[1] “Twenty Experts Define Cloud Computing”, SYS-CON Media Inc, http://cloudcomputing.sys-con.com/read/612375_p.htm, 2008.
[2] Foster, I. and Yong Zhao and Raicu, I. and Lu, S., “Cloud Computing and Grid Computing 360-Degree Compared,” in Grid Computing Environments Workshop, 2008. GCE '08, November 2008, pp. 1 - 10.
[3] K. Hamlen, and Peng Liu and M. Kantarcioglu, and B. Thuraisingham, and Ting Yu, “IDENTITY MANAGEMENT FOR CLOUD COMPUTING: DEVELOPMENTS AND DIRECTIONS,” in CSIIRW '11 Proceedings of the Seventh Annual Workshop on Cyber Security and Information Intelligence Research, ACM New York, USA 2011, Article No. 32, pp. 1 - 5.
[4] P. Angin, B. Bhargava, R. Ranchal, N. Singh, L. B. Othmane, L. Lilien, and M. Linderman, “An Entity-Centric Approach for Privacy and Identity Management in Cloud Computing,” Proc. 29th IEEE Intl. Symp. on Reliable Distributed Systems (SRDS 10), pp. 177–183, doi: 10.1109/SRDS.2010.28.
[5] M. Dabrowski, and P. Pacyna, “Generic and complete three-level identity management model,” In 2nd International Conference on Emerging Security Information, Systems and Technologies, Cap Esterel. 2008.
[6] R. H. Khan and J. Ylitalot and A. S. Ahmed, “OpenID Authentication As A Service in OpenStack,” Information Assurance and Security (IAS), 2011 7th International Conference on, 5-8 Dec. 2011, pp. 372 - 377.
[7] Wikipedia, “Single sign-on”, [Online], http://en.wikipedia.org/w/index.php?title=Single_sign-on&oldid=492585709, Last Accessed: May 24, 2012.
[8] A. Jøsang, J. Fabre, B. Hay, J. Dalziel, S. Pope, “Trust Requirements in Identity Management”, Proceedings of the 2005 Australasian workshop on Grid computing and e-research - Volume 44, 2005.
[9] H. Koshutanski, M. Ion, and L. Telesca, “Distributed Identity Management Model for Digital Ecosystems” in International Conference on Emerging Security Information, Systems and Technologies (Securware'07) Valencia, 2007.
[10] A. Celesti, F. Tusa, M. Villari, A Puliafito, “Security and Cloud Computing: InterCloud Identity Management Infrastructure”, 19th IEEE International Workshop on Enabling Technologies: Infrastructures for Collaborative Enterprises (WETICE), 2010, pp. 263-265.
[11] R. A. Kemmerer and G. Vigna, “Intrusion detection: a brief history and overview,” Computer, vol. 35, no. 4, pp. 27–30, 2002.
[12] B. R. Kandukuri, R. Paturi, and A. Rakshit, “Cloud Security Issues,” in IEEE International Conference on Services Computing, 2009, pp. 517-520.
[13] K. Vieira, A. Schulter, C. B. Westphall, and C. M. Westphall, “Intrusion Detection for Grid and Cloud Computing,” IT Professionals, pp. 38-43, July/August 2010.
[14] S. Roschke, F. Cheng, and Ch. Meinel, “Intrusion Detection in the Cloud,” in Eighth IEEE International Conference on Dependable, Autonomic, and Secure Computing, 2009, pp. 729-734.
[15] S. Suthaharan, T. Panchagnula, “Relevance Feature Selection with Data Cleaning for Intrusion Detection System”, in IEEE SoutheastCon 2012 conference on Innovating For A Better Tomorrow, March 15-18, 2012.
[16] S. Liu, Y. Yu, J. Xu, Z. Huang, “A Preventing Fraud Trust Model in P2P Networks”, in IEEE 26th International Parallel and Distributed Processing Symposium Workshops & PhD Forum, 2012, pp. 2299-2305.