Articles published on Access Control Policies
1260 Search results
- Research Article
- 10.1016/j.jisa.2026.104379
- May 1, 2026
- Journal of Information Security and Applications
- Sakuna Harinda Jayasundara + 2 more
• We introduce AGentVLM, a novel access control policy generation and verification framework.
• We introduce a novel access control-specific structured information extraction method for translating complex natural language access requirements into access control policies.
• We introduce a novel access control policy verification technique.
• We evaluate AGentVLM, showing it achieves state-of-the-art accuracy.
• We release two annotated datasets, addressing the data scarcity.
Manual generation of access control policies from high-level organizational requirements is labor-intensive and error-prone, often leading to critical failures and data breaches. While automated frameworks have been proposed, existing approaches struggle with complex access requirements due to poor domain adaptation, limiting their accuracy. To address these challenges, we propose AGentVLM, a novel access control policy generation and verification framework based on small, open-source language models (LMs). Our framework enables its efficient on-premise deployment, preserving data confidentiality by avoiding reliance on third-party black-box LMs. AGentVLM excels in identifying natural language access control policies (NLACPs) from high-level requirements, achieving an average F1 score of 90.6%. Unlike existing frameworks limited to generating simple policies with three components (subject, action, resource), AGentVLM effectively extracts complex elements such as purposes and conditions using an access control-specific structured information extraction technique. This method captures both word-level and semantic information at the same time from NLACPs, leading to a state-of-the-art policy generation F1 score of 80.6%. Additionally, AGentVLM introduces a verification technique that provides actionable feedback, allowing administrators to refine inaccurate policies before deployment. To support future research, we also release two annotated datasets addressing the scarcity of domain-specific data.
- Research Article
- 10.30574/ijsra.2026.19.1.0785
- Apr 30, 2026
- International Journal of Science and Research Archive
- Chika Lilian Onyagu + 3 more
The rapid proliferation of Internet of Things (IoT) devices and distributed computing platforms has accelerated the adoption of the edge–cloud continuum, an architectural paradigm that integrates edge devices, fog nodes, and centralized cloud infrastructures to support real-time data processing and latency-sensitive applications. While this architecture enhances scalability, responsiveness, and intelligent service delivery, it simultaneously expands the cyber-attack surface due to the presence of heterogeneous, resource-constrained, and geographically distributed devices. Traditional perimeter-based security mechanisms are increasingly inadequate for protecting such dynamic environments, while many existing Zero Trust Architecture (ZTA) implementations rely on static access control policies and centralized decision mechanisms that limit scalability and real-time responsiveness. This study proposes a Machine Learning-Driven Self-Healing Zero Trust Architecture (SH-ZTA) designed to enable autonomous cyber resilience across the edge–cloud continuum. The framework integrates Graph Neural Networks (GNNs) for relational anomaly detection and Deep Reinforcement Learning (DRL) for adaptive security policy orchestration. Network telemetry data collected from IoT devices and edge gateways are represented as communication graphs, enabling the detection of abnormal interactions, compromised nodes, and potential lateral movement attacks. The reinforcement learning agent dynamically enforces micro-segmentation policies, isolates malicious entities, and reconfigures network pathways to maintain operational continuity without human intervention. Experimental evaluation conducted in a simulated edge computing environment demonstrates that the proposed SH-ZTA framework significantly improves threat mitigation efficiency while maintaining low computational overhead suitable for resource-constrained devices. 
The results show improved detection accuracy, faster response latency, and enhanced network resilience compared to conventional security approaches.
- Research Article
- 10.3390/app16094182
- Apr 24, 2026
- Applied Sciences
- Leda Kamal + 1 more
Ensuring data security and privacy has emerged as a serious concern in the realm of the blood supply chain. This is mainly because of the sensitivity of donor information, the involvement of multiple stakeholders, and the need for transparent traceability. This paper proposes a novel privacy-preserving, permissioned blockchain framework for blood supply chain management that integrates Hyperledger Fabric, the InterPlanetary File System (IPFS), and a Zero-Knowledge Proof (ZKP)-based authentication protocol. The framework introduces a Pseudonymous Role-Bound Zero-Knowledge Authentication (PRZKA) mechanism that enables donors to authenticate and authorize access to their medical data without revealing their real identities. Context-specific pseudonyms derived through cryptographic hash-to-curve operations ensure unlinkability across different healthcare interactions, while Schnorr-style challenge–response proofs prevent replay attacks and credential misuse. Sensitive donor information is protected using Fabric Private Data Collections, whereas encrypted medical records are stored off-chain in IPFS, with only secure content identifiers recorded on the blockchain. Smart contracts enforce fine-grained, consent-aware access control policies and maintain immutable audit logs of all access events. The proposed system architecture combines an off-chain ZKP gateway with on-chain authorization logic to minimize blockchain overhead while preserving strong security guarantees. Furthermore, a performance evaluation framework is defined, including metrics, workload scenarios, and system configurations, to support future empirical validation. Security analysis indicates that the proposed framework enhances privacy, prevents identity linkage, and enables auditable, consent-driven data sharing compared with existing blockchain-based healthcare solutions.
- Research Article
- 10.1080/1206212x.2026.2659275
- Apr 18, 2026
- International Journal of Computers and Applications
- Yasir A Hamza + 1 more
In this study, we propose a new insider cyberthreat detection (ICD) framework called CMS-DDQN. The CMS-DDQN model is also integrated with ZTA in order to provide adaptive insider cyber defence. Additionally, the proposed framework combines multimodal behavioral analytics, semantic content representations, and RL-based decision-making in order to support a unified pipeline that is capable of performing detection, decision, and mitigation. The semantic embeddings extracted from file, email, and HTTP content using SBERT are compressed through self-supervised autoencoders to generate compact latent representations that are able to capture both behavioral semantics and contextual information. Accordingly, the agent learns adaptive access control policies within a custom ZT environment through four security actions: allow, limited access, escalation, and denial. Based on the experimental results, the evaluation on the CERT r6.2 dataset indicates that our CMS-DDQN framework is capable of achieving strong detection capability with 0.9947 accuracy, 0.9660 recall, 0.9328 precision, an F1-score of 0.9491, and an AUC of 0.9988. These findings indicate that the CMS-DDQN model has near-perfect discrimination between malicious and benign behaviors. The results also demonstrate that integrating semantic content awareness, self-supervised representation learning, and RL-based policy optimization significantly improves detection robustness and enables adaptive ZT enforcement.
- Research Article
- 10.4082/kjfm.25.0122
- Apr 8, 2026
- Korean Journal of Family Medicine
- Wiwat Sungkhabut + 4 more
The rapid growth of online alcohol sales, delivery services, and digital marketing has increased alcohol availability and heightened public health concerns, particularly among adolescents. However, regulatory responses remain inconsistent and vary significantly across regions. This scoping review synthesizes global regulatory approaches to online alcohol access, encompassing both established Western models and emerging Asian frameworks, and identifies key cross-national patterns and policy gaps. This scoping review followed PRISMA-ScR (preferred reporting items for systematic reviews and meta-analyses extension for scoping reviews) and Joanna Briggs Institute guidance. Searches of four electronic databases were complemented by a supplementary gray literature search targeting specific Asian jurisdictions to minimize geographic bias. The identified sources included policies and peer-reviewed studies on online alcohol sales, delivery practices, age-verification procedures, and digital marketing regulations. Data were systematically organized by regulatory domain and analyzed using a comparative socio-political framework (liberalism vs. paternalism) to interpret cross-national differences. The analysis of 34 documents across five regulatory domains revealed a distinct global divide. Western nations predominantly rely on co-regulatory models that frequently suffer from significant enforcement gaps, whereas Asian jurisdictions employ strict structural barriers. These include mandatory digital real-name authentication, "Smart Order" systems, and joint platform liability, designed to effectively restrict underage access where Western self-regulation has historically failed. To address global enforcement gaps, future policies must evolve from "soft" co-regulation to "hard" technical mandates. Integrating Asian-style digital identity systems with strict platform liability offers a viable pathway to effectively restrict underage access and reduce alcohol-related harm.
- Research Article
- 10.59256/indjcst.20260501033
- Mar 28, 2026
- Indian Journal of Computer Science and Technology
- M Saravanakumar + 1 more
Smartphone compromise detection is challenging because a single software-only check can be hidden, replayed, or forged by a capable attacker. This paper presents Quorum Seal, an evidence-based mobile trust attestation framework that evaluates whether a device is trustworthy enough for sensitive actions such as login, payment approval, marks entry, and protected data access. Quorum Seal uses a nonce-based challenge–response protocol, on-device sensor capture, compact statistical feature extraction, and server-side weighted quorum verification to classify a session as Trusted, Suspicious, or Untrusted. The complete system adds cross-sensor conflict fingerprinting, Adaptive Challenge Escalation, dynamic quorum adaptation for missing or low-quality sensors, and an entropy analyzer to detect low-variance or synthetic motion patterns. Each verification produces an explainable evidence record retrievable via /evidence/{id}, exposing the checks, penalties, and reasons behind the verdict. The prototype is implemented with a Flutter Android client and a FastAPI backend exposing /challenge, /verify, and /evidence/{id}, and has been validated using reproducible evidence outputs, including real-device runs. Rather than claiming absolute malware diagnosis, Quorum Seal provides a practical and auditable transaction-time trust decision that raises attacker cost and supports safer access-control policies.
- Research Article
- 10.3390/axioms15030229
- Mar 19, 2026
- Axioms
- Valentyn Sobchuk + 3 more
This paper proposes an impulsive SIRQ model for the analysis of computer network resilience against malware propagation and distributed denial-of-service (DDoS) attacks. The model extends classical epidemic frameworks by combining the continuous-time dynamics of malicious object spreading with discrete control actions corresponding to mass updates, node isolation, and access control policies. A qualitative analysis of the resulting system of impulsive differential equations is performed. The basic reproduction number R0, identified as a threshold parameter characterizing the intensity of attack propagation, and sufficient conditions for the global asymptotic stability of the infection-free state are established. It is shown that, under periodic impulsive control, the infection-free state can be stabilized with respect to the target population coordinates even when R0>1. An exponential decay estimate for the total active threat is derived, guaranteeing the asymptotic extinction of the infected and quarantined node populations. The proposed approach provides quantitative criteria for the effectiveness of impulsive cyber defense strategies and offers a theoretical foundation for the design of adaptive multi-layer protection systems for critical information infrastructures. Practical interpretation of the results illustrates the dependence of the critical impulsive control period on the model parameters and demonstrates the applicability of the approach to cybersecurity strategy design.
- Research Article
- 10.1177/0926227x261428667
- Mar 5, 2026
- Journal of Computer Security
- Ahmed Khalil Abdulla + 2 more
The increasing presence of smart mobile devices in sensitive environments raises significant security and privacy concerns, particularly due to the unauthorized usage of built-in sensors such as cameras and microphones. However, space owners currently have limited means to enforce restrictions on mobile devices within their premises. To address this issue, we propose a novel location-based access control system utilizing Bluetooth Low Energy (BLE) beacons to dynamically enforce security policies. The proposed system introduces the jumbo beacon concept, which enables fragmented transmission and reassembly of signed access control policies, overcoming BLE payload limitations. Unlike centralized enforcement models, our approach is fully decentralized, eliminating the need for a trusted central server and providing a flexible, scalable mechanism for enforcing fine-grained access policies. The system is implemented as a native security module within the Android operating system, ensuring tamper-resistant enforcement of policies while preventing unauthorized modifications. A proof-of-concept implementation demonstrates the system’s effectiveness, highlighting its real-time policy enforcement capabilities and resilience against adversarial threats. The results indicate that our approach offers a lightweight, scalable, and secure solution for enforcing location-based access control in dynamic environments.
- Research Article
- 10.1016/j.rineng.2026.109740
- Mar 1, 2026
- Results in Engineering
- Manar Abu Talib + 5 more
Blockchain-enabled halal food certification and supply chain framework in the UAE
- Research Article
- 10.1177/0926227x261421496
- Feb 26, 2026
- Journal of Computer Security
- Duc-Hieu Nguyen + 3 more
Access control policies (ACPs) are essential for creating a secure access control system. ACPs are often studied and specified based on access control models, such as attribute-based access control (ABAC). Moreover, the execution of business process instances is typically recorded in a business process event log. Ensuring conformance with ABAC policies for the process log at the time of post-execution is crucial. To perform conformance testing of ABAC policies for event logs, it is necessary to formalize the ABAC policies. However, this formalization is typically carried out manually, leading to low efficiency and maintainability, as well as a high risk of errors and difficulty in detecting them. Also, the top-down approach for ABAC policy engineering is often less feasible due to the challenges and costs associated with manually developing ABAC policies, which makes it difficult to document security requirements. Besides, there is a lack of an ABAC metamodel that supports the formalization and conformance testing of ABAC policies, and little attention is paid to constructing ABAC policies from existing event logs. This paper presents a fine-grained and highly automated model-driven framework enabling the formalization and conformance testing of ABAC policies for business processes. In our approach, an ABAC metamodel and its patterns are proposed to solve the problems mentioned above. The approach is experimented with and evaluated on three business processes: one simulated and two real-world processes.
- Research Article
- 10.1007/s10207-025-01130-z
- Feb 26, 2026
- International Journal of Information Security
- Azan Hamad Alkhorem + 3 more
Zero Trust is an approach allowing for increased security by providing an object or a subject with the three CIA (Confidentiality, Integrity, Availability) security aspects. To comply with the CIA criteria, access control models need to support functionalities such as: a) safer permission grant and authorization processes, b) policy decision delivery to single or multiple users, and c) policy decision delivery to single or multiple actions or objects. In addition, we need to consider redundancy, conflict detection, different types of permissions to delegate, delegation, and the separation of duties (SoD) with different types. Extensive literature exists with respect to delegation operations on access control models, but most of them do not consider redundancy or partial conflict detection with regard to the standard policies. We address the positive and negative policies resolution as a precursor to the delegation request resolution. We address the resolutions in context of the standard policies that allow or deny an action on the object to a single or multiple subjects. We provide an analysis via multiple case studies using a Python implementation of the HPol (Hierarchical Policy) model. Our analysis demonstrates the ability of the HPol model to handle access control resolution issues discussed, with proof of results in context of the positive and negative (YES & NO) policy requests.
- Research Article
- 10.64751/ajadtrp.2026.v7.n1.pp38-46
- Feb 12, 2026
- American Journal of AI Digital Transformation and Regenerative Pharmacist
- Dr Shanigarapu Naresh Kumar
The rapid expansion of remote work, cloud services, and distributed enterprise infrastructures has significantly increased cybersecurity risks, rendering traditional perimeter-based security models inadequate. Zero-Trust Architecture (ZTA) has emerged as a modern security paradigm that assumes no implicit trust and continuously verifies user identity and device integrity. However, conventional authentication mechanisms such as passwords and one-time verification methods are insufficient to ensure persistent security throughout a user session. This paper proposes a Deep Learning-Based Continuous Authentication Framework tailored for Zero-Trust enterprise environments. The system leverages behavioral biometrics, including keystroke dynamics, mouse movements, and user interaction patterns, to continuously verify user identity in real time. Advanced deep learning models such as Long Short-Term Memory (LSTM) networks and Convolutional Neural Networks (CNNs) are employed to model temporal and spatial behavioral patterns. The framework integrates risk-based scoring and adaptive access control policies to dynamically enforce authentication decisions. Experimental evaluation demonstrates improved detection accuracy, reduced false acceptance rates, and minimal user disruption compared to traditional authentication systems. The proposed solution strengthens enterprise security by enabling adaptive, non-intrusive, and real-time identity verification aligned with Zero-Trust principles.
- Research Article
- 10.64751/ajaccm.2026.v6.n1.pp13-21
- Feb 12, 2026
- American Journal of AI Cyber Computing Management
- Dr. M. Subba Reddy
Cloud computing has become a fundamental platform for large-scale data storage due to its flexibility, cost-effectiveness, and scalability. However, the outsourcing of sensitive data to third-party cloud providers introduces significant security and privacy challenges, including unauthorized access, data breaches, and insider threats. To address these concerns, this paper proposes a Scalable and Secure Cloud Data Storage Model that integrates Advanced Encryption Standard (AES) cryptography with robust access control policies. The proposed framework ensures data confidentiality by encrypting files at the client side before uploading them to the cloud, thereby preventing unauthorized disclosure even if the storage server is compromised. Role-Based Access Control (RBAC) mechanisms are implemented to enforce fine-grained authorization, allowing only authenticated users to access or modify data based on predefined roles and privileges. The model also incorporates secure key management and audit logging to enhance accountability and traceability. Experimental evaluation demonstrates that the proposed system achieves high security with minimal computational overhead while maintaining scalability for large datasets. The framework provides a practical and efficient solution for secure cloud data storage in enterprise and academic environments.
- Research Article
- 10.1016/j.future.2025.108067
- Feb 1, 2026
- Future Generation Computer Systems
- Loay Alajramy + 4 more
On-device derivation of IoT usage control policies: Automating U-XACML policy generation from natural language with LLMs in smart homes environments
- Research Article
- 10.1007/s41019-025-00320-y
- Jan 29, 2026
- Data Science and Engineering
- Nikos Fotiou + 4 more
Data spaces are an emerging concept with significant potential to enable a data-centric economy by fostering seamless and secure data sharing across diverse stakeholders. These environments are designed to unlock the value of data by ensuring interoperability and collaboration, which are essential for innovation and informed decision-making. However, managing access control in data spaces poses unique challenges, as it must account for complex relationships not only among stakeholders but also among data items themselves, requiring a flexible and context-aware approach. To this end, in this paper we present the design, implementation, and evaluation of an access control solution tailored for data spaces. Our solution leverages the paradigm of Relationship-Based Access Control (ReBAC), enabling the definition and enforcement of access control policies that consider the relationships between entities within the data space, as well as data consumer organisational structures. Furthermore, we propose a distributed version of our solution to facilitate the segregation of access control management across different administrative domains. Our approach supports fine-grained, continuous access control by dynamically evaluating the context of both the protected data items and the consumers of the data space. To ensure compatibility with existing data-sharing standards, we have integrated our solution with ETSI NGSI-LD API, a standardised interface for interacting with data spaces.
- Research Article
- 10.1186/s42400-025-00410-4
- Jan 26, 2026
- Cybersecurity
- Da Zhang + 3 more
The trend of heterogeneous servers and the rise of Software-Defined Data Center (SDDC) have transformed data center management. Collaborative management of hardware and software is crucial for rapid deployment and migration. As the boundary between physical infrastructure and virtual infrastructure blurs, data center management faces challenges in fine-grained resource provisioning, energy efficiency optimization, and security assurance. To address these challenges, this paper proposes a novel Software-Defined Platform Management (SDPM) architecture based on out-of-band management. This architecture extends server platform management capabilities from physical infrastructure to virtual machines. By abstracting heterogeneous resources into execution points managed by a centralized control plane and consolidating standard industry interfaces, the architecture introduces capabilities for resource provisioning, energy consumption regulation, as well as access control and trusted computing support. A prototype implementation on a real server and experimental results demonstrate that the architecture can dynamically allocate resources based on predictions of virtual machine workloads, optimize energy consumption through workload-aware and temperature-driven fan control, and support secure communication channels to implement advanced access control policies. These results highlight SDPM’s potential in advancing resource provisioning, energy efficiency, and security in modern data centers.
- Research Article
- 10.52783/jisem.v11i1s.14136
- Jan 5, 2026
- Journal of Information Systems Engineering and Management
- Damodhar Reddy Ramesh Reddy Mutayalwad
Cloud-based customer relationship management platforms accumulate vast quantities of heterogeneous data assets across multiple interaction channels. Traditional analytics frameworks struggle to synthesize dispersed knowledge fragments into actionable customer insights. Retrieval-augmented generation architectures offer promising solutions for grounding language model outputs in external knowledge repositories. The article presents a comprehensive framework for deploying enterprise-grade RAG systems within cloud CRM environments. The architectural foundation establishes semantic representation through transformer-based embedding models utilizing siamese network structures. Hierarchical navigable small world graphs enable efficient approximate nearest neighbor search across distributed vector indices. The retrieval pipeline combines sparse lexical matching with dense semantic search to maximize recall across diverse query formulations. Cross-encoder reranking refines relevance ordering through fine-grained attention-based scoring mechanisms. The generation component receives retrieved context through structured prompting templates with validation mechanisms detecting hallucinated content. Attribute-based access control policies enforce data governance throughout the retrieval-generation pipeline. Blockchain-based audit frameworks provide tamper-evident logging for regulatory compliance demonstration. The agency security framework contains enterprise-unique compliance responsibilities throughout international CRM deployments serving multilingual patron bases.
- Research Article
- 10.63282/3050-922x.ijeret-v7i2p113
- Jan 1, 2026
- International Journal of Emerging Research in Engineering and Technology
- Bharat Singh Chaudhary
Multi-tenant Kubernetes clusters present a unique set of security challenges that single-tenant deployments simply do not face. When multiple development teams, business units, or even external customers share the same underlying cluster infrastructure, the blast radius of any misconfiguration or privilege escalation grows dramatically. A compromised pod in one tenant's namespace can, without proper controls, enumerate services in every other namespace, access secrets belonging to other teams, and even escape to the host node if pod security settings are not enforced. These are not theoretical risks; they are the exact attack patterns documented in the MITRE ATT&CK Container Matrix and exploited in real-world Kubernetes breaches. This paper examines the design and enforcement of Role-Based Access Control (RBAC) policies and Kubernetes Network Policies in multi-tenant environments, drawing on operational experience managing enterprise telecommunications infrastructure with over 200 namespaces across development, staging, and production tiers. We propose a layered access-control framework that combines namespace-scoped RBAC bindings, default-deny network policy segmentation, Pod Security Standards enforcement, and Kyverno admission controller automation to achieve tenant isolation without sacrificing developer productivity. The framework is validated against six common attack scenarios from the MITRE ATT&CK Container Matrix, including lateral pod-to-pod movement, privilege escalation through service account token abuse, privileged container escape, cross-namespace kubectl access, egress to external command-and-control servers, and unauthorized image deployment from untrusted registries. Results indicate that the proposed layered approach blocks 100 percent of tested cross-tenant access attempts while adding only 12 milliseconds of admission webhook latency per request. The paper also discusses the operational trade-offs between namespace-level soft multi-tenancy and hard multi-tenancy approaches using virtual cluster solutions.
- Research Article
- 10.1109/tvt.2026.3670472
- Jan 1, 2026
- IEEE Transactions on Vehicular Technology
- Qiang Zhi + 3 more
In highly dynamic and interference-prone environments, secure access to wireless communication spectrum and protection of user privacy present significant challenges. To address these issues, this paper proposes a novel framework called the Secure and Privacy-Enhanced Channel Transmission Architecture (SPECTRA). SPECTRA enables fine-grained access control policies defined by a trusted authority and enforces them through distributed Semi-Trusted Distributed Servers (STDSs) using Attribute-Based Encryption and Zero-Knowledge Proofs. This design allows for dynamic spectrum authorization without revealing the requester's sensitive attributes. Furthermore, the frequency-hopping process is modeled as a Markov Decision Process (MDP), and optimized through Proximal Policy Optimization (PPO) to adaptively enhance communication reliability and resistance to interference. SPECTRA also supports both secure replacement and secure incremental update mechanisms, incorporating hash aggregation and elliptic curve signature-based batch verification to improve the efficiency and security of multi-request authentication. Extensive simulations demonstrate that SPECTRA achieves high-accuracy access control, effective communication privacy preservation, and stable frequency-hopping performance under adversarial and uncertain conditions.
- Research Article
- 10.15407/jai2025.04.124
- Dec 30, 2025
- Artificial Intelligence
- Horelikova T + 2 more
With the rapid digitalization of healthcare and the growing use of artificial intelligence (AI) in diagnostic, prognostic, and decision-support systems, the protection of sensitive medical data is becoming a critical priority. This article introduces an improved model designed to safeguard medical information within blockchain-based AI systems, ensuring both robust cybersecurity and ethical data management. The proposed approach relies on a combination of randomized checkpoints and stochastic node confirmation, which together create a resilient mechanism against unauthorized access, data tampering, and single-point failures. Such a structure enhances transparency, decentralization, and traceability of data flows, all of which are essential for modern e-health ecosystems. By integrating blockchain technology with intelligent agents, smart contracts, and adaptive access-control policies, it becomes possible to automate and regulate the use of confidential medical records in a highly secure and ethically sound manner. Smart contracts can dynamically enforce patient consent, restrict operations according to predefined rules, and verify the integrity of AI-generated recommendations. At the same time, intelligent agents enable flexible interaction between AI modules, medical institutions, and secure storage layers, ensuring that data are accessed strictly on a need-to-know basis. Our approach makes a significant contribution to strengthening the cybersecurity of medical AI systems and offers an innovative technological foundation for developing reliable, transparent, and resilient e-health infrastructures in Ukraine. It also opens the door to scalable national platforms where medical data can be securely analyzed, shared, and utilized for improving healthcare outcomes while fully respecting patient privacy.