Access Control Approach Research Articles

CTRAC: A Combined Trust and Recommendation based Access Control Approach for Cloud Computing

Trust management plays a significant role in the cloud computing application. Due to the dynamic nature of the cloud, continuous monitoring of the trust attributes is highly essential to enforce Service-Level Agreement (SLA) between the user and service provider. Existing access control techniques cannot satisfy the security prerequisites of the cloud environment. This paper proposes a combined trust and recommendation based access control (CTRAC) approach to ensure high-level security in the cloud environment. The trust value of the user and service provider is evaluated after the content-based and collaborative filtering process. If the trust value of the user is greater than the threshold value, the cloud service is provided to the user. Otherwise, the user is blocked. If the trust value of the provider is greater than the threshold value, the service provider is selected. Otherwise, the provider is blocked. If the trust value between the service providers is greater than the threshold value, ontology formation and service provision are performed. Otherwise, the service provider is searched. The proposed approach achieves better performance in terms of rate of successful transactions, memory consumption, rating performance, error rate and malicious user rating.

A Fine-Grained Analysis of User Activity on Mobile Applications: The Sensitivity Level Perception

Mobile devices contain different levels of data and applications such as photos, text messages, emails and mobile banking applications. Each process within each application has a different level of sensitivity; thus, protection needs to be considered in this context after initial access to the mobile device. The main aim of this research is to investigate when to authenticate the mobile user by focusing on the sensitivity level of each intra-process (within the application) and understanding whether a certain user action in a process may require protection. To accomplish this, the 10 most popular mobile categories were analysed to gain a comprehensive understanding of how to categorise the applications in terms of their sensitivity level. Building upon this analysis, the results show that 78% of 125 user actions are considered sensitive processes. This paper also demonstrates that existing authentication systems lack adequate security solutions to unauthorised access to the mobile device. Consequently, this indicates the need for a robust and usable access control approach to establish a transparent and a continuous authentication system.

On Properties of Policy-Based Specifications

The advent of large-scale, complex computing systems has dramatically increased the difficulties of securing accesses to systems' resources. To ensure confidentiality and integrity, the exploitation of access control mechanisms has thus become a crucial issue in the design of modern computing systems. Among the different access control approaches proposed in the last decades, the policy-based one permits to capture, by resorting to the concept of attribute, all systems' security-relevant information and to be, at the same time, sufficiently flexible and expressive to represent the other approaches. In this paper, we move a step further to understand the effectiveness of policy-based specifications by studying how they permit to enforce traditional security properties. To support system designers in developing and maintaining policy-based specifications, we formalise also some relevant properties regarding the structure of policies. By means of a case study from the banking domain, we present real instances of such properties and outline an approach towards their automatised verification.

Preserving Smart Objects Privacy through Anonymous and Accountable Access Control for a M2M-Enabled Internet of Things.

As we get into the Internet of Things era, security and privacy concerns remain as the main obstacles in the development of innovative and valuable services to be exploited by society. Given the Machine-to-Machine (M2M) nature of these emerging scenarios, the application of current privacy-friendly technologies needs to be reconsidered and adapted to be deployed in such global ecosystem. This work proposes different privacy-preserving mechanisms through the application of anonymous credential systems and certificateless public key cryptography. The resulting alternatives are intended to enable an anonymous and accountable access control approach to be deployed on large-scale scenarios, such as Smart Cities. Furthermore, the proposed mechanisms have been deployed on constrained devices, in order to assess their suitability for a secure and privacy-preserving M2M-enabled Internet of Things.

An ontological framework for situation-aware access control of software services

Situation-aware applications need to capture relevant context information and user intention or purpose, to provide situation-specific access to software services. As such, a situation-aware access control approach coupled with purpose-oriented information is of critical importance. However, modelling purpose-oriented situations is a challenging task. Existing modelling approaches for situation-aware systems are not adequate to express purpose-oriented situations. Furthermore, existing context/situation-aware access control approaches are highly domain-specific and do not consider purpose-oriented information. In this paper we consider purpose-oriented situations rather than conventional situations (e.g., user׳s state) in proposing a generic situation-aware access control framework for software services. We take situation to mean the states of the entities and their relationships that are relevant to the purpose of a resource access request. Our framework includes a situation model specific to access control, identifying the relevant purpose-oriented situation information. Using the situation model, the policy model of the framework provides support for specifying and enforcing situation-aware access control policies. A software prototype has been developed to demonstrate the practical applicability of the framework. In addition, we demonstrate the general applicability of our framework through two case studies from different domains. Experiments are conducted to quantify the performance overhead of providing such situation-aware access control for software services.

Toward a flexible and fine‐grained access control framework for infrastructure as a service clouds

AbstractCloud computing, as an emerging computing paradigm, greatly facilitates resource sharing and enables providing computing power as services over the Internet. However, it also brings new challenges for security and access control, especially in infrastructure as a service clouds. The introduction of virtualization layer increases new security risks, which should be restricted and confined by more stringent access control techniques. In this paper, we propose a flexible and fine‐grained access control framework, named IaaS‐oriented Hybrid Access Control (iHAC), which combines the advantages of both the role‐based access control and type enforcement model. We consider access control issues from the perspective of virtual machines. A permission transition model is designed to dynamically assign permissions to virtual machines. A Virtual Machine Monitor (VMM)‐based access control mechanism is presented to confine the virtual machine's behaviors in a fine‐grained manner. A VMM‐enabled network access control approach is proposed to regulate the communication among virtual machines. iHAC is successfully implemented in the Internet based Virtual Computing Infrastructure (iVIC) platform, and several experiments are conducted to evaluate its effectiveness and efficiency. The results show that iHAC can make correct access control decisions with low performance overhead. Copyright © 2015 John Wiley & Sons, Ltd.

A uniform approach for access control and business models with explicit rule realization

Access control is an important part of security in software, such as business applications, since it determines the access of users to objects and operations and the constraints of this access. Business and access control models are expressed using different representations. In addition, access control rules are not generally defined explicitly from access control models. Even though the business model and access control model are two separate modeling abstractions, they are inter-connected as access control is part of any business model. Therefore, the first goal is to add access control models to business models using the same fundamental building blocks. The second goal is to use these models and define general access control rules explicitly from these models so that the connection between models and their realizations are also present. This paper describes a new common representation for business models and classes of access control models based on the Resource---Event---Agent (REA) modeling approach to business models. In addition, the connection between models and their represented rules is clearly defined. We present a uniform approach to business and access control models. First, access control primitives are mapped onto REA-based access control patterns. Then, REA-based access control patterns are combined to define access control models. Based on these models, general access control rules are expressed in Extended Backus---Naur Form.

Distribute with Proficient Revocation of Data Stored in Clouds

Access control is processed on centralized form with key distributed center (KDC). Because of this data are affected if any one of the key gets attacks. To recover the data from the overall damage from attacks, providing attributes for the data in decentralized approach. Due to this attribute based access control for data in cloud storage. Secure the data storage in clouds, decentralized access control approach is introduced. Access control provides authentication for the user, in which only valid users are able to decrypt the stored information. User authentication and access control scheme are introduced in decentralized, which prevent replay attacks and supports modification on data stored in the cloud. Access control in clouds is gaining attention because it is important that only authorized users have to access to valid service. A huge amount of information is being stored in the cloud, and much of this is sensitive information. Clouds are being store sensitive information about patients to enable access to medical professionals, hospital staff, researchers, and policy makers. Decentralized approach and provides authentication without disclosing the identity of the users.

BYOD NETWORK: Enhancing Security through Trust–Aided Access Control Mechanisms

The growth of mobile devices both in variety and in computational abilities have given birth to a concept in the corporate world known as Bring Your Own Device (BYOD). Under this concept, Employees are allowed to bring personally owned mobile devices for official work. Though relatively new, it has gained up to 53% patronage among organisations, and it is expected to hit 88% in the near future. Its popularity is driven by significant advantages ranging from reduced cost, employee satisfaction to improved productivity. However, the concept also introduces new security challenges; for instance, the organisation looses the ownership of devices used for official work, to the employees. Implying that the employees own and manage the devices they use to work, including seeing to the security needs of such devices. With this development, protecting the corporate network becomes pertinent and even more challenging with an audacious need for outwittingconventional access control mechanisms, giving the highly dynamic nature of mobile devices. Considering the fact that BYOD is also a type of pervasive/dynamic environment, this work studies similar dynamic environments, relating to how their security challenges are addressed, and from such bases a Trust-Aided Dynamic Access Control Approach is proposed for enhancing the security of BYOD devices. Through computational analysis, this scheme has been seen to be security-compliant and could significantly improving the overall security of BYOD networks.

Role Refinement in Access Control: Model and Analysis

Access control mechanisms in software systems administer user privileges by granting users permission to perform certain operations while denying unauthorized access to others. Such mechanisms are essential to ensure that important business functions in an organization are conducted securely and smoothly. Currently, the dominant access control approach in most major software systems is role-based access control. In this approach, permissions are first assigned to roles, and users acquire permissions by becoming members of certain roles. However, given the dynamic nature of organizations, a fixed set of roles usually cannot meet the demands that users (existing or new) have to conduct business. The typical response to this problem is to myopically create new roles to meet immediate demand that cannot be satisfied by an existing set of roles. This ad hoc creation of roles invariably leads to a proliferation in the number of roles with the accompanying administrative overhead. Based on discussions with practitioners, we propose a role refinement scheme that reconstructs a system of roles to reduce the cost of role management. We first show that the role-refinement problem is strongly NP-hard and then provide two polynomial-time approximation algorithms (a greedy algorithm and a randomized rounding algorithm) and establish their performance guarantees. Finally, numerical experiments—based on a real data set from a firm's enterprise resource planning system—are conducted to demonstrate the applicability and performance of our refinement scheme.

Secure sharing of Personal Health Records in cloud computing: Ciphertext-Policy Attribute-Based Signcryption

The sharing of Personal Health Records (PHR) in cloud computing is a promising platform of health information exchange. However, the storage of personal medical and health information is usually outsourced to some third parties which may result in the exposure of patients’ privacy to unauthorized individuals or organizations. In order to address this security loophole, we suggest a promising solution. We propose a new approach for fine-grained access control and secure sharing of signcrypted (sign-then-encrypt) data. We call our new primitive Ciphertext-Policy Attribute-Based Signcryption (CP-ABSC) which satisfies the requirements of cloud computing scenarios for PHR. CP-ABSC combines the merits of digital signature and encryption to provide confidentiality, authenticity, unforgeability, anonymity and collusion resistance. The correctness, security and efficiency of this scheme are also proven.

Optimal Pricing for Duopoly in Cognitive Radio Networks: Cooperate or not Cooperate?

Pricing is an effective approach for spectrum access control in cognitive radio (CR) networks. In this paper, we study the pricing effect on the equilibrium behaviors of selfish secondary users' (SUs') data packets which are served by a CR base station (BS). From the SUs' point of view, a spectrum access decision on whether to join the queue of the BS or not is characterized through an individual optimal strategy that is joining the queue with a joining probability. This strategy also requires each SU to know the average queueing delay, which is a non-trivial problem. Toward this end, we provide queueing delay analysis by using the M/G/1 queue with breakdown. From the BS's point of view, we consider a duopoly market based on the two paradigms: the opportunistic dynamic spectrum access (O-DSA) and the mixed O-DSA & dedicated dynamic spectrum access (D-DSA). In the first paradigm, two co-located opportunistic-spectrum BSs utilize freely spectrum-holes to serve SUs. Then, we show the advantages of the cooperative scenario due to the unique solution that can be obtained in a distributed manner by using the dual decomposition algorithms. For the second paradigm, there are one opportunistic-spectrum BS and one dedicated-spectrum BS. We study a price competition between two BSs as a Stackelberg game. The cooperative behavior between two BSs is modeled as a bargaining game. In both paradigms, bargain revenues of the cooperation are always higher than those due to competition in both cases. Extensive numerical analysis is used to validate our derivation.

Group-Based Discretionary Access Control in Health Related Repositories

The authors introduce a group-based discretionary access control with decentralized permission and group management for scientific repositories. Currently, access control approaches for repositories have inflexible centralized administrations, which do not scale well to large numbers of users. Moreover, discretionary access control is a legal standard for health-related resources. The proposed access control model, which is formalized using Barker's Unifying Meta-model, differentiates permissions for data and meta-data, enabling the sharing of meta-data while protecting sensitive data. The authors describe how the model was implemented, and what challenges were tackled, in the Epidemic Marketplace, an open software information platform for epidemic studies, designed to foster cooperative behavior and data sharing.

Privacy Preserving Policy-Based Content Sharing in Public Clouds

An important problem in public clouds is how to selectively share documents based on fine-grained attribute-based access control policies (acps). An approach is to encrypt documents satisfying different policies with different keys using a public key cryptosystem such as attribute-based encryption, and/or proxy re-encryption. However, such an approach has some weaknesses: it cannot efficiently handle adding/revoking users or identity attributes, and policy changes; it requires to keep multiple encrypted copies of the same documents; it incurs high computational costs. A direct application of a symmetric key cryptosystem, where users are grouped based on the policies they satisfy and unique keys are assigned to each group, also has similar weaknesses. We observe that, without utilizing public key cryptography and by allowing users to dynamically derive the symmetric keys at the time of decryption, one can address the above weaknesses. Based on this idea, we formalize a new key management scheme, called broadcast group key management (BGKM), and then give a secure construction of a BGKM scheme called ACV-BGKM. The idea is to give some secrets to users based on the identity attributes they have and later allow them to derive actual symmetric keys based on their secrets and some public information. A key advantage of the BGKM scheme is that adding users/revoking users or updating acps can be performed efficiently by updating only some public information. Using our BGKM construct, we propose an efficient approach for fine-grained encryption-based access control for documents stored in an untrusted cloud file storage.

A Performance Evaluation of Logging in XML Databases Using an Xlog File for Trust Based Access Control

Logging is an important process in databases and is used for recovery and security purposes. Logging in XML databases has rarely been discussed in the literature. In this paper the Xlog file is presented as a dynamic and temporary log file for XML databases. It is used, not for recovery, but to calculate user trust values by recording users’ bad transactions and errors. The novelty in this approach is that Xlog relates logging and dynamic access control for XML databases. It is part of a trust based access control approach to XML databases. It supports dynamic access control by tracking user history and is part of a novel approach to solving security issues for XML databases. Experimental work has been performed to test the creation and retrieval processes of Xlog files from a performance perspective and is described here.

Towards Security Assurance in Round-Trip Engineering: A Type-Based Approach

Security assurance is a property that ensures that the application code behaves consistently with the access control policy specified at the design level. Security assurance proofs are valid as long as software engineers do not modify the generated code. This assumption does not hold in Round-Trip Engineering, since programmers may modify the generated code and the models are automatically re-generated. This paper proposes a round-trip engineering approach for access control that preserves security assurance both when generating code from models and vice versa. The approach is to extend programming languagesʼ typing mechanisms with additional rules that ensure consistency between models and code, even when code is arbitrarily modified by programmers. This paper presents a formal description of the solution and an initial sketch of the required proofs of correctness. Ongoing work is the development of a prototype to automate most of the process and its validation in a case study.

A semantic approach for fine-grain access control of e-health documents

Fine-grain access control is now possible to enforce thanks to the adoption of available standard de facto and access control models; they allow to protect data and resources as long as they are properly structured. Furthermore, in many critical domains of the e-government (as the e-health, for example) the introduction of access control mechanisms is needed to respect laws in force on security and privacy. The main problem to face in such contexts is related to the coexistence of both structured and unstructured data; this, indeed, represents a huge limitation for documents management in public and private contexts. In particular, the adoption of unstructured documents, even if stored on digital media, make fine-grain access control mechanisms useless. In this article, we have exploited the adoption of different techniques aiming at analysing texts and automatically extracting relevant information to structure and manage them. We propose a semantic-based framework for data transformation that is able to locate and identify critical sections of medical records to be protected and then enable a protection system to enforce proper security policies.

Design and Implementation of Authorization Management System Based on RBAC

Authorization Management is one of the key components in Management Information Systems (MIS) for the security consideration. The adopting of Role-Based Access Control (RBAC) approach makes Authorization Management more efficiency and security. In this paper, we present a way to manage user’s privilege by constructing user’s function menu in the tree pattern based on RBAC in web-oriented system. The architecture of the Authorization Management System, the design of the database, the constructing of dynamic resource tree and the verification of user’s privilege are mainly introduced. The development of the system is under MyEclipse IDE and using MVC pattern.

Utility-Aware Refunding Framework for Hybrid Access Femtocell Network

Femtocell technology addresses the problem of poor indoor coverage, benefiting both wireless service provider (WSP) and end users. With the introduction of femtocell, the cross-tier interference between macro link and femto link becomes a major factor which greatly impacts the network performance. Different access control approaches, by generating different interference patterns, also severely affect the overall throughput of the network and need to be carefully investigated. Among all the access control mechanisms, hybrid access is the most promising one, which allows roaming unregistered users (referred to as macro users) to access the nearby femto base station (BS) while reserving certain resource for registered home users (referred to as femto users), improving overall network capacity. However, to successfully leverage hybrid access is challenging because the femto holders (FHs) are selfish, unwilling to share their femto facilities and spectrum resource with macro users without any incentive mechanism. In this paper, we propose a novel utility-aware refunding framework to motivate hybrid access in femtocell. Within the framework, both WSP and FHs are assumed to be selfish, and target at maximizing their own utilities. WSP provides certain refunding to motivate FHs to open their resource for macro users. FHs decide the resource allocation among femto and macro users according to the amount of refunding WSP offers. Under this framework, the optimal strategies of both WSP and FHs are analyzed by formulating the problem as a Stackelberg Game. A unique Nash Equilibrium is achieved and a hybrid access protocol is designed according to the analysis. Extensive simulations have been conducted and the results show that the utilities of both WSP and FHs are significantly improved exploiting the hybrid access mechanism.

A programmable calculation procedure for number of traffic conflict points at highway intersections

SUMMARYTraffic movement conflict points at intersections are the points at which traffic movements intersect (including crossing, merging, and diverging). Numbers and distribution of different types of conflict points are used to evaluate intersection access management designs and safety performance. Traditionally, the determination of the numbers of conflict points for different traffic movements is based on manual methods, which causes the difficulty for computerized procedures to evaluate safety performance of different access management designs. Sometimes, a programmable calculation procedure may provide more effective solutions as compared with manual methods. This paper presents a programmable calculation procedure for the determination of the numbers of conflict points, which could be used as a basis for a computerized procedure. Concepts of virtual movement lanes and intersection quadrants are introduced to specify types of intersections, traffic lane configurations, and traffic movement regulations. Calculation models, based on such concepts, for traffic movement conflict points at signalized and unsignalized intersections can be obtained. In support of the procedure, case studies are presented in the paper. The procedure presented in the paper can be programmed into a computer program for the purpose of a computerized evaluation of intersection safety and design performance of different access management or control approaches. Copyright © 2012 John Wiley & Sons, Ltd.