Articles published on Attribute-based access control
491 Search results
- New
- Research Article
- 10.1016/j.adhoc.2025.104087
- Mar 1, 2026
- Ad Hoc Networks
- Ferhat Mecerhed + 4 more
Robust attribute-based access control protocol over data-centric IoT–NDN networking
- New
- Research Article
- 10.1038/s41598-025-34703-y
- Feb 15, 2026
- Scientific reports
- Song Li + 4 more
The secure and efficient sharing of geographic spatial data is crucial for applications in urban planning, disaster management, and environmental monitoring. However, conventional access control systems face scalability, security, and transparency problems in a distributed environment. This paper proposes a new framework that marries attribute-based access control with blockchain technology and smart contracts for fine-grained, decentralized, and tamper-proof data sharing. This paper introduces a new framework which combines Attribute-Based Access Control (ABAC), blockchain technology, smart contracts, and an upgraded Black-winged Kite (UBK) algorithm. Access regulations and audit logs are stored on a private blockchain using a Proof-of-Authority consensus mechanism for immutability and transparency. Experimental results show that the proposed method reduces evaluation policy time by 70% and storage overhead by 52% compared to the traditional attribute-based access control, while achieving 98.2% accuracy in access decisions. The performance test shows evaluation time and storage increase linearly, thus proving appropriate large-scale deployment. The combination of blockchain and smart contracts guarantees security-auditable and automated enforcement of access policies without needing a central authority.
- New
- Research Article
- 10.1038/s41598-026-39415-5
- Feb 15, 2026
- Scientific reports
- Rabia Latif + 4 more
The rapid digitisation of healthcare services presents challenges in guaranteeing safe, scalable, and privacy-preserving access to sensitive medical information. This article presents BBAS, a blockchain-based authentication system for e-Health. BBAS incorporates a multi-factor authentication (MFA) framework that includes password hashing, one-time passwords (OTP), and biometric verification, with a hybrid access control model that combines role-based access control (RBAC) and attribute-based access control (ABAC). To guarantee enduring security, BBAS utilises post-quantum digital signatures (CRYSTALS-Dilithium) and exploits the InterPlanetary file system (IPFS) for off-chain data storage, assuring tamper-resistance and scalability. We implemented the system using Solidity smart contracts on a permissioned Ethereum network and assessed it via 500 authentication iterations. Results show BBAS outperforms benchmark models across all critical metrics: authentication success rate (ASR: 98.6%), latency (0.05s), throughput (19,000 req/s), gas cost (35,000 gas/req), block confirmation time (10s), and storage overhead (0.03 KB/record). Biometric error rates – false acceptance rate (FAR: 0.5%), false rejection rate (FRR: 1.2%), and equal error rate (EER: 0.85%) – are markedly decreased, therefore improving both security and usability. This research validates BBAS as a reliable, scalable, and quantum-resistant authentication framework for contemporary e-Health systems.
- New
- Research Article
- 10.1007/s10207-026-01227-z
- Feb 13, 2026
- International Journal of Information Security
- Clara Bertolissi + 2 more
In multi-user cooperative systems such as social networks, personal data is often jointly created and shared among multiple users. The sensitivity of such data depends on the preferences and relationships of all parties involved, making access control decisions inherently complex and dynamic. This complexity is further exacerbated because such data often forms compound objects, such as photos with multiple tagged users or comments, where access to one object can affect access to related objects. Traditional access control models lack the expressiveness needed to capture joint ownership, evolving social relationships, and time-dependent constraints, which can lead to privacy violations and unintended disclosures. In this work, we propose a fine-grained access control model for multi-user cooperative systems and apply it to social networks. Our model extends attribute-based access control with provenance information to enforce additional constraints and explicitly models compound objects to reflect the interrelated nature of social data. A key contribution is the introduction of temporal constraints in access decision-making, enabling dynamic authorizations based on time-sensitive conditions. We implemented a prototype of the proposed model and conducted an experimental evaluation to assess its feasibility. Our results show that incorporating temporal constraints has minimal impact on performance, demonstrating the practicality of our approach in existing social network environments.
- New
- Research Article
- 10.1186/s42400-025-00457-3
- Feb 11, 2026
- Cybersecurity
- Shawal Khan + 3 more
Graph-structured data are integral to applications like social networks, biological systems, cybersecurity, and fraud detection. Outsourcing these data to public clouds offers scalability but raises privacy concerns, as encryption is required before outsourcing, making traditional graph similarity search and access control challenging. This paper presents a novel solution for privacy-preserving full graph similarity search with fine-grained access control in cloud environments. To the best of our knowledge, this is the first work to integrate privacy-preserving graph similarity search in a multi-user/multi-query setting with attribute-based access control (ABAC). This enables scalable and secure access in realistic, collaborative environments. The graph owner leverages the neural Graph2vec model to create feature indexes for encrypted graph data. Simultaneously, a secure transfer learning mechanism enables graph users to generate query feature indexes in the same latent space, ensuring privacy while accurately capturing the user’s query intent. ABAC is employed to enforce flexible, fine-grained access policies. We conduct a formal security analysis under known-ciphertext and known-background threat models, demonstrating strong privacy guarantees. Experimental evaluations on real-world datasets show that our scheme achieves high semantic accuracy, lower search latency, and reduced storage overhead, outperforming existing approaches.
- Research Article
- 10.3390/systems14020171
- Feb 4, 2026
- Systems
- Özgür Karaduman + 1 more
Ensuring the reliable, auditable, and privacy-oriented distribution of donations in disaster logistics constitutes a critical challenge due to multi-stakeholder coordination difficulties and the risk of misuse. This study presents a modular architecture, named SecureRelief, operating on a permissioned Hyperledger Fabric platform. The architecture integrates authentication based on Self-Sovereign Identity (SSI), Decentralized Identifiers (DID), and WebAuthn, together with Attribute-Based Access Control (ABAC), and enables the verification of delivery evidence through privacy-preserving validation using zero-knowledge proofs (ZKP). Documents are stored off-chain on the InterPlanetary File System (IPFS), while only cryptographic summary (hash) values sufficient for integrity verification are maintained on-chain. In scenario-based laboratory experiments, the blockchain layer demonstrated low latency (p95 < 16 ms) and stable transaction throughput, confirming its scalability. While the API layer handled high burst request loads with a 0% error rate, the additional computational overhead introduced by the integrated privacy-preserving (ZKP) mechanisms kept the end-to-end transaction latency within acceptable limits for disaster management applications (3.5–4.5 s).
- Research Article
- 10.62970/ijirct.v12.i1.2601021
- Jan 28, 2026
- International Journal of Innovative Research and Creative Technology
- Naresh Kalimuthu
The rapid expansion of the Internet of Things (IoT) has necessitated a shift to distributed Edge environments, rendering traditional perimeter security obsolete and exposing scalability bottlenecks in centralized Zero-Trust Architecture (ZTA). This paper proposes a novel, decentralized ZTA framework that integrates Directed Acyclic Graph (DAG) distributed ledgers with Attribute-Based Access Control (ABAC) to eliminate single points of failure. By leveraging asynchronous DAG protocols (e.g., IOTA Tangle, Obyte) instead of linear blockchains and using lightweight Elliptic Curve Cryptography (ECC) for resource-constrained devices, the system enables fee-less, parallel transaction processing. Quantitative analysis demonstrates the framework's superior performance, achieving over 1,000 transactions per second (TPS), sub-second finality, and 15ms encryption times on commodity hardware, thereby establishing a robust, partition-tolerant security model for the future Internet of Everything.
- Research Article
- 10.22399/ijcesen.4805
- Jan 24, 2026
- International Journal of Computational and Experimental Science and Engineering
- Projjal Ghosh
Large-scale machine learning systems spread over distributed infrastructures are confronted with crucial issues of managing sensitive data and, at the same time, abiding by regulatory requirements. In general, training pipelines do not have the means by which they can monitor the way in which protected data is introduced to model development; thus, there are quite significant privacy risks in decentralized environments. Also, the lack of complete visibility hinders the organizations' capability to trace data sources, grasp the movement of information between the systems, and check the conformity to the compliance requirements. In many cases, sensitive data is not properly safeguarded and is even allowed to be exploited beyond authorized purposes, both during training and inference stages. Automated classification systems detect sensitivity indicators within datasets and apply metadata tags specifying permissible uses at the precise moment information feeds into training operations. Gating mechanisms function as policy enforcement points that validate access requests against predefined rules, ensuring models access only data appropriate for declared purposes. Attribute-based access control looks at a variety of factors that include attributes of the subject, classes of the resources as well as certain conditions of the environment, and, based on all these factors, it dynamically makes the decision about the authorization. Machine learning anomaly detection is a kind of vigilant system that constantly watches the access patterns and, through behavioral analysis, it can pinpoint the variations from already established compliance standards. Distributed logging that is supported by blockchain keeps very detailed and at the same time very secure audit trails that enable, in the future, the checking of data usage throughout the lifecycle of the models.
- Research Article
- 10.51244/ijrsi.2025.1213cs0022
- Jan 16, 2026
- International Journal of Research and Scientific Innovation
- Asheshemi Nelson Oghenekevwe + 1 more
Cloud-based healthcare systems have transformed the management and sharing of electronic health records (EHRs), telemedicine data, and collaborative medical research by offering scalability, cost efficiency, and real-time accessibility. However, this transformation exposes patient data to risks such as breaches, insider threats, and unauthorized disclosures. Traditional access control mechanisms like Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Identity-Based Encryption (IBE) prove insufficient in dynamic, multi-stakeholder healthcare environments. This research proposes a hybrid framework integrating Attribute-Based Encryption (ABE) for fine-grained, policy-driven confidentiality and Secure Multi-Party Computation (SMC) for privacy-preserving collaborative analytics. The framework ensures that sensitive health data remains protected while enabling secure computations across distributed institutions. ABE enforces patient- and context-centric access policies, while SMC enables multi-institutional analytics without exposing raw records. The proposed system is evaluated through security analysis and performance benchmarks, highlighting trade-offs between encryption costs, ciphertext expansion, computation overheads, and communication latency. The results demonstrate that ABE + SMC integration can achieve confidentiality, collusion resistance, and regulatory compliance (HIPAA/GDPR), while supporting practical applications such as multi-hospital predictive analytics, genomics, and clinical trials. Despite challenges in key management, revocation, and computational scalability, this hybrid model represents a paradigm shift toward secure, collaborative, and patient-centric healthcare ecosystems.
- Research Article
- 10.52783/jisem.v11i1s.14136
- Jan 5, 2026
- Journal of Information Systems Engineering and Management
- Damodhar Reddy Ramesh Reddy Mutayalwad
Cloud-based customer relationship management platforms accumulate vast quantities of heterogeneous data assets across multiple interaction channels. Traditional analytics frameworks struggle to synthesize dispersed knowledge fragments into actionable customer insights. Retrieval-augmented generation architectures offer promising solutions for grounding language model outputs in external knowledge repositories. The article presents a comprehensive framework for deploying enterprise-grade RAG systems within cloud CRM environments. The architectural foundation establishes semantic representation through transformer-based embedding models utilizing siamese network structures. Hierarchical navigable small world graphs enable efficient approximate nearest neighbor search across distributed vector indices. The retrieval pipeline combines sparse lexical matching with dense semantic search to maximize recall across diverse query formulations. Cross-encoder reranking refines relevance ordering through fine-grained attention-based scoring mechanisms. The generation component receives retrieved context through structured prompting templates with validation mechanisms detecting hallucinated content. Attribute-based access control policies enforce data governance throughout the retrieval-generation pipeline. Blockchain-based audit frameworks provide tamper-evident logging for regulatory compliance demonstration. The agency security framework contains enterprise-unique compliance responsibilities throughout international CRM deployments serving multilingual patron bases.
- Research Article
- 10.1504/ijics.2026.10075568
- Jan 1, 2026
- International Journal of Information and Computer Security
- Olusesi Balogun + 3 more
MTD-integrated ABAC: integrating moving target defence into attribute-based access control for insider threat mitigation
- Research Article
- 10.48175/ijarsct-30609
- Dec 27, 2025
- International Journal of Advanced Research in Science Communication and Technology
- Dr Kavita K Patil, Ananya Sp + 1 more
Businesses lacking technical teams face significant hurdles in cloud migration, particularly with security. Static permission models often lead to resource misuse. Attribute-Based Access Control (ABAC) offers a more granular, dynamic solution. This paper presents a literature review of current cloud security models, focusing on ABAC, automated policy provisioning, and cloud auditing. The review synthesizes findings from recent papers on AWS IAM, S3 bucket security, and infrastructure automation. The key finding is a significant gap in the literature: a lack of integrated frameworks that translate high-level, client-centric business requirements into automated, dynamic security policies in cloud environments. This survey highlights the need for a practical methodology, such as one using AWS IAM Identity Center attributes, to bridge this gap.
- Research Article
- 10.52783/jisem.v10i63s.14113
- Dec 13, 2025
- Journal of Information Systems Engineering and Management
- Nagaraju Velur
Enterprise security is evolving rapidly, driven by the shift from traditional perimeter-based defenses to distributed, cloud-native environments. Classical castle-and-moat strategies are insufficient for modern architectures spanning microservices, containers, serverless functions, and multi-cloud deployments. Zero Trust Architecture eliminates implicit trust, enforcing continuous verification at every access point. Identity and Access Management must adopt Attribute-Based Access Control (ABAC) for dynamic, context-aware authorization, while machine learning enhances threat detection across complex systems. Continuous monitoring via Cloud Security Posture Management (CSPM) automates discovery, assessment, and remediation, ensuring resilient and adaptive security. Together, these approaches transform security from a reactive function into a strategic enabler for business agility, governance, and operational efficiency.
- Research Article
- 10.3390/sym17122059
- Dec 2, 2025
- Symmetry
- Yihuan Mao + 5 more
Attribute-Based Access Control (ABAC) has become the most suitable access control method for cloud environments due to its flexibility and fine-grained advantages. However, it suffers from issues such as insufficient dynamic adaptability and a lack of risk perception capabilities. The Zero Trust Architecture (ZTA) provides a new approach to addressing these problems through continuous trust evaluation, but its high dependence on the Policy Decision Point (PDP) component in the control plane introduces new security risks. To this end, this paper proposes a Zero-Trust Access Control Model based on Attributes and dynamic user Trust scores (AT-ZTAC). The model incorporates a trust evaluation module, which quantifies the user’s trustworthiness in real time through positive trust values and negative risk values, and dynamically integrates this quantification into access decisions to achieve fine-grained, dynamic, and secure authorization. In addition, to address the single-point trust risk of the PDP component, the model adopts a BLS-based threshold signature scheme to ensure the normal operation of the control plane even under limited intrusions, while supporting decision traceability. Theoretical analysis shows that this model significantly improves the overall security of the control plane. Experiments demonstrate that AT-ZTAC outperforms comparative models in terms of trust evaluation effectiveness, access decision throughput (reaching 1850 req/s, a 54% increase compared to traditional ABAC), and access control accuracy (reaching 96.8%). Compared with traditional solutions, it has advantages in flexibility, accuracy, and efficiency, demonstrating its potential for applications in cloud environments.
- Research Article
- 10.52167/1609-1817-2025-141-6-177-184
- Nov 29, 2025
- Вестник КазАТК
- Yersaiyn Mailybayev + 4 more
The rapid expansion of Internet of Things (IoT) devices poses significant challenges for traditional centralized identity and access management (IdM) systems, which suffer from scalability limitations, single points of failure, and notable privacy risks. Although blockchain technology presents a promising decentralized solution, its direct adoption is often constrained by limited transaction throughput, high operational costs, and the computational constraints of IoT devices. To address these issues, this study proposes and rigorously evaluates HybID-AC, a novel hybrid architecture for decentralized identity and access management, specifically designed for large-scale, heterogeneous IoT ecosystems. HybID-AC employs a dual-layer design that separates global trust anchoring from local execution. A highly scalable, feeless Directed Acyclic Graph (DAG)-based distributed ledger functions as a public anchor layer, registering W3C-standard Decentralized Identifiers (DIDs) and access policy hashes. High-frequency access control operations are handled off-chain at the edge layer, leveraging the DIDComm v2 peer-to-peer protocol, Attribute-Based Access Control (ABAC) for fine-grained policy enforcement, and Zero-Knowledge Proofs (ZKP) to preserve attribute privacy. Analytical results demonstrate that the HybID-AC architecture significantly improves latency and cost-efficiency compared to fully on-chain approaches, maintaining stable performance even as network scale increases. Additionally, a novel probabilistic model is introduced to provide a quantitative measure of the integral security risk of ABAC policies under potential attribute compromise. Overall, the study concludes that this hybrid architecture effectively addresses the inherent trade-offs of blockchain in IoT systems, delivering a secure, scalable, and interoperable framework that empowers devices with self-sovereign identity while ensuring privacy and security by design.
- Research Article
- 10.3390/app152312571
- Nov 27, 2025
- Applied Sciences
- Héctor Díaz-Rodríguez + 1 more
Recent computing technologies and modern information systems require an access control model that provides flexibility, granularity, and dynamism. The Attribute-Based Access Control (ABAC) model was developed to address the new challenges of emerging applications. Designing and implementing an ABAC policy manually is usually a complex and costly task; therefore, many organizations prefer to keep their access control mechanisms in operation rather than incur the costs associated with the migration process. A solution to the above is to automate the process of creating access control policies. This action is known as policy mining. In this paper, we present a novel approach, based on complex network analysis, for mining an ABAC policy from an access control log. The proposed approach is based on the data and the relationships that can be generated from them. The proposed methodology is divided into five phases: (1) data preprocessing, (2) network model, (3) community detection, (4) policy rule extraction, and (5) policy refinement. The results show that it is possible to obtain an ABAC policy using the approach based on complex networks. In addition, our proposed methodology outperforms existing ABAC mining algorithms regarding quality. Finally, we present a novel access decision process that reduces the number of rules to evaluate based on a rule network.
- Research Article
- 10.64509/jicn.12.44
- Nov 27, 2025
- Journal of Intelligent Computing and Networking
- Wen Zhang + 4 more
Current data sharing mechanisms face limitations in fine-grained access control, encryption overhead, terminal resource consumption, and result verifiability. These issues make them unsuitable for the low-latency and high-security demands of drone swarm collaboration in cloud-edge-end architectures. To address these challenges, this paper proposes a secure and low-latency data sharing method based on blockchain and outsourced attribute-based encryption. First, in the edge layer, a blockchain network is responsible for enforcing access control, where policy-matching smart contracts enforce fine-grained attribute-based access control. Second, encryption and decryption tasks are outsourced to the edge and cloud, effectively reducing the computational burden on terminal devices. Third, a consistency verification smart contract is introduced to validate outsourced results, ensuring data confidentiality and integrity. Experimental results show that the proposed method significantly lowers system latency and terminal overhead while maintaining strong security, making it suitable for edge-collaborative applications with strict real-time requirements.
- Research Article
- 10.1016/j.sysarc.2025.103528
- Nov 1, 2025
- Journal of Systems Architecture
- Salma Salimi + 3 more
A customizable conflict resolution and attribute-based access control framework for multi-robot systems
- Research Article
- 10.1016/j.comnet.2025.111694
- Nov 1, 2025
- Computer Networks
- Kaiqing Huang
Traceable and revocable large universe multi-authority attribute-based access control with resisting key abuse
- Research Article
- 10.1080/23307706.2025.2556342
- Oct 28, 2025
- Journal of Control and Decision
- Kavita Shelke + 2 more
Supply Chain Management (SCM) plays a vital role in delivering environmental, social and financial benefits. Internet of Things (IoT) devices generate transaction data and send it to the Base Station (BS), which then relays it to Blockchain peers for secure and transparent processing. At the physical layer, transaction messages originate from the supply chain, followed by optimal block creation and selection. Smart contracts are created to govern interactions among supply chain entities. When a node initiates a transaction, these contracts ensure compliance with protocol rules. A consensus mechanism then validates the block, followed by secure data sharing and retrieval. Here, the Key generation and management are conducted through the proposed Deep Maxout Convolutional Forward Harmonic Network (DMCFHNet). The analytic measures used for DMCFHNet_KeyGen, namely, deploying cost, transaction cost, storage cost, memory, accuracy, latency and throughput, acquired 0.394, 0.465, 0.610, 194.142 MB, 94.268%, 0.499 sec and 0.750 Mbps, respectively. Abbreviations: SCM: Supply chain management; IoT: Internet of Things; BS: Base Station; AI: Artificial intelligence; DMCFHNet: Deep Maxout Convolutional Forward Harmonic Network; DMN: Deep Maxout Network; CNN: Convolutional Neural Network; SDSM: Secure data sharing scheme; MA-ABE: Multiauthority Attribute-based access control scheme; ABC-ROA: Adaptive Border Collie Rain Optimisation Algorithm; PCGSO: Perceptive Craving Game Search Optimisation; IHT: Information Hiding Techniques; OTH: Over-the-Horizon; FC: Fully Connected; AES: Advanced Encryption Standard; DKN: Deep Kronecker Network; PSCM: Pharmaceutical Supply Chain Management