User Access Control Research Articles

Hierarchical and Multi-Group Data Sharing for Cloud-Assisted Industrial Internet of Things

With the development of Industrial Internet of Things (IIoT) and 5G, massive data are easily collected and transmitted in cloud. Therefore, it is critical to guarantee the security of data sharing. In IIoT applications, the users of a group are in hierarchical structure and they intend to access data by external groups, which requires fine-grained access control, data authenticity and data retrieval. However, existing approaches rarely provide such solutions to satisfy these requirements simultaneously. In this paper, we propose an efficient hierarchical and multi-group data sharing framework (HMGDSF) in cloud-assisted IIoT. Apart from fine-grained data access control for hierarchical users with key leakage resilience, HMGDSF achieves user anonymity with traceability and keyword-based data retrieval. Moreover, the approach supports data authenticity and integrity verification for multi-group data sharing by integrating group signature mechanism. We provide proof for the security of framework and demonstrate its efficiency and practicability by extensive evaluations.

Smartphone-Key: Hands-Free Two-Factor Authentication for Voice-Controlled Devices Using Wi-Fi Location

In the last few years, Internet of Things (IoT) devices have evolved at an accelerated rate. Smart technology is leaning towards new human-device interaction interfaces that lack screens or buttons, thus reducing the cost of the devices while offering a more natural user experience. Voice is one of the most extended IoT user interfaces nowadays and has been popularized with the advent of smart assistants. However, with the adoption of voice interfaces, new challenges arise in terms of security. According to our research, the complexity of speaker recognition has led to non-reliable voice authentication on IoT devices. Recent approaches to solve this problem include multi-factor authentication (MFA) schemes, but existing solutions, such as one-time passwords (OTP), virtual/physical buttons, and others, have a significant impact on the user experience that is not suitable for all applications and can negate the hands-free benefits of voice interfaces. In addition, the privacy concerns of voice biometrics hinder the development of personalized voice applications that require user accounting and access control policies. Motivated by this security concern, in this paper, we present a two-factor authentication (2-FA) scheme for voice-activated devices that uses a smartphone as a key to authorize voice commands when the user’s presence is detected. The proposed security model, which makes use of Wi-Fi location for presence detection, was implemented on an Amazon Echo device and an Android smartphone, the results proved that the denominated Smartphone-key model can protect against the most common attack vectors on voice-controlled devices without affecting the user experience.

Web-Based Application Based on Human-in-the-Loop Deep Learning for Deidentifying Free-Text Data in Electronic Medical Records: Development and Usability Study.

The narrative free-text data in electronic medical records (EMRs) contain valuable clinical information for analysis and research to inform better patient care. However, the release of free text for secondary use is hindered by concerns surrounding personally identifiable information (PII), as protecting individuals' privacy is paramount. Therefore, it is necessary to deidentify free text to remove PII. Manual deidentification is a time-consuming and labor-intensive process. Numerous automated deidentification approaches and systems have been attempted to overcome this challenge over the past decade. We sought to develop an accurate, web-based system deidentifying free text (DEFT), which can be readily and easily adopted in real-world settings for deidentification of free text in EMRs. The system has several key features including a simple and task-focused web user interface, customized PII types, use of a state-of-the-art deep learning model for tagging PII from free text, preannotation by an interactive learning loop, rapid manual annotation with autosave, support for project management and team collaboration, user access control, and central data storage. DEFT comprises frontend and backend modules and communicates with central data storage through a filesystem path access. The frontend web user interface provides end users with a user-friendly workspace for managing and annotating free text. The backend module processes the requests from the frontend and performs relevant persistence operations. DEFT manages the deidentification workflow as a project, which can contain one or more data sets. Customized PII types and user access control can also be configured. The deep learning model is based on a Bidirectional Long Short-Term Memory-Conditional Random Field (BiLSTM-CRF) with RoBERTa as the word embedding layer. The interactive learning loop is further integrated into DEFT to speed up the deidentification process and increase its performance over time. DEFT has many advantages over existing deidentification systems in terms of its support for project management, user access control, data management, and an interactive learning process. Experimental results from DEFT on the 2014 i2b2 data set obtained the highest performance compared to 5 benchmark models in terms of microaverage strict entity-level recall and F1-scores of 0.9563 and 0.9627, respectively. In a real-world use case of deidentifying clinical notes, extracted from 1 referral hospital in Sydney, New South Wales, Australia, DEFT achieved a high microaverage strict entity-level F1-score of 0.9507 on a corpus of 600 annotated clinical notes. Moreover, the manual annotation process with preannotation demonstrated a 43% increase in work efficiency compared to the process without preannotation. DEFT is designed for health domain researchers and data custodians to easily deidentify free text in EMRs. DEFT supports an interactive learning loop and end users with minimal technical knowledge can perform the deidentification work with only a shallow learning curve.

Evaluating The Application of Library Information System Technology using the PIECES Method in Remote Areas

Over five years, the implementation of the library information system at IKIP Muhammadiyah Maumere faced a challenge, frequent errors during data input that hindered users from fully utilizing the system. These issues not only affected users’ interest but also highlighted the significance of the human factor in shaping the quality of an information system. To make full use of the system, it was crucial to identify and address the problems associated with it. This research delved into the experiences of 242 library information system users, including lecturers, students, and librarians, by using the PIECES method. The goal was to analyze users’ satisfaction and uncover any underlying issues within the system. The results of the PIECES analysis revealed average satisfaction scores, showcasing users' contentment with the system's performance (3.77), information (3.79), economy (3.80), control (3.77), efficiency (3.77), and service (3.89). These findings suggest that the library information system has been meeting users' expectations. However, a significant problem emerged in the performance variable, particularly in the system stability. Additionally, issues related to data compatibility, duplication in storage, and users’ authority management, access control, and system errors were observed in the information and control variables. Based on these identified challenges, recommendations for system improvement were made by targeting low satisfaction levels. Proposed solutions involve enhancing data management, storage practices, user access control, and reducing the risk of system errors, ensuring more efficient and reliable library information system

A Dynamic and Fine-Grained User Trust Evaluation Model for Micro-Segmentation Cloud Computing Environment

<p>With the diversity and complexity of user access behaviors in the “micro-segmentation” cloud computing environment, it is no longer possible to control unauthorized access of authorized users by only relying on user identity login authentication to control user access to cloud resources. The existing trust evaluation methods can not cope with the characteristics of “micro-isolated” cloud environment, which is characterized by high granularity of resources, increasing number of users’ access requests and rapid changes. Based on the zero-trust principle of “Never trust, al-ways verify”, we propose a dynamic, fine-grained user trust evaluation model for micro-segmentation cloud computing environment, which combines multiple user trust attributes and leverages the subjective-objective approach to assign weights to trust attribute indicators to achieve dynamic scoring of users’ real-time behaviors. To capture the characteristics of users’ intrinsic behaviors, we use correlation analysis to identify the correlation between users’ current and historical behaviors, and combine sliding windows and penalty functions to optimize the model. The massive simulation experiments demonstrate the effectiveness of the proposed dynamic and fine-grained method, which can effectively combine the intrinsic correlation of users’ own access behavior and the difference of access behavior among different users.</p> <p> </p>

User authentication and access control to blockchain-based forensic log data

For dispute resolution in daily life, tamper-proof data storage and retrieval of log data are important with the incorporation of trustworthy access control for the related users and devices, while giving access to confidential data to the relevant users and maintaining data persistency are two major challenges in information security. This research uses blockchain data structure to maintain data persistency. On the other hand, we propose protocols for the authentication of users (persons and devices) to edge server and edge server to main server. Our proposed framework also provides access to forensic users according to their relevant roles and privilege attributes. For the access control of forensic users, a hybrid attribute and role-based access control (ARBAC) module added with the framework. The proposed framework is composed of an immutable blockchain-based data storage with endpoint authentication and attribute role-based user access control system. We simulate authentication protocols of the framework in AVISPA. Our result analysis shows that several security issues can efficiently be dealt with by the proposed framework.

Preference-Aware User Access Control Policy in Internet of Things.

There are multiple types of services in the Internet of Things, and existing access control methods do not consider situations wherein the same types of services have multiple access options. In order to ensure the QoS quality of user access and realize the reasonable utilization of Internet of Things network resources, it is necessary to consider the characteristics of different services to design applicable access control strategies. In this paper, a preference-aware user access control strategy in slices is proposed, which can increase the number of users in the system while balancing slice resource utilization. First, we establish the user QoS model and slice QoS index range according to the delay, rate and reliability requirements, and we select users with multiple access options. Secondly, a user preference matrix is established according to the user QoS requirements and the slice QoS index range. Finally, a preference matrix of the slice is built according to the optimization objective, and access control decisions are made for users through the resource utilization state of the slice and the preference matrix. The verification results show that the proposed strategy not only balances slice resource utilization but also increases the number of users who can access the system.

Dynamic Interaction and Visualization Design of Database Information Based on Artificial Intelligence

With the explosive growth of data, people's demand for data analysis has become more intense. Although modern technology can collect a large amount of data, the collected original data is often useless and contains little information. How to extract useful information from massive amounts of data has become an urgent problem. Driven by artificial intelligence (AI) technology and personalized consumption demand of users, this article puts forward a dynamic interactive and visualization algorithm of e-business database information based on an improved collaborative filtering (CF) algorithm to help enterprises more efficiently mine the required potential customer groups from massive customer data and log data. Experiment results prove the effectiveness of the model and algorithm. Data mining (DM) technology is applied to the user access control model in this model. First, the maximum forward reference sequence of mobile e-business groups is mined by data technology. Then a user access control model is established according to this sequence to control user access so enterprises can formulate reasonable marketing strategies based on this knowledge.

Inner product encryption from Middle-Product Learning With Errors

Inner product encryption (IPE) is an important research area of functional cryptosystems. It can improve user access control and fine-grained query, and has a wide range of applications in emerging fields such as cloud computing. Lattice-based inner product encryption has the advantages of resistance to quantum algorithm attacks and relatively simple encryption algorithms, and thus has good application prospects. Currently, the provable security of lattice-based public key encryption schemes is mostly based on the learning with errors (LWE) and polynomial learning with errors (PLWE) problems. However, most of the encryption schemes based on LWE problems suffer from the problem of oversized public keys and ciphers. Although encryption schemes based on the PLWE problem further reduce the size, their hardness is limited by polynomials and the security guarantees are weakened. Compared with the LWE and PLWE problems, the Middle-Product Learning With Errors (MP-LWE) problem relaxes the polynomial restriction and makes full use of the polynomial features to achieve a better balance between security and efficiency. Inspired by this, we have proposed the inner product encryption scheme of Sel-IND-CPA-secure in SocialSec 2022. In this paper, to extend the existing work and improve the functionality of IPE, we construct single-input and multi-input inner product encryption schemes of Ad-IND-CPA-secure, and also evaluate the efficiency of the schemes.

CADF-CSE: Chaotic map-based authenticated data access/sharing framework for IoT-enabled cloud storage environment

Data is an essential asset of an organization or individual in this information age. Secure and resource-efficient data communication has become paramount in the IoT-enabled cloud storage environment. The users must communicate with the cloud storage servers to access, store, and share the data utilizing the public communication channel, which is exposed to various security threats. Moreover, various security frameworks have been presented to render secure data access, storage, and sharing functionalities for the cloud storage environment. Most of them are complicated and incapacitated of resisting various security attacks. Thus, it is imperative to design a secure and resource-efficient data access, storage, and sharing framework for the cloud storage environment. This paper presents a chaotic map-based authenticated data access/sharing framework for the IoT-enabled cloud storage environment (CADF-CSE). CADF-CSE is designed using the chaotic map, authenticated encryption scheme (AEGIS), and one-way hash function (Esch256). The proposed CADF-CSE comprises three significant phases user access control, data storage, and data sharing. The user access control phase enables the user and cloud server to attain mutual authentication followed by the secret session key establishment. Using the established SK during the access control phase user and cloud server exchange information securely across the public Internet. The data storage phase facilitates the data owner to store the data on a cloud server in encrypted form, where encryption is performed with a secret key derived from the user’s biometric. The data-sharing phase enables users to access the data from the cloud server after acquiring mutual permission from the cloud server and the data owner. In addition, an explication of the CADF-CSE through formal and informal analysis shows its resilience to various security attacks. Finally, the performance comparison explicates that CADF-CSE renders better security features while requiring lower computational and communication costs than the related security frameworks.

A Multi-User Collaborative Access Control Scheme Based on New Hash Chain

As the threats to the Internet of Things (IoT) continue to increase, access control is widely used in various IoT information systems. However, due to the shortcomings of IoT devices such as low computing power, it is impossible to use high-performance methods to control user access. Although the emergence of the blockchain provides another way of thinking for access control, the implementation based on the blockchain requires the device to complete the proof of work (PoW) and requires the device to have high computing power. At the same time, most access control schemes existing today are intended for users to use alone, which cannot be applied to the field of multi-user coordinated access. Therefore, this paper proposes a multi-user collaborative access control scheme based on a new hash chain, which uses the identity information of multiple users as the seed value to construct the hash chain, and uses the hash chain as the PoW of the blockchain. An efficiency analysis showed that this method requires only a small amount of hash value calculation and can be applied to IoT systems with low computing power. The security analysis shows that the scheme can resist a variety of attack methods and has high security.

Rhythmic RFID Authentication

Passive RFID technology is widely used in user authentication and access control. We propose RF-Rhythm, a secure and usable two-factor RFID authentication system with strong resilience to lost/stolen/cloned RFID cards. In RF-Rhythm, each legitimate user performs a sequence of taps on his/her RFID card according to a self-chosen secret melody. Such rhythmic taps can induce phase changes in the backscattered signals, which the RFID reader can detect to recover the user’s tapping rhythm. In addition to verifying the RFID card’s identification information as usual, the backend server compares the extracted tapping rhythm with what it acquires in the user enrollment phase. The user passes authentication checks if and only if both verifications succeed. We also propose a novel phase-hopping protocol in which the RFID reader emits Continuous Wave (CW) with random phases for extracting the user’s secret tapping rhythm. Our protocol can prevent a capable adversary from extracting and then replaying a legitimate tapping rhythm from sniffed RFID signals. Comprehensive user experiments confirm the high security and usability of RF-Rhythm with false-positive and false-negative rates close to zero.

Trust-Based Secure Multi-Cloud Collaboration Framework in Cloud-Fog-Assisted IoT

Cloud-Fog-Assisted Internet-of-Things (IoT) is a convincing paradigm to provide users with on-demand and low-latency services through Fog nodes in the edge of multiple clouds (Multi-Cloud). Multi-Cloud is a scalable multi-domain service-oriented net-centric system and can respond to complicated user requirements leveraging Multi-Cloud Service Composition (MCSC). However, in MCSC, user security can be easily compromised by untrusted and curious cloud service providers that may collect and violate the privacy and other essential assets of cloud users. Although many trust-based MCSC solutions have been proposed to seek a trustworthy composite service with highest trust level, most of them are vulnerable to malicious users intending to break through the clouds and inflict serious data leakage or asset damage. Considering these security concerns on both malicious users and untrusted service providers, in this paper, we present a trust-based secure multi-cloud collaboration framework for Cloud-Fog-Assisted IoT systems. Specifically, to guarantee the security of users, we develop a role-based trust evaluation method to enhance the trustworthiness of MCSC. To preserve the security of services, we design an efficient user authentication scheme and a secure collaboration scheme to provide collaborative user authentication and access control mechanism for MCSC. We evaluate its performane with extensive experiments

A Light Weight Temper Resistance Client File in an External Memory for Remote User Authentication and Access Control

This research proposes a lightweight tamper resistant client file in an external memory as an alternative to smart card for remote user authentication and access control. The benefit of using this special client file is portability and ease of acquirement, especially in school online portals, online resources portals, and e-commerce portals. The characteristics and design considerations that make smart card tamper resistant are reviewed. Techniques and characteristics to make a client file in an external memory to exhibit a lightweight tamper resistant property has been formulated. The Kumari et al.'s scheme, which is the latest research that uses external memory for remote user authentication, has been reviewed. The basic system design and software design of the proposed client file is presented and modeled. This will enable implementation of the proposed system using any prepared programming or scripting language of one's choice. The proposed scheme and reviewed scheme are also evaluated for efficiency, tamper resistance, and impersonation attack.

PUF-based user access control scheme for IoT environment

A very important part of any software or hardware associated with the Internet of Things (IoT) is the User Access Control. User Access Control deals with the important security features like authenticating a legitimate user, authorizing a user, etc. A very effective and secure way to ensure the user access control is: three factor user access control. Some three factor user authentication schemes have been developed in the past, brief details regarding them can be found in further sections of the paper. In this paper, we propose a new three factor user access control scheme. Our proposed scheme is based on Mandal et. al.’s user access control scheme published recently. Our scheme involves the use of lightweight cryptographic primitives like Physically Unclonable Function (PUF), one way cryptographic hash function and bitwise exclusive OR (XOR) operations. PUFs make the scheme very lightweight and efficient as compared to other schemes of similar nature. The three factors used in our scheme are: registered device of the user, personal biometrics of the user and password of the user. We present the informal security analysis to show that our scheme is safe from several known attacks.

Proof of Transaction (PoTx) Based Traceability System for an Agriculture Supply Chain

Tracing the origin of the product in the agriculture supply chain offers food safety, identifying the root cause of the food hazard if any, information connectivity between the participating stakeholders and to achieve customer trust. Blockchain is a distributed ledger technology whose transactions can be recorded in a decentralised and immutable ledger. Several applications were developed in the last few years for blockchain based - traceability systems. Most of the work concentrated on information retrieval and system scalability. Still, promising research has not been seen for a blockchain traceability system with user identification methods. This work presents a blockchain system with user identification and access control mechanisms to fill the gap for each supply chain participant. In addition, the system also proposes a novel Proof of Transaction (PoTx) consensus algorithm designed to achieve scalability with reduced communication overhead and computation power. A novel PoTx algorithm is developed by choosing a random validator from a consensus group based on the transaction count to enforce the fault-tolerance of the system. The proposed system with user identification method allows to prevent and identify product adulteration while tracing the agriculture product.

Secondary User Access Control (SUAC) via Quadratic Programming in Massive MIMO Cognitive Radio Networks

Secondary User Access Control (SUAC) via Quadratic Programming in Massive MIMO Cognitive Radio Networks

Hospital indoor air quality and its relationships with building design, building operation, and occupant-related factors: A mini-review.

Indoor air quality (IAQ) has recently gained substantial traction as the airborne transmission of infectious respiratory disease becomes an increasing public health concern. Hospital indoor environments are complex ecosystems and strategies to improve hospital IAQ require greater appreciation of its potentially modifiable determinants, evidence of which are currently limited. This mini-review updates and integrates findings of previous literature to outline the current scientific evidence on the relationship between hospital IAQ and building design, building operation, and occupant-related factors. Emerging evidence has linked aspects of building design (dimensional, ventilation, and building envelope designs, construction and finishing materials, furnishing), building operation (ventilation operation and maintenance, hygiene maintenance, access control for hospital users), and occupants' characteristics (occupant activities, medical activities, adaptive behavior) to hospital IAQ. Despite the growing pool of IAQ literature, some important areas within hospitals (outpatient departments) and several key IAQ elements (dimensional aspects, room configurations, building materials, ventilation practices, adaptive behavior) remain understudied. Ventilation for hospitals continues to be challenging, as elevated levels of carbon monoxide, bioaerosols, and chemical compounds persist in indoor air despite having mechanical ventilation systems in place. To curb this public health issue, policy makers should champion implementing hospital IAQ surveillance system for all areas of the hospital building, applying interdisciplinary knowledge during the hospital design, construction and operation phase, and training of hospital staff with regards to operation, maintenance, and building control manipulation. Multipronged strategies targeting these important determinants are believed to be a viable strategy for the future control and improvement of hospital IAQ.

RF Fingerprint-Identification-Based Reliable Resource Allocation in an Internet of Battle Things

With the advances of Internet of Things (IoT) technology, the Internet of Battlefield Things (IoBT) has revolutionized the military battlefield. Unlike civilian IoT applications, a few adversarial attackers may sneak into an IoBT and destroy the network infrastructure by generating cyberattacks, e.g., Distributed Denial-of-Service (DDoS) attacks, making the Quality of Service (QoS) of network dramatically decrease. To improve the performance of a network, we propose two schemes of enhancing network QoS: one is user access control with the aid of RF fingerprinting because of small-scaled available signal samples, while the other is the optimization of network performance. Specifically, we address the optimization of network utility with the methods of power allocation and channel allocation. Mathematically, we propose a mixed-integer nonlinear (MIN) problem, which optimizes the allocation of wireless resources. Also, the original optimization problem is decomposed into a power allocation subproblem and a channel allocation subproblem, and both these subproblems are nondeterministic polynomial (NP) hard problems. We propose a few approximate algorithms, which can iteratively converge to the optimum of the original problem in polynomial time. The simulation results show that our proposed algorithms can improve network utility and various network QoS than the other algorithms in an IoBT environment.

Access Control and Deployment Design for Multi-UAV Assisted Wireless Networks

In this letter, we investigate the ground user (GU) access control and unmanned aerial vehicle base station (UAV-BS) deployment design in a multiple UAV-BSs assisted wireless network. The objective of each GU is to maximize its own throughput, and the objective of each UAV-BS is to maximize the minimum throughput of GUs served by it. Firstly, we optimize the GU access control by game theory. The access control game is proved to be an exact potential game, and we use the best response algorithm to solve the Nash equilibrium (NE). Then, we optimize the UAV-BS deployment design through convex optimization theory. The simulation results demonstrate that the proposed approach outperforms other five baselines.