Aya Mohamed,Dagmar Auer,Daniel Hofer,Josef Küng

2023-06-22

Abstract:The increasing use of graph-structured data for business- and privacy-critical applications requires sophisticated, flexible and fine-grained authorization and access control. Currently, role-based access control is supported in graph databases, where access to objects is restricted via roles. This does not take special properties of graphs into account such as vertices and edges along the path between a given subject and resource. In previous iterations of our research, we started to design an authorization policy language and access control model, which considers the specification of graph paths and enforces them in the multi-model database ArangoDB. Since this approach is promising to consider graph characteristics in data protection, we improve the language in this work to provide flexible path definitions and specifying edges as protected resources. Furthermore, we introduce a method for a datastore-independent policy enforcement. Besides discussing the latest work in our XACML4G model, which is an extension to the Extensible Access Control Markup Language (XACML), we demonstrate our prototypical implementation with a real case and give an outlook on performance.

Cryptography and Security

Yuan Tian,Biao Song,Eui-Nam Huh

DOI: https://doi.org/10.1109/icmss.2009.5301210

2009-01-01

Abstract:Privacy and data protection have become a critical issue in recent years. Not surprisingly, many technologies have been proposed to support privacy data management. The widely used access control model, role based access control (RBAC), significantly simplifies the specification and management of data. In this paper we proposed a privacy-aware system to improve the performance in RBAC, which properly expresses the relationship between data elements. As some vulnerabilities may be raised after certain sensitive data are disclosed, our privacy data graph successfully solved this problem by reducing disclosure of data minimizing overhead. We extend our previous work by refining the definition of roles, thus results in low storage overhead. A full detailed view of the role-based privacy management with experimental results is provided.

Thang Bui,Scott D. Stoller

DOI: https://doi.org/10.48550/arXiv.2008.08444

2020-11-24

Abstract:Attribute-Based Access Control (ABAC) and Relationship-based access control (ReBAC) provide a high level of expressiveness and flexibility that promote security and information sharing, by allowing policies to be expressed in terms of attributes of and chains of relationships between entities. Algorithms for learning ABAC and ReBAC policies from legacy access control information have the potential to significantly reduce the cost of migration to ABAC or ReBAC. This paper presents the first algorithms for mining ABAC and ReBAC policies from access control lists (ACLs) and incomplete information about entities, where the values of some attributes of some entities are unknown. We show that the core of this problem can be viewed as learning a concise three-valued logic formula from a set of labeled feature vectors containing unknowns, and we give the first algorithm (to the best of our knowledge) for that problem.

Cryptography and Security,Artificial Intelligence

Zhongyuan Xu,Scott D. Stoller

DOI: https://doi.org/10.48550/arXiv.1306.2401

2014-08-08

Abstract:Attribute-based access control (ABAC) provides a high level of flexibility that promotes security and information sharing. ABAC policy mining algorithms have potential to significantly reduce the cost of migration to ABAC, by partially automating the development of an ABAC policy from an access control list (ACL) policy or role-based access control (RBAC) policy with accompanying attribute data. This paper presents an ABAC policy mining algorithm. To the best of our knowledge, it is the first ABAC policy mining algorithm. Our algorithm iterates over tuples in the given user-permission relation, uses selected tuples as seeds for constructing candidate rules, and attempts to generalize each candidate rule to cover additional tuples in the user-permission relation by replacing conjuncts in attribute expressions with constraints. Our algorithm attempts to improve the policy by merging and simplifying candidate rules, and then it selects the highest-quality candidate rules for inclusion in the generated policy.

Cryptography and Security

Aya Mohamed,Dagmar Auer,Daniel Hofer,Josef Kueng

2024-05-31

Abstract:Access control is the enforcement of the authorization policy, which defines subjects, resources, and access rights. Graph-structured data requires advanced, flexible, and fine-grained access control due to its complex structure as sequences of alternating vertices and edges. Several research works focus on protecting property graph-structured data, enforcing fine-grained access control, and proving the feasibility and applicability of their concept. However, they differ conceptually and technically. We select works from our systematic literature review on authorization and access control for different database models in addition to recent ones. Based on defined criteria, we exclude research works with different objectives, such as no protection of graph-structured data, graph models other than the property graph, coarse-grained access control approaches, or no application in a graph datastore (i.e., no proof-of-concept implementation). The latest version of the remaining works are discussed in detail in terms of their access control approach as well as authorization policy definition and enforcement. Finally, we analyze the strengths and limitations of the selected works and provide a comparison with respect to different aspects, including the base access control model, open/closed policy, negative permission support, and datastore-independent enforcement.

Cryptography and Security

Yang Xu,Quanrun Zeng,Guojun Wang,Cheng Zhang,Ju Ren,Yaoxue Zhang

DOI: https://doi.org/10.1002/cpe.5556

2020-01-01

Abstract:Owing to the rapid progress of network researching, attribute-based access control (ABAC) has attracted more and more attention due to its appreciable expressiveness, flexibility, and scalability. Unfortunately, collecting user attributes is necessary to complete the standard ABAC decision process, which increases the risk of privacy disclosure. This problem increases public doubts about ABAC and hinders its popularization. In this paper, a privacy-protected and efficient attribute-based access control (EPABAC) scheme is proposed to prevent the privacy leakage of access subject in the decision-making process of ABAC by introducing a novel hash-based binary search tree. The analyses and experimental evaluations show that the EPABAC achieves user privacy protection in the decision-making process with acceptable additional computing overhead.

shaomin zhang,hongbian yang,baoyi wang

DOI: https://doi.org/10.1007/978-3-642-27287-5_94

2012-01-01

Abstract:For the problems of attribute elements maintenance difficulty and heterogeneous attribute of multi-domain in ABAC model, we propose the method of using ontology to maintain access control elements and distributed attribute management, which describe the logical relationships among attributes with OWL and introduce attribute mapping technology in access control decision-making. It can reduce the complexity of attribute management and raise the security of the cross-domain access. It makes up the defects in original ABAC model, and has a good reference to research the cross-domain access control.

Leila Karimi,Mai Abdelhakim,James Joshi

DOI: https://doi.org/10.48550/arXiv.2105.08587

IF: 5.414

2021-05-18

Machine Learning

Abstract:With rapid advances in computing systems, there is an increasing demand for more effective and efficient access control (AC) approaches. Recently, Attribute Based Access Control (ABAC) approaches have been shown to be promising in fulfilling the AC needs of such emerging complex computing environments. An ABAC model grants access to a requester based on attributes of entities in a system and an authorization policy; however, its generality and flexibility come with a higher cost. Further, increasing complexities of organizational systems and the need for federated accesses to their resources make the task of AC enforcement and management much more challenging. In this paper, we propose an adaptive ABAC policy learning approach to automate the authorization management task. We model ABAC policy learning as a reinforcement learning problem. In particular, we propose a contextual bandit system, in which an authorization engine adapts an ABAC model through a feedback control loop; it relies on interacting with users/administrators of the system to receive their feedback that assists the model in making authorization decisions. We propose four methods for initializing the learning model and a planning approach based on attribute value hierarchy to accelerate the learning process. We focus on developing an adaptive ABAC policy learning model for a home IoT environment as a running example. We evaluate our proposed approach over real and synthetic data. We consider both complete and sparse datasets in our evaluations. Our experimental results show that the proposed approach achieves performance that is comparable to ones based on supervised learning in many scenarios and even outperforms them in several situations.

Yang Xu,Wuqiang Gao,Quanrun Zeng,Guojun Wang,Ju Ren,Yaoxue Zhang

DOI: https://doi.org/10.1155/2018/6476315

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Attribute-based access control (ABAC) is a maturing authorization technique with outstanding expressiveness and scalability, which shows its overwhelmingly competitive advantage, especially in complicated dynamic environments. Unfortunately, the absence of a flexible exceptional approval mechanism in ABAC impairs the resource usability and business time efficiency in current practice, which could limit its growth. In this paper, we propose a feasible fuzzy-extended ABAC (FBAC) technique to improve the flexibility in urgent exceptional authorizations and thereby improving the resource usability and business timeliness. We use the fuzzy assessment mechanism to evaluate the policy-matching degrees of the requests that do not comply with policies, so that the system can make special approval decisions accordingly to achieve unattended exceptional authorizations. We also designed an auxiliary credit mechanism accompanied by periodic credit adjustment auditing to regulate expediential authorizations for mitigating risks. Theoretical analyses and experimental evaluations show that the FBAC approach enhances resource immediacy and usability with controllable risk.

Yang Xu,Wuqiang Gao,Quanrun Zeng,Guojun Wang,Ju Ren,Yaoxue Zhang

DOI: https://doi.org/10.1007/978-3-319-72389-1_27

2017-01-01

Abstract:Attribute-Based Access Control (ABAC) is a promising approach for addressing intricate management requirements in dynamic and distributed environments. Nevertheless, because of lacking flexible access exception handling mechanism, rigid rules in ABAC influence the resource availability and ultimately the working efficiency. In this paper, we propose a novel fuzzy ABAC model (FABAC) that extends the ABAC with better usability. We introduce the fuzzy mechanism into decision-making process. Based on the membership grades of requests to rules and the spare credits of respective subjects, our framework permits additional requests failing in rule matching, thus enhancing the information flows in business processes. Furthermore, we develop the credit system with history-based recovery mechanism, wherein the subject’s credits and corresponding recovery rate are impacted by the past authorizations on substandard requests, for maintaining the risk of abuse under control. The analysis reveals that our model contributes to attaining better tradeoff between security and usability.

Siyuan Shang,Xiaohan Wang,Aodi Liu

DOI: https://doi.org/10.1016/j.cose.2024.103717

IF: 5.105

2024-01-25

Computers & Security

Abstract:With the rapid development of information technology, the traditional access control model has faced challenges in meeting the demands of practical applications. As a result, the ABAC model has emerged as a more flexible and adaptable solution, gaining popularity among enterprises. However, constructing an ABAC policy set for heterogeneous access control systems (DAC, MAC, RBAC and other non-ABAC systems) has proven to be complex and time-consuming. In this paper, we propose an ABAC policy mining method based on a clustering algorithm , aiming to extract ABAC policies from access control logs and facilitate the heterogeneous policy migration. Regardless of the access control model used by the original system, its security intent can be reflected by the access control logs. Our method segments and encodes log information using a decision tree, generating a matrix representation that characterizes the logs. Hierarchical clustering is then employed to group similar logs into clusters and extract attribute relationships, thus constructing the ABAC policy set. Additionally, policy optimization techniques such as policy pruning, refinement, and analysis are applied to enhance the policy set. Experimental results demonstrate the effectiveness of our method, achieving 5.7 % F−score improvement and 41.4 % WSC decrease compared to the comparison method. Moreover, when applied to noisy and sparse logs, our method achieves 12.5 % F−score improvement while reducing the WSC by 29.4 %.

computer science, information systems

袁平鹏,陈刚,董金祥

DOI: https://doi.org/10.3321/j.issn:1003-9775.2004.04.006

2004-01-01

Abstract:An access control paradigm composed of basic model and role model is proposed for collaborative applications. Basic model specifies the relationship among privileges and the way of ranking privileges. It relates privilege with operations on the objects, so the model appears more straightforward. Moreover, if Brokers' implementation permits, the model can support any grained access control. Role model re-defines the role concept of RBAC96, divides the permissions of role into public permissions, protect permissions and private permissions. It allows user to define roles more flexibly, prevents private permissions of roles from being inherited and reduces the definition of ancillary roles.

Yang Xu,Quanrun Zeng,Guojun Wang,Cheng Zhang,Ju Ren,Yaoxue Zhang

DOI: https://doi.org/10.1007/978-3-030-05345-1_31

2018-01-01

Abstract:The emerging attribute-based access control (ABAC) mechanism is an expressive, flexible, and manageable authorization technique that is particularly suitable for current distributed, inconstant and complex service-oriented scenarios. Unfortunately, the inevitable disclosure of attributes that carry sensitive information bring significant risks to users' privacy, which obstructs the further development and popularization of the ABAC severely. In this paper, we propose an effective privacy-preserving ABAC (P-ABAC) scheme to defend against privacy leakage risks of users' attributes. In the P-ABAC approach, the necessary sensitive attributes are securely handled on the service requester side by using the homomorphic encryption method for privacy protection. And meanwhile, the service provider is still able to make accurate access decisions according to the received attribute ciphertext and pre-set policies with the help of the homomorphic encryption-based secure multi-party computation techniques, while learning no privacy information. The theoretical analysis proves that our model contributes to making an efficient and effective ABAC model with the enhanced privacy-protection feature.

Ran Yang,Chuang Lin,Fujun Feng

DOI: https://doi.org/10.4304/jcp.4.6.510-518

2009-01-01

Journal of Computers

Abstract:Access control is one of the most important technologies to guarantee computer security. A new model with support for valid time and usage constraint is described based on full analysis of flaws in existing models. In the new model, authorization rules can express access control policies completely and access constraints are necessary conditions to prevent authorization abuse. To solve the problems in implementation of the model, a sound scheme for administration of authorizations is proposed and some access decision algorithms are developed.

Yvo Desmedt,Arash Shaghaghi

DOI: https://doi.org/10.48550/arXiv.1609.04514

2016-09-15

Abstract:Security researchers have stated that the core concept behind current implementations of access control predates the Internet. These assertions are made to pinpoint that there is a foundational gap in this field, and one should consider revisiting the concepts from the ground up. Moreover, Insider threats, which are an increasing threat vector against organizations are also associated with the failure of access control. Access control models derived from access control matrix encompass three sets of entities, Subjects, Objects and Operations. Typically, objects are considered to be files and operations are regarded as Read, Write, and Execute. This implies an `open sesame' approach when granting access to data, i.e. once access is granted, there is no restriction on command executions. Inspired by Functional Encryption, we propose applying access authorizations at a much finer granularity, but instead of an ad-hoc or computationally hard cryptographic approach, we postulate a foundational transformation to access control. From an abstract viewpoint, we suggest storing access authorizations as a three-dimensional tensor, which we call Access Control Tensor (ACT). In Function-based Access Control (FBAC), applications do not give blind folded execution right and can only invoke commands that have been authorized for data segments. In other words, one might be authorized to use a certain command on one object, while being forbidden to use exactly the same command on another object. The theoretical foundations of FBAC are presented along with Policy, Enforcement and Implementation (PEI) requirements of it. A critical analysis of the advantages of deploying FBAC, how it will result in developing a new generation of applications, and compatibility with existing models and systems is also included. Finally, a proof of concept implementation of FBAC is presented.

Cryptography and Security

Tamara Ranković,Miloš Simić,Milan Stojkov,Goran Sladić

DOI: https://doi.org/10.1007/978-3-031-50755-7_41

2024-10-27

Abstract:Proliferation of systems that generate enormous amounts of data and operate in real time has led researchers to rethink the current organization of the cloud. Many proposed solutions consist of a number of small data centers in the vicinity of data sources. That creates a highly complex environment, where strict access control is essential. Recommended access control models frequently belong to the Attribute-Based Access Control (ABAC) family. Flexibility and dynamic nature of these models come at the cost of high policy management complexity. In this paper, we explore whether the administrative overhead can be lowered with resource hierarchies. We propose an ABAC model that incorporates user and object hierarchies. We develop a policy engine that supports the model and present a distributed cloud use case. Findings in this paper suggest that resource hierarchies simplify the administration of ABAC models, which is a necessary step towards their further inclusion in real-world systems.

Cryptography and Security

Kuangyi ZENG,Jinxiang ZHANG,Jiahai YANG

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.11.050

2006-01-01

Abstract:A new model for policy refinement is presented at the application background of CERNET.Using the properties of access control list(ACL) in this model,the policies described in different specification languages are mapped into access control lists,which are distributed to different network devices to enforce.Thus,the complex transformation logic in traditional policy refinement fashion is simplified,especially,security and access control configuration management can be automated

Yufan Tao,Fanping Zeng

DOI: https://doi.org/10.1109/bigcom61073.2023.00017

2023-01-01

Abstract:In modern society, smart home has become a part of people’s daily life. The smart home will generate a large amount of data to be shared inside and outside the home which is sensitive and private. Therefore, access control plays a critical role in the many issues that need to be addressed in the smart home. However, there is still a lack of an access control scheme suitable for the smart home to ensure the security of users’ data. Attribute-based access control(ABAC) is a flexible authorization model. It controls whether there is permission to operate objects through the attributes of entities, operation types, and related environments, but it cannot resist malicious attacks within the environment. Therefore, in this paper, we propose a trust-based ABAC model, which is extended on the basis of the ABAC model and applies the trust model to the smart home ABAC model to achieve fine-grained and effective access control. Our model can not only use the trust model to monitor the behavior deviation of devices in smart homes, and establish trust relationships between devices, but also control the permissions of each device. Finally, we test the trust model on the ns-3 platform and simulate the access control model on the small real Internet of Things(IoT). The results show that the trust model has good accuracy, convergence, and anti-attack, and the ABAC model has good applicability in smart home scenarios.

Amani Abu Jabal,Elisa Bertino,Jorge Lobo,Dinesh Verma,Seraphin Calo,Alessandra Russo

DOI: https://doi.org/10.48550/arXiv.2010.09767

2020-11-03

Abstract:Technology advances in areas such as sensors, IoT, and robotics, enable new collaborative applications (e.g., autonomous devices). A primary requirement for such collaborations is to have a secure system which enables information sharing and information flow protection. Policy-based management system is a key mechanism for secure selective sharing of protected resources. However, policies in each party of such a collaborative environment cannot be static as they have to adapt to different contexts and situations. One advantage of collaborative applications is that each party in the collaboration can take advantage of knowledge of the other parties for learning or enhancing its own policies. We refer to this learning mechanism as policy transfer. The design of a policy transfer framework has challenges, including policy conflicts and privacy issues. Policy conflicts typically arise because of differences in the obligations of the parties, whereas privacy issues result because of data sharing constraints for sensitive data. Hence, the policy transfer framework should be able to tackle such challenges by considering minimal sharing of data and support policy adaptation to address conflict. In the paper we propose a framework that aims at addressing such challenges. We introduce a formal definition of the policy transfer problem for attribute-based policies. We then introduce the transfer methodology that consists of three sequential steps. Finally we report experimental results.

Cryptography and Security

Ugur Turan,Ismail Hakki Toroslu

DOI: https://doi.org/10.48550/arXiv.1402.5742

2014-07-17

Abstract:Traditional database access control mechanisms use role based methods, with generally row based and attribute based constraints for granularity, and privacy is achieved mainly by using views. However if only a set of views according to policy are made accessible to users, then this set should be checked against the policy for the whole probable query history. The aim of this work is to define a proactive decomposition algorithm according to the attribute based policy rules and build a secure logical schema in which relations are decomposed into several ones in order to inhibit joins or inferences that may violate predefined privacy constraints. The attributes whose association should not be inferred, are defined as having security dependency among them and they form a new kind of context dependent attribute based policy rule named as security dependent set. The decomposition algorithm works on a logical schema with given security dependent sets and aims to prohibit the inference of the association among the elements of these sets. It is also proven that the decomposition technique generates a secure logical schema that is in compliance with the given security dependent set constraints.

Databases,Cryptography and Security