Xiyuan Chen,Di Wu.,Jian Lin,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICCIAS.2006.295308

2006-01-01

Abstract:To satisfy the requirements of secure interoperation among distributed systems, a security violation detection method for RBAC based interoperation is proposed We carry out the discussion in the scope of Core RBAC and Hierarchy RBAC. To better illustrate the method for RBAC based interoperation, a formal definition of secure interoperation in RBAC systems has been introduced. Security violation of interoperation with role mappings in the distributed systems is analyzed. Based on these discussions, a minimum security violation detection method for RBAC based interoperation according to the feature of RBAC system and the inherent characteristic of interoperation in distributed environment is introduced. The minimum detection method provides good performance reducing complexity by decreasing amount of roles involved in detection.

WU Di,ZHU Miao-liang,CHEN Xi-yuan,LIN Jian

DOI: https://doi.org/10.3785/j.issn.1008-973x.2007.09.025

2007-01-01

Abstract:A security violation detection method was proposed to meet the requirements of secure interoperation among distributed systems.Role mapping mechanism was introduced among the role-based access control(RBAC) systems to implement access control across systems.The security violation of interoperation with role mappings was analyzed and the formalized definitions of secure interoperation were done.Then a minimum detection method according to the feature of distributed environment was introduced particularly.This method reduced the computation complexity by decreasing the amount of roles involved in the detection.The security violation character was further analyzed based on the minimum detection method to help administrators eliminate security violation.

Xiyuan Chen,Miaoliang Zhu

DOI: https://doi.org/10.1109/mobhoc.2009.5336922

2009-01-01

Abstract:Collaboration enables domains to share resources effectively; however it introduces several security and privacy challenges. To guarantee the secure interoperation in complex distributed environment, a RBAC based secure interoperation model was proposed. Based on the inherent characteristic of the RBAC system, a directed acyclic graph based detection method of security violation was investigated. We also classified the conflicts according to the feature of each four parts of NITS RBAC model: conflicts resulting from unrelated roles, conflicts that arise from related roles and conflicts due to separation of duty. The targeted detection method for different types of conflicts was illustrated systematically. Therefore corresponding detection method can be applied to different types of conflicts according to the actual application environment. Furthermore, we analyzed the algorithmic complexity of the method and demonstrated the application of the directed acyclic graph based detection method with case studies in realistic scenarios.

Di Wu,Xiyuan Chen,Jian Lin,Miaoliang Zhu

DOI: https://doi.org/10.1007/11836025_19

2006-01-01

Abstract:Today, the formulation, specification, and verification of adequate data protection policies in open distributed environment appear as the main challenge to address concerning authorization Role-based access control models have attracted considerable research interest in recent years due to their innate ability to model organizational structure and their potential to reduce administrative overheads This paper proposes ontology specification to describe Role-based Access Control model and extend it with a general context expression Based on these definitions, the specification for interoperation in distributed environment is introduced The works include a definition of ontology to describe the concepts and a declaration of rules to explicit the relationship between concepts The ontology based approach can express security policy with semantic information and provide a machine interpretation for descriptions of policy in open distributed environment.

Chao Huang,Jianling Sun,Xinyu Wang,Di Wu

DOI: https://doi.org/10.1587/transinf.e93.d.1070

2010-01-01

IEICE Transactions on Information and Systems

Abstract:In this paper, we propose an inconsistency resolution method based on a new concept, insecure backtracking role,napping. By analyzing the role graph, we prove that the root cause of security inconsistency in distributed interoperation is the existence of insecure backtracking role mapping. We propose a novel and efficient algorithm to detect the inconsistency via finding all of the insecure backtracking role mappings. Our detection algorithm will not only report the existence of inconsistency, but also generate the inconsistency information for the resolution. We reduce the inconsistency resolution problem to the known Minimum-Cut problem, and based on the results generated by our detection algorithm we propose an inconsistency resolution algorithm which could guarantee the security of distributed interoperation. We demonstrate the effectiveness of our approach through simulated tests and a case study.

HL Hu,D Chen,CQ Huang

DOI: https://doi.org/10.1109/icsmc.2004.1401072

2004-01-01

Abstract:The idea of role has been widely applied to solving the authority, responsibility, function and interaction, which are associated with member station in organizations. Access control is a key security issue in distributed collaboration systems. After analyzing corresponding security requirements and the present status of security in distributed collaboration system, this paper presents an extensive role-based access control (ERBAC) architecture based on differentiated domain management. In this architecture, security management is classified into inter-domain one and infra-domain one, whilst, it can integrate new security policies. Based on definition of role permission type, the paper introduces a function of permission type change to make ERBAC architecture flexible. In addition, the authors discuss the methods by which the security can be implemented in an agent-based framework. The practices signify that this system can be flexibly applied various existing policy languages and protocols.

黄益民,杨子江,平玲娣,潘雪增

DOI: https://doi.org/10.3785/j.issn.1008-973x.2004.04.005

2004-01-01

Abstract:The traditional role-based access control (RBAC) model was extended in this work aimed at studying practical ways to implement access control, enforce security administration, and acquire available information from real world to construct an access control model and establish security policies. A three-layered architecture for role-based security administration was proposed. And a practical way was presented to implement role-based access control and role-based security administration ,so that cross-platform role-based access control is implemented automatically and systematically in the security administration system.

Zhiwen Zou,Changqian Chen,Shiguang Ju,Jiming Chen

DOI: https://doi.org/10.1007/978-3-642-12189-0_26

2010-01-01

Abstract:The Spatial Role-Based Access Control (SRBAC) model was discussed in this paper. Firstly, the formal definition of SRBAC Model was given; then the region coverage constraint of spatial object, duration constraint of spatial object, various spatial object separations of duty constraints and spatial object cardinality constraint of role activation were researched; after extending the traditional session, the strategy of eliminating the conflictive session was presented; Finally, the role hierarchy has been discussed under the spatial environment. Combined with practical application, the theory of secure DBMS was optimized and afforded to build the stricter system.

Wu Di,Jian Lin,Yabo Dong,Miaoliang Zhu

DOI: https://doi.org/10.1109/PDCAT.2005.247

2005-01-01

Abstract:Role-based access control (RBAC) models have generated a great interest in the security community as a powerful and generalized approach to security management. One of important aspects in RBAC is constraints that constrain what components in RBAC are allowed to do. There are lots of research have been achieved to specify constraints for secure system developers. However more work is need urgently to met requirements for interoperability of machine and people understandable constraints specification in open and distributed environment. In this paper we propose another approach to specify constraints using Semantic Web technologies. The Web Ontology Language (OWL) specification of basic RBAC components and constraints are described in detail.

Xiyuan Chen,Miaoliang Zhu

DOI: https://doi.org/10.4028/www.scientific.net/kem.439-440.178

2010-01-01

Abstract:Semantic; Trust Management; RBAC; User-role Assignment Abstract. The application of RBAC in access management of the enterprise services and resources is very widely. With phenomenal growth of information interaction and cooperation between distributed systems, the number of users can be in the hundreds of thousands or millions. This renders manual user-to-role assignment a formidable task. In this paper, we propose a semantic and trust based framework to automatically assign users to roles based on a finite set of assignment rules defined by authorized people in the enterprise. These rules take into consideration the attributes users own and any constraints set forth by the enterprise including the assignment history and the credit of the requester. We choose OWL to specify the user attributes.

JIANG Jie,ZHANG Jie,CHEN De-ren

DOI: https://doi.org/10.3785/j.issn.1008-973x.2009.09.011

2009-01-01

Abstract:An extended context-aware role based access control(RBAC) based on reasoning(RC-RBAC) model was proposed by integrating the single context-aware RBAC and reasoning-based RBAC in order to solve the problems of the Absence of the adjustment and generation of the context-aware condition dynamically and the incapacity of updating the user authorization according to the adjusted constrain conditions in the existing RBAC.The extended model used the rule reasoning to adjust and generate the context constrains dynamically and start the common sensors and the self-defined sensors to collect the attribute values of the conditions.The access permission to the sensitive data was updated in real time based on the context-aware logic reasoning using the user rules and permission rules.The application results show that the extended RC-RBAC model can be employed in the distributed environment to satisfy the need of the dynamic authorization and reduce the real-time access control management complexity.

Chao Huang,Jianling Sun,Xinyu Wang,Yuanjie Si

DOI: https://doi.org/10.1109/ICNDS.2009.94

2009-01-01

Abstract:Access control is always essential for safe and security access to the system resource. Role based access control (RBAC) model is widely used in large enterprise software systems. The quality of the RBAC policy design especially role definition has great impact on the system security policy implementation. In this paper we propose a novel role engineering methods with security KAOS (SKAOS), which guide the engineering process via keeping decomposing the functional requirement objective and combining the system security requirement. SKAOS not only simplifies the system userpsilas involvement in the role engineering process via supplying with the objective decomposition but also reduces the complexity of the operation analysis. After building the objective decomposition and activity analysis diagrams, the role definition can be delivered. We illustrate the effectiveness of our method via analyzing a real world requirement problem.

Chao Huang,Jianling Sun,Xinyu Wang,Yuanjie Si

DOI: https://doi.org/10.1109/ISBIM.2008.132

2009-01-01

Abstract:In large enterprise software systems, users often need to delegate their authority to others. Permission base delegation model (PBDM) based on RBAC96 currently is the most attractive model to fulfill the delegation requirement since it supports partly delegation and multiple steps delegation. However in PBDM there is no explicit specification of the separation of duty (SOD) constraint, which is one of the most important constraints and is essential to the security of the system. In this paper, we analyze the SOD constraint in PBDM delegation model and give the formal definition for the constraint. We prove that the constraint violation will not happen at the stage of the delegation role definition whereas it can only happen at the stage of role assignment. We then propose a protective mechanism to prevent the illegal role delegation utilizing the prerequisite conditions which are a set of Boolean expressions. We also give the algorithm to check the prerequisite conditions to help the security administrator guarantee the safe role delegation.

Wang Baoyi,Zhang Shaomin,Zhilei Zhang

DOI: https://doi.org/10.1109/ICIT.2008.4608609

2008-01-01

Abstract:Role-based Access Control (RBAC) policy separates user and privilege logically by importing the concept of role, which can simplify the management of privilege in electric power enterprise. As the development and sustaining change of electric power system, unattended substations become the new developing direction. Unattended substation automation system will realize centralized management and remote control, so the use of RBAC access control method will aggravate the burden of the access control server. What is more, it adds the complexity of management. RBAC could not meet the needs of the system. This paper designs Distributed RBAC access control model, according to the substation automation system structure stated in IEC61850. Users obtain their roles in centralized server, and obtain their privilege dispersedly. The efficiency is improved. Management is more convenient. In the end, a practical example is presented to prove that the designed model and algorithm have high security, feasibility and effectiveness in unattended substation automation system. Because the model and algorithm are designed according to the ITU-T X.509 and IEC61850 international standards, the design has high currency, adaptability and expansibility. ©2008 IEEE.

谷和武,潘理

DOI: https://doi.org/10.3969/j.issn.1009-8054.2010.06.040

2010-01-01

Abstract:For the access control in multi-domain,this paper proposes a method for policy conflicts classification and detection.The secure interoperation model based on RBAC and its security characteristics are studied,the policy conflicts resulted from the introduction of role mapping are analyzed and classified.The role system is abstracted as directed graph,and the effective roles and role hierarchy are utilized to propose a method based on directed graph of role system for detecting policy conflicts.Finally,the computational complexity?of the proposed method is analyzed,and the solutions for policy conflicts are given.

Li Qi,Xu Mingwei,Zhang Xinwen

DOI: https://doi.org/10.1109/ICDCS.Workshops.2008.26

2008-01-01

Abstract:Role-based Access Control (RBAC) has been widely deployed in many distributed systems in recent years. However, in many large-scale enterprise environments, it is difficult to manage RBAC because of the huge number of users and roles, and complex interrelationships between them. Moreover, with the development of information and communication technologies, many temporal and ad hoc collaborations between groups and departments are emerging, which require dynamic user-role and permission-role assignments. In thesescenarios it is infeasible, if not impossible, for few security officers to administrate the assignment for various applications. In this paper, we propose a novel RBAC model for decentralized and distributed systems. As one of the main contributions, we also propose a decentralizedadministration model to address the management issues in traditional RBAC systems, Our model can be used for group-based applications with dynamic assignments where typically local (group-level) administrators take charge of the dynamic assignments. In this way, many administrativetasks for different applications can spread over many different local administrators, and a fine-grained administration model of RBAC based on the local administration policies is realized. As a proof-of-conceptsystem, we implemented a secure Spread prototype based on our proposed model to show the feasibility in the real applications.

ZHANG Shuai,SUN Jian-ling,XU Bin,HUANG Chao

DOI: https://doi.org/10.3785/j.issn.1008-973X.2012.11.015

2012-01-01

Abstract:A dynamic multiple domains access control model base on role based access control(RBAC) was proposed in order to solve the problem that current single domain based access control model cannot fulfill the authorization requirements for service compositions crossing multiple enterprises.The process structures were analyzed and a role mining algorithm was proposed to find the role set with minimized permissions that meet the access requirements of composite services.Authorization negotiations were set up among relevant domains for each cross domain operation in composite services and cross domain role mappings were built according the mined role sets with minimized cost to fulfill the cross domain operations.Based on this model,a runtime framework aligned with current industry standard was proposed to authorize dynamically based on the current running status of composite services.Simulation experiments showed the effectiveness of key part of the role mining algorithm.

Benyuan Yang,Lili Luo,Zhimeng Wang

DOI: https://doi.org/10.1016/j.cose.2023.103621

IF: 5.105

2024-02-01

Computers & Security

Abstract:Interoperation can combine multiple resources and domains, thus it has been widely used in many practical industrial applications, such as distributed database systems. However, the merger of local access control policies in such systems may lead to security violations with regard to access control. For instance, a person can potentially have access (indirectly) to another one's file or data in the interoperation to which s/he should be denied access in the individual system. Therefore, it is critical to deal with such issues in a multidomain environment. Nevertheless, a real-world interoperation contains a large number of entities and access. This imposes a challenge to find the maximum secure interoperation in terms of direct data sharing among individual systems. To overcome this difficulty, we propose an integer linear programming-based approach which can find the maximum secure interoperation in a computationally efficient way. Experimental results are given to demonstrate the efficacy of our approach.

computer science, information systems

Zhang Xiantao,Li Qi,Qing Sihan,Zhang Huanguo,Zhang Liqiang

DOI: https://doi.org/10.1109/ISCIT.2007.4392214

2007-01-01

Abstract:Role-based Access Control (RBAC) become an important techniques to secure e-commerce systems during recent years. However, RBAC management issue is still an unresolved problem. Moreover, with the development of IT technologies in many departments, there emerge many group communications which require dynamic user-role assignments. In these scenarios it is infeasible for few security officers to administrate the assignment for local variant applications. In this paper, we propose a novel RBAC model for decentralized and distributed systems. We also present an administration model of our PBAC model to address the management issues in traditional RBAC systems. As one of the main contributions, this paper proposes a decentralized administration model by introducing a component of group assignment to implement a novel user authorization mechanism and a new user-role assignment (UA) approach which provides a two-level administration for user and role management through the concept of group. Our model can be applied for the current group communication applications with dynamic assignments where typically local administrators take charge of the dynamic assignments. In this way, many administrative tasks for different applications can spread over many different local administrators, and a fine-grained administration model of RBAC based on the local administration policies is realized. As a proof-of-concept we implemented a prototype in Xen virtualization environment based on our proposed model to secure real distributed applications.

SooHyun Shin,MyungJoo Park,TaeWan Kim,HyoSik Yang

DOI: https://doi.org/10.3390/s24186000

2024-09-16

Abstract:In traditional power grids, the unidirectional flow of energy and information has led to a decrease in efficiency. To address this issue, the concept of microgrids with bidirectional flow and independent power sources has been introduced. The components of a microgrid utilize various IoT protocols such as OPC-UA, MQTT, and DDS to implement bidirectional communication, enabling seamless network communication among different elements within the microgrid. Technological innovation, however, has simultaneously given rise to security issues in the communication system of microgrids. The use of IoT protocols creates vulnerabilities that malicious hackers may exploit to eavesdrop on data or attempt unauthorized control of microgrid devices. Therefore, monitoring and controlling security vulnerabilities is essential to prevent intrusion threats and enhance cyber resilience in the stable and efficient operation of microgrid systems. In this study, we propose an RBAC-based security approach on top of DDS protocols in microgrid systems. The proposed approach allocates roles to users or devices and grants various permissions for access control. DDS subscribers request access to topics and publishers request access to evaluations from the role repository using XACML. The overall implementation model is designed for the publisher to receive XACML transmitted from the repository and perform policy decision making and enforcement. By applying these methods, security vulnerabilities in communication between IoT devices can be reduced, and cyber resilience can be enhanced.