Xiyuan Chen,Miaoliang Zhu

DOI: https://doi.org/10.4028/www.scientific.net/kem.439-440.178

2010-01-01

Abstract:Semantic; Trust Management; RBAC; User-role Assignment Abstract. The application of RBAC in access management of the enterprise services and resources is very widely. With phenomenal growth of information interaction and cooperation between distributed systems, the number of users can be in the hundreds of thousands or millions. This renders manual user-to-role assignment a formidable task. In this paper, we propose a semantic and trust based framework to automatically assign users to roles based on a finite set of assignment rules defined by authorized people in the enterprise. These rules take into consideration the attributes users own and any constraints set forth by the enterprise including the assignment history and the credit of the requester. We choose OWL to specify the user attributes.

HL Hu,D Chen,CQ Huang

DOI: https://doi.org/10.1109/icsmc.2004.1401072

2004-01-01

Abstract:The idea of role has been widely applied to solving the authority, responsibility, function and interaction, which are associated with member station in organizations. Access control is a key security issue in distributed collaboration systems. After analyzing corresponding security requirements and the present status of security in distributed collaboration system, this paper presents an extensive role-based access control (ERBAC) architecture based on differentiated domain management. In this architecture, security management is classified into inter-domain one and infra-domain one, whilst, it can integrate new security policies. Based on definition of role permission type, the paper introduces a function of permission type change to make ERBAC architecture flexible. In addition, the authors discuss the methods by which the security can be implemented in an agent-based framework. The practices signify that this system can be flexibly applied various existing policy languages and protocols.

Xiyuan Chen,Di Wu.,Jian Lin,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICCIAS.2006.295308

2006-01-01

Abstract:To satisfy the requirements of secure interoperation among distributed systems, a security violation detection method for RBAC based interoperation is proposed We carry out the discussion in the scope of Core RBAC and Hierarchy RBAC. To better illustrate the method for RBAC based interoperation, a formal definition of secure interoperation in RBAC systems has been introduced. Security violation of interoperation with role mappings in the distributed systems is analyzed. Based on these discussions, a minimum security violation detection method for RBAC based interoperation according to the feature of RBAC system and the inherent characteristic of interoperation in distributed environment is introduced. The minimum detection method provides good performance reducing complexity by decreasing amount of roles involved in detection.

WU Di,ZHU Miao-liang,CHEN Xi-yuan,LIN Jian

DOI: https://doi.org/10.3785/j.issn.1008-973x.2007.09.025

2007-01-01

Abstract:A security violation detection method was proposed to meet the requirements of secure interoperation among distributed systems.Role mapping mechanism was introduced among the role-based access control(RBAC) systems to implement access control across systems.The security violation of interoperation with role mappings was analyzed and the formalized definitions of secure interoperation were done.Then a minimum detection method according to the feature of distributed environment was introduced particularly.This method reduced the computation complexity by decreasing the amount of roles involved in the detection.The security violation character was further analyzed based on the minimum detection method to help administrators eliminate security violation.

LI Jinyan,YU Zhonghua

DOI: https://doi.org/10.13196/j.cims.2017.06.009

2017-01-01

Abstract:With gradual improvement of collaborative manufacturing mode,the played an important role for the adjustment of organizational structure and business process reengineering.How to balance the To solve the problem that collaboration oriented flexible workflow should combine flexibility and security in dynamic environment,according to the characteristics of collaborative,the concept of team was introduced based on the hierarchical authorization management to realize the combination of role-based static authorization and task-based dynamic control,and a novel access control model was proposed for cooperation-oriented flexible workflow.As for the potential conflict of constraints at different levels due to the flexibility and cooperation,task-based separation of duty was provided,so as to better solve the problem of information security and access control for flexible workflow in dynamic environment.

MA Liang,GU Ming

DOI: https://doi.org/10.3969/j.issn.1000-1220.2006.01.031

2006-01-01

Abstract:Nowadays workflow is coming into more and more notice in many areas such as OA, e-government, e-business. Security is a important problem in workflow environment. Access control is a vital component of Security. In this paper, a RBAC model in workflow environment (WRBAC) is introduced. The model is based on proposed NIST standard for RBAC, formally describes the relationship between the key elements of access control in workflow systems such as user, role, permission and activity, presents the static and dynamic constraints. The model can effectively reduce the risk of information leakage and fraud, meet the requirements for access control in workflow systems.

Chao Huang,Jianling Sun,Xinyu Wang,Yuanjie Si

DOI: https://doi.org/10.1109/ISBIM.2008.132

2009-01-01

Abstract:In large enterprise software systems, users often need to delegate their authority to others. Permission base delegation model (PBDM) based on RBAC96 currently is the most attractive model to fulfill the delegation requirement since it supports partly delegation and multiple steps delegation. However in PBDM there is no explicit specification of the separation of duty (SOD) constraint, which is one of the most important constraints and is essential to the security of the system. In this paper, we analyze the SOD constraint in PBDM delegation model and give the formal definition for the constraint. We prove that the constraint violation will not happen at the stage of the delegation role definition whereas it can only happen at the stage of role assignment. We then propose a protective mechanism to prevent the illegal role delegation utilizing the prerequisite conditions which are a set of Boolean expressions. We also give the algorithm to check the prerequisite conditions to help the security administrator guarantee the safe role delegation.

Chao Huang,Jianling Sun,Xinyu Wang,Yuanjie Si

DOI: https://doi.org/10.1109/ICNDS.2009.94

2009-01-01

Abstract:Access control is always essential for safe and security access to the system resource. Role based access control (RBAC) model is widely used in large enterprise software systems. The quality of the RBAC policy design especially role definition has great impact on the system security policy implementation. In this paper we propose a novel role engineering methods with security KAOS (SKAOS), which guide the engineering process via keeping decomposing the functional requirement objective and combining the system security requirement. SKAOS not only simplifies the system userpsilas involvement in the role engineering process via supplying with the objective decomposition but also reduces the complexity of the operation analysis. After building the objective decomposition and activity analysis diagrams, the role definition can be delivered. We illustrate the effectiveness of our method via analyzing a real world requirement problem.

Xinyu Wang,Jianling Sun,Xiaohu Yang,Chao Huang,Di Wu

DOI: https://doi.org/10.1093/ietisy/e91-d.5.1447

2008-01-01

IEICE Transactions on Information and Systems

Abstract:This paper proposes a security violation detection method for RBAC based interoperation to meet the requirements of secure interoperation among distributed systems. We use role mappings between RBAC systems to implement trans-system access control, analyze security violation of interoperation with role mappings, and formalize definitions of secure interoperation. A minimum detection method according to the feature of RBAC system in distributed environment is introduced in detail. This method reduces complexity by decreasing the amount of roles involved in detection. Finally, we analyze security violation further based on the minimum detection method to help administrators eliminate security violation.

Jian Zhang,Niya Li,Di Luo,Lili He,Chengquan Hu

DOI: https://doi.org/10.1109/ICYCS.2008.188

2008-01-01

Abstract:For the limitation of current workflow delegation models, a conditional delegation model based on weighted roles for workflow is proposed. For the model, it is supporting conditional partial delegation by adding weights to roles and importing variables in workflow tasks. The role delegation tree is defined to address the multi-step delegation issue, and the consistency delegation checking method is provided. Based on this model, the corresponding delegation and revocation algorithm is also given. Finally, a simple example is given, which demonstrates the delegation working process and the building process of role delegation tree.

Yahui Lu,Li Zhang,Jiaguang Sun

DOI: https://doi.org/10.1016/j.compind.2009.02.009

IF: 10

2009-01-01

Computers in Industry

Abstract:The fast evolving workflow technologies facilitate organizations to interact and cooperate with each other to achieve their business goals by process collaborations. Task-role based access control is an important security mechanism to protect data and resources in information systems. However, the traditional centralized authorization and administration mechanism in access control can not satisfy the administrative requirements in process collaboration environments. In this paper, we propose a domain based administration model for task-role based access control (DATRBAC), in which the authorization and administration permissions are distributed to multiple administrative domains and administrative roles. Then we propose the solution to detect and resolve the conflicts between access control policies defined by different administrative roles. We also described the implementation of the model in the PLM product and the experiments based on the practical application data.

Zhang Xiantao,Li Qi,Qing Sihan,Zhang Huanguo,Zhang Liqiang

DOI: https://doi.org/10.1109/ISCIT.2007.4392214

2007-01-01

Abstract:Role-based Access Control (RBAC) become an important techniques to secure e-commerce systems during recent years. However, RBAC management issue is still an unresolved problem. Moreover, with the development of IT technologies in many departments, there emerge many group communications which require dynamic user-role assignments. In these scenarios it is infeasible for few security officers to administrate the assignment for local variant applications. In this paper, we propose a novel RBAC model for decentralized and distributed systems. We also present an administration model of our PBAC model to address the management issues in traditional RBAC systems. As one of the main contributions, this paper proposes a decentralized administration model by introducing a component of group assignment to implement a novel user authorization mechanism and a new user-role assignment (UA) approach which provides a two-level administration for user and role management through the concept of group. Our model can be applied for the current group communication applications with dynamic assignments where typically local administrators take charge of the dynamic assignments. In this way, many administrative tasks for different applications can spread over many different local administrators, and a fine-grained administration model of RBAC based on the local administration policies is realized. As a proof-of-concept we implemented a prototype in Xen virtualization environment based on our proposed model to secure real distributed applications.

Ahmed S. Alfakeeh,Abdulmohsen Almalawi,Fawaz Jaber Alsolami,Yoosef B. Abushark,Asif Irshad Khan,Adel Aboud S. Bahaddad,Alka Agrawal,Rajeev Kumar,Raees Ahmad Khan

DOI: https://doi.org/10.32604/cmc.2022.020146

2022-01-01

Abstract:Security is an important component in the process of developing healthcare web applications. We need to ensure security maintenance; therefore the analysis of healthcare web application's security risk is of utmost importance. Properties must be considered to minimise the security risk. Additionally, security risk management activities are revised, prepared, implemented, tracked, and regularly set up efficiently to design the security of healthcare web applications. Managing the security risk of a healthcare web application must be considered as the key component. Security is, in specific, seen as an add-on during the development process of healthcare web applications, but not as the key problem. Researchers must ensure that security is taken into account right from the earlier developmental stages of the healthcare web application. In this row, the authors of this study have used the hesitant fuzzy-based AHP-TOPSIS technique to estimate the risks of various healthcare web applications for improving security-durability. This approach would help to design and incorporate security features in healthcare web applications that would be able to battle threats on their own, and not depend solely on the external security of healthcare web applications. Furthermore, in terms of healthcare web application's security-durability, the security risk variable is measured, and vice versa. Hence, the findings of our study will also be useful in improving the durability of several web applications in healthcare.

Maha Aljohani

DOI: https://doi.org/10.1002/cpe.8068

2024-03-07

Concurrency and Computation Practice and Experience

Abstract:Summary The data‐intensive workflow application executes tasks on edge servers and cloud platforms in a heterogeneous big‐data computing environment. Cloud and edge servers are vulnerable to node attacks and malicious links due to their wireless connections. Thus, detecting and mitigating rogue nodes in edge server communication environments during workflow execution is crucial. In today's workflow execution landscape, there is a rising emphasis on resolving Quality of Service (QoS) and security concerns within homogeneous execution settings. Workflow execution on diverse computing platforms has received limited research. We are developing an edge‐cloud‐specific Multi‐Layer Security and Quality‐Aware (MLSQA) framework to solve research issues in this area. Node attacks are detected via reputation‐based security features in the MLSQA framework, whereas link attacks are detected using machine learning. A unique trade‐off metrics technique optimizes workflow security and QoS parameters, reducing energy usage and makespan. In addition, a fault‐tolerant, energy‐efficient job offloading technique is described in detail to improve the system's resilience to errors. The experiment is conducted using complex (i.e., memory and CPU intensive) scientific procedures with intermediate job dependencies, namely Inspiral workflow. The MLSQA framework excels in threat detection, demonstrating lower false alarms, reduced energy consumption, and quicker implementation than the recent secure workflow execution architecture.

computer science, theory & methods, software engineering

Li Qi,Xu Mingwei,Zhang Xinwen

DOI: https://doi.org/10.1109/ICDCS.Workshops.2008.26

2008-01-01

Abstract:Role-based Access Control (RBAC) has been widely deployed in many distributed systems in recent years. However, in many large-scale enterprise environments, it is difficult to manage RBAC because of the huge number of users and roles, and complex interrelationships between them. Moreover, with the development of information and communication technologies, many temporal and ad hoc collaborations between groups and departments are emerging, which require dynamic user-role and permission-role assignments. In thesescenarios it is infeasible, if not impossible, for few security officers to administrate the assignment for various applications. In this paper, we propose a novel RBAC model for decentralized and distributed systems. As one of the main contributions, we also propose a decentralizedadministration model to address the management issues in traditional RBAC systems, Our model can be used for group-based applications with dynamic assignments where typically local (group-level) administrators take charge of the dynamic assignments. In this way, many administrativetasks for different applications can spread over many different local administrators, and a fine-grained administration model of RBAC based on the local administration policies is realized. As a proof-of-conceptsystem, we implemented a secure Spread prototype based on our proposed model to show the feasibility in the real applications.

Brian Lee,Roman Vanickis,Franklin Rogelio,Paul Jacob

DOI: https://doi.org/10.48550/arXiv.1710.09696

2017-10-26

Cryptography and Security

Abstract:As the computing landscape evolves towards distributed architectures such as Internet of Things (IoT),enterprises are moving away from traditional perimeter based security models toward so called zero trust networking (ZTN) models that treat both the intranet and Internet as equally untrustworthy. Such security models incorporate risk arising from dynamic and situational factors, such as device location and security risk level risk, into the access control decision. Researchers have developed a number of risk models such as RAdAC (Risk Adaptable Access Control) to handle dynamic contexts and these have been applied to medical and other scenarios. In this position paper we describe our ongoing work to apply RAdAC to ZTN. We develop a policy management framework, FURZE, to facilitate fuzzy risk evaluation that also defines how to adapt to dynamically changing contexts. We also consider how enterprise security situational awareness (SSA) - which describes the potential impact to an organisations mission based on the current threats and the relative importance of the information asset under threat - can be incorporated into a RAdAC scheme

XIONG Yun,BAI Xiaoying

2006-01-01

Abstract:This paper proposes a Wf-RBAC model based on RBAC96 model to enhance the flexibility and effectiveness of permission management and access control in workflow management systems(WfMS).The paper also puts forward a three-level implementation strategy of the extended workflow systems.It introduces the prototype of supporting tool.

Zhiyuan Wei,Jun Zhuang

DOI: https://doi.org/10.1111/risa.15070

2024-07-13

Risk Analysis

Abstract:Confronting the continuing risk of an attack, security systems have adopted target‐hardening strategies through the allocation of security measures. Most previous work on defensive resource allocation considers the security system as a monolithic architecture. However, systems such as schools are typically characterized by multiple layers, where each layer is interconnected to help prevent single points of failure. In this paper, we study the defensive resource allocation problem in a multilayered system. We develop two new resource allocation models accounting for probabilistic and strategic risks, and provide analytical solutions and illustrative examples. We use real data for school shootings to illustrate the performance of the models, where the optimal investment strategies and sensitivity analysis are presented. We show that the defender would invest more in defending outer layers over inner layers in the face of probabilistic risks. While countering strategic risks, the defender would split resources in each layer to make the attacker feel indifferent between any individual layer. This paper provides new insights on resource allocation in layered systems to better enhance the overall security of the system.

public, environmental & occupational health,mathematics, interdisciplinary applications,social sciences, mathematical methods

Ryma Abassi,Sihem Guemara El Fatmi

DOI: https://doi.org/10.4204/EPTCS.122.8

2013-07-31

Abstract:Security Policies (SP) constitute the core of communication networks protection infrastructures. It offers a set of rules allowing differentiating between legitimate actions and prohibited ones and consequently, associates each entity in the network with a set of permissions and privileges. Moreover, in today's technological society and to allow applications perpetuity, communication networks must support the collaboration between entities to face up any unavailability or flinching. This collaboration must be governed by security mechanisms according to the established permissions and privileges. Delegation is a common practice that is used to simplify the sharing of responsibilities and privileges. The delegation process in a SP environment can be implanted through the use of adequate formalisms and modeling. The main contribution of this paper is then, the proposition of a generic and formal modeling of delegation process. This modeling is based on three steps composing the delegation life cycle: negotiation used for delegation initiation, verification of the SP respect while delegating and revocation of an established delegation. Hence, we propose to deal with each step according to the main delegation characteristics and extend them by some new specificities.

Cryptography and Security

JeeHyun Hwang,Tao Xie,Vincent C. Hu

DOI: https://doi.org/10.1109/SSIRI.2009.63

2009-01-01

Abstract:Access control mechanisms control which subjects (such as users or processes) have access to which resources. To facilitate managing access control, policy authors increasingly write access control policies in XACML. Access control policies written in XACML could be amenable to multiple-duty-related security leakage, which grants unauthorized access to a user when the user takes multiple duties (e.g., multiple roles in role-based access control policies). To help policy authors detect multiple-duty-related security leakage, we develop a novel framework that analyzes policies and detects cases that potentially cause the leakage. In such cases, a user taking multiple roles (e.g., both r1 and r2) is given a different access decision from the decision given to a user taking an individual role (e.g., r1 and r2, respectively). We conduct experiments on 11 XACML policies and our empirical results show that our framework effectively pinpoints potential multiple-duty-related security leakage for policy authors to inspect.