HL Hu,D Chen,CQ Huang

DOI: https://doi.org/10.1109/icsmc.2004.1401072

2004-01-01

Abstract:The idea of role has been widely applied to solving the authority, responsibility, function and interaction, which are associated with member station in organizations. Access control is a key security issue in distributed collaboration systems. After analyzing corresponding security requirements and the present status of security in distributed collaboration system, this paper presents an extensive role-based access control (ERBAC) architecture based on differentiated domain management. In this architecture, security management is classified into inter-domain one and infra-domain one, whilst, it can integrate new security policies. Based on definition of role permission type, the paper introduces a function of permission type change to make ERBAC architecture flexible. In addition, the authors discuss the methods by which the security can be implemented in an agent-based framework. The practices signify that this system can be flexibly applied various existing policy languages and protocols.

HL Hu,D Chen,CQ Huang

DOI: https://doi.org/10.1007/11428862_31

2005-01-01

Abstract:The open and anonymous of grid make the task of controlling access to sharing information more difficult, which cannot be addressed by traditional access control methods. In this paper, we identify access control requirements in such environments and propose a trust based access control framework for grid resource sharing. The framework is an integrated solution involving aspects of trust and recommendation models, based the discretionary access control (DAC), and are applied to grid resource-sharing systems. In this paper, we integrate technology of web services into idea of trust for describing resources.

Xiyuan Chen,Miaoliang Zhu

DOI: https://doi.org/10.4028/www.scientific.net/kem.439-440.178

2010-01-01

Abstract:Semantic; Trust Management; RBAC; User-role Assignment Abstract. The application of RBAC in access management of the enterprise services and resources is very widely. With phenomenal growth of information interaction and cooperation between distributed systems, the number of users can be in the hundreds of thousands or millions. This renders manual user-to-role assignment a formidable task. In this paper, we propose a semantic and trust based framework to automatically assign users to roles based on a finite set of assignment rules defined by authorized people in the enterprise. These rules take into consideration the attributes users own and any constraints set forth by the enterprise including the assignment history and the credit of the requester. We choose OWL to specify the user attributes.

Xiyuan Chen,Miaoliang Zhu

DOI: https://doi.org/10.1109/mobhoc.2009.5336922

2009-01-01

Abstract:Collaboration enables domains to share resources effectively; however it introduces several security and privacy challenges. To guarantee the secure interoperation in complex distributed environment, a RBAC based secure interoperation model was proposed. Based on the inherent characteristic of the RBAC system, a directed acyclic graph based detection method of security violation was investigated. We also classified the conflicts according to the feature of each four parts of NITS RBAC model: conflicts resulting from unrelated roles, conflicts that arise from related roles and conflicts due to separation of duty. The targeted detection method for different types of conflicts was illustrated systematically. Therefore corresponding detection method can be applied to different types of conflicts according to the actual application environment. Furthermore, we analyzed the algorithmic complexity of the method and demonstrated the application of the directed acyclic graph based detection method with case studies in realistic scenarios.

Jianxin Li,Jinpeng Huai,Chunming Hu,Yanmin Zhu

DOI: https://doi.org/10.1016/j.ins.2010.05.014

IF: 8.1

2010-01-01

Information Sciences

Abstract:Nowadays, various promising paradigms of distributed computing over the Internet, such as Grids, P2P and Clouds, have emerged for resource sharing and collaboration. To enable resources sharing and collaboration across different domains in an open computing environment, virtual organizations (VOs) often need to be established dynamically. However, the dynamic and autonomous characteristics of participating domains pose great challenges to the security of virtual organizations. In this paper, we propose a secure collaboration service, called PEACE-VO, for dynamic virtual organizations management. The federation approach based on role mapping has extensively been used to build virtual organizations over multiple domains. However, there is a serious issue of potential policy conflicts with this approach, which brings a security threat to the participating domains. To address this issue, we first depict concepts of implicit conflicts and explicit conflicts that may exist in virtual organization collaboration policies. Then, we propose a fully distributed algorithm to detect potential policy conflicts. With this algorithm participating domains do not have to disclose their full local privacy policies, and is able to withhold malicious internal attacks. Finally, we present the system architecture of PEACE-VO and design two protocols for VO management and authorization. PEACE-VO services and protocols have successfully been implemented in the CROWN test bed. Comprehensive experimental study demonstrates that our approach is scalable and efficient.

Jianxin Li,Jinpeng Huai,Chunming Hu

DOI: https://doi.org/10.1109/srds.2007.12

2007-01-01

Abstract:The increasing complexity and dynamics of grid environments have posed great challenges for secure and privacy-preserving collaboration in a virtual organization. In this paper, we propose PEACE-VO, a secure policy-enabled collaboration framework for virtual organizations. PEACE-VO employs role mapping to define trust relationships across autonomous domains. Nevertheless, a critical issue emerges when the system applies role mapping, which is potential policy conflict in a local domain. We first develop two concepts to depict such possible conflicts within the collaboration policy. Next, we propose a fully distributed evaluation algorithm to detect potential policy conflicts, which does not require domains to disclose their full local security policies and therefore preserves critical domain privacy. Finally, we design two dedicated protocols for virtual organization management and authorization services, respectively. We have successfully implemented the PEACE-VO framework with two fundamental protocols, i.e., VO management protocol and service authorization protocol, in the CROWN Grid. Comprehensive experimental study shows our approach is scalable and efficient.

Qi Li,Xinwen Zhang,Mingwei Xu,Jianping Wu

DOI: https://doi.org/10.1016/j.cose.2008.12.004

IF: 5.105

2009-01-01

Computers & Security

Abstract:Role-Based Access Control (RBAC) has become a popular technique for security purposes with increasing accessibility of information and data, especially in large-scale enterprise environments. However, authorization management in dynamic and ad-hoc collaborations between different groups or domains in these environments is still an unresolved problem. Traditional RBAC models cannot solve this problem because they cannot support security policy composition from different groups, and lack efficient administrative models for dynamic collaborations. In this paper, we propose a group-based RBAC model (GB-RBAC) for secure collaborations which is based on RBAC96 and extended with group concept to capture dynamic users and permissions. We propose a decentralized security administrative model for GB-RBAC to address the management issues of RBAC in collaborations. As a unique property, our model supports two levels of authorization management: global or system level management by system administrators and local or group level management by group administrators. In this way, our model implements the principles of management autonomy and separation of duty (SoD) in security administrations. We apply our model for authorization management in collaborations by introducing the concept of virtual group. A virtual group is built for a collaboration between multi-groups, where all members build trust relation within the group and are authorized to join and perform operations for the collaborative work. Compared with existing work, our model supports dynamic and ad-hoc collaborations in large-scale systems with the properties of controllable, decentralized, and fine-grained security management.

Qi Li,Xinwen Zhang,Sihan Qing,Mingwei Xu

DOI: https://doi.org/10.1109/colcom.2006.361887

2006-01-01

Abstract:With the increasing accessibility of information and data, role-based access control (RBAC) has become a popular technique for security and privacy purposes. However, trusted collaboration between different groups in large corporate Intranets is still an unresolved problem. The challenge is how to extend existing access control model for efficient security management and administration to allow trusted collaboration between different groups. In this paper, we propose a group-based RBAC model (GB-RBAC) for this purpose. In particular, virtual group is proposed in our model to allow secure information and resource sharing in multi-group collaboration environments. All the members of a virtual group build trust relation between themselves and are authorized to join the collaborative work. The scheme and strategies provided in this paper meet the requirements of security, autonomy, and privacy for collaborations. As a result, our scheme provides an easy way to employ RBAC policies to secure ad-hoc collaboration

Yan Li,Huiping Sun,Zhong Chen,Jinqiang Ren,Haining Luo

DOI: https://doi.org/10.1109/SecTech.2008.50

2008-01-01

Abstract:With the development of grid technology, sensitive files and data protection become difficult tasks multi-domains. Traditional access control mechanisms are not suitable to such distributed environment. Several models and mechanisms utilize trust to assist access control decision. But few explicitly consider trust and risk as two separate factors which affect interactions between peers. In this paper, we present a novel mechanism which considers both trust and risk as two vital parameters to assist access control decision. In addition, a novel model of trust evaluation is proposed to represent the confidence in the peer. And to appease people’s anxiety about loss, a new model of risk assessment is also presented to indicate impacts on resources. At the end of this paper, simulation results will indicate that our mechanism is able to secure local system more efficiently and reliably.

Ying Chen,Shoubao Yang,Leitao Guo

DOI: https://doi.org/10.1007/11590354_22

2005-01-01

Abstract:To improve system scalability and restrain cheat, which are two important aspects in resource sharing gird environment, a dynamic-role based access control framework is proposed in this paper. This framework imports trust model, proposes “conversion parameter” and dynamic-role to resolve the problems of access control across multi domains. Simulation results show that it can realize access control easily, prohibit malicious behavior of entities, and improve the scalability of the system. An implementation is also shown in this paper.

Yongkai Fan,Jun Lin,Tianze Sun

2006-01-01

Journal of Computational Information Systems

Abstract:Collaborative learning, especially by means of learning resource sharing, is becoming increasingly frequent. It is necessary in many cases where the participators are in different areas. An efficient and effective learning resource management seems necessary and sorely needed. To build a collaborative environment, security is the first important aspect that should be seriously considered for the information security. Research focuses on a security model by considering an approach applied for collaborative learning and resource management. The security model implemented through integration of web services security technologies and role-based access police. With some operation, it aims to reduce the barriers imposed by space and time with limited or no collaboration support.

YF Xu,L Korba,LH Wang,Q Hao,WM Shen,S Lang

DOI: https://doi.org/10.1109/indin.2003.1300269

2003-01-01

Abstract:In today's globalized business world, outsourcing, joint ventures, and cross-border collaborations have led to work environments that are geographically distributed across organizational and national boundaries. There are critical research needs to develop highly secured collaborative work environments and security solutions for deployment, configuration, monitoring, and device control of interoperating services. We present a well-shaped security framework for distributed system control with a focus on device-level system control, monitoring and services reconfiguration in open and dynamic environments. The characteristics of portability, reconfigurability, interoperability, and interchangeability of these new environments are considered as key factors to produce new security risks and challenges. By adopting public key cryptography, software agent and XML binding technologies, the major security problems of authenticity, integrity, confidentiality, and safe execution are addressed in this framework. The core modules for secure task delivery and execution are presented in detail.

Yahui Lu,Li Zhang,Yinbo Liu,Jiaguang Sun

DOI: https://doi.org/10.1109/cscwd.2006.253050

2006-01-01

Abstract:Role-based access control (RBAC) models have been successfully implemented in various information systems in recent years. However, the traditional centralized authorization and administration mechanisms in RBAC have several drawbacks in collaborative environments. In this paper, we propose a distributed Domain Administration of RBAC Model, DARBAC, in which the authorization and administration privileges are distributed to multiple administrative domains. Each administrative role is assigned to an administrative domain and can only execute administrative operations within its domain. By introducing the concept of administrative domain and administrative role hierarchy, the DARBAC model can flexibly meet the access control requirements in collaborative environments. We also describe how to implement the model in the PLM product and how to apply the model in a distributed enterprise environment to support cooperative work.

Lina Ge,Shaohua Tang,Qiao Kuang

DOI: https://doi.org/10.1109/apscc.2006.46

2006-01-01

Abstract:In the grid environment, the resource providers should maintain the ultimate authority over their resources, including access authorization and grain scale control. Apparently, the traditional RBAC model will be inappropriate in multi-autonomous domains environment. Focusing on the autonomous, heterogeneous and dynamic features of grid computing, we propose the concept of "Resource Role". We also initiate the Dual-Role Based Access Control (DRBAC) framework, where the resource role permission mapping is defined in resource domain and user role resource role mapping is negotiated by user domain and resource domain. This framework is simple and works better than the traditional RBAC in multi domains environment.

Meng Liu,Xuyun Zhang,Chi Yang,Shaoning Pang,Deepak Puthal,Kaijun Ren

DOI: https://doi.org/10.1016/j.future.2018.10.017

2017-01-01

Abstract:Secure interoperation is an important technology to protect shared data in multi-domain environments. IRBAC (Interoperable Role-based Access Control) 2000 model has been proposed to achieve security interoperation between two or more RBAC administrative domains. Static Separation of Duties (SSoD) is an important security policy in RBAC, but it has not been enforced in the IRBAC 2000 model. As a result, some previous works have studied the problem of SMER (Statically Mutually Exclusive Roles) constraints violation between two RBAC domains in the IRBAC 2000 model. However all of them do not enforce how to preserve privacy of RBAC policies, such as roles, roles hierarchies and user-role assignment while detecting SMER constraints violation, if the two interoperable domains do not want to disclose them each other and to others. In order to enforce privacy-preserving detection of SMER constraints violation, we first introduce a solution without privacy-preserving mechanism using matrix product. Then a privacy-preserving solution is proposed to securely detect SMER constraints violation without disclosing any RBAC policy based on a secure three-party protocol to matrix product computation. By efficiency analysis and experimental results comparison, the secure three-party computation protocol to matrix product based on the Paillier cryptosystem is more efficient and practical.

Gang Yin,Huai-min Wang,Tao Liu,Dian-xi Shi,Ming-feng Chen

DOI: https://doi.org/10.1007/11576259_53

2005-01-01

Abstract:In Grid environments, virtual organizations (VOs) often need to define access control policies to govern who can use which resources for which purpose over multiple policy domains. This is challenging, not only because the entities in VOs must collaborate with each other to share resources across administrative domains, but also because there usually exist a large amount of underlying sites (resource providers) and users in VOs. In this paper, we introduce to use trust management approach to address these problems in Grid environments. We propose a rule-based policy language (RPL) framework to describe the authorization and delegation policies related to VOs, sites and users. This paper also introduces the design of an enhanced community authorization service (ECAS) based on RPL framework, which can be seamlessly integrated with local authorization mechanisms. ECAS uses different kinds of delegation policies for flexible collaboration on authorization between entities in VOs. Compared with similar research works, ECAS enhances the flexibility and scalability of decentralized authorization in Grid environments.

Victor L. Winter,Azamat MametJanov,Steven E. Morrison,James A. Mccoy,Gregory L. Wickstrom

DOI: https://doi.org/10.1109/hase.2007.29

2007-01-01

Abstract:With the increasing complexity of dynamic and collaborative computing environments in grid, security management has become a critical factor. Although several approaches have been proposed, fully decentralized and efficient authorization management is still a challenging problem. We propose an access control scheme based on a group-based RBAC model for grid computing environments. By separating the administrations of users by VO level policies and permissions by resource or service provider policies, our scheme provides decentralized, autonomous, and fine-grained security management which fits the dynamic environment of grids, and can support ad-hoc collaborations. We implement a proof-of-concept prototype system by enhancing the access control module in grid file system (GFS) and specifying different levels of policies with XACML.

Deqing Zou,Laurence T. Yang,Wezhong Qiang,Xueguang Chen,Zongfen Han

DOI: https://doi.org/10.1109/aina.2007.33

2007-01-01

Abstract:Collaboration is used for information sharing and activity coordinating, and it exists broadly in many fields. Group communication enables efficient communication between a set of processes logically organized into groups and communicating via multicast in an asynchronous environment. One of the key technologies for collaborative applications is secure group communication. Current research on secure group communication scarcely considers the existing security mechanism in local systems. As a result, group communication systems couldn't provide general support for collaborative applications running on a specific system. Based on the existing grid security technologies, we propose an authentication and access control framework at Virtual Organization (VO) level for group communication in grid environment. By introducing Role-Based Access Control (RBAC) and attribute-based approach, we define group management policies and design group control protocols. The protocols are analyzed from three aspects: compatibility, performance, and security. Finally, we implement a prototype based on GridShib.

Xiaoyong Li,Xiaolin Gui,Juan Zhao,Bo Zhao

2008-01-01

Journal of Computational Information Systems

Abstract:In large-scale open distributed environment such as Grid computing, Ubiquitous computing, P2P computing and Ad hoc, etc., network is a dynamic and cooperative system made up of multi-software serving. Under the dynamic and uncertainty environment, traditional approaches to security are often found lacking, so dynamic trust model becomes a new and hot topic of security research for these new distributed applications. Focusing on dynamic, uncertainty and collaborative between entities under large-scale distributed environment, theory of Reinforcement Learning (RL) is applied to the study of dynamic trust model. First, basic formal description is conducted for trust decision, and behavior state-space structure is constructed based on gain function according the interaction time sequence between entities. Then, applying RL algorithm, based on direct trust gain function and feedback trust gain function, overall trust degree fusion computing model is set up. New model makes full use of the advantages of the RL algorithm, brakes away from the incongruence problem of trust-making in the traditional method, in which the weights are set up by subjective manners. Simulation's results show that, compared to the existing trust models, the new model has a better dynamic adaptation capability. © 2008 Binary Information Press.

Hong Xiang,Xiaofeng Xia,Haibo Hu,Sheng Wang,Jun Sang,Chunxiao Ye

DOI: https://doi.org/10.5755/j01.itc.45.3.13187

IF: 0.813

2016-01-01

Information Technology And Control

Abstract:The requirement to develop an organization makes collaboration with other organizations necessary, so the organizations can share resources to perform common tasks. Different organizational domains use different access control models to protect their resources from unauthorized access. Organizational collaboration is an important goal for distributed computing paradigms, but policy inconsistencies between domains will cause problems in a collaboration model that add to the problems involved in constructing the collaboration model itself. These problems provide the two challenges that motivate the research presented here: (1) the construction of a collaboration model across multiple domains protected by different access control models; and (2) ensuring that the access control policy used by a participating domain contains no inconsistencies. We also present our new approach to solving the inter-domain role mapping (IDRM) problem, i.e., to determine the minimal role set that covers requested permissions from a collaborating domain. We also analyse our algorithms, present the results of our tests, and compare our results with the results of existing approaches. DOI: http://dx.doi.org/10.5755/j01.itc.45.3.13187