Hoang Nguyen Phuoc-Bao,Manuel Clavel

DOI: https://doi.org/10.48550/arXiv.2209.05561

2022-09-13

Abstract:Recently, we have proposed a model-driven approach for enforcing fine-grained access control (FGAC) policies when executing SQL queries. More concretely, we have defined a function SecQuery() that, given an FGAC policy S and a SQL select-statement q, generates a SQL stored-procedure SecQuery(S, q), such that: if a user u with role r is authorised, according to S, to execute q based on the current state of the database, then calling SecQuery(S, q)(u, r) returns the same result as when u executes q; otherwise, if the user u is not authorised, according to S, to execute q based on the current state of the database, then calling SecQuery(S, q)(u, r) signals an error. Not surprisingly, executing the query q takes less time than calling the corresponding stored-procedure SecQuery(S, q). Here we propose a model-based methodology for optimising the stored-procedures generated by the function SecQuery(). The idea is to eliminate authorisation checks in the body of the stored-procedures generated by SecQuery(), when they can be proved to be unnecessary. Based on our previous mapping from the Object Constraint Language (OCL) to many-sorted first-order logic, we can attempt to prove that authorisation checks are unnecessary by using SMT solvers. We include a case study to illustrate and show the applicability of our methodology.

Databases,Cryptography and Security

Xiyuan Chen,Yang OUYang,Miaoliang Zhu,Yan He

DOI: https://doi.org/10.1109/ICYCS.2008.407

2008-01-01

Abstract:The emerging grid infrastructure presents many challenging security issues that demand new access approach due to its inherent heterogeneity, multidomain characteristic and highly dynamic nature. In order to protect the secure sharing and coordinated use of diverse resources in distributed "virtual organizations", fine-grained access control in grid computing is therefore very necessary and important. In this paper, a semantic-aware access conrtol(SAAC) extending the RBAC with the semantic specification is proposed. Supplying semantic specification by the implementation of semantic inference engine (SIE), the administration for the applicability of users' role memberships to particular permissions is much more easy and precise. The enforcement of the SAAC model for grid application is presented. An experimental evaluation of its overheads is also described.

Yong Liu,Yunliang Jiang,Lican Huang

DOI: https://doi.org/10.1109/tfuzz.2010.2043848

IF: 12.253

2010-01-01

IEEE Transactions on Fuzzy Systems

Abstract:We propose granular computing (GrC) on ontology as a solution to the problem of modeling complex architectures. We expressed the architectures formally as ontology domains, which include two components: the set of basic vocabularies and a knowledge library of rules. The set of basic vocabularies contains elements or basic architecture components. The knowledge library comprises rules that control the combination and construction of the basic elements. As the rules are often given by architectural experts subjectively, they may contain redundant, conflicting, and overlapping rules, especially in certain styles of ancient southeast Chinese architecture. It is difficult to distinguish or identify these rules; therefore, we apply the multilevel approach on ontology [Y. Liu, C. Xu, Q. Zhang, and Y. Pan, ¿Smart architect: Scalable ontology-based modeling for ancient chinese architecture,¿ IEEE Intell. Syst., vol. 23, no. 1, pp. 49-56, Jan./Feb. 2008] and approximation theory of GrC. In this process, we present a measurement that is based on roughness functions to evaluate the degrees of approximation between the selected set and certain architecture domains. With the monotonicity characteristic of roughness functions, we can design a heuristic algorithm to select a suitable knowledge base (rule set) to assist in integrating the parts into final architectures, via several levels. Experiments with a real architectural project, i.e., modeling ancient southeast Chinese architectures, show that our method is effective and may simplify the design of the automodeling system and enhance its performance.

XL Li,ZW Xu,XW Liu,N Yang

DOI: https://doi.org/10.1109/wi.2003.1241240

2003-01-01

Abstract:It is a challenge to integrate and share resources securely across multiple autonomous administrative domains environment. We introduce the community-based model of vega enterprise information grid and its operation mechanism. The individuals and/or institutes forming different communities can not only implement diverse policies and autonomous management of resource sharing without any impact on the other communities, but also achieve a globally shared goal. Based on the model, the access control technique, including framework and uniform formalizing, is presented in detail. The static or dynamic role binding is used for entitling user's request for accessing resources within or across communities, which ensures a globally unified view for user. A prototype describes how these techniques are useful in building an enterprise information grid. The evaluation and future continuing works are presented in the conclusion.

Yang Liu,Xiangyu Li,Yan Ma

DOI: https://doi.org/10.3390/systems10060208

2022-01-01

Systems

Abstract:With the rapid development of digital economics, a large number of data have been accumulated in the supply chain system, and data islands have appeared. Data sharing is an imperative way to unlock the data value of a supply chain system. A safe and effective access control mechanism for privacy-sensitive data is key in data sharing. At present, traditional access control mechanisms are static, single-factor control, and prone to a single point of failure. For dealing with these, a fine-grained access control (FGAC) framework for supply chain data sharing is proposed, based on the blockchain Hyperledger Fabric. It augments role-based access control (RBAC) by giving different attribute keywords to different types of users. This framework is implemented in smart contract Chaincodes and quantitatively verified by using the model-checking tool UPPAAL. The experiment results show that the FGAC framework enhances the efficiency and safety in the process of data sharing for the supply chain system, compared with the existing works.

Qi Li,Zongkai Lin,Yuchai Guo,Shouxun Lin

2001-01-01

Ruan Jian Xue Bao/Journal of Software

Abstract:Secure, flexible and efficient access control mechanism is a key part of DBMS supporting cooperation. Access control mechanism in traditional DBMS can not meet the requirement of dynamic and group based cooperative applications. The paper presents GACM (generic access control method) which provides fine-grained hierarchical access control method and reduce the authorization work as much as possible, keeping good balance between flexibility and efficiency. Another feature of GACM is its support for group management. GACM is able to manage multi groups and multi roles. It can also check rights dynamically. The paper compares GACMwith the model provided by P. Cewan and H. Shen lastly.

Junbiao Wang,Jianxin Zhang,Jianjun Jiang,Shichao Zhang

DOI: https://doi.org/10.3969/j.issn.1000-2758.2008.04.005

2008-01-01

Xibei Gongye Daxue Xuebao/Journal of Northwestern Polytechnical University

Abstract:Aim. Existing access control models are, in our opinion, not sufficiently effective. We now propose a novel access control model based on RBAC (Role-Based Access Control), which, we believe, is sufficiently effective. In the full paper, we explain our model in some detail. In this abstract, we just add some pertinent remarks to listing the two topics of explanation. The first topic is: the analysis of RBAC-based access control model. In the first topic, with the help of Fig.1 in the full paper, we explain in some detail how the FICS (Flexible Information Coding System) controls access. The second topic is: the implementation of our novel and effective RBAC-based access control model. Its three subtopics are: the concepts of traditional RBAC model that we utilize (subtopic 2.1), the restrictions we impose on accessing our novel and effective model (subtopic 2.2), and the access assignment strategy of FICS (subtopic 2.3). A large Chinese aircraft manufacturing enterprise has made use of our novel and effective RBAC-based access control model and has gradually widened and continues to widen the scope of its application. How the large enterprise utilizes our novel and effective model are briefly described in Fig.4 and Table 1 in the full paper.

Jie Cui,Xuelian Chen,Jing Zhang,Qingyang Zhang,Hong Zhong

DOI: https://doi.org/10.1109/jiot.2020.3041860

IF: 10.6

2021-05-15

IEEE Internet of Things Journal

Abstract:A connected and autonomous vehicle (CAV) is often fitted with a large number of onboard sensors and applications to support autonomous driving functions. Based on the current research, little work on applications' access to in-vehicle data has been done. Furthermore, most existing autonomous driving operating systems lack authentication and encryption units. As such, applications can excessively obtain confidential information, such as vehicle location and owner preferences and even upload it to the cloud, threatening the security of the vehicle and the privacy of the owner. In this study, we propose a fine-grained access control scheme to restrict applications' access to data in CAVs (FGAC-inCAVs). First, we present a system model composed of the following elements: a trusted third party (TTP), which is a fully trusted authority; perception components like sensors, which can capture the road information (pictures, videos, etc.); and multiple applications. Then, a fast attribute-based encryption (ABE) is presented, and security analysis also shows it is secure against selective and chosen-plaintext attacks. Furthermore, we propose a key update scheme based on the Chinese remainder theorem (CRT). Finally, the theoretical analysis and simulation experiments demonstrate its feasibility and efficiency.

computer science, information systems,telecommunications,engineering, electrical & electronic

Lingxi Zhang,Jing Zhang,Yanling Wang,Shulin Cao,Xinmei Huang,Cuiping Li,Hong Chen,Juanzi Li

DOI: https://doi.org/10.48550/arXiv.2306.14722

IF: 14.4

2023-06-26

Artificial Intelligence

Abstract:The generalization problem on KBQA has drawn considerable attention. Existing research suffers from the generalization issue brought by the entanglement in the coarse-grained modeling of the logical expression, or inexecutability issues due to the fine-grained modeling of disconnected classes and relations in real KBs. We propose a Fine-to-Coarse Composition framework for KBQA (FC-KBQA) to both ensure the generalization ability and executability of the logical expression. The main idea of FC-KBQA is to extract relevant fine-grained knowledge components from KB and reformulate them into middle-grained knowledge pairs for generating the final logical expressions. FC-KBQA derives new state-of-the-art performance on GrailQA and WebQSP, and runs 4 times faster than the baseline.

shaomin zhang,hongbian yang,baoyi wang

DOI: https://doi.org/10.1007/978-3-642-27287-5_94

2012-01-01

Abstract:For the problems of attribute elements maintenance difficulty and heterogeneous attribute of multi-domain in ABAC model, we propose the method of using ontology to maintain access control elements and distributed attribute management, which describe the logical relationships among attributes with OWL and introduce attribute mapping technology in access control decision-making. It can reduce the complexity of attribute management and raise the security of the cross-domain access. It makes up the defects in original ABAC model, and has a good reference to research the cross-domain access control.

Fuguang Ma,Yong Gao,Menglong Yan,Fuchun Xu,Ding Liu

DOI: https://doi.org/10.1109/GEOINFORMATICS.2010.5567713

2010-01-01

GEOINFORMATICS

Abstract:With the development of the network technologies and GIS, spatial data security is becoming more and more important because of the increasing spatial data sharing and interoperation. At the same time, advanced spatial data acquisition technologies are producing mass high-precision data. Therefore, fine-grained access restrictions to spatial data are seriously demanded. However, the existing data access control technologies are inadequate to meet the security requirement of spatial data, especially in fine-grained access control. In this paper, the fine-grained access control of the spatial data issues is discussed in detail. Then, the mechanism of authorization for the fine-grained access control is introduced. Based on Role-based Access Control (RBAC) model, a fine-grained access control model for spatial data is proposed in the grid environment. Finally, a case study is given to prove the feasibility of the proposed model above.

Aya Mohamed,Dagmar Auer,Daniel Hofer,Josef Küng

2023-06-22

Abstract:The increasing use of graph-structured data for business- and privacy-critical applications requires sophisticated, flexible and fine-grained authorization and access control. Currently, role-based access control is supported in graph databases, where access to objects is restricted via roles. This does not take special properties of graphs into account such as vertices and edges along the path between a given subject and resource. In previous iterations of our research, we started to design an authorization policy language and access control model, which considers the specification of graph paths and enforces them in the multi-model database ArangoDB. Since this approach is promising to consider graph characteristics in data protection, we improve the language in this work to provide flexible path definitions and specifying edges as protected resources. Furthermore, we introduce a method for a datastore-independent policy enforcement. Besides discussing the latest work in our XACML4G model, which is an extension to the Extensible Access Control Markup Language (XACML), we demonstrate our prototypical implementation with a real case and give an outlook on performance.

Cryptography and Security

Yvo Desmedt,Arash Shaghaghi

DOI: https://doi.org/10.48550/arXiv.1609.04514

2016-09-15

Abstract:Security researchers have stated that the core concept behind current implementations of access control predates the Internet. These assertions are made to pinpoint that there is a foundational gap in this field, and one should consider revisiting the concepts from the ground up. Moreover, Insider threats, which are an increasing threat vector against organizations are also associated with the failure of access control. Access control models derived from access control matrix encompass three sets of entities, Subjects, Objects and Operations. Typically, objects are considered to be files and operations are regarded as Read, Write, and Execute. This implies an `open sesame' approach when granting access to data, i.e. once access is granted, there is no restriction on command executions. Inspired by Functional Encryption, we propose applying access authorizations at a much finer granularity, but instead of an ad-hoc or computationally hard cryptographic approach, we postulate a foundational transformation to access control. From an abstract viewpoint, we suggest storing access authorizations as a three-dimensional tensor, which we call Access Control Tensor (ACT). In Function-based Access Control (FBAC), applications do not give blind folded execution right and can only invoke commands that have been authorized for data segments. In other words, one might be authorized to use a certain command on one object, while being forbidden to use exactly the same command on another object. The theoretical foundations of FBAC are presented along with Policy, Enforcement and Implementation (PEI) requirements of it. A critical analysis of the advantages of deploying FBAC, how it will result in developing a new generation of applications, and compatibility with existing models and systems is also included. Finally, a proof of concept implementation of FBAC is presented.

Cryptography and Security

Feng Xiang,Gan Ling,Ni Kai,Zhang Chao

DOI: https://doi.org/10.3969/j.issn.1000-386X.2007.10.022

2007-01-01

Abstract:Authorization access control is an essential and important module in MIS.Traditional authorization control needs to be improved on coupling and reusability.A Web service based authorization access control method is designed.By abstracting the basic functions in the field of authorization access control,and setting the authorization intonation into a five-tuple table in database,the functions of authorizatin access control are separated.The authorization access control method is made to run as Web Service,and thus the model is of low coupling,high reusability,and can be easily used in different applications running on isomerism environment.

Xin Pei,Huiqun Yu,Guisheng Fan

DOI: https://doi.org/10.1142/s0218194015710047

IF: 1.007

2015-01-01

International Journal of Software Engineering and Knowledge Engineering

Abstract:One primary challenge of enforcing access control in cloud computing is how to ensure access with high efficiency while preserving data security. This paper proposes a fine-grained access control method for cloud resources. The basic idea is to use XACML as access control language and to optimize policies by data fragmentation and policy refinement algorithms. Through data fragmentation, the accessible resources are divided into disjoint data blocks, and each of them will be combined with a set of policy rules. This helps to refine the policy and to avoid data leakage caused by rule conflicting on the resource intersections. Finally, the disjoint data blocks and the optimized policy are distributed in the three-layered cloud, and the decision to a request is made by rule matching on a specific resource rather than traversing the whole policy rules. Experiments show that our proposal enjoys higher efficiency in cloud-based access control.

Yang Xu,Wuqiang Gao,Quanrun Zeng,Guojun Wang,Ju Ren,Yaoxue Zhang

DOI: https://doi.org/10.1007/978-3-319-72389-1_27

2017-01-01

Abstract:Attribute-Based Access Control (ABAC) is a promising approach for addressing intricate management requirements in dynamic and distributed environments. Nevertheless, because of lacking flexible access exception handling mechanism, rigid rules in ABAC influence the resource availability and ultimately the working efficiency. In this paper, we propose a novel fuzzy ABAC model (FABAC) that extends the ABAC with better usability. We introduce the fuzzy mechanism into decision-making process. Based on the membership grades of requests to rules and the spare credits of respective subjects, our framework permits additional requests failing in rule matching, thus enhancing the information flows in business processes. Furthermore, we develop the credit system with history-based recovery mechanism, wherein the subject’s credits and corresponding recovery rate are impacted by the past authorizations on substandard requests, for maintaining the risk of abuse under control. The analysis reveals that our model contributes to attaining better tradeoff between security and usability.

Jason Crampton,Charles Morisset

DOI: https://doi.org/10.48550/arXiv.1204.2342

2014-07-31

Abstract:There have been many proposals for access control models and authorization policy languages, which are used to inform the design of access control systems. Most, if not all, of these proposals impose restrictions on the implementation of access control systems, thereby limiting the type of authorization requests that can be processed or the structure of the authorization policies that can be specified. In this paper, we develop a formal characterization of the features of an access control model that imposes few restrictions of this nature. Our characterization is intended to be a generic framework for access control, from which we may derive access control models and reason about the properties of those models. In this paper, we consider the properties of monotonicity and completeness, the first being particularly important for attribute-based access control systems. XACML, an XML-based language and architecture for attribute-based access control, is neither monotonic nor complete. Using our framework, we define attribute-based access control models, in the style of XACML, that are, respectively, monotonic and complete.

Cryptography and Security,Logic in Computer Science

Yang Xu,Wuqiang Gao,Quanrun Zeng,Guojun Wang,Ju Ren,Yaoxue Zhang

DOI: https://doi.org/10.1155/2018/6476315

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Attribute-based access control (ABAC) is a maturing authorization technique with outstanding expressiveness and scalability, which shows its overwhelmingly competitive advantage, especially in complicated dynamic environments. Unfortunately, the absence of a flexible exceptional approval mechanism in ABAC impairs the resource usability and business time efficiency in current practice, which could limit its growth. In this paper, we propose a feasible fuzzy-extended ABAC (FBAC) technique to improve the flexibility in urgent exceptional authorizations and thereby improving the resource usability and business timeliness. We use the fuzzy assessment mechanism to evaluate the policy-matching degrees of the requests that do not comply with policies, so that the system can make special approval decisions accordingly to achieve unattended exceptional authorizations. We also designed an auxiliary credit mechanism accompanied by periodic credit adjustment auditing to regulate expediential authorizations for mitigating risks. Theoretical analyses and experimental evaluations show that the FBAC approach enhances resource immediacy and usability with controllable risk.

Chunhua Gu,Xueqin Zhang,Guoxin Song

2005-01-01

Abstract:Because of the new business trends such as cooperating, downsizing and resource sharing, the use of virtual organization (VU) is gaining increasing importance as a model for building large-scale business information systems. Authorization is essential in VU in order to control the access to shared resources. But authorization in VU is challenging because the participants of VU need to collaborate in a distributed, dynamic and heterogeneous environment, and accordingly the access control policies are complex. A delegation logic based authorization mechanism is put forward in this paper. Our proposed approach translates the access requests, credentials and access policies into unified delegation logic rules. Based on the calculation on those rules, the access decision is made. We introduce the concept of Access Unit (AU), which wraps the AC system of a task. The rude exchange interface of AU is defined. The main contribution of this paper is that it suggests a practical mechanism for implementing authorization for VU. In essence, we propose an approach to enforce RBAC in VU based on task/project structure.

Xinyu Fan,Faen Zhang,Jianfei Song,Jingming Guo,Fujie Gao

DOI: https://doi.org/10.48550/arXiv.2001.01945

2020-01-07

Abstract:A fine-grained provenance-based access control policy model is proposed in this paper, in order to improve the express performance of existing model. This method employs provenance as conditions to determine whether a piece of data can be accessed because historical operations performed on data could reveal clues about its sensitivity and vulnerability. Particularly, our proposed work provides a four-valued decision set which allows showing status to match a restriction particularly. This framework consists of target policy, access control policy, and policy algebras. With the complete definition and algebra system construction, a practical fine-grained access control policy model is developed.

Cryptography and Security