Jinfei Liu,Li Xiong,Jun Luo

2013-01-01

Abstract:In this paper we illustrate a privacy framework named Indistinguishabley Privacy. Indistinguishable privacy could be deemed as the formalization of the existing privacy definitions in privacy preserving data publishing as well as secure multi-party computation. We introduce three representative privacy notions in the literature, Bayes-optimal privacy for privacy preserving data publishing, differential privacy for statistical data release, and privacy w.r.t. semi-honest behavior in the secure multi-party computation setting, and prove they are equivalent. To the best of our knowledge, this is the first work that illustrates the relationships of these privacy definitions and unifies them through one framework.

Peng Liu,Jian-bin Hu,Zhong Chen

DOI: https://doi.org/10.1109/WI.2005.2

2005-01-01

Abstract:Although several access control policies have been proposed for securing access to resources, they focused on security of distributed environments that were rather static. Nowadays distributed environment becomes open and dynamic. In this paper, we propose a formal language for access control policies in open and dynamic environment. The language is based on description logic program and generalized courteous logic program supporting classical negation, prioritized conflict handling and mutual exclusion constraints. The language allows the specification of positive and negative authorization, privilege delegation and revocation, prioritized conflict resolution and mutual authorization exclusions.

Wu Di,Jian Lin,Yabo Dong,Miaoliang Zhu

DOI: https://doi.org/10.1109/PDCAT.2005.247

2005-01-01

Abstract:Role-based access control (RBAC) models have generated a great interest in the security community as a powerful and generalized approach to security management. One of important aspects in RBAC is constraints that constrain what components in RBAC are allowed to do. There are lots of research have been achieved to specify constraints for secure system developers. However more work is need urgently to met requirements for interoperability of machine and people understandable constraints specification in open and distributed environment. In this paper we propose another approach to specify constraints using Semantic Web technologies. The Web Ontology Language (OWL) specification of basic RBAC components and constraints are described in detail.

Qinghuai Zeng,Changqin Huang,Deren Chen,Hualiang Hu

DOI: https://doi.org/10.1109/CACWD.2004.1349224

2004-01-01

Abstract:In grid environments, the dynamic and multi-institutional nature introduces challenging security issues. In this paper, we propose subtask-based authorization service (SAS) architecture to fully secure a type of application oriented to engineering and scientific computing. We minimize privileges for task by decomposing the parallel task and re-allotting the privileges required for each subtask. Community authorization module describes and applies community policies of resource permission and privilege for resource usage or task management. It separates proxy credentials from identity credentials. We adopt a relevant policy and task management delegation to describe rules for task management. The ultimate privileges are formed by the combination of relevant proxy credential, subtask-level privilege certificate and community policy for this user, as well as they conform to resource policy. To enforce the architecture, we extend the RSL specification and the proxy certificate, modify Globus' gatekeeper, jobmanager and the GASS library to allow authorization callouts, and evaluate the user's job management requests and job's resource request in the context of policies.

Huiying Li,Xiang Zhang,Honghan Wu,Yuzhong Qu

2005-01-01

Abstract:Access control is an important issue among the security problems of resources in distributed systems. In order to enable entities in distributed systems to understand and interpret policies correctly, common concern is drawn to the problem of expressing access control policies with semantic information. In this paper, we introduce how to express access control policies based on OWL and SWRL. It includes a definition of OWL ontology to describe the terms and a declaration of SWRL rules to explicit the relationship between properties. Finally some use cases are given to explain how to express policies in form of rule using the terms defined beforehand.

James A. Hoagland,Raju Pandey,Karl N. Levitt

DOI: https://doi.org/10.48550/arXiv.cs/9809124

1998-10-01

Abstract:A security policy states the acceptable actions of an information system, as the actions bear on security. There is a pressing need for organizations to declare their security policies, even informal statements would be better than the current practice. But, formal policy statements are preferable to support (1) reasoning about policies, e.g., for consistency and completeness, (2) automated enforcement of the policy, e.g., using wrappers around legacy systems or after the fact with an intrusion detection system, and (3) other formal manipulation of policies, e.g., the composition of policies. We present LaSCO, the Language for Security Constraints on Objects, in which a policy consists of two parts: the domain (assumptions about the system) and the requirement (what is allowed assuming the domain is satisfied). Thus policies defined in LaSCO have the appearance of conditional access control statements. LaSCO policies are specified as expressions in logic and as directed graphs, giving a visual view of policy. LaSCO has a simple semantics in first order logic (which we provide), thus permitting policies we write, even for complex policies, to be very perspicuous. LaSCO has syntax to express many of the situations we have found to be useful on policies or, more interesting, the composition of policies. LaSCO has an object-oriented structure, permitting it to be useful to describe policies on the objects and methods of an application written in an object-oriented language, in addition to the traditional policies on operating system objects. A LaSCO specification can be automatically translated into executable code that checks an invocation of a program with respect to a policy. The implementation of LaSCO is in Java, and generates wrappers to check Java programs with respect to a policy.

Cryptography and Security

Zhang Yuan,Sun Meng

DOI: https://doi.org/10.1109/ICSESS.2011.5982244

2011-01-01

Abstract:We use a scenario-based visual notation, called Policy Sequence Chart (PSC), for specifying security policies in service coordination. A security policy defines a set of security requirements that correspond to permissions, prohibitions and obligations to some executions when some contextual conditions are satisfied. In this paper, we propose an approach of defining operational semantics of PSCs in terms of constraint automata, which can be used as the semantic foundation for checking compliance between service coordination and the security policies.An

Qi Qin,Yankai Rong,Guoshun Nan,Shaokang Wu,Xuefei Zhang,Qimei Cui,Xiaofeng Tao

2023-04-20

Abstract:Deep learning based semantic communication(DLSC) systems have shown great potential of making wireless networks significantly more efficient by only transmitting the semantics of the data. However, the open nature of wireless channel and fragileness of neural models cause DLSC systems extremely vulnerable to various attacks. Traditional wireless physical layer key (PLK), which relies on reciprocal channel and randomness characteristics between two legitimate users, holds the promise of securing DLSC. The main challenge lies in generating secret keys in the static environment with ultra-low/zero rate. Different from prior efforts that use relays or reconfigurable intelligent surfaces (RIS) to manipulate wireless channels, this paper proposes a novel physical layer semantic encryption scheme by exploring the randomness of bilingual evaluation understudy (BLEU) scores in the field of machine translation, and additionally presents a novel semantic obfuscation mechanism to provide further physical layer protections. Specifically, 1) we calculate the BLEU scores and corresponding weights of the DLSC system. Then, we generate semantic keys (SKey) by feeding the weighted sum of the scores into a hash function. 2) Equipped with the SKey, our proposed subcarrier obfuscation is able to further secure semantic communications with a dynamic dummy data insertion mechanism. Experiments show the effectiveness of our method, especially in the static wireless environment.

Cryptography and Security

Ziyi Su,Frederique Biennier

DOI: https://doi.org/10.48550/arXiv.1305.1727

2013-05-08

Cryptography and Security

Abstract:In an open information systems paradigm, real-time context-awareness is vital for the success of cooperation, therefore dynamic security attributes of partners should considered in coalition for avoiding security conflicts. Furthermore, the cross-boundary asset sharing activities and risks associated to loss of governance call for a continuous regulation of partners' behavior, paying attention to the resource sharing and consuming activities. This paper describes an attribute-based usage control policy shceme compline to this needs. A concise syntax with EBNF is used to summarize the base policy model. The semantics of negotiation process is disambiguated with abductive constraint logic programming (ACLP) and Event Calculus (EC). Then we propose a policy ratification method based on a policy aggregation algebra that elaborate the request space and policy rule relation. This method ensures that, when policies are aggregated due to resource sharing and merging activities, the resulting policy correctly interprets the original security goals of the providers' policies.

Othman Benammar,Hicham Elasri,Abderrahim Sekkaki

DOI: https://doi.org/10.48550/arXiv.1303.7085

2013-03-28

Cryptography and Security

Abstract:Management of security policies has become increasingly difficult given the number of domains to manage, taken into consideration their extent and their complexity. Security experts has to deal with a variety of frameworks and specification languages used in different domains that may belong to any Cloud Computing or Distributed Systems. This wealth of frameworks and languages make the management task and the interpretation of the security policies so difficult. Each approach provides its own conflict management method or tool, the security expert will be forced to manage all these tools, which makes the field maintenance and time consuming expensive. In order to hide this complexity and to facilitate some security experts tasks and automate the others, we propose a security policies aligning based on ontologies process; this process enables to detect and resolve security policies conflicts and to support security experts in managing tasks.

Cornelius Diekmann,Lars Hupel,Georg Carle

DOI: https://doi.org/10.4204/EPTCS.150.3

2014-05-06

Abstract:Large systems are commonly internetworked. A security policy describes the communication relationship between the networked entities. The security policy defines rules, for example that A can connect to B, which results in a directed graph. However, this policy is often implemented in the network, for example by firewalls, such that A can establish a connection to B and all packets belonging to established connections are allowed. This stateful implementation is usually required for the network's functionality, but it introduces the backflow from B to A, which might contradict the security policy. We derive compliance criteria for a policy and its stateful implementation. In particular, we provide a criterion to verify the lack of side effects in linear time. Algorithms to automatically construct a stateful implementation of security policy rules are presented, which narrows the gap between formalization and real-world implementation. The solution scales to large networks, which is confirmed by a large real-world case study. Its correctness is guaranteed by the Isabelle/HOL theorem prover.

Cryptography and Security,Logic in Computer Science

A. A. Timakov

DOI: https://doi.org/10.1134/s0361768824010110

2024-05-23

Programming and Computer Software

Abstract:One of the basic aspects of information flow control in applications is a security policy language. This language should allow one to define security policies for evaluation of environment elements in coherence with higher-level access control rules. Hence, the language is expected to be flexible because there may be different access control paradigms (mandatory, role-based, etc.) implemented at the system level. The application may also have its own specific restrictions. Finally, it is also desirable that the language support declassification (controlled release of information) during computations. Paralocks is one of such languages. This research is devoted to the logical semantics of a modified version of Paralocks implemented in TLA+. Paralocks represents a language basis for the PLIF information flow control platform, which is developed with author's participation for the analysis of PL/SQL program blocks. It includes proofs of the partial order and lattice defined on a set of security policy expressions.

computer science, software engineering

Abba Lawan,Abdur Rakib

DOI: https://doi.org/10.48550/arXiv.1903.11723

IF: 14.4

2019-03-27

Artificial Intelligence

Abstract:The Semantic Web Rule Language (SWRL) is a direct extension of OWL 2 DL with a subset of RuleML, and it is designed to be the rule language of the Semantic Web. This paper explores the state-of-the-art of SWRL's expressiveness extensions proposed over time. As a motivation, the effectiveness of the SWRL/OWL combination in modeling domain facts is discussed while some of the common expressive limitations of the combination are also highlighted. The paper then classifies and presents the relevant language extensions of the SWRL and their added expressive powers to the original SWRL definition. Furthermore, it provides a comparative analysis of the syntax and semantics of the proposed extensions. In conclusion, the decidability requirement and usability of each expressiveness extension are evaluated towards an efficient inclusion into the OWL ontologies.

Vijay Varadharajan,Kallol Karmakar,Uday Tupakula,Michael Hitchens

DOI: https://doi.org/10.48550/arXiv.1806.02053

2018-06-06

Abstract:As networks expand in size and complexity, they pose greater administrative and management challenges. Software Defined Networks (SDN) offer a promising approach to meeting some of these challenges. In this paper, we propose a policy driven security architecture for securing end to end services across multiple SDN domains. We develop a language based approach to design security policies that are relevant for securing SDN services and communications. We describe the policy language and its use in specifying security policies to control the flow of information in a multi-domain SDN. We demonstrate the specification of fine grained security policies based on a variety of attributes such as parameters associated with users and devices/switches, context information such as location and routing information, and services accessed in SDN as well as security attributes associated with the switches and Controllers in different domains. An important feature of our architecture is its ability to specify path and flow based security policies, which are significant for securing end to end services in SDNs. We describe the design and the implementation of our proposed policy based security architecture and demonstrate its use in scenarios involving both intra and inter-domain communications with multiple SDN Controllers. We analyse the performance characteristics of our architecture as well as discuss how our architecture is able to counteract various security attacks. The dynamic security policy based approach and the distribution of corresponding security capabilities intelligently as a service layer that enable flow based security enforcement and protection of multitude of network devices against attacks are important contributions of this paper.

Cryptography and Security

Sudipta Paria,Swarup Bhunia

2023-08-05

Abstract:The current zero trust model adopted in System-on-Chip (SoC) design is vulnerable to various malicious entities, and modern SoC designs must incorporate various security policies to protect sensitive assets from unauthorized access. These policies involve complex interactions between multiple IP blocks, which poses challenges for SoC designers and security experts when implementing these policies and for system validators when ensuring compliance. Difficulties arise when upgrading policies, reusing IPs for systems targeting different security requirements, and the subsequent increase in design time and time-to-market. This paper proposes a generic and flexible framework, called DiSPEL, for enforcing security policies defined by the user represented in a formal way for any bus-based SoC design. It employs a distributed deployment strategy while ensuring trusted bus operations despite the presence of untrusted IPs. It relies on incorporating a dedicated, centralized module capable of implementing diverse security policies involving bus-level interactions while generating the necessary logic and appending in the bus-level wrapper for IP-level policies. The proposed architecture is generic and independent of specific security policy types supporting both synthesizable and non-synthesizable solutions. The experimental results demonstrate its effectiveness and correctness in enforcing the security requirements and viability due to low overhead in terms of area, delay, and power consumption tested on open-source standard SoC benchmarks.

Cryptography and Security,Hardware Architecture

Meng Shen,Jing Wang,Hongyang Du,Dusit Niyato,Xiangyun Tang,Jiawen Kang,Yaoling Ding,Liehuang Zhu

DOI: https://doi.org/10.1109/mnet.2023.3327111

IF: 10.294

2023-01-01

IEEE Network

Abstract:Semantic communication has emerged as a promising technique that can integrate the meaning and context of information into a communication process. It goes beyond raw data transmission and enables a sender and a receiver to transmit and recover semantic messages through their respective knowledge bases. However, it is challenging to achieve secure semantic communication due to complicated security and privacy threats in semantic communication. In this article, we first introduce the background and architecture of semantic communication. Then, we sort out multiple potential security threats existing in each step of semantic communication. Following that, we summarize the requirements for secure semantic communication and provide possible defenses for each type of attacks. We also present a case study to illustrate the training process of a reliable semantic encoder/decoder. Finally, we discuss open issues and future directions in this research field.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Baowen Xu,Yanhui Li,Jianjiang Lu,Dazhou Kang

DOI: https://doi.org/10.1007/11758549_13

2006-01-01

Abstract:With the development of the Semantic Web. the issue on Semantic Web security has received a considerable attention. OWL security is a burgeoning and challengeable sub-area of Semantic Web security. We propose a novel approach about OWL security, especially about inference control in OWL retrieval. We define OWL inference control rules (ICRs) to present the aim of inference control. To achieve ICRs. our approach introduces a novel concept "semantic related view" (SRView) w.r.t an OWL knowledge base. which describes semantic relations in it. We present a construction process of SRViews from OWL knowledge bases and define pruning operations to rewrite them. Based on pruned SRViews. a query framework to achieve inference control is proposed. followed by analysis of correctness and complexity.

Yang Luo,Qingni Shen,Zhonghai Wu

DOI: https://doi.org/10.48550/arXiv.1903.09756

2019-03-23

Abstract:Access control is an important component for web services such as a cloud. Current clouds tend to design the access control mechanism together with the policy language on their own. It leads to two issues: (i) a cloud user has to learn different policy languages to use multiple clouds, and (ii) a cloud service provider has to customize an authorization mechanism based on its business requirement, which brings high development cost. In this work, a new access control policy language called PERM modeling language (PML) is proposed to express various access control models such as access control list (ACL), role-based access control (RBAC) and attribute-based access control (ABAC), etc. PML's enforcement mechanism is designed in an interpreter-on-interpreter manner, which not only secures the authorization code with sandboxing, but also extends PML to all programming languages that support Lua. PML is already adopted by real-world projects such as Intel's RMD, VMware's Dispatch, Orange's Gobis and so on, which proves PML's usability. The performance evaluation on OpenStack, CloudStack and Amazon Web Services (AWS) shows PML's enforcement overhead per request is under 5.9us.

Cryptography and Security

YAO Qian,CHEN Shun,XIE Li

DOI: https://doi.org/10.3969/j.issn.1002-137X.2005.06.058

2005-01-01

Computer Science

Abstract:The security control of the CORBA middleware is a complicated and important work. Focusing on the defi- ciency of the security service standard for security control, this article introduces a new language of access control management,namely VPL, and uses a specific example to explain how VPL manages access control strategy in both static state and dynamic state, which shows the advantage VPL brings to the strategy management.

Xusheng Xiao,Amit M. Paradkar,Suresh Thummalapenta,Tao Xie

DOI: https://doi.org/10.1145/2393596.2393608

2012-01-01

Abstract:ABSTRACTAccess Control Policies (ACP) specify which principals such as users have access to which resources. Ensuring the correctness and consistency of ACPs is crucial to prevent security vulnerabilities. However, in practice, ACPs are commonly written in Natural Language (NL) and buried in large documents such as requirements documents, not amenable for automated techniques to check for correctness and consistency. It is tedious to manually extract ACPs from these NL documents and validate NL functional requirements such as use cases against ACPs for detecting inconsistencies. To address these issues, we propose an approach, called Text2Policy, to automatically extract ACPs from NL software documents and resource-access information from NL scenario-based functional requirements. We conducted three evaluations on the collected ACP sentences from publicly available sources along with use cases from both open source and proprietary projects. The results show that Text2Policy effectively identifies ACP sentences with the precision of 88.7% and the recall of 89.4%, extracts ACP rules with the accuracy of 86.3%, and extracts action steps with the accuracy of 81.9%.