Xiyuan Chen,Miaoliang Zhu

DOI: https://doi.org/10.4028/www.scientific.net/kem.439-440.178

2010-01-01

Abstract:Semantic; Trust Management; RBAC; User-role Assignment Abstract. The application of RBAC in access management of the enterprise services and resources is very widely. With phenomenal growth of information interaction and cooperation between distributed systems, the number of users can be in the hundreds of thousands or millions. This renders manual user-to-role assignment a formidable task. In this paper, we propose a semantic and trust based framework to automatically assign users to roles based on a finite set of assignment rules defined by authorized people in the enterprise. These rules take into consideration the attributes users own and any constraints set forth by the enterprise including the assignment history and the credit of the requester. We choose OWL to specify the user attributes.

Yan Li,Jinqiang Ren,Huiping Sun,Haining Luo,Zhong Chen

DOI: https://doi.org/10.1007/978-3-642-10240-0_8

2009-01-01

Abstract:With development of grid technology, sensitive data protection becomes a difficult task for accesses from heterogeneous domains. Moreover, anonymity and unknown peers worsen security problems. Traditional access control mechanisms are not suitable to distributed environment. Several models and mechanisms make use of trust evaluation to assist access control decision. But few explicitly consider trust and risk as two separate factors which affect interactions between peers. In this paper, we present an access control mechanism which considers both trust and risk as two vital parameters. We also introduce static game model with incomplete information to analyze the optimal decision. In addition, a new model of trust evaluation is proposed to represent the confidence in the peer. To appease people's anxiety about loss, a model of risk assessment is also presented to indicate impacts on resources. At the end of this paper, to describe how our mechanism works, a scenario is provided.

ZHANG Shuai,SUN Jian-ling,XU Bin,HUANG Chao

DOI: https://doi.org/10.3785/j.issn.1008-973X.2012.11.015

2012-01-01

Abstract:A dynamic multiple domains access control model base on role based access control(RBAC) was proposed in order to solve the problem that current single domain based access control model cannot fulfill the authorization requirements for service compositions crossing multiple enterprises.The process structures were analyzed and a role mining algorithm was proposed to find the role set with minimized permissions that meet the access requirements of composite services.Authorization negotiations were set up among relevant domains for each cross domain operation in composite services and cross domain role mappings were built according the mined role sets with minimized cost to fulfill the cross domain operations.Based on this model,a runtime framework aligned with current industry standard was proposed to authorize dynamically based on the current running status of composite services.Simulation experiments showed the effectiveness of key part of the role mining algorithm.

Hong Xiang,Xiaofeng Xia,Haibo Hu,Sheng Wang,Jun Sang,Chunxiao Ye

DOI: https://doi.org/10.5755/j01.itc.45.3.13187

IF: 0.813

2016-01-01

Information Technology And Control

Abstract:The requirement to develop an organization makes collaboration with other organizations necessary, so the organizations can share resources to perform common tasks. Different organizational domains use different access control models to protect their resources from unauthorized access. Organizational collaboration is an important goal for distributed computing paradigms, but policy inconsistencies between domains will cause problems in a collaboration model that add to the problems involved in constructing the collaboration model itself. These problems provide the two challenges that motivate the research presented here: (1) the construction of a collaboration model across multiple domains protected by different access control models; and (2) ensuring that the access control policy used by a participating domain contains no inconsistencies. We also present our new approach to solving the inter-domain role mapping (IDRM) problem, i.e., to determine the minimal role set that covers requested permissions from a collaborating domain. We also analyse our algorithms, present the results of our tests, and compare our results with the results of existing approaches. DOI: http://dx.doi.org/10.5755/j01.itc.45.3.13187

JeeHyun Hwang,Tao Xie,Vincent Hu,Mine Altunay

DOI: https://doi.org/10.1007/978-3-642-13739-6_13

2010-01-01

Abstract:Access control mechanisms are used to control which principals (such as users or processes) have access to which resources based on access control policies. To ensure the correctness of access control policies, policy authors conduct policy verification to check whether certain properties are satisfied by a policy. However, these properties are often not written in practice. To facilitate property verification, we present an approach that automatically mines likely properties from a policy via the technique of association rule mining. In our approach, mined likely properties may not be true for all the policy behaviors but are true for most of the policy behaviors. The policy behaviors that do not satisfy likely properties could be faulty. Therefore, our approach then conducts likely-property verification to produce counterexamples, which are used to help policy authors identify faulty rules in the policy. To show the effectiveness of our approach, we conduct evaluation on four XACML policies. Our evaluation results show that our approach achieves more than 30% higher fault-detection capability than that of an existing approach. Our approach includes additional techniques such as basic and prioritization techniques that help reduce a significant percentage of counterexamples for inspection compared to the existing approach.

Junzhou Luo,Xudong Ni,Jianming Yong

DOI: https://doi.org/10.1016/j.ins.2009.01.039

IF: 8.1

2009-01-01

Information Sciences

Abstract:The purpose of grid computing is to enable coordinated resource sharing and support cooperative work between different domains in dynamic grid environments. In order to protect each participant’s privilege and security, a secure and efficient access control is essential. This paper presents a new approach of access mechanism based on trust relationships across domains. A new calculation method of trust in grid is proposed and the difference between intro-domain trust and inter-domain trust is analyzed. In addition, a novel access control framework combined with trust degree is given from this proposal. It is shown to be adaptive for both intro-domain and inter-domain conditions. Hence, a prototype system based on the proposed model is introduced; furthermore, it has been shown as a dynamic and fine-granularity access control method through performance analyses and has also been demonstrated as a suitable system for grid environments.

Yufan Tao,Fanping Zeng

DOI: https://doi.org/10.1109/bigcom61073.2023.00017

2023-01-01

Abstract:In modern society, smart home has become a part of people’s daily life. The smart home will generate a large amount of data to be shared inside and outside the home which is sensitive and private. Therefore, access control plays a critical role in the many issues that need to be addressed in the smart home. However, there is still a lack of an access control scheme suitable for the smart home to ensure the security of users’ data. Attribute-based access control(ABAC) is a flexible authorization model. It controls whether there is permission to operate objects through the attributes of entities, operation types, and related environments, but it cannot resist malicious attacks within the environment. Therefore, in this paper, we propose a trust-based ABAC model, which is extended on the basis of the ABAC model and applies the trust model to the smart home ABAC model to achieve fine-grained and effective access control. Our model can not only use the trust model to monitor the behavior deviation of devices in smart homes, and establish trust relationships between devices, but also control the permissions of each device. Finally, we test the trust model on the ns-3 platform and simulate the access control model on the small real Internet of Things(IoT). The results show that the trust model has good accuracy, convergence, and anti-attack, and the ABAC model has good applicability in smart home scenarios.

Lu Chen,Qing Zhou,Gaofeng Huang,Liqiang Zhang

DOI: https://doi.org/10.1109/CIS.2014.47

2014-01-01

Abstract:Resource sharing is one of the main applications of network. How to establish a trust relationship between resources requestor and provider, and enforce authority is the key issue of efficient resource sharing. Existing models and methods are mostly focus on identity, recommendation and other information, but lack of the considering of resource requestor's conduct and environment of computing. And once authorized, it will not be able to track and control user behavior dynamically. It may cause more risks when sharing resources. Aiming to resolve the above problems, a trust-role based context aware access control model is proposed relying on the measurement and verification of the \"trust credentials and evidences\" which embody the context information of user behavior and platform environment to achieve the security, dependable and dynamic access control for resource sharing.

Gang Yin,Huai-min Wang,Tao Liu,Dian-xi Shi,Ming-feng Chen

DOI: https://doi.org/10.1007/11576259_53

2005-01-01

Abstract:In Grid environments, virtual organizations (VOs) often need to define access control policies to govern who can use which resources for which purpose over multiple policy domains. This is challenging, not only because the entities in VOs must collaborate with each other to share resources across administrative domains, but also because there usually exist a large amount of underlying sites (resource providers) and users in VOs. In this paper, we introduce to use trust management approach to address these problems in Grid environments. We propose a rule-based policy language (RPL) framework to describe the authorization and delegation policies related to VOs, sites and users. This paper also introduces the design of an enhanced community authorization service (ECAS) based on RPL framework, which can be seamlessly integrated with local authorization mechanisms. ECAS uses different kinds of delegation policies for flexible collaboration on authorization between entities in VOs. Compared with similar research works, ECAS enhances the flexibility and scalability of decentralized authorization in Grid environments.

Kai Fan,Yuhan Bai,Huiyue Xu,Qiang Pan,Hui Li,Yintang Yang

DOI: https://doi.org/10.1109/icc.2019.8761745

2019-01-01

Abstract:As the number of people using social networks increases, users are often assigned to different domains for better digital right management. However, they are no longer satisfied with accessing data just in one domain with the rapid expansion of information, so there is an urgent need for a way to access data among different domains while guarantee their privacy and security. In this paper, we propose a cross-domain access control scheme based on multi-authority attribute-based encryption for big data from social networks. In our construction, we use a hybrid encryption algorithm that based on symmetric encryption and CP-ABE not only to achieve cross-domain access control, but also to improve the efficiency of the system. Besides, the trusted proxy users for proper storage of symmetric keys ensures the security of the system. Meanwhile, the use of an inter-domain trusted proxy user, instead of an intra-domain data owner to formulate an access control policy, reduces the huge computational overhead associated with the ciphertext re-encryption technology and greatly improves the efficiency of the entire system. Finally, security analysis and performance analysis show that the proposed scheme is a secure and trusted networking.

Yi Chen,Junzhou Luo,Xudong Ni

DOI: https://doi.org/10.1109/chinagrid.2008.35

2008-01-01

Abstract:Due to the nowadays increasing applications of grid computing technology, the risks of grid security are growing, such as the problem of access control inter-domain in grid environment. Recently, trust management is considered as an effective approach for enhancing grid security. As the fuzzy feature of trust and the advantage of fuzzy theory for trust representation and reasoning, this paper presents a two-level fuzzy trust model for grid environment as well as an inter-domain access control method based on it. The model adopts fuzzy math theory and considers direct trust and recommended trust comprehensively between domains. Case study and simulation results show that the scheme can realize access control inter-domain in grid environment correctly and effectively.

Xia Hui,Fu Xiao,San-Shun Zhang,Xiang-Guo Cheng,Zhen-Kuan Pan

DOI: https://doi.org/10.1109/tnse.2018.2866783

IF: 6.6

2018-01-01

IEEE Transactions on Network Science and Engineering

Abstract:The concept of social networking is integrated into the Cyber-Physical Systems (CPSs) for the purpose of allowing smart objects to establish social relationships in an autonomous way. Solutions based on social relationships are considered to be promising approaches for resource/service discovery. The primary issues in a social-CPS (SCPS) involve how to define, quantify and eventually establish social relationships between objects, and how to build a reliable system. In this paper, we first put forward a definition of the trustworthiness management in a SCPS. And we subsequently build a reputation-based trust mechanism that quantifies the direct trustworthiness between objects, using a fuzzy logic model to address the perceptions of uncertainty and risk contained in this concept of trust. Then we propose a light-weight paradigm for service discovery which makes use of indirect trustworthiness for service provider ranking, based on the theories of the directed acyclic graph. Several rules are introduced for the weighted recommendation paths, and an expurgation mechanism is proposed to simplify the process of indirect trustworthiness evaluation. The convincing experimental results show that our mechanism performs better than the other two methods with four aspects of satisfaction rate, quality of recommended information, accuracy of trust assessment and convergence time.

Ying Chen,Shoubao Yang,Leitao Guo

DOI: https://doi.org/10.1007/11590354_22

2005-01-01

Abstract:To improve system scalability and restrain cheat, which are two important aspects in resource sharing gird environment, a dynamic-role based access control framework is proposed in this paper. This framework imports trust model, proposes “conversion parameter” and dynamic-role to resolve the problems of access control across multi domains. Simulation results show that it can realize access control easily, prohibit malicious behavior of entities, and improve the scalability of the system. An implementation is also shown in this paper.

Ran Yang,Chuang Lin,Yixin Jiang,Xiaowen Chu

DOI: https://doi.org/10.1109/icc.2011.5963329

2011-01-01

Communications

Abstract:The rapid development of applications running on global information infrastructure poses the problem of securing information sharing among domain collaborations. Existing access control models are defective in dynamic authorization based on user's trustworthiness and do not take full advantages of the infrastructure in implementing access control system. In this work, we propose a trust and role based access control model and the corresponding framework in infrastructure-centric environment. With the extension to RBAC model, trust level requirements, which dictate that the roles in the privilege context must be activated by the trustworthy user, can be specified. The comprehensive trust model, which calculates the user's trust level in multiple trust contexts based on behavior histories, is proposed. Moreover, by taking advantages of the infrastructure services, our scheme is flexible and scalable in that system administrators are free to choose custom scoring functions while the infrastructure trust evaluation services are relieved of the heavy burdens of history record maintenance and trust level update.

LENG Chun-xia,YU Hui-qun,HAN Jian-min

2009-01-01

Abstract:The access control mechanism in open systems can not only respond to the access requirement of a large amount of users whose identities are not recognizable in advance, but also reflect context information in user's access requirements. We propose a trustworthiness- and context-based access control model (TC-RBAC) and give a method of evaluating the trustworthiness of users. By means of trustworthiness, the applicable roles are assigned to the users whose identities are not recognizable in advance. Besides, context constraint contributes to the decisions of authorization according to context information in user's access requirements. These satisfy the design demands of the access control mechanism in open systems.

Yan Li,Huiping Sun,Zhong Chen,Jinqiang Ren,Haining Luo

DOI: https://doi.org/10.1109/SecTech.2008.50

2008-01-01

Abstract:With the development of grid technology, sensitive files and data protection become difficult tasks multi-domains. Traditional access control mechanisms are not suitable to such distributed environment. Several models and mechanisms utilize trust to assist access control decision. But few explicitly consider trust and risk as two separate factors which affect interactions between peers. In this paper, we present a novel mechanism which considers both trust and risk as two vital parameters to assist access control decision. In addition, a novel model of trust evaluation is proposed to represent the confidence in the peer. And to appease people’s anxiety about loss, a new model of risk assessment is also presented to indicate impacts on resources. At the end of this paper, simulation results will indicate that our mechanism is able to secure local system more efficiently and reliably.

Feng Liang,Haoming Guo,Shengwei Yi,Shilong Ma

DOI: https://doi.org/10.4304/jnw.7.3.524-531

2012-01-01

Abstract:In order to collaborate large numbers of heterogeneous distributed devices over multiple domains within a modern large-scale device collaboration system, a fine-grained, flexible and secure approach is required for device authentication and authorization. This paper proposed a Multiple-Policy supported Attribute-Based Access Control model and its architecture to address these demands. With eXtensible Access Control Markup Language standard, this model exceeds the traditional Attribute-Based Access Control Model by providing cross-domain authentication and authorization, hierarchical policy combination and enforcement, unified device access control and fine-grained attributes-based privilege description. Experiments show the performance of this architecture is acceptable within production environment.

Liyang Bai,Kai Fan,Yuhan Bai,Xiaochun Cheng,Hui Li,Yintang Yang

DOI: https://doi.org/10.1016/j.sysarc.2020.101957

IF: 5.836

2020-01-01

Journal of Systems Architecture

Abstract:With the development of informatization, smart city has become a new concept for the next generation of urbanization globally. In the face of intensive data requests and constrained resources, it is particularly important to design a safe and energy-efficient computing system.In this paper, we propose a multi-domain access control scheme suitable for smart city construction. We divide the huge equipment group into multiple domains for parallel distributed management to improve data processing efficiency. Based on attribute mapping, we show a safe and efficient cross-domain access control method. We introduce a trusted third-party (TTP) and an attribute mapping center (MC), using attribute certificates, digital mapping tables, B+ tree index, and buffer to improve mapping efficiency. In the complex one-to-many data transmission process, the outsourced ciphertext-policy attribute-based encryption (CP-ABE) is used to provide users with personalized services while reducing the computing burden. Finally, through analysis and simulation, it is found that this scheme has higher safety and efficiency.

Xu Jing,Zhengnan Liu,Shuqin Li,Bin Qiao,Gexu Tan

DOI: https://doi.org/10.1007/s13198-015-0411-1

2015-12-22

International Journal of System Assurance Engineering and Management

Abstract:In traditional role-based access control (RBAC) model, the permission is bound with identity statically, without being dynamically adjusted by user behavior. Cloud users distribute widely and constitute complex and have legitimate identity whose behavior may be incredible, but any attack is achieved through malicious behavior. The cloud-user behavior assessment based dynamic access control model was proposed by introducing user behavior risk value, user trust degree and other factors into RBAC. First, the times of threat behavior was introduced into the information security risk equation to improve the accuracy of user behavior risk value. Then, both the times of threat behavior and the uneven interval of risk threshold were introduced the trust model based on behavior risk evolution to improve the accuracy of user trust degree. Finally, the dynamic authorization was achieved by mapping trust level and permissions. By the simulation experiment in a small campus cloud system, it can be shown that the change of user behavior risk value and user trust degree is more rational under different times and frequencies of threat behavior, and dynamic authorization is flexible by mapping the risk level and the user permissions.

LI Han,GUO He,FENG Xin,WANG Yu-xin,YANG Yuan-sheng

DOI: https://doi.org/10.3969/j.issn.1000-1220.2012.07.025

2012-01-01

Abstract:Role-based access control is currently accepted as the most commonly used and advanced access control policy.Since it is primarily applied to ensure the security of new software systems rather than legacy systems,an approach is proposed to reengineering legacy access control policies.The approach defines a transformation oriented access control policy language,studies the method of exacting legacy access control policies and gives a set of transformation rule and an algorithm to achieve access control policy reorganization.A case study is demonstrated to depict the proposed approach is a feasible approach to improve the performance of legacy access control policies by introducing roles and role hierarchy.