Tianyang Li,Ting He

DOI: https://doi.org/10.1109/ICSS.2014.26

2014-01-01

Abstract:Privacy protection is still a key challenge in the web service composition area. The user and web service provider frequently share their privacy data with other web service will increase the risk of misuse and disclosure of privacy. In this paper, we first analyze the privacy protection problem according to define four types shared data within web service composition, and then present web service composition and privacy models, our models allow user and web service provider to define user's privacy preference and web service's privacy policy specification. An algorithm is presented to check the policy compliance on the dependency edge and select a set of policy compliant web services with compositing a well privacy protection web service composition. Experiments demonstrate the applicability of our models and algorithm.

Bo Yu,Lin Yang,Yongjun Wang,Bofeng Zhang,Linru Ma,Yuan Cao

DOI: https://doi.org/10.1007/978-94-007-5699-1_98

2012-01-01

Abstract:Service composition has become the main style of cross-domain business collaboration environments, and security issues prohibit the widespread use of composite services. Based on attribute, this paper presents a multiple policies collaborative access control model which combines the attribute policies of composite service, component services and user domain. This model can provide fine-grained access control for service composition and support collaborative authorization based on business attributes in business collaboration environments while keeping the standalone of component service access control. The analysis result shows that this model not only satisfies the access control requirements of business process in composite service, but also provides fine-grained access control for component services. © 2012 Springer Science+Business Media.

Yiqun Zhu,Jianhua Li,Quanhai Zhang

DOI: https://doi.org/10.1007/s11859-008-0116-2

2008-01-01

Wuhan University Journal of Natural Sciences

Abstract:Growing numbers of users and many access policies in service-oriented environments cause various problems in protecting resource. In this paper we analyze the relationships of resource attributes to user attributes in all policies, and propose a general attribute based role-based access control (GARBAC) model. The proposed model introduces the notions of composition permission and single attribute expression and composite attribute expression, defines a set of rules based on different attribute expression to assign users to roles. The model is a general access control model, and can support many access control policies, and also can be used to wider application for service.

Mudhakar Srivatsa,Arun Iyengar,Thomas Mikalsen,Isabelle Rouvellou,Jian Yin

DOI: https://doi.org/10.1109/ICWS.2007.31

2007-01-01

Abstract:Service composition has emerged as a fundamental technique for developing Web applications. Multiple services, often from different organizations or trust domains, may be dynamically composed to satisfy a user's request. Access control in the presence of service compositions is a challenging security problem. In this paper, we present an access control model and techniques for specifying and enforcing access control rules on Web service compositions. A key advantage of our approach is that past histories of service invocations can be used to make access control decisions. Our approach allows role hierarchies and separation of duty constraints. Access controls rules may be parameterized by one or more arguments. We have implemented our access control model via a declarative policy specification language which uses pure-past linear temporal logic (PPLTL). We describe an implementation of our approach using a supply chain management (SCM) application. Our experiments show that our approach can enforce expressive and flexible access control policies while incurring reasonable performance overhead on the application.

ZHANG Shuai,SUN Jian-ling,XU Bin,HUANG Chao

DOI: https://doi.org/10.3785/j.issn.1008-973X.2012.11.015

2012-01-01

Abstract:A dynamic multiple domains access control model base on role based access control(RBAC) was proposed in order to solve the problem that current single domain based access control model cannot fulfill the authorization requirements for service compositions crossing multiple enterprises.The process structures were analyzed and a role mining algorithm was proposed to find the role set with minimized permissions that meet the access requirements of composite services.Authorization negotiations were set up among relevant domains for each cross domain operation in composite services and cross domain role mappings were built according the mined role sets with minimized cost to fulfill the cross domain operations.Based on this model,a runtime framework aligned with current industry standard was proposed to authorize dynamically based on the current running status of composite services.Simulation experiments showed the effectiveness of key part of the role mining algorithm.

袁平鹏,陈刚,董金祥

DOI: https://doi.org/10.3321/j.issn:1003-9775.2004.04.006

2004-01-01

Abstract:An access control paradigm composed of basic model and role model is proposed for collaborative applications. Basic model specifies the relationship among privileges and the way of ranking privileges. It relates privilege with operations on the objects, so the model appears more straightforward. Moreover, if Brokers' implementation permits, the model can support any grained access control. Role model re-defines the role concept of RBAC96, divides the permissions of role into public permissions, protect permissions and private permissions. It allows user to define roles more flexibly, prevents private permissions of roles from being inherited and reduces the definition of ancillary roles.

Sven Hartmann,Hui Ma,Panrawee Vechsamutvaree

DOI: https://doi.org/10.1007/978-3-662-54054-1_5

2016-01-01

Abstract:Web services have emerged as an open standard-based means for publishing and sharing data through the Internet. Whenever web services disclose sensitive data to service consumers, data privacy becomes a fundamental concern for service providers. In many applications, sensitive data may only be disclosed to particular users for specific purposes. That is, access to sensitive data is often restricted, and web services must be aware of these restrictions such that the required privacy of sensitive data can be guaranteed. Privacy preservation is a major challenge that has attracted much attention by researchers and practitioners. Hippocratic databases have recently emerged to protect privacy in relational database systems where the access decisions, allowed or denied, are based on privacy policies and authorization tables. In particular, the specific purpose of a data access has been considered. Ontologies has been used to represent classification hierarchies, which can be efficiently accessed via ontology query languages. In this paper, we propose an ontology-based data access model so that different levels of data access can be provided to web service users with different roles for different purposes. For this, we utilize ontologies to represent purpose hierarchies and data generalization hierarchies. For more complex service requests that require composite web services we discuss the privacy-aware composition of web services. To demonstrate the usefulness of our access control model we have implemented prototypes of financial web services, and used them to evaluate the performance of the proposed approach.

Aiqiang Gao,Dongqing Yang,Shiwei Tang,Ming Zhang

DOI: https://doi.org/10.1109/icpca.2008.4783602

2008-01-01

Abstract:The emerging paradigm of pervasive computing and web services needs a flexible service discovery and composition infrastructure. The widespread use of Web services in pervasive environments is hindered by the lack of adequate security and privacy support. In this paper, we discuss an access control protocol for conversation-based (composite) Web services. This approach takes into account the conversational nature of composite web services and differentiates two types of web service: goal-driven and interaction-intensive. The former is goal driven and the client cares about the final goal and participates the conversation at only a few steps. While the interaction-intensive composite web service is interaction heavy, and the service and the client need to interact with each other frequently to exchange access control credentials.

Yi Zheng,Dickson K. W. Chiu,Hongbing Wang,Patrick C. K. Hung

DOI: https://doi.org/10.1109/edocw.2007.32

2007-01-01

Abstract:Information privacy is usually concerned with the confidentiality of personally identifiable information (PII) such as electronic medical records. Nowadays, Web Services are used to support different applications which may contain PII, such as healthcare applications. Thus, the information access control mechanism for Web services must be embedded into privacy-enhancing technologies. Further as application goes mobile and ubiquitous, location become an important determinant for enforcing privacy constraints. On the other hand, Role-based Access Control (RBAC) model has been widely investigated and applied into various applications for a period of time. This paper presents a privacy access control policy enforcement model extended from RBAC with location intelligence for Web services-based applications. In addition, we illustrate the realization of this model with a middleware architecture. This paper also illustrates our proposed mechanism in the context of eXtensible Access Control Markup Language (XACML) and WS-PolicyConstraints.

Huaijin Wang,Zhibo Liu,Yanbo Dai,Shuai Wang,Qiyi Tang,Sen Nie,Shi Wu

2024-12-02

Abstract:Software composition analysis (SCA) denotes the process of identifying open-source software components in an input software application. SCA has been extensively developed and adopted by academia and industry. However, we notice that the modern SCA techniques in industry scenarios still need to be improved due to privacy concerns. Overall, SCA requires the users to upload their applications' source code to a remote SCA server, which then inspects the applications and reports the component usage to users. This process is privacy-sensitive since the applications may contain sensitive information, such as proprietary source code, algorithms, trade secrets, and user data. Privacy concerns have prevented the SCA technology from being used in real-world scenarios. Therefore, academia and the industry demand privacy-preserving SCA solutions. For the first time, we analyze the privacy requirements of SCA and provide a landscape depicting possible technical solutions with varying privacy gains and overheads. In particular, given that de facto SCA frameworks are primarily driven by code similarity-based techniques, we explore combining several privacy-preserving protocols to encapsulate the similarity-based SCA framework. Among all viable solutions, we find that multi-party computation (MPC) offers the strongest privacy guarantee and plausible accuracy; it, however, incurs high overhead (184 times). We optimize the MPC-based SCA framework by reducing the amount of crypto protocol transactions using program analysis techniques. The evaluation results show that our proposed optimizations can reduce the MPC-based SCA overhead to only 8.5% without sacrificing SCA's privacy guarantee or accuracy.

Software Engineering,Cryptography and Security

Linyuan Liu,Haibin Zhu,Zhiqiu Huang,Dongqing Xie

DOI: https://doi.org/10.1016/j.csi.2010.09.001

2011-03-01

Abstract:With the popularity of Internet technology, web services are becoming the most promising paradigm for distributed computing. This increased use of web services has meant that more and more personal information of consumers is being shared with web service providers, leading to the need to guarantee that the private data of consumers are not illegitimate collected, used and disclosed in services collaboration. This paper studies how to realize the minimal privacy authorization while achieving the functional goals. Initially, this paper uses authorization policies to specify the privacy privileges of the services collaboration, and utilizes the trust relationships among services to make authorization decision. Next, it models the interface behaviors of services by extending the interface automata to support privacy semantics. Furthermore, it quantitatively analyzes the minimum set of privacy privileges which are required by the services to achieve the functional goals, and presents the minimal authorization algorithm, which helps us to automatically derive optimal authorization policies for a services collaboration. Finally, it verifies the correctness and efficiency of the approach proposed by this paper through a case study.

computer science, software engineering, hardware & architecture

Chen Jianfei,Han Weili

DOI: https://doi.org/10.3969/j.issn.1000-386X.2012.03.052

2012-01-01

Abstract:In Web Service composition,the access control policies are usually defined by external sub-services for protecting safe use of resources,while in composite scripts there are the complex control logic structure as well.These two factors make it extremely complicated for a system security administrator to specify the access control policies for composite services.In this paper we propose a condition-based access control policy model and the related policy composition algebra,and map the control structures familiar in WS-BPEL to corresponding policy composition expression,then construct the access control policies of the composite service based on the composition of access control policies of external sub-services.Finally,we design a prototype to depict the total process of policy composition.

Yunfei Meng,Zhiqiu Huang,Guohua Shen,Changbo Ke

DOI: https://doi.org/10.48550/arXiv.2105.12935

2021-05-27

Cryptography and Security

Abstract:Aiming at the privacy preservation of dynamic Web service composition, this paper proposes a SDN-based runtime security enforcement approach for privacy preservation of dynamic Web service composition. The main idea of this approach is that the owner of service composition leverages the security policy model (SPM) to define the access control relationships that service composition must comply with in the application plane, then SPM model is transformed into the low-level security policy model (RSPM) containing the information of SDN data plane, and RSPM model is uploaded into the SDN controller. After uploading, the virtual machine access control algorithm integrated in the SDN controller monitors all of access requests towards service composition at runtime. Only the access requests that meet the definition of RSPM model can be forwarded to the target terminal. Any access requests that do not meet the definition of RSPM model will be automatically blocked by Openflow switches or deleted by SDN controller, Thus, this approach can effectively solve the problems of network-layer illegal accesses, identity theft attacks and service leakages when Web service composition is running. In order to verify the feasibility of this approach, this paper implements an experimental system by using POX controller and Mininet virtual network simulator, and evaluates the effectiveness and performance of this approach by using this system. The final experimental results show that the method is completely effective, and the method can always get the correct calculation results in an acceptable time when the scale of RSPM model is gradually increasing.

Wuhui Chen,Incheon Paik,Patrick C. K. Hung

DOI: https://doi.org/10.3233/FI-2015-1178

2015-01-01

Fundamenta Informaticae

Abstract:A Web service is defined as an autonomous unit of application logic that provides either some business functionality or information to other applications through an Internet connection. Web services are based on a set of eXtensible Markup Language XML standards such as Universal Description, Discovery and Integration UDDI, Web Services Description Language WSDL, and Simple Object Access Protocol SOAP. Nowadays Web services are becoming more and more popular for supporting different social applications, thus there are also increasing demands and discussions about Web services privacy protection in information. In general, privacy policies describe an organization's data practices on what information they collect from individuals e.g., consumers and what e.g., purposes they do with it. To enable privacy protection for Web service consumers across multiple domains and services, the World Wide Web Consortium W3C published a document called “Web Services Architecture WSA Requirements” that defines some specific privacy requirements for Web services as a future research topic. This paper presents a mathematical model to construct the privacy policies in SOAP Message Exchange Patterns MEP for social services. Further, this paper also presents the privacy policies in security tokens with SOAP messages.

QIAN Ji-an,JIANG Xing-hao,SUN Tan-feng

DOI: https://doi.org/10.3969/j.issn.1009-8054.2011.02.029

2011-01-01

Abstract:With more and more information collected via networks,customers' requirements for privacy protection could be satisfied by making privacy policies by themselves.Privacy ontology reflects the common knowledge of privacy and customers' basic needs for privacy protection.Privacy ontology-based personalized access control(PO-PAC)model adopts common policies in combination with personalized policies based on privacy ontology.Users' personalized requirements with different granularity are realized by multi-level chain activation mode.

Yuan Tian,Biao Song,Eui-Nam Huh

DOI: https://doi.org/10.1109/icmss.2009.5301210

2009-01-01

Abstract:Privacy and data protection have become a critical issue in recent years. Not surprisingly, many technologies have been proposed to support privacy data management. The widely used access control model, role based access control (RBAC), significantly simplifies the specification and management of data. In this paper we proposed a privacy-aware system to improve the performance in RBAC, which properly expresses the relationship between data elements. As some vulnerabilities may be raised after certain sensitive data are disclosed, our privacy data graph successfully solved this problem by reducing disclosure of data minimizing overhead. We extend our previous work by refining the definition of roles, thus results in low storage overhead. A full detailed view of the role-based privacy management with experimental results is provided.

Zhen Qin,Xian-ping Tao,Yu Huang,Jian Lu,Tao Wu

DOI: https://doi.org/10.1109/WISA.2010.10

2010-01-01

Abstract:Privacy is an increasingly cited concept in the large-scale deployment of web services in pervasive computing. The necessity of putting data-owners' personal information online and unwanted intentions to access data-owners' information augment the risk of privacy disclosure. To address this problem, we propose a policy-based privacy protection mechanism that protects personal information by policy from privacy violations. The policy is automatically generated based on granular computing, which attains policies about information disclosure degree from the historical access records, and data-owner's feedback improves the accuracy of our algorithm. Due to the obvious advantages to describing problem spaces at different granularities and hierarchies in granular computing, we present Infospace, a framework for storage and description of personal information in different predefined hierarchies. Besides, through case study we show the effectiveness of our new mechanism.

李鑫,李凡,刘启和

2009-01-01

Journal of Computer Applications

Abstract:Based on the context-aware computing,this paper proposed a novel context model for Web service composition.In this model,the information involved in the service composition was classified as service and user contexts,and the former was too distinguished as profile,conversation and grounding contexts;On the other hand,this paper adopted multi-policies to manage the contexts.Therefore,the policy description language extended by service was defined,and the language was based on(Event Condition Action) ECA rule.Not only the service policies were described by the above language,but also the description for composite service was realized by the language.The model not only sufficiently utilizes the context-aware computing,but also has good cooperation,expansibility and flexibility.

Zhu Yiqun,Li Jianhua,Zhang Quanhai

DOI: https://doi.org/10.3969/j.issn.1000-386X.2008.11.054

2008-01-01

Abstract:In accordance with the increasing customers and the various resource access policies in service-oriented environments,the limi- tation of the related research is anallyzed,and a multi-policy services-oriented attribute-based role-based access control(AB-RBAC) model is proposed.Based on the relationship between the resource attribute and the user attribute in multi-policies,different role groups are defined,and relevant rules are made.User-rde assignment is realized based on a finite set of rules,and the requirement of multiple access policies is satis- fied.The flexibility of access control is enhanced,and the efficiency of the system is improved.A case that uses the AB-RBAC model is de- scribed,and a detailed comparison among several models is made,which clearly shows the advantages of AB-RBAC.

Baopeng Zhang,Yuanchun Shi,Xin Xiao

DOI: https://doi.org/10.1093/comjnl/bxm103

2010-01-01

The Computer Journal

Abstract:Service composition allows distributed application, such as multimedia application, to be composed from atomic service units and to adapt dynamically to users' requirements and environment conditions in pervasive computing system. It augments the adaptation action space for the application of pervasive computing. According to the multidimensional QoS (Quality of Service) requirement of pervasive computing system, we proposed a comprehensive service composition method to enhance the capability of application adaptation. First, according to a hierarchy policy model and a policy specification language, strengthened by event calculus, service discovery policy action integrating the situation of user, application, environment and resource can be triggered. Secondly, the proposed physical space model can support the location-aware service discovery and explicit range query to improve the efficiency of the query. To the end, an adaptation policy evaluation model is utilized to maximize an evaluation criterion–quality of satisfaction of users and environment by optimizing the optional service selection and the composition path. Through experiment and discussion of the algorithm, the paper further illustrates the great potential advantage of the solution to service composition.