Li Duan,Shiping Chen,Yang Zhang,Chunhong Liu,Dongxi Liu,Ren Ping Liu,Junliang Chen

DOI: https://doi.org/10.1109/scc.2015.39

2015-01-01

Abstract:During business consolidation, multiple organizations need to share data for common interests. However, these organizations may apply different or even conflicting policies, on account of different rules and rule combining algorithms chosen by them. Thus, it is necessary to combine policies from multiple organizations into a global one to manage the access to the shared data. Existing policy combining approaches are unable to automatically combine policies into a global one. In this paper, we propose an approach to address the issue of multiple policies combination. Its key idea is to first decompose the rules in each policy into various classes, and then combine the rules of the corresponding classes to a global compact policy. The latter ensures compliance with each of the original policies at the syntax and semantic levels. To validate our approach, we provide a proof-of-concept implementation of the automated policy combination.

Feng Liang,Haoming Guo,Shengwei Yi,Shilong Ma

DOI: https://doi.org/10.4304/jnw.7.3.524-531

2012-01-01

Abstract:In order to collaborate large numbers of heterogeneous distributed devices over multiple domains within a modern large-scale device collaboration system, a fine-grained, flexible and secure approach is required for device authentication and authorization. This paper proposed a Multiple-Policy supported Attribute-Based Access Control model and its architecture to address these demands. With eXtensible Access Control Markup Language standard, this model exceeds the traditional Attribute-Based Access Control Model by providing cross-domain authentication and authorization, hierarchical policy combination and enforcement, unified device access control and fine-grained attributes-based privilege description. Experiments show the performance of this architecture is acceptable within production environment.

Xin Pei,Huiqun Yu,Guisheng Fan

DOI: https://doi.org/10.18293/seke2015-37

2015-01-01

Abstract:One primary challenge of applying access control methods in cloud computing is to ensure data security while supporting access efficiency, particularly when adopting multiple access control policies.Many existing works attempt to propose suitable frameworks and schemes to solve the problems, however, these proposals only satisfy specified use cases.In this paper, we take XACML as the policy language and build up a logical model.Based on this, we introduce the fine-grained data fragment algorithm to optimize the policies, whose resource property represents physical meaningful data blocks.Data are organized in a tree structure, where each leaf node represents a minimal physical meaningful data block, and internal nodes are combined data types.This method can eliminate conflicts and redundancies among rules and policies, thus to refine the policy set and achieve fine-grained access control.Our approach can also be applied to processing multi-types of data, and experiments are carried out to show the improvements of efficiencies.

Yuqing Sun,Chen Chen

DOI: https://doi.org/10.1007/978-3-642-23620-4_26

2011-01-01

Abstract:In dynamic collaboration, participants oftentimes need to share resources with each other under the same criteria. However, since each participant has its own authorization policies as a way of controlling resource access, their discrepancies make such collaboration difficult. It is desired to develop a practical and automatic way to generate the collaborative policies for coequal authorizations. In this paper, we investigate this problem by proposing an authorization framework based on the widely adopted XACML policy. Each practical XACML policy is converted into Boolean expressions and further refined as a set of atomic rules against the policy structure. With the rule set, the combination algorithms in policies and the collaboration preference of participants, the collaborative authorization policy is automatically generated. We analyze the consistency of the collaborative policies with previous authorization policies. Some experiments are performed to exam our approach and show that it can efficiently solve the problem of coequal authorizations.

feng liang,haoming guo,shengwei yi,xiaoqiang zhang,shilong ma

DOI: https://doi.org/10.1007/978-94-007-2169-2_124

2012-01-01

Abstract:Containing multiple domains and a large number of heterogeneous distributed devices, large-scale device collaboration systems require a fine-grained, flexible and secure mechanism for device access control. This chapter presents and evaluates a distributed device access control architecture Multiple Policies supported Attribute-Based Access Control (MPABAC) to support device authentication and authorization among multiple domains. Based on eXtensible Access Control Markup Language (XACML) standard and Attribute-Based Access Control (ABAC) model, this architecture supports cross-domain authentication and authorization, hierarchical policy combination and enforcement, unified device access control and fine-grained attributes-based privilege description. Experiments show that the performance of this implementation is acceptable within the production environment.

Bo Yu,Lin Yang,Yongjun Wang,Bofeng Zhang,Linru Ma,Yuan Cao

DOI: https://doi.org/10.1007/978-94-007-5699-1_98

2012-01-01

Abstract:Service composition has become the main style of cross-domain business collaboration environments, and security issues prohibit the widespread use of composite services. Based on attribute, this paper presents a multiple policies collaborative access control model which combines the attribute policies of composite service, component services and user domain. This model can provide fine-grained access control for service composition and support collaborative authorization based on business attributes in business collaboration environments while keeping the standalone of component service access control. The analysis result shows that this model not only satisfies the access control requirements of business process in composite service, but also provides fine-grained access control for component services. © 2012 Springer Science+Business Media.

Ziyi Su,Frederique Biennier

DOI: https://doi.org/10.48550/arXiv.1305.1727

2013-05-08

Cryptography and Security

Abstract:In an open information systems paradigm, real-time context-awareness is vital for the success of cooperation, therefore dynamic security attributes of partners should considered in coalition for avoiding security conflicts. Furthermore, the cross-boundary asset sharing activities and risks associated to loss of governance call for a continuous regulation of partners' behavior, paying attention to the resource sharing and consuming activities. This paper describes an attribute-based usage control policy shceme compline to this needs. A concise syntax with EBNF is used to summarize the base policy model. The semantics of negotiation process is disambiguated with abductive constraint logic programming (ACLP) and Event Calculus (EC). Then we propose a policy ratification method based on a policy aggregation algebra that elaborate the request space and policy rule relation. This method ensures that, when policies are aggregated due to resource sharing and merging activities, the resulting policy correctly interprets the original security goals of the providers' policies.

Bo Lang,Nan Zhao,Kun Ge,Kai Chen

DOI: https://doi.org/10.1109/icpca.2008.4783596

2008-01-01

Abstract:Attribute Based Access Control (ABAC) is a promising access control model for pervasive computing. XACML is recognized as an effective ABAC policy description method that can exactly describe the semantics of a policy. However, the description of a XACML policy is complex and it is difficult for users to compose such a policy, which seriously embarrasses the application of XACML. Aiming at this problem, this paper presents an XACML policy generating method basing on a user-oriented ABAC policy view. On the basis of analyzing the XACML policy description language, the paper first establishes a policy description template composed of primary policy description elements of XACML, and then proposes an ABAC concept model called Access Control Cube (ACCube) and submits a comprehensible user-oriented policy view basing on the ACCube. The policy view and the XACML policy template provide an easy and effective way for users to define XACML policies. Users can describe their ABAC policies by creating the policy views, which can then be transformed into XACML policies. The transforming algorithm is given in the paper. According to the foregoing method, we develop a XACML policy generating tool named XACML Policy Builder. An example of using XACML Policy Builder for building XACML policy is also given.

Li Lin,Jian Hu,Jianbiao Zhang

DOI: https://doi.org/10.1007/s11704-016-5503-9

IF: 2.6688

2016-01-01

Frontiers of Computer Science

Abstract:Combining different independent cloud services must coordinate their access control policies. Otherwise unauthorized access to composite cloud service can occur when there’s a conflict among different cloud service providers’ access control policies, and then it will bring serious data security and privacy issues. In this paper, we propose Packet, a novel access control policy composition method that can detect and resolve policy conflicts in cloud service composition, including those conflicts related to privacyaware purposes and conditions. The Packet method is divided into four steps. First, employing a unified description, heterogeneous policies are transformed into a unified attributebased format. Second, to improve the conflict detection efficiency, policy conflicts on the same resource can be eliminated by adopting cosine similarity-based algorithm. Third, exploiting a hierarchical structure approach, policy conflicts related to different resources or privacy-aware purposes and conditions can be detected. Fourth, different conflict resolution techniques are presented based on the corresponding conflict types. We have successfully implemented the Packet method in Openstack platform. Comprehensive experiments have been conducted, which demonstrate the effectiveness of the proposed method by the comparison with the existing XACML-based system at conflict detection and resolution performance.

Hu Luokai,Ying Shi,Jia Xiangyang,Zhao Kai

DOI: https://doi.org/10.6138/jit.2010.11.2.14

2010-01-01

Abstract:With the development of cloud computing, the mutual understandability among distributed Access Control Policies (ACPs) and attribute of entities has become an important issue in the security field of open distributed environment. Semantic Web technology provides the solution to semantic interoperability of heterogeneous applications. In this paper, we analysis existing access control approaches and present a new Semantics Based Cross Domain Access Control Approach with Semantic Access Control Policy Language (SACPL) for describing ACPs. Semantic access control architecture is designed to embed SACPL language and Access Control Oriented Ontology System (ACOOS) into the access control process. Using the approach presented, access control across different domains can be effectively solved through the description and management of semantic attribute. This study enriches the research that the semantic web technology is applied in the field of security, and provides a new way of thinking of access control in cloud computing.

Mingjie Yu,Fenghua Li,Nenghai Yu,Xiao Wang,Yunchuan Guo

DOI: https://doi.org/10.1016/j.dcan.2022.09.002

IF: 6.348

2022-10-01

Digital Communications and Networks

Abstract:Policy conflicts may cause substantial economic losses. Although a large amount of effort has been spent on detecting intra-domain policy conflict, it can not detect conflicts of heterogeneous policies. In this paper, considering background knowledge, we propose a conflict detection mechanism to search and locate conflicts of heterogeneous policies. First, we propose a general access control model to describe authorization mechanisms of cloud service and a translation scheme designed to translate a cloud service policy to an Extensible Access Control Markup Language (XACML) policy. Then the scheme based on Multi-terminal Multi-data-type Interval Decision Diagram (MTMIDD) and Extended MTMIDD (X-MTMIDD) is designed to represent XACML policy and search the conflict among heterogeneous policies. To reduce the rate of false positives, the description logic is used to represent XACML policy and eliminate false conflicts. Experimental results show the efficiency of our scheme.

telecommunications

Yingjie Xue,Kaiping Xue,Na Gai,Jianan Hong,David S. L. Wei,Peilin Hong

DOI: https://doi.org/10.1109/tifs.2019.2911166

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In public cloud storage services, data are outsourced to semi-trusted cloud servers which are outside of data owners' trusted domain. To prevent untrustworthy service providers from accessing data owners' sensitive data, outsourced data are often encrypted. In this scenario, conducting access control over these data becomes a challenging issue. Attribute-based encryption (ABE) has been proved to be a powerful cryptographic tool to express access policies over attributes, which can provide a fine-grained, flexible, and secure access control over outsourced data. However, the existing ABE-based access control schemes do not support users to gain access permission by collaboration. In this paper, we explore a special attribute-based access control scenario where multiple users having different attribute sets can collaborate to gain access permission if the data owner allows their collaboration in the access policy. Meanwhile, the collaboration that is not designated in the access policy should be regarded as a collusion and the access request will be denied. We propose an attribute-based controlled collaborative access control scheme through designating translation nodes in the access structure. Security analysis shows that our proposed scheme can guarantee data confidentiality and has many other critical security properties. Extensive performance analysis shows that our proposed scheme is efficient in terms of storage and computation overhead.

Aijuan Zhang,Jingxiang Gao,Cheng Ji

DOI: https://doi.org/10.4028/www.scientific.net/AMR.225-226.848

2011-01-01

Abstract:Distributed applications often require integrating security policies of collaborating parties. The integration must be able to support complex authorization specifications and the fine-grained resources access requirements that the various parties may have. But now security modeling is not considered as a vital part in software development. In this paper, it is proposed to integrate the design of access control policy into software development. In this paper, UML is used to model access control policy, and then a framework is designed to generate the security model result expressed in XACML and to verify the policy correct and complete.

Peng Zhao,Lifa Wu,Zheng Hong,He Sun

DOI: https://doi.org/10.23919/jcc.2019.09.017

2019-01-01

China Communications

Abstract:Multicloud access control is important for resource sharing and security interoperability across different clouds, and heterogeneity of access control policy is an important challenge for cloud mashups. XACML is widely used in distributed environment as a declaratively fine-grained, attribute-based access control policy language, but the policy integration of XACML lacks formal description and theory foundation. Multicloud Access Control Policy Integration Framework (MACPIF) is proposed in the paper, which consists of Attribute-based Policy Evaluation Model (ABPEM), Four-value Logic with Completeness (FLC) and Four-value Logic based Policy Integration Operators (FLPIOs). ABPEM evaluates access control policy and extends XACML decision to four-value. According to policy decision set and policy integration characteristics, we construct FLC and define FLPIOs including Intersection, Union, Difference, Implication and Equivalence. We prove that MACPIF can achieve policy monotonicity, functional completeness, canonical suitability and canonical completeness. Analysis results show that this framework can meet the requirements of policy integration in Multicloud.

Xin Pei,Huiqun Yu,Guisheng Fan

DOI: https://doi.org/10.1142/s0218194015710047

IF: 1.007

2015-01-01

International Journal of Software Engineering and Knowledge Engineering

Abstract:One primary challenge of enforcing access control in cloud computing is how to ensure access with high efficiency while preserving data security. This paper proposes a fine-grained access control method for cloud resources. The basic idea is to use XACML as access control language and to optimize policies by data fragmentation and policy refinement algorithms. Through data fragmentation, the accessible resources are divided into disjoint data blocks, and each of them will be combined with a set of policy rules. This helps to refine the policy and to avoid data leakage caused by rule conflicting on the resource intersections. Finally, the disjoint data blocks and the optimized policy are distributed in the three-layered cloud, and the decision to a request is made by rule matching on a specific resource rather than traversing the whole policy rules. Experiments show that our proposal enjoys higher efficiency in cloud-based access control.

Xinming Wang,Haoxiang Tan,Kaijun Chen,Hua Tang,Gansen Zhao,Yong Tang,Ruihua Nie

DOI: https://doi.org/10.1007/s11859-015-1123-8

2015-01-01

Abstract:Integrating and sharing data from different data sources is one of the trends to make better use of data. However,data integration hampers data confidentiality where each data source has its own access control policy. This paper includes a discussion on the issue about access control across multiple data sources when they are combined together in the scenario of searching over these data. A method based on multilevel security for data integration is proposed. The proposed method allows the merging of policies and also tackles the issue of policy conflicts between different data sources.

Hong Xiang,Xiaofeng Xia,Haibo Hu,Sheng Wang,Jun Sang,Chunxiao Ye

DOI: https://doi.org/10.5755/j01.itc.45.3.13187

IF: 0.813

2016-01-01

Information Technology And Control

Abstract:The requirement to develop an organization makes collaboration with other organizations necessary, so the organizations can share resources to perform common tasks. Different organizational domains use different access control models to protect their resources from unauthorized access. Organizational collaboration is an important goal for distributed computing paradigms, but policy inconsistencies between domains will cause problems in a collaboration model that add to the problems involved in constructing the collaboration model itself. These problems provide the two challenges that motivate the research presented here: (1) the construction of a collaboration model across multiple domains protected by different access control models; and (2) ensuring that the access control policy used by a participating domain contains no inconsistencies. We also present our new approach to solving the inter-domain role mapping (IDRM) problem, i.e., to determine the minimal role set that covers requested permissions from a collaborating domain. We also analyse our algorithms, present the results of our tests, and compare our results with the results of existing approaches. DOI: http://dx.doi.org/10.5755/j01.itc.45.3.13187

Gang Liu,Wenxian Pei,Yumin Tian,Chen Liu,Shancang Li

DOI: https://doi.org/10.1016/j.jii.2021.100200

IF: 11.718

2021-01-01

Journal of Industrial Information Integration

Abstract:Attributed-based access control (ABAC) is widely used in systems with large resources and users such as the Industrial Internet of Things (IIoT), Industrial information integration system, and so on. Attribute-based security policy is highly flexible and expressive, but conflicts between policies occur frequently, affecting the security and availability of the system. Based on analyzing the ABAC security policies represented by the eXtensible Access Control Markup Language (XACML), this study proposes a formal definition of explicit conflicting rules, probable-conflicting rules, and never-conflicting rules. Also, we found that conflicts occur on a pair of rules in which attribute expressions have overlapping values and that be applied to the same request. A new conflict detection method is proposed in which implicit conflicting rules are converted to explicit conflicting rules by completing the absent attribute expressions and then compare all the rules in pairs to detect all the probable conflicting rules in a rule set. In this way, we can analyze the conflicting probability of each pair of policy rules. Furthermore, we define two metrics to evaluate the conflict level of a rule set. Experiment results show that implicit conflicting rules are more numerous than explicit conflicting rules in the policy set. Also, with an increase in the number of attribute expressions in each rule, the conflicting level of a rule set is significantly reduced, which provides a reference for policymaking. With this method, administrators can formulate more robust and efficient security policies, improve the security and availability of systems.

Luokai Hu,Shi Ying,Xiangyang Jia,Kai Zhao

DOI: https://doi.org/10.1007/978-3-642-10665-1_13

2009-01-01

Abstract:With the development of cloud computing, the mutual understandability among distributed Access Control Policies (ACPs) has become an important issue in the security field of cloud computing. Semantic Web technology provides the solution to semantic interoperability of heterogeneous applications. In this paper, we analysis existing access control methods and present a new Semantic Access Control Policy Language (SACPL) for describing ACPs in cloud computing environment. Access Control Oriented Ontology System (ACOOS) is designed as the semantic basis of SACPL. Ontology-based SACPL language can effectively solve the interoperability issue of distributed ACPs. This study enriches the research that the semantic web technology is applied in the field of security, and provides a new way of thinking of access control in cloud computing.

Rong-bin WANG,Shu-yu CHEN,Wei-ping WANG,Ling YU

DOI: https://doi.org/10.13196/j.cims.2009.05.193.wangrb.021

2009-01-01

Abstract:To realize dynamic generation of the access control policies and improve the dynamic adaptability of authorization verification for requester in grid, the automatic composition scheme for access control policy set in grid was put forward. According to the services composition constraints, the composition relationships of policy set for autonomous domains of Virtual Organization (VO) was constructed. The theory of algebra set was used to implement composition and computing for the policy set. And the automatic composition for policy set was realized by means of automatic composition engine and automatic trigger rules, and the access control polices set in VO was therefore generated. As there might be conflicts and redundancy policy subset in composed polices set, a method to resolve conflicts and automatic permission combination was proposed. The automatic composition algorithm was also presented. By analysis and implementation of the scheme, it was demonstrated that the scheme was with higher flexibility and dynamic adaptability.