Yang Xu,Wuqiang Gao,Quanrun Zeng,Guojun Wang,Ju Ren,Yaoxue Zhang

DOI: https://doi.org/10.1007/978-3-319-72389-1_27

2017-01-01

Abstract:Attribute-Based Access Control (ABAC) is a promising approach for addressing intricate management requirements in dynamic and distributed environments. Nevertheless, because of lacking flexible access exception handling mechanism, rigid rules in ABAC influence the resource availability and ultimately the working efficiency. In this paper, we propose a novel fuzzy ABAC model (FABAC) that extends the ABAC with better usability. We introduce the fuzzy mechanism into decision-making process. Based on the membership grades of requests to rules and the spare credits of respective subjects, our framework permits additional requests failing in rule matching, thus enhancing the information flows in business processes. Furthermore, we develop the credit system with history-based recovery mechanism, wherein the subject’s credits and corresponding recovery rate are impacted by the past authorizations on substandard requests, for maintaining the risk of abuse under control. The analysis reveals that our model contributes to attaining better tradeoff between security and usability.

Yang Xu,Quanrun Zeng,Guojun Wang,Cheng Zhang,Ju Ren,Yaoxue Zhang

DOI: https://doi.org/10.1002/cpe.5556

2020-01-01

Abstract:Owing to the rapid progress of network researching, attribute-based access control (ABAC) has attracted more and more attention due to its appreciable expressiveness, flexibility, and scalability. Unfortunately, collecting user attributes is necessary to complete the standard ABAC decision process, which increases the risk of privacy disclosure. This problem increases public doubts about ABAC and hinders its popularization. In this paper, a privacy-protected and efficient attribute-based access control (EPABAC) scheme is proposed to prevent the privacy leakage of access subject in the decision-making process of ABAC by introducing a novel hash-based binary search tree. The analyses and experimental evaluations show that the EPABAC achieves user privacy protection in the decision-making process with acceptable additional computing overhead.

Yang Xu,Quanrun Zeng,Guojun Wang,Cheng Zhang,Ju Ren,Yaoxue Zhang

DOI: https://doi.org/10.1007/978-3-030-05345-1_31

2018-01-01

Abstract:The emerging attribute-based access control (ABAC) mechanism is an expressive, flexible, and manageable authorization technique that is particularly suitable for current distributed, inconstant and complex service-oriented scenarios. Unfortunately, the inevitable disclosure of attributes that carry sensitive information bring significant risks to users' privacy, which obstructs the further development and popularization of the ABAC severely. In this paper, we propose an effective privacy-preserving ABAC (P-ABAC) scheme to defend against privacy leakage risks of users' attributes. In the P-ABAC approach, the necessary sensitive attributes are securely handled on the service requester side by using the homomorphic encryption method for privacy protection. And meanwhile, the service provider is still able to make accurate access decisions according to the received attribute ciphertext and pre-set policies with the help of the homomorphic encryption-based secure multi-party computation techniques, while learning no privacy information. The theoretical analysis proves that our model contributes to making an efficient and effective ABAC model with the enhanced privacy-protection feature.

Gang Liu,Hui-min Song,Run-nan Zhang,Can Wang,Quan Wang,Lu Fang

DOI: https://doi.org/10.12783/dtcse/aics2016/8254

2017-01-01

DEStech Transactions on Computer Science and Engineering

Abstract:Currently, resource sharing and system security are critical issues. This paper proposes a hierarchical system based access control model termed H-ABAC. It improves the attribute based access control(ABAC) model in reducing the management stress and addressing the problem of insufficient policy repository space. The following describes the H-ABAC model in terms of its self-administering mode, attribute definitions, policy formulation and authorization architecture, which demonstrate the advantages of H-ABAC. This supervisor mode not only reduces system administrator stress but also prevents all problems of a session in role-based access control (RBAC). Different definitions of the attributes in H-ABAC can be employed for different fields with different access control granularities, which enhances the flexibility of the model compared with traditional access control models. A scenario that illustrates how this new model is applied to the real world is provided.

Gang Liu,Lu Fang,Quan Wang,Xiaoqian Qi,Juan Cui,Jiayu Liu

DOI: https://doi.org/10.1007/978-3-030-15093-8_4

2018-01-01

Abstract:In information systems where there are a large number of different resources and the resource attributes change frequently, the security, reliability and dynamics of access permissions should be guaranteed. The changing raises security concerns related to authorization, and access control, but existing access control models are difficult to meet practical requirements. In this paper, a resource and attribute based access control model named RA-BAC was proposed. The model bases on attribute-based access control (ABAC) and links access control policy with resource, and redefines the access control rules. Besides, we compare RA-BAC and ABAC from the perspective of theory and simulation experiment respectively to show the advantage of RA-BAC model. We give a detailed analysis combining with instances to show the practicability of the RA-BAC model. RA-BAC solves the problems of policy conflict and policy library expansion in the ABAC model when there are too many resources and the attributes of resources are changed frequently in the system. Using RA-BAC model in system can makes permission query efficient and reduce workload of the system administrator of managing the policy library.

Liang FANG,Li-Hua YIN,Yun-Chuan GUO,Bin-Xing FANG

DOI: https://doi.org/10.11897/SP.J.1016.2017.01680

2017-01-01

Abstract:New computing paradigms, including Cloud Computing and Internet of Things(IOTs) provide us convenient services such as data sharing and effective computing.It greatly improves the efficiency of data processing and makes full use of the computing and storage resources.However, huge number of data with specific ownership also stored in these new computing paradigms.If they don't obtain efficient protection, it will bring serious risks of data leakage, thus causing tremendous loses for users.Therefore, measures should be taken to make sure that the data only can be accessed by users with appropriate permissions.Access control, which can be used to prevent unauthorized access, attracts extensive attention from both academia and industry.Among the access control schemes, Attribute-Based Access Control(ABAC), which takes attributes as the key element to build up the whole access control system, is the most suitable scheme to achieve fine-grained access control for the new computing paradigms which have features such as large scale, dynamicity and strong privacy need etc.With the help of ABAC, we can provide an ideal access control system for computing paradigms like Cloud Computing and Internet of Things.In this paper, we discuss and analyze the existing problem, current research situation and development trend in the preparation and executing stage of ABAC.In particular, we elaborate the researches including the entity attributes mining, permission allocate mining, access control policy specification, multi-authorities research, user identity and access permission management.Finally, possible future work and some conclusions are pointed out.

Gang Liu,Huimin Song,Can Wang,Runnan Zhang,Fang Lu

2017-01-01

Abstract:—Currently, resource sharing and system security are critical issues. This paper proposes a POL module composed of PRIV ILEGE attribute (PA), obligation and log which improves attribute based access control (ABAC) model in dynamically granting authorizations and revoking authorizations. The following describes the new model termed PABAC in terms of the POL module structure, attribute definitions, policy formulation and authorization architecture, which demonstrate the advantages of it. The POL module addresses the problems which are not predicted before and not described by access control policy. It can be one of the subject attributes or resource attributes according to the practical application, which enhances the flexibility of the model compared with ABAC. A scenario that illustrates how this model is applied to the real world is provided.

shaomin zhang,hongbian yang,baoyi wang

DOI: https://doi.org/10.1007/978-3-642-27287-5_94

2012-01-01

Abstract:For the problems of attribute elements maintenance difficulty and heterogeneous attribute of multi-domain in ABAC model, we propose the method of using ontology to maintain access control elements and distributed attribute management, which describe the logical relationships among attributes with OWL and introduce attribute mapping technology in access control decision-making. It can reduce the complexity of attribute management and raise the security of the cross-domain access. It makes up the defects in original ABAC model, and has a good reference to research the cross-domain access control.

Baiyu Liu,Abhinav Palia,Shan-Ho Yang

DOI: https://doi.org/10.48550/arXiv.1804.06044

2018-04-17

Cryptography and Security

Abstract:Along with the classical problem of managing multiple identities, actions, devices, APIs etc. in different businesses, there has been an escalating need for having the capability of flexible attribute based access control~(ABAC) mechanisms. In order to fill this gap, several variations of ABAC model have been proposed such as \textit{Amazon's AWS IAM}, which uses JSON as their underlying storage data structure and adds policies/constraints as fields over the regular ABAC. However, these systems still do not provide the capability to have customized permissions and to perform various operations (such as comparison/aggregation) on them. In this paper, we introduce a string based resource naming strategy that supports the customized and conditional permissions for resource access. Further, we propose the basic architecture of our system which, along with our naming scheme, makes the system scalable, secure, efficient, flexible and customizable. Finally, we present the proof of concept for our algorithm as well as the experimental set up and the future trajectory for this work.

Liangqiang Huang,Yan Zhu,Xin Wang,Faisal Khurshid

DOI: https://doi.org/10.1007/978-3-030-27615-7_4

2019-01-01

Abstract:In the current age of big data, the access control mechanism of HBase, a kind of NoSQL big data management system, needs to be improved, because there are some limitations of Role-Based Access Control (RBAC) in HBase. The coarse-grained access permissions produce little effect in many cases, and the elements used for authorization are not comprehensive enough. Attribute-Based Access Control (ABAC) is suitable for the authorization of NoSQL data storages due to its flexibility. However, it has not been investigated in HBase deeply. The objective of this paper is to study the data access control in HBase and to develop an ABAC-based mechanism for the security of HBase data. In light of the wide column feature of HBase, an Attribute-Based Fine-Grained Access Control mechanism (AGAC) is proposed, which covers two aspects, users' atomic operations and five granularity levels. When a user needs to access data in HBase storage, the AGAC will give the permission or deny by verifying user's atomic operations and by analyzing user's attributes according to the access control policies related to the data granularity level. This access control mechanism is verified on publically available email dataset and is proven to be effective to improve the access control capability of HBase.

Guowei Wu,Dongze Lu,Feng Xia,Lin Yao

DOI: https://doi.org/10.48550/arXiv.1201.0205

2011-12-31

Abstract:Access control is an issue of paramount importance in cyber-physical systems (CPS). In this paper, an access control scheme, namely FEAC, is presented for CPS. FEAC can not only provide the ability to control access to data in normal situations, but also adaptively assign emergency-role and permissions to specific subjects and inform subjects without explicit access requests to handle emergency situations in a proactive manner. In FEAC, emergency-group and emergency-dependency are introduced. Emergencies are processed in sequence within the group and in parallel among groups. A priority and dependency model called PD-AGM is used to select optimal response-action execution path aiming to eliminate all emergencies that occurred within the system. Fault-tolerant access control polices are used to address failure in emergency management. A case study of the hospital medical care application shows the effectiveness of FEAC.

Networking and Internet Architecture,Distributed, Parallel, and Cluster Computing

张立臣,王小明

DOI: https://doi.org/10.3969/j.issn.1001-3695.2009.01.095

2009-01-01

Abstract:Based on the current trust models,proposed the trustworthiness-based fuzzy adaptive access control model for pervasive computing(TBFAAC).The model extends the concept of trustworthiness,establishing the interval value fuzzy policy rules of permissions,achieving the effective authorization through the fuzzy reasoning based on the context information related to the subject.Described the main elements and the interval value fuzzy reasoning algorithm of the model.The TBFAAC model provides the technology for dynamic authorization in pervasive computing.

Junhao Geng,Sumei Zhang

DOI: https://doi.org/10.1109/cis.2009.260

2009-01-01

Abstract:To meet the requirements that full business model of complex information system needs simplified, precise and consistent access control method, analyzing meta-model of full business model, granularities of access control elements, Full Business Model Oriented Access Control (FBMOAC) model is proposed and built, and an algorithm of permission consistency control is presented based on the formal description. Through building access subject granularities, access object granularities, permission assignment control granularities and the dependency, contradiction, delegation, nesting relationships between granularities, FBMOAC supports simplifying the authorization process, controlling access objects precisely and implementing the consistency control of permissions.

Junbiao Wang,Jianxin Zhang,Jianjun Jiang,Shichao Zhang

DOI: https://doi.org/10.3969/j.issn.1000-2758.2008.04.005

2008-01-01

Xibei Gongye Daxue Xuebao/Journal of Northwestern Polytechnical University

Abstract:Aim. Existing access control models are, in our opinion, not sufficiently effective. We now propose a novel access control model based on RBAC (Role-Based Access Control), which, we believe, is sufficiently effective. In the full paper, we explain our model in some detail. In this abstract, we just add some pertinent remarks to listing the two topics of explanation. The first topic is: the analysis of RBAC-based access control model. In the first topic, with the help of Fig.1 in the full paper, we explain in some detail how the FICS (Flexible Information Coding System) controls access. The second topic is: the implementation of our novel and effective RBAC-based access control model. Its three subtopics are: the concepts of traditional RBAC model that we utilize (subtopic 2.1), the restrictions we impose on accessing our novel and effective model (subtopic 2.2), and the access assignment strategy of FICS (subtopic 2.3). A large Chinese aircraft manufacturing enterprise has made use of our novel and effective RBAC-based access control model and has gradually widened and continues to widen the scope of its application. How the large enterprise utilizes our novel and effective model are briefly described in Fig.4 and Table 1 in the full paper.

Minghui Jing,Hongming Cai,Fenglin Bu

DOI: https://doi.org/10.1109/apscc.2011.63

2011-01-01

Abstract:RBAC as a kind of permission access control technologies supports enterprise information security effectively. However, in many cases, traditional RBAC can only establish a permission access control mechanism based on discrete group-role or user-role management inside an organization. And the user group whose organization structure is more complicated is not supported by RBAC. It is also lack of the adaptability of dynamic changes to the complex organization structure. To solve these problems, a permission model called Flexible Organization Structure-Based Access Control (FOSBAC) is proposed, which combines the flexible organization structure with the access control to achieve the dynamic management of permissions. First, the general framework and the formal description of FOSBAC are given. Then, the application template using the XACML specification is constructed and an analysis on a case of accessing financial statements is used to demonstrate the feasibility of the application. Finally, it is shown that FOSBAC possesses better adaptability to complex organization structure and higher management efficiency in comparison with RBAC and ROBAC.

Yan Zhu,Ruyun Yu,Yao Qin,Di Ma,William Cheng-Chung Chu

DOI: https://doi.org/10.1109/QRS.2018.00041

2018-01-01

Abstract:In this paper we address the problem of reliability and security in an open-access data sharing system. We propose a new framework, called cryptographic attribute-based access control (CABAC), in consistent with the standard ABAC model. Moreover, two new mechanisms, real-time Tokens and secure policy decision-making, are introduced for ensuring secure attribute authorization and verifiable policy decision-making. More important, we present a practical CABAC system to support adaptability and flexibility using dynamically chosen policy and real-time attribute acquisition. We prove that our CABAC system is provably secure in four aspects: the attribute Tokens are existentially unforgeable against chosen-time and chosen-attribute attacks, respectively; the secure policy is existentially unforgeable against chosen-object attack under eBDH assumption; and our entire system is semantically secure against chosen-plaintext attack with Token and policy queries under eGDHE assumption.

Yan Zhu,Ruyun Yu,Di Ma,William Cheng-Chung Chu

DOI: https://doi.org/10.1109/tr.2019.2948713

IF: 5.883

2019-01-01

IEEE Transactions on Reliability

Abstract:This article aims to establish a cryptographic solution to improve security and reliability of the National Institute of Standards and Technology's attribute-based access control (ABAC) model. By breaking down the existing structure of attribute-based encryption, we propose a new cryptographic ABAC (C-ABAC) framework with dynamic policy authorization and real-time attribute credentials. Moreover, a practical C-ABAC construction is proposed to support provable policy decision making and verifiable attribute Tokens among multiple distributed authorities. In this construction, we develop a concrete approach of generating a cryptographic policy from access control markup language. We also prove that attribute Token has existential unforgeability under chosen-attribute and chosen-nonce attacks, and the cryptographic policy is existentially unforgeable under chosen-object attack. In addition, our C-ABAC construction provides semantic security against chosen-plaintext attack with Token and policy queries under the extended general Diffie–Hellman exponent assumption. Finally, we evaluate the performance of the C-ABAC system according to complexity analysis and experimental results. The results show that the C-ABAC system is reliable and easy to implement.

FU Zheng-fang,WANG Xiao-ming,DOU Weng-yang,WU Qian

DOI: https://doi.org/10.3969/j.issn.1000-7180.2007.09.009

2007-01-01

Abstract:In open information system, access control is an important measure that assures the information system security. Traditional access control model hardly consider the issue of subjects' trust worthiness and privilege partition. Introducing the idea of fuzzy logic,this paper advances Trust-authorization-based fuzzy access control model and exerts fuzzy synthetic judgment method to calculate subjects' trust worthiness, establishes fuzzy control rules, automatically authorizes subjects' relevant privilege by fuzzy adjudging, which can satisfy requirements of open information system access control.

Yu Zhang,Jing Chen,Ruiying Du,Lan Deng,Yang Xiang,Qing Zhou

DOI: https://doi.org/10.1109/TrustCom.2014.42

2014-01-01

Abstract:In the past few years, cloud computing has emerged as one of the most influential paradigms in the IT industry. As promising as it is, this paradigm brings forth many new challenges for data security because users have to outsource sensitive data on untrusted cloud servers for sharing. In this paper, to guarantee the confidentiality and security of data sharing in cloud environment, we propose a Flexible and Efficient Access Control Scheme (FEACS) based on Attribute-Based Encryption, which is suitable for fine-grained access control. Compared with existing state-of-the-art schemes, FEACS is more practical by following functions. First of all, considering the factor that the user membership may change frequently in cloud environment, FEACS has the capability of coping with dynamic membership efficiently. Secondly, full logic expression is supported to make the access policy described accurately and efficiently. Besides, we prove in the standard model that FEACS is secure based on the Decisional Bilinear Diffie-Hellman assumption. To evaluate the practicality of FEACS, we provide a detailed theoretical performance analysis and a simulation comparison with existing schemes. Both the theoretical analysis and the experimental results prove that our scheme is efficient and effective for cloud environment.

Hui Qi,Xiong Luo,Xiaoqiang Di,Jinqing Li,Huamin Yang,Zhengang Jiang

DOI: https://doi.org/10.1109/cyberc.2016.21

2016-01-01

Abstract:Combining the role-based access control ( RBAC) model with the attribute-based access control ( ABAC) model is a popular direction of current research on access control models. At present, many RABAC ( RBAC + ABAC) models have been proposed. On the basis of RBAC model, these models dynamically apply ABAC rules to user-role mapping, role-permission mapping and user-permission mapping, thus realizing the usability and flexibility of access control models to some extent. But these models still have some insufficiencies in access control granularity and flexibility. This paper analyzes the defects of existing RABAC models and their causes, proposes a more fine-grained, flexible and efficient RABAC model, and realizes an access control system based on this model. Through the well-designed ABAC rules and their application modes, the system has achieved the goal of the RABAC model proposed by this paper and facilitated the administrator's management of access control rules.