Yinyan Zhao,Mang Su,Jie Wan,Jinpeng Hou,Dong Mei

DOI: https://doi.org/10.1142/s0218126621501899

2021-01-01

Abstract:The rapid growth of communication networking, ubiquitous sensing, and signal processing, has promoted the development of the Internet of Things (IoT). However, the IoT is essentially dynamic and has no clearly defined network boundary, unauthorized access and data leakage may be much easier. Attribute-based access control (ABAC) can solve the problem of fine-grained access control and large-scale user dynamic expansion in complex information systems, and provides an ideal access control solution for an open network environment, which is more suitable for the dynamic access environment of IoT. However, the dynamic nature of IoT brings new challenges to access control. On the one hand, as new devices and services are continuously deployed, administrators need to manually formulate new rules, which is time-consuming and error-prone. On the other hand, as the IoT environment is continuously changing, the access policy easily becomes unsuitable for the current environment. In order to solve the above two problems, we propose a new scheme named Policy Maintenance-based machine learning (PMML), which includes two modules named Policy Generalization (PG) and Policy Evaluation (PE). After the access control model is deployed, automated PG and PE are carried out to maintain the rule set. In the PG module, we define a novel measure, resource similarity, and integrate it into policy mining so that policies could generalize among related resources. In the PE module, we introduce a quantitative method to assess rules and prune rules of low-quality. We conduct our experiments on real-world enterprise access logs from Amazon, and thoroughly analyzed the effects of different hyper-parameters on the experimental results. The experimental results have qualitatively and quantitatively shown the effectiveness of our proposed scheme.

Meiping Liu,Cheng Yang,Hao Li,Yana Zhang

DOI: https://doi.org/10.3390/s20061741

IF: 3.9

2020-01-01

Sensors

Abstract:Internet of Multimedia Things (IoMT) brings convenient and intelligent services while also bringing huge challenges to multimedia data security and privacy. Access control is used to protect the confidentiality and integrity of restricted resources. Attribute-Based Access Control (ABAC) implements fine-grained control of resources in an open heterogeneous IoMT environment. However, due to numerous users and policies in ABAC, access control policy evaluation is inefficient, which affects the quality of multimedia application services in the Internet of Things (IoT). This paper proposed an efficient policy retrieval method to improve the performance of access control policy evaluation in multimedia networks. First, retrieve policies that satisfy the request at the attribute level by computing based on the binary identifier. Then, at the attribute value level, the depth index was introduced to reconstruct the policy decision tree, thereby improving policy retrieval efficiency. This study carried out simulation experiments in terms of the different number of policies and different policy complexity situation. The results showed that the proposed method was three to five times more efficient in access control policy evaluation and had stronger scalability.

Jiansheng Zhang,Yang Xin,Yulong Gao,Xiaohui Lei,Yixian Yang

DOI: https://doi.org/10.1109/access.2021.3071031

IF: 3.9

2021-01-01

IEEE Access

Abstract:Internet of Things (IoT) has been widely used in various fields of our daily life in the past years. Obviously, in the future, the significance of its security will be more evident and enormous. However, there are still many security issues in the IoT, which makes it vulnerable to be attacked easily by some potential factors. Targeting at these issue, in this paper, we propose a secure access management scheme in IoT based on blockchain. Firstly, in our work, by using the Decisional Learning with Error (DLWE) problem, we propose a secure Key-policy Attribute-based Encryption (KP-ABE) scheme, it can implement fine-grained access control in IoT. Secondly, we use blockchain to solve the authentication and access management challenges. In addition, the smart contract in blockchain can process transactions automatically, which greatly reduces the management cost and running time for this scheme. Last but not the least, we further analyze the security of our proposed scheme. The result shows that our scheme can resist some common attacks in IoT, and it is more secure and efficient.

Evan Martin,Tao Xie

DOI: https://doi.org/10.1109/POLICY.2006.19

2006-01-01

Abstract:To ease the burden of implementing and maintaining access-control aspects in a system, a growing trend among developers is to write access-control policies in a specification language such as XACML and integrate the policies with applications through the use of a Policy Decision Point (PDP). To assure that the specified polices reflect the expected ones, recent research has developed policy verification tools; however, their applications in practice are still limited, being constrained by the limited set of supported policy language features and the unavailability of policy properties. This paper presents a data-mining approach to the problem of verifying that expressed access-control policies reflect the true desires of the policy author. We developed a tool to investigate this approach by automatically generating requests, evaluating those requests to get responses, and applying machine learning on the requestresponse pairs to infer policy properties. These inferred properties facilitate the inspection of the policy behavior. We applied our tool on an access-control policy of a central grades repository system for a university. Our results show that machine learning algorithms can provide valuable insight into basic policy properties and help identify specific bug-exposing requests.

Xianfei Zhou,Kai Xu,Naiyu Wang,Jianlin Jiao,Ning Dong,Meng Han,Hao Xu

DOI: https://doi.org/10.1109/access.2021.3051945

IF: 3.9

2021-01-01

IEEE Access

Abstract:With the popular use of IoT devices, edge computing has been widely applied in the Internet of things (IoT) and regarded as a promising solution for its wide distribution, decentralization, low latency. At the same time, in response to the massive computing data and intelligent requirements of various applications in the IoT, artificial intelligence (AI) technology has also achieved rapid development. As a result, edge intelligence (EI) for the Internet of Things has attracted widespread attention. Driven by the requirement that making full use of data, machine learning (ML) models trained in EI are usually shared. However, there may be some security and privacy issues due to the openness and heterogeneity of edge intelligence. How to ensure flexible data access and data security as well as the accountability for edge nodes and users in EI model sharing have become important issues. In this article, we propose a Ciphertext Policy Attribute Based Proxy Re-encryption (CP-ABPRE) scheme with accountability to address the security and privacy issues in EI model sharing. In our scheme, a user can delegate the access right to others to make model access more flexible. Furthermore, each entity that may need to be held accountable is embedded a unique ID to achieve traceability. Finally, security analysis and performance evaluation are given to prove that our scheme is CPA secure and does not lose much efficiency with more features.

computer science, information systems,telecommunications,engineering, electrical & electronic

Varun Gumma,Barsha Mitra,Soumyadeep Dey,Pratik Shashikantbhai Patel,Sourabh Suman,Saptarshi Das

DOI: https://doi.org/10.48550/arXiv.2111.07060

2021-11-13

Abstract:In recent years, Attribute-Based Access Control (ABAC) has become quite popular and effective for enforcing access control in dynamic and collaborative environments. Implementation of ABAC requires the creation of a set of attribute-based rules which cumulatively form a policy. Designing an ABAC policy ab initio demands a substantial amount of effort from the system administrator. Moreover, organizational changes may necessitate the inclusion of new rules in an already deployed policy. In such a case, re-mining the entire ABAC policy will require a considerable amount of time and administrative effort. Instead, it is better to incrementally augment the policy. Keeping these aspects of reducing administrative overhead in mind, in this paper, we propose PAMMELA, a Policy Administration Methodology using Machine Learning to help system administrators in creating new ABAC policies as well as augmenting existing ones. PAMMELA can generate a new policy for an organization by learning the rules of a policy currently enforced in a similar organization. For policy augmentation, PAMMELA can infer new rules based on the knowledge gathered from the existing rules. Experimental results show that our proposed approach provides a reasonably good performance in terms of the various machine learning evaluation metrics as well as execution time.

Cryptography and Security,Machine Learning

Aodi Liu,Xuehui Du,Na Wang

DOI: https://doi.org/10.1155/2021/3970485

IF: 1.968

2021-02-17

Security and Communication Networks

Abstract:Access control technology is critical to the safe and reliable operation of information systems. However, owing to the massive policy scale and number of access control entities in open distributed information systems, such as big data, the Internet of Things, and cloud computing, existing access control permission decision methods suffer from a performance bottleneck. Consequently, the large access control time overhead affects the normal operation of business services. To overcome the above-mentioned problem, this paper proposes an efficient permission decision engine scheme based on machine learning (EPDE-ML). The proposed scheme converts the attribute-based access control request into a permission decision vector, and the access control permission decision problem is transformed into a binary classification problem that allows or denies access. The random forest algorithm is used to construct a vector decision classifier in order to establish an efficient permission decision engine. Experimental results show that the proposed method can achieve a permission decision accuracy of around 92.6% on a test dataset, and its permission decision efficiency is significantly higher than that of the benchmark method. In addition, its performance improvement becomes more obvious as the scale of policy increases.

computer science, information systems,telecommunications

Khaled Riad,Jieren Cheng

DOI: https://doi.org/10.1016/j.ins.2020.09.051

IF: 8.1

2020-01-01

Information Sciences

Abstract:This paper addresses the access control issue for the comprehensive and distributed Internet of Things (IoT) environments. The typical eXtensible Access Control Markup Language (XACML) which implements the sophisticated access conditions in XML files, is widely used to guarantee access control decisions for the distributed IoT environments. To the best of our knowledge, the typical XACML-based access control schemes never consider the authentication run-time parameters. Moreover, the access control schemes that are mainly based on the typical XACML cannot secure themselves against some kinds of attacks, such as the Masquerade attack. Also, those schemes are not secure in opposition to Man-in-the-Middle (MITM) attack. Therefore, this paper proposes an adaptive XACML scheme that extends the typical XACML by integrating an access code generation and verification schemes for heterogeneous distributed IoT environments. Our adaptive XACML scheme considers some sensitive authentication run-time parameters before authorizing the user. Moreover, our scheme is proven secure against the Masquerade attack and MITM attack through hashing the generated access code using Message Digest Algorithm 5 (MD5) and Secure Hash Algorithm-1 (SHA-1) Checksum Utility. The experimental analysis of many different configurations supports the efficacy and efficiency of our adaptive XACML. It also shows exceptional compatibility and performance with different implementations. The processing time comparison between our adaptive XACML and Typical XACML, has shown that there is a low time overhead when using our adaptive XACML. This processing time overhead is nothing compared to the extra features that have been achieved in excess of the typical XACML and the security against Masquerade and MITM attacks. Therefore, our adaptive XACML scheme has the capability to be applied in various distinct distributed environments not only IoT. (c) 2020 Elsevier Inc. All rights reserved.

Xuanxia Yao,Jinyuan Zhou,Xiaojiang Du,Shurong Zhang

DOI: https://doi.org/10.1109/jiot.2024.3456553

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Nowadays, we are living in an open network environment with varieties of smart devices, which makes individual privacy face unprecedented threats. For one thing, a plenty of sensitive information may be gathered without the owners knowledge. For the other, the Internet of Things (IoT) based services and various intelligent applications require a large amount of perceptual data. And in practice, these data are usually encrypted and stored in storage providers like cloud for security and cost saving. To fully harness the productivity value of data and protect privacy, ciphertext-policy attribute-based encryption (CP-ABE) is widely used. Nevertheless, most existing CP-ABE schemes cannot work well for IoT because of the heavy overhead and the open and distributed environment. To lower the cost, a lightweight ciphertext-policy attribute-based encryption scheme without pairing is proposed and proved in the set-selective mode. Both the theoretical analysis and experiments show its advantages in computation, communication and storage overhead. For flexible access control in IoT, we attempt to employ the Masked Authenticated Message (MAM) mechanism of the IOTA to manage authorization for our CP-ABE scheme. Comparisons with similar schemes show that it can overcome the low throughput and monetary cost in other distributed ledger based access control schemes.

Kai Fan,Huiyue Xu,Longxiang Gao,Hui Li,Yintang Yang

DOI: https://doi.org/10.1016/j.future.2019.04.003

IF: 7.307

2019-01-01

Future Generation Computer Systems

Abstract:The fog-to-things paradigm is introduced to mitigate the heavy burden on the edge of cloud-based network due to the centralized processing and storing of the massive volume of IoT data. Fog-enabled IoT architectures ensure small latency and enough computing resource that enables real time devices and applications. However, there still exist security and privacy challenges on data access control for fog-enabled IoT. Ciphertext-policy attribute-based encryption (CP-ABE) can be adopted to realize data access control in cloud-fog computing systems. In this paper, we propose an efficient and privacy preserving outsourced multi-authority access control scheme, named PPO-MACS. All attributes of users are transformed to be anonymous and authenticable to realize privacy preserving. And the verifiable outsourced decryption is introduced to reduce computation overheads on the end user side. Meanwhile, an efficient user revocation method is proposed. Security and performance analysis show that our scheme is secure and highly efficient.

Zenghui Yang,Xiubo Chen,Yunfeng He,Luxi Liu,Yinmei Che,Xiao Wang,Ke Xiao,Gang Xu

DOI: https://doi.org/10.1016/j.hcc.2024.100199

2024-01-01

High-Confidence Computing

Abstract:With the wide application of the Internet of Things (IoT), storing large amounts of IoT data and protecting data privacy has become a meaningful issue. In general, the access control mechanism is used to prevent illegal users from accessing private data. However, traditional data access control schemes face some non-ignorable problems, such as only supporting coarse-grained access control, the risk of centralization, and high trust issues. In this paper, an attribute-based data access control scheme using blockchain technology is proposed. To address these problems, attribute-based encryption (ABE) has become a promising solution for encrypted data access control. Firstly, we utilize blockchain technology to construct a decentralized access control scheme, which can grant data access with transparency and traceability. Furthermore, our scheme also guarantees the privacy of policies and attributes on the blockchain network. Secondly, we optimize an ABE scheme, which makes the size of system parameters smaller and improves the efficiency of algorithms. These optimizations enable our proposed scheme supports large attribute universe requirements in IoT environments. Thirdly, to prohibit attribute impersonation and attribute replay attacks, we design a challenge-response mechanism to verify the ownership of attributes. Finally, we evaluate the security and performance of the scheme. And comparisons with other related schemes show the advantages of our proposed scheme. Compared to existing schemes, our scheme has more comprehensive advantages, such as supporting a large universe, full security, expressive policy, and policy hiding.

Leila Karimi,Mai Abdelhakim,James Joshi

DOI: https://doi.org/10.48550/arXiv.2105.08587

IF: 5.414

2021-05-18

Machine Learning

Abstract:With rapid advances in computing systems, there is an increasing demand for more effective and efficient access control (AC) approaches. Recently, Attribute Based Access Control (ABAC) approaches have been shown to be promising in fulfilling the AC needs of such emerging complex computing environments. An ABAC model grants access to a requester based on attributes of entities in a system and an authorization policy; however, its generality and flexibility come with a higher cost. Further, increasing complexities of organizational systems and the need for federated accesses to their resources make the task of AC enforcement and management much more challenging. In this paper, we propose an adaptive ABAC policy learning approach to automate the authorization management task. We model ABAC policy learning as a reinforcement learning problem. In particular, we propose a contextual bandit system, in which an authorization engine adapts an ABAC model through a feedback control loop; it relies on interacting with users/administrators of the system to receive their feedback that assists the model in making authorization decisions. We propose four methods for initializing the learning model and a planning approach based on attribute value hierarchy to accelerate the learning process. We focus on developing an adaptive ABAC policy learning model for a home IoT environment as a running example. We evaluate our proposed approach over real and synthetic data. We consider both complete and sparse datasets in our evaluations. Our experimental results show that the proposed approach achieves performance that is comparable to ones based on supervised learning in many scenarios and even outperforms them in several situations.

Yutang Xia,Shengfang Zhai,Qinting Wang,Huiting Hou,Zhonghai Wu,Qingni Shen

DOI: https://doi.org/10.1109/bibm55620.2022.9995559

2022-01-01

Abstract:The healthcare system is a distributed collaborative system and the sensitivity of the medical data is one of the most important requirements. Preventing unauthorized access to healthcare information and data sharing security in the healthcare environment are critical processes that affect the credibility of the system. To achieve this goal and to meet the requirements of the healthcare system, access control is an important measure to realize the safe sharing of resources. The attribute-based access control (ABAC) model meets the complex security requirements of large and complex systems and provides a dynamic, flexible and scalable solution. The main obstacle to deploying ABAC is the precise development of ABAC policies. Manually developing access control policies is tedious, time-consuming and error prone. Most systems have high-level requirement specifications, which are written in natural language. These natural language (NL) documents have the intended access control policies for the systems. In this paper, we propose a new approach towards extracting policies from natural language documents. By fully taking advantage of Bidirectional Encoder Representations from Transformers (BERT) and Semantic role labeling (SRL), we are able to correctly identify access control policy (ACP) sentences with an average F1 score of 85% and correctly extract rules with an average F1 score of 72%, which outperforms the state-of-the-art and leads to a performance improvement of 7% and 2% respectively over the previously reported results.

Jianfei Sun,Hu Xiong,Ximeng Liu,Yinghui Zhang,Xuyun Nie,Robert H. Deng

DOI: https://doi.org/10.1109/JIOT.2020.2974257

IF: 10.6

2020-01-01

IEEE Internet of Things Journal

Abstract:With the booming of Internet of Things (IoT), smart health (s-health) is becoming an emerging and attractive paradigm. It can provide an accurate prediction of various diseases and improve the quality of healthcare. Nevertheless, data security and user privacy concerns still remain issues to be addressed. As a high potential and prospective solution to secure IoT-oriented s-health applications, ciphertext policy attribute-based encryption (CP-ABE) schemes raise challenges, such as heavy overhead and attribute privacy of the end users. To resolve these drawbacks, an optimized vector transformation approach is first proposed to efficiently transform the access policy and user attribute set into respective vectors of shorter length while other approaches result in redundant and longer vectors. Our transformation approach can greatly relieve the costly overheard of key generation, encryption, and decryption phases. Then, based on the transformation approach and the offline/online computation technology, we propose a lightweight policy-hiding CP-ABE scheme for the IoT-oriented s-health application. With our proposed scheme, data users in the s-health system can perform lightweight encryption and decryption without leaking any sensitive privacy about the attributes of the user. Finally, the formal security analysis, the theoretic performance evaluation and experiment results indicate that the solution is secure and efficient.

LAN Ze-Jun,GUAN Jian-Feng

2024-01-01

Abstract:Abstract： \justifying Attribute-Based Access Control (ABAC) has been chosen to replace the traditional access control model due to its dynamics, flexibility and scalability recently. However, during the migration and deployment process of ABAC policies, the key issue is how to mine an accurate and concise access control policy collection and quickly evaluate the policies when an access request arrives. Previous studies have typically taken the problems of policy mining and policy evaluation separately. Policy mining primarily focuses on the compactness of the policy itself, while policy evaluation concentrates on assessing the performance of policy matching. The lack of coordination between policy mining and policy evaluation results in that the concise strategy obtained through policy mining cannot maximize the performance of policy evaluation. To trick this issue, this paper proposed a decision tree based ABAC policy mining and policy evaluation (DTAME) scheme that addresses both issues concurrently by introducing an ABAC policy mining and evaluation method based on the decision tree algorithm. On the other hand, some hotspot policy rules are frequently accessed in some scenarios. Therefore, to maximize evaluation performance, this paper also optimizes the algorithm based on access control logs. Experimental results show that the DTAME can enhance the performance of policy evaluation while ensuring that the mined policies remain compact and effective.

Fan Deng,Zhenhua Yu,Wenjing Liu,Xiaoqing Luo,Yu Fu,Ben Qiang,Chaoyang Xu,Zhiwu Li

DOI: https://doi.org/10.1016/j.ins.2020.08.044

IF: 8.1

2020-01-01

Information Sciences

Abstract:In recent years, XACML (eXtensible Access Control Markup Language) has been widely used in the development of various applications, especially Web services. The evaluation time of a PDP (Policy Decision Point) grows significantly when the PDP loads a large-scale policy set coded in XACML. In order to improve the PDP evaluation performance, we propose an optimized policy evaluation engine, namely XDLEngine, and make the following contributions. First, XDLEngine has an advantage in the process of handling a large-scale policy set, and innovatively adopts the LDA (Latent Dirichlet Allocation) topic model to cluster policies. Second, according to the clustering results of the LDA model, we digitize and vectorize all rules in policy sets, which facilitates the rule matching. Third, the cosine similarity is introduced to classify the rules under each topic, which greatly reduces the number of comparisons in the process of rule matching and improves the matching efficiency of XDLEngine. Finally, due to the independence between different topics, we use a multi-threaded parallel search in the process of rule matching, which significantly lowers the evaluation time of XDLEngine. The experimental results show that when the number of requests reaches 20,000, the evaluation time of XDLEngine for a practical large-scale policy set with 120,000 rules is approximately 2.48%, 3.47% and 3.68% of that of the Sun PDP, XEngine and HPEngine, respectively. (C) 2020 Elsevier Inc. All rights reserved.

Qi Han,Yinghui Zhang,Hui Li

DOI: https://doi.org/10.1016/j.future.2018.01.019

IF: 7.307

2018-01-01

Future Generation Computer Systems

Abstract:The term of Internet of Things (IoT) remarkably increases the ubiquity of the internet by integrating smart object-based infrastructures. How to achieve efficient fine-grained data access control while preserving data privacy is a challenge task in the scenario of IoT. Despite ciphertext-policy attribute-based encryption (CP-ABE) can provide fine-grained data access control by allowing the specific users whose attributes match the access policy to decrypt ciphertexts. However, existing CP-ABE schemes will leak users’ attribute values to the attribute authority (AA) in the phase of key generation, which poses a significant threat to users’ privacy. To address this issue, we propose a new CP-ABE scheme which can successfully protect the user’s attribute values against the AA based on 1-out-of-n oblivious transfer technique. In addition, we use Attribute Bloom Filter to protect the attribute type of the access policy in the ciphertext. Finally, security and efficiency evaluations show that the proposed scheme can achieve the desired security goals, while keeping comparable computation overhead.

Xu He,Lixiang Li,Haipeng Peng

DOI: https://doi.org/10.1109/jiot.2023.3329703

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:When users access the Internet of Things (IoT) devices, authenticating their identities and permissions is an important measure to ensure system security and achieve access control. Standalone authentication (SAA) is an efficient authentication method because it allows IoT devices to independently finish user authentication, avoiding the reliance on a single authentication center in traditional authentication methods. Attribute-based encryption (ABE) supports fine-grained access control and can be used to realize SAA. In certain SAA scenarios, the underlying ABE scheme should also meet some special requirements of security and function. For example, when a central authority seeks help from multiple proxy authorities (PAs) to share the burden of managing users' access rights, dishonest PAs may grant access rights to illegal users to gain benefits. This situation where the authority abuses its capability of access rights management is referred to as the key escrow problem in ABE (because for ABE, users' decryption keys represent their access rights). Therefore, we propose a key-policy ABE (KP-ABE) scheme without key escrow to prevent dishonest authorities from abusing their power. Compared with related schemes, the new scheme can relatively fully solve the key escrow problem, has high access policy expressiveness, and is efficient. These advantages ensure that the proposed scheme can be used to achieve secure and efficient SAA in IoT.

Kaiqing Huang,Xueli Wang,Zhiqiang Lin

DOI: https://doi.org/10.1155/2021/8872699

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:With the assistance of edge computing which reduces the heavy burden of the cloud center server by using the network edge servers, the Internet of Things (IoTs) architectures enable low latency for real-time devices and applications. However, there still exist security challenges on data access control for the IoT. Multiauthority attribute-based encryption (MA-ABE) is a promising technique to achieve access control over encrypted data in cross-domain applications. Based on the characteristics and technical requirements of the IoT, we propose an efficient fine-grained revocable large universe multiauthority access control scheme. In the proposed scheme, the most expensive encryption operations have been executed in the user’s initialization phase by adding a reusable ciphertext pool besides splitting the encryption algorithm to online encryption and offline encryption. Massive decryption operations are outsourced to the near-edge servers for reducing the computation overhead of decryption. An efficient revocation mechanism is designed to change users’ access privileges dynamically. Moreover, the scheme supports ciphertext verification. Only valid ciphertext can be stored and transmitted, which saves system resources. With the help of the chameleon hash function, the proposed scheme is proven CCA2-secure under the q-DPBDHE2 assumption. The performance analysis results indicate that the proposed scheme is efficient and suitable in edge computing for the IoT.

E. Chen,Yan Zhu,Zhiyuan Zhou,Shou-Yu Lee,W. Eric Wong,William Cheng-Chung Chu

DOI: https://doi.org/10.1109/jiot.2021.3109147

IF: 10.6

2021-01-01

IEEE Internet of Things Journal

Abstract:The decentralization mechanism provides manufacturers and distributors with greater customization and flexibility they need through Internet of Things (IoT)-based industrial collaboration systems (IoT-ICS), but it has brought forward security concerns about the shared data-processing tasks and IoT-based access to services and resources. To address them, we propose a practical blockchain solution to achieve decentralized policy management and evaluation on attribute-based access control (ABAC). By offloading the responsibility of ABAC policy administration and decision making to blockchain nodes, a blockchain-based access control framework, called Policychain, is presented to ensure policy with high availability, autonomy, and traceability. To deliver a solid design, we first present a transaction-oriented policy expression scheme with a well-defined syntax and semantics. The scheme can translate ABAC policies into the blockchain transactions with JavaScript object notation (JSON) syntax and script-based logical expression. We further realize a script-driven policy evaluation by extending blockchain inherent scripting instructions to support attribute acquisition of ABAC entities. Furthermore, we propose a policy lifecycle management scheme from policy creation, renovation, to revocation, in which policies are verified by three validation principles at the transaction level. Finally, we provide sophisticated analysis and experiments to show that our framework is secure and practical for decentralized policy management on ABAC in IoT-ICS.