The cloud allows clients to store and share data.Depending on the user’s needs,it is imperative to design an effective access control plan to share the information only with approved users.The user loses control of t...The cloud allows clients to store and share data.Depending on the user’s needs,it is imperative to design an effective access control plan to share the information only with approved users.The user loses control of their data when the data is outsourced to the cloud.Therefore,access control mechanisms will become a significant challenging problem.The Ciphertext-Policy Attribute-Based Encryption(CP-ABE)is an essential solution in which the user can control data access.CP-ABE encrypts the data under a limited access policy after the user sets some access policies.The user can decrypt the data if they satisfy the limited access policy.Although CP-ABE is an effective access control program,the privacy of the policy might be compromised by the attackers.Namely,the attackers can gather important information from plain text policy.To address this issue,the SHA-512 algorithm is presented to create a hash code for the user’s attributes in this paper.Depending on the created hash codes,an access policy will be formed.It leads to protecting the access policy against attacks.The effectiveness of the proposed scheme is assessed based on decryption time,private key generation time,ciphertext generation time,and data verification time.展开更多
The traditional air traffic control information sharing data has weak security characteristics of personal privacy data and poor effect,which is easy to leads to the problem that the data is usurped.Starting from the ...The traditional air traffic control information sharing data has weak security characteristics of personal privacy data and poor effect,which is easy to leads to the problem that the data is usurped.Starting from the application of the ATC(automatic train control)network,this paper focuses on the zero trust and zero trust access strategy and the tamper-proof method of information-sharing network data.Through the improvement of ATC’s zero trust physical layer authentication and network data distributed feature differentiation calculation,this paper reconstructs the personal privacy scope authentication structure and designs a tamper-proof method of ATC’s information sharing on the Internet.From the single management authority to the unified management of data units,the systematic algorithm improvement of shared network data tamper prevention method is realized,and RDTP(Reliable Data Transfer Protocol)is selected in the network data of information sharing resources to realize the effectiveness of tamper prevention of air traffic control data during transmission.The results show that this method can reasonably avoid the tampering of information sharing on the Internet,maintain the security factors of air traffic control information sharing on the Internet,and the Central Processing Unit(CPU)utilization rate is only 4.64%,which effectively increases the performance of air traffic control data comprehensive security protection system.展开更多
When implementing open access, policy pioneers and flagship institutions alike have faced considerable challenges in meeting their own aims and achieving a recognized success. Legitimate authority, sufficient resource...When implementing open access, policy pioneers and flagship institutions alike have faced considerable challenges in meeting their own aims and achieving a recognized success. Legitimate authority, sufficient resources and the right timing are crucial, but the professionals charged with implementing policy still need several years to accomplish significant progress. This study defines a methodological standard for evaluating the first generation of open access policies. Evaluating implementation establishes evidence, enables reflection, and may foster the emergence of a second generation of open access policies.While the study is based on a small number of cases, these case studies cover most of the pioneer institutions, present the most significant issues and offer an international overview.Each case is reconstructed individually on the basis of public documents and background information, and supported by interviews with professionals responsible for open access implementation. This article presents the highlights from each case study. The results are utilized to indicate how a second generation of policies might define open access as a key component of digital research infrastructures that provide inputs and outputs for research,teaching and learning in real time.展开更多
Growing numbers of users and many access policies that involve many different resource attributes in service-oriented environments cause various problems in protecting resource. This paper analyzes the relationships o...Growing numbers of users and many access policies that involve many different resource attributes in service-oriented environments cause various problems in protecting resource. This paper analyzes the relationships of resource attributes to user attributes based on access policies for Web services, and proposes a general attribute based role-based access control(GARBAC) model. The model introduces the notions of single attribute expression, composite attribute expression, and composition permission, defines a set of elements and relations among its elements and makes a set of rules, assigns roles to user by inputing user's attributes values. The model is a general access control model, can support more granularity resource information and rich access control policies, also can be used to wider application for services. The paper also describes how to use the GARBAC model in Web services environments.展开更多
The National Institute of Standards and Technology(NIST)has identified natural language policies as the preferred expression of policy and implicitly called for an automated translation of ABAC natural language access...The National Institute of Standards and Technology(NIST)has identified natural language policies as the preferred expression of policy and implicitly called for an automated translation of ABAC natural language access control policy(NLACP)to a machine-readable form.To study the automation process,we consider the hierarchical ABAC model as our reference model since it better reflects the requirements of real-world organizations.Therefore,this paper focuses on the questions of:how can we automatically infer the hierarchical structure of an ABAC model given NLACPs;and,how can we extract and define the set of authorization attributes based on the resulting structure.To address these questions,we propose an approach built upon recent advancements in natural language processing and machine learning techniques.For such a solution,the lack of appropriate data often poses a bottleneck.Therefore,we decouple the primary contributions of this work into:(1)developing a practical framework to extract authorization attributes of hierarchical ABAC system from natural language artifacts,and(2)generating a set of realistic synthetic natural language access control policies(NLACPs)to evaluate the proposed framework.Our experimental results are promising as we achieved-in average-an F1-score of 0.96 when extracting attributes values of subjects,and 0.91 when extracting the values of objects’attributes from natural language access control policies.展开更多
Analysing access control policies is an essential process for ensuring over-prescribed permissions are identified and removed. This is a time-consuming and knowledge-intensive process, largely because there is a wealt...Analysing access control policies is an essential process for ensuring over-prescribed permissions are identified and removed. This is a time-consuming and knowledge-intensive process, largely because there is a wealth of policy information that needs to be manually examined. Furthermore, there is no standard definition of what constitutes an over-entitled permission within an organisation’s access control policy, making it not possible to develop automated rule-based approaches. It is often the case that over-entitled permissions are subjective to an organisation’s role-based structure, where access is be divided and managed based on different employee needs. In this context, an irregular permission could be one where an employee has frequently changed roles, thus accumulating a wide-ranging set of permissions. There is no one size fits all approach to identifying permissions where an employee is receiving more permission than is necessary, and it is necessary to examine them in the context of the organisation to establish their individual risk. Risk is not a binary measure and, in this work, an approach is built using Fuzzy Logic to determine an overall risk rating, which can then be used to make a more informed decision as to whether a user is over-entitled and presenting risk to the organisation. This requires the exploratory use of establishing resource sensitivity and user trust as measures to determine a risk rating. The paper presents a generic solution, which has been implemented to perform experimental analysis on Microsoft’s New Technology File System to show how this works in practice. A simulation using expert knowledge for comparison is then performed to demonstrate how effective it is at helping the user identify potential irregular permissions.展开更多
The National Institute of Standards and Technology(NIST)has identified natural language policies as the preferred expression of policy and implicitly called for an automated translation of ABAC natural language access...The National Institute of Standards and Technology(NIST)has identified natural language policies as the preferred expression of policy and implicitly called for an automated translation of ABAC natural language access control policy(NLACP)to a machine-readable form.To study the automation process,we consider the hierarchical ABAC model as our reference model since it better reflects the requirements of real-world organizations.Therefore,this paper focuses on the questions of:how can we automatically infer the hierarchical structure of an ABAC model given NLACPs;and,how can we extract and define the set of authorization attributes based on the resulting structure.To address these questions,we propose an approach built upon recent advancements in natural language processing and machine learning techniques.For such a solution,the lack of appropriate data often poses a bottleneck.Therefore,we decouple the primary contributions of this work into:(1)developing a practical framework to extract authorization attributes of hierarchical ABAC system from natural language artifacts,and(2)generating a set of realistic synthetic natural language access control policies(NLACPs)to evaluate the proposed framework.Our experimental results are promising as we achieved-in average-an F1-score of 0.96 when extracting attributes values of subjects,and 0.91 when extracting the values of objects’attributes from natural language access control policies.展开更多
I. IntroductionThere have been numerous studies on free capital mobility, its management and impact on developing countries’ economy during the past decades. International capital flows create opportunities for portf...I. IntroductionThere have been numerous studies on free capital mobility, its management and impact on developing countries’ economy during the past decades. International capital flows create opportunities for portfolio diversification and risk sharing. In classical cases, capital mobility permits a more efficient global allocation of savings and directs resources toward their most productive uses (Fischer, 1998, etc.). However,展开更多
Quality of service (QoS) support is a key attribute for multimedia traffic including video, voice, and data in wireless local area networks (LANs) but is limited in 802.11-based wireless LANs. A polling-based sche...Quality of service (QoS) support is a key attribute for multimedia traffic including video, voice, and data in wireless local area networks (LANs) but is limited in 802.11-based wireless LANs. A polling-based scheme called the point coordination function (PCF) was developed for 802.11 LANs to support the transmission of multimedia traffic. However, the PCF is not able to meet the desired practical traffic differentiation requirements for real-time data. This paper describes a QoS support polling scheme based on the IEEE 802.11 medium access control (MAC) protocol. The scheme uses a two-level polling mechanism with the QoS classes differentiated by two different access policies. Stations with higher priority traffic such as key or real-time data form the first level and can access the common channel through an exhaustive access policy. Other stations with lower priority traffic form the second level and can access the channel through a gated access policy. A system model based on imbedded Markov chain theory and a generation function were setup to explicitly analyze the mean information packet waiting time of the two-level polling scheme. Theoretical and simulation results show that the new scheme efficiently differentiates services to guarantee better QoS and system stability.展开更多
Web service composition is a low cost and efficient way to leverage the existing resource and implementation.In current Web service composition implementations,the issue of how to define the role for a new composite W...Web service composition is a low cost and efficient way to leverage the existing resource and implementation.In current Web service composition implementations,the issue of how to define the role for a new composite Web service has been little addressed.Adjusting the access control policy for a new composite Web service always causes substantial administration overhead from the security administrator.Furthermore,the distributed nature of Web service based applications makes traditional role mining methods obsolete.In this paper,we analyze the minimal role mining problem for Web service composition,and prove that this problem is NP-complete.We propose a sub-optimal greedy algorithm based on the analysis of necessary role mapping for interoperation across multiple domains.Simulation shows the effectiveness of our algorithm,and compared to the existing methods,our algorithm has significant performance advantages.We also demonstrate the practical application of our method in a real agent based Web service system.The results show that our method could find the minimal role mapping efficiently.展开更多
文摘The cloud allows clients to store and share data.Depending on the user’s needs,it is imperative to design an effective access control plan to share the information only with approved users.The user loses control of their data when the data is outsourced to the cloud.Therefore,access control mechanisms will become a significant challenging problem.The Ciphertext-Policy Attribute-Based Encryption(CP-ABE)is an essential solution in which the user can control data access.CP-ABE encrypts the data under a limited access policy after the user sets some access policies.The user can decrypt the data if they satisfy the limited access policy.Although CP-ABE is an effective access control program,the privacy of the policy might be compromised by the attackers.Namely,the attackers can gather important information from plain text policy.To address this issue,the SHA-512 algorithm is presented to create a hash code for the user’s attributes in this paper.Depending on the created hash codes,an access policy will be formed.It leads to protecting the access policy against attacks.The effectiveness of the proposed scheme is assessed based on decryption time,private key generation time,ciphertext generation time,and data verification time.
基金This work was supported by National Natural Science Foundation of China(U2133208,U20A20161).
文摘The traditional air traffic control information sharing data has weak security characteristics of personal privacy data and poor effect,which is easy to leads to the problem that the data is usurped.Starting from the application of the ATC(automatic train control)network,this paper focuses on the zero trust and zero trust access strategy and the tamper-proof method of information-sharing network data.Through the improvement of ATC’s zero trust physical layer authentication and network data distributed feature differentiation calculation,this paper reconstructs the personal privacy scope authentication structure and designs a tamper-proof method of ATC’s information sharing on the Internet.From the single management authority to the unified management of data units,the systematic algorithm improvement of shared network data tamper prevention method is realized,and RDTP(Reliable Data Transfer Protocol)is selected in the network data of information sharing resources to realize the effectiveness of tamper prevention of air traffic control data during transmission.The results show that this method can reasonably avoid the tampering of information sharing on the Internet,maintain the security factors of air traffic control information sharing on the Internet,and the Central Processing Unit(CPU)utilization rate is only 4.64%,which effectively increases the performance of air traffic control data comprehensive security protection system.
文摘When implementing open access, policy pioneers and flagship institutions alike have faced considerable challenges in meeting their own aims and achieving a recognized success. Legitimate authority, sufficient resources and the right timing are crucial, but the professionals charged with implementing policy still need several years to accomplish significant progress. This study defines a methodological standard for evaluating the first generation of open access policies. Evaluating implementation establishes evidence, enables reflection, and may foster the emergence of a second generation of open access policies.While the study is based on a small number of cases, these case studies cover most of the pioneer institutions, present the most significant issues and offer an international overview.Each case is reconstructed individually on the basis of public documents and background information, and supported by interviews with professionals responsible for open access implementation. This article presents the highlights from each case study. The results are utilized to indicate how a second generation of policies might define open access as a key component of digital research infrastructures that provide inputs and outputs for research,teaching and learning in real time.
基金Supported by the National Natural Science Foundation of China (60402019, 60772098 and 60672068)
文摘Growing numbers of users and many access policies that involve many different resource attributes in service-oriented environments cause various problems in protecting resource. This paper analyzes the relationships of resource attributes to user attributes based on access policies for Web services, and proposes a general attribute based role-based access control(GARBAC) model. The model introduces the notions of single attribute expression, composite attribute expression, and composition permission, defines a set of elements and relations among its elements and makes a set of rules, assigns roles to user by inputing user's attributes values. The model is a general access control model, can support more granularity resource information and rich access control policies, also can be used to wider application for services. The paper also describes how to use the GARBAC model in Web services environments.
文摘The National Institute of Standards and Technology(NIST)has identified natural language policies as the preferred expression of policy and implicitly called for an automated translation of ABAC natural language access control policy(NLACP)to a machine-readable form.To study the automation process,we consider the hierarchical ABAC model as our reference model since it better reflects the requirements of real-world organizations.Therefore,this paper focuses on the questions of:how can we automatically infer the hierarchical structure of an ABAC model given NLACPs;and,how can we extract and define the set of authorization attributes based on the resulting structure.To address these questions,we propose an approach built upon recent advancements in natural language processing and machine learning techniques.For such a solution,the lack of appropriate data often poses a bottleneck.Therefore,we decouple the primary contributions of this work into:(1)developing a practical framework to extract authorization attributes of hierarchical ABAC system from natural language artifacts,and(2)generating a set of realistic synthetic natural language access control policies(NLACPs)to evaluate the proposed framework.Our experimental results are promising as we achieved-in average-an F1-score of 0.96 when extracting attributes values of subjects,and 0.91 when extracting the values of objects’attributes from natural language access control policies.
基金This work was undertaken during a project funded by the UK’s Digital Catapult Researcher in Residency Fellowship programme (Grant Ref: EP/M029263/1)The funding supported the research, development, and empirical testing presented in this paper.
文摘Analysing access control policies is an essential process for ensuring over-prescribed permissions are identified and removed. This is a time-consuming and knowledge-intensive process, largely because there is a wealth of policy information that needs to be manually examined. Furthermore, there is no standard definition of what constitutes an over-entitled permission within an organisation’s access control policy, making it not possible to develop automated rule-based approaches. It is often the case that over-entitled permissions are subjective to an organisation’s role-based structure, where access is be divided and managed based on different employee needs. In this context, an irregular permission could be one where an employee has frequently changed roles, thus accumulating a wide-ranging set of permissions. There is no one size fits all approach to identifying permissions where an employee is receiving more permission than is necessary, and it is necessary to examine them in the context of the organisation to establish their individual risk. Risk is not a binary measure and, in this work, an approach is built using Fuzzy Logic to determine an overall risk rating, which can then be used to make a more informed decision as to whether a user is over-entitled and presenting risk to the organisation. This requires the exploratory use of establishing resource sensitivity and user trust as measures to determine a risk rating. The paper presents a generic solution, which has been implemented to perform experimental analysis on Microsoft’s New Technology File System to show how this works in practice. A simulation using expert knowledge for comparison is then performed to demonstrate how effective it is at helping the user identify potential irregular permissions.
基金supported by Princess Nourah bint Abdulrahman University,Riyadh,Saudi Arabia.
文摘The National Institute of Standards and Technology(NIST)has identified natural language policies as the preferred expression of policy and implicitly called for an automated translation of ABAC natural language access control policy(NLACP)to a machine-readable form.To study the automation process,we consider the hierarchical ABAC model as our reference model since it better reflects the requirements of real-world organizations.Therefore,this paper focuses on the questions of:how can we automatically infer the hierarchical structure of an ABAC model given NLACPs;and,how can we extract and define the set of authorization attributes based on the resulting structure.To address these questions,we propose an approach built upon recent advancements in natural language processing and machine learning techniques.For such a solution,the lack of appropriate data often poses a bottleneck.Therefore,we decouple the primary contributions of this work into:(1)developing a practical framework to extract authorization attributes of hierarchical ABAC system from natural language artifacts,and(2)generating a set of realistic synthetic natural language access control policies(NLACPs)to evaluate the proposed framework.Our experimental results are promising as we achieved-in average-an F1-score of 0.96 when extracting attributes values of subjects,and 0.91 when extracting the values of objects’attributes from natural language access control policies.
文摘I. IntroductionThere have been numerous studies on free capital mobility, its management and impact on developing countries’ economy during the past decades. International capital flows create opportunities for portfolio diversification and risk sharing. In classical cases, capital mobility permits a more efficient global allocation of savings and directs resources toward their most productive uses (Fischer, 1998, etc.). However,
基金Supported by the National Natural Science Foundation of China(Nos. F0424104 and 60362001)the Natural Science Foundation of Yunnan Province of China (No. 2004F0011R)
文摘Quality of service (QoS) support is a key attribute for multimedia traffic including video, voice, and data in wireless local area networks (LANs) but is limited in 802.11-based wireless LANs. A polling-based scheme called the point coordination function (PCF) was developed for 802.11 LANs to support the transmission of multimedia traffic. However, the PCF is not able to meet the desired practical traffic differentiation requirements for real-time data. This paper describes a QoS support polling scheme based on the IEEE 802.11 medium access control (MAC) protocol. The scheme uses a two-level polling mechanism with the QoS classes differentiated by two different access policies. Stations with higher priority traffic such as key or real-time data form the first level and can access the common channel through an exhaustive access policy. Other stations with lower priority traffic form the second level and can access the channel through a gated access policy. A system model based on imbedded Markov chain theory and a generation function were setup to explicitly analyze the mean information packet waiting time of the two-level polling scheme. Theoretical and simulation results show that the new scheme efficiently differentiates services to guarantee better QoS and system stability.
文摘Web service composition is a low cost and efficient way to leverage the existing resource and implementation.In current Web service composition implementations,the issue of how to define the role for a new composite Web service has been little addressed.Adjusting the access control policy for a new composite Web service always causes substantial administration overhead from the security administrator.Furthermore,the distributed nature of Web service based applications makes traditional role mining methods obsolete.In this paper,we analyze the minimal role mining problem for Web service composition,and prove that this problem is NP-complete.We propose a sub-optimal greedy algorithm based on the analysis of necessary role mapping for interoperation across multiple domains.Simulation shows the effectiveness of our algorithm,and compared to the existing methods,our algorithm has significant performance advantages.We also demonstrate the practical application of our method in a real agent based Web service system.The results show that our method could find the minimal role mapping efficiently.
