Big Data Access Control Mechanism Based on Two-Layer Permission Decision Structure

Big data resources are characterized by large scale, wide sources, and strong dynamics. Existing access controlmechanisms based on manual policy formulation by security experts suffer from drawbacks such as low policymanagement efficiency and difficulty in accurately describing the access control policy. To overcome theseproblems, this paper proposes a big data access control mechanism based on a two-layer permission decisionstructure. This mechanism extends the attribute-based access control (ABAC) model. Business attributes areintroduced in the ABAC model as business constraints between entities. The proposed mechanism implementsa two-layer permission decision structure composed of the inherent attributes of access control entities and thebusiness attributes, which constitute the general permission decision algorithm based on logical calculation andthe business permission decision algorithm based on a bi-directional long short-term memory (BiLSTM) neuralnetwork, respectively. The general permission decision algorithm is used to implement accurate policy decisions,while the business permission decision algorithm implements fuzzy decisions based on the business constraints.The BiLSTM neural network is used to calculate the similarity of the business attributes to realize intelligent,adaptive, and efficient access control permission decisions. Through the two-layer permission decision structure,the complex and diverse big data access control management requirements can be satisfied by considering thesecurity and availability of resources. Experimental results show that the proposed mechanism is effective andreliable. In summary, it can efficiently support the secure sharing of big data resources.

Security and Privacy Frameworks for Access Control Big Data Systems

In the security and privacy fields,Access Control(AC)systems are viewed as the fundamental aspects of networking security mechanisms.Enforcing AC becomes even more challenging when researchers and data analysts have to analyze complex and distributed Big Data(BD)processing cluster frameworks,which are adopted to manage yottabyte of unstructured sensitive data.For instance,Big Data systems’privacy and security restrictions are most likely to failure due to the malformed AC policy configurations.Furthermore,BD systems were initially developed toped to take care of some of the DB issues to address BD challenges and many of these dealt with the“three Vs”(Velocity,Volume,and Variety)attributes,without planning security consideration,which are considered to be patch work.Some of the BD“three Vs”characteristics,such as distributed computing,fragment,redundant data and node-to node communication,each with its own security challenges,complicate even more the applicability of AC in BD.This paper gives an overview of the latest security and privacy challenges in BD AC systems.Furthermore,it analyzes and compares some of the latest AC research frameworks to reduce privacy and security issues in distributed BD systems,which very few enforce AC in a cost-effective and in a timely manner.Moreover,this work discusses some of the future research methodologies and improvements for BD AC systems.This study is valuable asset for Artificial Intelligence(AI)researchers,DB developers and DB analysts who need the latest AC security and privacy research perspective before using and/or improving a current BD AC framework.

Ensuring Security, Confidentiality and Fine-Grained Data Access Control of Cloud Data Storage Implementation Environment

With the development of cloud computing, the mutual understandability among distributed data access control has become an important issue in the security field of cloud computing. To ensure security, confidentiality and fine-grained data access control of Cloud Data Storage (CDS) environment, we proposed Multi-Agent System (MAS) architecture. This architecture consists of two agents: Cloud Service Provider Agent (CSPA) and Cloud Data Confidentiality Agent (CDConA). CSPA provides a graphical interface to the cloud user that facilitates the access to the services offered by the system. CDConA provides each cloud user by definition and enforcement expressive and flexible access structure as a logic formula over cloud data file attributes. This new access control is named as Formula-Based Cloud Data Access Control (FCDAC). Our proposed FCDAC based on MAS architecture consists of four layers: interface layer, existing access control layer, proposed FCDAC layer and CDS layer as well as four types of entities of Cloud Service Provider (CSP), cloud users, knowledge base and confidentiality policy roles. FCDAC, it’s an access policy determined by our MAS architecture, not by the CSPs. A prototype of our proposed FCDAC scheme is implemented using the Java Agent Development Framework Security (JADE-S). Our results in the practical scenario defined formally in this paper, show the Round Trip Time (RTT) for an agent to travel in our system and measured by the times required for an agent to travel around different number of cloud users before and after implementing FCDAC.

Study on Mandatory Access Control in a Secure Database Management System

This paper proposes a security policy model for mandatory access control in class B1 database management system whose level of labeling is tuple. The relation hierarchical data model is extended to multilevel relation hierarchical data model. Based on the multilevel relation hierarchical data model, the concept of upper lower layer relational integrity is presented after we analyze and eliminate the covert channels caused by the database integrity. Two SQL statements are extended to process polyinstantiation in the multilevel secure environment. The system is based on the multilevel relation hierarchical data model and is capable of integratively storing and manipulating multilevel complicated objects ( e.g., multilevel spatial data) and multilevel conventional data ( e.g., integer, real number and character string).

EduASAC:A Blockchain-Based Education Archive Sharing and Access Control System

In the education archive sharing system,when performing homomorphic ciphertext retrieval on the storage server,there are problems such as low security of shared data,confusing parameter management,and weak access control.This paper proposes an Education Archives Sharing and Access Control(EduASAC)system to solve these problems.The system research goal is to realize the sharing of security parameters,the execution of access control,and the recording of system behaviors based on the blockchain network,ensuring the legitimacy of shared membership and the security of education archives.At the same time,the system can be combined with most homomorphic ciphertext retrieval schemes running on the storage server,making the homomorphic ciphertext retrieval mechanism controllable.This paper focuses on the blockchain access control framework and specifically designs smart contracts that conform to the business logic of the EduASAC system.The former adopts a dual-mode access control mechanism combining Discretionary Access Control(DAC)and Mandatory Access Control(MAC)and improves the tagging mode after user permission verification based on the Authentication and Authorization for Constrained Environments(ACE)authorization framework of Open Authorization(OAuth)2.0;the latter is used in the system to vote on nodes to join requests,define access control policies,execute permission verification processes,store,and share system parameters,and standardize the behavior of member nodes.Finally,the EduASAC system realizes the encryption,storage,retrieval,sharing,and access control processes of education archives.To verify the performance of the system,simulation experiments were conducted.The results show that the EduASAC system can meet the high security needs of education archive sharing and ensure the system’s high throughput,low latency,fast decision-making,and fine-grained access control ability.

基于Xen虚拟机的USB数据安全性分析及保护机制研究

基于Xen虚拟机的虚拟架构,分析了USB设备的数据安全风险和安全需求,对Xen虚拟机的内部驱动和安全机制进行了细粒度研究,提出了一种基于Xen虚拟机的USB数据保护机制,从虚拟USB接口访问控制、PVUSB后端驱动/QEMU设备模拟数据加解密两方面保护USB数据安全。

一种新型的USB存储设备访问控制方案

针对使用USB存储设备所引发的信息安全问题,提出了一种基于嵌入式Linux系统的USB存储设备访问控制方案。该方案在保持主机系统软硬件结构不变的基础上增加了嵌入式Linux平台,并利用Linux USB从设备端驱动,在嵌入式平台中实现了对USB存储设备的访问控制;同时结合用户实际需要,采用基于角色的访问控制方式,给出了详细的设计思路和软硬件框架。试验结果表明,该方案可以有效地防范针对USB接口存储设备的攻击,从而达到保障用户信息安全的目的。

USB存储设备访问控制与数据安全系统

针对USB存储设备接入与控制,结合访问控制技术、数据隐藏技术、加密技术,提出了一种USB存储设备的访问控制与数据安全系统,在一定程度上抵制了非法使用USB事件,有效地保证了数据安全。

USB存储设备访问控制的设计与实现

针对企业内部使用USB存储设备引起的安全隐患,提出了一种基于WDM(Win32驱动程序模型)的USB存储设备访问控制方案,主要从设备过滤驱动层的角度详细描述了监控USB存储设备的工作原理和实现细节。

基于Thin Hypervisor的USB设备访问控制

USB移动存储设备体积小、容量大、便于携带等优点,被广泛应用于数据的传输和备份.但是USB移动存储设备的这些特点也给数据的保护带来了很大的挑战.因为盗窃数据者可以轻易的利用USB移动存储设备带走数据.目前存在的针对USB存储设备访问控制的研究,主要基于应用层或操作系统内核层.当系统中存在恶意代码时,这些安全访问控制实施的模块很容易被旁路.为解决实施模块的安全性问题,实现了一种基于Thin Hypervisor的USB存储设备安全访问控制系统,它利用Thin Hypervisor对操作系统透明的特点,使得该系统不受操作系统安全性的影响,从而达到更加安全的目的.

基于DSP和USB的安全数据交换系统

在研究现有数据安全传输方案的基础上,设计并实现了一种基于DSP和USB接口的数据安全传输方案。该方案设计研制硬件安全板卡,硬件采用高速DSP芯片实现协议控制和密码算法,采用USB和EMAC作为数据传输接口。数据交换软件设计私有安全可靠通信协议,执行DES、AES、RSA等标准安全加密算法,保证数据的物理隔离和安全传输。测试证明,安全数据交换系统能够实现数据的机密性、完整性、不可否认性,保证数据可靠传输,具有较高的传输速率。

Data Hiding and Security for XMLDatabase: A TRBAC-Based Approach

In order to cope with varying protection granularity levels of XML(extensible Markup Language) documents, we propose a TXAC (Two-level XML. Access Control) framework,in which an extended TRBAC ( Temporal Role-Based Access Control) approach is proposed to deal withthe dynamic XML data With different system components, LXAC algorithm evaluates access requestsefficiently by appropriate access control policy in dynamic web environment. The method is aflexible and powerful security system offering amulti-level access control solution.

Adaptive Particle Swarm Optimization Data Hiding for High Security Secret Image Sharing

The main aim of this work is to improve the security of data hiding forsecret image sharing. The privacy and security of digital information have becomea primary concern nowadays due to the enormous usage of digital technology.The security and the privacy of users’ images are ensured through reversible datahiding techniques. The efficiency of the existing data hiding techniques did notprovide optimum performance with multiple end nodes. These issues are solvedby using Separable Data Hiding and Adaptive Particle Swarm Optimization(SDHAPSO) algorithm to attain optimal performance. Image encryption, dataembedding, data extraction/image recovery are the main phases of the proposedapproach. DFT is generally used to extract the transform coefficient matrix fromthe original image. DFT coefficients are in float format, which assists in transforming the image to integral format using the round function. After obtainingthe encrypted image by data-hider, additional data embedding is formulated intohigh-frequency coefficients. The proposed SDHAPSO is mainly utilized for performance improvement through optimal pixel location selection within the imagefor secret bits concealment. In addition, the secret data embedding capacityenhancement is focused on image visual quality maintenance. Hence, it isobserved from the simulation results that the proposed SDHAPSO techniqueoffers high-level security outcomes with respect to higher PSNR, security level,lesser MSE and higher correlation than existing techniques. Hence, enhancedsensitive information protection is attained, which improves the overall systemperformance.

分布式数据库隐私数据细粒度安全访问控制研究

为控制隐私数据的细粒度安全访问行为,提出分布式数据库隐私数据细粒度安全访问控制。通过分布式数据库空间划分,过滤隐私数据,利用分区方程,分解数据库空间内隐私数据,将隐私数据反应函数的构建过程定义为对分布式数据库中隐私数据挖掘的博弈过程,获取博弈因子,将细粒度划分问题转化为隐私数据在最小二乘准则下的规划问题,划分隐私数据的细粒度。利用加密算法,对隐私数据加密,依据密钥分发算法为用户分发密钥,通过密钥转换,将加密后的隐私数据上传到分布式数据库,利用数据库验证用户的令牌是否包含隐私数据的信息,建立令牌请求机制,实现隐私数据的细粒度安全访问控制。实验结果表明,经过文中方法控制后,分布式数据库的响应性能有所提高,在保证正确性的同时,还可以提高对恶意访问行为的控制能力,具有较高的实际应用价值。

A distributed authentication and authorization scheme for in-network big data sharing

Big data has a strong demand for a network infrastructure with the capability to support data sharing and retrieval efficiently. Information-centric networking （ICN） is an emerging approach to satisfy this demand, where big data is cached ubiquitously in the network and retrieved using data names. However, existing authentication and authorization schemes rely mostly on centralized servers to provide certification and mediation services for data retrieval. This causes considerable traffic overhead for the secure distributed sharing of data. To solve this problem, we employ identity-based cryptography （IBC） to propose a Distributed Authentication and Authorization Scheme （DAAS）, where an identity-based signature （IBS） is used to achieve distributed verifications of the identities of publishers and users. Moreover, Ciphertext-Policy Attribnte-based encryption （CP-ABE） is used to enable the distributed and fine-grained authorization. DAAS consists of three phases： initialization, secure data publication, and secure data retrieval, which seamlessly integrate authentication and authorization with the in- terest/data communication paradigm in ICN. In particular, we propose trustworthy registration and Network Operator and Authority Manifest （NOAM） dissemination to provide initial secure registration and enable efficient authentication for global data retrieval. Meanwhile, Attribute Manifest （AM） distribution coupled with automatic attribute update is proposed to reduce the cost of attribute retrieval. We examine the performance of the proposed DAAS, which shows that it can achieve a lower bandwidth cost than existing schemes.

基于零信任安全模型的电力敏感数据访问控制方法

针对大数据环境下数据访问控制难度大、数据窃取行为增多造成的电力敏感数据的大量泄露问题,为保护电力敏感数据安全,提出了以零信任安全模型为基础的电力敏感数据访问控制方法.以零信任安全模型为基础,采集用户访问行为信任因素,构建零信任安全模型,采用层次分解模型分解信任属性,基于权重分配法构建判断矩阵计算用户访问行为信任值,结合自适应机制和时间衰减算法,完善信任值的更新与记录.引用按层生长决策树进行电力敏感数据访问分级,在用户认证基础上设置签密参数,引用公私钥实现访问认证信息签密.实验测试结果表明,该方法能够有效抑制恶性数据访问行为,数据加密时间开销小,平均时间开销低于1.4s内1200条,访问控制失误率低于5%,整体控制效果达到了理想标准.

基于属性加密算法的计算机数据安全访问控制技术

该文针对云计算环境下计算机数据文件访问、传输存在的安全隐患,提出基于属性加密算法的计算机数据安全访问控制技术方案,假定在通信信道可靠、第三方审计机构可信和云计算数据中心忠实的前提下,在现有云计算数据存储安全体系架构基础上使用AES对称加密算法对CDC中的数据文件进行加密处理从而实现USER安全访问,与传统访问控制技术方案相比安全、可靠性更高。该文主要对上述技术方案的参与构成、主要定义、方案内容及重要程序的实现过程进行分析,又通过仿真实验模拟运行环境对该技术应用的可行性和优化路径进行探究,以期为计算机数据安全访问控制提供参考。

基于主从多链的数据分类分级访问控制模型

为解决数据混合存储导致精准查找速度慢、数据未分类分级管理造成安全治理难等问题,构建基于主从多链的数据分类分级访问控制模型,实现数据的分类分级保障与动态安全访问。首先,构建链上链下混合式可信存储模型,以平衡区块链面临的存储瓶颈问题;其次,提出主从多链架构,并设计智能合约,将不同隐私程度的数据自动存储于从链;最后,以基于角色的访问控制为基础,构建基于主从多链与策略分级的访问控制(MCLP-RBAC)机制并给出具体访问控制流程设计。在分级访问控制策略下,所提模型的吞吐量稳定在360 TPS(Transactions Per Second)左右。与BC-BLPM方案相比,发送速率与吞吐量之比达到1∶1,具有一定优越性;与无访问策略相比,内存消耗降低35.29%;与传统单链结构相比,内存消耗平均降低52.03%;与数据全部上链的方案相比,平均存储空间缩小36.32%。实验结果表明,所提模型能有效降低存储负担,实现分级安全访问,具有高扩展性,适用于多分类数据的管理。

Correlation Composition Awareness Model with Pair Collaborative Localization for IoT Authentication and Localization

Secure authentication and accurate localization among Internet of Things(IoT)sensors are pivotal for the functionality and integrity of IoT networks.IoT authentication and localization are intricate and symbiotic,impacting both the security and operational functionality of IoT systems.Hence,accurate localization and lightweight authentication on resource-constrained IoT devices pose several challenges.To overcome these challenges,recent approaches have used encryption techniques with well-known key infrastructures.However,these methods are inefficient due to the increasing number of data breaches in their localization approaches.This proposed research efficiently integrates authentication and localization processes in such a way that they complement each other without compromising on security or accuracy.The proposed framework aims to detect active attacks within IoT networks,precisely localize malicious IoT devices participating in these attacks,and establish dynamic implicit authentication mechanisms.This integrated framework proposes a Correlation Composition Awareness(CCA)model,which explores innovative approaches to device correlations,enhancing the accuracy of attack detection and localization.Additionally,this framework introduces the Pair Collaborative Localization(PCL)technique,facilitating precise identification of the exact locations of malicious IoT devices.To address device authentication,a Behavior and Performance Measurement(BPM)scheme is developed,ensuring that only trusted devices gain access to the network.This work has been evaluated across various environments and compared against existing models.The results prove that the proposed methodology attains 96%attack detection accuracy,84%localization accuracy,and 98%device authentication accuracy.