Relational abstraction in community-based secure collaboration

Users of an online community are willing to share resources because they can expect rea-sonable behaviour from other members of the community. Such expectations are known as social contracts. In this work, we study the specification and enforcement of social contracts in a computer mediated collaboration environment. Specifically, we examine social contracts that contain both relationship- and history-based elements. A series of policy languages, all based on modal and temporal logics, with increasing expressiveness, have been proposed to express social contracts. Reference monitors are designed to correctly and efficiently enforce the specified policies. A technique called “relational abstraction ” is employed to reduce the reference monitor into a purely relationship-based protection system, that is, what is commonly known as a social network system.

Designing Secure Access Control Model in Cyber Social Networks

Nowadays, information security in online communication has become an indisputable topic. People prefer pursuing their connection and public relations due to the greater flexibility and affordability of online communication. Recently, organizations have established online networking sites concerned with sharing assets among their employees. As more people engage in social network, requirements for protecting information and resources becomes vital. Over the years, many access control methods have been proposed. Although these methods cover various information security aspects, they have not provided an appropriate approach for securing information within distributed online networking sites. Moreover, none of the previous research provides an access control method in case an existing resource encompassing various parts and each part has its own accessing control policy. In this research, we investigate the access control requirements in order to conserve data and encompassed resources, which are shared in the social network, from users with unapproved access. Under the proposed method, users are able to define policies easily to protect their individual information and resources from unauthorized users. In addition, requestors are able to generate inquiries in easy and efficient way. We define an appropriate format to present rules and queries, which are converted from policies and inquiries respectively. The proposed approach defines a method in case a user would like to access a resource belonging to another user where both users are members of different online networking sites. In order to add more flexibility, this method controls access to data and resources by evaluating requestor’s attributes, object’s attributes, action or operation taken by requestor, environmental condition, and policies which are created by users or a super user of social network to protect the users’ resources. This approach is called Policy-Based Attribute Access Control (PBAAC). The policies defined to secure a resource may conflict with other policies. The proposed method offers an appropriate solution to resolve this issue. Due to achievement of better performance with regards to efficiency, this research analyzes the method to compromise simple rules, complex rules, or rules including several attributes. The results prove that simple rules provide better performance

A Dynamic Risk-Based Access Control Approach: Model and Implementation

Access control (AC) refers to mechanisms and policies that restrict access to resources, thus regulating access to physical or virtual resources of an information system. AC approaches are used to represent these mechanisms and policies by which users are granted access and specific access privileges to the resources or information of the system for which AC is provided. Traditional AC approaches encompass a variety of widely used approaches, including attribute-based access control (ABAC), mandatory access control (MAC), discretionary access control (DAC) and role-based access control (RBAC). Emerging AC approaches include risk adaptive access control (RAdAC), an approach that suggests that AC can adapt depending on specific situations. However, traditional and emerging AC approaches rely on static pre-defined risk mitigation tasks and do not support the adaptation of an AC risk mitigation process (RMP). There are no provided mechanisms and automated support that allow AC approaches to construct RMPs and to adapt to provide more flexible, custom-tailored responses to specific situations in order to minimize risks. Further, although existing AC approaches can operate in several knowledge domains at once, they do not explicitly take into account the relationships among risks related to different dimensions, e.g., security, productivity. In addition, although in the real world, risks accumulate over time, existing AC approaches do not appropriately provide means for risk resolution in situations in which risks accumulate as different, dangerous tasks impact risk measures. This thesis presents the definition, the implementation, and the application through two case studies of a novel AC risk-mitigation approach that combines dynamic RMP construction and risk assessment extended to include forecasting based on multiple risk-related utilities and events; provides support for a dynamic risk assessment that depends on one or multiple risk dimensions (e.g., security and productivity); offers cumulative risk assessment in which each action of interest can impact the risk-related utilities in a dynamic way; and presents an implementation of an adaptive simulation method based on risk-related utilities and events