226,921 research outputs found

    Self-adaptive Authorisation Infrastructures

    Traditional approaches in access control rely on immutable criteria in which to decide and award access. These approaches are limited, notably when handling changes in an organisation’s protected resources, resulting in the inability to accommodate the dynamic aspects of risk at runtime. An example of such risk is a user abusing their privileged access to perform insider attacks. This thesis proposes self-adaptive authorisation, an approach that enables dynamic access control. A framework for developing self-adaptive authorisation is defined, where autonomic controllers are deployed within legacy based authorisation infrastructures to enable the runtime management of access control. Essential to the approach is the use of models and model driven engineering (MDE). Models enable a controller to abstract from the authorisation infrastructure it seeks to control, reason about state, and provide assurances over change to access. For example, a modelled state of access may represent an active access control policy. Given the diverse nature in implementations of authorisation infrastructures, MDE enables the creation and transformation of such models, whereby assets (e.g., policies) can be automatically generated and deployed at runtime. A prototype of the framework was developed, whereby management of access control is focused on the mitigation of abuse of access rights. The prototype implements a feedback loop to monitor an authorisation infrastructure in terms of modelling the state of access control and user behaviour, analyse potential solutions for handling malicious behaviour, and act upon the infrastructure to control future access control decisions. The framework was evaluated against mitigation of simulated insider attacks, involving the abuse of access rights governed by access control methodologies. In addition, to investigate the framework’s approach in a diverse and unpredictable environment, a live experiment was conducted. 
This evaluated the mitigation of abuse performed by real users as well as demonstrating the consequence of self-adaptation through observation of user response

    Towards SDN-based smart contract solution for IoT access control

    Access control is essential for the IoT environment to ensure that only approved and trusted parties are able to configure devices, access sensor information, and command actuators to execute activities. The IoT ecosystem is subject to various access control complications due to the limited latency between IoT devices and the Internet, low energy requirements of IoT devices, the distributed framework, ad-hoc networks, and an exceptionally large number of heterogeneous IoT devices that need to be managed. The motivation for this proposed work is to resolve the incurring challenges of IoT associated with management and access control security. Each IoT domain implementation has particular features and needs separate access control policies to be considered in order to design a secure solution. This research work aims to resolve the intricacy of policies management, forged policies, dissemination, tracking of access control policies, automation, and central management of IoT nodes and provides a trackable and auditable access control policy management system that prevents forged policy dissemination by applying Software Defined Network (SDN) and blockchain technology in an IoT environment. Integration of SDN and blockchain provides a robust solution for IoT environment security. Recently, smart contracts have become one of blockchain technology’s most promising applications. The integration of smart contracts with blockchain technology provides the capability of designing tamper-proof and independently verifiable policies. In this paper, we propose a novel, scalable solution for implementing immutable, verifiable, adaptive, and automated access control policies for IoT devices together with a successful proof of concept that demonstrates the scalability of the proposed solution. The performance of the proposed solution is evaluated in terms of throughput and resource access delay between the blockchain component and the controller as well as from node to node. 
The number of nodes in the IoT network and the number of resource access requests were independently and systematically increased during the evaluations. The results illustrate that the resource access delay and throughput were affected neither linearly nor exponentially; hence, the proposed solution shows no significant degradation in performance with an increase in the number of nodes and/or requests

    Design and Implementation of a Measurement-Based Policy-Driven Resource Management Framework For Converged Networks

    This paper presents the design and implementation of a measurement-based QoS and resource management framework, CNQF (Converged Networks QoS Management Framework). CNQF is designed to provide unified, scalable QoS control and resource management through the use of a policy-based network management paradigm. It achieves this via distributed functional entities that are deployed to co-ordinate the resources of the transport network through centralized policy-driven decisions supported by measurement-based control architecture. We present the CNQF architecture, implementation of the prototype and validation of various inbuilt QoS control mechanisms using real traffic flows on a Linux-based experimental test bed. Comment: in Ictact Journal On Communication Technology: Special Issue On Next Generation Wireless Networks And Applications, June 2011, Volume 2, Issue 2, Issn: 2229-6948(Online

    Towards Adaptable and Adaptive Policy-Free Middleware

    We believe that to fully support adaptive distributed applications, middleware must itself be adaptable, adaptive and policy-free. In this paper we present a new language-independent adaptable and adaptive policy framework suitable for integration in a wide variety of middleware systems. This framework facilitates the construction of adaptive distributed applications. The framework addresses adaptability through its ability to represent a wide range of specific middleware policies. Adaptiveness is supported by a rich contextual model, through which an application programmer may control precisely how policies should be selected for any particular interaction with the middleware. A contextual pattern mechanism facilitates the succinct expression of both coarse- and fine-grain policy contexts. Policies may be specified and altered dynamically, and may themselves take account of dynamic conditions. The framework contains no hard-wired policies; instead, all policies can be configured. Comment: Submitted to Dependable and Adaptive Distributed Systems Track, ACM SAC 200

    Approaches and frameworks for management and research in small-scale fisheries in the developing world

    Commonly adopted approaches to managing small-scale fisheries (SSFs) in developing countries do not ensure sustainability. Progress is impeded by a gap between innovative SSF research and slower-moving SSF management. The paper aims to bridge the gap by showing that the three primary bases of SSF management--ecosystem, stakeholders’ rights and resilience--are mutually consistent and complementary. It nominates the ecosystem approach as an appropriate starting point because it is established in national and international law and policy. Within this approach, the emerging resilience perspective and associated concepts of adaptive management and institutional learning can move management beyond traditional control and resource-use optimization, which largely ignore the different expectations of stakeholders; the complexity of ecosystem dynamics; and how ecological, social, political and economic subsystems are linked. Integrating a rights-based perspective helps balance the ecological bias of ecosystem-based and resilience approaches. The paper introduces three management implementation frameworks that can lend structure and order to research and management regardless of the management approach chosen. Finally, it outlines possible research approaches to overcome the heretofore limited capacity of fishery research to integrate across ecological, social and economic dimensions and so better serve the management objective of avoiding fishery failure by nurturing and preserving the ecological, social and institutional attributes that enable it to renew and reorganize itself. (PDF contains 29 pages

    Resilient Critical Infrastructure Management using Service Oriented Architecture

    Abstract—The SERSCIS project aims to support the use of interconnected systems of services in Critical Infrastructure (CI) applications. The problem of system interconnectedness is aptly demonstrated by ‘Airport Collaborative Decision Making’ (ACDM). Failure or underperformance of any of the interlinked ICT systems may compromise the ability of airports to plan their use of resources to sustain high levels of air traffic, or to provide accurate aircraft movement forecasts to the wider European air traffic management systems. The proposed solution is to introduce further SERSCIS ICT components to manage dependability and interdependency. These use semantic models of the critical infrastructure, including its ICT services, to identify faults and potential risks and to increase human awareness of them. Semantics allows information and services to be described in such a way that makes them understandable to computers. Thus when a failure (or a threat of failure) is detected, SERSCIS components can take action to manage the consequences, including changing the interdependency relationships between services. In some cases, the components will be able to take action autonomously — e.g. to manage ‘local’ issues such as the allocation of CPU time to maintain service performance, or the selection of services where there are redundant sources available. In other cases the components will alert human operators so they can take action instead. The goal of this paper is to describe a Service Oriented Architecture (SOA) that can be used to address the management of ICT components and interdependencies in critical infrastructure systems. Index Terms—resilience; QoS; SOA; critical infrastructure, SLA

    Enabling the Autonomic Management of Federated Identity Providers

    The autonomic management of federated authorization infrastructures (federations) is seen as a means for improving the monitoring and use of a service provider’s resources. However, federations are comprised of independent management domains with varying scopes of control and data ownership. The focus of this paper is on the autonomic management of federated identity providers by service providers located in other domains, when the identity providers have been diagnosed as the source of abuse. In particular, we describe how an autonomic controller, external to the domain of the identity provider, exercises control over the issuing of privilege attributes. The paper presents a conceptual design and implementation of an effector for an identity provider that is capable of enabling cross-domain autonomic management. The implementation of an effector for a SimpleSAMLphp identity provider is evaluated by demonstrating how an autonomic controller, together with the effector, is capable of responding to malicious abuse

    Policy-based autonomic control service

    Recently, there has been a considerable interest in policy-based, goal-oriented service management and autonomic computing. Much work is still required to investigate designs and policy models and associate meta-reasoning systems for policy-based autonomic systems. In this paper we outline a proposed autonomic middleware control service used to orchestrate self-healing of distributed applications. Policies are used to adjust the system's autonomy and define self-healing strategies to stabilize/correct a given system in the event of failures

    Co-management: A Synthesis of the Lessons Learned from the DFID Fisheries Management Science Programme

    For the last eleven years, the UK Department for International Development (DfID) have been funding research projects to support the sustainable management of fisheries resources (both inland and marine) in developing countries through the Fisheries Management Science Programme (FMSP). A number of these projects that have been commissioned in this time have examined fisheries co-management. While these projects have, for the most part, been implemented separately, the FMSP has provided an opportunity to synthesise and draw together some of the information generated by these projects. We feel that there is value in distilling some of the important lessons and describing some of the useful tools and examples and making these available through a single, accessible resource. The wealth of information generated means that it is impossible to cover everything in detail but it is hoped that this synthesis will at least provide an overview of the co-management process together with some useful information relating to implementing co-management in a developing country context and links to the more detailed resources available, in particular on information systems for co-managed fisheries, participatory fish stock assessment (ParFish) and adaptive learning that have, in particular, been drawn upon for this synthesis. This synthesis is aimed at anyone interested in fisheries management in a developing country context