Common Representation of Information Flows for Dynamic Coalitions

We propose a formal foundation for reasoning about access control policies within a Dynamic Coalition, defining an abstraction over existing access control models and providing mechanisms for translation of those models into information-flow domain. The abstracted information-flow domain model, called a Common Representation, can then be used for defining a way to control the evolution of Dynamic Coalitions with respect to information flow

Context-Based Access for Infrequent Requests in Tanzania\u27s Health Care System

Access control is an important aspect of any information system. It is a way of ensuring that users can only access what they are authorised to and no more. This can be achieved by granting users access to resources based on pre-defined organisational and legislative rules. Although access control has been extensively studied, and as a result, a wide range of access control models, mechanisms and systems have been proposed, specific access control requirements for healthcare systems that needs to support the continuity of care in an accountable manner have not been addressed. This results in a gap between what is required by the application domain and what is actually practised, and thus access control solutions implemented for the domain become too restrictive. The continuity of care is defined as the delivery of seamless health care services to patients through integration, coordination and sharing of information between providers. This thesis, therefore, designs a context-based access control model that allows healthcare professionals to bypass access rules in an accountable manner in case of an infrequent access request involving an emergency situation. This research uses the Tanzania\u27s healthcare system as a case study domain

A Novel Cyberspace-Oriented Access Control Model

With the developments of mobile communication, networks and information technology, many new information service patterns and dissemination modes emerge with some security and privacy threats in access control, i.e., the ownership of data is separated from the administration of them, secondary/mutiple information distribution etc. Existing access control models, which are always proposed for some specific scenarios, are hardly to achieve fine-grained and adaptive access control. In this paper, we propose a novel Cyberspace-oriented Access Control model, termed as CoAC, which avoids the aforementioned threats by comprehensively considering some vital factors, such as the access requesting entity, general tense, access point, resource, device, networks, internet-based interactive graph and chain of resource transmission. By appropriately adjusting these factors, CoAC covers most of typical access control models and fulfills the requirements of new information service patterns and dissemination modes. We also present the administrative model of our proposed CoAC model and formally describe the administrative functions and methods used in the administrative model by utilizing Z-notation. Our CoAC is flexible and scalable, it can be further refined and expanded to figure out new opportunities and challenges in the upcoming access control techniques

Estabelecimento de redes de comunidades sobreponíveis

Doutoramento em Engenharia InformáticaUma das áreas de investigação em Telecomunicações de interesse crescente prende-se com os futuros sistemas de comunicações móveis de 4a geração e além destes. Nos últimos anos tem sido desenvolvido o conceito de redes comunitárias, no qual os utilizadores se agregam de acordo com interesses comuns. Estes conceitos têm sido explorados de uma forma horizontal em diferentes camadas da comunicação, desde as redes comunitárias de comunicação (Seattle Wireless ou Personal Telco, p.ex.) até às redes de interesses peer-to-peer. No entanto, estas redes são usualmente vistas como redes de overlay, ou simplesmente redes de associação livre. Na prática, a noção de uma rede auto-organizada, completamente orientada ao serviço/comunidade, integralmente suportada em termos de arquitetura, não existe. Assim este trabalho apresenta uma realização original nesta área de criação de redes comunitárias, com uma arquitetura subjacente orientada a serviço, e que suporta integralmente múltiplas redes comunitárias no mesmo dispositivo, com todas as características de segurança, confiança e disponibilização de serviço necessárias neste tipo de cenários (um nó pode pertencer simultaneamente a mais do que uma rede comunitária). Devido à sua importância para os sistemas de redes comunitárias, foi dado particular atenção a aspetos de gestão de recursos e controlo de acessos. Ambos realizados de uma forma descentralizada e considerando mecanismos dotados de grande escalabilidade. Para isso, é apresentada uma linguagem de políticas que suporta a criação de comunidades virtuais. Esta linguagem não é apenas utilizada para o mapeamento da estrutura social dos membros da comunidade, como para, gerir dispositivos, recursos e serviços detidos pelos membros, de uma forma controlada e distribuída.One of the research areas with increasing interest in the field of telecommunications, are the ones related to future telecommunication systems, both 4th generation and beyond. In parallel, during the last years, several concepts have been developed related to clustering of users according to their interested, in the form of community networks. Solutions proposed for these concepts tackle the challenges horizontally, for each layer of the communication stack, ranging from community based communication networks (e.g. Seattle Wireless, or Personal Telco), to interest networks based on peer-to-peer protocols. However, these networks are presented either as free joining, or overlay networks. In practice, the notion of a self-organized, service and community oriented network, with these principles embedded in its design principles, is yet to be developed. This work presents an novel instantiation of a solution in the area of community networks, with a underlying architecture which is fully service oriented, and envisions the support for multiple community networks in the same device. Considerations regarding security, trust and service availability for this type of environments are also taken. Due to the importance of resource management and access control, in the context of community driven communication networks, a special focus was given to the support of scalable and decentralized management and access control methods. For this purpose, it is presented a policy language which supports the creation and management of virtual communities. The language is not only used for mapping the social structure of the community members, but also to, following a distributed approach, manage devices, resources and services owned by each community member

Self-Protecting Access Control: On Mitigating Privacy Violations with Fault Tolerance

Self-protecting access control mechanisms can be described as an approach to enforcing security in a manner that automatically protects against violations of access control rules. In this chapter, we present a comparative analysis of standard Cryptographic Access Control (CAC) schemes in relation to privacy enforcement on the Web. We postulate that to mitigate privacy violations, self-protecting CAC mechanisms need to be supported by fault-tolerance. As an example of how one might to do this, we present two solutions that are inspired by the autonomic computing paradigm1. Our solutions are centered on how CAC schemes can be extended to protect against privacy violations that might arise from key updates and collusion attacks

Context-aware access control in ubiquitous computing (CRAAC)

Ubiquitous computing (UbiComp) envisions a new computing environment, where computing devices and related technology are widespread (i.e. everywhere) and services are provided at anytime. The technology is embedded discreetly in the environment to raise users' awareness. UbiComp environments support the proliferation of heterogeneous devices such as embedded computing devices, personal digital assistants (PDAs), wearable computers, mobile phones, laptops, office desktops (PCs), and hardware sensors. These devices may be interconnected by common networks (e.g. wired, wireless), and may have different levels of capabilities (i.e. computational power, storage, power consumption, etc). They are seamlessly integrated and interoperated to provide smart services (i.e. adaptive services). A UbiComp environment provides smart services to users based on the users' and/or system's current contexts. It provides the services to users unobtrusively and in turn the user's interactions with the environment should be as non-intrusive and as transparent as possible. Access to such smart services and devices must be controlled by an effective access control system that adapts its decisions based on the changes in the surrounding contextual information. This thesis aims at designing an adaptive fine-grained access control solution that seamlessly fits into UbiComp environments. The solution should be flexible in supporting the use of different contextual information and efficient, in terms of access delays, in controlling access to resources with divergent levels of sensitivity. The main contribution of this thesis is the proposal of the Context-Risk-Aware Access Control (CRAAC) model. CRAAC achieves fine-grained access control based upon the risk level in the underlying access environment and/or the sensitivity level of the requested resource object. CRAAC makes new contributions to the access control field, those include 1) introducing the concept of level of assurance based access control, 2) providing a method to convert the contextual attributes values into the corresponding level of assurance, 3) Proposing two methods to aggregate the set of level of assurance into one requester level of assurance, 4) supporting four modes of working each suits a different application context and/or access control requirements, 5) a comprehensive access control architecture that supports the CRAAC four modes of working, and 6) an evaluation of the CRAAC performance at runtime.EThOS - Electronic Theses Online Serviceral Centre and Educational BureauCairo UniversityGBUnited Kingdo

Analysis of the methods for attribute-based access control

Приведён аналитический обзор основных моделей и методов разграничения доступа, начиная от традиционных (DAC, MAC, RBAC) и до последних разработок—многочисленных моделей, реализующих атрибутное разграничение доступа (ABAC). Описана разрабатываемая в настоящее время модель типизированного атрибутного разграничения доступа (ТАРД). Сформулированы требования к методам разграничения доступа, обеспечивающие безопасное совместное использование информационных ресурсов как в локальных, так и в глобальных вычислительных средах. Проанализированы достоинства и недостатки существующих моделей ABAC. Показано, что модели ТАРД отвечают поставленным требованиям универсальности, гибкости, удобства администрирования, способствующим обеспечению безопасности разграничения доступа вне зависимости от типа операционной среды