646 research outputs found

    Expressive Policy-Based Access Control for Resource-Constrained Devices

    Upcoming smart scenarios enabled by the Internet of Things envision smart objects that expose services that can adapt to user behavior or be managed with the goal of achieving higher productivity, often in multi-stakeholder applications. In such environments, smart things are cheap sensors (and actuators) and, therefore, constrained devices. However, they are also critical components because of the importance of the provided information. Therefore, strong security is a must. Nevertheless, existing feasible approaches do not cope well with the principle of least privilege; they lack both expressiveness and the ability to update the policy to be enforced in the sensors. In this paper, we propose an access control model that comprises a policy language that provides dynamic fine-grained policy enforcement in the sensors based on local context conditions. This dynamic policy cycle requires a secure, efficient, and traceable message exchange protocol. For that purpose, a security protocol called Hidra is also proposed. A security and performance evaluation demonstrates the feasibility and adequacy of the proposed protocol and access control model. This work was supported in part by the Training and Research Unit through UPV/EHU under Grant UFI11/16 and in part by the Department of Economic Development and Competitiveness of the Basque Government through the Security Technologies SEKUTEK Collaborative Research Projec

    Context-driven Policies Enforcement for Edge-based IoT Data Sharing-as-a-Service

    Sharing real-time data originating from connected devices is crucial to real-world intelligent Internet of Things (IoT) applications, i.e., based on artificial intelligence/machine learning (AI/ML). Such IoT data sharing involves multiple parties for different purposes and is usually based on data contracts that might depend on the dynamic change of IoT data variety and velocity. It is still an open challenge to support multiple parties (aka tenants) with these dynamic contracts based on the data value for their specific contextual purposes. This work addresses these challenges by introducing a novel dynamic context-based policy enforcement framework to support IoT data sharing (on-Edge) based on dynamic contracts. Our enforcement framework allows IoT Data Hub owners to define extensible rules and metrics to govern the tenants in accessing the shared data on the Edge based on policies defined with static and dynamic contexts. We have developed a proof-of-concept prototype for sharing sensitive data such as surveillance camera videos to illustrate our proposed framework. The experimental results demonstrated that our framework could soundly and timely enforce context-based policies at runtime with moderate overhead. Moreover, the context and policy changes are correctly reflected in the system in nearly real-time.

    Security Management System for 4G Heterogeneous Networks

    There is constant demand for the development of mobile networks to meet the service requirements of users, and their development is a significant topic of research. The current fourth generation (4G) of mobile networks are expected to provide high speed connections anywhere at any time. Various existing 4G architectures such as LTE and WiMax support only wireless technologies, while an alternative architecture, Y-Comm, has been proposed to combine both existing wired and wireless networks. Y-Comm seeks to meet the main service requirements of 4G by converging the existing networks, so that the user can get better service anywhere and at any time. One of the major characteristics of Y-Comm is heterogeneity, which means that networks with different topologies work together to provide seamless communication to the end user. However, this heterogeneity leads to technical issues which may compromise quality of service, vertical handover and security. Due to the convergence characteristic of Y-Comm, security is considered more significant than in the existing LTE and WiMax networks. These security concerns have motivated this research study to propose a novel security management system. The research aims to meet the security requirements of 4G mobile networks, e.g. preventing end user devices from being used as attack tools. This requirement has not been met clearly in previous studies of Y-Comm, but this study proposes a security management system which does this. This research follows the ITU-T recommendation M.3400 dealing with security violations within Y-Comm networks. It proposes a policy-based security management system to deal with events that trigger actions in the system and uses Ponder2 to implement it. The proposed system, located in the top layer of the Y-Comm architecture, interacts with components of Y-Comm to enforce the appropriate policies. 
    Its four main components are the Intelligent Agent, the Security Engine, the Security Policies Database and the Security Administrator. These are represented in this research as managed objects to meet design considerations such as extensibility and modifiability. This research demonstrates that the proposed system meets the security requirements of the Y-Comm environment. Its deployment is possible with managed objects built with Ponder2 for all of the components of Y-Comm, which means that the security management system is able to prevent end user devices from being used as attack tools. It can also achieve other security goals of Y-Comm networks.

    Building a payment card skimmer database

    With the rise of credit cards as an integral part of the economy, crime related to them has risen accordingly. One of the most common ways to steal credit card data is through skimmers in gas-pumps. The skimmer device consists of a simple PCB (printed circuit board), and it is inserted inside the gas-pump to steal consumer's credit cards. Incurred costs due to fraud can go well into the thousands per person. Criminals install multiple skimmers across counties and states in the US. When skimmers are eventually discovered it is practically impossible for police to conduct a successful investigation on them. Police departments rarely collaborate on these sorts of cases that span different counties and states, which eliminates any possibility of them being solved. Skimmer Tracker is a web application that lets law enforcement agencies publish the skimmers they find. With this sharing of evidence we aim to group different skimmers and connect them as part of the same case through computer vision based analysis.