370 research outputs found

    Identifying Native Applications with High Assurance

    The work described in this paper investigates the problem of identifying and deterring stealthy malicious processes on a host. We point out the lack of strong application identification in mainstream operating systems. We solve the application identification problem by proposing a novel identification model in which user-level applications are required to present identification proofs at run time to be authenticated by the kernel using an embedded secret key. The secret key of an application is registered with a trusted kernel using a key registrar and is used to uniquely authenticate and authorize the application. We present a protocol for secure authentication of applications. Additionally, we develop a system call monitoring architecture that uses our model to verify the identity of applications when making critical system calls. Our system call monitoring can be integrated with existing policy specification frameworks to enforce application-level access rights. We implement and evaluate a prototype of our monitoring architecture in Linux as device drivers with nearly no modification of the kernel. The results from our extensive performance evaluation show that our prototype incurs low overhead, indicating the feasibility of our model.

    A probabilistic approach to hybrid role mining

    Role mining algorithms address an important access control problem: configuring a role-based access control system. Given a direct assignment of users to permissions, role mining discovers a set of roles together with an assignment of users to roles. The results should closely agree with the direct assignment. Moreover, the roles should be understandable from the business perspective in that they reflect functional roles within the enterprise. This requires hybrid role mining methods that work with both direct assignments and business information from the enterprise. In this paper, we provide statistical measures to analyze the relevance of different kinds of business information for defining roles. We then present an approach that incorporates relevant business information into a probabilistic model with an associated algorithm for hybrid role mining. Experiments on actual enterprise data show that our algorithm yields roles that both explain the given user-permission assignments and are meaningful from the business perspective.

    Dynamic User-Oriented Role-Based Access Control Model (DUO-RBAC)

    Most researchers now tend to use role mining to generate a role-based access control model from the existing user-permission assignments. User-oriented role-based access control is a type of role-based access control model, which aims to use role mining from the end-user perspective to generate a user-oriented RBAC model, since the user mostly prefers simple and minimal role assignments. This research is the first for generating a dynamic user-oriented role-based access control model (DUO-RBAC) for inserting new user-permission assignments (new UPA) into the existing user-oriented RBAC model. As a quick clarification, if there is a system which has user-permission assignments, a user-oriented RBAC model can be generated which contains new roles, each one assigned to users and permissions. Then, if new users with new permissions should enter the system which has the model, we will regenerate a new model with new role assignments to include these new users. Re-generating roles will be done by our dynamic model, with three constraints. First, there are no changes in the number of role assignments for each user in the system after the inserting process, since the user will be conflicted if he has a different number of roles from time to time. Second, the permissions that each user has before the inserting process must be the same after generating the new model. Last, it takes into account that each user is assigned to no more than t roles (the maximum number of roles that each user can be assigned), where t is predefined in the existing user-oriented RBAC model. Also, we develop a new algorithm, which is based on user-oriented role mining, to find the optimal way of inserting the new user-permission assignments into the existing model. Our experiments were applied on benchmark “Access Control” real datasets to evaluate the results and show the effectiveness of our developed algorithm on several measures. Those measures are: the optimal number of roles to make the objective function minimized, the optimal number of user-role assignments, and generating a new model from the end-user perspective (keeping the newly generated model suitable from the end-user perspective).

    Modeling Support for Role-Based Delegation in Process-Aware Information Systems

    In the paper, an integrated approach for the modeling and enforcement of delegation policies in process-aware information systems is presented. In particular, a delegation extension for process-related role-based access control (RBAC) models is specified. The extension is generic in the sense that it can be used to extend process-aware information systems or process modeling languages with support for process-related RBAC delegation models. Moreover, the detection of delegation-related conflicts is discussed and a set of pre-defined resolution strategies for each potential conflict is provided. Thereby, the design-time and runtime consistency of corresponding RBAC delegation models can be ensured. Based on a formal metamodel, UML2 modeling support for the delegation of roles, tasks, and duties is provided. A corresponding case study evaluates the practical applicability of the approach with real-world business processes. Moreover, the approach is implemented as an extension to the BusinessActivity library and runtime engine.

    Automatic vs Manual Provenance Abstractions: Mind the Gap

    In recent years the need to simplify or to hide sensitive information in provenance has given way to research on provenance abstraction. In the context of scientific workflows, existing research provides techniques to semi-automatically create abstractions of a given workflow description, which is in turn used as filters over the workflow's provenance traces. An alternative approach that is commonly adopted by scientists is to build workflows with abstractions embedded into the workflow's design, such as using sub-workflows. This paper reports on the comparison of manual versus semi-automated approaches in a context where result abstractions are used to filter report-worthy results of computational scientific analyses. Specifically, we take a real-world workflow containing user-created design abstractions and compare these with abstractions created by ZOOM UserViews and Workflow Summaries systems. Our comparison shows that semi-automatic and manual approaches largely overlap from a process perspective; meanwhile, there is a dramatic mismatch in terms of data artefacts retained in an abstracted account of derivation. We discuss reasons and suggest future research directions. Comment: Preprint accepted to the 2016 workshop on the Theory and Applications of Provenance, TAPP 201