Toward Effective Access Control Using Attributes and Pseudoroles

Sharing of information is fundamental to modern computing environments across many application domains. Such information sharing, however, raises security and privacy concerns that require effective access control to prevent unauthorized access and ensure compliance with various laws and regulations. Current approaches such as Role-Based Access Control (RBAC), and Attribute-Based Access Control (ABAC) and their variants are inadequate. Although it provides simple administration of access control and user revocation and permission review, RBAC demands complex initial role engineering and makes access control static. ABAC, on the other hand, simplifies initial security setup and enables flexible access control, but increases the complexity of managing privileges, user revocation and user permissions review. These limitations of RBAC and ABAC have thus motivated research into the development of newer models that use attributes and policies while preserving RBAC\u27s advantages. This dissertation explores the role of attributes---characteristics of entities in the system---in achieving effective access control. The first contribution of this dissertation is the design and development of a secure access system using Ciphertext-Policy Attribute-Based Encryption (CP-ABE). The second contribution is the design and validation of a two-step access control approach, the BiLayer Access Control (BLAC) model. The first layer in BLAC checks whether subjects making access requests have the right BLAC pseudoroles---a pseudorole is a predefined subset of a subject\u27s static attributes. If requesting subjects hold the right pseudoroles, the second layer checks rule(s) within associated BLAC policies for further constraints on access. BLAC thus makes use of attributes effectively while preserving RBAC\u27s advantages. The dissertation\u27s third contribution is the design and definition of an evaluation framework for time complexity analysis, and uses this framework to compare BLAC model with RBAC and ABAC. The fourth contribution is the design and construction of a generic access control threat model, and applying it to assess the effectiveness of BLAC, RBAC and ABAC in mitigating insider threats

The Secured Cloud Storage with Efficient Key Generation in cloud computing

Many cloud storage encryption schemes have been acquainted with shield data from the individuals who don't approach. We make utilization of numerous schemes which expected that cloud storage suppliers are protected and secure. In any case, by and by, a few specialists (i.e., coercers) may endeavor to uncover data from the cloud without the authorization of the data proprietor. In this paper, we present that the discovery of namelessness clients with the utilization of our productive deniable encryption conspire, while the phony clients endeavors to get data from the cloud they will be given some phony files. With the goal that programmers can't hack the files from the cloud. Also, they are happy with their copy document by that way we can secure the proprietor mystery files or confidential files. Anyway by and by, a few specialists may propel cloud storage suppliers to make open client insider facts and confidential data. In this paper, we present our plan for another cloud storage encryption plot that empowers cloud storage suppliers to make persuading counterfeit client insider facts to secure client protection. Since coercers can't confess whenever acquired privileged insights are valid or not, the cloud storage supplier guarantee that client security is still safely ensured

A review of the state of the art in privacy and security in the eHealth cloud

The proliferation and usefulness of cloud computing in eHealth demands high levels of security and privacy for health records. However, eHealth clouds pose serious security and privacy concerns for sensitive health data. Therefore, practical and effective methods for security and privacy management are essential to preserve the privacy and security of the data. To review the current research directions in security and privacy in eHealth clouds, this study has analysed and summarized the state of the art technologies and approaches reported in security and privacy in the eHealth cloud. An extensive review covering 132 studies from several peer-reviewed databases such as IEEE Xplore was conducted. The relevant studies were reviewed and summarized in terms of their benefits and risks. This study also compares several research works in the domain of data security requirements. This paper will provide eHealth stakeholders and researchers with extensive knowledge and information on current research trends in the areas of privacy and security

Highly Scalable and Secure Mobile Applications in Cloud Computing Systems

Cloud computing provides scalable processing and storage resources that are hosted on a third-party provider to permit clients to economically meet real-time service demands. The confidentiality of client data outsourced to the cloud is a paramount concern since the provider cannot necessarily be trusted with read access to voluminous sensitive client data. A particular challenge of mobile cloud computing is that a cloud application may be accessed by a very large and dynamically changing population of mobile devices requiring access control. The thesis addresses the problems of achieving efficient and highly scalable key management for resource-constrained users of an untrusted cloud, and also of preserving the privacy of users. A model for key distribution is first proposed that is based on dynamic proxy re-encryption of data. Keys are managed inside the client domain for trust reasons, computationally-intensive re-encryption is performed by the cloud provider, and key distribution is minimized to conserve communication. A mechanism manages key evolution for a continuously changing user population. Next, a novel form of attribute-based encryption is proposed that authorizes users based on the satisfaction of required attributes. The greater computational load from cryptographic operations is performed by the cloud provider and a trusted manager rather than the mobile data owner. Furthermore, data re-encryption may be optionally performed by the cloud provider to reduce the expense of user revocation. Another key management scheme based on threshold cryptography is proposed where encrypted key shares are stored in the cloud, taking advantage of the scalability of storage in the cloud. The key share material erodes over time to allow user revocation to occur efficiently without additional coordination by the data owner; multiple classes of user privileges are also supported. Lastly, an alternative exists where cloud data is considered public knowledge, but the specific information queried by a user must be kept private. A technique is presented utilizing private information retrieval, where the query is performed in a computationally efficient manner without requiring a trusted third-party component. A cloaking mechanism increases the privacy of a mobile user while maintaining constant traffic cost

A security concept for distributed data processing systems

Today, the amount of raw data available is abundant. As only a small part of this data is in a form fit for further processing, there is many data left to analyze and process. At the same time, cloud services are ubiquitous and allow even small businesses to perform large tasks of distributed data processing without the significant costs required for a suitable computational infrastructure. However, as more and more users transfer their data into the cloud for processing and storage, concerns about data security arise. An extensive review of data security research in today's cloud solutions confirms these concerns to be justified. The existing strategies for securing one's data are not adequate for many use cases. Therefore, this work proposes a holistic security concept for distributed data processing in the cloud. For the purpose of providing security in heterogeneous cloud environments, it statically analyzes a data flow prior to execution and determines the optimal security measurements. Without imposing strict requirements on the cloud services involved, it can be deployed in a broad range of scenarios. The concept's generic design can be adopted by existing data rocessing tools. An exemplary implementation is provided for the mashup tool FlexMash. Requirements, such as data confidentiality, integrity, access control, and scalability were evaluated to be met.Die heutige Menge an vorhandenen Daten ist enorm. Viele davon müssen zunächst verarbeitet und analysiert werden, da nur ein geringer Teil dieser Daten für die weitere Verarbeitung geeignet ist. Cloud-basierte Dienste sind allgegenwärtig und erlauben es auch kleineren Unternehmen Datenverarbeitung durchzuführen, ohne die Kosten von notwendiger Infrastruktur tragen zu müssen. Mit einer zunehmenden Zahl an Nutzern von Clouds wachsen jedoch auch Bedenken der Sicherheit. Eine ausführliche Durchsicht der aktuellen Forschung zu diesem Thema bestätigt diese Bedenken und existierende Strategien zur Sicherung der eigenen Daten berücksichtigen viele Fälle nicht. Daher stellt diese Arbeit ein ganzheitliches Sicherheitskonzept für die verteilte Datenverarbeitung in der Cloud vor. Damit Sicherheit in heterogenen Cloudumgebungen gewährleistet werden kann, wird ein Datenfluss vor der Ausführung statisch analysiert und es werden die für diesen Fluss optimalen Sicherheitsmaßnahmen festgelegt. Das Konzept besitzt einen breiten Anwendungsbereich, da keine straffen Anforderungen an die genutzten Dienste gestellt werden. Das generische Design des Konzepts ermöglicht eine einfache Integration in bereits existierende Datenverarbeitungsanwendungen, wie beispielhaft an FlexMash gezeigt wird. Anforderungen, wie die Vertraulichkeit von Daten, deren Integrität, Zugriffskontrolle und Skalierbarkeit des Systems konnten erreicht werden

Novel reversible text data de-identification techniques based on native data structures

Technological development in today's digital world has resulted in the collection and storage of large amounts of personal data. These data enable both direct services and non-direct activities, known as secondary use. The secondary use of data can improve decision-making, service experiences, and healthcare systems. However, the widespread reuse of personal data raises significant privacy and policy issues, especially for health- related information; these data may contain sensitive data, leading to privacy breaches if compromised. Legal systems establish laws to protect the privacy of personal data disclosed for secondary use. A well-known example is the General Data Protection Regulation (GDPR), which outlines a specific set of rules for sharing and storing personal data to protect individual privacy. The GDPR explicitly points to data de-identification, especially pseudonymization, as one measure that can help meet the requirements for the processing of personal data. The literature on privacy preservation approaches has largely been developed in the field of data anonymization, where personal data are irreversibly removed or obfuscated and there is no means by which to recover an individual's identity if needed. By contrast, pseudonymization is a promising technique to protect privacy while enabling the recovery of de-identified data. Significantly, many existing approaches for pseudonymization were developed long before the GDPR requirements were established, and so they may fail to satisfy its provisions. Therefore, it is worthwhile to offer technical solutions to preserve privacy while supporting the legitimate use of data. This thesis proposes a novel de-identification system for unstructured textual data, known as ARTPHIL, that generates de-identified data in compliance with the GDPR requirement for strong pseudonymization. The system was evaluated using 2014 i2b2 testing data. The proposed system achieved a recall of 96.93% in terms of detecting and encrypting personal health information, as specified under guidelines provided by the Health Insurance Portability and Accountability Act (HIPAA). The system used a novel and lightweight cryptography algorithm E-ART to encrypt personal data cost-effectively and without compromising security. The main novelty of the E-ART algorithm is the use of the reflection property of a balanced binary tree data structure as substitution method instead of complex and multiple iterations. The performance and security of the proposed algorithm were compared to two symmetric encryption algorithms: The Advanced Encryption Standard and Data Encryption Standard. The security analysis showed comparable results, but the performance analysis indicated that E‐ART had the shortest ciphertext and running time with comparable memory usage, which indicates the feasibility of using ARTPHIL for delay-sensitive or data-intensive application

Cyber Security

This open access book constitutes the refereed proceedings of the 16th International Annual Conference on Cyber Security, CNCERT 2020, held in Beijing, China, in August 2020. The 17 papers presented were carefully reviewed and selected from 58 submissions. The papers are organized according to the following topical sections: access control; cryptography; denial-of-service attacks; hardware security implementation; intrusion/anomaly detection and malware mitigation; social network security and privacy; systems security

Европейский и национальный контексты в научных исследованиях

В настоящем электронном сборнике «Европейский и национальный контексты в научных исследованиях. Технология» представлены работы молодых ученых по геодезии и картографии, химической технологии и машиностроению, информационным технологиям, строительству и радиотехнике. Предназначены для работников образования, науки и производства. Будут полезны студентам, магистрантам и аспирантам университетов.=In this Electronic collected materials “National and European dimension in research. Technology” works in the fields of geodesy, chemical technology, mechanical engineering, information technology, civil engineering, and radio-engineering are presented. It is intended for trainers, researchers and professionals. It can be useful for university graduate and post-graduate students