130,246 research outputs found
Modularity for Security-Sensitive Workflows
An established trend in software engineering insists on using components
(sometimes also called services or packages) to encapsulate a set of related
functionalities or data. By defining interfaces specifying what functionalities
they provide or use, components can be combined with others to form more
complex components. In this way, IT systems can be designed by mostly re-using
existing components and developing new ones to provide new functionalities. In
this paper, we introduce a notion of component and a combination mechanism for
an important class of software artifacts, called security-sensitive workflows.
These are business processes in which execution constraints on the tasks are
complemented with authorization constraints (e.g., Separation of Duty) and
authorization policies (constraining which users can execute which tasks). We
show how well-known workflow execution patterns can be simulated by our
combination mechanism and how authorization constraints can also be imposed
across components. Then, we demonstrate the usefulness of our notion of
component by showing (i) the scalability of a technique for the synthesis of
run-time monitors for security-sensitive workflows and (ii) the design of a
plug-in for the re-use of workflows and related run-time monitors inside an
editor for security-sensitive workflows
An Innovative Workspace for The Cherenkov Telescope Array
The Cherenkov Telescope Array (CTA) is an initiative to build the next
generation, ground-based gamma-ray observatories. We present a prototype
workspace developed at INAF that aims at providing innovative solutions for the
CTA community. The workspace leverages open source technologies providing web
access to a set of tools widely used by the CTA community. Two different user
interaction models, connected to an authentication and authorization
infrastructure, have been implemented in this workspace. The first one is a
workflow management system accessed via a science gateway (based on the Liferay
platform) and the second one is an interactive virtual desktop environment. The
integrated workflow system allows to run applications used in astronomy and
physics researches into distributed computing infrastructures (ranging from
clusters to grids and clouds). The interactive desktop environment allows to
use many software packages without any installation on local desktops
exploiting their native graphical user interfaces. The science gateway and the
interactive desktop environment are connected to the authentication and
authorization infrastructure composed by a Shibboleth identity provider and a
Grouper authorization solution. The Grouper released attributes are consumed by
the science gateway to authorize the access to specific web resources and the
role management mechanism in Liferay provides the attribute-role mapping
A Sustainable Model based on the Social Network Service to Support the Research Cycle
Third International Conference on Open Repositories 2008, 1-4 April 2008, Southampton, United KingdomIn this paper, we analyze requirements for institutional repositories from the viewpoint of the research cycle, and find that it is critical any existing repository system has little functions managing social relations of researchers. This leads us to a general model in which an SNS platform is an interface for researchers and an institutional repository is a backyard system. The SNS platform enables researchers to work together with co-workers. In addition to the interface, the SNS platform provides authentication and authorization mechanism for other backyard systems. Due to the mechanism, we can use, for instance, a search engine with the access control. Therefore academic resources not available to the public, such as a manuscript of a paper, can be safely indexed. Managing the authentication and authorization mechanism is done in a sustainable manner, compared to other standard authentication or authorization systems, such as SSO or ACL (Access Control List)
Generic POLCA : a production and materials flow control mechanism for quick response manufacturing
A production and materials flow control mechanism for quick response manufacturing (QRM) is proposed. This is
called generic paired-cell overlapping loops of cards with authorization (GPOLCA). It is an adaptation of the POLCA
mechanism developed as part of the QRM strategy. GPOLCA implements an input–output control order release strategy
based on an inventory of production authorization cards instead of materials. It is best suited for companies that
manufacture large variety of products with variable demand. A description of GPOLCA is made together with a
comparative study of its performance in relation with other mechanisms namely MRP and POLCA. The results show that
GPOLCA attains better performance
PCPT and ACPT: Copyright Protection and Traceability Scheme for DNN Models
Deep neural networks (DNNs) have achieved tremendous success in artificial
intelligence (AI) fields. However, DNN models can be easily illegally copied,
redistributed, or abused by criminals, seriously damaging the interests of
model inventors. The copyright protection of DNN models by neural network
watermarking has been studied, but the establishment of a traceability
mechanism for determining the authorized users of a leaked model is a new
problem driven by the demand for AI services. Because the existing traceability
mechanisms are used for models without watermarks, a small number of
false-positives are generated. Existing black-box active protection schemes
have loose authorization control and are vulnerable to forgery attacks.
Therefore, based on the idea of black-box neural network watermarking with the
video framing and image perceptual hash algorithm, a passive copyright
protection and traceability framework PCPT is proposed that uses an additional
class of DNN models, improving the existing traceability mechanism that yields
a small number of false-positives. Based on an authorization control strategy
and image perceptual hash algorithm, a DNN model active copyright protection
and traceability framework ACPT is proposed. This framework uses the
authorization control center constructed by the detector and verifier. This
approach realizes stricter authorization control, which establishes a strong
connection between users and model owners, improves the framework security, and
supports traceability verification
Process Driven Access Control and Authorisation Approach
Compliance to regulatory requirements is key to successful collaborative business process execution. The review the EU general data protection regulation (GDPR) brought to the fore the need to comply with data privacy. Access control and authorization mechanisms in workflow management systems based on roles, tasks and attributes do not sufficiently address the current complex and dynamic privacy requirements in collaborative business process environments due to diverse policies. This paper proposes process driven authorization as an alternative approach to data access control and authorization where access is granted based on legitimate need to accomplish a task in the business process. Due to vast sources of regulations, a mechanism to derive and validate a composite set of constraints free of conflicts and contradictions is presented. An extended workflow tree language is also presented to support constraint modeling. An industry case Pick and Pack process is used for illustration
Honeykeys: deception mechanisms in single packet authorization
Single packet authorization is a technique that allows shielding a protected network service from an outside world. The protection is achieved by hiding the respective transport layer port until cryptographically protected packet received by another service authorizes port opening. The technique has a known weakness related to the key leakage. If secret key is known to the attacker, the shield can be removed by one message. The paper proposes to use a novel Honeykeys authorization scheme that is aimed at deceiving the attacker by storing decoy cryptographic keys on both server and client sides along with the actual keys. In such scheme, if keys are compromised it will not lead to the full-scale system compromise. In addition to that, Honeykeys scheme allows establishing segregation of duties in the authorization process and enables early detection of compromised keys. Apart from presenting theoretical concept of Honeykeys the paper shows preliminary implementation results from the pilot project. These results show acceptable authorization delay times imposed by additional security mechanism
Enhanced security architecture for support of credential repository in grid computing.
Grid Computing involves heterogeneous computers and resources, multiple administrative domains and the mechanisms and techniques for establishing and maintaining effective and secure communications between devices and systems. Both authentication and authorization are required. Current authorization models in each domain vary from one system to another, which makes it difficult for users to obtain authorization across multiple domains at one time. We propose an enhanced security architecture to provide support for decentralized authorization based on attribute certificates which may be accessed via the Internet. This allows the administration of privileges to be widely distributed over the Internet in support of autonomy for resource owners and providers. In addition, it provides a uniform approach for authorization which may be used by resource providers from various domains. We combine authentication with the authorization mechanism by using both MyProxy online credential repository and LDAP directory server. In our architecture, we use MyProxy server to store identity certificates for authentication, and utilize an LDAP server-based architecture to store attribute certificates for authorization. Using a standard web browser, a user may connect to a grid portal and allow the portal to retrieve those certificates in order to access grid resources on behalf of the user. Thus, our approach can make use of the online credential repository to integrate authentication, delegation and attribute based access control together to provide enhanced, flexible security for grid system. Paper copy at Leddy Library: Theses & Major Papers - Basement, West Bldg. / Call Number: Thesis2004 .C54. Source: Masters Abstracts International, Volume: 43-01, page: 0231. Adviser: R. D. Kent. Thesis (M.Sc.)--University of Windsor (Canada), 2004
- …