Distributed Access Control for Web and Business Processes
Middleware influenced the research community in developing a number of systems for controlling access to distributed resources. Nowadays a new paradigm for the lightweight integration of business resources from different partners is starting to take hold – Web Services and Business Processes for Web Services. Security and access control policies for Web Services protocols and distributed systems are well studied and almost standardized, but there is not yet a comprehensive proposal for an access control architecture for business processes. So, it is worth looking at the available approaches to distributed authorization as a starting point for a better understanding of what they already have and what they still need to address the security challenges for business processes.
Security Specification Language for Distributed Health Information System (DiHIS)
The introduction of policy-based management to manage distributed,
complex and numerous systems is widely accepted and used in various sectors.
Policy creators create policies that best suit their operations and management. Since
there are numerous policies, this research focuses only on the security policies which
are assigned to the distributed health information system. In order to
implement the security policies, we need a language that can represent the security
policies for a distributed health information system completely. From the literature review
conducted, numerous security languages have been introduced over the past two
decades. Those languages each take their own approach to representing security policy,
and some of them do not support the characteristics of a distributed system. There is no
security language to implement the security policy for a distributed health information
system. This thesis introduces a security language, called DiHIS, to implement security
policies in a distributed health information system. In addition,
three existing security languages are used for discussion and comparison with the proposed
DiHIS security language: ASL, LaSCO and Ponder. The DiHIS security language
has shown that it is able to represent the Security Policy Model for Clinical Information
System completely compared to those three security languages. This language also has
added value in that it covers the Need To Know Policy, which the other security languages do
not. The Need To Know Policy is one of the crucial issues in the health sector. The DiHIS security
language has also been tested with an application domain in health information systems.
The strength of the language can be seen in the ability of DiHIS to represent the
security policies in various connections between the various organizations involved in
a distributed health information system.
Globally reasoning about localised security policies in distributed systems
In this report, we aim at establishing proper ways for model checking the
global security of distributed systems, which are designed as consisting of a set of
localised security policies that enforce specific issues about the security
expected.
The systems are formally specified following a syntax, defined in detail in
this report, and their behaviour is clearly established by the Semantics, also
defined in detail in this report. The systems include the formal attachment of
security policies into their locations, whose intended interactions are trapped
by the policies, aiming at taking access control decisions of the system, and
the Semantics also takes care of this.
Using the Semantics, a Labelled Transition System (LTS) can be induced for
every particular system, and over this LTS some model checking tasks could be
done. We identify how this LTS is indeed obtained, and propose an alternative
way of model checking the not-yet-induced LTS, by using the system design
directly. This may lead to over-approximation thereby producing imprecise,
though safe, results. We restrict ourselves to finite systems, for the sake of
being certain about the decidability of the proposed method.
To illustrate the usefulness and validity of our proposal, we present 2 small
case-study-like examples, where we show how the system can be specified, which
policies could be added to it, and how to decide if the desired global security
property is met.
Finally, an Appendix is given for digging deeply into how a tool for
automatically performing this task is being built, including some
implementation issues. The tool takes advantage of the proposed method, and
given some system and some desired global security property, it safely (i.e.
without false positives) ensures satisfaction of it.
Integrating security policy design in the software design
Security is an integral part of most distributed modern software systems, but
is still not considered as an explicit part in the development process.
Security mechanisms and policies are generally added to existing systems as an
afterthought, with all the problems of unsatisfied security requirements,
integration difficulties and mismatches between running system and the design
models. We propose to integrate the design of application-oriented access
control policies early into the system’s development process. The standard
language for modeling the design of systems, the Unified Modeling Language
(UML), is used to specify access control policies. Within the integration we
will develop extensions of the UML model to support the automatic generation and
verification of an access control policy to configure a distributed
component-based system for view-based access control.
Ponder: A Language for Specifying Security and Management Policies for Distributed Systems
Working Paper
An introduction to Quality of Security Services
We examine the concept of security as a dimension of Quality of Service in distributed systems. We provide a discussion and examples of user-specified security variables and show how the range of service levels associated with these variables can support the provision of Quality of Security Service. We also discuss various design implications regarding security ranges provided in a QoS-aware distributed system. Our goal has been to provide an understanding of QoSS and variant security, and to determine whether these concepts can be useful in improving security service and system performance in QoS-aware distributed systems. We described the general requirements for system attributes to participate in the provision of Quality of Service, and described how certain security attributes might meet these requirements. We then described various forms of user and application security "ranges" and showed how these ranges can make sense in relation to existing security policies, when those ranges are presented as user choices. Finally we described security ranges as forming a coherent system of relationships in a distributed multi-tiered system. Our conclusion is that it may be possible for security to be a semantically meaningful dimension of Quality of Service without compromising existing security policies. Further study is needed to understand the effectiveness of QoSS in improving system performance in QoS-aware systems. Approved for public release; distribution is unlimited.
EFFICIENT RUNTIME SECURITY SYSTEM FOR DECENTRALISED DISTRIBUTED SYSTEMS
Distributed systems can be defined as systems that are scattered over geographical distances and provide different activities through communication, processing, data transfer and so on, thus increasing the cooperation, efficiency, and reliability to deal with users and data resources jointly. For this reason, distributed systems have been shown to be a promising infrastructure for most applications in the digital world. Despite their advantages, keeping these systems secure is a complex task because of the unconventional nature of distributed systems, which can produce many security problems like phishing, denial of service or eavesdropping. Therefore, adopting security and privacy policies in distributed systems will increase the trustworthiness between the users and these systems. However, adding or updating security is considered one of the most challenging concerns, and this relies on various security vulnerabilities which exist in distributed systems. The most significant one is inserting or modifying a new security concern or even removing it according to the security status which may appear at runtime. Moreover, these problems will be exacerbated when the system adopts the multi-hop concept as a way to deal with transmitting and processing information. This can pose many significant security challenges, especially if dealing with decentralized distributed systems where the security must be furnished end-to-end. Unfortunately, existing solutions are insufficient to deal with these problems, such as CORBA, which is considered a one-to-one relationship only, or DSAW, which deals with end-to-end security but without taking into account the possibility of changing information sensitivity during runtime. This thesis provides a proposed mechanism for enforcing security policies and dealing with distributed systems’ security weaknesses in terms of the software perspective.
The proposed solution utilised Aspect-Oriented Programming (AOP) to address security concerns during compilation and running time. The proposed solution is based on a decentralized distributed system that adopts the multi-hop concept to deal with different requested tasks. The proposed system focused on how to achieve high accuracy, data integrity and high efficiency of the distributed system in real time. This is done through modularising the most efficient security solutions, Access Control and Cryptography, by using an Aspect-Oriented Programming language. The experiments’ results show the proposed solution overcomes the shortcomings of the existing solutions by fully integrating with the decentralized distributed system to achieve dynamic, high cooperation, high performance and end-to-end holistic security.
Stochastic Tools for Network Intrusion Detection
With the rapid development of the Internet and the sharp increase of network
crime, network security has become very important and received a lot of
attention. We model security issues as stochastic systems. This allows us to
find weaknesses in existing security systems and propose new solutions.
Exploring the vulnerabilities of existing security tools can prevent
cyber-attacks from taking advantage of the system weaknesses. We propose a
hybrid network security scheme including intrusion detection systems (IDSs) and
honeypots scattered throughout the network. This combines the advantages of two
security technologies. A honeypot is an activity-based network security system,
which could be the logical supplement of the passive detection policies used by
IDSs. This integration forces us to balance security performance versus cost by
scheduling device activities for the proposed system. By formulating the
scheduling problem as a decentralized partially observable Markov decision
process (DEC-POMDP), decisions are made in a distributed manner at each device
without requiring centralized control. The partially observable Markov decision
process (POMDP) is a useful choice for controlling stochastic systems. As a
combination of two Markov models, POMDPs combine the strength of the hidden Markov
model (HMM) (capturing dynamics that depend on unobserved states) and that of the
Markov decision process (MDP) (taking the decision aspect into account).
Decision making under uncertainty is used in many parts of business and
science. We use it here for security tools. We adopt a high-quality approximation
solution for finite-space POMDPs with the average cost criterion, and their
extension to DEC-POMDPs. We show how this tool could be used to design a
network security framework.
Comment: Accepted by International Symposium on Sensor Networks, Systems and
Security (2017)