AN OBLIGATION MODEL FOR USAGE CONTROL

ABSTRACT How to control the access and usage of digital resources is one of the most important issues in computer security nowadays. Among them, how to control the resources when they have been passed to the client-side is a research hot spot. The Usage Control Model (UCON) has been proposed to solve this problem. In this research, we focus on one core component of the UCON model, the obligation. We propose a new obligation model to solve the problems the current ones can not deal with, especially for post-obligation. We also offer two testing scenarios, propose an architecture for a prototype based on the proposed model and apply the scenarios to the prototype architecture for proof-of-concept

Quantitative Evaluation and Reevaluation of Security in Services

Services are software components or systems designed to support interoperable machine or application-oriented interaction over a network. The popularity of services grows because they are easily accessible, very flexible, provide reach functionality, and can constitute more complex services. During the service selection, the user considers not only functional requirements to a service but also security requirements. The user would like to be aware that security of the service satisfies security requirements before starting the exploitation of the service, i.e., before the service is granted to access assets of the user. Moreover, the user wants to be sure that security of the service satisfies security requirements during the exploitation which may last for a long period. Pursuing these two goals require security of the service to be evaluated before the exploitation and continuously reevaluated during the exploitation. This thesis aims at a framework consisting of several quantitative methods for evaluation and continuous reevaluation of security in services. The methods should help a user to select a service and to control the service security level during the exploitation. The thesis starts with the formal model for general quantitative security metrics and for risk that may be used for the evaluation of security in services. Next, we adjust the computation of security metrics with a refined model of an attacker. Then, the thesis proposes a general method for the evaluation of security of a complex service composed from several simple services using different security metrics. The method helps to select the most secure design of the complex service. In addition, the thesis describes an approach based on the Usage Control (UCON) model for continuous reevaluation of security in services. Finally, the thesis discusses several strategies for a cost-effective decision making in the UCON unde

Usage control in service-oriented architectures

Abstract. Usage control governs the handling of sensitive data after it has been given away. The enforcement of usage control requirements is a challenge because the service requester in general has no control over the service provider’s information processing devices. We analyze applicable trust models, conclude that observation-based enforcement is often more appropriate than enforcement by direct control over the service provider’s actions, and present a logical architecture that blends both forms of enforcement with the business logics of serviceoriented architectures.