Toward Effective Access Control Using Attributes and Pseudoroles

Sharing of information is fundamental to modern computing environments across many application domains. Such information sharing, however, raises security and privacy concerns that require effective access control to prevent unauthorized access and ensure compliance with various laws and regulations. Current approaches such as Role-Based Access Control (RBAC), and Attribute-Based Access Control (ABAC) and their variants are inadequate. Although it provides simple administration of access control and user revocation and permission review, RBAC demands complex initial role engineering and makes access control static. ABAC, on the other hand, simplifies initial security setup and enables flexible access control, but increases the complexity of managing privileges, user revocation and user permissions review. These limitations of RBAC and ABAC have thus motivated research into the development of newer models that use attributes and policies while preserving RBAC\u27s advantages. This dissertation explores the role of attributes---characteristics of entities in the system---in achieving effective access control. The first contribution of this dissertation is the design and development of a secure access system using Ciphertext-Policy Attribute-Based Encryption (CP-ABE). The second contribution is the design and validation of a two-step access control approach, the BiLayer Access Control (BLAC) model. The first layer in BLAC checks whether subjects making access requests have the right BLAC pseudoroles---a pseudorole is a predefined subset of a subject\u27s static attributes. If requesting subjects hold the right pseudoroles, the second layer checks rule(s) within associated BLAC policies for further constraints on access. BLAC thus makes use of attributes effectively while preserving RBAC\u27s advantages. The dissertation\u27s third contribution is the design and definition of an evaluation framework for time complexity analysis, and uses this framework to compare BLAC model with RBAC and ABAC. The fourth contribution is the design and construction of a generic access control threat model, and applying it to assess the effectiveness of BLAC, RBAC and ABAC in mitigating insider threats

Secure access control for health information sharing systems

The 2009 Health Information Technology for Economic and Clinical Health Act (HITECH) encourages healthcare providers to share information to improve healthcare quality at reduced cost. Such information sharing, however, raises security and privacy concerns that require appropriate access control mechanisms to ensure Health Insurance Portability and Accountability Act (HIPAA) compliance. Current approaches such as Role-Based Access Control (RBAC) and its variants, and newer approaches such as Attribute-Based Access Control (ABAC) are inadequate. RBAC provides simple administration of access control and user permission review, but demands complex initial role engineering and makes access control inflexible. ABAC, on the other hand, simplifies initial setup but increases the complexity of managing privileges and user permissions. These limitations have motivated research into the development of newer access control models that use attributes and policies while preserving RBAC\u27s strengths. The BiLayer Access Control (BLAC) model is a two-step method being proposed to integrate attributes with roles: an access request is checked against pseudoroles, i.e., the list of subject attributes (first layer), and then against rules within the policies (second layer) associated with the requested object. This paper motivates the BLAC approach, outlines the BLAC model, and illustrates its usefulness to healthcare information sharing environments

Insider threat mitigation and access control in healthcare systems

Rapid and reliable information sharing of patient healthcare information has become critical for achieving better care with lower costs. However, such healthcare information sharing requires to be done securely with privacy guarantees, as required by law. Among its other requirements, the Health Insurance Portability and Accountability Act (HIPAA) requires the use of appropriate access control mechanisms to protect healthcare information. Despite these legal requirements, currently implemented access control models in the healthcare domain are typically inadequate as demonstrated by the large and increasing numbers of successful attacks on healthcare systems. In particular, current access control models do not provide sufficient protection for healthcare systems from attacks by insiders, i.e., authorized healthcare personnel. This paper examines how healthcare information can be protected from unauthorized or improper use, disclosure, alteration, and destruction by health- care providers. Using a holistic approach toward modeling access control, the authors construct a threat model for access control in healthcare systems. The constructed model is then used to assess the effectiveness of current access control mechanisms such as Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC), as well as the BiLayer Access Control (BLAC) model, which was proposed as a flexible, higher-performance replacement for both RBAC and ABAC

AAC-IoT: Attribute Access Control Scheme for IoT Using Lightweight Cryptography and Hyperledger Fabric Blockchain

The Internet of Things (IoT) is an integrated environment as it merges physical smart objects to the Internet via wireless technologies to share data. The global connectivity of IoT devices brings the needs to ensure security and privacy for data owners and data users. In this paper, an attribute-based access control scheme for IoT (AAC-IoT) using Hyperledger Fabric (HLF) blockchain is proposed to address the security challenges. In the AAC-IoT scheme, data owners are registered and authenticated using identities, certificates and signatures. Data users, however, are registered with identities, certificates, signatures and physical unclonable function (PUF); then a credence score is computed for users to predict the originality during authentication. For access control, attribute-based access control (ABAC) is used, and the number of attributes is selected based on the sensitivity of the data. In accordance with the attributes count, the access control policies are generated. The novel concept of attribute count is determined from a fuzzy logic method using data type and preference. Hyperledger Fabric (HLB) blockchain is presented to manage meta-data and security credentials from data owners and data users, respectively, using a lightweight hashing algorithm. The AAC-IoT model using HLF blockchain is developed with Java programming language and iFogSim simulator. The performance metrics are measured based on latency, throughput and storage overhead, and the results show better outcome than the previous research work

Privacy-Preserving Trust-Aware Group-Based Framework in Mobile Crowdsensing

In practical mobile crowdsensing (MCS) systems, many cooperative sensing tasks require a group of reliable participants to perform collaboratively. In this article, we address the problem of group formulation in MCS, which aims to recruit highly trusted participants and form a high-reputation group. We propose a novel Privacy-preserving Trust-Aware Group Formation (PTAGF) framework that ensures trust and privacy between the group members. This framework consists of three mechanisms; the member trust assessment mechanism, the group forming mechanism, and the two-layer privacy-preserving mechanism. Furthermore, we prove that the group forming problem is NP-hard, and thus propose a heuristic-based Trust-Aware Group Formulation (TAGF) algorithm. A theoretical analysis is provided, which demonstrates that the proposed framework achieves privacy and security. Finally, we experimentally evaluate the performance of PTAGF on a real-world dataset against two state-of-the-art approaches. The results demonstrate that PTAGF outperforms these approaches in terms of trustworthiness in group selection. Moreover, it achieves reasonable task coverage and running time with different communities size, group sizes, and task scales

Credit card fraud detection in the era of disruptive technologies: A systematic review

Credit card fraud is becoming a serious and growing problem as a result of the emergence of innovative technologies and communication methods, such as contactless payment. In this article, we present an in-depth review of cutting-edge research on detecting and predicting fraudulent credit card transactions conducted from 2015 to 2021 inclusive. The selection of 40 relevant articles is reviewed and categorized according to the topics covered (class imbalance problem, feature engineering, etc.) and the machine learning technology used (modelling traditional and deep learning). Our study shows a limited investigation to date into deep learning, revealing that more research is required to address the challenges associated with detecting credit card fraud through the use of new technologies such as big data analytics, large-scale machine learning and cloud computing. Raising current research issues and highlighting future research directions, our study provides a useful source to guide academic and industrial researchers in evaluating financial fraud detection systems and designing robust solutions