In recent years, a large number of renewable energy power plants have been built all over the country, which has led to a sharp increase in the pressure on the current centralized electricity trading platform. There are data storage bottlenecks and data privacy problems in the current blockchain-based power transaction and access control system. In this paper, the interstellar file system is proposed to store the data of the new distributed power trading platform in a distributed way, so as to improve the storage capacity of the physical nodes; an improved ciphertext strategy attribute encryption scheme, which is lightweight, traceable and supports outsourced decryption combined with state secret algorithm, is adopted to integrate the user’s unique identity into the user’s private key and part of the expensive decryption calculation is outsourced to the cloud server to realize fine-grained data access control in the electricity market. The experimental results show that compared to the basic CP-ABE scheme, when the encryption attribute is 100, the decryption time of the proposed scheme is reduced from 556 ms to 1.1 ms; compared to blockchain-based solutions alone, when storing data of 15 MB, GAS consumption decreases from 2968738133 to 89360. The scheme can greatly improve the storage capacity of the system, improve the operational efficiency and meet the actual performance requirements.
In recent years, blockchain (BC) technologies have been increasing for data secrecy, system reliability and safety. BC is vulnerable to cyberattacks despite its utility. According to the statistics, attacks are rare, which differs greatly from the average. The goal of BC attack detection is to discover insights, patterns and anomalies within massive data repositories, and it may benefit from deep learning. In this paper, the Prevention of Insider Attacks using Blockchain with Hierarchical Auto-associative Polynomial Convolutional Neural Network in Cloud Platform (PIS-BCNN-CP) is proposed. Here, the node authentication is handled by the smart contract. The aim of authorizing a node is to confirm that only a particular node has the possibility to submit and recover the information. Then a Hierarchical Auto-associative Polynomial Convolutional Neural Network (HAAPCNN) is proposed to detect the Insider Attacks as Malicious and Normal. Generally, HAAPCNN does not agree with any optimization strategies to determine the optimal parameters for guaranteeing the exact detection of insider attacks. Hence, the Bear Smell Search Algorithm (BSSA) is exploited to optimize the weight parameters of the HAAPCNN. The BC-enabled secure data storage depends on the Proof of Continuous Work (PoCW) consensus BC algorithm. The proposed system is implemented and evaluated using performance metrics. The results provide higher accuracy and a lower False Negative Rate when compared with existing state-of-the-art methods.
Since the advent of networked systems, fuzzy graph theory has surfaced as a fertile paradigm for handling uncertainties and ambiguities. Among the different modes of handling challenges created by the uncertainties and ambiguities of current networked systems, integrating fuzzy graph theory with cryptography has emerged as the most promising approach. In this regard, this review paper elaborates on potentially studying fuzzy graph-based cryptographic techniques, application perspectives, and future research directions. Since the expressive power of fuzzy graphs allows the cryptographic schemes to handle imprecise information and to enhance security in many domains, several domains have benefited, such as image encryption, key management, and attribute-based encryption. The paper analyzes in depth the research landscape, mainly by focusing on the varied techniques used, such as fuzzy logic for key generation and fuzzy attribute representation for access control policies. A comparison with performance metrics unveils the trade-offs and advantages of different fuzzy graph-based approaches in efficiency, security strength, and computational overhead. Additionally, the survey explores the security applications of fuzzy graph-based cryptography and underpins potential development for secure communication in wireless sensor networks, privacy-preserving data mining, fine-grained access control in cloud computing, and blockchain security. Some challenges and research directions, such as the standardization of fuzzy logic operators, algorithmic optimization, integration with emerging technologies, and exploitation of post-quantum cryptography applications, are also brought out. This review will thus bring insight into this interdisciplinary domain and stimulate further research for the design of more robust, adaptive, and secure cryptographic systems in the wake of rising complexities and uncertainties.
In a wireless sensor network, we often require the deployment of new nodes to extend the lifetime of the network because some sensor nodes may be lost due to power exhaustion or may be malicious nodes. In order to prevent malicious nodes from joining the sensor network, the access control mechanism becomes a major challenge in the design of sensor network protocols. Existing access control protocols designed for wireless sensor networks either require high communication overheads or are not scalable due to the involvement of the base station during the authentication and key establishment processes. In this paper, we propose a new access control scheme for large-scale distributed wireless sensor networks, which not only identifies the identity of each node but also has the ability to differentiate between old nodes and new nodes. The proposed scheme does not require involvement of the base station during the authentication and key establishment processes, and it can be easily implemented as a dynamic access control protocol. In addition, our scheme significantly reduces the communication costs needed to authenticate neighbor nodes to each other and to establish symmetric keys between neighbor nodes as compared with existing approaches. Further, our scheme is secure against different attacks and unconditionally secure against node capture attacks. The simulation results of our scheme using the AVISPA (Automated Validation of Internet Security Protocols and Applications) tool ensure that our scheme is safe.
In recent years, intense usage of computing has been the main strategy of investigations in several scientific research projects. The progress in computing technology has opened unprecedented opportunities for systematic collection of experimental data and the associated analysis that were considered impossible only a few years ago.
This paper focuses on the strategies in use: it reviews the various components that are necessary for an effective solution that ensures the storage, the long term preservation, and the worldwide distribution of large quantities of data that are necessary in a large scientific research project.
The paper also mentions several examples of data management solutions used in High Energy Physics for the CERN Large Hadron Collider (LHC) experiments in Geneva, Switzerland, which generate more than 30,000 terabytes of data every year that need to be preserved, analyzed, and made available to a community of several tens of thousands of scientists worldwide.
Access control in a hierarchy refers to a selective access to a database. A large number of users work with the same database. These users are organized in a hierarchical structure and therefore have different access rights to the data. This paper offers a solution to the problem of access control in a hierarchy based on quantum cryptography. Each user has two keys: a classical key and a quantum key. Our scheme offers several security advantages over the classical schemes to date. It protects users from identity theft and prevents collusion attacks. Most importantly though, our scheme adapts to dynamic changes of the user hierarchy: users may join, leave, or change position in the hierarchy, without affecting the rest of the user structure.
Security is a concept which people recognize as important, yet regularly ignore for reasons such as cost or design constraints. The world is quickly shifting towards the wireless with phenomena akin to the Internet of Things (IoT) accelerating this progression. Technologies like Bluetooth Low Energy and Radio Frequency Identification are greatly entwined with this trend, and research has been made into reinforcing protection methods. However, security is a choice made by the designer and more often than not is given decreased priority. With the improved creativity and sophistication of malicious exploits this is becoming far less acceptable. Theft of data is trivial for a user with the correct skillset and will be successful without proper defences. Further research needs to be done in the field, and encouraging consistent security practices is an appropriate start.
The rapid growth of communication networking, ubiquitous sensing, and signal processing has promoted the development of the Internet of Things (IoT). However, the IoT is essentially dynamic and has no clearly defined network boundary, so unauthorized access and data leakage may be much easier. Attribute-based access control (ABAC) can solve the problem of fine-grained access control and large-scale user dynamic expansion in complex information systems, and provides an ideal access control solution for an open network environment, which is more suitable for the dynamic access environment of IoT. However, the dynamic nature of IoT brings new challenges to access control. On the one hand, as new devices and services are continuously deployed, administrators need to manually formulate new rules, which is time-consuming and error-prone. On the other hand, as the IoT environment is continuously changing, the access policy easily becomes unsuitable for the current environment. In order to solve the above two problems, we propose a new scheme named Policy Maintenance-based machine learning (PMML), which includes two modules named Policy Generalization (PG) and Policy Evaluation (PE). After the access control model is deployed, automated PG and PE are carried out to maintain the rule set. In the PG module, we define a novel measure, resource similarity, and integrate it into policy mining so that policies can generalize among related resources. In the PE module, we introduce a quantitative method to assess rules and prune low-quality rules. We conduct our experiments on real-world enterprise access logs from Amazon, and thoroughly analyze the effects of different hyper-parameters on the experimental results. The experimental results have qualitatively and quantitatively shown the effectiveness of our proposed scheme.
One of the main features of information flow control is to ensure the enforcement of privacy and regulated accessibility. However, most information flow models that have been proposed do not provide substantial assurance to enforce end-to-end confidentiality policies or they are too restrictive, overprotected, and inflexible. This paper presents an approach to control flow information in object-oriented systems using versions, thus allowing considerable flexibility without compromising system security by leaking sensitive information. Models based on message filtering intercept every message exchanged among objects to control the flow of information. Versions are proposed to provide flexibility and avoid unnecessary and undesirable blocking of messages during the filtering process. Two options of operations are supported by versions — cloning reply and non-cloning reply. Furthermore, we present an algorithm which enforces message filtering through these operations.
Although RDF ontologies are expressed based on XML syntax, existing methods to protect XML documents are not suitable for securing RDF ontologies. The graph style and inference feature of RDF ontologies demand new methods for access control. Driven by this goal, this paper proposes a query-oriented model for RDF ontology access control. The model adopts the concept of ontology view to rewrite user queries. In our approach, ontology views define the accessible ontology concepts and instances a user can visit, and enable a controlled inference capability for the user. The design of the views guarantees that the views are free of conflict. Based on that, the paper describes algorithms for rewriting queries according to different views, and provides a system architecture along with an implemented prototype. In the evaluation, the system exhibits a promising result in terms of effectiveness and soundness.
Mandatory access control (MAC) mechanisms control which users or processes have access to which resources in a system. MAC policies are increasingly specified to facilitate managing and maintaining access control. However, the correct specification of the policies is a very challenging problem. To formally and precisely capture the security properties that MAC should adhere to, MAC models are usually written to bridge the rather wide gap in abstraction between policies and mechanisms. In this paper, we propose a general approach for property verification for MAC models. The approach defines a standardized structure for MAC models, providing for both property verification and automated generation of test cases. The approach expresses MAC models in the specification language of a model checker and expresses generic access control properties in the property language. Then the approach uses the model checker to verify the integrity, coverage, and confinement of these properties for the MAC models and finally generates test cases via combinatorial covering array for the system implementations of the models.
End-user development (EUD) is drawing increasing attention due to the necessity of users to frequently extend and personalize their applications. In particular, EUD in the context of Web (EUDWeb) is focusing on technologies capable of supporting development tasks that the end-user feels more complex. However, although the specification and implementation of access control is perceived as a particularly complex task, little effort has been made to support it within current EUDWeb environments. Thus, in this paper we propose an EUDWeb framework and tool for the specification and the generation of web applications embedding access control mechanisms. We extended a previous mockup-based EUDWeb approach by introducing visual assistance mechanisms enabling the specification of role-based access control policies, and their integration within the application logic. The usability of the proposed framework has been evaluated by means of a user study, in which we have shown that a group of heterogeneous end-users could proficiently use the proposed framework to develop meaningful web applications, some of which include access control functionalities.
In database applications, access control security layers are mostly developed from tools provided by vendors of database management systems and deployed in the same servers containing the data to be protected. This solution conveys several drawbacks. Among them we emphasize: (1) if policies are complex, their enforcement can lead to performance decay of database servers; (2) when modifications in the established policies imply modifications in the business logic (usually deployed at the client-side), there is no other possibility than to modify the business logic in advance; and, finally, (3) malicious users can issue CRUD expressions systematically against the DBMS expecting to identify any security gap. In order to overcome these drawbacks, in this paper we propose an access control stack characterized by the following: most of the mechanisms are deployed at the client-side; whenever security policies evolve, the security mechanisms are automatically updated at runtime; and, finally, client-side applications do not handle CRUD expressions directly. We also present an implementation of the proposed stack to prove its feasibility. This paper presents a new approach to enforce access control in database applications, this way expecting to contribute positively to the state of the art in the field.
One primary challenge of enforcing access control in cloud computing is how to ensure access with high efficiency while preserving data security. This paper proposes a fine-grained access control method for cloud resources. The basic idea is to use XACML as access control language and to optimize policies by data fragmentation and policy refinement algorithms. Through data fragmentation, the accessible resources are divided into disjoint data blocks, and each of them will be combined with a set of policy rules. This helps to refine the policy and to avoid data leakage caused by rule conflicting on the resource intersections. Finally, the disjoint data blocks and the optimized policy are distributed in the three-layered cloud, and the decision to a request is made by rule matching on a specific resource rather than traversing the whole policy rules. Experiments show that our proposal enjoys higher efficiency in cloud-based access control.
Cloud computing is an emerging computing paradigm in IT industries. The wide adoption of cloud computing is raising concerns about management of data in the cloud. Access control and data security are two critical issues of cloud computing. The time-efficient secure access control (TESAC) model is a new data access control scheme which can minimize many significant problems. This scheme has better performance than other existing models in a cloud computing environment. TESAC is attracting more and more attention from industry. Hence, the reliability of TESAC becomes extremely important. In this paper, we apply Communicating Sequential Processes (CSP) to model TESAC, as well as its security properties. We mainly focus on its data access mechanism part and formalize it in detail. Moreover, using the model checker Process Analysis Toolkit (PAT), we have verified that the TESAC model cannot assure the security of data with malicious users. For the purpose of solving this problem, we introduce a new method similar to digital signature. Our study can improve the security and robustness of the TESAC model.
Access control vulnerabilities that lead to elevated privileges are among the most dangerous vulnerabilities in Web applications. Most of the existing detection methods use dynamic or static analysis techniques alone, which suffer from high manual involvement, low automation, high leakage rate, low page coverage, and other deficiencies. To this end, this paper proposes a novel access control vulnerability detection method (DetAC) based on a sitemap model with global information representation. This method first constructs a static site-wide sitemap model based on the page link addresses in the Web application source code through static analysis techniques. After that, the application is logged in and executed dynamically with different role users. During this process, execution traces and request parameters are collected and converted into annotations to fill the corresponding edges of the static site-wide sitemap model. Then, the sitemap model with global information representation is obtained. This model can represent both the global control flow and data flow of the application. Then DetAC analyzes the role-based and user-based access control policies of the Web application based on the node reachability and annotated data features of the model. And according to the information such as role, user, and access resources, it generates attack vectors to achieve different roles and the same role of different users to access each other’s resources. Finally, access control vulnerabilities are detected based on the equivalence of the results obtained using attack vector access and normal access to the Web application server. DetAC was validated on five real open-source Web applications, and the results showed that DetAC successfully detected up to 12 access control vulnerabilities, which are more than those of the traditional seven tools. The dynamic analysis page coverage rate was significantly improved during the detection process, reaching an average of 91.37%.
This paper presents a pair of role-based access control models for workflow systems, collectively known as the W-RBAC models. The first of these models, W0-RBAC is based on a framework that couples a powerful RBAC-based permission service and a workflow component with clear separation of concerns for ease of administration of authorizations. The permission service is the focus of the work, providing an expressive logic-based language for the selection of users authorized to perform workflow tasks, with preference ranking. W1-RBAC extends the basic model by incorporating exception handling capabilities through controlled and systematic overriding of constraints.
In this paper, we describe a query approximation system which uses the Multi-Layered Database (MLDB), a collection of summarized relational data generated using domain-based concept hierarchies. The system generates approximate answers to queries to handle environmental constraints and access control levels, thus preserving the privacy and security of data. Using a concept hierarchy (CH), we generalize attributes to transform base relations to different layers of summarized relations corresponding to access control levels. The summary databases thus formed are the compression of the tuples in the main database using the CH constructed using the domain set. The query is rewritten by traversing the MLDB layers according to the user's access control level. We present summarization methods, query rewriting algorithms, implementation and experimental results of the system. In addition, we analyze some of the known inferences in Multi Level Secure (MLS) databases and then proceed to explore their effects on an approximate query processor that uses the MLDB model. The common relationships among inferential queries are found by analyzing them, and are used in possible solutions to detect and prevent inference problems. These patches are added to the query processor in MLDB to form a system that provides approximate results while preserving privacy and at the same time blocking the possible inferences. We have observed that these extra patches introduce only very small overheads in the MLDB generation and query processing.
The proper management of privacy and security constraints in information systems in general and access control in particular constitutes a tremendous, but still prevalent challenge. Role-based access control (RBAC) and its variations can be considered as the widely adopted approach to realize authorization in information systems. However, RBAC lacks a proper object-specific support, which disallows establishing the fine-grained access control required in many domains. By comparison, attribute-based access control (ABAC) enables a fine-grained access control based on policies and rules evaluating attributes. As a drawback, ABAC lacks the abstraction of roles. Moreover, it is challenging to engineer and to audit the granted privileges encoded in rule-based policies. This paper presents the generic approach of object-specific role-based access control (ORAC). On one hand, ORAC enables information system engineers, administrators and users to utilize the well-known principle of roles. On the other hand, ORAC allows realizing the access to objects in a fine-grained way where required. The approach was systematically established according to well-elicited key requirements for fine-grained access control in information systems. For the purpose of evaluation, the approach was applied to real-world scenarios and implemented in a proof-of-concept prototype demonstrating its feasibility and applicability.
We discuss a novel role locking protocol (RLP) to prevent illegal information flow among objects in a role-based access control (RBAC) model. In this paper, we define a conflicting relation among roles "a role R1 conflicts with another role R2" to show that illegal information flow may occur if a transaction associated with role R1 is performed before another transaction with role R2. Here, we introduce a role lock on an object to abort a transaction with role R1 if another transaction with role R2 had been already performed on the object. Role locks are not released even if transactions issuing the role locks commit. After data in an object o1 flow to another object o2, if the object o1 is updated, the data in the object o2 is independent of the object o1, i.e. obsolete. A role lock on an object can be released if information brought into the object is obsolete. We discuss how to release obsolete role locks. We also discuss how to implement the role locking protocol in single-server and multi-server systems.