Apurva Mohan

An attribute-based authorization policy framework with dynamic conflict resolution

Policy-based authorization systems are becoming more common as information systems become larger and more complex. In these systems, to authorize a requester to access a particular resource, the authorization system must verify that the policy authorizes the access. The overall authorization policy may consist of a number of policy groups, where each group consists of policies defined by different entities. Each policy contains a number of authorization rules. The access request is evaluated against these policies, which may produce conflicting authorization decisions. To resolve these conflicts and to reach a unique decision for the access request at the rule and policy level, rule and policy combination algorithms are used. In the current systems, these rule and policy combination algorithms are defined on a static basis during policy composition, which is not desirable in dynamic systems with fast changing environments. In this paper, we motivate the need for changing the rule and policy combination algorithms dynamically based on contextual information. We propose a framework that supports this functionality and also eliminates the need to recompose policies if the owner decides to change the combination algorithm. It provides a novel method to dynamically add and remove specialized policies, while retaining the clarity and modularity in the policies. The proposed framework also provides a mechanism to reduce the set of potential target matches, thereby increasing the efficiency of the evaluation mechanism. We developed a prototype system to demonstrate the usefulness of this framework by extending some basic capabilities of the XACML policy language. We implemented these enhancements by adding two specialized modules and several new combination algorithms to the Sun XACML engine.

AttributeTrust A Framework for Evaluating Trust in Aggregated Attributes via a Reputation System

To enable a rich attribute-based authorization system, it is desirable that a large number of user attributes are available, possibly provided by multiple entities. The user may be required to aggregate his attributes and present them to a service provider to prove he has the right to access some service. In this paper, we present AttributeTrust - a policy-based privacy enhanced framework for aggregating user attributes and evaluating confidence in these attributes. We envision a future where attribute providers will be commonplace and service providers will face the problem of choosing one among multiple attribute providers that can provide the same user attribute. In AttributeTrust, we address this problem by means of a reputation system model based on transitive trust. Entities express confidence in other entities to supply trusted attributes, forming chains from a service provider to different attribute providers. A service provider uses this transitive reputation to decide whether to accept a particular attribute from a specific attribute provider.We discuss how the AttributeTrust model prevents common attacks on reputation systems. AttributeTrust differs from the current approaches by deriving its attack resistance from its specific context of attribute provisioning, its voting mechanism formulation, and unique properties of its confidence relationships.

Redactable signatures on data with dependencies and their application to personal health records

Storage of personal information by service providers risks privacy loss from data breaches. Our prior work on minimal disclosure credentials presented a mechanism to control the dissemination of personal information. In that work, personal data was broken into individual claims, which can be released in arbitrary subsets while still being cryptographically verifiable. In applying that work, we encountered the problem of connections between claims, which manifest as disclosure dependencies. In this work, we provide an efficient way to provide minimal disclosure, but with cryptographic enforcement of dependencies between claims, as specified by the claims certifier. This provides a mechanism for redactable signatures on data with disclosure dependencies. We show that an implementation of our scheme can verify thousands of dependent claims in tens of milliseconds. We also describe ongoing work in which the approach is being used within a larger system for dispensing personal health records.

Towards addressing common security issues in smart grid specifications

Smart grid standards initiatives aim to coordinate the development of protocols and model standards for interoperability. The smart grid derives its functionality from several existing technologies and standards. At issue is that most of these base standards were developed for specific functionality and security was added later. As such, most standards do not have a unified and comprehensive approach to security, which results in security gaps in these standards. In this paper, we investigate common security issues in smart grid standards that employ communication protocols and the common causes for these issues. We then propose security considerations for developing these standards; to address them, we develop guidelines for drafting security into smart grid standards either when they are updated or when new standards are developed. We draw examples from the ZigBee Smart Energy Profile standard for security requirements, objectives, and to make recommendations for designing security in similar standards. We finally present a retrospective discussion of how following our recommendations would have improved the ZigBee Smart Energy Profile standard by including security in a unified and comprehensive way.

Detection of Conflicts and Inconsistencies in Taxonomy-Based Authorization Policies

The values of data elements stored in biomedical databases often draw from biomedical ontologies. Authorization rules can be defined on these ontologies to control access to sensitive and private data elements in such databases. Authorization rules may be specified by different authorities at different times for various purposes. Since such policy rules can conflict with each other, access to sensitive information may inadvertently be allowed. Another problem in biomedical data protection is inference attacks, in which a user who has legitimate access to some data elements is able to infer information related to other data elements. We propose and evaluate two strategies, one for detecting policy inconsistencies to avoid potential inference attacks and the other for detecting policy conflicts.

Towards Secure Demand-Response Systems on the Cloud

Demand response (DR) systems are gaining fast adoption and utilities are increasingly relying on them for peak load shaving, demand side management, and maintaining power quality. DR systems are cyber-physical systems (CPS) where the communication component is cyber, whereas the control components have physical effects. As DR systems experience wider adoption and manipulate much larger loads, achieving scalability has become an important concern. On the other hand, demand response events are often sporadic, and maintaining systems and infrastructure that could easily scale up or down is often desirable for utility companies in terms of operational cost, which makes us envision that DR systems would eventually move to the cloud. However, moving to cloud is not an elixir as it brings some concerns of its own. In this paper, we focus on Open ADR 2.0-based systems and discuss security properties and challenges that must be considered when migrating DR systems to the cloud.

A medical domain collaborative anomaly detection framework for identifying medical identity theft

Medical identity theft is a serious problem in healthcare systems around the world, especially the US healthcare system. In addition to financial losses to the patients, healthcare providers, and insurance providers, it has devastating effects on the patients healthcare services. Current mechanisms to detect medical identity theft rely on weak detection mechanisms like human operators, network anomalies, or audit. These methods have very low success rates and only identify medical identity theft cases after the fact which does little to actually stop them. In this paper, we present a novel framework that uses sophisticated anomaly detectors using disease ontologies from the medical domain, institutional anomalies, and network anomalies to detect medical identity theft. These various detectors reside with different healthcare entities and collaborate to merge their outputs into a single inference engine to determine suspected cases of medical identity theft with high efficiency. We argue that this method is very effective and cannot be circumvented by medical identity thieves using regular means because the framework leverages inherent relationship between diseases to ensure that a new request for medical care is aligned with the patients medical history. The reasoning engine decides this based on the relationships between the diseases and reasoning whether the new request is an anomaly or not. We develop the system architecture of the framework in a cloud based setting. We implement this framework as a prototype system and evaluate it analytically based on real life use cases and experimentally using performance experiments.

Privacy conscious architecture for improving emergency response in smart cities

With advancements in wireless technologies, location based services (LBS) have become ubiquitous and are fundamental to services that provide emergency response to those that enhance the quality of daily life. Location tracking applications include traffic congestion management, waste management, indoor navigation in malls/airports, receiving coupons/advertisements by retailers, applications to allow parents to track their children, providing centimeter-level guidance to visually impaired users in indoor environments etc. Location tracking also enables applications in device-free situations - intrusion detection by means of tracking people and their movements through walls, monitoring the heartbeat of a person(ex: elderly citizen) through walls etc. In conjunction with location based services, the development of the Internet of Things (IoT) provides rich contextual information which is key to the scalability of smart cities. Managing these technologies along with establishing effective countermeasures against security and privacy concerns of individual citizens as well as service providers and government agencies is essential for their adoption. In this paper we envision a feature of the emergency response system of a smart city whereby critical contextual information from the emergency site is made available to the emergency service provider to enable effective first response strategy. We use the example of a smart building with an infrastructure that consists of an indoor hybrid wireless environment for identifying individuals, tracking their location, monitoring vital statistics and measuring ambient conditions. This information is critical to rescue teams and paramedics. We provide an architecture that addresses the security and privacy issues associated with the highly sensitive information generated by this system.

A Cyber Security Architecture for Microgrid Deployments

Microgrids enable the aggregation of various types of generating and non-generating sources as a unified control unit. Microgrid control networks are connected to external networks - SCADA networks for demand-response applications, enterprise networks and the Internet for remote monitoring and control. These external connections expose microgrids to serious threats from cyber attacks. This is a major concern for microgrids at sensitive installations such as military bases and hospitals. One of the challenges in protecting microgrids is that control networks require very low latency. Cryptographic protection, which adds additional latency to communications, is unacceptable in real-time control, especially with regard to synchronization and stability. Also, a complex network at a microgrid site with interconnected control and SCADA networks makes the process of acquiring security certifications (e.g., DIACAP) extremely difficult. To address these challenges, this chapter presents the SNAPE cyber security architecture, which segregates communications networks needed for fast, real-time control from networks used for external control signals and monitoring, thereby drastically reducing the attack surface of a microgrid control network. Network segregation is achieved by hardware devices that provide strong cryptographic separation. The segregation isolates control networks so that they can use lightweight cryptography to meet the low latency requirements. The novel approach minimizes the cyber security certification burden by reducing the scope of certification to a subset of a microgrid network.

Implementing Cyber Security Requirements and Mechanisms in Microgrids

A microgrid is a collection of distributed energy resources, storage and loads under common coordination and control that provides a single functional interface to enable its management as a single unit. Microgrids provide several advantages such as power quality control, uninterrupted power supply and integration of renewable resources. However, microgrids are increasingly connected to the Internet for remote control and management, which makes them susceptible to cyber attacks. To address this issue, several pilot deployments have implemented bolt-on security mechanisms, typically focused on securing the protocols used in microgrids. Unfortunately, these solutions are inadequate because they fail to address some important cyber security requirements.