Paolo Perlasca

GEO-RBAC: a spatially aware RBAC

Securing access to data in location-based services and mobile applications requires the definition of spatially aware access control systems. Even if some approaches have already been proposed either in the context of geographic database systems or context-aware applications, a comprehensive framework, general and flexible enough to cope with spatial aspects in real mobile applications, is still missing. In this paper, we make one step towards this direction and we present GEO-RBAC, an extension of the RBAC model to deal with spatial and location-based information. In GEO-RBAC, spatial entities are used to model objects, user positions, and geographically bounded roles. Roles are activated based on the position of the user. Besides a physical position, obtained from a given mobile terminal or a cellular phone, users are also assigned a logical and device independent position, representing the feature (the road, the town, the region) in which they are located. To make the model more flexible and re-usable, we also introduce the concept of role schema, specifying the name of the role as well as the type of the role spatial boundary and the granularity of the logical position. We then extend GEO-RBAC to cope with hierarchies, modeling permission, user, and activation inheritance.

A logical framework for reasoning about access control models

The increased availability of tools and technologies to access and use the data has made more urgent the needs for data protection. Moreover, emerging applications and data models call for more flexible and expressive access control models. This has lead to an extensive research activity that has resulted in the definition of a variety of access control models, that greatly differ with respect to the access control policies they can support. The need thus arises of developing some sort of tools that make it possible to reason about the expressive power of such models and to make a comparison among the various proposals. In this paper we make a first step in this direction by proposing a formal framework for reasoning about access control models. The framework we propose is based on a logical formalism and is general enough to model both discretionary and mandatory access control policies. Each instance of the proposed framework corresponds to a C-Datalog program [8], interpreted according to a stable model semantics. In the paper, besides giving the syntax and the formal semantic of our framework, we show some examples of its application.

A system to specify and manage multipolicy access control models

This paper describes the architecture and the core specification language of an extensible access control system, called MACS-Multipolicy Access Control System. Several access control models are supported. by the proposed system, including the mandatory model, a flexible discretionary model, and RBAC. In addition, by using the core specification language, users can define their own access control models. The language is complemented by a number of tools supporting users in the tasks of model specification and analysis, and authorization management. The proposed system is a multipolicy system in that it allows one to apply different policies to different partitions of the set of objects to be protected. Therefore, different access control policies can co-exist, thus enhancing the flexibility of the system.

Data security in location-aware applications: an approach based on RBAC

Data security in a mobile context is a critical issue. Over the last few years a new category of location-based services, the Enterprise LBS (ELBS), has emerged focusing on the demands of mobility in organisations. These applications pose challenging requirements, including the need of selective access to ELBS based on the position of mobile users and spatially bounded organisational roles. To deal with these requirements a novel access control system, named GEO-RBAC, has been developed. GEO-RBAC extends the NIST RBAC (Role-Based Access Control) standard with the notions of spatial role, role-dependent position, role schema and role instance. Further, roles become enabled/disabled based on the position of the user. In the paper we present GEO-RBAC, a full-fledged RBAC-based model, consisting, like RBAC, of three distinct components: the Core GEO-RBAC, the Hierarchical GEO-RBAC and the Constrained GEO-RBAC. The paper focuses on the innovative aspects that have been introduced in the model to account for the spatial dimension. Further, a rigorous specification of the model (reference model) is presented.

On the Composition of Digital Licenses in Collaborative Environments

In the era of Web 2.0, users are not any longer just consumers of resources but they can actively produce, share and modify content, by composing and enhancing digital resources and services. In this context, the intellectual property of the users collaborating in authoring activities should be preserved. Starting from a model for digital licences generation and management useful in collaborative environments like the Web 2.0, in this paper we propose the algorithms of a DRM component responsible for the composition and modification of digital resources and the generation of the related licenses. Then, the paper presents a compliant architecture based on a composition of web services.

Protection and composition of crossmedia content in collaborative environments

A large range of new applications are appearing nowadays on the Web in which content and data produced by single users or groups are going to be adapted, composed and aggregated and then redistributed in other forms to other users and/or groups. In this context, the management of intellectual property rights (IPR) of the users collaborating in authoring and composition activities have to be preserved. In this paper we adopt an MPEG-21 representation of digital contents and propose a system that supports the users in their composition that takes into account the permissions of access/composition/modification that each single user or group can exercise on them. In our environment, users can retrieve digital content and data, check the authoring privileges that can be executed on the component resources to generate composite and aggregated contents, and verify the situations in which the composition can hide some privileges that exist in the original contents. When the user holds the privileges for the composition, a license can be automatically generated for the composite content that preserves the rights the user/group holds on the components. This environment supports collaboration among users belonging to different organizations that would like to work together in the realization of non trivial content/data aggregation processes.

A GPU-based algorithm for fast node label learning in large and unbalanced biomolecular networks

BackgroundSeveral problems in network biology and medicine can be cast into a framework where entities are represented through partially labeled networks, and the aim is inferring the labels (usually binary) of the unlabeled part. Connections represent functional or genetic similarity between entities, while the labellings often are highly unbalanced, that is one class is largely under-represented: for instance in the automated protein function prediction (AFP) for most Gene Ontology terms only few proteins are annotated, or in the disease-gene prioritization problem only few genes are actually known to be involved in the etiology of a given disease. Imbalance-aware approaches to accurately predict node labels in biological networks are thereby required. Furthermore, such methods must be scalable, since input data can be large-sized as, for instance, in the context of multi-species protein networks.ResultsWe propose a novel semi-supervised parallel enhancement of COSNet, an imbalance-aware algorithm build on Hopfield neural model recently suggested to solve the AFP problem. By adopting an efficient representation of the graph and assuming a sparse network topology, we empirically show that it can be efficiently applied to networks with millions of nodes. The key strategy to speed up the computations is to partition nodes into independent sets so as to process each set in parallel by exploiting the power of GPU accelerators. This parallel technique ensures the convergence to asymptotically stable attractors, while preserving the asynchronous dynamics of the original model. Detailed experiments on real data and artificial big instances of the problem highlight scalability and efficiency of the proposed method.ConclusionsBy parallelizing COSNet we achieved on average a speed-up of 180x in solving the AFP problem in the S. cerevisiae, Mus musculus and Homo sapiens organisms, while lowering memory requirements. In addition, to show the potential applicability of the method to huge biomolecular networks, we predicted node labels in artificially generated sparse networks involving hundreds of thousands to millions of nodes.

Introducing cooperation and actions in amalgamated knowledge bases

The theory of amalgamated knowledge bases represents a formal logical foundation for heterogeneous databases. In an amalgamated knowledge base, data sources are modeled by generalized annotated logic. Moreover, an amalgamated knowledge base is equipped with a supervisor acting as a mediator for amalgamating knowledge from the local databases. Even if the framework is quite appealing, it does not model dynamic aspects. Moreover, no communication channels among local databases are supported and cooperation is provided only through the supervisor. In this paper, we extend the theory of amalgamated knowledge bases to deal with actions and cooperation among local databases.

Authorised access web portal for Italian data bank on sudden unexpected perinatal and infant death

Sudden infant death syndrome (SIDS) is common during the first year of life and affects 0.40 every 1000 births (1). Stillbirths are seven times more common than SIDS; in 40–80% of cases remain unexplained and are categorised as sudden intrauterine unexpected death syndrome (2). In 2006, Italy passed legislation that foetuses and infants, from 25 weeks of gestation to one postnatal year, who died suddenly and unexpectedly should be sent to the University of Milan, Italy, for an in-depth diagnostic postmortem with parental permission (3). The Lino Rossi Research Center is currently developing the technical specifications for a web portal (http://users.unimi.it/centrolinorossi) for its national data bank registry, which has been set up to centralise records retrieved from regions across Italy. This will record all postmortem findings, together with clinical information about the pregnancy, foetal development, delivery, environmental conditions and the family situation when the death occurred. The privacy and confidentiality of the data are ensured, in accordance with European legislation. Medical history questionnaires and informed consent will be collected by clinicians and submitted to the regional centres, who will then create a case record on the web portal. Only authorised personnel will have access to the sensitive content, and only one officer in each regional, together with staff in the national centre, will be authorised to access the portal. The main function of the portal will be to enable a regional operator or the national centre to create new case records and to view or edit existing ones. Different information will be required based on whether it was a perinatal death or SIDS. Data on the mother and father will also be entered together with the consent received from at least one parent. This web interface (Fig. 1) will include lists of case records already submitted to the national centre and those that have been created but not yet submitted. Authorised users will be able to search the records submitted by region, case number, year and the type of records (SIDS or perinatal deaths). The user can also amend case records related to their region and provide the diagnostic testing results. The web portal will also provide a list of regional centres, Italian institutions and users that are authorised to submit and edit records. National centre users will also be able to enter the diagnostic investigations, findings and diagnosis. We believe that the investigational data will enhance epidemiological correlations with risk factors and that this database will provide further insight into the causes of SIDS and perinatal deaths.

Multi-species protein function prediction: towards web-based visual analytics

The visualization and analysis of big bio-molecular networks is a key feature for the investigation and prediction of protein functions in a multi-species context. In this paper we present the design of a system that integrates data management, machine learning and visualization facilities to make effective the visual analysis of big networks by means of web-based interfaces.