Xiaopu Ma

Role mining based on weights

Role mining from the existing permissions has been widely applied to aid the process of migrating to an RBAC system. While all permissions are treated evenly in previous approaches, none of the work has employed the weights of permissions in role mining to our knowledge, thus providing the motivation for this work. In this paper, we generalize this to the case where permissions are given weights to reflect their importance to the system. The weights can correspond to the property of operations, the sensitive degree of objects, and the attribute of users associated with permissions. To calculate the weight of permissions, we introduce the concept of similarity between both users and permissions, and use a similarity matrix to reinforce the similarity between permissions. Then we create a link between the reinforced similarity and the weight of permissions. We further propose a weighted role mining algorithm to generate roles based on weights. Experiments on performance study prove the superiority of the new algorithm.

Mining constraints in role-based access control

Abstract Constraints are an important aspect of role-based access control (RBAC) and sometimes argued to be the principal motivation of RBAC. While role engineering is proposed to define an architectural structure of the organization’s security policies, none of the work has employed constraint mining in migrating a non-RBAC system to an RBAC system to our knowledge, thus providing the motivation for this work. In this paper, we first define a wide variety of constraints, which are the best-known ones to date, and then create a relationship between the conventional data mining technology and the constraints. We further propose an anti-association rule mining algorithm to generate the constraints. Experiments on performance study prove the superiority of the new algorithm.

Specification and Enforcement of Static Separation-of-Duty Policies in Usage Control

Separation-of-Duty (SoD) policy is a fundamental security principle for prevention of fraud and errors in computer security. The research of static SoD (SSoD) policy in recently presented usage control (UCON) model has not been explored. Consequently, this paper attempts to address two important issues: the specification and enforcement of SSoD in UCON. We give a set-based specification scheme, which is simpler and more general than existing approaches. As for the enforcement, we study the problem of determining whether an SSoD policy is enforceable, and show that directly enforcing an SSoD policy is a coNP-complete problem. In indirect enforcement, we generate the least restrictive static mutually exclusive attribute (SMEA) constraints to enforce SSoD policies, by using the attribute level SSoD requirement as an intermediate step. The results are fundamental to understanding the effectiveness of using constraints to enforce SSoD policies in UCON.

RMiner: a tool set for role mining

Recently, there are many approaches proposed for mining roles using automated technologies. However, it lacks a tool set that can be used to aid the application of role mining approaches and update role states. In this demonstration, we introduce a tool set, RMiner, which is based on the core of WEKA, an open source data mining tool. RMiner implements most of the classic and latest role mining algorithms and provides interactive tools for administrator to update role states. The running examples of RMiner are presented to demonstrate the effectiveness of the tool set.

Role mining based on cardinality constraints

Role mining was recently proposed to automatically find roles among user‐permission assignments using data mining technologies. However, the current studies about role mining mainly focus on how to find roles, without considering the constraints that are essentially required in role‐based access control systems. In this paper, we present a role mining algorithm with constraints, especially for the cardinality constraints. We illustrate it is essential for role mining to take cardinality constraints into account, and introduce the concepts of the cardinality constraints of roles and permissions. We further propose a role mining algorithm to generate roles based on these two kinds of cardinality constraints. The algorithm uses graph theory to model the role mining problem and maps the relation of two roles to the relation of graph elements. We set an optimization goal for role mining and employ graph optimization theory to find roles that satisfy the aforementioned cardinality constraints. We carry out the experiments to evaluate our approach. The experimental results demonstrate the rationality and effectiveness of the proposed algorithm. Copyright

Specifying and enforcing the principle of least privilege in role-based access control

The principle of least privilege in role‐based access control is an important area of research. There are two crucial issues related to it: the specification and the enforcement. We believe that the existing least privilege specification schemes are not comprehensive enough and few of the enforcement methods are likely to scale well. In this paper, we formally define the basic principle of least privilege problem and present different variations, called the delta‐approx principle of least privilege problem and the minimizing‐approx principle of least privilege problem. Since there may be more than one result to enforce the same principle of least privilege, we introduce the notation about weights of permissions and roles to optimize the results. Then we prove that all least privilege problems are NP‐complete. As an important contribution of the paper, we show that the principle of least privilege problem can be reduced to minimal cost set covering (MCSC) problem. We can borrow the existing solutions of MCSC to solve the principle of least privilege problems. Finally, different algorithms are designed to solve the proposed least privilege problems. Experiments on performance study prove the superiority of our algorithms. Copyright

Role mining based on permission cardinality constraint and user cardinality constraint

Constraint is an essential aspect of role-based access control RBAC and is sometimes argued to be the principle motivation for RBAC. However, most of role mining algorithms do not consider the constraint. Furthermore, they just compare the least cost of the authorization process but do not consider how to assess the accuracy of the derived role state, thus, providing the motivation for this work. In this paper, we first define a wide variety of constraints, especially the permission cardinality constraint and user cardinality constraint. We further propose a role mining algorithm to generate roles based on these two kinds of cardinality constraints that consider the similarity between roles in the process of merging roles in order to improve the accuracy of the role state at the same time. Finally, we carry out the experiments to evaluate our approach. The experimental results demonstrate the effectiveness of our proposed algorithm. Copyright

SMEF: An Entropy-Based Security Framework for Cloud-Oriented Service Mashup

Cloud-oriented service mashup can aggregate many services to provide personalized services for end-users on demand. However, how to securely aggregate mashup services becomes a bottleneck of hampering the development of cloud computing. In this paper, we present a secure cloud service mashup framework called SMEF to address this problem. In SMEF, we employ security entropy to measure the unascertained security degree of service mashup. The nonfunctional criteria of SMEF are aggregated as a single criterion by defining a utility function. Then the relatively optimal mashup services are selected to meet the user requirements. Finally, we have implemented a simulation of SMEF and conducted extensive experiments using simulations of different sizes of services and security factors. Experimental results show the feasibility and efficiency of the SMEF service mashup framework.

SecTag: a multi-policy supported secure web tag framework

Traditional web application development often encounters tight coupling problem between access control logic and business logic. It is hard to configure and modify access control policies after a system has been deployed. In this demonstration, we present SecTag, a multi-policy supported secure web tag framework, to address this problem. We define a series of general-purpose secure attributes that meet the demand of fine-grained access control in web presentation layer. We also design a set of high interactive secure tags, which encapsulate secure features to provide reusable secure components for web development. A running example of SecTag is presented to demonstrate the effectiveness of the proposed framework.

A Role-Based Access Control Architecture for P2P File-Sharing Systems Using Primary/Backup Strategy

Nowadays, P2P file-sharing systems have gained a large acceptance among the internet users. However, there has been little relatively work done in access control for P2P networks, where security is a critical requirement for broader applications of the technology not only in the current but also in the future. In this work, a new architecture is presented in this paper, it integrates the aspects of credential, identity and role-based access control policies to provide scalable, efficient and fault-tolerance access control services. It also preserves the decentralized structure of the P2P platform by employing Primary/Backup Strategy, and resolves the two kinds of interoperability conflicts while mapping role from foreign domain to local domain without centralized authority. We believe that the proposed architecture is realistic, secure and preserves P2P decentralized structure.