Zahir Tari

A role-based access control for intranet security

Secure intranets are founded on the protection of logical resources accessible in corporate enterprises. The paper discusses I-RBAC, role-based access control for intranet security which offers efficient security management based on varied levels of role authorizations.

A role based access control for Web services

Web services are vulnerable to various types of security attacks. We address one type of attacks, where applications trying to access services to which they are not authorized. Existing access control for Web services lack of support for global services. As such services are WAN-based, therefore access control needed to deal with various levels of Web services, including global (for composite services) and local level (for Web servers). We propose two access control: SWS-RBAC (for single services) and CWS-RBAC (for global services). Instead of protecting the content of the services parameters, these models protect the parameters themselves. The proposed approach introduces global roles, which are used in the mapping to local roles of other service providers. To maintain the autonomy of roles between providers, an efficient role-mapping mechanism has been proposed accordingly.

Location-aware cache replacement for mobile environments

Traditional cache replacement policies rely on the temporal locality of users access pattern to improve cache performance. These policies, however, are not ideal in supporting mobile clients. As mobile clients can move freely from one location to another, their access pattern not only exhibits temporal locality, but also exhibits spatial locality. In order to ensure efficient cache utilisation, it is important to take into consideration the location and movement direction of mobile clients when performing cache replacement. In this paper. we propose a mobility-aware cache replacement policy, called MARS, suitable for wireless environments. MARS takes into account important factors (e.g. client access rate, access probability, update probability and client location) in order to improve the effectiveness of onboard caching for mobile clients. Test results show that MARS consistently outperforms existing cache replacement policies and significantly improves mobile clients cache hit ratio.

A Probabilistic Model to Predict the Survivability of SCADA Systems

Recent spate of cyber attacks against critical infrastructure systems, which are vital to society, have shown that in addition to be infeasible to stop every possible attack it is imperative to keep such systems running. Survivability models and tools are good to evaluate systems capacity to handling undesired events. Current survivability measurement techniques are limited, since they only use performance to model system behavior, and do not take into account service interdependencies. This paper introduces a probabilistic model that offers a new direction in measuring survivability. The proposed model solves the issues with current models by combining the formalism of Bayesian networks with information diversity. Service interdependencies are properly taken into account and the information diversity metric is used to represent service behavior. In addition, the model is evaluated through a simulation of a SCADA system, where the entire process to construct and to use the model is detailed.

Mobility-aware cache replacement for users of location-dependent services

Recent advances in wireless communication and global positioning technologies have led to increasing interest in location dependent information services. As mobile users move between locations utilising such services, their access patterns not only exhibit temporal locality, but also spatial locality. Traditional cache replacement policies were designed to deal with temporal locality, as a result, they are inefficient location dependent services. In this paper a mobility-aware algorithm called MARS+ is proposed to detect regular client movement patterns and provides information to improve cache performance. Test results show that MARS+ improves clients cache hit ratio by more than 16% compared to existing policies.

Designing the reengineering service for the DOK federated database system

Addresses the design of the reengineering service for the DOK (Distributed Object Kernel) federated database. This service allows the hiding of the heterogeneity of databases involved in a federation by generating object-oriented representations from their corresponding schemata. We propose a complete methodology that supports the identification and the translation of both the explicit and implicit information. The identification of object-oriented constructs is performed by classifying a relational schema into different categories of relations, namely base, dependent and composite relations. The main difficulty in designing the reengineering service relies on the distinction between the different types of relationships amongst classes. Our approach deals with this problem by analysing relations according two types of correlation: (i) the degree of correlation between the external and primary keys, and (ii) the degree of correlation between sets of tuples in the relations. Examining these correlations uncovers implicit relationships contained as well-hidden classes in a relational schema.

Using agents for secure access to data in the Internet

Relatively few databases are accessible over the Internet. With todays technology one would like to encapsulate a database and make it available over the Internet. A client using such databases would browse an old census database, look up references in an object-oriented database system, access descriptions and pictures over the Internet, or combine different information using NCSA Mosaic, Web, or backend databases. This article describes our experiences within the context of the DOK (distributed object kernel). This project aims to design a secure database middleware that enables users to effectively search, update, and combine information in distributed, heterogeneous environments. The DOK system uses security agents to maintain a DOK federation in a secure state. Different types of security agents are involved in the enforcement of security policies. Coordination agents are responsible for managing the whole federation, and delegate functions to more specific agents, called task agents. By delegating the access to information of local databases to database agents, task agents are able to control any access to a federation by using specifically designed security procedures.

Controlling aggregation in distributed object systems: a graph-based approach

The Distributed Object Kernel is a federated database system providing a set of services which allow cooperative processing across different databases. The focus of this paper is the design of a DOK security service that provides for enforcing both local security policies, related to the security of local autonomous databases, and federated security policies, governing access to data aggregates composed of data from multiple distributed databases. We propose Global Access Control, an extended access control mechanism enabling a uniform expression of heterogeneous security information. Mappings from existing Mandatory and Discretionary Access Controls are described. To permit the control of data aggregation, the derivation of unauthorized information from authorized data, our security framework provides a logic-based language, the Federated Logic Language (FELL), which can describe constraints on both single and multiple states of the federation. To enforce constraints, FELL statements are mapped to state transition graphs which model the different subcomputations required to check the aggregation constraints. Graph aggregation operations are proposed for building compound state transition graphs for complex constraints. To monitor aggregation constraints, two marking techniques, called Linear Marking Technique and Zigzag Marking Technique, are proposed. Finally, we describe a three-layer DOK logical secure architecture enabling the implementation of the different security agents. This includes a Coordination layer, a Task layer, and a Database layer. Each contains specialized agents that enforce a different part of the federated security policy. Coordination is performed by the DOK Manager, enforcing security is performed by a specialized Constraint Manager agent, and the database functions are implemented by user and data agents.

A query propagation approach to improve CORBA Trading Service scalability

Existing CORBA traders, at least most of them, support the core functions of the OMG specification of the Trading Service. We believe that this is useful and can help potential users to use such a service in heterogeneous environments. However we also believe that this is not sufficient because such environments deal with dynamic information and often require scalability (e.g. stock market applications). The CORBA Trading Service uses static information recorded in different components of a trading graph, which reduces its ability to deal with dynamic environments. This paper proposes solutions to the issue of type management and query routing in the context of CORBA Trading Service to improve the scalability and the quality of the results returned by the core trader functions. We propose a query routing mechanism that uses dynamic information recorded within different traders. Some of this information, such as hit factor, is calculated based on the number of offers a remote trader can address and their relative hops away. Finally, we demonstrate that the proposed approach has led to better performance for the core CORBA trader functions.

A gossip-based membership management algorithm for large-scale peer-to-peer media streaming

A new adaptive gossip-based membership management algorithm is proposed. Its adaptive nature enables it to confine the control overhead to local ranges, and adapt to the ever-changing network traffic conditions and group membership. The random nature of the algorithm ensures that it can cope with random failures and offer proactive measures to maintain service at a certain level. Mathematical analysis and simulation results indicate that more than 90% of the nodes can work properly even under very high network dynamics (with a short half-life time of 50 seconds), and all these are achieved by using a relatively low overhead