Results 1 - 20 of 22
1.
Article in English | MEDLINE | ID: mdl-31885522

ABSTRACT

In Attribute-Based Access Control (ABAC), access to resources is given based on the attributes of subjects, objects, and environment. There is an imminent need for the development of efficient algorithms that enable migration to ABAC. However, existing policy mining approaches do not consider possible adaptation to the policy of a similar organization. In this article, we address the problem of automatically determining an optimal assignment of attribute values to subjects for enabling the desired accesses to be granted while minimizing the number of ABAC rules used by each subject or other appropriate metrics. We show the problem to be NP-Complete and propose a heuristic solution.

2.
Comput Secur ; 86: 183-205, 2019 Sep.
Article in English | MEDLINE | ID: mdl-31662590

ABSTRACT

Over the last few years, various types of access control models have been proposed for expressing the growing needs of organizations. Out of these, there is an increasing interest towards specification and enforcement of flexible and dynamic decision making security policies using Attribute Based Access Control (ABAC). However, it is not easy to migrate an existing security policy specified in a different model into ABAC. Furthermore, there exists no comprehensive approach that can specify, enforce and manage ABAC policies along with other policies potentially already existing in the organization as a unified security policy. In this article, we present a unique and flexible solution that enables concurrent specification and enforcement of such security policies through storing and querying data in a multi-dimensional and multi-granular data model. Specifically, we present a unified database schema, similar to that traditionally used in data warehouse design, that can represent different types of access control policies and store relevant policies as in-memory data, thereby significantly reducing the execution time of access request evaluation. We also present a novel approach for combining multiple access control policies through meta-policies. For ease of management, an administrative schema is presented that can specify different types of administrative policies. Extensive experiments on a wide range of data sets demonstrate the viability of the proposed approach.

3.
IEEE Trans Emerg Top Comput ; 11(1): 208-223, 2023.
Article in English | MEDLINE | ID: mdl-37274839

ABSTRACT

NoSQL databases are being increasingly used for efficient management of high volumes of unstructured data in applications like information retrieval, natural language processing, social computing, etc. However, unlike traditional databases, data protection measures such as access control for these databases are still in their infancy, which could lead to significant vulnerabilities and security/privacy issues as their adoption increases. Attribute-based Access Control (ABAC), which provides a flexible and dynamic solution to access control, can be effective for mediating accesses in typical usage scenarios for NoSQL databases. In this paper, we propose a novel methodology for enabling ABAC in NoSQL databases. Specifically we consider MongoDB, which is one of the most popular NoSQL databases in use today. We present an approach to both specify ABAC access control policies and to enforce them when an actual access request has been made. MongoDB Wire Protocol is used for extracting and processing appropriate information from the requests. We also present a method for supporting dynamic access decisions using environmental attributes and handling of ad-hoc access requests through digitally signed user attributes. Results from an extensive set of experiments on the Enron corpus as well as on synthetically generated data demonstrate the scalability of our approach. Finally, we provide details of our implementation on MongoDB and share a Github repository so that any organization can download and deploy the same for enabling ABAC in their own MongoDB installations.

4.
IFIP Adv Inf Commun Technol ; 648: 360-376, 2022 Jun.
Article in English | MEDLINE | ID: mdl-36544863

ABSTRACT

Hyperledger Fabric (HLF) is an open-source platform for deploying enterprise-level permissioned blockchains where users from multiple organizations can participate. Preventing unauthorized access to resources in such blockchains is of critical importance. Towards addressing this requirement, HLF supports different access control models. However, support for Attribute-Based Access Control (ABAC) in the current version of HLF is not comprehensive enough to address various requirements that arise when multiple organizations interact in an enterprise setting. To address those shortcomings, in this paper, we develop and present methods for providing full ABAC functionality in Hyperledger Fabric. Performance evaluation under different network configurations using the Hyperledger Caliper benchmarking tool shows that the proposed approach is quite efficient in practice.

5.
Article in English | MEDLINE | ID: mdl-36507921

ABSTRACT

Access control policies are dynamic in nature, and therefore require frequent updates to synchronize with the latest organizational security requirements. As these updates are handled, it is important that all user access requests be answered contemporaneously and correctly without any interruption or delay. In this paper, considering the context of Attribute Based Access Control (ABAC), we propose an approach that is capable of immediately materializing any update to the policy and ensuring that it is taken into account for any subsequent access requests. One possibility is to update the policy based on the incoming changes through ABAC policy mining techniques. However, it turns out that no existing mining approach can offer correct enforcement of policies when access requests are entertained during the updates. We provide a formal proof for this surprising result and then propose an approach called δwOP that does not suffer from this problem. Essentially, δwOP keeps track of the needed information from updates and uses this in conjunction with the existing ABAC policy rules to make access decisions. We present the complexity analysis as well as a comprehensive experimental evaluation to demonstrate the efficacy of the proposed approach for different types of changes.

6.
Asia CCS 22 (2022) ; 2022: 1237-1239, 2022 May.
Article in English | MEDLINE | ID: mdl-36625496

ABSTRACT

Linux has built-in security features based on discretionary access control that can be enhanced using the Linux Security Module (LSM) framework. However, so far there has been no reported work on strengthening Linux with Attribute-Based Access Control (ABAC), which is gaining in popularity in recent years due to its flexibility and dynamic nature. In this paper, a method for enabling ABAC for Linux file system objects using LSM is proposed. We report initial experimental results and also share our public repository links for integrating ABAC in any Linux installation.

7.
CODASPY ; 2021: 185-196, 2021 Apr.
Article in English | MEDLINE | ID: mdl-33977290

ABSTRACT

Discovery of Attribute Based Access Control policies through mining has been studied extensively in the literature. However, current solutions assume that the rules are to be mined from a static data set of access permissions and that this process only needs to be done once. However, in real life, access policies are dynamic in nature and may change based on the situation. Simply utilizing the current approaches would necessitate that the mining algorithm be re-executed for every update in the permissions or user/object attributes, which would be significantly inefficient. In this paper, we propose to incrementally maintain ABAC policies by only updating the rules that may be affected due to any change in the underlying access permissions or attributes. A comprehensive experimental evaluation demonstrates that the proposed incremental approach is significantly more efficient than the conventional ABAC mining.

8.
Article in English | MEDLINE | ID: mdl-33927914

ABSTRACT

For any successful business endeavor, recruitment of required number of appropriately qualified employees in proper positions is a key requirement. For effective utilization of human resources, reorganization of such workforce assignment is also a task of utmost importance. This includes situations when the under-performing employees have to be substituted with fresh applicants. Generally, the number of candidates applying for a position is large and hence, the task of identifying an optimal subset becomes critical. Moreover, a human resource manager would also like to make use of the opportunity of retirement of employees to improve manpower utilization. However, the constraints enforced by the security policies prohibit any arbitrary assignment of tasks to employees. Further, the new employees should have the capabilities required to handle the assigned tasks. In this article, we formalize this problem as the Optimal Recruitment Problem (ORP), wherein the goal is to select the minimum number of fresh employees from a set of candidates to fill the vacant positions created by the outgoing employees, while ensuring satisfiability of the specified security conditions. The model used for specification of authorization policies and constraints is Attribute Based Access Control (ABAC), since it is considered to be the de facto next generation framework for handling organizational security policies. We show that the ORP problem is NP-hard and propose a greedy heuristic for solving it. Extensive experimental evaluation shows both the effectiveness as well as efficiency of the proposed solution.

9.
IEEE Trans Emerg Top Comput ; 9(4): 1901-1913, 2021.
Article in English | MEDLINE | ID: mdl-34900448

ABSTRACT

Effective utilization of human capital is one of the key requirements for any successful business endeavor, with reorganization necessary if there are nonproductive employees or employees that are retiring. However, while reorganizing tasks for newer employees, it should be ensured that the employees have the requisite capabilities of handling the assigned tasks. Furthermore, security constraints forbid any arbitrary assignment of tasks to employees and also enforce major dependencies on other employees who have access to the same tasks. Since Attribute Based Access Control (ABAC) is poised to emerge as the de facto model for specifying access control policies in commercial information systems, we consider organizational policies and constraints to be modeled with ABAC. Given the increasing size and scale of organizations, both in terms of employees and resources that need to be managed, it is crucial that computational solutions are developed to automate the process of employee to task assignment. In this work, we define the Employee Replacement Problem (ERP) which answers the question of whether a given set of employees can be replaced by a smaller set of employees, while ensuring that the desired security constraints are not violated. We prove that the problem is NP-hard and use CNF-SAT to obtain a solution. An extensive experimental evaluation is carried out on diverse data sets to validate the efficiency of the proposed solution.

10.
Article in English | MEDLINE | ID: mdl-31346589

ABSTRACT

In Attribute-Based Access Control (ABAC), a user is permitted or denied access to an object based on a set of rules (together called an ABAC Policy) specified in terms of the values of attributes of various types of entities, namely, user, object and environment. Efficient evaluation of these rules is therefore essential for ensuring decision making at on-line speed when an access request comes. Sequentially evaluating all the rules in a policy is inherently time consuming and does not scale with the size of the ABAC system or the frequency of access requests. This problem, which is quite pertinent for practical deployment of ABAC, surprisingly has not so far been addressed in the literature. In this paper, we introduce two variants of a tree data structure for representing ABAC policies, which we name as PolTree. In the binary version (B-PolTree), at each node, a decision is taken based on whether a particular attribute-value pair is satisfied or not. The n-ary version (N-PolTree), on the other hand, grows as many branches out of a given node as the total number of possible values for the attribute being checked at that node. An extensive experimental evaluation with diverse data sets shows the scalability and effectiveness of the proposed approach.

11.
IET Inf Secur ; 13(2): 96-103, 2019 Mar.
Article in English | MEDLINE | ID: mdl-31214270

ABSTRACT

In the present day computing environment, where access control decisions are often dependent on contextual information like the location of the requesting user and the time of access request, Attribute Based Access Control (ABAC) has emerged as a suitable choice for expressing security policies. In an ABAC system, access decisions depend on the set of attribute values associated with the subjects, resources and the environment in which an access request is made. In such systems, the task of managing the set of attributes associated with the entities as well as that of analyzing and understanding the security implications of each attribute assignment is of paramount importance. In this paper, we first introduce a comprehensive attribute based administrative model, named as AMABAC (Administrative Model for ABAC), for ABAC systems and then suggest a methodology for analyzing the security properties of ABAC in the presence of the administrative model. For performing analysis, we use µZ, an SMT (Satisfiability Modulo Theories) based model checking tool. We study the impact of the various components of ABAC and AMABAC on the time taken for security analysis.

12.
Chem Biol Drug Des ; 93(6): 1083-1095, 2019 06.
Article in English | MEDLINE | ID: mdl-30597757

ABSTRACT

QSAR/QSPR/QSTR modeling and chemical grouping approach are presented to provide information on the biological properties of various substituted benzene derivatives. A novel descriptor, viz., the square of electrophilicity index (ω²) is proposed to provide a compact correlation between the structure of the compounds and their biological properties which is marginally superior to electrophilicity index (ω) or ω³ in most of the cases, and more or less similar to that obtained from hydrophobicity (or lipophilicity). Besides the straightforward case study, neural networks (NN) are employed to ascertain the robustness of the QSAR model obtained by implementing multiple linear regression (MLR).


Subject(s)
Benzene/toxicity , Electricity , Hydrophobic and Hydrophilic Interactions , Quantitative Structure-Activity Relationship , Animals , Benzene/chemistry , Cyprinidae

13.
J Comput Secur ; 27(4): 483-506, 2019.
Article in English | MEDLINE | ID: mdl-31929684

ABSTRACT

The flexibility, portability and identity-less access control features of Attribute Based Access Control (ABAC) make it an attractive choice to be employed in many application domains. However, commercially viable methods for implementation of ABAC do not exist while a vast majority of organizations use Role Based Access Control (RBAC) or their temporal extensions, such as Temporal Role Based Access Control (TRBAC). In this paper, we present a solution for organizations having an RBAC/TRBAC that can deploy an ABAC policy. Essentially, we propose a method for the translation of an ABAC policy (including time constraints) into a form that can be adopted by an RBAC/TRBAC system. We experimentally demonstrate that time taken to evaluate an access request in RBAC and TRBAC systems is significantly less than that of the corresponding ABAC system. Since the cost of security management is more expensive under RBAC when compared to ABAC, we present an analysis of the different management costs and present mitigation approaches by considering various administrative operations.

14.
Front Chem ; 7: 485, 2019.
Article in English | MEDLINE | ID: mdl-31355182

ABSTRACT

Particle Swarm Optimization (PSO), a population based technique for stochastic search in a multidimensional space, has so far been employed successfully for solving a variety of optimization problems including many multifaceted problems, where other popular methods like steepest descent, gradient descent, conjugate gradient, Newton method, etc. do not give satisfactory results. Herein, we propose a modified PSO algorithm for unbiased global minima search by integrating with density functional theory which turns out to be superior to the other evolutionary methods such as simulated annealing, basin hopping and genetic algorithm. The present PSO code combines evolutionary algorithm with a variational optimization technique through interfacing of PSO with the Gaussian software, where the latter is used for single point energy calculation in each iteration step of PSO. Pure carbon and carbon containing systems have been of great interest for several decades due to their important role in the evolution of life as well as wide applications in various research fields. Our study shows how arbitrary and randomly generated small Cn clusters (n = 3-6, 10) can be transformed into the corresponding global minimum structure. The detailed results signify that the proposed technique is quite promising in finding the best global solution for small population size clusters.

15.
IEEE Trans Inf Technol Biomed ; 12(3): 366-76, 2008 May.
Article in English | MEDLINE | ID: mdl-18693504

ABSTRACT

In this paper, we propose a hierarchical state-based model for representing an echocardiogram video. It captures the semantics of video segments from dynamic characteristics of objects present in each segment. Our objective is to provide an effective method for segmenting an echo video into view, state, and substate levels. This is motivated by the need for building efficient indexing tools to support better content management. The modeling is done using four different views, namely, short axis, long axis, apical four chamber, and apical two chamber. For view classification, an artificial neural network is trained with the histogram of a region of interest of each video frame. Object states are detected with the help of synthetic M-mode images. In contrast to traditional single M-mode, we present a novel approach named sweep M-mode for state detection. We also introduce radial M-mode for substate identification from color flow Doppler 2-D imaging. The video model described here represents the semantics of video segments using first-order predicates. Suitable operators have been defined for querying the segments. We have carried out experiments on 20 echo videos and compared the results with manual annotation done by two experts. View classification accuracy is 97.19%. Misclassification error of the state detection stage is less than 13%, which is within acceptable range since only frames at the state boundaries are found to be misclassified.


Subject(s)
Artificial Intelligence , Echocardiography/methods , Image Enhancement/methods , Computer-Assisted Image Interpretation/methods , Three-Dimensional Imaging/methods , Automated Pattern Recognition/methods , Video Recording/methods , Algorithms , Computer Simulation , Humans , Cardiovascular Models , Reproducibility of Results , Sensitivity and Specificity

16.
Data Appl Secur Priv XXXII (2018) ; 10980: 51-68, 2018 Jul.
Article in English | MEDLINE | ID: mdl-30687849

ABSTRACT

The flexibility, portability and identity-less access control features of Attribute Based Access Control (ABAC) make it an attractive choice to be employed in many application domains. However, commercially viable methods for implementation of ABAC do not exist while a vast majority of organizations use Role Based Access Control (RBAC) systems. In this paper, we present a way in which organizations having an RBAC system can deploy an ABAC policy. Thus, we propose a method for the translation of an ABAC policy into a form that can be adopted by an RBAC system. We compare the cost of enforcement in ABAC and RBAC with respect to time taken to evaluate an access request, and experimentally demonstrate that RBAC is significantly better in this respect. Since the cost of security management is more expensive under RBAC when compared to ABAC, we present an analysis of the different management costs and present mitigation approaches by considering various administrative operations.

17.
Article in English | MEDLINE | ID: mdl-30687851

ABSTRACT

In Attribute-based Access Control (ABAC) systems, utilizing environment attributes along with the subject and object attributes introduces a dynamic nature to the access decisions. The inclusion of environment attributes helps in achieving a more fine-grained access control. In this paper, we present an ABAC policy mining algorithm that considers the environment attributes and their associated values while forming the rules. Furthermore, we use gini impurity to form the rules. This helps to minimize the number of rules in the generated policy. The experimental evaluation shows that our approach is quite effective in practice.

18.
IEEE Lett Comput Soc ; 1(2): 25-29, 2018.
Article in English | MEDLINE | ID: mdl-30906923

ABSTRACT

Successful deployment of attribute-based access control requires the process of policy engineering which involves constructing a set of appropriate rules, known as a policy. Policy engineering is performed either by a top-down approach that may ignore some of the existing accesses in the organization or a bottom-up approach that may form rules which are not relevant to the organizational processes. In this work, we propose a hybrid approach toward policy engineering that addresses the limitations of the top-down and the bottom-up approaches while preserving their individual advantages.

19.
IEEE Conf Collab Internet Comput ; 2017: 339-348, 2017 Oct.
Article in English | MEDLINE | ID: mdl-30506058

ABSTRACT

Attribute Based Access Control (ABAC) is fast replacing traditional access control models due to its dynamic nature, flexibility and scalability. ABAC is often used in collaborative environments. However, a major hurdle to deploying ABAC is to precisely configure the ABAC policy. In this paper, we present an ABAC mining approach that can automatically discover the appropriate ABAC policy rules. We first show that the ABAC mining problem is equivalent to identifying a set of functional dependencies in relational databases that cover all of the records in a table. We also propose a more efficient algorithm, called ABAC-SRM which discovers the most general policy rules from a set of candidate rules. We experimentally show that ABAC-SRM is accurate and significantly more efficient than the existing state of the art.

20.
Med Biol Eng Comput ; 52(9): 759-72, 2014 Sep.
Article in English | MEDLINE | ID: mdl-25096789

ABSTRACT

Video object tracking plays an important role in many computer vision-aided applications. This paper presents a novel multi-path analysis-based video object tracking algorithm. Trajectory of the moving object is refined using a Kalman filter-based prediction method. The proposed algorithm has been used successfully to analyze one of the complex infant neurological examinations often referred to as Hammersmith lateral tilting test. This is an important test of the infant neurological assessment process, and this test is difficult to grade by visual observation. It has been shown in this paper that the proposed video object tracking algorithm can be used to analyze the videos of fast moving objects by incorporating application-specific information. For example, the proposed tracking algorithm can be used to assess lateral tilting test of the Hammersmith infant neurological examinations. The algorithm has been tested with several video recordings of this test which were captured at the neurodevelopment clinic of the SSKM Hospital, Kolkata, India during the period of the study. It is found that the proposed algorithm is capable of estimating the score for the test with high values of sensitivity and specificity.


Subject(s)
Computer-Assisted Image Processing/methods , Video Recording/methods , Algorithms , Computer Simulation , Humans , Infant , Biological Models , Sensitivity and Specificity