Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Previous Work
Background
Conclusion and Discussion
References
All Topics
Computer Science
Distributed Systems

Context-Aware Access Control Using Semantic Policies

Profile image of Allan JostAllan Jost

2008, Ubiquitous Computing And …

Abstract

One of the aspects of autonomic computing is self-protecting where systems are required to consistently enforce security policies in order to allow legitimate actions. The information that comes through the feedback loop after being monitored and analayzed tells the systems what is happening in the environments. The analyzed information describes situation and it is called context. The challenge lies in the question of how the autonomic system protects itself through changes of the situation or context, in other words, how access control policies can be properly written and enforced based on the context. Moreover, when the situation or context changes the policies must also reflect this change. A rudimentary approach is to manually write access control policies for all possible instantiations of the context. This is a cumbersome process and difficult to maintain with a large complex system. This paper focuses on access control policies and addresses these issues by representing context in semantic knowledge and extending a standard access control policy language, XACML, to incorporate the semantic knowledge. The work is validated by a proof of concept implementation.

Related papers

Semantic context aware security policy deployment
Geo Alfaro

2009

The successful deployment of a security policy is closely related not only to the complexity of the security requirements but also to the capabilities/functionalities of the security devices. The complexity of the security requirements is additionally increased when contextual constraints are taken into account. Such situations appear when addressing the dynamism of some security requirements or when searching a finer granularity for the security rules. The context denotes those specific conditions in which the security requirements are to be met. (Re)deploying a contextual security policy depends on the security device functionalities: either (1) the devices include all functionalities necessary to deal with a context and the policy is consequently deployed for ensuring its automatic changes or (2) the devices do not have the right functionalities to entirely interpret a contextual requirement. We present a solution to cope with this issue: the (re)deployment of access control policies in a system that lacks the necessary functionalities to deal with contexts.

View PDFchevron_right
A Policy Language for Abstraction and Automation in Application-oriented Access Controls
Tanya McGill

z.cliffe.schreuders.org

This paper presents a new policy language, known as functionality-based application confinement policy language (FBAC-PL). FBAC-PL takes a unique approach to expressing application-oriented access control policies. Policies for restricting applications are defined in terms of the features applications provide, by means of parameterised and hierarchical policy abstractions known as functionalities. Policies also include metadata for management and the automation of policy specification. The result is a novel scheme for application confinement policy that reuses, encapsulates and abstracts policy details, and facilitates a priori policy specification: that is, without having to rely solely on learning modes for creating policies to restrict applications. This paper presents the policy language, and illustrates its use with examples. A Linux-based implementation, which uses FBAC-PL, has demonstrated that this approach can overcome policy complexity and usability issues of previous schemes.

View PDFchevron_right
Invited Talk - Towards Semantics-Aware Access Control
Ernesto Damiani

IFIP International Federation for Information Processing, 2004

Semantic-Web style metadata for advanced context representation and domain knowledge are likely to play a more and more important role within access control models and languages. This paper outlines how context metadata can be referred to in semantics-aware access control policies and discusses the main open issues in designing, producing, and maintaining metadata for security.

View PDFchevron_right
Utilizing Semantic Knowledge for Access Control in Pervasive and Ubiquitous Systems
Allan Jost

Mobile Networks and Applications, 2010

Controlling access in pervasive environments is crucial and a significant challenge because users and devices can connect from anywhere which results in users and resources becoming available at any point of time and location depending on the situation. Access control policies for this type of environment are required to conform to high-level business notions. In pervasive environments, these high-level notions refer to contexts of the situation which can change unpredictably and must be interpreted semantically to maintain proper access control. Therefore, it is necessary to have a formal representation that represents semantics of the contexts, reflects the change of the situation, and can be shared and understood by a policy system. This paper addresses these issues by introducing a context management system that uses a semantic web approach as an underlying mechanism to model and represent semantics of the contexts. The system stores current contexts in a semantic knowledge base which is used

View PDFchevron_right
Applying semantic knowledge to real-time update of access control policies
Indrakshi Ray

IEEE Transactions on Knowledge and Data Engineering, 2005

Real-time update of access control policies, that is, updating policies while they are in effect and enforcing the changes immediately, is necessary for many security-critical applications. In this paper, we consider real-time update of access control policies in a database system. Updating policies while they are in effect can lead to potential security problems, such as, access to database objects by unauthorized users. In this paper, we propose several algorithms that not only prevent such security breaches but also ensure the correctness of execution. The algorithms differ from each other in the degree of concurrency provided and the semantic knowledge used. Of the algorithms presented, the most concurrency is achieved when transactions are decomposed into atomic steps. Once transactions are decomposed, the atomicity, consistency, and isolation properties no longer hold. Since the traditional transaction processing model can no longer be used to ensure the correctness of the execution, we use an alternate semantic-based transaction processing model. To ensure correct behavior, our model requires an application to satisfy a set of necessary properties, namely, semantic atomicity, consistent execution, sensitive transaction isolation, and policy-compliant. We show how one can verify an application statically to check for the existence of these properties.

View PDFchevron_right
CAMAC: A Context-Aware Mandatory Access Control Model
Haadi Jafarian

2009

Mandatory access control models have traditionally been employed as a robust security mechanism in multilevel security environments such as military domains. In traditional mandatory models, the security classes associated with entities are context-insensitive. However, context-sensitivity of security classes and flexibility of access control mechanisms may be required especially in pervasive computing environments. To this aim, we propose a context-aware mandatory access control model (CAMAC) capable of dynamic adaptation of access control policies to context, and of handling context-sensitive class association, in addition to preservation of confidentiality and integrity as specified in traditional mandatory access control models. In order to prevent any ambiguity, a formal specification of the model and its elements such as context predicates, context types, level update rules, and operations is required. High expressiveness of the model allows specification of the traditional mandatory access control models such as BLP, Biba, Dion, and Chinese Wall. The model can also be considered as an information flow control model with context-sensitive association of security classes.

View PDFchevron_right
Context-aware Automatic Access Policy Specification for IoT Environments
Ashraf Alkhresheh

2018

Data privacy becomes a primary impediment to the realization of the IoT vision. One approach to the IoT security and privacy problem is to restrict access to sensitive data via access control and authorization models. Yet access context in IoT changes frequently raising the need for flexible and dynamic access control policies. Towards developing dynamic access control policies, context-based access control techniques are being investigated due to their robustness in assigning dynamic access permissions according to changes in context. In this paper, we propose to automate the generation of access control policies to overcome the inflexibility in traditional access policy specification techniques, and improve its adaptability to dynamic IoT environments. In our framework, we use context, attributes, and predication to describe the core access control elements. In response to access requests, our algorithm automatically produces conflict-free access control policies and makes the fin...

View PDFchevron_right
Context-Aware Policy Enforcement for PaaS-Enabled Access Control
Iraklis Paraskakis

IEEE Transactions on Cloud Computing, 2019

It is generally conceded that, due to security and privacy concerns, enterprises and users are reluctant to embrace the cloud computing paradigm and hence benefit from the cost reductions and the increased flexibility or business agility that this paradigm brings about. These concerns stem mainly from the significantly-expanded attack surfaces that result from the heterogeneous nature of cloud services and the dynamicity inherent in cloud environments. In order to alleviate these concerns, effective and flexible access control approaches are required to consider the contextual parameters that characterise data access requests in the cloud. In this respect, this work presents PaaSword: a novel holistic access control framework-essentially a PaaS offering-that extends the popular XACML standard with semantic reasoning capabilities that support the federation of effective context-aware access control policies and their infusion into cloud applications with minimal manual intervention and effort. To determine the performance of our solution, a comparative evaluation test is presented and discussed, against a well-known reference implementation of the XACML standard, namely the open source WSO2 Balana engine.

View PDFchevron_right
An Ontological Template for Context Expressions in Attribute-based Access Control Policies
Iraklis Paraskakis

Proceedings of the 7th International Conference on Cloud Computing and Services Science, 2017

By taking up the cloud computing paradigm enterprises are able to realise significant cost savings whilst increasing their agility and productivity. However, due to security concerns, many enterprises are reluctant to migrate their critical data and operations to the cloud. One way to alleviate these concerns is to devise suitable policies that infuse adequate access controls into cloud services. However, the dynamicity inherent in cloud environments, coupled with the heterogeneous nature of cloud services, hinders the formulation of effective and interoperable access control policies that are suitable for the underlying domain of application. To this end, this work proposes an ontological template for the semantic representation of context expressions in access control policies. This template is underpinned by a suitable set of interrelated concepts that generically capture a wide range of contextual knowledge that must be considered during the evaluation of policies.

View PDFchevron_right
Dynamic deployment of context-aware access control policies for constrained security devices
Joaquin Alfaro

Journal of Systems and Software, 2011

Securing the access to a server, guaranteeing a certain level of protection over an encrypted communication channel, executing particular counter measures when attacks are detected are examples of security requirements. Such requirements are identied based on organizational purposes and expectations in terms of resource access and availability and also on system vulnerabilities and threats. All these requirements belong to the so-called security policy. Deploying the policy means enforcing, i.e., conguring, those security components and mechanisms so that the system behavior be nally the one specied by the policy. The deployment issue becomes more dicult as the growing organizational requirements and expectations generally leave behind the integration of new security functionalities in the information system: the information system will not always embed the necessary security functionalities for the proper deployment of contextual security requirements. To overcome this issue, our solution is based on a central entity approach which takes in charge unmanaged contextual requirements and dynamically redeploys the policy when context changes are detected by this central entity.

View PDFchevron_right

References (37)

  1. Uv::http://www.w3.org/1999/02/22- rdf-syntax-ns#type: Uv::http://www.w3.org/2002/07/owl#ObjectP roperty: Uv::http://flame.cs.dal.ca/~dersingh/owl/ont ology.owl#Alice: Uv::http://flame.cs.dal.ca/~dersingh/ owl/ontology.owl#hasLocation: Uv::http://flame.cs.dal.ca/~dersingh/owl/ontol ogy.owl#room_122: Uv::http://flame.cs.dal.ca/~dersingh/owl/ont ology.owl#Alice: Uv::http://flame.cs.dal.ca/~dersingh/ owl/ontology.owl#inConsultation: Uv::http://flame.cs.dal.ca/~dersingh/owl/ontol ogy.owl#consultation_1: Uv::http://flame.cs.dal.ca/~dersingh/owl/ont ology.owl#Jane: Uv::http://flame.cs.dal.ca/~dersingh/ owl/ontology.owl#hasLocation: Uv::http://flame.cs.dal.ca/~dersingh/owl/ontol ogy.owl#room_122: Uv::http://flame.cs.dal.ca/~dersingh/owl/ont ology.owl#Jane: Uv::http://flame.cs.dal.ca/~dersingh/ owl/ontology.owl#inConsultation: Uv::http://flame.cs.dal.ca/~dersingh/owl/ontol ogy.owl#consultation_1: Uv::http://flame.cs.dal.ca/~dersingh/owl/ont ology.owl#Bob: Uv::http://flame.cs.dal.ca/~dersingh/ owl/ontology.owl#inCall: Uv::http://flame.cs.dal.ca/~dersingh/owl/ontol ogy.owl#Phone_Call_1: Uv::http://flame.cs.dal.ca/~dersingh/owl/ont ology.owl#Bob: Uv::http://flame.cs.dal.ca/~dersingh/ owl/ontology.owl#inSameCall: Uv::http://flame.cs.dal.ca/~dersingh/owl/ontol ogy.owl#Alice: Uv::http://flame.cs.dal.ca/~dersingh/owl/ont ology.owl#Bob: Uv::http://flame.cs.dal.ca/~dersingh/ owl/ontology.owl#inConsultation: Uv::http://flame.cs.dal.ca/~dersingh/owl/ontol ogy.owl#consultation_1: Uv::http://flame.cs.dal.ca/~dersingh/owl/ont ology.owl#Web_NCAP Uv::http://flame.cs.dal.ca/~dersingh/ owl/ontology.owl#hasLocation: Uv::http://flame.cs.dal.ca/~dersingh/owl/ontol ogy.owl#room_122: Uv::http://flame.cs.dal.ca/~dersingh/owl/ont ology.owl#Web_NCAP Uv::http://flame.cs.dal.ca/~dersingh/ owl/ontology.owl#inConsultation: Uv::http://flame.cs.dal.ca/~dersingh/owl/ontol ogy.owl#consultation_1: 10 REFERENCES
  2. N. Chase, "An autonomic computing roadmap", http://www.ibm.com/developerworks/library/ac- roadmap, 2004.
  3. B. Foote, and J. Yoder, "Big Ball of Mud", in Pattern Languages of Program Design 4, ed. N. Harrison, B. Foote, H. Rohnert, Addison-Wesley, 2000.
  4. P. Lin, A. MacArthur, and J. Leaney, "Defining Autonomic Computing: A Software Engineering Perspective", Proc. Australian Software Engineering Conference, pp. 88-97, 2005.
  5. J. O. Kephart, D. M. Chess. "The Vision of Autonomic Computing." Computer, Jan., 2003, pp41-50.
  6. M. Weiser, "Creating the Invisible Interface", Symposium on User Interface Software and Technology, New York, NY, ACM Press, 1994.
  7. S. Dobson et. al.,"A Survey of Autonomic Communications", ACM Transactions on Autonomous and Adaptive Systems (TAAS), pp. 223-259, December 2006.
  8. T. Moses, "eXtensible Access Control Markup Language (XACML) version 2.0," 2005, http://docs.oasis- open.org/xacml/2.0/access_control-xacml-2.0- core-spec-os.pdf.
  9. H. Cheng, T Finin, and A. Joshi, "An Ontology for Context-Aware Pervasive Computing Environments," Proc. IJCAI Workshop on Ontologies and Distributed Systems, IJCAI, 2003, http://www.cs.vu.nl/~heiner/IJCAI- 03/Papers/Chen.pdf.
  10. A. Corradi, R. Montanari, and D. Tibaldi, "Context-based Access Control for Ubiquitous Service Provisioning", pp. 444-451, 28th Annual International Computer Software and Applications Conference (COMPSAC'04), 2004.
  11. L. Kagal, "A Policy-Based Approach to Governing Autonomous Behavior in Distributed Environments", Dissertation, 2004.
  12. L. Kagal, and T. Berners-Lee, "Rein: Where policies meet rules in the semantic web," Technical report, MIT, 2005.
  13. L. Kagal, T. Finin, and A. Joshi, "A Policy Language for a Pervasive Computing Environment", In IEEE 4th International Workshop on Policies for distributed Systems and Networks, 2003.
  14. A. Patwardhan, V. Korolev, L. Kagal, and A. Joshi, "Enforcing Policies in Pervasive Environments", International Conference on Mobile and Ubiquitous Systems: Networking and Services, August 2004.
  15. A. Uszok, J. Bradshaw, R. Jeffers, N. Suri, P. Hayes, M. Breedy, L. Bunch, M. Johnson, S. Kulkarni, and L. Lott., "KAoS policy and domain services: Toward a description-logic approach to policy representation, deconfliction, and enforcement", In Proc. 4 th IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'03), page 93, 2003.
  16. E. Damiani, S. De Capitani di Vimercati, C. Fugazza, and P. Samarati, "Extending Policy Languages to the Semantic Web", International Conference on Web Engineering (ICWE2004), Lecture Notes in Computer Science, pp. 330-343, July 2004.
  17. T. Priebe, W. Dobmeier, and N. Kamprath, "Supporting Attribute-based Access Control with Ontologies," First International Conference on Availability, Reliability and Security (ARES'06), pp. 465-472, 2006.
  18. A. Toninelli, R. Montanari, and L. Kagal, O. Lassila, "A Semantic Context-Aware Access Control Framework for Secure Collaborations in Pervasive Computing Environments", International Semantic Web Conference, pp. 473-486, 2006.
  19. V. C. Hu, D. F. Ferraiolo, and D. R. Kuhn, "Assessment of Access Control Systems", National Institute of Standards and Technology (NIST), Technology Administration, U.S. Department of Commerce, Interagency Report 7316, September 2006.
  20. A. Dersingh, R. Liscano, and A. Jost, "Bridging the Policy Gap in Pervasive Access Control: A Semantic Web Approach," 4 th International Workshop on Managing Ubiquitous Communications and Services, Munich, Germany, May 2007.
  21. G. Antoniou, and F. V. Harmelen, "A Semantic Web Primer", The MIT Press Cambridge, Massachusetts London, England, 2004.
  22. J. Heflin, "OWL Web Ontology Language Use Cases and Requirements", http://www.w3.org/TR/webont-req/, February 2004.
  23. W. Chunkun, "Policy-based Network
  24. Management", Proceeding of IEEE International Conference on Communication Technology, vol 1, pp. 101-105, August 2000.
  25. S. Waldbusser, J. Saperia, and T. Hongal, "Policy Based Management MIB", IETF, RFC 4011, March 2005.
  26. N. Damianou, N. Dulay, E. Lupu, M. Sloman, "The PONDER Policy Specification Language", In Proc. International Workshop of Policies for Distributed Systems and Networks (Policy 2001).
  27. Bristol, UK, January 2001. LNCS 1995: 18-39, Springer-Verlag (2001).
  28. A. Corradi, R. Montanari, and D. Tibaldi, "Context-based Access Control for Ubiquitous Service Provisioning", pp. 444-451, 28th Annual International Computer Software and Applications Conference (COMPSAC'04), 2004.
  29. D. L. McGuinness, and F. van Harmelen, "OWL Web Ontology Language Overview", http://www.w3.org/TR/owl-features/, February 2004.
  30. I. Horrocks, P. F. Patel-Schneider, H. Boley, S. Tabet, B. Grosof, M. Dean: SWRL: A Semantic Web Rule Language Combining OWL and RuleML, W3C Member Submission (21 May 2004).
  31. Protégé Editor and API, http://protege.stanford.edu Accessed July 2007.
  32. Jena API for Java, http://jena.sourceforge.net Access July 2007.
  33. Jess Rule Engine, http://herzberg.ca.sandia.gov/jess Accessed July 2007.
  34. MySQL database, http://www.mysql.com.
  35. Accessed July 2007.
  36. E. F. Sadok and R. Liscano, "A Web Services Framework for 1451 Sensor Networks", Proceedings of the 2005 IEEE Instrumentation and Measurement Technology Conference, 2005. (IMTC 2005) Ottawa, ON Canada May 17-19, 2005.
  37. C. McGregor and B. Kneale, Simulated Neonatal Intensive Care Units to Support Neonatologist International Mobility", Proceedings of the Third IASTED International Conference of Telehealth (Telehealth 2007), Montral, Canada.

Related papers

A Semantic Policy Framework for Context-Aware Access Control Applications
A. S. M. Kayes

12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2013), 2013

Due to the rapid advancement of communication technologies, the ability to support access control to resources in open and dynamic environments is crucial. On the one hand, users demand access to resources and services in an anywhere, anytime fashion. On the other hand, additional challenges arise when ensuring privacy and security requirements of the stakeholders in dynamically changing environments. Conventional Role-based Access Control (RBAC) systems evaluate access permissions depending on the identity/role of the users who are requesting access to resources. However, this approach does not incorporate dynamically changing context information which could have an impact on access decisions in open and dynamic environments. In such environments, an access control model with both dynamic associations of user-role and role-permission capabilities is needed. In order to achieve the above goal, this paper proposes a novel policy framework for context-aware access control (CAAC) applications that extends the RBAC model with dynamic attributes defined in an ontology. We introduce a formal language for specifying our framework including its basic elements, syntax and semantics. Our policy framework uses the relevant context information in order to enable user-role assignment, while using purpose-oriented situation information to enable role-permission assignment. We have developed a prototype to realize the framework and demonstrated the framework through a healthcare case study.

View PDFchevron_right
ICAF: A Context-Aware Framework for Access Control
A. S. M. Kayes

17th Australasian Conference on Information Security and Privacy (ACISP 2012), 2012

Context-aware systems acquire and integrate multi-faceted knowledge about their environments in order to make decisions. A number of attempts to build frameworks for context-aware systems have been made, but these have not provided adequate support for context-aware access control. In this paper, we present a framework for context-aware access control and its prototype implementation. The framework includes a context model for classifying and capturing access control-oriented contextual information, a situation model for identifying and defining contextual conditions of concern, and a policy model for specifying context-aware access control policies.

View PDFchevron_right
A Context-Aware Access Control Framework for Software Services
A. S. M. Kayes

11th International Conference on Service Oriented Computing (ICSOC 2013), 2013

Due to the rapid advancement of communication technologies, the ability to support access control to resources in open and dynamic environments is crucial. On the one hand, users demand access to resources and services in an anywhere, anytime fashion. On the other hand, additional challenges arise when ensuring privacy and security requirements of the stakeholders in dynamically changing environments. Conventional Role-based Access Control (RBAC) systems evaluate access permissions depending on the identity/role of the users who are requesting access to resources. However, this approach does not incorporate dynamically changing context information which could have an impact on access decisions in open and dynamic environments. In such environments, an access control model with both dynamic associations of user-role and role-permission capabilities is needed. In order to achieve the above goal, this paper proposes a novel policy framework for context-aware access control (CAAC) applications that extends the RBAC model with dynamic attributes defined in an ontology. We introduce a formal language for specifying our framework including its basic elements, syntax and semantics. Our policy framework uses the relevant context information in order to enable user-role assignment, while using purpose-oriented situation information to enable role-permission assignment. We have developed a prototype to realize the framework and demonstrated the framework through a healthcare case study.

View PDFchevron_right
An Ontology-Based Approach to Context-Aware Access Control for Software Services
A. S. M. Kayes

14th International Conference on Web Information System Engineering (WISE 2013), 2013

In modern communication environments, the ability to provide access control to services in a context-aware manner is crucial. By leveraging the dynamically changing context information, we can achieve context-specific control over access to services, better satisfying the security and privacy requirements of the stakeholders. In this paper, we introduce a General Ontology-Based Context-Aware Access Control (CAAC) Framework that adopts an ontological approach in modelling dynamic context information and the corresponding access control policies. It includes a context model specific to access control, capturing the relevant low-level context information and inferring the high-level implicit context information. Using the context model, the policy model of the framework provides support for specifying and enforcing context-aware access control policies. We have developed a prototype and have presented a healthcare case study to realise the framework. Experimental results demonstrate the feasibility of our approach and quantify the performance overhead of supporting context-awareness for software services.

View PDFchevron_right
Semantic-based Obligation for Context-Based Access Control
ahmed saaudi

2019

In this paper, we present a dynamic and extensible semantic-based obligation framework. Our framework is meant to be used in conjunction with context-based authorization. Our approach is suitable to incorporate dynamically changing obligation requirements. We express obligation requirements and contextual information as ontologies. We employ Description logic and Logic Programming technologies for modeling contexts, privileges and obligations. We show how semantic-based techniques can be used to support adaptive and dynamic obligation for Context-Based Access Control (CBAC) policies. We also show that our framework is expressive enough to incorporate obligation’s needs in dynamic environments. Furthermore, we have developed a proof of concept implementation to demonstrate our work.

View PDFchevron_right

Related topics

  • Autonomic Computing
  • Access Control Policy
    • 580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved