As an important resource in data link,time slots should be strategically allocated to enhance transmission efficiency and resist eavesdropping,especially considering the tremendous increase in the number of nodes and ...As an important resource in data link,time slots should be strategically allocated to enhance transmission efficiency and resist eavesdropping,especially considering the tremendous increase in the number of nodes and diverse communication needs.It is crucial to design control sequences with robust randomness and conflict-freeness to properly address differentiated access control in data link.In this paper,we propose a hierarchical access control scheme based on control sequences to achieve high utilization of time slots and differentiated access control.A theoretical bound of the hierarchical control sequence set is derived to characterize the constraints on the parameters of the sequence set.Moreover,two classes of optimal hierarchical control sequence sets satisfying the theoretical bound are constructed,both of which enable the scheme to achieve maximum utilization of time slots.Compared with the fixed time slot allocation scheme,our scheme reduces the symbol error rate by up to 9%,which indicates a significant improvement in anti-interference and eavesdropping capabilities.展开更多
The 6G network architecture introduces the paradigm of Trust+Security,representing a shift in network protection strategies from external defense mechanisms to endogenous security enforcement.While ZTNs(zerotrust netw...The 6G network architecture introduces the paradigm of Trust+Security,representing a shift in network protection strategies from external defense mechanisms to endogenous security enforcement.While ZTNs(zerotrust networks)have demonstrated significant advancements in constructing trust-centric frameworks,most existing ZTN implementations lack comprehensive integration of security deployment and traffic monitoring capabilities.Furthermore,current ZTN designs generally do not facilitate dynamic assessment of user reputation.To address these limitations,this study proposes a DPZTN(Data-plane-based Zero Trust Network).DPZTN framework extends traditional ZTN models by incorporating security mechanisms directly into the data plane.Additionally,blockchain infrastructure is used to enable decentralized identity authentication and distributed access control.A pivotal element within the proposed framework is ZTNE(Zero-Trust Network Element),which executes access control policies and performs real-time user traffic inspection.To enable dynamic and fine-grained evaluation of user trustworthiness,this study introduces BBEA(Bayesian-based Behavior Evaluation Algorithm).BBEA provides a framework for continuous user behavior analysis,supporting adaptive privilege management and behavior-informed access control.Experimental results demonstrate that ZTNE combined with BBEA,can effectively respond to both individual and mixed attack types by promptly adjusting user behavior scores and dynamically modifying access privileges based on initial privilege levels.Under conditions supporting up to 10,000 concurrent users,the control system maintains approximately 65%CPU usage and less than 60%memory usage,with average user authentication latency around 1 s and access control latency close to 1 s.展开更多
The traditional centralized data sharing systems have potential risks such as single point of failures and excessive working load on the central node.As a distributed and collaborative alternative,approaches based upo...The traditional centralized data sharing systems have potential risks such as single point of failures and excessive working load on the central node.As a distributed and collaborative alternative,approaches based upon blockchain have been explored recently for Internet of Things(IoTs).However,the access from a legitimate user may be denied without the pre-defined policy and data update on the blockchain could be costly to the owners.In this paper,we first address these issues by incorporating the Accountable Subgroup Multi-Signature(ASM)algorithm into the Attribute-based Access Control(ABAC)method with Policy Smart Contract,to provide a finegrained and flexible solution.Next,we propose a policy-based Chameleon Hash algorithm that allows the data to be updated in a reliable and convenient way by the authorized users.Finally,we evaluate our work by comparing its performance with the benchmarks.The results demonstrate significant improvement on the effectiveness and efficiency.展开更多
In the security and privacy fields,Access Control(AC)systems are viewed as the fundamental aspects of networking security mechanisms.Enforcing AC becomes even more challenging when researchers and data analysts have t...In the security and privacy fields,Access Control(AC)systems are viewed as the fundamental aspects of networking security mechanisms.Enforcing AC becomes even more challenging when researchers and data analysts have to analyze complex and distributed Big Data(BD)processing cluster frameworks,which are adopted to manage yottabyte of unstructured sensitive data.For instance,Big Data systems’privacy and security restrictions are most likely to failure due to the malformed AC policy configurations.Furthermore,BD systems were initially developed toped to take care of some of the DB issues to address BD challenges and many of these dealt with the“three Vs”(Velocity,Volume,and Variety)attributes,without planning security consideration,which are considered to be patch work.Some of the BD“three Vs”characteristics,such as distributed computing,fragment,redundant data and node-to node communication,each with its own security challenges,complicate even more the applicability of AC in BD.This paper gives an overview of the latest security and privacy challenges in BD AC systems.Furthermore,it analyzes and compares some of the latest AC research frameworks to reduce privacy and security issues in distributed BD systems,which very few enforce AC in a cost-effective and in a timely manner.Moreover,this work discusses some of the future research methodologies and improvements for BD AC systems.This study is valuable asset for Artificial Intelligence(AI)researchers,DB developers and DB analysts who need the latest AC security and privacy research perspective before using and/or improving a current BD AC framework.展开更多
In the environment of big data,the traditional access control lacks effective and flexible access mechanism.Based on attribute access control,this paper proposes a HBMC-ABAC big data access control framework.It solves...In the environment of big data,the traditional access control lacks effective and flexible access mechanism.Based on attribute access control,this paper proposes a HBMC-ABAC big data access control framework.It solves the problems of difficult authority change,complex management,over-authorization and lack of authorization in big data environment.At the same time,binary mapping codes are proposed to solve the problem of low efficiency of policy retrieval in traditional ABAC.Through experimental analysis,the results show that our proposed HBMC-ABAC model can meet the current large and complex environment of big data.展开更多
With the development of cloud computing, the mutual understandability among distributed data access control has become an important issue in the security field of cloud computing. To ensure security, confidentiality a...With the development of cloud computing, the mutual understandability among distributed data access control has become an important issue in the security field of cloud computing. To ensure security, confidentiality and fine-grained data access control of Cloud Data Storage (CDS) environment, we proposed Multi-Agent System (MAS) architecture. This architecture consists of two agents: Cloud Service Provider Agent (CSPA) and Cloud Data Confidentiality Agent (CDConA). CSPA provides a graphical interface to the cloud user that facilitates the access to the services offered by the system. CDConA provides each cloud user by definition and enforcement expressive and flexible access structure as a logic formula over cloud data file attributes. This new access control is named as Formula-Based Cloud Data Access Control (FCDAC). Our proposed FCDAC based on MAS architecture consists of four layers: interface layer, existing access control layer, proposed FCDAC layer and CDS layer as well as four types of entities of Cloud Service Provider (CSP), cloud users, knowledge base and confidentiality policy roles. FCDAC, it’s an access policy determined by our MAS architecture, not by the CSPs. A prototype of our proposed FCDAC scheme is implemented using the Java Agent Development Framework Security (JADE-S). Our results in the practical scenario defined formally in this paper, show the Round Trip Time (RTT) for an agent to travel in our system and measured by the times required for an agent to travel around different number of cloud users before and after implementing FCDAC.展开更多
Attribute-based Encryption(ABE)enhances the confidentiality of Electronic Health Records(EHR)(also known as Personal Health Records(PHR))by binding access rights not to individual identities,but to user attribute sets...Attribute-based Encryption(ABE)enhances the confidentiality of Electronic Health Records(EHR)(also known as Personal Health Records(PHR))by binding access rights not to individual identities,but to user attribute sets such as roles,specialties,or certifications.This data-centric cryptographic paradigm enables highly fine-grained,policydriven access control,minimizing the need for identity management and supporting scalable multi-user scenarios.This paper presents a comprehensive and critical survey of ABE schemes developed specifically for EHR/PHR systems over the past decade.It explores the evolution of these schemes,analyzing their design principles,strengths,limitations,and the level of granularity they offer in access control.The review also evaluates the security guarantees,efficiency,and practical applicability of these schemes in real-world healthcare environments.Furthermore,the paper outlines the current state of ABE as a mechanism for safeguarding EHR data and managing user access,while also identifying the key challenges that remain.Open issues such as scalability,revocation mechanisms,policy updates,and interoperability are discussed in detail,providing valuable insights for researchers and practitioners aiming to advance the secure management of health information systems.展开更多
Big data resources are characterized by large scale, wide sources, and strong dynamics. Existing access controlmechanisms based on manual policy formulation by security experts suffer from drawbacks such as low policy...Big data resources are characterized by large scale, wide sources, and strong dynamics. Existing access controlmechanisms based on manual policy formulation by security experts suffer from drawbacks such as low policymanagement efficiency and difficulty in accurately describing the access control policy. To overcome theseproblems, this paper proposes a big data access control mechanism based on a two-layer permission decisionstructure. This mechanism extends the attribute-based access control (ABAC) model. Business attributes areintroduced in the ABAC model as business constraints between entities. The proposed mechanism implementsa two-layer permission decision structure composed of the inherent attributes of access control entities and thebusiness attributes, which constitute the general permission decision algorithm based on logical calculation andthe business permission decision algorithm based on a bi-directional long short-term memory (BiLSTM) neuralnetwork, respectively. The general permission decision algorithm is used to implement accurate policy decisions,while the business permission decision algorithm implements fuzzy decisions based on the business constraints.The BiLSTM neural network is used to calculate the similarity of the business attributes to realize intelligent,adaptive, and efficient access control permission decisions. Through the two-layer permission decision structure,the complex and diverse big data access control management requirements can be satisfied by considering thesecurity and availability of resources. Experimental results show that the proposed mechanism is effective andreliable. In summary, it can efficiently support the secure sharing of big data resources.展开更多
This paper proposes a security policy model for mandatory access control in class B1 database management system whose level of labeling is tuple. The relation hierarchical data model is extended to multilevel relatio...This paper proposes a security policy model for mandatory access control in class B1 database management system whose level of labeling is tuple. The relation hierarchical data model is extended to multilevel relation hierarchical data model. Based on the multilevel relation hierarchical data model, the concept of upper lower layer relational integrity is presented after we analyze and eliminate the covert channels caused by the database integrity. Two SQL statements are extended to process polyinstantiation in the multilevel secure environment. The system is based on the multilevel relation hierarchical data model and is capable of integratively storing and manipulating multilevel complicated objects ( e.g., multilevel spatial data) and multilevel conventional data ( e.g., integer, real number and character string).展开更多
Data trading enables data owners and data requesters to sell and purchase data.With the emergence of blockchain technology,research on blockchain-based data trading systems is receiving a lot of attention.Particularly...Data trading enables data owners and data requesters to sell and purchase data.With the emergence of blockchain technology,research on blockchain-based data trading systems is receiving a lot of attention.Particularly,to reduce the on-chain storage cost,a novel paradigm of blockchain and cloud fusion has been widely considered as a promising data trading platform.Moreover,the fact that data can be used for commercial purposes will encourage users and organizations from various fields to participate in the data marketplace.In the data marketplace,it is a challenge how to trade the data securely outsourced to the external cloud in a way that restricts access to the data only to authorized users across multiple domains.In this paper,we propose a cross-domain bilateral access control protocol for blockchain-cloud based data trading systems.We consider a system model that consists of domain authorities,data senders,data receivers,a blockchain layer,and a cloud provider.The proposed protocol enables access control and source identification of the outsourced data by leveraging identity-based cryptographic techniques.In the proposed protocol,the outsourced data of the sender is encrypted under the target receiver’s identity,and the cloud provider performs policy-match verification on the authorization tags of the sender and receiver generated by the identity-based signature scheme.Therefore,data trading can be achieved only if the identities of the data sender and receiver simultaneously meet the policies specified by each other.To demonstrate efficiency,we evaluate the performance of the proposed protocol and compare it with existing studies.展开更多
Security and access control for data storage in 5G industrial Internet collaborative systems are facing significant challenges.The characteristics of 5 G networks,such as low latency and high speed,facilitate data tra...Security and access control for data storage in 5G industrial Internet collaborative systems are facing significant challenges.The characteristics of 5 G networks,such as low latency and high speed,facilitate data transmission in the industrial Internet but also increase vulnerability to attacks like theft and tampering.Moreover,in 5G industrial Internet collaborative system environments,data flows across multiple entities and links,which necessitates a flexible access control model to meet specific data access requirements.Traditional role-based and attribute-based access control mechanisms are difficult to apply in such dynamic application scenarios.To address these challenges,we propose a novel data storage solution for 5G industrial Internet collaborative systems.Similar to existing approaches,it provides integrity and confidentiality protection for transmitted data.In terms of security,only authenticated data owners and users can obtain file decryption keys,preventing malicious attackers from data forgery.Regarding access control,decryption is permitted only to authorized data users,safeguarding against unauthorized file access.Furthermore,by introducing an attribute-based encryption mechanism,only data users with specific attributes can decrypt files.In terms of efficiency,our approach utilizes bilinear and modular exponentiation operations solely during the authentication process.For handling substantial data loads,lightweight cryptographic algorithms are employed.Consequently,our solution achieves higher efficiency compared with other known methods.Experimental results demonstrate the feasibility of our approach in real-world applications.展开更多
In Cloud Computing, the application software and the databases are moved to large centralized data centers, where the management of the data and services may not be fully trustworthy. This unique paradigm brings many ...In Cloud Computing, the application software and the databases are moved to large centralized data centers, where the management of the data and services may not be fully trustworthy. This unique paradigm brings many new security challenges, which have not been well solved. Data access control is an effective way to ensure the big data security in the cloud. In this paper,we study the problem of fine-grained data access control in cloud computing.Based on CP-ABE scheme,we propose a novel access control policy to achieve fine-grainedness and implement the operation of user revocation effectively.The analysis results indicate that our scheme ensures the data security in cloud computing and reduces the cost of the data owner significantly.展开更多
To solve the problems of data sharing in social network,such as management of private data is too loose,access permissions are not clear,mode of data sharing is too single and soon on,we design a hierarchical access c...To solve the problems of data sharing in social network,such as management of private data is too loose,access permissions are not clear,mode of data sharing is too single and soon on,we design a hierarchical access control scheme of private data based on attribute encryption.First,we construct a new algorithm based on attribute encryption,which divides encryption into two phases,and we can design two types of attributes encryption strategy to make sure that different users could get their own decryption keys corresponding to their permissions.We encrypt the private data hierarchically with our algorithm to realize“precise”,“more accurate”,“fuzzy”and“private”four management modes,then users with higher permissions can access the private data inferior to their permissions.And we outsource some complex operations of decryption to DSP to ensure high efficiency on the premise of privacy protection.Finally,we analyze the efficiency and the security of our scheme.展开更多
With the rapid development of computer technology, cloud-based services have become a hot topic. They not only provide users with convenience, but also bring many security issues, such as data sharing and privacy issu...With the rapid development of computer technology, cloud-based services have become a hot topic. They not only provide users with convenience, but also bring many security issues, such as data sharing and privacy issue. In this paper, we present an access control system with privilege separation based on privacy protection(PS-ACS). In the PS-ACS scheme, we divide users into private domain(PRD) and public domain(PUD) logically. In PRD, to achieve read access permission and write access permission, we adopt the Key-Aggregate Encryption(KAE) and the Improved Attribute-based Signature(IABS) respectively. In PUD, we construct a new multi-authority ciphertext policy attribute-based encryption(CP-ABE) scheme with efficient decryption to avoid the issues of single point of failure and complicated key distribution, and design an efficient attribute revocation method for it. The analysis and simulation result show that our scheme is feasible and superior to protect users' privacy in cloud-based services.展开更多
With the growth of requirements for data sharing,a novel business model of digital assets trading has emerged that allows data owners to sell their data for monetary gain.In the distributed ledger of blockchain,howeve...With the growth of requirements for data sharing,a novel business model of digital assets trading has emerged that allows data owners to sell their data for monetary gain.In the distributed ledger of blockchain,however,the privacy of stakeholder's identity and the confidentiality of data content are threatened.Therefore,we proposed a blockchainenabled privacy-preserving and access control scheme to address the above problems.First,the multi-channel mechanism is introduced to provide the privacy protection of distributed ledger inside the channel and achieve coarse-grained access control to digital assets.Then,we use multi-authority attribute-based encryption(MAABE)algorithm to build a fine-grained access control model for data trading in a single channel and describe its instantiation in detail.Security analysis shows that the scheme has IND-CPA secure and can provide privacy protection and collusion resistance.Compared with other schemes,our solution has better performance in privacy protection and access control.The evaluation results demonstrate its effectiveness and practicability.展开更多
Constraint is an important aspect of role based access control and is sometimes argued to be the principal motivation for role based access control (RBAC). But so far few authors have discussed consistency maintenan...Constraint is an important aspect of role based access control and is sometimes argued to be the principal motivation for role based access control (RBAC). But so far few authors have discussed consistency maintenance for constraint in RBAC model. Based on researches of constraints among roles and types of inconsistency among constraints, this paper introduces corresponding formal rules, rule based reasoning and corresponding methods to detect, avoid and resolve these inconsistencies. Finally, the paper introduces briefly the application of consistency maintenance in ZD PDM, an enterprise oriented product data management (PDM) system.展开更多
Security is an essential part of the cloud environment.For ensuring the security of the data being communicated to and from the cloud server,a significant parameter called trust was introduced.Trust-based security pla...Security is an essential part of the cloud environment.For ensuring the security of the data being communicated to and from the cloud server,a significant parameter called trust was introduced.Trust-based security played a vital role in ensuring that the communication between cloud users and service providers remained unadulterated and authentic.In most cloud-based data distribution environments,emphasis is placed on accepting trusted client users’requests,but the cloud servers’integrity is seldom verified.This paper designs a trust-based access control model based on user and server characteristics in a multi-cloud environment to address this issue.The proposed methodology consists of data encryption using Cyclic Shift Transposition Algorithm and trust-based access control method.In this trust-based access control mechanism framework,trust values are assigned to cloud users using direct trust degrees.The direct trust degree is estimated based on the following metrics:success and failure rate of interactions,service satisfaction index,and dishonesty level.In addition to this,trust values are assigned to cloud servers based on the metrics:server load,service rejection rate,and service access delay.The role-Based Access control policy of each user is modified based on his trust level.If the server fails to meet the minimum trust level,then another suitable server will be selected.The proposed system is found to outperform other existing systems in a multi-cloud environment.展开更多
Big data technologies have seen tremendous growth in recent years. They are widely used in both industry and academia. In spite of such exponential growth, these technologies lack adequate measures to protect data fro...Big data technologies have seen tremendous growth in recent years. They are widely used in both industry and academia. In spite of such exponential growth, these technologies lack adequate measures to protect data from misnse/abuse. Corporations that collect data from multiple sources are at risk of liabilities due to the exposure of sensitive information. In the current implementation of Hadoop, only file-level access control is feasible. Providing users with the ability to access data based on the attlibutes in a dataset or the user's role is complicated because of the sheer volume and multiple formats (structured, unstructured and semi-structured) of data. In this paper, we propose an access control framework, which enforces access control policies dynamically based on the sensitivity of the data. This framework enforces access control policies by harnessing the data context, usage patterns and informat/on sensitivity. Information sensitivity changes over time with the addition and removal of datasets, which can lead to modifications in access control decisions. The proposed framework accommodates these changes. The proposed framework is automated to a large extent as the data itself determines the sensitivity with minimal user intervention. Our experimental results show that the proposed framework is capable of enforcing access control policies on non-multimedia datasets with minimal overhead.展开更多
When the Wireless Sensor Network(WSN)is combined with the Internet of Things(IoT),it can be employed in a wide range of applications,such as agriculture,industry 4.0,health care,smart homes,among others.Accessing the ...When the Wireless Sensor Network(WSN)is combined with the Internet of Things(IoT),it can be employed in a wide range of applications,such as agriculture,industry 4.0,health care,smart homes,among others.Accessing the big data generated by these applications in Cloud Servers(CSs),requires higher levels of authenticity and confidentiality during communication conducted through the Internet.Signcryption is one of the most promising approaches nowadays for overcoming such obstacles,due to its combined nature,i.e.,signature and encryption.A number of researchers have developed schemes to address issues related to access control in the IoT literature,however,the majority of these schemes are based on homogeneous nature.This will be neither adequate nor practical for heterogeneous IoT environments.In addition,these schemes are based on bilinear pairing and elliptic curve cryptography,which further requires additional processing time and more communication overheads that is inappropriate for real-time communication.Consequently,this paper aims to solve the above-discussed issues,we proposed an access control scheme for IoT environments using heterogeneous signcryption scheme with the efficiency and security hardiness of hyperelliptic curve.Besides the security services such as replay attack prevention,confidentiality,integrity,unforgeability,non-repudiations,and forward secrecy,the proposed scheme has very low computational and communication costs,when it is compared to existing schemes.This is primarily because of hyperelliptic curve lighter nature of key and other parameters.The AVISPA tool is used to simulate the security requirements of our proposed scheme and the results were under two backbends(Constraint Logic-based Attack Searcher(CL-b-AtSER)and On-the-Fly Model Checker(ON-t-FL-MCR))proved to be SAFE when the presented scheme is coded in HLPSL language.This scheme was proven to be capable of preventing a variety of attacks,including confidentiality,integrity,unforgeability,non-repudiation,forward secrecy,and replay attacks.展开更多
基金supported by the National Science Foundation of China(No.62171387)the Science and Technology Program of Sichuan Province(No.2024NSFSC0468)the China Postdoctoral Science Foundation(No.2019M663475).
文摘As an important resource in data link,time slots should be strategically allocated to enhance transmission efficiency and resist eavesdropping,especially considering the tremendous increase in the number of nodes and diverse communication needs.It is crucial to design control sequences with robust randomness and conflict-freeness to properly address differentiated access control in data link.In this paper,we propose a hierarchical access control scheme based on control sequences to achieve high utilization of time slots and differentiated access control.A theoretical bound of the hierarchical control sequence set is derived to characterize the constraints on the parameters of the sequence set.Moreover,two classes of optimal hierarchical control sequence sets satisfying the theoretical bound are constructed,both of which enable the scheme to achieve maximum utilization of time slots.Compared with the fixed time slot allocation scheme,our scheme reduces the symbol error rate by up to 9%,which indicates a significant improvement in anti-interference and eavesdropping capabilities.
基金funded by the Basic Research Operating Expenses Postgraduate Innovation Programme(Grant No.W24YJS00010,received by J.Yan)the National Key R&D Program of China(Grant No.2018YFA0701604,received by H.Zhou)the National Natural Science Foundation of China(NSFC)(Grant No.62341102,received by H.Zhou).
文摘The 6G network architecture introduces the paradigm of Trust+Security,representing a shift in network protection strategies from external defense mechanisms to endogenous security enforcement.While ZTNs(zerotrust networks)have demonstrated significant advancements in constructing trust-centric frameworks,most existing ZTN implementations lack comprehensive integration of security deployment and traffic monitoring capabilities.Furthermore,current ZTN designs generally do not facilitate dynamic assessment of user reputation.To address these limitations,this study proposes a DPZTN(Data-plane-based Zero Trust Network).DPZTN framework extends traditional ZTN models by incorporating security mechanisms directly into the data plane.Additionally,blockchain infrastructure is used to enable decentralized identity authentication and distributed access control.A pivotal element within the proposed framework is ZTNE(Zero-Trust Network Element),which executes access control policies and performs real-time user traffic inspection.To enable dynamic and fine-grained evaluation of user trustworthiness,this study introduces BBEA(Bayesian-based Behavior Evaluation Algorithm).BBEA provides a framework for continuous user behavior analysis,supporting adaptive privilege management and behavior-informed access control.Experimental results demonstrate that ZTNE combined with BBEA,can effectively respond to both individual and mixed attack types by promptly adjusting user behavior scores and dynamically modifying access privileges based on initial privilege levels.Under conditions supporting up to 10,000 concurrent users,the control system maintains approximately 65%CPU usage and less than 60%memory usage,with average user authentication latency around 1 s and access control latency close to 1 s.
基金supported by the National Natural Science Foundation of China under Grant 61972148。
文摘The traditional centralized data sharing systems have potential risks such as single point of failures and excessive working load on the central node.As a distributed and collaborative alternative,approaches based upon blockchain have been explored recently for Internet of Things(IoTs).However,the access from a legitimate user may be denied without the pre-defined policy and data update on the blockchain could be costly to the owners.In this paper,we first address these issues by incorporating the Accountable Subgroup Multi-Signature(ASM)algorithm into the Attribute-based Access Control(ABAC)method with Policy Smart Contract,to provide a finegrained and flexible solution.Next,we propose a policy-based Chameleon Hash algorithm that allows the data to be updated in a reliable and convenient way by the authorized users.Finally,we evaluate our work by comparing its performance with the benchmarks.The results demonstrate significant improvement on the effectiveness and efficiency.
文摘In the security and privacy fields,Access Control(AC)systems are viewed as the fundamental aspects of networking security mechanisms.Enforcing AC becomes even more challenging when researchers and data analysts have to analyze complex and distributed Big Data(BD)processing cluster frameworks,which are adopted to manage yottabyte of unstructured sensitive data.For instance,Big Data systems’privacy and security restrictions are most likely to failure due to the malformed AC policy configurations.Furthermore,BD systems were initially developed toped to take care of some of the DB issues to address BD challenges and many of these dealt with the“three Vs”(Velocity,Volume,and Variety)attributes,without planning security consideration,which are considered to be patch work.Some of the BD“three Vs”characteristics,such as distributed computing,fragment,redundant data and node-to node communication,each with its own security challenges,complicate even more the applicability of AC in BD.This paper gives an overview of the latest security and privacy challenges in BD AC systems.Furthermore,it analyzes and compares some of the latest AC research frameworks to reduce privacy and security issues in distributed BD systems,which very few enforce AC in a cost-effective and in a timely manner.Moreover,this work discusses some of the future research methodologies and improvements for BD AC systems.This study is valuable asset for Artificial Intelligence(AI)researchers,DB developers and DB analysts who need the latest AC security and privacy research perspective before using and/or improving a current BD AC framework.
文摘In the environment of big data,the traditional access control lacks effective and flexible access mechanism.Based on attribute access control,this paper proposes a HBMC-ABAC big data access control framework.It solves the problems of difficult authority change,complex management,over-authorization and lack of authorization in big data environment.At the same time,binary mapping codes are proposed to solve the problem of low efficiency of policy retrieval in traditional ABAC.Through experimental analysis,the results show that our proposed HBMC-ABAC model can meet the current large and complex environment of big data.
文摘With the development of cloud computing, the mutual understandability among distributed data access control has become an important issue in the security field of cloud computing. To ensure security, confidentiality and fine-grained data access control of Cloud Data Storage (CDS) environment, we proposed Multi-Agent System (MAS) architecture. This architecture consists of two agents: Cloud Service Provider Agent (CSPA) and Cloud Data Confidentiality Agent (CDConA). CSPA provides a graphical interface to the cloud user that facilitates the access to the services offered by the system. CDConA provides each cloud user by definition and enforcement expressive and flexible access structure as a logic formula over cloud data file attributes. This new access control is named as Formula-Based Cloud Data Access Control (FCDAC). Our proposed FCDAC based on MAS architecture consists of four layers: interface layer, existing access control layer, proposed FCDAC layer and CDS layer as well as four types of entities of Cloud Service Provider (CSP), cloud users, knowledge base and confidentiality policy roles. FCDAC, it’s an access policy determined by our MAS architecture, not by the CSPs. A prototype of our proposed FCDAC scheme is implemented using the Java Agent Development Framework Security (JADE-S). Our results in the practical scenario defined formally in this paper, show the Round Trip Time (RTT) for an agent to travel in our system and measured by the times required for an agent to travel around different number of cloud users before and after implementing FCDAC.
文摘Attribute-based Encryption(ABE)enhances the confidentiality of Electronic Health Records(EHR)(also known as Personal Health Records(PHR))by binding access rights not to individual identities,but to user attribute sets such as roles,specialties,or certifications.This data-centric cryptographic paradigm enables highly fine-grained,policydriven access control,minimizing the need for identity management and supporting scalable multi-user scenarios.This paper presents a comprehensive and critical survey of ABE schemes developed specifically for EHR/PHR systems over the past decade.It explores the evolution of these schemes,analyzing their design principles,strengths,limitations,and the level of granularity they offer in access control.The review also evaluates the security guarantees,efficiency,and practical applicability of these schemes in real-world healthcare environments.Furthermore,the paper outlines the current state of ABE as a mechanism for safeguarding EHR data and managing user access,while also identifying the key challenges that remain.Open issues such as scalability,revocation mechanisms,policy updates,and interoperability are discussed in detail,providing valuable insights for researchers and practitioners aiming to advance the secure management of health information systems.
基金Key Research and Development and Promotion Program of Henan Province(No.222102210069)Zhongyuan Science and Technology Innovation Leading Talent Project(224200510003)National Natural Science Foundation of China(No.62102449).
文摘Big data resources are characterized by large scale, wide sources, and strong dynamics. Existing access controlmechanisms based on manual policy formulation by security experts suffer from drawbacks such as low policymanagement efficiency and difficulty in accurately describing the access control policy. To overcome theseproblems, this paper proposes a big data access control mechanism based on a two-layer permission decisionstructure. This mechanism extends the attribute-based access control (ABAC) model. Business attributes areintroduced in the ABAC model as business constraints between entities. The proposed mechanism implementsa two-layer permission decision structure composed of the inherent attributes of access control entities and thebusiness attributes, which constitute the general permission decision algorithm based on logical calculation andthe business permission decision algorithm based on a bi-directional long short-term memory (BiLSTM) neuralnetwork, respectively. The general permission decision algorithm is used to implement accurate policy decisions,while the business permission decision algorithm implements fuzzy decisions based on the business constraints.The BiLSTM neural network is used to calculate the similarity of the business attributes to realize intelligent,adaptive, and efficient access control permission decisions. Through the two-layer permission decision structure,the complex and diverse big data access control management requirements can be satisfied by considering thesecurity and availability of resources. Experimental results show that the proposed mechanism is effective andreliable. In summary, it can efficiently support the secure sharing of big data resources.
文摘This paper proposes a security policy model for mandatory access control in class B1 database management system whose level of labeling is tuple. The relation hierarchical data model is extended to multilevel relation hierarchical data model. Based on the multilevel relation hierarchical data model, the concept of upper lower layer relational integrity is presented after we analyze and eliminate the covert channels caused by the database integrity. Two SQL statements are extended to process polyinstantiation in the multilevel secure environment. The system is based on the multilevel relation hierarchical data model and is capable of integratively storing and manipulating multilevel complicated objects ( e.g., multilevel spatial data) and multilevel conventional data ( e.g., integer, real number and character string).
基金supported by Basic Science Research Program through the National Research Foundation of Korea(NRF)funded by the Ministry of Education(No.2022R1I1A3063257)supported by the MSIT(Ministry of Science and ICT),Korea,under the Special R&D Zone Development Project(R&D)—Development of R&D Innovation Valley Support Program(2023-DD-RD-0152)supervised by the Innovation Foundation.
文摘Data trading enables data owners and data requesters to sell and purchase data.With the emergence of blockchain technology,research on blockchain-based data trading systems is receiving a lot of attention.Particularly,to reduce the on-chain storage cost,a novel paradigm of blockchain and cloud fusion has been widely considered as a promising data trading platform.Moreover,the fact that data can be used for commercial purposes will encourage users and organizations from various fields to participate in the data marketplace.In the data marketplace,it is a challenge how to trade the data securely outsourced to the external cloud in a way that restricts access to the data only to authorized users across multiple domains.In this paper,we propose a cross-domain bilateral access control protocol for blockchain-cloud based data trading systems.We consider a system model that consists of domain authorities,data senders,data receivers,a blockchain layer,and a cloud provider.The proposed protocol enables access control and source identification of the outsourced data by leveraging identity-based cryptographic techniques.In the proposed protocol,the outsourced data of the sender is encrypted under the target receiver’s identity,and the cloud provider performs policy-match verification on the authorization tags of the sender and receiver generated by the identity-based signature scheme.Therefore,data trading can be achieved only if the identities of the data sender and receiver simultaneously meet the policies specified by each other.To demonstrate efficiency,we evaluate the performance of the proposed protocol and compare it with existing studies.
基金supported by ZTE Industry-University-Institute Cooperation Funds under Grant No.IA20230628015the State Key Laboratory of Particle Detection and Electronics under Grant No.SKLPDE-KF-202314。
文摘Security and access control for data storage in 5G industrial Internet collaborative systems are facing significant challenges.The characteristics of 5 G networks,such as low latency and high speed,facilitate data transmission in the industrial Internet but also increase vulnerability to attacks like theft and tampering.Moreover,in 5G industrial Internet collaborative system environments,data flows across multiple entities and links,which necessitates a flexible access control model to meet specific data access requirements.Traditional role-based and attribute-based access control mechanisms are difficult to apply in such dynamic application scenarios.To address these challenges,we propose a novel data storage solution for 5G industrial Internet collaborative systems.Similar to existing approaches,it provides integrity and confidentiality protection for transmitted data.In terms of security,only authenticated data owners and users can obtain file decryption keys,preventing malicious attackers from data forgery.Regarding access control,decryption is permitted only to authorized data users,safeguarding against unauthorized file access.Furthermore,by introducing an attribute-based encryption mechanism,only data users with specific attributes can decrypt files.In terms of efficiency,our approach utilizes bilinear and modular exponentiation operations solely during the authentication process.For handling substantial data loads,lightweight cryptographic algorithms are employed.Consequently,our solution achieves higher efficiency compared with other known methods.Experimental results demonstrate the feasibility of our approach in real-world applications.
基金This research is supported by a grant from National Natural Science Foundation of China (No. 61170241, 61472097).This paper is funded by the International Exchange Program of Harbin Engineering University for Innovationoriented Talents Cultivation.
文摘In Cloud Computing, the application software and the databases are moved to large centralized data centers, where the management of the data and services may not be fully trustworthy. This unique paradigm brings many new security challenges, which have not been well solved. Data access control is an effective way to ensure the big data security in the cloud. In this paper,we study the problem of fine-grained data access control in cloud computing.Based on CP-ABE scheme,we propose a novel access control policy to achieve fine-grainedness and implement the operation of user revocation effectively.The analysis results indicate that our scheme ensures the data security in cloud computing and reduces the cost of the data owner significantly.
文摘To solve the problems of data sharing in social network,such as management of private data is too loose,access permissions are not clear,mode of data sharing is too single and soon on,we design a hierarchical access control scheme of private data based on attribute encryption.First,we construct a new algorithm based on attribute encryption,which divides encryption into two phases,and we can design two types of attributes encryption strategy to make sure that different users could get their own decryption keys corresponding to their permissions.We encrypt the private data hierarchically with our algorithm to realize“precise”,“more accurate”,“fuzzy”and“private”four management modes,then users with higher permissions can access the private data inferior to their permissions.And we outsource some complex operations of decryption to DSP to ensure high efficiency on the premise of privacy protection.Finally,we analyze the efficiency and the security of our scheme.
基金financially supported by the National Natural Science Foundation of China(No.61303216,No.61272457,No.U1401251,and No.61373172)the National High Technology Research and Development Program of China(863 Program)(No.2012AA013102)National 111 Program of China B16037 and B08038
文摘With the rapid development of computer technology, cloud-based services have become a hot topic. They not only provide users with convenience, but also bring many security issues, such as data sharing and privacy issue. In this paper, we present an access control system with privilege separation based on privacy protection(PS-ACS). In the PS-ACS scheme, we divide users into private domain(PRD) and public domain(PUD) logically. In PRD, to achieve read access permission and write access permission, we adopt the Key-Aggregate Encryption(KAE) and the Improved Attribute-based Signature(IABS) respectively. In PUD, we construct a new multi-authority ciphertext policy attribute-based encryption(CP-ABE) scheme with efficient decryption to avoid the issues of single point of failure and complicated key distribution, and design an efficient attribute revocation method for it. The analysis and simulation result show that our scheme is feasible and superior to protect users' privacy in cloud-based services.
基金supported by National Key Research and Development Plan in China(Grant No.2020YFB1005500)Beijing Natural Science Foundation(Grant No.M21034)BUPT Excellent Ph.D Students Foundation(Grant No.CX2023218)。
文摘With the growth of requirements for data sharing,a novel business model of digital assets trading has emerged that allows data owners to sell their data for monetary gain.In the distributed ledger of blockchain,however,the privacy of stakeholder's identity and the confidentiality of data content are threatened.Therefore,we proposed a blockchainenabled privacy-preserving and access control scheme to address the above problems.First,the multi-channel mechanism is introduced to provide the privacy protection of distributed ledger inside the channel and achieve coarse-grained access control to digital assets.Then,we use multi-authority attribute-based encryption(MAABE)algorithm to build a fine-grained access control model for data trading in a single channel and describe its instantiation in detail.Security analysis shows that the scheme has IND-CPA secure and can provide privacy protection and collusion resistance.Compared with other schemes,our solution has better performance in privacy protection and access control.The evaluation results demonstrate its effectiveness and practicability.
文摘Constraint is an important aspect of role based access control and is sometimes argued to be the principal motivation for role based access control (RBAC). But so far few authors have discussed consistency maintenance for constraint in RBAC model. Based on researches of constraints among roles and types of inconsistency among constraints, this paper introduces corresponding formal rules, rule based reasoning and corresponding methods to detect, avoid and resolve these inconsistencies. Finally, the paper introduces briefly the application of consistency maintenance in ZD PDM, an enterprise oriented product data management (PDM) system.
文摘Security is an essential part of the cloud environment.For ensuring the security of the data being communicated to and from the cloud server,a significant parameter called trust was introduced.Trust-based security played a vital role in ensuring that the communication between cloud users and service providers remained unadulterated and authentic.In most cloud-based data distribution environments,emphasis is placed on accepting trusted client users’requests,but the cloud servers’integrity is seldom verified.This paper designs a trust-based access control model based on user and server characteristics in a multi-cloud environment to address this issue.The proposed methodology consists of data encryption using Cyclic Shift Transposition Algorithm and trust-based access control method.In this trust-based access control mechanism framework,trust values are assigned to cloud users using direct trust degrees.The direct trust degree is estimated based on the following metrics:success and failure rate of interactions,service satisfaction index,and dishonesty level.In addition to this,trust values are assigned to cloud servers based on the metrics:server load,service rejection rate,and service access delay.The role-Based Access control policy of each user is modified based on his trust level.If the server fails to meet the minimum trust level,then another suitable server will be selected.The proposed system is found to outperform other existing systems in a multi-cloud environment.
文摘Big data technologies have seen tremendous growth in recent years. They are widely used in both industry and academia. In spite of such exponential growth, these technologies lack adequate measures to protect data from misnse/abuse. Corporations that collect data from multiple sources are at risk of liabilities due to the exposure of sensitive information. In the current implementation of Hadoop, only file-level access control is feasible. Providing users with the ability to access data based on the attlibutes in a dataset or the user's role is complicated because of the sheer volume and multiple formats (structured, unstructured and semi-structured) of data. In this paper, we propose an access control framework, which enforces access control policies dynamically based on the sensitivity of the data. This framework enforces access control policies by harnessing the data context, usage patterns and informat/on sensitivity. Information sensitivity changes over time with the addition and removal of datasets, which can lead to modifications in access control decisions. The proposed framework accommodates these changes. The proposed framework is automated to a large extent as the data itself determines the sensitivity with minimal user intervention. Our experimental results show that the proposed framework is capable of enforcing access control policies on non-multimedia datasets with minimal overhead.
文摘When the Wireless Sensor Network(WSN)is combined with the Internet of Things(IoT),it can be employed in a wide range of applications,such as agriculture,industry 4.0,health care,smart homes,among others.Accessing the big data generated by these applications in Cloud Servers(CSs),requires higher levels of authenticity and confidentiality during communication conducted through the Internet.Signcryption is one of the most promising approaches nowadays for overcoming such obstacles,due to its combined nature,i.e.,signature and encryption.A number of researchers have developed schemes to address issues related to access control in the IoT literature,however,the majority of these schemes are based on homogeneous nature.This will be neither adequate nor practical for heterogeneous IoT environments.In addition,these schemes are based on bilinear pairing and elliptic curve cryptography,which further requires additional processing time and more communication overheads that is inappropriate for real-time communication.Consequently,this paper aims to solve the above-discussed issues,we proposed an access control scheme for IoT environments using heterogeneous signcryption scheme with the efficiency and security hardiness of hyperelliptic curve.Besides the security services such as replay attack prevention,confidentiality,integrity,unforgeability,non-repudiations,and forward secrecy,the proposed scheme has very low computational and communication costs,when it is compared to existing schemes.This is primarily because of hyperelliptic curve lighter nature of key and other parameters.The AVISPA tool is used to simulate the security requirements of our proposed scheme and the results were under two backbends(Constraint Logic-based Attack Searcher(CL-b-AtSER)and On-the-Fly Model Checker(ON-t-FL-MCR))proved to be SAFE when the presented scheme is coded in HLPSL language.This scheme was proven to be capable of preventing a variety of attacks,including confidentiality,integrity,unforgeability,non-repudiation,forward secrecy,and replay attacks.
