Fund: Supported by the National Natural Science Foundation of China (60403027)
Abstract: The main advantages of role-based access control (RBAC) are its support for well-known security principles and for role inheritance. However, because RBAC still lacks precise definitions and the necessary formalization, it is hard to realize in practice. Our contribution is to formalize the main relations of RBAC and, as a first step, to propose the concepts of the action closure and the data closure of a role; from these we derive a specification and an algorithm for the least privileges of a role. We propose that role inheritance should consist of inheritance of actions and inheritance of data, from which we obtain the inheritance of privileges among roles, which existing tools can also support.
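The closures and the least-privilege set described in this abstract, as an added illustration (not the paper's own code). It assumes a role inherits from the junior roles listed under it, that direct permissions are (action, data) pairs, and that the least privileges of a role are exactly the pairs assigned to it or to a role it inherits from; the hierarchy and assignments are constructed sample data.

```python
"""Action closure, data closure and least privileges of a role.

Added illustration, not code from the paper. Assumptions: a senior role
inherits from the junior roles listed under it; a role's direct permissions
are (action, data) pairs; the least privileges of a role are exactly the
pairs assigned to it or to a role it inherits from."""
from collections import deque

# Constructed sample hierarchy: role -> junior roles it inherits from.
INHERITS = {
    "admin": ["auditor", "operator"],
    "auditor": ["viewer"],
    "operator": ["viewer"],
    "viewer": [],
}

# Constructed direct assignments: role -> {(action, data), ...}.
DIRECT = {
    "viewer": {("read", "logs")},
    "auditor": {("read", "audit_trail"), ("export", "audit_trail")},
    "operator": {("write", "config"), ("restart", "service")},
    "admin": {("delete", "logs")},
}


def junior_roles(role, inherits=INHERITS):
    """Transitive set of roles reachable by inheritance, including `role`.
    Breadth-first with a visited set, so a cyclic hierarchy cannot loop."""
    seen, queue = {role}, deque([role])
    while queue:
        current = queue.popleft()
        for junior in inherits.get(current, []):
            if junior not in seen:
                seen.add(junior)
                queue.append(junior)
    return seen


def least_privileges(role, inherits=INHERITS, direct=DIRECT):
    """Inherited privileges: the union of direct (action, data) pairs over the
    role and every role it inherits from. Nothing else is granted."""
    pairs = set()
    for r in junior_roles(role, inherits):
        pairs |= direct.get(r, set())
    return pairs


def action_closure(role, **kw):
    """Every action the role can perform on some data object."""
    return {action for action, _ in least_privileges(role, **kw)}


def data_closure(role, **kw):
    """Every data object the role can perform some action on."""
    return {data for _, data in least_privileges(role, **kw)}


def naive_privileges(role, **kw):
    """Over-approximation obtained by crossing the two closures: it grants
    pairs no role was ever assigned, so it violates least privilege."""
    return {(a, d) for a in action_closure(role, **kw) for d in data_closure(role, **kw)}


def over_granted(role, **kw):
    """Pairs the cross product would grant beyond the least privileges."""
    return naive_privileges(role, **kw) - least_privileges(role, **kw)


if __name__ == "__main__":
    for r in ("viewer", "auditor", "admin"):
        print(r, sorted(least_privileges(r)),
              "over-granted by cross product:", sorted(over_granted(r)))
```

The point of `over_granted` is the practical trap: taking the action closure and the data closure separately and then combining them is not the least-privilege set. For `auditor` the cross product adds `("export", "logs")`, a pair no role was ever assigned, and for `admin` it grants 20 pairs where only 6 were assigned anywhere in the hierarchy.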
Fund: The National High Technology Research and Development Program of China (863 Program) (No. 2007AA01Z445)
Abstract: This paper first introduces attribute expressions to describe attribute-based access control policies. Second, an access control policy enforcement language named A-XACML (attribute-XACML) is proposed as an extension of XACML. A-XACML is a simple, flexible way to express and enforce access control policies, especially attribute-based ones, in a variety of environments. The language and schema support data types, functions, and combining logic, which allow both simple and complex policies to be defined. Finally, a system architecture and an application case of user-role assignment show how attribute expressions and A-XACML work in describing and enforcing access control policy. The case shows that attribute expressions and A-XACML can describe and enforce complex access control policies in a simple and flexible way.
Abstract: Intrusion detection systems (IDS) have received a great deal of attention because of their ability to prevent network incidents. Recently, many efficient approaches have been proposed to improve the detection ability of IDS, while the self-protection ability of IDS remains comparatively weak and easy for attackers to exploit. This paper gives a scheme for a Securely Distributed Intrusion Detection System (SDIDS). The system adopts special measures to enforce the security of IDS components, and a new secure mechanism combining role-based access control and attribute certificates is used to resist attacks on the communication between them.
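How an attribute certificate and an RBAC check can protect the control channel between IDS components, as an added illustration of the mechanism the abstract names (not the SDIDS design itself). It assumes the IDS manager issues certificates binding a component name to a role, that every component signs its messages with its own key held in a registry, and that the receiver verifies the certificate, the message signature, the sender/holder binding and the role's permission for the message type, in that order; HMAC-SHA256 stands in for the public-key signatures a real attribute certificate would carry, and all keys, roles and messages are constructed.

```python
"""Attribute certificates plus RBAC on the IDS control channel.

Added illustration of the mechanism the abstract names, not the SDIDS
design itself. Assumptions: the IDS manager issues attribute certificates
binding a component name to a role; a component signs each message with
its own key; the receiver checks the certificate, the message signature,
the sender/holder binding and finally the role's permission for the
message type. HMAC-SHA256 stands in for the public-key signatures a real
attribute certificate would carry."""
import hashlib
import hmac
import json
import time

# Constructed RBAC policy: which message types each role may send.
ROLE_PERMISSIONS = {
    "sensor": {"alert"},
    "analyzer": {"alert", "rule_update"},
    "manager": {"rule_update", "shutdown"},
}
# Constructed registry of component keys (stands in for a PKI directory).
HOLDER_KEYS = {"sensor-7": b"sensor-7-key", "console-1": b"console-1-key"}


def _tag(key, obj):
    """HMAC over a canonical JSON encoding so both sides hash identical bytes."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def issue_certificate(issuer_key, holder, role, valid_for=3600, now=None):
    """Attribute certificate: holder, role and validity window, tagged by the issuer."""
    now = time.time() if now is None else now
    body = {"holder": holder, "role": role, "nbf": now, "exp": now + valid_for}
    return {"body": body, "tag": _tag(issuer_key, body)}


def build_message(holder_key, cert, sender, msg_type, payload):
    """Message signed by the holder and bound to the certificate it presents."""
    body = {"sender": sender, "type": msg_type, "payload": payload, "cert_tag": cert["tag"]}
    return {"cert": cert, "body": body, "tag": _tag(holder_key, body)}


def authorize(issuer_key, message, now=None):
    """Receiver-side check. Returns (accepted, reason); fails closed on any defect."""
    now = time.time() if now is None else now
    cert, cb, mb = message["cert"], message["cert"]["body"], message["body"]
    if not hmac.compare_digest(_tag(issuer_key, cb), cert["tag"]):
        return False, "attribute certificate tag invalid"
    if not cb["nbf"] <= now <= cb["exp"]:
        return False, "attribute certificate outside validity period"
    if mb["sender"] != cb["holder"]:
        return False, "sender is not the certificate holder"
    holder_key = HOLDER_KEYS.get(mb["sender"])
    if holder_key is None or not hmac.compare_digest(_tag(holder_key, mb), message["tag"]):
        return False, "message not authenticated by the holder's key"
    if mb["cert_tag"] != cert["tag"]:
        return False, "message not bound to the presented certificate"
    if mb["type"] not in ROLE_PERMISSIONS.get(cb["role"], set()):
        return False, f"role {cb['role']!r} may not send {mb['type']!r}"
    return True, "accepted"


if __name__ == "__main__":
    issuer = b"manager-issuer-key"
    cert = issue_certificate(issuer, "sensor-7", "sensor")
    msg = build_message(HOLDER_KEYS["sensor-7"], cert, "sensor-7", "alert", {"sig": "portscan"})
    print(authorize(issuer, msg))
    print(authorize(issuer, build_message(HOLDER_KEYS["sensor-7"], cert, "sensor-7", "shutdown", {})))
```

The certificate alone is not a credential: it is public, so a receiver that checked only the issuer's tag would accept a stolen certificate from any sender. Binding the message to the holder's own key, and the holder name to the sender, is what makes the role assertion usable as an authorization input; the RBAC lookup is deliberately the last check, after every authenticity check has passed.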
Fund: Supported by the National Natural Science Foundation of China (60402019, 60772098 and 60672068)
Abstract: Growing numbers of users, and the many access policies that involve many different resource attributes in service-oriented environments, cause various problems in protecting resources. This paper analyzes the relationships between resource attributes and user attributes in access policies for Web services, and proposes a general attribute-based role-based access control (GARBAC) model. The model introduces the notions of single attribute expression, composite attribute expression, and composition permission; defines a set of elements and the relations among them; makes a set of rules; and assigns roles to users from the users' attribute values. The model is a general access control model that can support finer-grained resource information and rich access control policies, and can be applied to a wider range of services. The paper also describes how to use the GARBAC model in Web services environments.
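Attribute expressions, rule-combining logic and attribute-driven user-role assignment, as one added illustration serving both the A-XACML abstract above and the GARBAC abstract here; it is not either paper's language or model. The notation is assumed: a single attribute expression is a dict with `attr`, `fn` and `value`, composite expressions are `all`, `any` and `not`, a rule is an (effect, target) pair, and the combining algorithms follow XACML's deny-overrides, permit-overrides and first-applicable in simplified form. The role rules, policy and users are constructed sample data.

```python
"""Attribute expressions, rule-combining logic and user-role assignment.

Added illustration serving both the A-XACML and the GARBAC abstracts; it is
not either paper's language or model. Assumed notation: a single attribute
expression is {"attr", "fn", "value"}; composite expressions are {"all": [...]},
{"any": [...]} and {"not": expr}; a rule is (effect, target expression)."""
import operator
import re

# Typed comparison functions an expression may name (assumed set).
FUNCTIONS = {
    "eq": operator.eq, "ne": operator.ne,
    "lt": operator.lt, "le": operator.le, "gt": operator.gt, "ge": operator.ge,
    "in": lambda v, literal: v in literal,         # scalar attribute in a literal list
    "contains": lambda v, literal: literal in v,   # set-valued attribute holds the literal
    "matches": lambda v, pattern: re.fullmatch(pattern, str(v)) is not None,
}


def evaluate(expr, attrs):
    """True, False, or None (indeterminate: a referenced attribute is absent
    or the function does not apply to the value's type)."""
    if "all" in expr:
        results = [evaluate(e, attrs) for e in expr["all"]]
        if False in results:
            return False
        return None if None in results else True
    if "any" in expr:
        results = [evaluate(e, attrs) for e in expr["any"]]
        if True in results:
            return True
        return None if None in results else False
    if "not" in expr:
        r = evaluate(expr["not"], attrs)
        return None if r is None else not r
    if expr["attr"] not in attrs:
        return None
    try:
        return bool(FUNCTIONS[expr["fn"]](attrs[expr["attr"]], expr["value"]))
    except TypeError:
        return None


def assign_roles(user_attrs, role_rules):
    """A role is assigned when its attribute expression is True over the user's values."""
    return {role for role, expr in role_rules if evaluate(expr, user_attrs) is True}


def decide(rules, attrs, combining="deny-overrides"):
    """Simplified XACML-style rule combining. An indeterminate target makes the
    rule Indeterminate, and under deny-overrides Indeterminate outranks Permit,
    so a missing attribute can never widen access; the enforcement point must
    treat anything other than Permit as a refusal."""
    results = []
    for effect, target in rules:
        r = evaluate(target, attrs)
        if r is True:
            results.append(effect)
        elif r is None:
            results.append("Indeterminate")
    if combining == "first-applicable":
        return results[0] if results else "NotApplicable"
    if combining == "deny-overrides":
        order = ("Deny", "Indeterminate", "Permit")
    elif combining == "permit-overrides":
        order = ("Permit", "Indeterminate", "Deny")
    else:
        raise ValueError(f"unknown combining algorithm {combining!r}")
    return next((v for v in order if v in results), "NotApplicable")


# Constructed role-assignment rules: (role, expression over user attributes).
ROLE_RULES = [
    ("physician", {"all": [{"attr": "department", "fn": "eq", "value": "cardiology"},
                           {"attr": "licenses", "fn": "contains", "value": "MD"}]}),
    ("resident", {"all": [{"attr": "title", "fn": "eq", "value": "resident"},
                          {"attr": "years", "fn": "lt", "value": 3}]}),
    ("auditor", {"attr": "email", "fn": "matches", "value": r"[^@]+@audit\.example"}),
]

# Constructed policy: (effect, target) over user, role, resource and action attributes.
POLICY = [
    ("Permit", {"all": [{"attr": "role", "fn": "contains", "value": "physician"},
                        {"attr": "resource.type", "fn": "eq", "value": "record"},
                        {"attr": "action", "fn": "in", "value": ["read", "write"]}]}),
    ("Permit", {"all": [{"attr": "role", "fn": "contains", "value": "resident"},
                        {"attr": "resource.type", "fn": "eq", "value": "record"},
                        {"attr": "action", "fn": "eq", "value": "read"}]}),
    ("Deny", {"all": [{"attr": "resource.sensitivity", "fn": "eq", "value": "restricted"},
                      {"not": {"attr": "clearance", "fn": "ge", "value": 2}}]}),
]


def authorize(user_attrs, resource_attrs, action, role_rules=ROLE_RULES, policy=POLICY):
    """Assign roles from attributes, then decide the request; returns (roles, decision)."""
    roles = assign_roles(user_attrs, role_rules)
    ctx = dict(user_attrs)
    ctx["role"] = roles
    ctx.update({f"resource.{k}": v for k, v in resource_attrs.items()})
    ctx["action"] = action
    return roles, decide(policy, ctx)
```

The case worth noticing is a user with no `clearance` attribute asking for a restricted record: the Deny rule cannot be evaluated, so the decision is Indeterminate rather than Permit, even though a Permit rule matched. That is the property the combining logic has to guarantee when policies are driven by attributes that may be absent or mistyped.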
Fund: Project (61003140) supported by the National Natural Science Foundation of China; Project (013/2010/A) supported by the Macao Science and Technology Development Fund; Project (10YJC630236) supported by the Social Science Foundation for the Youth Scholars of the Ministry of Education of China
Abstract: Role mining and setup affect the usability of role-based access control (RBAC). Traditionally, assigning roles and permissions to users is done by the system's security administrator, but this is expensive and the process is complex. A new role analysis method is proposed that generates mappings and uses them to provide recommendations for the system. The relation among the sets of permissions, roles and users is explored by generating mappings, and the relation between the sets of users and attributes is analyzed with the concept lattice model, generating a critical mapping between the attribute and permission sets and making the meaning of a role natural and operational. Thus a role is determined by a permission set and the users' attributes. The generated mappings are used to automatically assign permissions and roles to new users. Experimental results show that the proposed algorithm is effective and efficient.
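Role mining from a user/permission relation with a concept lattice, as an added illustration (not the paper's algorithm). It assumes that each formal concept, a maximal set of users sharing a maximal set of permissions, is a candidate role; that a role's attribute signature is the set of attribute values shared by every user holding it; and that a new user is recommended every role whose signature is contained in the user's own attributes. The users, permissions and attributes are constructed sample data.

```python
"""Role mining with a concept lattice over the user/permission relation.

Added illustration, not the paper's algorithm. Assumptions: each formal
concept (a maximal user set sharing a maximal permission set) is a candidate
role; a role's attribute signature is the set of attribute values shared by
every user holding it; a new user is recommended every role whose signature
is contained in the user's own attributes."""

# Constructed context: user -> permissions held today.
PERMS = {
    "ann": {"repo_read", "repo_write", "ci_run"},
    "bob": {"repo_read", "repo_write"},
    "cid": {"repo_read", "ci_run", "deploy"},
    "dee": {"repo_read", "deploy"},
}
# Constructed user attributes as (name, value) pairs.
ATTRS = {
    "ann": {("dept", "dev"), ("level", "senior")},
    "bob": {("dept", "dev"), ("level", "junior")},
    "cid": {("dept", "ops"), ("level", "senior")},
    "dee": {("dept", "ops"), ("level", "junior")},
}


def all_intents(perms):
    """Every closed permission set: the full permission set plus each user's
    permission set, closed under pairwise intersection."""
    closed = {frozenset().union(*perms.values())}
    closed |= {frozenset(p) for p in perms.values()}
    changed = True
    while changed:
        changed = False
        for a in list(closed):
            for b in list(closed):
                c = a & b
                if c not in closed:
                    closed.add(c)
                    changed = True
    return closed


def extent(intent, perms):
    """Users who hold every permission in the intent."""
    return frozenset(u for u, p in perms.items() if intent <= p)


def mine_roles(perms, attrs):
    """Candidate roles: concepts with at least one user and one permission,
    each tagged with the attribute signature of its users."""
    roles = []
    for intent in all_intents(perms):
        users = extent(intent, perms)
        if not users or not intent:
            continue
        signature = frozenset.intersection(*(frozenset(attrs[u]) for u in users))
        roles.append({"permissions": intent, "users": users, "signature": signature})
    roles.sort(key=lambda r: (len(r["permissions"]), sorted(r["permissions"])))
    return roles


def recommend(roles, new_user_attrs):
    """Roles (and the permissions they carry) for a user not in the context.
    A role with an empty signature is common to everyone and is always given;
    a role whose signature names attribute values the user lacks is withheld."""
    chosen = [r for r in roles if r["signature"] <= frozenset(new_user_attrs)]
    granted = set().union(*(r["permissions"] for r in chosen)) if chosen else set()
    return chosen, granted


if __name__ == "__main__":
    mined = mine_roles(PERMS, ATTRS)
    for r in mined:
        print(sorted(r["permissions"]), sorted(r["users"]), sorted(r["signature"]))
    print(sorted(recommend(mined, {("dept", "dev"), ("level", "senior")})[1]))
```

On the sample context the lattice yields six candidate roles, including a base role (`repo_read`, held by everyone, empty signature), a `dev` role carrying `repo_write`, an `ops` role carrying `deploy` and a `senior` role carrying `ci_run`; a new senior developer is recommended exactly the permissions the existing senior developer holds, and a user whose attributes match no signature receives only the base role. Pairwise-intersection closure is quadratic in the number of intents and is fine at this scale; a production miner would use an incremental concept-generation algorithm.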
Fund: Funded by the Deanship of Scientific Research at Umm Al-Qura University, Makkah, Kingdom of Saudi Arabia, under grant code 22UQU4281755DSR05.
Abstract: With the rapid growth in the availability of digital health-related data, there is great demand for intelligent information systems within the healthcare sector. These systems can manage and manipulate this massive amount of health-related data and support different decision-making tasks. They can also provide various sustainable health services such as medical error reduction, diagnosis acceleration, and improvement of clinical service quality. The intensive care unit (ICU) is one of the most important hospital units, but most hospitals have limited rooms and resources, and during seasonal diseases and pandemics ICUs face high admission demand. With this increasing number of admissions, determining health risk levels has become an essential task, and it creates a heightened demand for an expert decision support system that enables doctors to determine a patient's risk level accurately and swiftly. This study therefore proposes, as a proof of concept, a fuzzy logic inference system built on domain-specific knowledge graphs for tackling this healthcare issue. The system combines two sets of fuzzy input parameters to classify the health risk levels of new hospital admissions. It is implemented with the MATLAB Fuzzy Logic Toolbox, and several experiments show its validity.
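A minimal fuzzy inference system of the kind the abstract describes, as an added illustration of the technique rather than the paper's system: the input variables (heart rate and SpO2), the membership functions, the rule base, the output levels and the label thresholds are all assumed here, not taken from the paper. It is zero-order Sugeno style: each rule fires with a strength (min for AND, max for OR) and the crisp score is the strength-weighted average of the rules' output levels.

```python
"""Fuzzy inference for ICU admission risk.

Added illustration of the technique, not the paper's system or its
parameters: input variables (heart rate and SpO2), membership functions,
rules and output levels are all assumed here. Zero-order Sugeno style:
each rule fires with a weight (min for AND, max for OR) and the crisp
score is the weight-averaged output level."""


def tri(x, a, b, c):
    """Triangular membership: 0 at a, 1 at b, 0 at c."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)


def ramp_down(x, a, b):
    """1 up to a, falling linearly to 0 at b."""
    return 1.0 if x <= a else 0.0 if x >= b else (b - x) / (b - a)


def ramp_up(x, a, b):
    """0 up to a, rising linearly to 1 at b."""
    return 0.0 if x <= a else 1.0 if x >= b else (x - a) / (b - a)


def fuzzify(heart_rate, spo2):
    """Membership degrees of both inputs in their linguistic sets (assumed ranges)."""
    return {
        "hr_low": ramp_down(heart_rate, 50, 65),
        "hr_normal": tri(heart_rate, 55, 75, 100),
        "hr_high": ramp_up(heart_rate, 90, 120),
        "spo2_low": ramp_down(spo2, 88, 92),
        "spo2_border": tri(spo2, 90, 93, 96),
        "spo2_normal": ramp_up(spo2, 94, 97),
    }


# Output levels for the consequents (assumed): risk score on a 0-100 scale.
LOW, MEDIUM, HIGH = 20.0, 50.0, 85.0


def rule_weights(m):
    """Rule base (assumed). Each entry: (firing strength, output level)."""
    return [
        (m["spo2_low"], HIGH),                                           # R1
        (min(m["spo2_border"], m["hr_high"]), HIGH),                     # R2
        (min(m["spo2_border"], m["hr_normal"]), MEDIUM),                 # R3
        (min(m["spo2_border"], m["hr_low"]), MEDIUM),                    # R4
        (min(m["spo2_normal"], m["hr_normal"]), LOW),                    # R5
        (min(m["spo2_normal"], max(m["hr_high"], m["hr_low"])), MEDIUM), # R6
    ]


def risk_score(heart_rate, spo2):
    """Crisp risk score, or None when no rule fires."""
    if not (0 <= heart_rate <= 300 and 0 <= spo2 <= 100):
        raise ValueError("physiologically implausible input")
    fired = [(w, z) for w, z in rule_weights(fuzzify(heart_rate, spo2)) if w > 0]
    if not fired:
        return None
    return sum(w * z for w, z in fired) / sum(w for w, _ in fired)


def risk_level(heart_rate, spo2):
    """Linguistic label from the crisp score (thresholds assumed)."""
    score = risk_score(heart_rate, spo2)
    if score is None:
        return "indeterminate"
    return "low" if score < 35 else "medium" if score < 65 else "high"


if __name__ == "__main__":
    for hr, sat in ((75, 98), (80, 93), (110, 95), (130, 85)):
        print(hr, sat, round(risk_score(hr, sat), 1), risk_level(hr, sat))
```

Inputs that fall on the boundary between two sets fire several rules at once, and the score interpolates between their output levels (heart rate 110 with SpO2 95 fires both a HIGH and a MEDIUM rule at equal strength and scores 67.5). The membership ranges above cover every input, so `risk_score` never returns None for plausible values; the guard is there for rule bases that leave gaps, where an unhandled "no rule fired" would otherwise divide by zero.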