Applications that span across multiple clouds are often found to be vulnerable to security threats. Such highly heterogeneous environments need a fine-grained access control mechanism like Attribute-based Access Control (ABAC) for enforcing security. A first step towards successfully deploying ABAC is to define an appropriate set of access control rules that establish the desired inter-cloud accesses. This becomes more challenging when the access requirements vary with time or the users and objects are updated quite frequently. We study the problem of formulation of an optimal set of ABAC rules for granting inter-cloud accesses in a dynamic environment. The problem being NP-Hard, we propose heuristic solutions. Extensive experiments on benchmark datasets show encouraging results.
Concurrency and Computation: Practice and Experience, 2017
Security of applications has been identified as one of the major concerns in today's multicloud collaborative environment. These applications are often bounded by the constraints of the disparate cloud domains they are deployed in. A fine‐grained access control mechanism such as attribute‐based access control (ABAC) is considered to be an appropriate choice for authorization management in this context. However, identifying a suitable set of ABAC rules, often called rule mining, is a critical step in building ABAC‐based systems. We propose 2 approaches for intercloud rule formation in ABAC. In the first approach, we consider cross domain rule mining as the problem of forming a minimal set of positive authorizations only. The second approach shows the advantage of developing deny rules along with positive authorizations in reducing the total number of rules, and hence, the response time for evaluating access requests. The problem is proved to be NP‐hard. Heuristic solutions are proposed and evaluated on benchmark datasets showing encouraging results.
2016 15th International Symposium on Parallel and Distributed Computing (ISPDC), 2016
Security in multi-cloud collaborative environment requires a fine-grained access control mechanism. Attribute Based Access Control (ABAC) is considered to be a suitable choice in such situations. However, identification of a correct set of ABAC rules is a crucial step in establishing secure collaborations among multiple clouds. In this paper, we formally define cross-domain rule mining as the problem of finding a minimal set of ABAC rules that allow access to the resources of one cloud by the users of another cloud. The problem is shown to be NP-Hard and a heuristic algorithm is proposed to solve it. Experiments on an extensive set of benchmark and synthetic data show encouraging results.
IEEE Transactions on Dependable and Secure Computing, 2015
Role mining is a critical step for organizations that migrate from traditional access control mechanisms to role based access control (RBAC). Additional constraints may be imposed while generating roles from a given user-permission assignment relation. In this paper we consider two such constraints which are the dual of each other. A role-usage cardinality constraint limits the maximum number of roles any user can have. Its dual, the permission-distribution cardinality constraint, limits the maximum number of roles to which a permission can belong. These two constraints impose mutually contradictory requirements on user to role and role to permission assignments. An attempt to satisfy one of the constraints may result in a violation of the other. We show that the constrained role mining problem is NP-Complete and present heuristic solutions. Two distinct frameworks are presented in this paper. In the first approach, roles are initially mined without taking the constraints into account. The user-role and role-permission assignments are then checked for constraint violation in a post-processing step, and appropriately re-assigned, if necessary. In the second approach, constraints are enforced during the process of role mining. The methods are first applied on problems that consider the two constraints individually, and then with both considered together. Both methods are evaluated over a number of real-world data sets.
Papers by John C John