Biblio

The global Electronic Health Record (EHR) market is growing dramatically and expected to reach \$39.7 billions by 2022. To safe-guard security and privacy of EHR, access control is an essential mechanism for managing EHR data. This paper proposes a hybrid architecture to facilitate access control of EHR data by using both blockchain and edge node. Within the architecture, a blockchain-based controller manages identity and access control policies and serves as a tamper-proof log of access events. In addition, off-chain edge nodes store the EHR data and apply policies specified in Abbreviated Language For Authorization (ALFA) to enforce attribute-based access control on EHR data in collaboration with the blockchain-based access control logs. We evaluate the proposed hybrid architecture by utilizing Hyperledger Composer Fabric blockchain to measure the performance of executing smart contracts and ACL policies in terms of transaction processing time and response time against unauthorized data retrieval.

Nowadays, multimedia content retrieval has become the major service requirement of the Internet and the traffic of these contents has dominated the IP traffic. To reduce the duplicated traffic and improve the performance of distributing massive volumes of multimedia contents, in-network caching has been proposed recently. However, because in-network content caching can be directly utilized to respond users' requests, multimedia content retrieval is beyond content providers' control and makes it hard for them to implement access control and service accounting. In this paper, we propose an attribute-based accountable access control scheme for multimedia content distribution while making the best of in-network caching, in which content providers can be fully offline. In our scheme, the attribute-based encryption at multimedia content provider side and access policy based authentication at the edge router side jointly ensure the secure access control, which is also efficient in both space and time. Besides, secure service accounting is implemented by letting edge routers collect service credentials generated during users' request process. Through the informal security analysis, we prove the security of our scheme. Simulation results demonstrate that our scheme is efficient with acceptable overhead.

IoT middleware is an additional layer between IoT devices and the cloud applications that reduces computation and data handling on the cloud. In a typical IoT system model, middleware primarily connects to different IoT devices via IoT gateway. Device data stored on middleware is sensitive and private to a user. Middleware must have built-in mechanisms to address these issues, as well as the implementation of user authentication and access control. This paper presents the current methods used for access control on middleware and introduces Attribute-based encryption (ABE) on middleware for access control. ABE combines access control with data encryption for ensuring the integrity of data. In this paper, we propose Ciphertext-policy attribute-based encryption, abbreviated CP-ABE scheme on the middleware layer in the IoT system architecture for user access control. The proposed scheme is aimed to provide security and efficiency while reducing complexity on middleware. We have used the AVISPA tool to strengthen the proposed scheme.

In this paper, we focuses on an access control issue in the Internet of Things (IoT). Generally, we firstly propose a decentralized IoT system based on blockchain. Then we establish a secure fine-grained access control strategies for users, devices, data, and implement the strategies with smart contract. To trigger the smart contract, we design different transactions. Finally, we use the multi-index table struct for the access right's establishment, and store the access right into Key-Value database to improve the scalability of the decentralized IoT system. In addition, to improve the security of the system we also store the access records on the blockchain and database.

With the rapid development of Internet of things (IOT) and big data, the number of network terminal devices and big data transmission are increasing rapidly. Traditional cloud computing faces a great challenge in dealing with this massive amount of data. Fog computing which extends the computing at the edge of the network can provide computation and data storage. Attribute based-encryption can effectively achieve the fine-grained access control. However, the computational complexity of the encryption and decryption is growing linearly with the increase of the number of attributes. In order to reduce the computational cost and guarantee the confidentiality of data, distributed access control with outsourced computation in fog computing is proposed in this paper. In our proposed scheme, fog device takes most of computational cost in encryption and decryption phase. The computational cost of the receiver and sender can be reduced. Moreover, the private key of the user is generated by multi-authority which can enhance the security of data. The analysis of security and performance shows that our proposed scheme proves to be effective and secure.

Nowadays, the domain of Information System (IS) security is closely related to that of Risk Management (RM). As an immediate consequence, talking about and tackling the security of IS imply the implementation of a set of mechanisms that aim to reduce or eliminate the risk of IS degradations. Also, the high cadence of IS evolution requires careful consideration of corresponding measures to prevent or mitigate security risks that may cause the degradation of these systems. From this perspective, an access control service is subjected to a number of rules established to ensure the integrity and confidentiality of the handled data. During their lifecycle, the use or manipulation of Access Control Policies (ACP) is accompanied with several defects that are made intentionally or not. For many years, these defects have been the subject of numerous studies either for their detection or for the analysis of the risks incurred by IS to their recurrence and complexity. In our research works, we focus on the analysis and risk assessment of noncompliance anomalies in concrete instances of access control policies. We complete our analysis by studying and assessing the risks associated with the correlation that may exist between different anomalies. Indeed, taking into account possible correlations can make a significant contribution to the reliability of IS. Identifying correlation links between anomalies in concrete instances of ACP contributes in discovering or detecting new scenarios of alterations and attacks. Therefore, once done, this study mainly contributes in the improvement of our risk assessment model.

The Internet of Things (IoT) is a technological vision in which constrained or embedded devices connect together through the Internet. This enables common objects to be empowered with communication and cooperation capabilities. Industry can take an enormous advantage of IoT, leading to the so-called Industrial IoT. In these systems, integrity, confidentiality, and access control over data are key requirements. An emerging approach to reach confidentiality and access control is Attribute-Based Encryption (ABE), which is a technique able to enforce cryptographically an access control over data. In this paper, we propose fABElous, an ABE scheme suitable for Industrial IoT applications which aims at minimizing the overhead of encryption on communication. fABElous ensures data integrity, confidentiality, and access control, while reducing the communication overhead of 35% with respect to using ABE techniques naively.

The Internet of Things (IoT) is enabling a new generation of innovative services based on the seamless integration of smart objects into information systems. Such IoT devices generate an uninterrupted flow of information that can be transmitted through an untrusted network and stored on an untrusted infrastructure. The latter raises new security and privacy challenges that require novel cryptographic methods. Attribute-Based Encryption (ABE) is a new type of public-key encryption that enforces a fine-grained access control on encrypted data based on flexible access policies. The feasibility of ABE adoption in fully-fledged computing systems, i.e. smartphones or embedded systems, has been demonstrated in recent works. In this paper we assess the feasibility of the adoption of ABE in typical IoT constrained devices, characterized by limited capabilities in terms of computing, storage and power. Specifically, an implementation of three ABE schemes for ESP32, a low-cost popular platform to deploy IoT devices, is developed and evaluated in terms of encryption/decryption time and energy consumption. The performance evaluation shows that the adoption of ABE on constrained devices is feasible, although it has a cost that increases with the number of attributes. The analysis in particular highlights how ABE has a significant impact in the lifetime of battery-powered devices, which is impaired significantly when a high number of attributes is adopted.

Policy based Security Management in an accepted practice in the industry, and required to simplify the administrative overhead associated with security management in complex systems. However, the growing dynamicity, complexity and scale of modern systems makes it difficult to write the security policies manually. Using AI, we can generate policies automatically. Security policies generated automatically can reduce the manual burden introduced in defining policies, but their impact on the overall security of a system is unclear. In this paper, we discuss the security metrics that can be associated with a system using generative policies, and provide a simple model to determine the conditions under which generating security policies will be beneficial to improve the security of the system. We also show that for some types of security metrics, a system using generative policies can be considered as equivalent to a system using manually defined policies, and the security metrics of the generative policy based system can be mapped to the security metrics of the manual system and vice-versa.

This paper introduces a new method of applying both an Intrusion Detection System (IDS) and an Intrusion Response System (IRS) to communications protected using Ciphertext-Policy Attribute-based Encryption (CP-ABE) in the context of the Internet of Things. This method leverages features specific to CP-ABE in order to improve the detection capabilities of the IDS and the response ability of the network. It also enables improved privacy towards the users through group encryption rather than one-to-one shared key encryption as the policies used in the CP-ABE can easily include the IDS as an authorized reader. More importantly, it enables different levels of detection and response to intrusions, which can be crucial when using anomaly-based detection engines.

Operating systems such as Linux break the power of the root user into separate privileges (which Linux calls capabilities) and give processes the ability to enable privileges only when needed and to discard them permanently when the program no longer needs them. However, there is no method of measuring how well the use of such facilities reduces the risk of privilege escalation attacks if the program has a vulnerability. This paper presents PrivAnalyzer, an automated tool that measures how effectively programs use Linux privileges. PrivAnalyzer consists of three components: 1) AutoPriv, an existing LLVM-based C/C++ compiler which uses static analysis to transform a program that uses Linux privileges into a program that safely removes them when no longer needed, 2) ChronoPriv, a new LLVM C/C++ compiler pass that performs dynamic analysis to determine for how long a program retains various privileges, and 3) ROSA, a new bounded model checker that can model the damage a program can do at each program point if an attacker can exploit the program and abuse its privileges. We use PrivAnalyzer to determine how long five privileged open source programs retain the ability to cause serious damage to a system and find that merely transforming a program to drop privileges does not significantly improve security. However, we find that simple refactoring can considerably increase the efficacy of Linux privileges. In two programs that we refactored, we reduced the percentage of execution in which a device file can be read and written from 97% and 88% to 4% and 1%, respectively.

Cloud-assisted Internet of Vehicles (IoV)which merges the advantages of both cloud computing and Internet of Things that can provide numerous online services, and bring lots of benefits and conveniences to the connected vehicles. However, the security and privacy issues such as confidentiality, access control and driver privacy may prevent it from being widely utilized for message dissemination. Existing attribute-based message encryption schemes still bring high computational cost to the lightweight vehicles. In this paper, we introduce a secure and privacy-preserving dissemination scheme for warning message in cloud-assisted IoV. Firstly, we adopt attribute-based encryption to protect the disseminated warning message, and present a verifiable encryption and decryption outsourcing construction to reduce the computational overhead on vehicles. Secondly, we present a conditional privacy preservation mechanism which utilizes anonymous identity-based signature technique to ensure anonymous vehicle authentication and message integrity checking, and also allows the trusted authority to trace the real identity of malicious vehicle. We further achieve batch verification to improve the authentication efficiency. The analysis indicate that our scheme gains more security properties and reduces the computational overhead on the vehicles.

After the creation of the internet, the file sharing process has been changed. Several third-party applications have come to live for sharing and chatting purposes. A spammer can profit by these applications in different ways like, can achieve countless data, can acquire the user's personal information, and furthermore. Later that untrusted cloud storages are used for uploading a file even it is maintained by the third party If they use an untrusted cloud, there is a security problem. We need to give more security for file transfer in the defense-based organization. So, we developed a secure application for group member communication in a secure medium. The user belongs to a specific department from a specific group can access the data from the storage node and decrypt it. Every user in the group needs to register in the node to send or receive the data. Group Manager can restrict the access of the users in a Defense Network and he generates a user list, users in that list can only login to the node and share or download the files. We created a secure platform to upload files and share the data with multiple users by using Dynamic broadcasting Encryption. Users in the list can only download and decrypt the files from the storage node.

In this paper we propose ROS-Defender, a holistic approach to secure robotics systems, which integrates a Security Event Management System (SIEM), an intrusion prevention system (IPS) and a firewall for a robotic system. ROS-Defender combines anomaly detection systems at application (ROS) level and network level, with dynamic policy enforcement points using software defined networking (SDN) to provide protection against a large class of attacks. Although SIEMs, IPS, and firewall have been previously used to secure computer networks, ROSDefender is applying them for the specific use case of robotic systems, where security is in many cases an afterthought.

With the exponential growth in the usage of electronic medical records (EMR), the amount of data generated by the healthcare industry has too increased exponentially. These large amounts of data, known as “Big Data” is mostly unstructured. Special big data analytics methods are required to process the information and retrieve information which is meaningful. As patient information in hospitals and other healthcare facilities become increasingly electronic, Big Data technologies are needed now more than ever to manage and understand this data. In addition, this information tends to be quite sensitive and needs a highly secure environment. However, current security algorithms are hard to be implemented because it would take a huge amount of time and resources. Security protocols in Big data are also not adequate in protecting sensitive information in the healthcare. As a result, the healthcare data is both heterogeneous and insecure. As a solution we propose the Secure Pattern-Based Data Sensitivity Framework (PBDSF), that uses machine learning mechanisms to identify the common set of attributes of patient data, data frequency, various patterns of codes used to identify specific conditions to secure sensitive information. The framework uses Hadoop and is built on Hadoop Distributed File System (HDFS) as a basis for our clusters of machines to process Big Data, and perform tasks such as identifying sensitive information in a huge amount of data and encrypting data that are identified to be sensitive.

Platoon is one of cooperative driving applications where a set of vehicles can collaboratively sense each other for driving safety and traffic efficiency. However, platoon without security insurance makes the cooperative vehicles vulnerable to cyber-attacks, which may cause life-threatening accidents. In this paper, we introduce malicious attacks in platoon maneuvers. To defend against these attacks, we propose a Cyphertext-Policy Attribute-Based Encryption (CP-ABE) based Platoon Secure Sensing scheme, named CPSS. In the CPSS, platoon key is encapsulated in the access control structure in the key distribution process, so that interference messages sending by attackers without the platoon key could be ignored. Therefore, the sensing data which contains speed and position information can be protected. In this way, speed and distance fluctuations caused by attacks can be mitigated even eliminated thereby avoiding the collisions and ensuring the overall platoon stability. Time complexity analysis shows that the CPSS is more efficient than that of the polynomial time solutions. Finally, to evaluate capabilities of the CPSS, we integrate a LTE-V2X with platoon maneuvers based on Veins platform. The evaluation results show that the CPSS outperforms the baseline algorithm by 25% in terms of distance variations.

Advances in new Communication and Information innovations has led to a new paradigm known as Internet of Things (IoT). Healthcare environment uses IoT technologies for Patients care which can be used in various medical applications. Patient information is encrypted consistently to maintain the access of therapeutic records by authoritative entities. Healthcare Internet of Things (HIoT) facilitate the access of Patient files immediately in emergency situations. In the proposed system, the Patient directly provides the Key to the Doctor in normal care access. In Emergency care, a Patient shares an Attribute based Key with a set of Emergency Supporting Representatives (ESRs) and access permission to the Doctor for utilizing Emergency key from ESR. The Doctor decrypts the medical records by using Attribute based key and Emergency key to save the Patient's life. The proposed model Secure Information Retrieval using Lightweight Cryptography (SIRLC) reduces the secret key generation time and cipher text size. The performance evaluation indicates that SIRLC is a better option to utilize in Healthcare IoT than Lightweight Break-glass Access Control(LiBAC) with enhanced security and reduced computational complexity.

Ciphertext Policy Attribute Based Encryption techniques provide fine grained access control to securely share the data in the organizations where access rights of users vary according to their roles. We have noticed that various key delegation mechanisms are provided for CP-ABE schemes but no key delegation mechanism exists for CP-ABE with hidden access policy. In practical, users' identity may be revealed from access policy in the organizations and unlimited further delegations may results in unauthorized data access. For maintaining the users' anonymity, the access structure should be hidden and every user must be restricted for specified further delegations. In this work, we have presented a flexible secure key delegation mechanism for CP-ABE with hidden access structure. The proposed scheme enhances the capability of existing CP-ABE schemes by supporting flexible delegation, attribute revocation and user revocation with negligible enhancement in computational cost.

The low attention to security and privacy causes some problems on data and information that can lead to a lack of public trust in e-Gov service. Security threats are not only included in technical issues but also non-technical issues and therefore, it needs the implementation of inclusive security. The application of inclusive security to e-Gov needs to develop a model involving security and privacy requirements as a trusted security solution. The method used is the elicitation of security and privacy requirements in a security perspective. Identification is carried out on security and privacy properties, then security and privacy relationships are determined. The next step is developing the design of an inclusive security model on e-Gov. The last step is doing an analysis of e-Gov service activities and the role of inclusive security. The results of this study identified security and privacy requirements for building inclusive security. Identification of security requirements involves properties such as confidentiality (C), integrity (I), availability (A). Meanwhile, privacy requirement involves authentication (Au), authorization (Az), and Non-repudiation (Nr) properties. Furthermore, an inclusive security design model on e-Gov requires trust of internet (ToI) and trust of government (ToG) as an e-Gov service provider. Access control is needed to provide solutions to e-Gov service activities.

Ciphertext storage can effectively solve the security problems in cloud storage, among which the ciphertext policy attribute-based encryption (CP-ABE) is more suitable for ciphertext access control in cloud storage environment for it can achieve one-to-many ciphertext sharing. The existing attribute encryption scheme CP-ABE has problems with revocation such as coarse granularity, untimeliness, and low efficiency, which cannot meet the demands of cloud storage. This paper proposes an RCP-ABE scheme that supports real-time revocable fine-grained attributes for the existing attribute revocable scheme, the scheme of this paper adopts the version control technology to realize the instant revocation of the attributes. In the key update mechanism, the subset coverage technology is used to update the key, which reduces the workload of the authority. The experimental analysis shows that RCP-ABE is more efficient than other schemes.

Data security and privacy issues are magnified by the volume, the variety, and the velocity of Big Data and by the lack, up to now, of a standard data model and related data manipulation language. In this paper, we focus on one of the key data security services, that is, access control, by highlighting the differences with traditional data management systems and describing a set of requirements that any access control solution for Big Data platforms may fulfill. We then describe the state of the art and discuss open research issues.

Cloud storage solutions have gained momentum in recent years. However, cloud servers can not be fully trusted. Data access control have becomes one of the main impediments for further adoption. One appealing approach is to incorporate the access control into encrypted data, thus removing the need to trust the cloud servers. Among existing cryptographic solutions, Ciphertext Policy Attribute-Based Encryption (CP-ABE) is well suited for fine-grained data access control in cloud storage. As promising as it is, user revocation is a cumbersome problem that impedes its wide application. To address this issue, we design an access control system called DUR-CP-ABE, which implements identity-based User Revocation in a data owner Discretionary way. In short, the proposed solution provides the following salient features. First, user revocation enforcement is based on the discretion of the data owner, thus providing more flexibility. Second, no private key updates are needed when user revocation occurs. Third, the proposed scheme allows for group revocation of affiliated users in a batch operation. To the best of our knowledge, DUR-CP-ABE is the first CP-ABE solution to provide affiliation- based batch revocation functionality, which fits naturally into organizations' Identity and Access Management (IAM) structure. The analysis shows that the proposed access control system is provably secure and efficient in terms of computation, communi- cation and storage.

Cloud storage service makes it very convenient for people to access and share data. At the same time, the confidentiality and privacy of user data is also facing great challenges. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) scheme is widely considered to be the most suitable security access control technology for cloud storage environment. Aiming at the problem of privacy leakage caused by single-cloud CP-ABE which is commonly adopted in the current schemes, this paper proposes a privacy-preserving CP-ABE access control scheme using multi-cloud architecture. By improving the traditional CP-ABE algorithm and introducing a proxy to cut the user's private key, it can ensure that only a part of the user attribute set can be obtained by a single cloud, which effectively protects the privacy of user attributes. Meanwhile, the intermediate logical structure of the access policy tree is stored in proxy, and only the leaf node information is stored in the ciphertext, which effectively protects the privacy of the access policy. Security analysis shows that our scheme is effective against replay and man-in-the-middle attacks, as well as user collusion attack. Experimental results also demonstrates that the multi-cloud CP-ABE does not significantly increase the overhead of storage and encryption compared to the single cloud scheme, but the access control overhead decreases as the number of clouds increases. When the access policy is expressed with a AND gate structure, the decryption overhead is obviously less than that of a single cloud environment.

A significant amount of attempt has been lately committed for the progress of Database Management Systems (DBMS) that ensures high assertion and high security. Common security measures for database like access control measures, validation, encryption technologies, etc are not sufficient enough to secure the data from all the threats. By using an anomaly detection system, we are able to enhance the security feature of the Database management system. We are taking an assumption that the database access control is role based. In this paper, a mechanism is proposed for finding the anomaly in database by using machine learning technique such as classification. The importance of providing anomaly detection technique to a Role-Based Access Control database is that it will help for the protection against the insider attacks. The experimentation results shows that the system is able to detect intrusion effectively with high accuracy and high F1-score.

In recent years, many users have uploaded data to the cloud for easy storage and sharing with other users. At the same time, security and privacy concerns for the data are growing. Attribute-based encryption (ABE) enables both data security and access control by defining users with attributes so that only those users who have matching attributes can decrypt them. For real-world applications of ABE, revocation of users or their attributes is necessary so that revoked users can no longer decrypt the data. In actual implementations, ABE is used in hybrid with a symmetric encryption scheme such as the advanced encryption standard (AES) where data is encrypted with AES and the AES key is encrypted with ABE. The hybrid encryption scheme requires re-encryption of the data upon revocation to ensure that the revoked users can no longer decrypt that data. To re-encrypt the data, the data owner (DO) must download the data from the cloud, then decrypt, encrypt, and upload the data back to the cloud, resulting in both huge communication costs and computational burden on the DO depending on the size of the data to be re-encrypted. In this paper, we propose an attribute-based proxy re-encryption method in which data can be re-encrypted in the cloud without downloading any data by adopting both ABE and Syalim's encryption scheme. Our proposed scheme reduces the communication cost between the DO and cloud storage. Experimental results show that the proposed method reduces the communication cost by as much as one quarter compared to that of the trivial solution.