Biblio

OAuth 2.0 is one of the most widely used Internet protocols for authorization/single sign-on (SSO) and is also the foundation of the new SSO protocol OpenID Connect. Due to its complexity and its flexibility, it is difficult to comprehensively analyze the security of the OAuth 2.0 standard, yet it is critical to obtain practical security guarantees for OAuth 2.0. In this paper, we present the first computationally sound security analysis of OAuth 2.0. First, we introduce a new primitive, the three-party authenticated secret distribution (3P-ASD for short) protocol, which plays the role of issuing the secret and captures the token issue process of OAuth 2.0. As far as we know, this is the first attempt to formally abstract the authorization technology into a general primitive and then define its security. Then, we present a sufficiently rich three-party security model for OAuth protocols, covering all kinds of authorization flows, providing reasonably strong security guarantees and moreover capturing various web features. To confirm the soundness of our model, we also identify the known attacks against OAuth 2.0 in the model. Furthermore, we prove that two main modes of OAuth 2.0 can achieve our desired security by abstracting the token issue process into a 3P-ASD protocol. Our analysis is not only modular which can reflect the compositional nature of OAuth 2.0, but also fine-grained which can evaluate how the intermediate parameters affect the final security of OAuth 2.0.

This paper is focused on the topic of the use of biometrics framework and strategy for secure access identity management of cloud computing services. This paper present's a description of cloud computing security issues and explored a review of previous works that represented various ideas for a cloud access framework. This paper discusses threats like a malicious insider, data breaches, and describes ways to protect them. It describes an innovative way portrayed a framework that fingerprint access-based authentication to protect Cloud services from unauthorized access and DOS, DDoS attacks. This biometrics-based framework as an extra layer of protection, added then it can be robust to prevent unauthorized access to cloud services.

Technologies such as cloud computing and big data management, have lately made significant progress creating an urgent need for specific databases that can safely store extensive data along with high availability. Specifically, a growing number of companies have adopted various types of non-relational databases, commonly referred to as NoSQL databases. These databases provide a robust mechanism for the storage and retrieval of large amounts of data without using a predefined schema. NoSQL platforms are superior to RDBMS, especially in cases when we are dealing with big data and parallel processing, and in particular, when there is no need to use relational modeling. Sensitive data is stored daily in NoSQL Databases, making the privacy problem more serious while raising essential security issues. In our paper, security and privacy issues when dealing with NoSQL databases are introduced and in following, security mechanisms and privacy solutions are thoroughly examined.

Big data analytics, in essence, is becoming the revolution of business intelligence around the world. This momentum has given rise to the hype around analytic technologies, including Apache Hadoop. Hadoop was not originally developed with security in mind. Despite the evolving efforts to integrate security in Hadoop through developing new tools (e.g., Apache Sentry and Ranger) and employing traditional mechanisms (e.g., Kerberos and LDAP), they mainly focus on providing encryption and authentication features, albeit with limited authorization support. Existing solutions in the literature extended these evolving efforts. However, they suffer from limitations, hindering them from providing robust authorization that effectively meets the unique requirements of big data environments. Towards covering this gap, this paper proposes a hybrid authority (HBD-Authority) as a formal attribute-based access control model with context support. This model is established on a novel hybrid approach of authorization transparency that pertains to three fundamental properties of accuracy: correctness, security, and completeness. The model leverages streaming data analytics to foster distributed parallel processing capabilities that achieve multifold benefits: a) efficiently managing the security policies and promptly updating the privileges assigned to a high number of users interacting with the analytic services; b) swiftly deciding and enforcing authorization of requests over data characterized by the 5Vs; and c) providing dynamic protection for data which is frequently updated. The implementation details and experimental evaluation of the proposed model are presented, demonstrating its performance efficiency.

The training process of deep learning model is costly. As such, deep learning model can be treated as an intellectual property (IP) of the model creator. However, a pirate can illegally copy, redistribute or abuse the model without permission. In recent years, a few Deep Neural Networks (DNN) IP protection works have been proposed. However, most of existing works passively verify the copyright of the model after the piracy occurs, and lack of user identity management, thus cannot provide commercial copyright management functions. In this paper, a novel user fingerprint management and DNN authorization control technique based on backdoor is proposed to provide active DNN IP protection. The proposed method can not only verify the ownership of the model, but can also authenticate and manage the user's unique identity, so as to provide a commercially applicable DNN IP management mechanism. Experimental results on CIFAR-10, CIFAR-100 and Fashion-MNIST datasets show that the proposed method can achieve high detection rate for user authentication (up to 100% in the three datasets). Illegal users with forged fingerprints cannot pass authentication as the detection rates are all 0 % in the three datasets. Model owner can verify his ownership since he can trigger the backdoor with a high confidence. In addition, the accuracy drops are only 0.52%, 1.61 % and -0.65% on CIFAR-10, CIFAR-100 and Fashion-MNIST, respectively, which indicate that the proposed method will not affect the performance of the DNN models. The proposed method is also robust to model fine-tuning and pruning attacks. The detection rates for owner verification on CIFAR-10, CIFAR-100 and Fashion-MNIST are all 100% after model pruning attack, and are 90 %, 83 % and 93 % respectively after model fine-tuning attack, on the premise that the attacker wants to preserve the accuracy of the model.

In modern internet-scale computing, interaction between a large number of parties that are not known a-priori is predominant, with each party functioning both as a provider and consumer of services and information. In such an environment, traditional access control mechanisms face considerable limitations, since granting appropriate authorizations to each distinct party is infeasible both due to the high number of grantees and the dynamic nature of interactions. Trust management has emerged as a solution to this issue, offering aids towards the automated verification of actions against security policies. In this paper, we present a trust- and risk-based approach to security, which considers status, behavior and associated risk aspects in the trust computation process, while additionally it captures user-to-user trust relationships which are propagated to the device level, through user-to-device ownership links.

Spring security is tremendously popular among practitioners for its ease of use to secure enterprise applications. In this paper, we study the application framework misconfiguration vulnerabilities in the light of Spring security, which is relatively understudied in the existing literature. Towards that goal, we identify 6 types of security anti-patterns and 4 insecure vulnerable defaults by conducting a measurement-based approach on 28 Spring applications. Our analysis shows that security risks associated with the identified security anti-patterns and insecure defaults can leave the enterprise application vulnerable to a wide range of high-risk attacks. To prevent these high-risk attacks, we also provide recommendations for practitioners. Consequently, our study has contributed one update to the official Spring security documentation while other security issues identified in this study are being considered for future major releases by Spring security community.

Internet of Medical Things (IoMT) are getting popular in the smart healthcare domain. These devices are resource-constrained and are vulnerable to attack. As the IoMTs are connected to the healthcare network infrastructure, it becomes the primary target of the adversary due to weak security and privacy measures. In this regard, this paper proposes a security architecture for smart healthcare network infrastructures. The architecture uses various security components or services that are developed and deployed as virtual network functions. This makes the security architecture ready for future network frameworks such as OpenMANO. Besides, in this security architecture, only authenticated and trusted IoMTs serve the patients along with an encryption-based communication protocol, thus creating a secure, privacy-preserving and trusted healthcare network infrastructure.

Modern learning systems, say a tutoring platform, has many characteristics like digital data presentation with interactivity, mobility, which provides information about the study-content as per the learners understanding levels, intelligent learners behavior, etc. A sophisticated ubiquitous learner system maintains security and monitors the mischievous behavior of the learner, and authenticates and authorizes every learner, which is quintessential. Some of the existing security schemes aim only at single entry-point authentication, which may not suit to ubiquitous tutor platform. We propose a secured authentication scheme which is based on the information utility of the learner. Whenever a learner moves into a tutor platform, which has ubiquitous learner system technology, the system at first-begins with learners' identity authentication, and then it initiates trust evaluation after the successful authentication of the learner. Periodic credential verification of the learner will be carried out, which intensifies the authentication scheme of the system proposed. BAN logic has been used to prove the authentication in this system. The proposed authentication scheme has been simulated and analyzed for the indoor tutor platform environment.

This paper describes an approach to the security fault tolerance of access control in which the security breaches of an access control are tolerated by means of a security fault tolerant (SFT) access control. Though an access control is securely designed and implemented, it can contain faults in development or be contaminated in operation. The threats to an access control are analyzed to identify possible security breaches. To tolerate the security breaches, an SFT access control is made to be semantically identical to an access control. Our approach is described using role-based access control (RBAC) and extended access control list (EACL). A healthcare system is used to demonstrate our approach.

To achieve a fine-grained access control function and guarantee the data confidentiality in the cloud storage environment, ciphertext policy attribute-based encryption (CP-ABE) has been widely implemented. However, due to the high computation and communication overhead, the nature of CP-ABE mechanism makes it difficult to be adopted in resource constrained terminals. Furthermore, the way of realizing varying levels of undo operations remains a problem. To this end, the access matrix that satisfies linear secret sharing scheme (LSSS) was optimized with Cauchy matrix, and then a user-level revocation scheme based on Chinese Remainder Theorem was proposed. Additionally, the attribute level revocation scheme which is based on the method of key encrypt key (KEK) and can help to reduce the storage overhead has also been improved.

The field of Big Data is expanding at an alarming rate since its inception in 2012. The excessive use of Social Networking Sites, collection of Data from Sensors for analysis and prediction of future events, improvement in Customer Satisfaction on Online S hopping portals by monitoring their past behavior and providing them information, items and offers of their interest instantaneously, etc had led to this rise in the field of Big Data. This huge amount of data, if analyzed and processed properly, can lead to decisions and outcomes that would be of great values and benefits to organizations and individuals. Security of Data and Privacy of User is of keen interest and high importance for individuals, industry and academia. Everyone ensure that their Sensitive information must be kept away from unauthorized access and their assets must be kept safe from security breaches. Privacy and Security are also equally important for Big Data and here, it is typical and complex to ensure the Privacy and Security, as the amount of data is enormous. One possible option to effectively and efficiently handle, process and analyze the Big Data is to make use of Machine Learning techniques. Machine Learning techniques are straightforward; applying them on Big Data requires resolution of various issues and is a challenging task, as the size of Data is too big. This paper provides a brief introduction to Big Data, the importance of Security and Privacy in Big Data and the various challenges that are required to overcome for applying the Machine Learning techniques on Big Data.

In recent days, cloud computing is one of the emerging fields. It is a platform to maintain the data and privacy of the users. To process and regulate the data with high security, the access control methods are used. The cloud environment always faces several challenges such as robustness, security issues and so on. Conventional methods like Cipher text-Policy Attribute-Based Encryption (CP-ABE) are reflected in providing huge security, but still, the problem exists like the non-existence of attribute revocation and minimum efficient. Hence, this research work particularly on the attribute-based mechanism to maximize efficiency. Initially, an objective coined out in this work is to define the attributes for a set of users. Secondly, the data is to be re-encrypted based on the access policies defined for the particular file. The re-encryption process renders information to the cloud server for verifying the authenticity of the user even though the owner is offline. The main advantage of this work evaluates multiple attributes and allows respective users who possess those attributes to access the data. The result proves that the proposed Data sharing scheme helps for Revocation under a fine-grained attribute structure.

File sharing applications using cloud storage are increasingly popular for personal and business use. Due to data protection concerns, end-to-end encryption is often a desired feature of these applications. Many attempts at designing cryptographic solutions fail to be adopted due to missing relevant features. We present SeGShare, a new architecture for end-to-end encrypted, group-based file sharing using trusted execution environments (TEE), e.g., Intel SGX. SeGShare is the first solution to protect the confidentiality and integrity of all data and management files; enforce immediate permission and membership revocations; support deduplication; and mitigate rollback attacks. Next to authentication, authorization and file system management, our implementation features an optimized TLS layer that enables high throughput and low latency. The encryption overhead of our implementation is extremely small in computation and storage resources. Our enclave code comprises less than 8500 lines of code enabling efficient mitigation of common pitfalls in deploying code to TEEs.

Information-centric networking (ICN) has played an increasingly important role in the next generation network design. However, to make better use of request-response communication mode in the ICN network, revoke user privileges more efficiently and protect user privacy more safely, an effective access control mechanism is needed. In this paper, we propose IBSS (identity-based secret sharing), which achieves efficient content distribution by using improved Shamir's secret sharing method. At the same time, collusion attacks are avoided by associating polynomials' degree with the number of users. When authenticating user identity and transmitting content, IBE and IBS are introduced to achieve more efficient and secure identity encryption. From the experimental results, the scheme only introduces an acceptable delay in file retrieval, and it can request follow-up content very efficiently.

Using the blockchain technology to store the privatedocuments of individuals will help make data more reliable and secure, preventing the loss of data and unauthorized access. The Consensus algorithm along with the hash algorithms maintains the integrity of data simultaneously providing authentication and authorization. The paper incorporates the block chain and the Identity Based Encryption management concept. The Identity based Management system allows the encryption of the user's data as well as their identity and thus preventing them from Identity theft and fraud. These two technologies combined will result in a more secure way of storing the data and protecting the privacy of the user.

Internet of Things (IoT) systems are becoming widely used, which makes them to be a high-value target for both hackers and crackers. From gaining access to sensitive information to using them as bots for complex attacks, the variety of advantages after exploiting different security vulnerabilities makes the security of IoT devices to be one of the most challenging desideratum for cyber security experts. In this paper, we will propose a new IoT system, designed to ensure five data principles: confidentiality, integrity, availability, authentication and authorization. The innovative aspects are both the usage of a web-based communication and a custom dynamic data request structure.

The interface permits the client to scan for a subjective utility on the Play Store; the authorizations posting and the protection arrangement are then routinely recovered, on all events imaginable. The client has then the capability of choosing an interesting authorization, and a posting of pertinent sentences are separated with the guide of the privateer's inclusion and introduced to them, alongside a right depiction of the consent itself. Such an interface allows the client to rapidly assess the security-related dangers of an Android application, by utilizing featuring the pertinent segments of the privateer's inclusion and by introducing helpful data about shrewd authorizations. A novel procedure is proposed for the assessment of privateer's protection approaches with regards to Android applications. The gadget actualized widely facilitates the way toward understanding the security ramifications of placing in 1/3 birthday celebration applications and it has just been checked in a situation to feature troubling examples of uses. The gadget is created in light of expandability, and correspondingly inclines in the strategy can without trouble be worked in to broaden the unwavering quality and adequacy. Likewise, if your application handles non-open or delicate individual information, it would be ideal if you also allude to the extra necessities in the “Individual and Sensitive Information” territory underneath. These Google Play necessities are notwithstanding any prerequisites endorsed by method for material security or data assurance laws. It has been proposed that, an individual who needs to perform the establishment and utilize any 1/3 festival application doesn't perceive the significance and which methods for the consents mentioned by method for an application, and along these lines sincerely gives all the authorizations as a final product of which unsafe applications furthermore get set up and work their malevolent leisure activity in the rear of the scene.

This work describes the architecture and prototype implementation of a novel trust-aware continuous authorization technology that targets consumer Internet of Things (IoT), e.g., Smart Home. Our approach extends previous authorization models in three complementary ways: (1) By incorporating trust-level evaluation formulae as conditions inside authorization rules and policies, while supporting the evaluation of such policies through the fusion of an Attribute-Based Access Control (ABAC) authorization policy engine with a Trust-Level-Evaluation-Engine (TLEE). (2) By introducing contextualized, continuous monitoring and re-evaluation of policies throughout the authorization life-cycle. That is, mutable attributes about subjects, resources and environment as well as trust levels that are continuously monitored while obtaining an authorization, throughout the duration of or after revoking an existing authorization. Whenever change is detected, the corresponding authorization rules, including both access control rules and trust level expressions, are re-evaluated.(3) By minimizing the computational and memory footprint and maximizing concurrency and modular evaluation to improve performance while preserving the continuity of monitoring. Finally we introduce an application of such model in Zero Trust Architecture (ZTA) for consumer IoT.

Software Defined Vehicular Networking (SDVN) could be the future of the vehicular networks, enabling interoperability between heterogeneous networks and mobility management. Thus, the deployment of large SDVN is considered. However, SDVN is facing major security issues, in particular, authentication and access control issues. Indeed, an unauthorized SDN controller could modify the behavior of switches (packet redirection, packet drops) and an unauthorized switch could disrupt the operation of the network (reconnaissance attack, malicious feedback). Due to the SDVN features (decentralization, mobility) and the SDVN requirements (flexibility, scalability), the Blockchain technology appears to be an efficient way to solve these authentication and access control issues. Therefore, many Blockchain-based approaches have already been proposed. However, two key challenges have not been addressed: authentication and access control for SDN controllers and high scalability for the underlying Blockchain network. That is why in this paper we propose an innovative and scalable architecture, based on a set of interconnected Blockchain sub-networks. Moreover, an efficient access control mechanism and a cross-sub-networks authentication/revocation mechanism are proposed for all SDVN devices (vehicles, roadside equipment, SDN controllers). To demonstrate the benefits of our approach, its performances are compared with existing solutions in terms of throughput, latency, CPU usage and read/write access to the Blockchain ledger. In addition, we determine an optimal number of Blockchain sub-networks according to different parameters such as the number of certificates to store and the number of requests to process.

A trust model IMPACT: Intention, Measurability, Predictability, Agility, Communication, and Transparency has been conceptualized to build human trust in autonomous agents. The six critical characteristics must be exhibited by the agents in order to gain and maintain the trust from their human partners towards an effective and collaborative team in achieving common goals. The IMPACT model guided a design of an intelligent adaptive decision aid for dynamic target engagement processes in a military context. Positive feedback from subject matter experts participated in a large scale joint exercise controlling multiple unmanned vehicles indicated the effectiveness of the decision aid. It also demonstrated the utility of the IMPACT model as design principles for building up a trusted human-agent teaming.

Due to the proliferation of Internet-of-Things (IoT) environments, humans working with heterogeneous, smart objects in public IoT environments become more popular than ever before. This situation often requires to establish trust relationships between a user and a smart object for their secure interactions, but without the presence of prior interactions. In this work, we are interested in how a smart object can grant an access right to a human user in the absence of any prior knowledge in which some users may be malicious aiming to breach security goals of the IoT system. To solve this problem, we propose a trust-aware, role-based access control system, namely TARAS, which provides adaptive authorization to users based on dynamic trust estimation. In TARAS, for the initial trust establishment, we take a multidisciplinary approach by adopting the concept of I-sharing from psychology. The I-sharing follows the rationale that people with similar roles and traits are more likely to respond in a similar way. This theory provides a powerful tool to quickly establish trust between a smart object and a new user with no prior interactions. In addition, TARAS can adaptively filter malicious users out by revoking their access rights based on adaptive, dynamic trust estimation. Our experimental results show that the proposed TARAS mechanism can maximize system integrity in terms of correctly detecting malicious or benign users while maximizing service availability to users particularly when the system is fine-tuned based on the identified optimal setting in terms of an optimal trust threshold.

Many technological cases exploiting data science have been realized in recent years; machine learning, Internet of Things, and stream data processing are examples of this trend. Other advanced applications have focused on capturing the value from streaming data of different objects of transport and traffic management in an Intelligent Transportation System (ITS). In this context, security control and trust level play a decisive role in the sustainable adoption of this trend. However, conceptual work integrating the security approaches of different disciplines into one coherent reference architecture is limited. The contribution of this paper is a reference architecture for ITS security (called SITS). In addition, a classification of Big Data technologies, products, and services to address the ITS trust challenges is presented. We also proposed a novel multi-tier ITS security framework for validating the usability of SITS with business intelligence development in the enterprise domain.

Mobile ad hoc networks present numerous advantages compared to traditional networks. However, due to the fact that they do not have any central management point and are highly dynamic, mobile ad hoc networks display many issues. The one study in this paper is the one related to security. A policy based approach for securing messages dissemination in mobile ad hoc network is proposed in order to tackle that issue.

The low attention to security and privacy causes some problems on data and information that can lead to a lack of public trust in e-Gov service. Security threats are not only included in technical issues but also non-technical issues and therefore, it needs the implementation of inclusive security. The application of inclusive security to e-Gov needs to develop a model involving security and privacy requirements as a trusted security solution. The method used is the elicitation of security and privacy requirements in a security perspective. Identification is carried out on security and privacy properties, then security and privacy relationships are determined. The next step is developing the design of an inclusive security model on e-Gov. The last step is doing an analysis of e-Gov service activities and the role of inclusive security. The results of this study identified security and privacy requirements for building inclusive security. Identification of security requirements involves properties such as confidentiality (C), integrity (I), availability (A). Meanwhile, privacy requirement involves authentication (Au), authorization (Az), and Non-repudiation (Nr) properties. Furthermore, an inclusive security design model on e-Gov requires trust of internet (ToI) and trust of government (ToG) as an e-Gov service provider. Access control is needed to provide solutions to e-Gov service activities.