1 |
A model for the dynamic delegation of authorization rights in a secure workflow management system.
Venter, Karin 04 June 2008
Businesses are continually striving to become more efficient. In an effort to achieve optimal efficiency, many companies have been forced to re-evaluate the efficiency of their business processes. Consequently, the term “business process re-engineering” (BPR) has been given to the activity of restructuring organizational policies and methods for conducting business. The refinement of business processes is the primary motivation behind the development of automated workflow systems that ensure the secure and efficient flow of information between activities and participants that constitute the business process. A workflow is an automated business process that comprises a number of related tasks. When these tasks are executed in a systematic way, they contribute to the fulfilment of some goal. The order in which workflow tasks execute is of great significance because these tasks are typically dependent on each other. A workflow management system (WFMS) is responsible for scheduling the systematic execution of workflow tasks whilst considering the dependencies that exist between them. Businesses are realizing the necessity of information management in the functioning and general management of a company. They are recognizing the important role that information security has to play in ensuring that accurate information that is relevant is gathered, applied and maintained to enhance the company’s service to its customers. In a workflow context, information security primarily involves the implementation of access control security mechanisms. These mechanisms help ensure that task dependencies are coordinated and that tasks are performed by authorized subjects only. In doing so, they also assist in the maintenance of object integrity. The Workflow Authorization Model (WAM) was developed by Atluri and Huang [AH96b, HA99] with the specific intention of addressing the security requirements of workflow environments. It primarily addresses the granting and revoking of authorizations in a WFMS. The WAM satisfies most criteria that are required of an optimal access control model. These criteria are the enforcement of separation of duties, the handling of temporal constraints, a role-based application and the synchronization of workflow with authorization flow. Some of these conditions cannot be met through pure role-based access control (RBAC) mechanisms. This dissertation addresses the delegation of task authorizations within a workflow process by subject roles in the organizational structure. In doing this, a role may have the authority to delegate responsibility for task execution to another individual in a role set. This individual may potentially belong to a role other than the role explicitly authorized to perform the task in question. The proposed model will work within the constraints that are enforced by the WAM. Therefore, the WAM will play a part in determining whether delegation may be approved. This implies that the delegation model may not override any dynamically defined security constraints. The Delegation Authorization Model (DAM) proposed assists in distributing workloads amongst subject roles within an organization, by allowing subjects to delegate task responsibilities to other subjects according to restrictions imposed by security policies. As yet, this area of research has not received much attention. / Prof. M.S. Olivier
|
2 |
A prototype design for RBAC in a workflow environment
Cholewka, Damian Grzegorz 13 February 2012
M.Sc. / Role-based access control (RBAC) associates roles with privileges and users with roles. These associations are, however, static in that changes are infrequent and explicit. In certain instances this does not reflect business requirements. Access to an object should be based not only on the identity of the object and the user, but also on the actual task that must be performed. Context-sensitive access control meets the requirements in that it also considers the actual task, i.e. the context of the work to be done, when deciding whether an access should be granted or not. Workflow technology provides an appropriate environment for establishing the context of work. This dissertation discusses the implementation of a context-sensitive access control mechanism within a workflow environment. Although the prototype represents scaled-down workflow functionality, it illustrates the concept of context-sensitive access control. Access control was traditionally aimed at physically controlling access to a computer terminal. Large doors were put in place and time was divided between users who needed to work on a terminal. Today, however, physical means of restraining access have to a large extent given way to logical controls. Current access control mechanisms frequently burden the end-users with unnecessary security-related tasks. A user may, for example, be expected to assume a specific role at the beginning of a session, resulting in unnecessary multi-logons. Alternatively, users can automatically play the most senior role that they can hold and consequently receive the permissions associated with that role. The user is therefore trusted to implement the security policy and not misuse granted privileges. It is also possible for an end-user to bypass security functionality inadvertently; end-users do not always remember to do the correct thing. End-users are furthermore not necessarily adequately educated in security principles and may thus regard security-related tasks as hampering the tasks that they regard as being more important.
|
3 |
Mutual authentication in electronic commerce transactions.
Kisimov, Martin Valentinov 02 June 2008
Electronic commerce is a large and ever growing industry. Online transactions are returning ever-growing revenues to electronic merchants. The e-commerce industry is still facing a range of problems concerning the process of completion of online transactions. Such problems are connected to consumer fears dealing with the identity of online merchants, their security precautions and methods for accepting online payments. This thesis develops and presents a Mutual Authentication Model (MAM), which addresses the problem of mutual authentication between online shoppers and merchants. The model combines existing technologies in the field of cryptography, as well as the use of digital signatures and certificates. This is done in a specific manner as for the model to achieve mutual authentication between communicating parties, in an online transaction. The Mutual Authentication Model provides a process through which an online shopper can be quickly and transparently equipped with a digital identification, in the form of a digital certificate of high trust, in order for this shopper to participate in an authenticated transaction within the MAM. A few of the advantages of the developed model include the prospect of decreased online credit fraud, as well as an increased rate of completed online transactions. / Prof. S.H. von Solms
|
4 |
The use of a virtual machine as an access control mechanism in a relational database management system.
Van Staden, Wynand Johannes 04 June 2008
This dissertation considers the use of a virtual machine as an access control mechanism in a relational database management system. Such a mechanism may prove to be more flexible than the normal access control mechanism that forms part of a relational database management system. The background information provided in this text (required to clearly comprehend the issues that are related to the virtual machine and its language) introduces databases, security and security mechanisms in relational database management systems. Finally, an existing implementation of a virtual machine that is used as a pseudo access control mechanism is provided. This mechanism is used to examine data that travels across an electronic communications network. Subsequently, the language of the virtual machine is chiefly considered, since it is this language which will determine the power and flexibility that the virtual machine offers. The capabilities of the language are illustrated by showing how it can be used to implement selected access control policies. Furthermore it is shown that the language can be used to access data stored in relations in a safe manner, and that the addition of the programs to the DAC model does not cause a significant increase in the management of a decentralised access control model. Following the proposed language it is obvious that the architecture of the “new” access control subsystem is also important since this architecture determines where the virtual machine fits in to the access control mechanism as a whole. Other extensions to the access control subsystem which are important for the functioning of the new access control subsystem are also reflected upon. Finally, before concluding, the dissertation aims to provide general considerations that have to be taken into account for any potential implementation of the virtual machine. Aspects such as the runtime support system, data types and capabilities for extensions are taken into consideration. By examining all of the previous aspects, the access control language and programs, the virtual machine and the extensions to the access control subsystem, it is shown that the virtual machine and the language offered in this text provide the capability of implementing all the basic access control policies that can normally be provided. Additionally it can equip the database administrator with a tool to implement even more complex policies which can not be handled in a simple manner by the normal access control system. Additionally it is shown that using the virtual machine does not mean that certain complex policies have to be implemented on an application level. It is also shown that the new and extended access control subsystem does not significantly alter the way in which access control is managed in a relational database management system. / Prof. M.S. Olivier
|
5 |
Efficient computational approach to identifying overlapping documents in large digital collections
Monostori, Krisztian, 1975- January 2002
Abstract not available
|
6 |
Towards a framework for securing a business against electronic identity theft
Bechan, Upasna 30 November 2008
The continuing financial losses incurred by individuals and companies due to identity information being phished are necessitating more innovative approaches to solving the problem of phishing attacks at the company level. Security standards are developed by respected experts in the profession and are widely accepted in the industry. The purpose of this study was to investigate whether a standard can be adapted to develop a framework that may guide companies in determining how to protect themselves against phishing attacks. A qualitative approach using design research as the methodology was used during the research. The data collection took place by means of a literature survey and semi-structured interviews. The artefact developed was a phishing-prevention framework based on the ISO/IEC 17799 standard, and the evaluation thereof took place through test cases. The findings communicated to the managerial audience were a set of recommendations as a further investment in their security protection against phishing attacks; the findings communicated to the technical audience were the successful adaptation of an existing security standard to produce a usable framework. Further research initiatives should extend the types of test cases that the phishing-prevention framework was evaluated against, and explore the use of tools for determining compliance with the framework. / Theoretical Computing / M. Sc. (Information Systems)
|
7 |
Applications Of Machine Learning To Anomaly Based Intrusion Detection
Phani, B 07 1900
This thesis concerns anomaly detection as a mechanism for intrusion detection in a machine learning framework, using two kinds of audit data: system call traces and Unix shell command traces. Anomaly detection systems model the problem of intrusion detection as a self-nonself discrimination problem. To be able to use machine learning algorithms for anomaly detection, precise definitions of two aspects, namely the learning model and the dissimilarity measure, are required. The audit data considered in this thesis is intrinsically sequential. Thus the dissimilarity measure must be able to extract the temporal information in the data which in turn will be used for classification purposes. In this thesis, we study the application of a set of dissimilarity measures broadly termed as sequence kernels that are exclusively suited for such applications. This is done in conjunction with Instance Based learning algorithms (IBL) for anomaly detection. We demonstrate the performance of the system under a wide range of parameter settings and show conditions under which best performance is obtained. Finally, some possible future extensions to the work reported in this report are considered and discussed.
|
8 |
Recovery From DoS Attacks In MIPv6: Modelling And Validation
Kumar, Manish C 03 1900
Denial-of-Service (DoS) attacks form a very important category of security threats that are possible in MIPv6 (Mobile Internet Protocol version 6). This thesis proposes a scheme for participants (Mobile Node, Home Agent, and Correspondent Node) in MIPv6 to recover from DoS attacks in the event of any of them being subjected to a DoS attack. We propose a threshold based scheme for participants in MIPv6 to detect presence of DoS attacks and to recover from DoS attacks in the event of any of them being subjected to a DoS attack. This is achieved using an infrastructure for MIPv6 that makes such a solution practical even in the absence of IPsec infrastructure. We propose a protocol that uses concepts like Cryptographically Generated Addresses (CGA), short-term IP addresses using a Lamport hash like mechanism and a hierarchy based trust management infrastructure for key distribution.
However, reasoning about correctness of such protocols is not trivial. In addition, new solutions to mitigate attacks may need to be deployed in the network on a frequent basis as and when attacks are detected, as it is practically impossible to anticipate all attacks and provide solutions in advance. This makes it necessary to validate solutions in a timely manner before deployment in a real network. However, threshold schemes needed in group protocols make analysis complex. Model checking threshold-based group protocols that employ cryptography has not been successful so far. The testing in a real network or a test bed also will not be feasible if faster and frequent deployment of DoS mitigation solutions is needed. Hence, there is a need for an approach that lies between automated/manual verification and an actual implementation.
It is evident from existing literature that not many simulations for doing security analysis of MIP/MIPv6 have been done. This research is a step in that direction. We propose a simulation based approach for validation using a tool called FRAMOGR [40] that supports executable specification of group protocols that use cryptography. FRAMOGR allows one to specify attackers and track probability distributions of values or paths. This work deals with simulation of DoS attacks and their mitigation solutions for MIP in FRAMOGR. This makes validation of solutions possible without mandating a complete deployment of the protocol to detect vulnerabilities in a solution. This does away with the need for a formal theoretical verification of a DoS mitigation solution. In the course of this work, some DoS attacks and recovery mechanisms are simulated and validated using FRAMOGR. We obtained encouraging results for the performance of the detection scheme. We believe that infrastructure such as FRAMOGR would be required in future for validating new group based threshold protocols that are needed for making MIPv6 more robust.
|
9 |
Towards a framework for securing a business against electronic identity theft
Bechan, Upasna 30 November 2008
The continuing financial losses incurred by individuals and companies due to identity information being phished are necessitating more innovative approaches to solving the problem of phishing attacks at the company level. Security standards are developed by respected experts in the profession and are widely accepted in the industry. The purpose of this study was to investigate whether a standard can be adapted to develop a framework that may guide companies in determining how to protect themselves against phishing attacks. A qualitative approach using design research as the methodology was used during the research. The data collection took place by means of a literature survey and semi-structured interviews. The artefact developed was a phishing-prevention framework based on the ISO/IEC 17799 standard, and the evaluation thereof took place through test cases. The findings communicated to the managerial audience were a set of recommendations as a further investment in their security protection against phishing attacks; the findings communicated to the technical audience were the successful adaptation of an existing security standard to produce a usable framework. Further research initiatives should extend the types of test cases that the phishing-prevention framework was evaluated against, and explore the use of tools for determining compliance with the framework. / Theoretical Computing / M. Sc. (Information Systems)
|
10 |
Distributed Joint Source-Channel Coding For Multiple Access Channels
Rajesh, R 05 1900
We consider the transmission of correlated sources over a multiple access channel (MAC). Multiple access channels are important building blocks in many practical communication systems, e.g., local area networks (LAN), cellular systems, wireless multi-hop networks. Thus this topic has been studied for the last several decades. One recent motivation is estimating a random field via wireless sensor networks. Often the sensor nodes are densely deployed resulting in correlated observations. These sensor nodes need to transmit their correlated observations to a fusion center which uses this data to estimate the sensed random field. Sensor nodes have limited computational and storage capabilities and very limited energy. Since transmission is very energy intensive, it is important to minimize it. This motivates our problem of energy efficient transmission of correlated sources over a sensor network.
Sensor networks are often arranged in a hierarchical fashion. Neighboring nodes can first transmit their data to a cluster head which can further compress information before transmission to the fusion center. The transmission of data from sensor nodes to their cluster-head is usually through a MAC. At the fusion center the underlying physical process is estimated. The main trade-off possible is between the rates at which the sensors send their observations and the distortion incurred in estimation at the fusion center. The availability of side information at the encoders and/or the decoder can reduce the rate of transmission.
In this thesis, the above scenario is modeled as an information theoretic problem. Efficient joint source-channel codes are discussed under various assumptions on side information and distortion criteria. Sufficient conditions for transmission of discrete/continuous alphabet sources with a given distortion over a discrete/continuous alphabet MAC are given. We recover various previous results as special cases from our results. Furthermore, we study the practically important case of the Gaussian MAC (GMAC) in detail and propose new joint source-channel coding schemes for discrete and continuous sources. Optimal schemes are identified in different scenarios.
The protocols like TDMA, FDMA and CDMA are widely used across systems and standards. When these protocols are used the MAC becomes a system of orthogonal channels. Our general conditions can be specialized to obtain sufficient conditions for lossy transmission over this system. Using these conditions, we identify an optimal scheme for transmission of Gaussian sources over orthogonal Gaussian channels and show that the Amplify and Forward (AF) scheme performs close to the optimal scheme even at high SNR.
Next we investigate transmission of correlated sources over a fast fading MAC with perfect or partial channel state information available at both the encoders and the decoder. We provide sufficient conditions for transmission with given distortions. We also provide power allocation policies for efficient transmission.
Next, we use MAC with side information as a building block of a hierarchical sensor network. For Gaussian sources over Gaussian MACs, we show that AF performs well in such sensor network scenarios where the battery power is at a premium. We then extend this result to the hierarchical network scenario and show that it can perform favourably to the Slepian-Wolf based source coding and independent channel coding scheme.
In a hierarchical sensor network the cluster heads often need to send only a function of the sensor observations to the fusion center. In such a setup the sensor nodes can compress the data sent to the cluster head exploiting the correlation in the data and also the structure of the function to be computed at the cluster head. Depending upon the function, exploiting the structure of the function can substantially reduce the data rate for transmission. We provide efficient joint source-channel codes for transmitting a general class of functions of the sources over the MAC.
|