Um serviço de autorização Java EE baseado em certificados de atributos X.509. / A Java EE authorization service based on X.509 attribute certificates.

Guilhen, Stefan Neusatz

03 June 2008

O surgimento e a popularização de arquiteturas de software que fornecem suporte à programação distribuída orientada a objetos, como CORBA, .NET e Java EE, gerou uma demanda por infra-estruturas de segurança eficientes, capazes de proteger os recursos dos sistemas de ataques maliciosos. Essa proteção começa pela identificação dos usuários que interagem com os sistemas, processo conhecido como autenticação. Entretanto, a autenticação por si só não é suficiente para garantir a segurança dos recursos, uma vez que a autenticação não determina quais ações os usuários estão autorizados a executar depois de autenticados. Em outras palavras, um mecanismo de autorização, que faz valer as políticas de controle de acesso aos recursos definidas pelos administradores de sistemas, se faz necessário. Neste trabalho estudamos mecanismos de controle de acesso baseado em papéis e a aplicabilidade dos certificados de atributos X.509 como estrutura de armazenamento desses papéis em um ambiente Java EE. Em particular, estendemos a infra-estrutura de segurança do servidor de aplicações JBoss, de modo que ela passasse a comportar os certificados de atributos X.509. Além disso, analisamos as vantagens e desvantagens do uso de tais certificados e avaliamos o desempenho da extensão desenvolvida em relação a outras alternativas que são oferecidas pelo JBoss para o armazenamento de papéis dos usuários. / The popularization of software architectures that provide support for distributed object-oriented programming, like CORBA, .NET, and Java EE, revealed the need for efficient security infrastructures to protect the resources of enterprise systems from malicious attacks. This protection usually begins with the identification of the users that interact with the systems, a process known as authentication. However, authentication alone is not enough to guarantee the protection of the resources, as it cannot determine what actions a particular user is allowed to execute on a given resource. In other words, an authorization mechanism is needed in order to enforce the access control policies as defined by the system administrators. In this dissertation we studied role-based access control mechanisms and the use of X.509 attribute certificates as data structures that store the users roles in a Java EE environment. Particularly, we added X.509 attribute certificates support to the existing JBoss application server security infrastructure. Furthermore, we evaluated the pros and cons of using these certificates, and compared the performance of the developed extension to the performance of the existing solutions provided by JBoss to store the users roles.

Attribute Certificate

Authorization

Autorização

Certificado de atributos

Java EE

Java EE

Security

Segurança

X.509

X.509

Achieving secure and efficient access control of personal health records in a storage cloud

Binbusayyis, Adel

January 2017

A personal health record (PHR) contains health data about a patient, which is maintained by the patient. Patients may share their PHR data with a wide range of users such as healthcare providers and researchers through the use of a third party such as a cloud service provider. To protect the confidentiality of the data and to facilitate access by authorized users, patients use Attribute-Based Encryption (ABE) to encrypt the data before uploading it onto the cloud servers. With ABE, an access policy is defined based on users' attributes such as a doctor in a particular hospital, or a researcher in a particular university, and the encrypted data can only be decrypted if and only if a user's attributes comply with the access policy attached to a data object. Our critical analysis of the related work in the literature shows that existing ABE based access control frameworks used for sharing PHRs in a storage cloud can be enhanced in terms of scalability and security. With regard to scalability, most existing ABE based access control frameworks rely on the use of a single attribute authority to manage all users, making the attribute authority into a potential bottleneck regarding performance and security. With regard to security, the existing ABE based access control frameworks assume that all users have the same level of trust (i.e. they are equally trustworthy) and all PHR data files have the same sensitivity level, which means that the same protection level is provided. However, in our analysis of the problem context, we have observed that this assumption may not always be valid. Some data, such as patients' personal details and certain diseases, is more sensitive than other data, such as anonymised data. Access to more sensitive data should be governed by more stringent access control measures. This thesis presents our work in rectifying the two limitations highlighted above. In doing so, we have made two novel contributions. The first is the design and evaluation of a Hierarchical Attribute-Based Encryption (HABE) framework for sharing PHRs in a storage cloud. The HABE framework can spread the key management overheads imposed on a single attribute authority tasked with the management of all the users into multiple attribute authorities. This is achieved by (1) classifying users into different groups (called domains) such as healthcare, education, etc., (2) making use of multiple attribute authorities in each domain, (3) structuring the multiple attribute authorities in each domain in a hierarchical manner, and (4) allowing each attribute authority to be responsible for managing particular users in a specific domain, e.g. a hospital or a university. The HABE framework has been analyzed and evaluated in term of security and performance. The security analysis demonstrates that the HABE framework is resistant to a host of security attacks including user collusions. The performance has been analyzed in terms of computational and communication overheads and the results show that the HABE framework is more efficient and scalable than the most relevant comparable work. The second novel contribution is the design and evaluation of a Trust-Aware HABE (Trust+HABE) framework, which is an extension of the HABE framework. This framework is also intended for sharing PHRs in a storage cloud. The Trust+HABE framework is designed to enhance security in terms of protecting access to sensitive PHR data while keeping the overhead costs as low as possible. The idea used here is that we classify PHR data into different groups, each with a distinctive sensitivity level. A user requesting data from a particular group (with a given sensitivity level) must demonstrate that his/her trust level is not lower than the data sensitivity level (i.e. trust value vs data sensitivity verification). A user's trust level is derived based on a number of trust-affecting factors, such as his/her behaviour history and the authentication token type used to identify him/herself etc. For accessing data at the highest sensitivity level, users are required to get special permissions from the data owners (i.e. the patients who own the data), in addition to trust value vs data sensitivity verification. In this way, the framework not only adapts its protection level (in imposing access control) in response to the data sensitivity levels, but also provides patients with more fine-grained access control to their PHR data. The Trust+HABE framework is also analysed and evaluated in term of security and performance. The performance results from the Trust+HABE framework are compared against the HABE framework. The comparison shows that the additional computational, communication, and access delay costs introduced as the result of using the trust-aware approach to access control in this context are not significant compared with computational, communication, and access delay costs of the HABE framework.

004

A quantitative analysis of the fluvio-deltaic Mungaroo Formation : better-defining architectural elements from 3D seismic and well data

Heldreich, Georgina

January 2017

Upper to lower delta plain fluvial sand bodies, sealed by delta plain mudstones, form important hydrocarbon reservoir targets. Modelling complex geobodies in the subsurface is challenging, with a significant degree of uncertainty on dimensions, distribution and connectivity. Studies of modern and ancient paralic systems have produced a myriad of nomenclature and hierarchy schemes for classifying fluvial architectural elements; often lacking clearly-defined terminology. These are largely based on outcrop data where lateral and vertical relationships of bounding scour surfaces can be assessed in detail. Many of these key defining criteria are difficult to recognise or cannot be obtained from typical 3D seismic reflection data at reservoir depths greater than or equal to 2 km subsurface. This research provides a detailed statistical analysis of the Triassic fluvio-deltaic Mungaroo Formation on the North West Shelf of Australia, which is one of the most important gas plays in the world. A multidisciplinary approach addresses the challenge of characterising the reservoir by utilising an integrated dataset of 830 m of conventional core, wireline logs from 21 wells (penetrating up to 1.4 km of the upper Mungaroo Fm) and a 3D seismic volume covering approximately 10,000 km2. Using seismic attribute analysis and frequency decomposition, constrained by well and core data, the planform geobody geometries and dimensions of a variety of architectural elements at different scales of observation are extracted. The results produce a statistically significant geobody database comprising over 27,000 measurements made from more than 6,000 sample points. Three classes of geobodies are identified and interpreted to represent fluvial channel belts and channel belt complexes of varying scales. Fluvial geobody dimensions and geomorphology vary spatially and temporally and the inferred controls on reservoir distribution and architecture are discussed. Results document periods of regression and transgression, interpreted in relation to potential allocyclic and autocyclic controls on the evolution of the depositional system. Statistical analysis of width-to-thickness dimensions and key metrics, such as sinuosity, provided a well-constrained and valuable dataset that augments, and has been compared to, existing published datasets. Uncertainty in interpretation caused by data resolution is addressed; something recognised in many other studies of paralic systems. Given the data distribution, type and resolution, geobodies have possible interpretations as either incised valleys or amalgamated channel belts, with implications for developing predictive models of the system. This study offers the first published, statistically significant dataset for the Mungaroo Formation. It builds upon previous regional work, offering a detailed analysis of this continental scale paralic system and provides insight into the controls and mechanisms that influenced its spatial and temporal evolution. Focusing on improved understanding of geobody distribution and origin, the statistical parameters generated provide a robust dataset that can be used for 3D static reservoir models of analogue systems. Thus, helping to constrain potential geobody dimensions and reduce the uncertainties associated with modelling.

Uma linguagem de definição e manipulação de interfaces com o usuário

Schubert, Edson Gellert

January 1991

Uma interface com o usuário é composta por duas "vias" de comunicação, uma que vai do usuário até o sistema e outra que vai do sistema até o usuário. Cada uma destas "vias" possui um formalismo que define a comunicação associado. Neste trabalho, estes formalismos são descritos com uma gramática de atributos. Esta gramática foi expandida de forma a permitir a definição dos elementos que compõe a interface do usuário, e da estrutura que irá controlar a seqüência de execução das tarefas oferecidas pelos sistemas de aplicação. Ao longo do trabalho são discutidas algumas técnicas de descrição do formalismo de comunicação entre interface e sistema, são abordados os estilos de interação e apresentada as expansões aplicadas sobre gramáticas de atributos. Um exemplo auxilia a compreensão do uso da linguagem proposta, e um protótipo permite a validação das definições. / A user interface is composed by two "ways" of communication, one from the user to the system and the other linking the system to the user. Each of these "ways" has it's own mechanism. In this work, these mechanisms are described through an attribute grammar. This grammar has been expanded to allow the definition of the structure of the interface elements and the control of the execution of the tasks that the application system implements. Through this work, technics that describe the communication between the interface and the system, interaction styles and the extensions made on attribute grammar are discussed. An example is given to explain the use of the proposed mechanism and a prototype validates ideas discussed.

Engenharia : Software

Interface : Usuario

Gramatica : Atributos

Interface gráfica

Graphical interfaces

User interface development systems

Attribute grammar

Seleção de atributos para mineração de processos na gestão de incidentes / Attribute selection for process mining on incident management process

Claudio Aparecido Lira do Amaral

20 March 2018

O processo de tratamento de incidentes é o mais adotado pelas empresas, porém, ainda carece de técnicas que possam gerar estimativas assertivas para o tempo de conclusão. Este trabalho atua no estudo de um processo real, por meio de um procedimento de mineração de processos, capaz de descobrir o modelo do processo sob a forma de um sistema de transição anotado e propõe meios automatizados de escolha dos atributos que o descrevam adequadamente, de modo a gerar estimativas realistas sobre o tempo necessário para sua conclusão. A estratégia resultante da aplicação de técnicas de seleção de atributos - filtro e invólucro - é capaz de propiciar a geração de sistemas de transição anotados mais precisos e com algum grau de generalização. A solução apresentada neste trabalho representa uma melhoria na mineração de processos, no contexto específico da criação de sistemas de transição anotados e no seu uso como um gerador de estatísticas para o processo nele modelado / The incident management process is the most widely adopted by companies. However, still lacks techniques that can generate precise estimates for the completion time. This work performs a study in a real incident management process, by means of process mining, able to find out the real process model in the form of annotated transition system and propose automated means for selecting attributes that describe it accordingly, in order to generate realistic estimates of the time to conclusion. The resulting strategy of application feature selection techniques - filter and wrapper - is able to provide generation of more accurate annotated transition systems with some degree of generalization. The solution presented in this paper represents an improvement in process mining on the specific context of creation annotated transition system and its use as a statistics generator for the whole modeled process

Atributos

Filtro

Incidente

Invólucro

ITIL

Mineração de processos

Attribute

Filter

Incident

ITIL

Process mining

Wrapper

Vårdande : En begreppsanalys

Ebbinghaus, Christine, Jakobsson, Helena

January 2019

Bakgrund: Vårdande är ett centralt begrepp inom sjuksköterskeprofessionen och vårdvetenskapen, dock finns det oklarheter kring vad begreppet innebär, då definitionerna är många och oeniga. Lagar och styrdokument ligger till grund för hur sjuksköterskor ska handla med vårdandet i fokus och sjuksköterskors förhållningssätt beskrivs i Watsons caritasprocesser som en kärleksfull godhet, empatisk förmåga och en genuin närvaro. I enlighet med tidigare forskning anses begreppet vara för betydelsefullt för en otydlig definition. Syfte: Att tydliggöra begreppet vårdande inom sjuksköterskeprofessionen. Metod: En begreppsanalytisk metod av Walker och Avant. Resultat: Det finns flera olika definitioner och synonymer till begreppet vårdande i lexikon och synonymordböcker. Ur facklitteratur och vetenskapliga artiklar framhävs vårdandet utifrån ett sjuksköterske- och patientperspektiv. Begreppet vårdande redovisas slutligen som fyra olika egenskaper: att interagera, att se hela människan, att tillgodose fysiologiska behov och att värna. Alla egenskaper behövs för att kunna beskriva vårdandets innebörd som framställs i form av tre fiktiva berättelser. Slutsats: Examensarbetet har resulterat i en djupare och klarare förståelse av begreppet vårdande. Det har bidragit med en kunskap om hur sjuksköterskors förhållningssätt bör vara, och andra faktorer som är angeläget i mötet med patienter. Att lindra lidande framkom som en konsekvens av vårdandet och synliggör dess betydelse. / Background: The Swedish concept vårdande, which in English translates to both caring and nursing, is a common notion within the nursing profession and the Caring Sciences. However, it is often somewhat unclear what the concept entails, as the definitions are many and often vary in content. Laws and defining guidelines establish how the nurse ought to act with vårdande in mind. In Watson’s Caritas Processes the approach of the nurse is described as a loving, empathic ability and genuine presence. In accordance with earlier scientific research, the concept is of great importance and should possess a clearer definition. Aim: To clarify the concept vårdande within the nursing profession. Method: A concept analytical method by Walker and Avant. Result: There are many definitions and synonyms to vårdande in lexicons and thesauruses. In scientific articles and literature, the concept is highlighted from the perspective of a nurse or patient. The definition of vårdande is finally displayed in four different attributes: to interact, to recognize the complete person, to address physiological needs, and to shield. All these attributes are needed to describe the signification of vårdande, which are displayed in the shape of three fictional stories. Conclusion: This thesis has resulted in a deeper and more defined understanding of the concept of vårdande. It has contributed with an essential applicable approach for nurses, and other factors which are of importance in relation to encountering patients. Alleviation of suffering emerged as a consequence of vårdandet, displaying its significance.

attribute

interact

nurse

patient

shield

attribut

interagera

patient

sjuksköterska

värna

Nursing

Omvårdnad

OVID-BV : optimising value in decision making for best value in the UK social housing sector

Phillips, Steve

January 2007

The Governments' promotion and support of Best Value within the Social Housing Sector has been a prime catalyst in the move by Registered Social Landlord's [RSL's] away from the traditional culture of acceptance of the lowest bid towards consideration of both price and quality criteria as a basis for contractor selection. Manifestly this radical change in the way the sector procures its construction services has forced many of its stakeholders to undergo significant cultural and organisational changes within a relatively short period of time, and problems have developed during this transitional period that have affected the efficiency of the best value process. This research traced the root causes of these problems and its overarching aim was to develop an approach which will enable RSL's and their stakeholders to streamline the best value tender analysis procedure thereby allowing tenders to be dealt with effectively and efficiently whilst also creating a transparent and auditable decision making process. The approach has been established using a mixed methods research methodology utilising; case studies, surveys, rational decision analysis and system evaluation. The main output of the research is the development of a support tool known by the acronym OVID-BV which aids the multi objective decision making process. The underlying rationale for the support tool is based on the innovative use of uncertainty in decision making and the functionality of the tool uses a combination of the analytical hierarchy process (AHP), multi attribute utility theory (MAUT) and whole life costing (WLC).

IaaS-cloud security enhancement : an intelligent attribute-based access control model and implementation

Al-Amri, Shadha M. S.

January 2017

The cloud computing paradigm introduces an efficient utilisation of huge computing resources by multiple users with minimal expense and deployment effort compared to traditional computing facilities. Although cloud computing has incredible benefits, some governments and enterprises remain hesitant to transfer their computing technology to the cloud as a consequence of the associated security challenges. Security is, therefore, a significant factor in cloud computing adoption. Cloud services consist of three layers: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Cloud computing services are accessed through network connections and utilised by multi-users who can share the resources through virtualisation technology. Accordingly, an efficient access control system is crucial to prevent unauthorised access. This thesis mainly investigates the IaaS security enhancement from an access control point of view.

WCAG 2.0 Success Criterion 1.1.1 Compliance: Using Accessibility Checkers to Find Empty Alt Attributes in University Home-pages

January 2018

abstract: With 285-million blind and visually impaired worldwide, and 25.5 million in the United States, federally funded universities should be at the forefront when designing accessible websites for the blind community. Fifty percent of the university homepages discussed in my thesis failed accessibility checker tests because alternative text was not provided in the alt-attribute for numerous images, making them inaccessible to blind users. The images which failed included logos, photographs of people, and images with text. Understanding image content and context in relation to the webpage is important for writing alternative text that is useful, yet writers interpret and define the content and context of images differently or not at all. Not all universities follow legal guidelines of using alternative text for online images nor implements best practices of analyzing images prior to describing them within the context of the webpage. When an image used in a webpage is designed only to be seen by sighted users and not to be seen by screen reader software, then that image is not comparably accessible to a blind user, as Section 508 mandates. / Dissertation/Thesis / Masters Thesis Technical Communication 2018

Technical communication

Accessibility

Alt Attribute

Alternative Text

Blind

Images

Visually Impaired

Um filtro iterativo utilizando árvores de decisão / An Iterative Decision Tree Threshold Filter

Picchi Netto, Oscar

24 September 2013

Usar algoritmos de Aprendizado de Máquina é um dos modos ecientes de extrair as informações de grandes bases biológicas. Sabendo-se que a quantidade de dados que são coletados cresce a cada dia, o uso de alguma técnica de seleção de atributos eficiente é, em alguns casos, essencial não só para otimizar o tempo do algoritmo de Aprendizado da Máquina a ser aplicado posteriormente como também para reduzir os dados, de forma que possa ser possível testá-los, por exemplo, em uma bancada de laboratório em algumas situações específicas. O objetivo deste estudo é propor uma abordagem utilizando árvores de decisão em um filtro iterativo, visando auxiliar na extração de informação de grande bases biológicas. Pois, com uma base de menor dimensionalidade, um especialista humano pode entender melhor ou ainda utilizar um algoritmo de Aprendizado de Máquina de forma mais eficaz. O filtro proposto pode utilizar qualquer classificador com um seletor de atributos embutido e qualquer métrica pode ser utilizada para determinar se o atributo deve ser escolhido. Foi fixado, neste estudo, o algoritmo utilizado como J48 e a área embaixo da curva ROC (AUC) como métrica. Em experimentos utilizando diversas bases de dados biomédicas, o filtro proposto foi analisado e sua capacidade de compressão e desempenho foram avaliados em cinco diferentes paradigmas de aprendizado de máquina, utilizando dois limiares diferentes para a métrica escolhida. O melhor limiar obteve uma capacidade de compressão de cerca de 50% dos dados em geral e 99.4% em bases de baixa densidade, geralmente grandes bases. Os valores AUC obtidos pelo filtro quando comparados com cinco algoritmos de paradigmas de aprendizado diferentes mostraram um desempenho melhor em quatro das cinco situações avaliadas. O filtro proposto foi depois analisado e comparado com outros seletores de atributos da literatura e o indutor sozinho. Quanto ao tempo gasto pelo filtro em relação aos outros ele se apresentou no mesmo patamar de 3 dos 4 seletores testados. Quando comparado em relação ao AUC o filtro proposto se mostrou robusto nos cinco indutores analisados, não apresentando nenhuma diferença significativa em nenhum dos cenários testados. Em relação aos indutores, o filtro apresentou um desempenho melhor, mesmo que não significante, em 4 dos 5 indutores. / Using Machine Learning algorithms is an eficient way to extract information from large biological databases. But, in some cases, the amount of data is huge that using an eficient featured subset selection is, in some cases, essencial not only to optimize the learning time but also to reduce the amount of data, allowing, for example, a test in a laboratory workbench. The objective of this study is to propose an approach using decision trees in a iterative filter. The filter helps information extraction from large biological databases, since in a database with few dimensions a human specialist can understand it better or can use Machine Learning algorithms in a more efective way. The proposed lter can use any classier with embed featured subset selection and can use any performance metric to determine which attribute must be chosen. In this study, we have fixed the algorithm used within the filter as J48 and AUC was used as metric for performance evaluation. In experiments using biomedical databases, the proposed filter was analyzed and its compression capacity and performance were tested. In five diferent Machine Learning paradigms, using two diferent thresholds for the chosen metric. The best threshold was capable of reducing around 50% of the data using all databases and 99.4% on the small density bases, usually high dimensional databases. AUC values for the filter when compared with the five algorithm got a better performance in four of five tested situations. The proposed filter then was tested against others featured subset selectors from the literature, and against the inducer alone. Analyzing time the proposed lter is in the same level as 3 of 4 of the tested selectors. When tested for AUC the proposed selector shows itself robust in the five inducers tested, not showing any signicant diference in all tested scenarios. Against the inducers alone our filter showed a better performance, even not signicant, in 4 of the 5 inducers.

Alta Dimensionalidade

Aprendizado de Máquina

Attribute Selection

High Dimensions

Machine Learning

Seleção de Atributos