Multi-Layered Policy Generation and Management in Clouds

Fatemi Moghaddam, Faraz

12 December 2017

No description available.

510

Informatik (PPN619939052)

Access Control and Storage of Distributed IoT Data

Mends, Diana

03 April 2018

There has been a growth of a class of databases known as the Not only SQL (NoSQL) databases in recent years. Its quick growth has been fueled by a high demand by businesses as it offers a convenient way to store data and is significantly different from our traditional relational databases. It is easy to process unstructured data, offers a cloud-friendly ap- proach and grows through the distribution of data over lots of commodity computers. Most of these NoSQL databases are distributed in several different locations, spanning countries and are known as geo-distributed cloud datastores. We work to customize one of these known as Cassandra. Given the size of the database and the size of applications accessing the data stored, it has been challenging to customize it to meet existing application Service Level Agreement (SLAs). We live in an era of data breaches and even though some types of information are stripped of all sensitive data, there are ways to easily identify and link it to data of real persons or government. Data saved in different countries are subject to the rules and regulations of that specific country and security measures employed to safeguard consumer data. In this thesis, we describe mechanisms for selectively replicating data in a large scale NoSQL datastore in respect of privacy and legal regulations. We introduce an easily extensible constraint language to implement these policy constraints through the creation of a pluggable topology provider in the configuration files of Cassandra. Experiments using the modified Cassandra trunk demonstrate that our techniques work well, respect response times and improves read and write latencies.

IoT

NoSQL databases

Distributed databases

Cassandra

Policy Constraints

Access Control

Selective replication

Smart packet access and call admission control for efficient resource management in advanced wireless networks

Phan, V. V. (Vinh V.)

12 April 2005

Abstract Efficient management of rather limited resources, including radio spectrum and mobile-terminal battery power, has been the fundamental design challenge of wireless networks and one of the most widespread research problems over the years. MAC (Medium Access Control) for packet access and CAC (Call Admission Control) for connection-oriented service domains are commonly used as effective tools to manage radio resources, capacity and performance of wireless networks while providing adequate QoS (Quality of Service) to mobile users. Hence, analysis and synthesis of efficient MAC and CAC schemes for advanced wireless networks have significant academic and practical values. This dissertation addresses that topic and presents seven separate contributions of the author: four on adaptive MAC schemes for centralized PRN (Packet Radio Networks), referred to as SPA (Smart Packet Access) and three on CAC schemes for cellular networks, referred to as SCA (Smart Call Admission). These contributions are published in eighteen original papers by the author, which are listed and referred to as Papers I–XVIII in this thesis. In SPA, the first contribution, reported in Papers II and IV, studies implementation losses of adaptive feedback-control MAC schemes for the uplink of DS-CDMA (Direct-Sequence Code Division Multiple Access) PRN in the presence of various system imperfections. The second contribution, reported in Papers XI, XII, XV and XVI, proposes a bit-rate adaptive MAC scheme for DS-CDMA PRN, referred to as SPR (Smart Packet Rate). The third contribution, reported in Papers III, XIII and XIV, develops two alternative MAC schemes with adaptive packet-length over correlated fading channels in DS-CDMA PRN, referred to as SPL (Smart Packet Length). The fourth contribution, reported in Papers XVII and XVIII, develops alternative adaptive MAC schemes for optimal trade-offs between throughput and energy consumption of TCP (Transmission Control Protocol) applications in advanced cellular networks. These include a so-called SPD (Smart Packet Dispatching) for HSPA (High Speed Packet Access) and, again, SPL for LSPA (Low Speed Packet Access). Moving on to SCA, the first contribution, reported in Papers V and VII, provides a simple and accurate analytical method for performance evaluation of a class of fixed-assignment CAC schemes with generic guard-channel policy and queuing priority handoffs in cellular networks. The second contribution, reported in Papers VI, IX and X, proposes a simple and effective SCAC (Soft-decision CAC) scheme for CDMA cellular networks. This is evaluated against fixed-assignment and measurement-based CAC schemes with a simple and reliable method provided as a part of the contribution. The third contribution, reported in Papers I and VIII, incorporates alternative QoS differentiation paradigms and resource partitioning into CAC, defines GoS (Grade of Service) for multimedia cellular networks, and provides an in-hand tool for efficient capacity and GoS management.

call admission control (CAC)

energy efficiency

medium access control (MAC)

resource management

spectral efficiency

wireless networks

A trust-based adaptive access control model for wireless sensor networks

Maw, Htoo Aung

January 2015

Wireless Sensor Networks (WSNs) have recently attracted much interest in the research community because of their wide range of applications. One emerging application for WSNs involves their use in healthcare where they are generally termed Wireless Medical Sensor Networks (WMSNs). In a hospital, fitting patients with tiny, wearable, wireless vital sign sensors would allow doctors, nurses and others to continuously monitor the state of those in their care. In the healthcare industry, patients are expected to be treated in reasonable time and any loss in data availability can result in further decline in the patient's condition or can even lead to death. Therefore, the availability of data is more important than security concerns. The overwhelming priority is to take care of the patient, but the privacy and confidentiality of that patient's medical records cannot be neglected. In current healthcare applications, there are many problems concerning security policy violations such as unauthorised denial of use, unauthorised information modification and unauthorised information release of medical data in the real world environment. Current WSN access control models used the traditional Role-Based Access Control (RBAC) or cryptographic methods for data access control but the systems still need to predefine attributes, roles and policies before deployment. It is, however, difficult to determine in advance all the possible needs for access in real world applications because there may be unanticipated situations at any time. This research proceeds to study possible approaches to address the above issues and to develop a new access control model to fill the gaps in work done by the WSN research community. Firstly, the adaptive access control model is proposed and developed based on the concept of discretionary overriding to address the data availability issue. In the healthcare industry, there are many problems concerning unauthorised information release. So, we extended the adaptive access control model with a prevention and detection mechanism to detect security policy violations, and added the concept of obligation to take a course of action when a restricted access is granted or denied. However, this approach does not consider privacy of patients' information because data availability is prioritised. To address the conflict between data availability and data privacy, this research proposed the Trust-based Adaptive Access Control (TBA2C) model that integrates the concept of trust into the previous model. A simple user behaviour trust model is developed to calculate the behaviour trust value which measures the trustworthiness of the users and that is used as one of the defined thresholds to override access policy for data availability purpose, but the framework of the TBA2C model can be adapted with other trust models in the research community. The trust model can also protect data privacy because only a user who satisfies the relevant trust threshold can get restricted access in emergency and unanticipated situations. Moreover, the introduction of trust values in the enforcement of authorisation decisions can detect abnormal data access even from authorised users. Ponder2 is used to develop the TBA2C model gradually, starting from a simple access control model to the full TBA2C. In Ponder2, a Self-Managed Cell (SMC) simulates a sensor node with the TBA2C engine inside it. Additionally, to enable a full comparison with the proposed TBA2C model, the Break-The-Glass Role Based Access Control (BTGRBAC) model is redesigned and developed in the same platform (Ponder2). The proposed TBA2C model is the first to realise a flexible access control engine and to address the conflict between data availability and data privacy by combining the concepts of discretionary overriding, the user behaviour trust model, and the prevention and detection mechanism.

610.28

Authentication techniques for secure Internet commerce

Ndaba, Sipho Lawrence

23 August 2012

M.Sc.(Computer Science) / The aim of this dissertation (referred to as thesis in the rest of the document) is to present authentication techniques that can be used to provide secure Internet commerce. The thesis presents techniques that can be used to authenticate human users at logon, as well as techniques that are used to authenticate user's PC and the host system during communication. In so doing, the thesis presents cryptography as the most popular approach to provide information security. Chapter 1 introduces the authentication problem, the purpose and the structure of the thesis. The inadequate security of the Internet prevents companies and users to conduct commerce over the Internet. Authentication is one of the means of providing secure Internet commerce. - Chapter 2 provides an overview of the Internet by presenting the Internet history, Internet infrastructure and the current services that are available on the Internet. The chapter defines Internet commerce and presents some of the barriers to the Internet commerce. Chapter 3 provides an overview of network and internetwork security model. The purpose of this chapter is to put authentication into perspective, in relation to the overall security model. Security attacks, security services and security mechanisms are defined in this chapter. The IBM Security Architecture is also presented. Chapter 4 presents cryptography as the popular approach to information security. The conventional encryption and public-key encryption techniques are used to provide some of the security services described in chapter 3. Chapter 5 presents various schemes that can be used to provide computer-to-computer authentication. These schemes are grouped into the following authentication functions: message encryption, cryptographic checksums, hash functions and digital signatures. Chapter 6 differentiates between one-way authentication schemes and mutual authentication schemes. The applicability of each approach depends on the communicating parties. Chapter 7 presents some of the popular and widely used open-systems technologies Internet protocols, which employ some of the schemes discussed in chapter 5 and chapter 6. These include the SSL, PCT, SHTTP, Kerberos, SESAME and SET. Chapter 8 discusses some of the enabling technologies that are used to provide human user authentication in a computer system. The password technology, the biometric technologies and the smart card technology are discussed. The considerations of selecting a specific technology are also discussed. Chapter 9 presents some of the techniques that can be used to authentication Internet users (human users) over the Internet. The techniques discussed are passwords, knowledge-based technique, voice recognition, smart cards, cellular based technique, and the technique that integrates Internet banking. Chapter 10 defines criteria on which the Internet user authentication techniques presented in chapter 9 can be measured against. The evaluation of each of the techniques is made against the specified criteria. In fact, this chapter concludes the thesis. Chapter 11 provides case studies on two of the techniques evaluated in chapter 10. Specifically, the insurance case study and the medical aid case studies are presented.

Electronic commerce -- Security measures

Internet -- Security measures

Computers -- Access control -- Passwords

Critical information infrastructure protection for developing countries

Ellefsen, Ian David

16 August 2012

D.Phil.(Computer Science) / In this thesis we will investigate the development of Critical Information Infrastructure Protection (CIIP) structures in the developing world. Developing regions are experiencing fast-paced development of information infrastructures, and improvements in related technologies such as Internet connectivity and wireless technologies. The use of these new technologies and the number of new users that are introduced to the Internet can allow cyber threats to flourish. In many cases, Computer Security Incident Response Teams (CSIRTs) can be used to provide CIIP. However, the development of traditional CSIRT-like structures can be problematic in developing regions where technological challenges, legal frameworks, and limited capacity can reduce its overall effectiveness. In this thesis we will introduce the Community-oriented Security, Advisory and Warning (C-SAW) Team. This model is designed to address the challenges to CIIP faced by developing regions by defining a structure that is loosely-coupled and flexible in nature. Furthermore, the aspect of community-orientation is used to allow a C-SAW Team to operate within a designated community of members. This thesis is divided into three primary parts. In Part 1 we will discuss the background research undertaken during this study. The background chapters will lay the foundation for the later chapters in this thesis. In Part 2 we will introduce the C-SAW Team model and elaborate on the construction, relationships, positioning, services, and framework in which it can be deployed. Finally, in Part 3 we present our conclusions to this thesis.

Computer crimes prevention

Computer security

Computer networks - Access control

Computer networks - Security measures

Initial Comparative Empirical Usability Testing for the Collaborative Authentication System

Bursum, Kim

14 March 2017

The Collaborative Authentication (co-authentication) system is an authentication system that relies on some or all members of a pre-registered set of secure hardware tokens being concurrently present to an authentication server at the moment of authentication. Previous researchers have compared various embodiments of the co-authentication system to each other including using Quick Response (QR) codes/cellphone cameras and Near Field Communication (NFC) between tokens. This thesis concerns the initial design and implementation of empirical comparative testing mechanisms between one embodiment of the co-authentication system and other commonly used authentication systems. One contribution is the simulated standard user ID and password login in a computer browser and a simulated RSA SecureID ® one time password (OTP) and login with embedded usability testing mechanisms. Another contribution is the development and implementation of a new Bluetooth communication functionality between tokens. A third contribution is the addition of usability testing mechanisms to two versions of this new functionality.

device authentication

smart devices

token communication

access control

public key cryptography

Computer Sciences

Enabling e-learning 2.0 in information security education: a semantic web approach

Goss, Ryan Gavin

January 2009

The motivation for this study argued that current information security ed- ucation systems are inadequate for educating all users of computer systems world wide in acting securely during their operations with information sys- tems. There is, therefore, a pervasive need for information security knowledge in all aspects of modern life. E-Learning 2.0 could possi- bly contribute to solving this problem, however, little or no knowledge currently exists regarding the suitability and practicality of using such systems to infer information security knowledge to learners.

Data protection

Computers -- Access control

A framework for personal health records in online social networking

Van der Westhuizen, Eldridge Welner

January 2012

Since the early 20th century, the view has developed that high quality health care can be delivered only when all the pertinent data about the health of a patient is available to the clinician. Various types of health records have emerged to serve the needs of healthcare providers and more recently, patients or consumers. These health records include, but are not limited to, Personal Health Records, Electronic Heath Records, Electronic Medical Records and Payer-Based Health Records. Payer-Based Health Records emerged to serve the needs of medical aids or health care plans. Electronic Medical Records and Electronic Health Records were targeted at the healthcare provider market, whereas a gap developed in the patient market. Personal Health Records were developed to address the patient market, but adoption was slow at first. The success of online social networking reignited the flame that Personal Health Records needed and online consumer-based Personal Health Records were developed. Despite all the various types of health records, there still seems to be a lack of meaningful use of personal health records in modern society. The purpose of this dissertation is to propose a framework for Personal Health Records in online social networking, to address the issue of a lack of a central, accessible repository for health records. In order for a Personal Health Record to serve this need it has to be of meaningful use. The capability of a PHR to be of meaningful use is core to this research. In order to determine whether a Personal Health Record is of meaningful use, a tool is developed to evaluate Personal Health Records. This evaluation tool takes into account all the attributes that a Personal Health Record which is of meaningful use should comprise of. Suitable ratings are allocated to enable measuring of each attribute. A model is compiled to facilitate the selection of six Personal Health Records to be evaluated. One of these six Personal Health Records acts as a pilot site to test the evaluation tool in order to determine the tool’s utility and effect improvements. The other five Personal Health Records are then evaluated to measure their adherence to the attributes of meaningful use. These findings, together with a literature study on the various types of health records and the evaluation tool, inform the building blocks used to present the framework. It is hoped that the framework for Personal Health Records in online social networking proposed in this research, may be of benefit to provide clear guidance for the achievement of a central or integrated, accessible repository for health records through the meaningful use of Personal Health Records.

Medical care -- Data processing

Medical records -- Access control

Medical informatics

Towards a worldwide storage infrastructure

Quintard, Julien

January 2012

Peer-to-peer systems have recently gained a lot of attention in the academic community especially through the design of KBR (Key-Based Routing) algorithms and DHT (Distributed Hash Table)s. On top of these constructs were built promising applications such as video streaming applications but also storage infrastructures benefiting from the availability and resilience of such scalable network protocols. Unfortunately, rare are the storage systems designed to be scalable and fault-tolerant to Byzantine behaviour, conditions required for such systems to be deployed in an environment such as the Internet. Furthermore, although some means of access control are often provided, such file systems fail to offer the end-users the flexibility required in order to easily manage the permissions granted to potentially hundreds or thousands of end-users. In addition, as for centralised file systems which rely on a special user, referred to as root on Unices, distributed file systems equally require some tasks to operate at the system level. The decentralised nature of these systems renders impossible the use of a single authoritative entity for performing such tasks since implicitly granting her superprivileges, unacceptable configuration for such decentralised systems. This thesis addresses both issues by providing the file system objects a completely decentralised access control and administration scheme enabling users to express access control rules in a flexible way but also to request administrative tasks without the need for a superuser. A prototype has been developed and evaluated, proving feasible the deployment of such a decentralised file system in large-scale and untrustworthy environments.

004.2