511 |
Access Control Administration with Adjustable Decentralization
Chinaei, Amir Hossein 22 August 2007
Access control is a key function of enterprises that preserve and propagate massive data. Access control enforcement and administration are two major components of the system. On one hand, enterprises are responsible for data security; thus, consistent and reliable access control enforcement is necessary although the data may be distributed. On the other hand, data often belongs to several organizational units with various access control policies and many users; therefore, decentralized administration is needed to accommodate diverse access control needs and to avoid the central bottleneck. Yet, the required degree of decentralization varies within different organizations: some organizations may require a powerful administrator in the system; whereas, some others may prefer a self-governing setting in which no central administrator exists, but users fully manage their own data. Hence, a single system with adjustable decentralization will be useful for supporting various (de)centralized models within the spectrum of access control administration.
Giving individual users the ability to delegate or grant privileges is a means of decentralizing access control administration. Revocation of arbitrary privileges is a means of retaining control over data. To provide flexible administration, the ability to delegate a specific privilege and the ability to revoke it should be held independently of each other and independently of the privilege itself. Moreover, supporting arbitrary user and data hierarchies, fine-grained access control, and protection of both data (end objects) and metadata (access control data) with a single uniform model will provide the most widely deployable access control system.
Conflict resolution is a major aspect of access control administration in systems. Resolving access conflicts when deriving effective privileges from explicit ones is a challenging problem in the presence of both positive and negative privileges, sophisticated data hierarchies, and diversity of conflict resolution strategies.
This thesis presents a uniform access control administration model with adjustable decentralization, to protect both data and metadata. There are several contributions in this work. First, we present a novel mechanism to constrain access control administration for each object type at object creation time, as a means of adjusting the degree of decentralization for the object when the system is configured. Second, by controlling the access control metadata with the same mechanism that controls the users’ data, privileges can be granted and revoked to the extent that these actions conform to the corporation’s access control policy. Thus, this model supports a whole spectrum of access control administration, in which each model is characterized as a network of access control states, similar to a finite state automaton. The model depends on a hierarchy of access banks of authorizations which is supported by a formal semantics. Within this framework, we also introduce the self-governance property in the context of access control, and show how the model facilitates it. In particular, using this model, we introduce a conflict-free and decentralized access control administration model in which all users are able to retain complete control over their own data while they are also able to delegate any subset of their privileges to other users or user groups. We also introduce two measures to compare any two access control models in terms of the degrees of decentralization and interpretation. Finally, as the conflict resolution component of access control models, we incorporate a unified algorithm to resolve access conflicts by simultaneously supporting several combined strategies.
|
512 |
Interoperability of Digital Rights Management Systems via the Exchange of XML-based Rights Expressions
Guth, Susanne 02 1900
The dissertation deals with the cutting-edge subject of electronic contracts, which have the potential to automatically process and control the access rights for (electronic) goods. The dissertation shows the design and the implementation of a rights expression exchange framework. The framework enables digital rights management systems to exchange electronic contracts with each other and thus provides DRM system compatibility. The electronic contracts, which are formulated in a standardized rights expression language, serve as the exchange format between different DRM systems. The dissertation introduces a methodology for the standardized composition, exchange and processing of electronic contracts respectively rights expressions. (author's abstract)
|
514 |
Distributed Power Control and Medium Access Control Protocol Design for Multi-Channel Ad Hoc Wireless Networks
Almotairi, Khaled Hatem January 2012
In the past decade, the development of wireless communication technologies has made the use of the Internet ubiquitous. With the increasing number of new inventions and applications using wireless communication, more interference is introduced among wireless devices that results in limiting the capacity of wireless networks. Many approaches have been proposed to improve the capacity. One approach is to exploit multiple channels by allowing concurrent transmissions, and therefore it can provide high capacity. Many available, license-exempt, and non-overlapping channels are the main advantages of using this approach. Another approach that increases the network capacity is to adjust the transmission power; hence, it reduces interference among devices and increases the spatial reuse.
Integrating both approaches provides further capacity. However, without careful transmission power control (TPC) design, the network performance is limited. The first part of this thesis tackles the integration to efficiently use multiple channels with an effective TPC design in a distributed manner.
We examine the deficiency of uncontrolled asymmetrical transmission power in multi-channel ad hoc wireless networks. To overcome this deficiency, we propose a novel distributed transmission power control protocol called the distributed power level (DPL) protocol for multi-channel ad hoc wireless networks. DPL allocates different maximum allowable power values to different channels so that the nodes that require higher transmission power are separated from interfering with the nodes that require lower transmission power. As a result, nodes select their channels based on their minimum required transmission power to reduce interference over the channels. We also introduce two TPC modes for the DPL protocol: symmetrical and asymmetrical. For the symmetrical mode, nodes transmit at the power that has been assigned to the selected channel, thereby creating symmetrical links over any channel. The asymmetrical mode, on the other hand, allows nodes to transmit at a power that can be lower than or equal to the power assigned to the selected channel.
In the second part of this thesis, we propose the multi-channel MAC protocol with hopping reservation (MMAC-HR) for multi-hop ad hoc networks to overcome the multi-channel exposed terminal problem, which leads to poor channel utilization over multiple channels. The proposed protocol is distributed, does not require clock synchronization, and fully supports broadcasting information. In addition, MMAC-HR does not require nodes to monitor the control channel in order to determine whether or not data channels are idle; instead, MMAC-HR employs carrier sensing and independent slow channel hopping without exchanging information to reduce the overhead.
In the last part of this thesis, a novel multi-channel MAC protocol, known as the dynamic switching protocol (DSP), is developed based on the parallel rendezvous approach without requiring any change to the IEEE 802.11 standard. DSP utilizes the available channels by allowing multiple transmissions at the same time and avoids congestion because it does not need a dedicated control channel and enables nodes to dynamically switch among channels. Specifically, DSP employs two half-duplex interfaces: one interface follows fast hopping and the other one follows slow hopping. The fast hopping interface is used primarily for transmission and the slow hopping interface is used generally for reception. Moreover, the slow hopping interface never deviates from its default hopping sequence to avoid the busy receiver problem. Under single-hop ad hoc environments, an analytical model is developed and validated. The maximum saturation throughput and theoretical throughput upper limit of the proposed protocol are also obtained.
|
515 |
Advanced link and transport control protocols for broadband optical access networks
Xiao, Chunpeng 13 November 2006
The objective of this dissertation is to improve the service quality of broadband optical access networks by developing advanced link- and transport-layer protocols. Current access technologies represent a significant bottleneck in bandwidth and service quality between a high-speed residential/enterprise network and a largely overbuilt core network. Although it is believed that passive optical network (PON) will be the most promising solution to provide truly broadband connections to end users, a suite of protocols is required to provide quality of service (QoS). In this dissertation, we design a new reservation MAC scheme that arbitrates upstream transmission, prevents collisions, and varies bandwidth according to demand and priority. The new access scheme exploits both WDM and TDM to cater for both light and heavy bandwidth requirements. Next, we introduce delta compression as an efficient method for fast content download. In the third part of this dissertation, we enhance the transport performance of Ethernet services by addressing the throughput optimization issue at the edge of the network. A novel SLA-aware transport control scheme is proposed to utilize reserved bandwidth more efficiently using a shifted additive increase multiplicative decrease (AIMD) algorithm, and to detect congestion more accurately based on a hypothesis test. The performance of the proposed scheme is compared with traditional TCP through theoretical analyses and simulations.
|
516 |
The Feasibility, Reliable Communication And Networking Aspects Of Passive Wireless Sensor Networks
Yagli, Mehmet 01 September 2006
The primary challenge in wireless sensor network (WSN) deployment is the limited network lifetime due to the finite-capacity batteries. In accordance with this challenge, the vast majority of research efforts thus far have focused on the development of energy-efficient communication and computing mechanisms for WSNs. In this thesis, a fundamentally different approach and hence completely new WSN paradigm, i.e., the Passive Wireless Sensor Network (PWSN), is introduced. The objective of PWSN is to eliminate the limitation on the system lifetime of the WSNs. In PWSN, power is externally supplied to the sensor network node via an external RF source. Hence, the lifetime of the system is no longer determined by the lifetime of the batteries. An alternative communication scheme, modulated backscattering, is also discussed to be utilized in PWSN. The feasibility of the proposed system is investigated along with the open research challenges for reliable communication and networking in PWSN. Additionally, a new medium access scheme for PWSN, Ultra-Wideband PWSN Medium Access Control (UWB PWSN MAC), is presented.
|
517 |
Flexible access control for campus and enterprise networks
Nayak, Ankur Kumar 07 April 2010
We consider the problem of designing enterprise network security systems which are easy to manage, robust and flexible. This problem is challenging. Today, most approaches rely on host security, middleboxes, and complex interactions between many protocols. To solve this problem, we explore how new programmable networking paradigms can facilitate fine-grained network control. We present Resonance, a system for securing enterprise networks, where the network elements themselves enforce dynamic access control policies through state changes based on both flow-level information and real-time alerts. Resonance uses programmable switches to manipulate traffic at lower layers; these switches take actions (e.g., dropping or redirecting traffic) to enforce high-level security policies based on input from both higher-level security boxes and distributed monitoring and inference systems. Using our approach, administrators can create security applications by first identifying a state machine to represent different policy changes and then translating these states into actual network policies. Earlier approaches in this direction (e.g., Ethane, Sane) have remained low-level, requiring policies to be written in languages which are too detailed and are difficult for regular users and administrators to comprehend. As a result, significant effort is needed to package policies, events and network devices into a high-level application. Resonance abstracts out all the details through its state-machine based policy specification framework and presents security functions which are close to the end system and hence more tractable.
To demonstrate how well Resonance can be applied to existing systems, we consider two use cases. The first relates to the "Network Admission Control" problem. Georgia Tech dormitories currently use a system called START (Scanning Technology for Automated Registration, Repair, and Response Tasks) to authenticate and secure new hosts entering the network [23]. START uses a VLAN-based approach to isolate new hosts from authenticated hosts, along with a series of network device interactions. VLANs are notoriously difficult to use, requiring much hand-holding and manual configuration. Our interactions with the dorm network administrators have revealed that this existing system is not only difficult to manage and scale but also inflexible, allowing only coarse-grained access control. We implemented START by expressing its functions in the Resonance framework. The current system is deployed across three buildings in Georgia Tech with both wired as well as wireless connectivities. We present an evaluation of our system's scalability and performance. We consider dynamic rate limiting as the second use case for Resonance. We show how a network policy that relies on rate limiting and traffic shaping can easily be implemented using only a few state transitions. We plan to expand our deployment to more users and buildings and support more complex policies as an extension to our ongoing work.
The main contributions of this thesis include the design and implementation of a flexible access control model, evaluation studies of our system's scalability and performance, and a campus-wide testbed setup with a working version of Resonance running. Our preliminary evaluations suggest that Resonance is scalable and can be potentially deployed in production networks. Our work can provide a good platform for more advanced and powerful security techniques for enterprise networks.
|
518 |
Design and implementation of an attribute-based authorization management system
Mohan, Apurva 05 April 2011
The proposed research is in the area of attribute-based authorization systems. We address two specific research problems in this area. First, evaluating authorization policies in multi-authority systems where there are multiple stakeholders in the disclosure of sensitive data. The research proposes to consider all the relevant policies related to authorization in real time upon the receipt of an access request and to resolve any differences that these individual policies may have in authorization. Second, to enable a lot of entities to participate in the authorization process by asserting attributes on behalf of the principal accessing resources. Since it is required that these asserted attributes be trusted by the authorization system, it is necessary that these entities are themselves trusted by the authorization system. Two frameworks are proposed to address these issues. In the first contribution a dynamic authorization system is proposed which provides conflict detection and resolution among applicable policies in a multi-authority system. The authorization system is dynamic in nature and considers the context of an access request to adapt its policy selection, execution and conflict handling based on the access environment. Efficient indexing techniques are used to increase the speed of authorization policy loading and evaluation. In the second contribution, we propose a framework for service providers to evaluate trust in entities asserting on behalf of service users in real time upon receipt of an access request. This trust evaluation is done based on a reputation system model, which is designed to protect itself against known attacks on reputation systems.
|
519 |
Applications Of Machine Learning To Anomaly Based Intrusion Detection
Phani, B 07 1900
This thesis concerns anomaly detection as a mechanism for intrusion detection in a machine learning framework, using two kinds of audit data: system call traces and Unix shell command traces. Anomaly detection systems model the problem of intrusion detection as a self-nonself discrimination problem. To be able to use machine learning algorithms for anomaly detection, precise definitions of two aspects, namely the learning model and the dissimilarity measure, are required. The audit data considered in this thesis is intrinsically sequential. Thus the dissimilarity measure must be able to extract the temporal information in the data, which in turn will be used for classification purposes. In this thesis, we study the application of a set of dissimilarity measures broadly termed as sequence kernels that are exclusively suited for such applications. This is done in conjunction with Instance Based learning algorithms (IBL) for anomaly detection. We demonstrate the performance of the system under a wide range of parameter settings and show conditions under which best performance is obtained. Finally, some possible future extensions to the work reported in this report are considered and discussed.
|
520 |
Recovery From DoS Attacks In MIPv6 : Modelling And Validation
Kumar, Manish C 03 1900
Denial-of-Service (DoS) attacks form a very important category of security threats that are possible in MIPv6 (Mobile Internet Protocol version 6). This thesis proposes a scheme for participants (Mobile Node, Home Agent, and Correspondent Node) in MIPv6 to recover from DoS attacks in the event of any of them being subjected to a DoS attack. We propose a threshold based scheme for participants in MIPv6 to detect presence of DoS attacks and to recover from DoS attacks in the event of any of them being subjected to a DoS attack. This is achieved using an infrastructure for MIPv6 that makes such a solution practical even in the absence of IPsec infrastructure. We propose a protocol that uses concepts like Cryptographically Generated Addresses (CGA), short-term IP addresses using a Lamport hash like mechanism and a hierarchy based trust management infrastructure for key distribution.
However, reasoning about correctness of such protocols is not trivial. In addition, new solutions to mitigate attacks may need to be deployed in the network on a frequent basis as and when attacks are detected, as it is practically impossible to anticipate all attacks and provide solutions in advance. This makes it necessary to validate solutions in a timely manner before deployment in a real network. However, threshold schemes needed in group protocols make analysis complex. Model checking of threshold-based group protocols that employ cryptography has not been successful so far. Testing in a real network or a test bed will also not be feasible if faster and frequent deployment of DoS mitigation solutions is needed. Hence, there is a need for an approach that lies between automated/manual verification and an actual implementation.
It is evident from existing literature that not many simulations for doing security analysis of MIP/MIPv6 have been done. This research is a step in that direction. We propose a simulation based approach for validation using a tool called FRAMOGR [40] that supports executable specification of group protocols that use cryptography. FRAMOGR allows one to specify attackers and track probability distributions of values or paths. This work deals with simulation of DoS attacks and their mitigation solutions for MIP in FRAMOGR. This makes validation of solutions possible without mandating a complete deployment of the protocol to detect vulnerabilities in a solution. This does away with the need for a formal theoretical verification of a DoS mitigation solution. In the course of this work, some DoS attacks and recovery mechanisms are simulated and validated using FRAMOGR. We obtained encouraging results for the performance of the detection scheme. We believe that infrastructure such as FRAMOGR would be required in future for validating new group based threshold protocols that are needed for making MIPv6 more robust.
|