
Generalization and enforcement of role-based access control using a novel event-based approach.



Abstract

Protecting information against unauthorized access is a key issue in information system security. Advanced access control models and mechanisms have now become necessary for applications and systems due to emerging acts, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act. Role-Based Access Control (RBAC) is a viable alternative to traditional discretionary and mandatory access control.

In this thesis, we have focused on several aspects of RBAC, including generalization and enforcement of RBAC, by exploiting and extending a well-established event-based framework that has a solid theoretical foundation. Specifically, we have addressed the following problems and made the following contributions:

(1) Enforcement of existing RBAC approaches: Security mechanisms are required for enforcing security policies. We have provided a flexible event-based technique for enforcing the RBAC standard and other current extensions in a uniform manner using an event framework. We have extended event specification and detection with interval-based semantics for event operators and alternative actions for active rules.

(2) Generalization of RBAC and Snoop: We have generalized RBAC policies with expressive event pattern constraints. We have shown how to model diverse constraints, such as precedence, dependency, non-occurrence, and their combinations, using event patterns that are not available in existing RBAC approaches. Event patterns are event expressions that have simple and complex events as constituent events, and they control the state change. Snoop, an event specification language, provides the basis for the extensions needed to support the generalized RBAC. The generalization of RBAC using constraints based on event patterns can be accomplished by the extended Snoop.

(3) Enforcement of generalized RBAC: We have shown the modeling and enforcement of generalized RBAC policies using the extended local event detector (LED). We have introduced event registrar graphs for capturing simple and complex event occurrences and keeping track of event patterns.

(4) Usability in RBAC: We have enhanced the usability of RBAC by adding an intelligent module for discovering roles and guiding (or prompting) the user to acquire appropriate roles for performing operations on objects. This approach relieves the user from the details of role-permission assignment and allows them to concentrate on their task. We have developed several algorithms for discovering roles, and analyzed their complexity and effectiveness.

(5) Novel applications: We have developed various applications for demonstrating the applicability of the results obtained in this thesis. (i) We have shown how role-based security policies can be supported in web gateways using a smart push-pull approach. (ii) We have shown how event operators based on interval-based semantics can be utilized for information filtering. (iii) We have provided an integrated model for advanced data stream applications that supports not only stream processing but also complicated event and rule processing.

(Abstract shortened by UMI.)

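The abstract describes three things a practitioner may want to see side by side: RBAC enforcement driven by events, role activation constrained by event patterns (precedence, dependency, non-occurrence, contributions 2 and 3), and a role-discovery aid that tells a user which assigned roles would grant an operation (contribution 4). The following is an added illustration written for this page; it is not the thesis's code and does not implement Snoop or the LED. The `Registrar` class, the constraint combinators, the role names, the permissions and the timestamps are all constructed assumptions chosen to exercise each constraint kind on a small, deterministic scenario.

```python
"""Event-constrained RBAC: added illustration, not the thesis's Snoop/LED implementation."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Event = Tuple[str, int]              # (event name, integer timestamp); constructed convention
Constraint = Callable[..., bool]     # called as constraint(registrar, active_roles, now)


@dataclass
class Registrar:
    """Records simple event occurrences so activation constraints can consult history."""
    log: List[Event] = field(default_factory=list)

    def record(self, name: str, ts: int) -> None:
        self.log.append((name, ts))

    def last(self, name: str):
        stamps = [ts for n, ts in self.log if n == name]
        return max(stamps) if stamps else None

    def occurred_in(self, name: str, start: int, end: int) -> bool:
        return any(n == name and start <= ts <= end for n, ts in self.log)


# Constraint combinators (hypothetical): each returns a predicate over event history.
def precedence(event: str) -> Constraint:
    """Role may be activated only after `event` has occurred."""
    return lambda reg, active, now: reg.last(event) is not None and reg.last(event) < now


def non_occurrence(event: str, window: int) -> Constraint:
    """Role may be activated only if `event` did not occur in the last `window` time units."""
    return lambda reg, active, now: not reg.occurred_in(event, now - window, now)


def dependency(role: str) -> Constraint:
    """Role may be activated only while `role` is already active in the session."""
    return lambda reg, active, now: role in active


@dataclass
class Policy:
    role_perms: Dict[str, Set[Tuple[str, str]]]     # role -> {(operation, object)}
    user_roles: Dict[str, Set[str]]                 # user -> assigned roles
    constraints: Dict[str, List[Constraint]] = field(default_factory=dict)


@dataclass
class Session:
    active: Dict[str, Set[str]] = field(default_factory=dict)  # user -> active roles

    def roles_of(self, user: str) -> Set[str]:
        return self.active.setdefault(user, set())


def activate(policy: Policy, reg: Registrar, session: Session, user: str, role: str, now: int) -> bool:
    """Activate a role only if it is assigned and every event-pattern constraint holds."""
    if role not in policy.user_roles.get(user, set()):
        return False
    active = session.roles_of(user)
    if not all(c(reg, active, now) for c in policy.constraints.get(role, [])):
        return False
    active.add(role)
    reg.record(f"activate:{role}", now)   # activation is itself an event later rules may use
    return True


def check_access(policy: Policy, session: Session, user: str, op: str, obj: str) -> bool:
    return any((op, obj) in policy.role_perms.get(r, set()) for r in session.roles_of(user))


def discover_roles(policy: Policy, user: str, op: str, obj: str) -> List[str]:
    """Usability aid: which of the user's assigned roles would grant (op, obj)?"""
    return sorted(r for r in policy.user_roles.get(user, set())
                  if (op, obj) in policy.role_perms.get(r, set()))


def build_policy() -> Policy:
    """Constructed sample policy: roles, assignments and constraints are illustrative."""
    roles = {"clerk", "senior_clerk", "release_approver"}
    return Policy(
        role_perms={
            "clerk": {("read", "ledger")},
            "senior_clerk": {("read", "ledger"), ("write", "ledger")},
            "release_approver": {("approve", "release")},
        },
        user_roles={"alice": set(roles), "bob": set(roles)},
        constraints={
            "senior_clerk": [dependency("clerk")],
            "release_approver": [precedence("change_reviewed"), non_occurrence("build_failed", 60)],
        },
    )


def run_scenario() -> dict:
    """Constructed timeline exercising precedence, dependency and non-occurrence."""
    policy, reg, session = build_policy(), Registrar(), Session()
    out = {}
    out["approve_before_review"] = activate(policy, reg, session, "alice", "release_approver", 0)
    reg.record("change_reviewed", 5)
    out["approve_after_review"] = activate(policy, reg, session, "alice", "release_approver", 10)
    out["senior_without_clerk"] = activate(policy, reg, session, "alice", "senior_clerk", 10)
    activate(policy, reg, session, "alice", "clerk", 11)
    out["senior_with_clerk"] = activate(policy, reg, session, "alice", "senior_clerk", 12)
    reg.record("build_failed", 20)
    out["bob_after_failed_build"] = activate(policy, reg, session, "bob", "release_approver", 30)
    out["alice_can_approve"] = check_access(policy, session, "alice", "approve", "release")
    out["bob_can_approve"] = check_access(policy, session, "bob", "approve", "release")
    out["bob_ledger_write_roles"] = discover_roles(policy, "bob", "write", "ledger")
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The scenario shows the three constraint kinds deciding activation rather than the permission check: `release_approver` is refused until a `change_reviewed` event precedes the request, refused again once a `build_failed` event falls inside the non-occurrence window, and `senior_clerk` depends on `clerk` already being active in the session. `discover_roles` is the usability step: instead of a bare denial, the user can be prompted with the assigned roles that would grant the operation.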
Bibliographic record

  • Author: Adaikkalavan, Raman.
  • Author's institution: The University of Texas at Arlington.
  • Degree-granting institution: The University of Texas at Arlington.
  • Subject: Computer Science.
  • Degree: Ph.D.
  • Year: 2006
  • Pages: 302 p.
  • Total pages: 302
  • Original format: PDF
  • Language: eng
  • CLC classification: Automation technology, computer technology
