Frontiers of Computer Science

ISSN 2095-2228

ISSN 2095-2236(Online)

CN 10-1014/TP

Postal Subscription Code 80-970

2018 Impact Factor: 1.129

Front. Comput. Sci.    2016, Vol. 10 Issue (6) : 1142-1157    https://doi.org/10.1007/s11704-016-5503-9
RESEARCH ARTICLE
Packet: a privacy-aware access control policy composition method for services composition in cloud environments
Li LIN1,2,3(),Jian HU1,2,Jianbiao ZHANG1,2,3
1. College of Computer Science, Beijing University of Technology, Beijing 100124, China
2. Beijing Key Laboratory of Trusted Computing, Beijing 100124, China
3. National Engineering Laboratory for Classified Information Security Protection, Beijing 100124, China
Abstract

Combining independent cloud services requires coordinating their access control policies. Otherwise, when the access control policies of different cloud service providers conflict, unauthorized access to the composite cloud service can occur, with serious consequences for data security and privacy. In this paper we propose Packet, a novel access control policy composition method that detects and resolves policy conflicts in cloud service composition, including conflicts involving privacy-aware purposes and conditions. The Packet method has four steps. First, heterogeneous policies are transformed into a unified attribute-based format by means of a unified description. Second, to improve conflict detection efficiency, policy conflicts on the same resource are eliminated with a cosine-similarity-based algorithm. Third, a hierarchical structure approach detects policy conflicts that involve different resources or privacy-aware purposes and conditions. Fourth, conflict resolution techniques are presented for each corresponding conflict type. We have implemented the Packet method on the OpenStack platform. Comprehensive experiments demonstrate the effectiveness of the proposed method in comparison with an existing XACML-based system, in terms of conflict detection and resolution performance.
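To make the four-step pipeline in the abstract concrete, here is an added worked example; it is not the paper's code, not its OpenStack implementation, and not its evaluation. The unified rule format, the sample rules from two hypothetical providers "A" and "B", the similarity threshold of 0.5, the rules for typing a conflict (effect, purpose, condition) and the resolution strategies (deny-overrides, purpose intersection, condition conjunction) are all assumptions of this example; the paper's own definitions are in the full text, which is not on this page. The hierarchical detection of step three is not modelled here.

```python
"""Illustrative policy-conflict prefilter and resolver (added example, not
Packet's code).  All rules, the threshold and the resolution strategies are
assumptions constructed for this example."""
from collections import Counter
from math import sqrt

# Step 1 (assumed already done): rules from two hypothetical providers, A and
# B, converted into one attribute-based shape.  Constructed sample data.
RULES = [
    {"id": "A1", "provider": "A", "effect": "permit",
     "subject": {"role": "doctor"}, "resource": "ehr", "action": "read",
     "purpose": "treatment", "condition": {"consent": "yes"}},
    {"id": "B1", "provider": "B", "effect": "deny",
     "subject": {"role": "doctor"}, "resource": "ehr", "action": "read",
     "purpose": "treatment", "condition": {"consent": "yes"}},
    {"id": "B2", "provider": "B", "effect": "permit",
     "subject": {"role": "doctor"}, "resource": "ehr", "action": "read",
     "purpose": "marketing", "condition": {"consent": "yes"}},
    {"id": "A2", "provider": "A", "effect": "permit",
     "subject": {"role": "nurse"}, "resource": "billing", "action": "write",
     "purpose": "payment", "condition": {}},
]


def terms(rule):
    """Flatten a rule into 'attribute=value' tokens for vectorisation."""
    t = Counter()
    for k, v in rule["subject"].items():
        t[f"subject.{k}={v}"] += 1
    t[f"resource={rule['resource']}"] += 1
    t[f"action={rule['action']}"] += 1
    t[f"purpose={rule['purpose']}"] += 1
    for k, v in rule["condition"].items():
        t[f"condition.{k}={v}"] += 1
    return t


def cosine(a, b):
    """Cosine similarity of two token vectors (Step 2 prefilter)."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = sqrt(sum(v * v for v in a.values()))
    nb = sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def conflict_type(r1, r2):
    """Classify a cross-provider conflict on the same resource, or None.

    Assumed typing: same subject/resource/action with opposite effects is an
    'effect' conflict; two permits with different purposes or contradictory
    conditions are 'purpose' / 'condition' conflicts, because the composite
    service would expose data under terms one provider never authorised."""
    if r1["provider"] == r2["provider"]:
        return None
    if r1["resource"] != r2["resource"] or r1["action"] != r2["action"]:
        return None
    for k in r1["subject"].keys() & r2["subject"].keys():
        if r1["subject"][k] != r2["subject"][k]:
            return None  # disjoint subjects, no overlap
    both_permit = r1["effect"] == r2["effect"] == "permit"
    if r1["purpose"] != r2["purpose"]:
        return "purpose" if both_permit else None
    for k in r1["condition"].keys() & r2["condition"].keys():
        if r1["condition"][k] != r2["condition"][k]:
            return "condition" if both_permit else None
    return "effect" if r1["effect"] != r2["effect"] else None


def resolve(kind, r1, r2):
    """Step 4: pick a resolution by conflict type (assumed strategies)."""
    if kind == "effect":
        return {"strategy": "deny-overrides", "effect": "deny"}
    if kind == "purpose":
        allowed = sorted({r1["purpose"]} & {r2["purpose"]})
        return {"strategy": "purpose-intersection", "allowed_purposes": allowed}
    return {"strategy": "condition-conjunction",
            "conditions": [r1["condition"], r2["condition"]]}


def detect(rules, threshold=0.5):
    """Pairwise check, skipping pairs whose cosine similarity is below the
    (assumed) threshold so the exact comparison runs on fewer pairs."""
    vecs = {r["id"]: terms(r) for r in rules}
    found = []
    for i, r1 in enumerate(rules):
        for r2 in rules[i + 1:]:
            if cosine(vecs[r1["id"]], vecs[r2["id"]]) < threshold:
                continue
            kind = conflict_type(r1, r2)
            if kind:
                found.append((r1["id"], r2["id"], kind, resolve(kind, r1, r2)))
    return found


if __name__ == "__main__":
    for a, b, kind, fix in detect(RULES):
        print(f"{a} vs {b}: {kind} conflict -> {fix}")
```

Running it reports an effect conflict between A1 and B1 (resolved to deny) and a purpose conflict between A1 and B2 (resolved to an empty purpose set, i.e. nothing is permitted for the composite until the providers agree on a purpose). The similarity prefilter only saves work on pairs that clearly touch different resources; a threshold set too high would silently drop real conflicts, so in practice it has to be validated against an exhaustive pairwise pass on the same policy set.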

Keywords: cloud service composition, access control, privacy, policy composition, unified policy format, conflict detection, similarity analysis, conflict resolution
Corresponding Author(s): Li LIN   
Just Accepted Date: 23 March 2016   Online First Date: 19 September 2016    Issue Date: 11 October 2016
Cite this article:
Li LIN, Jian HU, Jianbiao ZHANG. Packet: a privacy-aware access control policy composition method for services composition in cloud environments[J]. Front. Comput. Sci., 2016, 10(6): 1142-1157.
URL:
https://academic.hep.com.cn/fcs/EN/10.1007/s11704-016-5503-9
https://academic.hep.com.cn/fcs/EN/Y2016/V10/I6/1142