1-4hit |
Jianfeng LU Ruixuan LI Jinwei HU Dewu XU
Separation-of-Duty (SoD) is a fundamental security principle for prevention of fraud and errors in computer security. It has been studied extensively in traditional access control models. However, the research of SoD policy in the recently proposed usage control (UCON) model has not been well studied. This paper formulates and studies the fundamental problem of static enforcement of static SoD (SSoD) policies in the context of UCONA, a sub-model of UCON only considering authorizations. Firstly, we define a set-based specification of SSoD policies, and the safety checking problem for SSoD in UCONA. Secondly, we study the problem of determining whether an SSoD policy is enforceable. Thirdly, we show that it is intractable (coNP-complete) to direct statically enforce SSoD policies in UCONA, while checking whether a UCONA state satisfies a set of static mutually exclusive attribute (SMEA) constraints is efficient, which provides a justification for using SMEA constraints to enforce SSoD policies. Finally, we introduce a indirect static enforcement for SSoD policies in UCONA. We show how to generate the least restrictive SMEA constraints for enforcing SSoD policies in UCONA, by using the attribute-level SSoD requirement as an intermediate step. The results are fundamental to understanding SSoD policies in UCON.
Jianfeng LU Zheng WANG Dewu XU Changbing TANG Jianmin HAN
The user authorization query (UAQ) problem determines whether there exists an optimum set of roles to be activated to provide a set of permissions requested by a user. It has been deemed as a key issue for efficiently handling user's access requests in role-based access control (RBAC). Unfortunately, the weight is a value attached to a permission/role representing its importance, should be introduced to UAQ, has been ignored. In this paper, we propose a comprehensive definition of the weighted UAQ (WUAQ) problem with the role-weighted-cardinality and permission-weighted-cardinality constraints. Moreover, we study the computational complexity of different subcases of WUAQ, and show that many instances in each subcase are intractable. In particular, inspired by the idea of the genetic algorithm, we propose an algorithm to approximate solve an intractable subcase of the WUAQ problem. An important observation is that this algorithm can be efficiently modified to handle the other subcases of the WUAQ problem. The experimental results show the advantage of the proposed algorithm, which is especially fit for the case that the computational overhead is even more important than the accuracy in a large-scale RBAC system.
Juan YU Peizhong LU Jianmin HAN Jianfeng LU
Traffic signal phase and timing (TSPaT) information is valuable for various applications, such as velocity advisory systems, navigation systems, collision warning systems, and so forth. In this paper, we focus on learning baseline timing cycle lengths for fixed-time traffic signals. The cycle length is the most important parameter among all timing parameters, such as green lengths. We formulate the cycle length learning problem as a period estimation problem using a sparse set of noisy observations, and propose the most frequent approximate greatest common divisor (MFAGCD) algorithms to solve the problem. The accuracy performance of our proposed algorithms is experimentally evaluated on both simulation data and the real taxi GPS trajectory data collected in Shanghai, China. Experimental results show that the MFAGCD algorithms have better sparsity and outliers tolerant capabilities than existing cycle length estimation algorithms.
Ruixuan LI Jianfeng LU Zhengding LU Xiaopu MA
The safety and availability policies are very important in an access control system for ensuring security and success when performing a certain task. However, conflicts may arise between safety and availability policies due to their opposite focuses. In this paper, we address the problem of consistency checking for safety and availability policies, especially for the co-existence of static separation-of-duty (SSoD) policies with availability policies, which determines whether there exists an access control state that satisfies all of these policies. We present criteria for determining consistency with a number of special cases, and show that the general case and partial subcases of the problem are intractable (NP-hard) and in the Polynomial Hierarchy NPNP. We design an algorithm to efficiently solve the nontrivial size instances for the intractable cases of the problem. The running example shows the validity of the proposed algorithm. The investigation will help the security officer to specify reasonable access control policies when both safety and availability policies coexist.