
Semantic context aware security policy deployment

Published: 10 March 2009

Abstract

The successful deployment of a security policy depends not only on the complexity of the security requirements but also on the capabilities and functionalities of the security devices. The complexity of the security requirements increases further when contextual constraints are taken into account. Such situations arise when addressing the dynamism of some security requirements or when seeking a finer granularity for the security rules. The context denotes the specific conditions under which the security requirements are to be met. (Re)deploying a contextual security policy depends on the security device functionalities: either (1) the devices include all the functionalities necessary to deal with a context, and the policy is consequently deployed so that its changes are handled automatically, or (2) the devices lack the functionalities needed to interpret a contextual requirement entirely. We present a solution to the second case: the (re)deployment of access control policies in a system that lacks the necessary functionalities to deal with contexts.



Reviews

Sithu D. Sudarsan

In the emerging global intranet-based organizational structure, implementing security policies across a multitude of devices is a major challenge. Researchers are trying to address this issue using many techniques. This paper discusses one such technique. It uses context-aware security policy deployment, by translating security policies into either context-specific or device-specific rules. The authors explicitly define the policy decision point (PDP) and policy enforcement point (PEP), and a defined PDP-PEP policy architecture to generate the rules needed at enforcement points. Firewalls and intrusion detection systems (IDS) are typical of these points. While such an approach is needed in the current complex scenarios of operations, their approach is too simple and does not scale. Their paper uses simple Netfilter-based PEPs. Their proposal needs to be reexamined, as performance with 10,000 rules or more is a serious problem. The paper fails to mention the need for scaling, or the complexity and diversity of policies that led to the generation of the rules. From their sample template statement, provided from the iptables context, the performance results do not scale to a realistic architecture that involves firewalls and intrusion prevention systems. More realistic setups that involve intrusion prevention systems, proxy servers, anti-virus software, and so on would need more diversified rules.

Online Computing Reviews Service

Published In

ASIACCS '09: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
March 2009
408 pages
ISBN:9781605583945
DOI:10.1145/1533057
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. PDP
  2. PEP
  3. access control
  4. network security

Qualifiers

  • Research-article

Funding Sources

  • POLUX

Conference

Asia CCS 09
Acceptance Rates

Overall Acceptance Rate 418 of 2,322 submissions, 18%

Article Metrics

  • Downloads (Last 12 months)3
  • Downloads (Last 6 weeks)2
Reflects downloads up to 26 Nov 2024

Cited By

  • (2019) Context-Sensitive Case-Based Software Security Management System. Intelligent Systems Applications in Software Engineering, pp. 135--141. DOI: 10.1007/978-3-030-30329-7_13. Online publication date: 20 Sep 2019.
  • (2016) From Reactionary to Proactive Security: Context-Aware Security Policy Management and Optimization under Uncertainty. 2016 IEEE Trustcom/BigDataSE/ISPA, pp. 535--543. DOI: 10.1109/TrustCom.2016.0107. Online publication date: Aug 2016.
  • (2014) Distributed specification-based firewalls for power grid substations. IEEE PES Innovative Smart Grid Technologies, Europe, pp. 1--6. DOI: 10.1109/ISGTEurope.2014.7028739. Online publication date: Oct 2014.
  • (2013) Applying Security Policies in Small Business Utilizing Cloud Computing Technologies. Cloud Computing Advancements in Design, Implementation, and Technologies, pp. 112--124. DOI: 10.4018/978-1-4666-1879-4.ch008. Online publication date: 2013.
  • (2012) Security Policy Management Process within Six Sigma Framework. Journal of Information Security, 3(1):49--58. DOI: 10.4236/jis.2012.31006. Online publication date: 2012.
  • (2011) Applying Security Policies in Small Business Utilizing Cloud Computing Technologies. International Journal of Cloud Applications and Computing, 1(2):29--40. DOI: 10.4018/ijcac.2011040103. Online publication date: Apr 2011.
  • (2011) Context-aware device self-configuration using self-organizing maps. Proceedings of the 2011 Workshop on Organic Computing, pp. 13--22. DOI: 10.1145/1998642.1998647. Online publication date: 18 Jun 2011.
  • (2011) MIRAGE: A Management Tool for the Analysis and Deployment of Network Security Policies. Data Privacy Management and Autonomous Spontaneous Security, pp. 203--215. DOI: 10.1007/978-3-642-19348-4_15. Online publication date: 2011.
  • (2010) MIRAGE. Proceedings of the 5th International Workshop on Data Privacy Management and 3rd International Conference on Autonomous Spontaneous Security, pp. 203--215. DOI: 10.5555/1964419.1964437. Online publication date: 23 Sep 2010.
  • (2010) Risk-Aware Framework for Activating and Deactivating Policy-Based Response. Proceedings of the 2010 Fourth International Conference on Network and System Security, pp. 207--215. DOI: 10.1109/NSS.2010.80. Online publication date: 1 Sep 2010.
