Securing access to data in location-based services and mobile applications requires the definition of spatially aware access control systems. Even if some approaches have already been proposed either in the context of geographic database systems or context-aware applications, a comprehensive framework, general and flexible enough to cope with spatial aspects in real mobile applications, is still missing. In this paper, we make one step towards this direction and we present GEO-RBAC, an extension of the RBAC model to deal with spatial and location-based information. In GEO-RBAC, spatial entities are used to model objects, user positions, and geographically bounded roles. Roles are activated based on the position of the user. Besides a physical position, obtained from a given mobile terminal or a cellular phone, users are also assigned a logical and device independent position, representing the feature (the road, the town, the region) in which they are located. To make the model more flexible and re-usable, we also introduce the concept of role schema, specifying the name of the role as well as the type of the role spatial boundary and the granularity of the logical position. We then extend GEO-RBAC to cope with hierarchies, modeling permission, user, and activation inheritance, and separation of duty constraints. The proposed classes of constraints extend traditional ones to deal with different granularities (schema/instance level) and spatial information. They represent an attempt to define a suitable class of constraints for spatially-aware applications. The paper is concluded with the investigation of several properties concerning the resulting model.

Authorization and access control in Web services is complicated by the unique requirements of the dynamic Web services paradigm. Amongst them is the requirement for a context-aware access control specification and a processing model to apply fine-grained access control on various components of a Web service. In this paper, we address these two requirements and present a policy-based authorization system that leverages an emerging Web service policy processing model, WS-Policy, and integrates it with X-GTRBAC, an XML-based access control model to allow specification and processing of fine-grained, context-aware authorization policies in dynamic Web services environments. The architecture is designed to support the WS-Policy Attachment specification, which allows attaching, retrieving and combining policies associated with various components of a Web service in the WSDL document. Consequently, we present an algorithm to compute the effective access control policy of a Web service based on its description. The effective policy, represented as a normalized WS-Policy document, is then used by the X-GTRBAC system to evaluate an incoming access request. We have prototyped our architecture, and implemented it as a loosely coupled Web service, with logically distinct, heterogeneous modules acting as Policy Enforcement Point (PEP) and Policy Decision Point (PDP). Our prototype demonstrates the true promise of the decentralized Web services architecture, and incorporates SAML-based single sign-on communication between multiple system modules.

The design of context-aware access control models with spatial constraints is still far from satisfactory in a very important respect, vis-

The problem of key management in an access hierarchy has elicited much interest in the literature. The hierarchy is modeled as a set of partially ordered classes (represented as a directed graph), and a user who obtains access (i.e., a key) to a certain class can also obtain access to all descendant classes of her class through key derivation. Our solution to the above problem has the following properties: (i) only hash functions are used for a node to derive a descendant’s key from its own key; (ii) the space complexity of the public information is the same as that of storing the hierarchy; (iii) the private information at a class consists of a single key associated with that class; (iv) updates (revocations, additions, etc.) are handled locally in the hierarchy; (v) the scheme is provably secure against collusion; and (vi) key derivation by a node of its descendant’s key is bounded by the number of bit operations linear in the length of the path between the nodes. Whereas many previous schemes had some of these properties, ours is the first that satisfies all of them. Moreover, for trees (and other “recursively decomposable” hierarchies), we are the first to achieve a worst- and average-case number of bit operations for key derivation that is exponentially better than the depth of a balanced hierarchy (double-exponentially better if the hierarchy is unbalanced, i.e., “tall and skinny”); this is achieved with only a constant increase in the space for the hierarchy. We also show how with simple modifications our scheme can handle extensions proposed by Crampton of the standard hierarchies to “limited depth” and reverse inheritance. The security of our scheme relies only on the use of pseudo-random functions.

In this thesis we present a solution to the problem of identification of significant sets of episodes in event sequences. In order to determine the significance of an episode in a monitored event sequence, we compare its observed frequency to its frequency in a reference sequence. The reference sequence in our work is represented by a variable-length Markov model of generating symbols in the reference sequence. An episode is significant if the probability that it would have a given frequency by chance, in the reference sequence, is very small. In order to identify significant episodes we first show how to select the sliding window size to ensure that a discovered episode is meaningful and then we show how to compute a lower threshold for under-represented and an upper threshold for overrepresented significant episodes. The frequency of occurrence alone is not enough to determine significance, i.e., an infrequent episode can be more significant than a frequent one, and the significance depends on the structure of the episode and on probabilistic characteristics of the reference and monitored event streams. As an extension, we propose a novel method for providing approximate answers, with probabilistic guarantees, to a class of ad hoc sliding window queries referencing past data in data streams. The queries in that class compute the frequency of past windows that satisfy given join conditions among tuples in a window comprising multiple streams. To represent the join conditions consisting of intra-stream and inter-stream constraints between tuples in the window we introduce a concept of a 2D-episode.

We present a theory for comparing the expressive power of access control models. Our theory is based on reductions that preserve the results of security analysis. Security analysis is an approach to the verification of security policies in access control systems. We demonstrate the effectiveness of the theory by applying it in several cases. Also, we present related results on safety analysis in Discretionary Access Control (DAC) and security analysis in Role-Based Access Control (RBAC).

Service Oriented Computing is emerging as the main approach to build distributed enterprise applications on the Web. The widespread use of Web services is hindered by the lack of adequate security and privacy support. In this paper, we present a novel framework for enforcing access control in conversation-based Web services. Our approach takes into account the conversational nature of Web services. This is in contrast with existing approaches to access control enforcement that assume aWeb service as a set of independent operations. Furthermore, our approach achieves a tradeoff between the need to protect Web service

Code injection attacks are a top threat to today