Professor Vijay Varadharajan

© 2010 by World Scientific Publishing Co. Pte. Ltd. All Rights Reserved. Security is paramount in mobile ad hoc networks (MANETs) since a MANET is neither conducive to centralized authorities nor suitable for inheriting the solutions that have been proposed for wired networks. Given that end-to-end communication between applications relies on the self-organized characteristics of MANETs, most if not all the proposed security solutions concentrate on securing communication through multi-hop trustworthy nodes. In this chapter, we present state-of-the-art security in MANETs and the survey comprises MANET-based secure routing, key management, and trust management systems. However, we confine ourselves to a few well-regarded proposals due to the exhaustive list of proposals available in each of the above-mentioned categories. First, we discuss the features inherent in MANETs and their impact on the design of security mechanisms, in addition to the threats and attacks that are common in MANETs. Second, we describe a few well-known solutions in the area of secure routing and key management to demonstrate their role as a prevention system. We then discuss the limitations of those systems such as their inability to react to dynamically changing attack patterns and their assumption that nodes will cooperate for routing and network management. Finally, we address the recent advancements in security systems, where a defense-in-depth approach is adopted to incorporate trust management systems as the second layer of defense to prevention systems. Trust management systems complement prevention systems by measuring the trustworthiness of nodes and promptly react to dynamically changing attack patterns. We then detail the limitations of trust management systems and discuss possible research directions to address those limitations.

In this chapter we discuss Distributed Denial of Service (DDoS) attacks in networks such as the Internet, which have become significantly prevalent over the recent years. We explain how DDoS attacks are performed and consider the ideal solution characteristics for defending against the DDoS attacks in the Internet. Then we present different research directions and thoroughly analyse some of the important techniques that have been recently proposed. Our analysis confirms that none of the proposed techniques can efficiently and completely counteract the DDoS attacks. Furthermore, as networks become more complex, they become even more vulnerable to DoS attacks when some of the proposed techniques are deployed in the Internet. The gap between the tools that can generate DDoS attacks and the tools that can detect or prevent DDoS attacks continues to increase. Finally, we briefly outline some best practices that the users are urged to follow to minimise the DoS attacks in the Internet. © 2009, IGI Global.

In this chapter, we provide a formal definition of trust relationship with a strict mathematical structure that can reflect many of the commonly used notions of trust. Based on this formal definition, we propose a unified taxonomy framework of trust. Under the taxonomy framework, we discuss classification of trust. In particular, we address the base level authentication trust at the lower layer and a hierarchy of trust relationships at a higher level. We provide a set of definitions, propositions, and operations based on the relations of trust relationships. Then we define and discuss properties of trust direction and trust symmetry. We define the trust scope label in order to describe the scope and diversity of trust relationship. All the definitions about the properties of trust become elements of the unified taxonomy framework of trust. Some example scenarios are provided to illustrate the concepts in the taxonomy framework. The taxonomy framework of trust will provide accurate terms and useful tools for enabling the analysis, design, and implementation of trust. The taxonomy framework of trust is first part of research for the overall methodology of trust relationships and trust management in distributed systems. © 2007, Idea Group Inc.

IEEE In this paper, we propose a Virtual Machine Introspection-based security architecture design for fine granular monitoring of the Tenant Virtual Machines (TVMs) in the cloud. We have developed techniques for monitoring the TVMs at the process level and system call level to detect known and zero-day attacks such as those based on malicious hidden processes, attacks that disable security tools in the TVMs as well as those that alter the behaviour of the legitimate applications. Our architecture, VMGuard, utilizes the introspection feature at the VMM-layer to analyze system call traces of programs running in the monitored TVM. VMGuard applies the software breakpoint injection technique which is OS agnostic and used to trap the execution of programs running in a TVM. VMGuard provides ‘Bag of n-grams’ approach integrated with Term Frequency-Inverse Document Frequency method, to extract and select features of normal and attack traces. It then applies the Random Forest statistical learning technique to produce a generic behavior for different categories of intrusions of the monitored TVM. We have implemented a prototype and the results obtained seem to be very promising and demonstrate the applicability of the VMGuard. We compare VMGuard with existing techniques and discuss the advantages.

IEEE As networks expand in size and complexity, they pose greater administrative and management challenges. Software Defined Networks (SDN) offer a promising approach to meeting some of these challenges. In this paper, we propose a policy driven security architecture for securing end to end services across multiple SDN domains. We develop a language based approach to design security policies that are relevant for securing SDN services and communications. We describe the policy language and its use in specifying security policies to control the flow of information in a multi-domain SDN. We demonstrate the specification of fine grained security policies based on a variety of attributes such as parameters associated with users and devices/switches, context information such as location and routing information, and services accessed in SDN as well as security attributes associated with the switches and Controllers in different domains. An important feature of our architecture is its ability to specify path and flow based security policies, which are significant for securing end to end services in SDNs. We describe the design and the implementation of our proposed policy based security architecture and demonstrate its use in scenarios involving both intra and inter-domain communications with multiple SDN Controllers. We analyse the performance characteristics of our architecture as well as discuss how our architecture is able to counteract various security attacks. The dynamic security policy based approach and the distribution of corresponding security capabilities intelligently as a service layer that enable flow based security enforcement and protection of multitude of network devices against attacks are important contributions of this paper.

© 2015, Vaclav Skala Union Agency. All rights reserved. We introduce Feature Dependent Kernel Entropy Component Analysis (FDKECA) as a new extension to Kernel Entropy Component Analysis (KECA) for data transformation and dimensionality reduction in Image-based recognition systems such as face and finger vein recognition. FD- KECA reveals structure related to a new mapping space, where the most optimized feature vectors are obtained and used for feature extraction and dimensionality reduction. Indeed, the proposed method uses a new space, which is feature wisely dependent and related to the input data space, to obtain significant PCA axes. We show that FDKECA produces strikingly different transformed data sets compared to KECA and PCA. Furthermore a new spectral clustering algorithm utilizing FDKECA is developed which has positive results compared to the previously used ones. More precisely, FDKECA clustering algorithm has both more time efficiency and higher accuracy rate than previously used methods. Finally, we compared our method with three well-known data transformation methods, namely Principal Component Analysis (PCA), Kernel Principal Component Analysis (KPCA), and Kernel Entropy Component Analysis (KECA) confirming that it outperforms all these direct competitors and as a result, it is revealed that FDKECA can be considered a useful alternative for PCA-based recognition algorithms.

Cloud Computing has become a well-known primitive nowadays; many researchers and companies are embracing this fascinating technology with feverish haste. In the meantime, security and privacy challenges are brought forward while the number of cloud storage user increases expeditiously. In this work, we conduct an in-depth survey on recent research activities of cloud storage security in association with cloud computing. After an overview of the cloud storage system and its security problem, we focus on the key security requirement triad, i.e., data integrity, data confidentiality, and availability. For each of the three security objectives, we discuss the new unique challenges faced by the cloud storage services, summarize key issues discussed in the current literature, examine, and compare the existing and emerging approaches proposed to meet those new challenges, and point out possible extensions and futuristic research opportunities. The goal of our paper is to provide a state-of-the-art knowledge to new researchers who would like to join this exciting new field. © The Authors, 2014.

Radio frequency identification (RFID) tag privacy is an important issue to RFID security. To date, there have been several attempts to achieve the wide-strong privacy by using zero-knowledge protocols. In this paper, we launch an attack on the recent zero-knowledge based identification protocol for RFID, which was claimed to capture wide-strong privacy, and show that this protocol is flawed. Subsequently, we propose two zero-knowledge based tag authentication protocols and prove that they offer wide-strong privacy. © 2013 The authors and IOS Press. All rights reserved.

In practical applications, the owner of an RFID-tagged item canchange. In this paper, we propose a new RFID ownership transfer protocol using elliptic-curve cryptography. The paper first considers security and privacy requirements in the ownership transfer process. Then the paper provides a detailed description of our ownership transfer scheme outlining various protocol phases. Key features of the proposed scheme are that it allows controlled delegation and authorisation recovery, and the ownership transfer is achieved without a trusted third party. We describe a security analysis of the proposed scheme and demonstrate that it meets the desired security and privacy requirements. We also illustrate the performance results and show that our scheme is feasible for lightweight RFID tags. © 2013 The authors and IOS Press. All rights reserved.

In service-oriented computing (SOC) environments, service clients interact with service providers for services or transactions. From the point view of service clients, the trust status of a service provider is a critical issue to consider, particularly when the service provider is unknown to them. Typically, the trust evaluation is based on the feedback on the service quality provided by service clients. In this paper, we first present a trust management framework that is event-driven and rule-based. In this framework, trust computation is based on formulae. But rules are defined to determine which formula to use and what arguments to use, according to the event occurred during the transaction or service. In addition, we propose some trust evaluation metrics and a formula for trust computation. The formula is designed to be adaptable to different application domains by setting suitable arguments. Particularly, the proposed model addresses the incremental characteristics of trust establishment process. Furthermore, we propose a fuzzy logic based approach for determining reputation ranks that particularly differentiates new service providers and old (long-existing) ones. This is further incentive to new service providers and penalize poor quality services from service providers. Finally, a set of empirical studies has been conducted to study the properties of the proposed approaches, and the method to control the trust changes in both trust increment and decrement cases. The proposed framework is adaptable for different domains and complex trust evaluation systems. © 2008 Springer-Verlag London Limited.

This paper proposes an authorisation architecture for web services. It describes the architectural framework, the administration and runtime aspects of our architecture and its components for secure authorisation of web services as well as the support for the management of authorisation information. The paper then describes the implementation aspects of the architecture. The architecture has been implemented and integrated within the .NET framework. The authorisation architecture for web services is demonstrated using a case study in the healthcare domain. The proposed architecture has several benefits. First and foremost, the architecture supports multiple access control models and mechanisms; it supports legacy applications exposed as web services as well as new web service-based applications built to leverage the benefits offered by the Service-Oriented Architecture; it is decentralised and distributed and provides flexible management and administration of web services and related authorisation information. The proposed architecture can be integrated into existing middleware platforms to provide enhanced security to web services deployed on those platforms. © 2007 Inderscience Enterprises Ltd.

This paper presents a Security and Trust Enhanced Mobile Agent (SATEMA) architecture. It investigates some of the design decisions encountered during the development of the architecture and its implementation. In particular, we consider design issues such as security and trust policy management, support for multiple applications as well as with single- and multiple-hop scenarios using the proposed architecture. We discuss the design choices and describe the solutions that have been adopted in the architecture. We have implemented two applications, namely, a travel application and an auction application using this proposed SATEMA architecture. © 2007 Inderscience Enterprises Ltd.

Earlier, we have proposed an automated model to minimise DDoS attacks in single ISP domain and extended the model to multiple ISP domains. Our approach has several advanced features to minimise DDoS attacks in the internet. The focus of this paper is twofold: firstly, to present a detailed description of the design and implementation of the proposed model and second to discuss and analyse the extensive set of results obtained from the implementation and simulations. We describe the prototype implementation of our automated model using NetProwler network intrusion detection system and HP OpenView Network Node Manager. We will also discuss the performance analysis of our model on a large scale using NS2 tool. Both prototype and simulation test results confirm that our approach offers a promising solution against DDoS problem in the internet and the model can be implemented in real time with minor modifications to the existing tools. Copyright © 2007 Inderscience Enterprises Ltd.

In this paper, we discuss a general methodology for analysis and modeling of trust relationships in distributed computing. We discuss the classification of trust relationships, categorize trust relationships into two layers and provide a hierarchy of trust relationships based on a formal definition of trust relationship. We provide guidelines for the analysis and modeling of trust relationships. We review operations on trust relationships and relative types of trust relationships in our previous work. We provide a set of definitions for the properties of direction and symmetry of trust relationships. In order to analyze and model the scope and diversity of trust relationship, we define trust scope label. We provide some example scenarios to illustrate the proposed definitions about properties of trust relationship. All the definitions about the properties of trust relationships are elements of the taxonomy framework of trust relationships. We discuss the lifecycle of trust relationships that includes the analysis and modeling of trust relationships, trust relationships at runtime, and change management of trust relationships. We propose a trust management architecture at high level to place the analysis and modeling of trust relationships under the background of trust management. © 2006 ACADEMY PUBLISHER.

In this paper, we discuss the design issues for an authorization framework for Web Services. In particular, we describe the features required for an authorization policy language for Web Services. We briefly introduce the authorization service provided by Microsoft .NET MyServices and describe our extended authorization model that proposes extensions to the .NET MyServices authorization service to support a range of authorization policies required in commercial systems. We discuss the application of the extended authorization model to a health care system built using Web Services. We use the XML Access Control Language (XACL) in our implementation to demonstrate our extended authorization model. This also enables us to evaluate the range of authorization policies that XACL supports. Copyright © 2005, Idea Group Inc.

In [2, 3], we proposed a model-based approach to specify the transformation of authorizations based on the principle of minimal change [1] and its application in database systems. Nevertheless, there were some limitations in this approach. Firstly, we could not represent a sequence of transformations. Secondly, default authorizations could not be expressed. In this paper, we propose two high-level formal languages, Lsand Lsd, to specify a sequence of authorization transformations and default authorizations. Our work starts with Ls, a simple, but expressive, language to specify certain sequence of authorization transformations. Furthermore, Lsdhas more powerful expressiveness than Lsin the sense that constraints, causal and inherited authorizations, and general default authorizations can be specified. © Springer-Verlag 2005.

XML has been widely used for representation and storage of documents and their exchange over the internet. Security mechanisms for the protection of XML document sources and their distribution are essential. In this paper, we present a novel scheme for securing XML documents and their distribution over the internet. The proposed scheme has some distinct features. It requires only one private key for each user. Therefore, when a user leaves or joins the system, keys of all the other existing users in the system remain unchanged. This makes the proposed scheme more attractive, and hence particularly suitable for the dynamic distribution of documents over the internet. © 2005 Inderscience Enterprises Ltd.

This paper proposes a fair trading protocol. The fair trading protocol provides an overall solution for a trading process with offline anonymous credit card payments. With the exploding growth of electronic commerce on the Internet, the issue of fairness1,2is becoming increasingly more important. Fair exchange protocols have already been broadly used for applications such as electronic transactions,3,4electronic mails,5,6and contract signing.7Fairness is one of the critical issues in online transactions and related electronic payment systems. Many electronic payment systems have been proposed for providing different levels of security to financial transactions, such as iKP,8SET,9NetBill,10and NetCheque.11In a normal electronic commerce transaction, there is always a payer and a payee to exchange money for goods or services. At least one financial institution, normally a bank, should be present in the payment system. The financial institution plays the role of issuer for the payer and the role of acquirer for the payee. An electronic payment system must enable an honest payer to convince the payee of a legitimate payment and prevent a dishonest payer from using other unsuitable behavior. At the same time, some additional security requirements may be addressed based on the nature of trading processes and trust assumptions of the system. Payer, payee, and the financial institution have different interests and the trust between two parties should be as little as possible. In electronic commerce, the payment happens over an open network, such as the Internet, and the issue of fairness must be carefully addressed. There is no fairness for involved parties in the existing popular payment protocols. One target of this article is to address the fairness issue in the credit card payment process. In the existing credit card protocols, the financial institution that provides the credit card service plays the role of online authority and is actively involved in a payment. To avoid the involvement of financial institutions in normal transactions and to reduce running costs, some credit card-based schemes with offline financial authority have been proposed.12Another target of this article is to avoid the online financial institution for credit card service in normal transactions. © 2004 Taylor & Francis.

We propose a Controller-Agent model that would greatly minimize distributed denial-of-servicfe (DDoS) attacks on the Internet. We introduce a new packet marking technique and agent design that enables us to identify the approximate source of attack (nearest router) with a single packet even in the case of attacks with spoofed source addresses. Our model is invoked only during attack times, and is able to process the victims traffic separately without disturbing other traffic, it is also able to establish different attack signatures for different attacking sources and can prevent the attack traffic at the nearest router to the attacking system. It is simple in its implementation, it has fast response for any changes in attack traffic pattern, and can be incrementally deployed. Hence we believe that the model proposed in this paper seems to be a promising approach to prevent distributed denial-of-service attacks.

In this paper, we first discuss some drawbacks of the existing conflict authorization resolution methods when access rights are delegated, and then propose a flexible authorization model to deal with the conflict resolution problem with delegation. In our model, conflicts are classified into comparable and incomparable ones. With comparable conflicts, the conflicts come from the grantors that have grant connectivity relationship with each other, and the predecessor¿s authorizations will always take precedence over the successor¿s. In this way, the access rights can be delegated but the delegation can still be controlled. With incomparable conflicts, the conflicts come from the grantors that do not have grant connectivity relationship with each other. Multiple resolution policies are provided so that users can select the specific one that best suits their requirements. In addition, the overridden authorizations are still preserved in the system and they can be reactivated when other related authorizations are revoked or the policy for resolving conflicts is changed. We give a formal description of our model and describe in detail the algorithms to implement the model. Our model is represented using labelled digraphs, which provides a formal basis for proving the semantic correctness of our model. © 2002 Springer-Verlag Berlin Heidelberg.

Traditional group signature schemes reflect only one side of the spectrum of public cryptography, i.e., signing, where the group public key is used for a sole purpose: verification of group signatures. This paper describes a new group cryptographic system that presents a promise for both signing and encryption. That is, besides verifications, a sole group public key can be also used for encryption and the associated decryption can be implemented by any member in the designated group. The proposed system meets all key features for an ideal group cryptography.

The fifth Asia-Pacific Network Operations and Management Symposium, APNOMS 2001, held in Australia provided an important platform to advance all aspects of telecommunications management. The theme for this symposium was 'Management for eBusiness in the New Millenium' which included customer information and relationship management as crucial elements. The symposium provided forum for specific regional experiences in managing eBusiness such as exceptional growth of mobile communications. The tutorial on 'Information Security Technology for eBusiness' described different security solutions, strategies, models, functionalities, applications and research trends for security in electronic commerce.

The Access Matrix is a useful model for understanding the behaviour and properties of access control systems. While the matrix is rarely implemented, access control in real systems is usually based on access control mechanisms, such as access control lists or capabilities, that have clear relationships with the matrix model. In recent times a great deal of interest has been shown in Role Based Access Control (RBAC) models. However, the relationship between RBAC models and the Access Matrix is not clear. In this paper we present a model of RBAC based on the Access Matrix which makes the relationships between the two explicit. In the process of constructing this model, some fundamental similarities between certain capability models and RBAC are revealed.

There is a considerable interest in the area of mobility with the advent of powerful portable computing devices such as laptops and other information appliances. These enable a user to access a service from anywhere at any time. Such nomadic computing poses several challenges in multicasting and security. We first consider a framework that has been proposed by Acharya et al. [Acharya, A., Bakre, A. and Badrinath, B. R. IP multicast extension for mobile internet working, Rutger DCS Technical Report, LCSR-TR_243.] for multicasting in mobile IP networks. In this paper, we extend this framework to support a secure multicasting service. We describe secure schemes for a mobile host to initiate, join and leave a multicast group. We also discuss the secure movement of mobile hosts in intra and inter campus environments.

In this paper we propose the use of Boolean permutations to design public key cryptosystems. The security of the cryptosystems is based on the difficulty of inverting Boolean permutations. Using two Boolean permutations for which the inverses are easy to find, one can construct a composite Boolean permutation which is hard to invert. The paper proposes three such Boolean permutation based public key systems. The paper also consider applications of a Boolean permutation based public key system to digital signatures and shared signatures.

The authors describe a language based approach to the specification of authorisation policies that can be used to support the range of access control policies in commercial object systems. They discuss the issues involved in the design of a language for role based access control systems. The notion of roles is used as a primitive construct within the language. The basic constructs of the language are discussed and the language is used to specify several access control policies such as role based access control; static and dynamic separation of duty delegation and joint action based access policies. The language is flexible and is able to capture meta-level operations, and it is often these features which are significant when it comes to the applicability of an access control system to practical real situations. © IEE, 2000.

There has been an increasing interest in the design and use of key escrow schemes in recent times. This paper proposes a new key escrow protocol based on Boolean permutations and analyses its properties. It shows that the verification of the shares of key escrow agencies is easy and secure. In addition this protocol provides forward security as well as the capability to fully disclose the escrowed private keys in the case of guilty users. The paper also proposes methods for constructing practical trapdoor Boolean permutations with a low storage complexity. Apart from the proposal of the key escrow protocol itself, this paper describes some of the key properties of Boolean permutations which make them suitable for their use in the design of cryptosystems.

Electronic cash is arguably one of the most important applications of modern cryptology. There have been two types of electronic cash schemes namely on-line and off-line. In general off-line schemes are more efficient than on-line ones. The two fundamental issues with any off-line electronic cash scheme have been the detection of double spending and provision of anonymity. These issues make the design of secure off-line electronic cash schemes not an easy task. Cut-and-choose technology was one of the first techniques that was introduced to address the issue of double spending in an off-line scheme. However, this technique is not very efficient. Subsequently, other techniques had been proposed to achieve both double spending and client anonymity without using the cut and choose method. These include the works of Brands based on the discrete logarithm and that of Ferguson based on RSA and polynomial secret sharing scheme. In this paper, we propose an improved version of off-line electronic cash scheme based on the Ferguson's protocol. This scheme improves the efficiency by making some of the parameters used in the protocol to be reusable and removes the risk of framing by the bank by hiding the client's identity. © 1999 Elsevier Science B.V. All rights reserved.

This paper considers the design of a security model for mobile agent based computing systems. The security model proposes the notion of a security enhanced agent that captures a variety of security information needed in the provision of security services. It defines the privileges of the agent required to perform the actions, the rights that other principals can have over the agent as well as delegation of privileges. The security model identifies security management and policy base components in agent enabled hosts which interpret the privileges and rights of agents and enforce the security controls.

© 2017 Association for Computing Machinery. The Internet of Things (IoT) is facilitating the development of novel and cost-effective applications that promise to deliver efficient and improved medical facilities to patients and health organisations. This includes the use of smart ¿things¿ as medical sensors attached to patients to deliver real-time data. However, the security of patient data is an ever-present concern in the healthcare arena. In the wider deployment of IoT-enabled smart healthcare systems one particular issue is the need to protect smart ¿things¿ from unauthorised access. Commonly used access control approaches e.g. Attribute Based Access Control (ABAC), Role Based Access Control (RBAC) and capability based access control do not, in isolation, provide a complete solution for securing access to IoT-enabled smart healthcare devices. They may, for example, require an overly-centralised solution or an unmanageably large policy base. To address these issues we propose a novel access control architecture which improves policy management by reducing the required number of authentication policies in a large-scale healthcare system while providing fine-grained access control. We devise a hybrid access control model employing attributes, roles and capabilities. We apply attributes for role-membership assignment and in permission evaluation. Membership of roles grants capabilities. The capabilities which are issued may be parameterised based on further attributes of the user and are then used to access specific services provided by IoT ¿things¿. We also provide a formal specification of the model and a description of its implementation and demonstrate its application through different use-case scenarios. Evaluation results of core functionality of our architecture are provided.

© 2016 ACM. In this paper, we propose new types of cascading attacks against smart grid that use control command disaggregation and core smart grid services. Although there have been tremendous research efforts in injection attacks against the smart grid, to our knowledge most studies focus on false meter data injection, and false command and false feedback injection attacks have been scarcely investigated. In addition, control command disaggregation has not been addressed from a security point of view, in spite of the fact that it is becoming one of core concepts in the smart grid and hence analysing its security implications is crucial to the smart grid security. Our cascading attacks use false control command, false feedback or false meter data injection, and cascade the effects of such injections throughout the smart grid subsystems and components. Our analysis and evaluation results show that the proposed attacks can cause serious service disruptions in the smart grid. The evaluation has been performed on a widely used smart grid simulation platform.

© 2016 ACM. Software Defined Network(SDN) is a promising technological advancement in the networking world. It is still evolving and security is a major concern for SDN. In this paper we proposed policy based security architecture for securing the SDN domains. Our architecture enables the administrator to enforce different types of policies such as based on the devices, users, location and path for securing the communication in SDN domain. Our architecture is developed as an application that can be run on any of the SDN Controllers. We have implemented our architecture using the POX Controller and Raspberry Pi 2 switches. We will present different case scenarios to demonstrate fine granular security policy enforcement with our architecture.

© IFIP International Federation for Information Processing 2016. In this talk I will begin with a brief look at current trends in the technology scenery and some of the key security challenges that are impacting on business and society. In particular, on the one hand there have been tremendous developments in cyber technologies such as cloud, Big Data and Internet of Technologies. Then we will consider security and trust issues in cloud services and cloud data. In this talk, we will focus on policy based access to encrypted data in the cloud. We will present a new technique, Role based Encryption (RBE), which integrates cryptographic techniques with role based access control. The RBE scheme allows policies defined by data owners to be enforced on the encrypted data stored in public clouds. The cloud provider will not be able to see the data content if the provider is not given the appropriate role by the data owner. We will present a practical secure RBE based hybrid cloud storage architecture, which allows an organisation to store data securely in a public cloud, while maintaining the sensitive information related to the organisation¿s structure in a private cloud. Then we will consider trust issues in RBE based secure cloud data systems. We will discuss two types of trust models that assist (i) the data owners/users to evaluate the trust on the roles/role managers in the system as well as (ii) the role managers to evaluate the trust on the data owners/users for when deciding on role memberships. These models will take into account the impact of role hierarchy and inheritance on the trustworthiness of the roles and users. We will also consider practical application of the trust models and illustrate how the trust evaluations can help to reduce the risks and enhance the quality of decision making by data owners and role managers of the cloud storage services.

© 2016 IEEE. In this paper, we introduce an integrated security architecture that combines TPM based trust management with hypervisor level access control and intrusion detection system to provide a holistic approach for securing services hosted in virtualised environments. We describe the implementation of the security architecture in detail and demonstrate the functionality of the proposed architecture for different attack scenarios. Our architecture is able to perform dynamic attack detection and update the security policies to protect the services from the identified threats. The proposed integrated security architecture can be easily adopted to be used in cloud and distributed virtualised environments.

© 2014 IEEE. Hadoop has two components which are HDFS and MapReduce. HDFS is a distributed file system for storing data for users of Hadoop and MapReduce is the framework that executes jobs from users. Hadoop stores user data based on space utilization of data nodes on the cluster rather than the processing capability of the data nodes. Furthermore Hadoop runs in a heterogeneous environment as all data nodes may not be homogeneous. For these reasons, workload imbalances will occur when Hadoop runs resulting in poor performance. In this paper, we propose a dynamic algorithm to balance the workload between different racks on a Hadoop cluster based on information obtained from analyzing the log files of Hadoop. Moving tasks from the busiest rack to another rack improves the performance of Hadoop MapReduce by reducing the running time of jobs. Our simulations indicate that using our algorithm, we can decrease by more than 50% the remaining time of the tasks belonged to a job running on the busiest rack.

© 2015, Australian Computer Society, Inc. The botnet is a group of hijacked computers, which are employed under command and control mechanism administered by a botmaster. Botnet evolved from IRC based centralized botnet to employing common protocols such as HTTP with decentralized architectures and then peer-to-peer designs. As Botnets have become more sophisticated, the need for advanced techniques and research against botnets has grown. In this paper, we propose techniques to detect botnets by analysing network traffic flows. We developed templates for capturing traffic flows with more relevant attributes for botnet detection. Also we make use of the IPFIX standard for the specification of the templates. Hence our techniques can be used to detect different bot families with lesser overheads and are vendor neutral.

© 2015, Australian Computer Society, Inc. In this paper, we introduce a new method of data transformation for finger vein recognition system. Our proposed method uses kernel mapping functions to map the data before performing Principal Component Analysis. Kernel Principal Component Analysis (KPCA) is a well-known extension of PCA which is suitable for finding nonlinear patterns as it maps the data nonlinearly. In this work we develop an extension of KPCA which is both faster and more appropriate than KPCA for finger vein recognition system. The proposed method is called Feature Dependent Kernel Principal Component Analysis (FDKPCA). In FDKPCA the data is mapped differently from KPCA resulting in lower-dimension feature space where more important and valuable features are selected and extracted. Furthermore, extensive experiments reveal the significance of the proposed method for finger vein recognition systems.

Web based applications are very common nowadays where almost every software can be accessible through a web browser in one form or the other. This paper proposes techniques to detect diffierent threats related to web applications by using a hypervisorbased security architecture. The proposed architecture leverages the hypervisor's visibility of the virtual machines' runtime state and traffic ows for securing the web application. The unique feature of the proposed architecture is that it is capable of doing fine granular detection of web application attacks, i.e. to the specific web page level, and protecting the application against zero-day attacks. © 2015, Australian Computer Society, Inc.

Copyright © 2015 ACM. Yoking-proofs show an interesting application in Radio Frequency Identification (RFID) that a verifier can check whether two tags are simultaneously scanned by a reader. We consider a scenario that multi-group of tags can be proved to be scanned simultaneously. Grouping-proof, which is an extension of yoking-proofs, allows multiple tags to be proved together, while existing protocols cannot support multiple groups. In this paper, we introduce a novel concept called "yoking-group proofs". Additionally, we propose an anonymous yoking-proof protocol and an anonymous yoking-group proof protocol and prove their security in Universal Composability framework.

There are several challenges for monitoring the patients with specific requirements such as people with dementia. For example, vascular dementia which is caused generally after stroke could result in serious conditions and change of behaviour such as wandering, loss of vision and speech. Although the nursing staff make sincere effort for taking care and monitoring of the patients, it is rare that a nursing staff is allocated to each patient. Hence even a minor lack of attention can lead to havoc situation if any of the patient is found to be missing. This results in high stress for the nursing staff and the hospital management. The aim of this work is to develop techniques for secure monitoring of dementia patients in hospital environments. Our model tracks the patients in real time and can generate alarms if the location of the patients is found to be suspicious. Furthermore, our model makes use of the existing infrastructures to minimize the cost of deployment. Copyright 2014 ACM.

Domain Name System (DNS) is one of the critical services in the current Internet infrastructure. However DNS is vulnerable to a range of attacks. One of the fundamental weaknesses with the existing DNS protocols is that the request and response messages are transmitted on the network as plain text. This paper addresses important threats related to Doman Name System (DNS) using a hypervisor based security architecture. The proposed architecture leverages the hypervisor visibility of the virtual machines' traffic flows to monitor and utilise Virtual Machine Introspection (VMI) techniques to inspect and restore data. It also uses inbuilt snapshot/restore capabilities of the hypervisor to completely restore virtual machines if required. Objective of the proposed architecture is not to actively prevent attacks, but provide a means of identifying different attacks by passively monitoring DNS related conversations coming in and out of virtualised system hosting the DNS. Our model can alert the external monitoring agent(s) or security administrator and actively restore the system if the attack has already compromised the DNS. © 2014, Australian Computer Society, Inc.

Embedded systems are increasingly pervasive, interdependent and in many cases critical to our every day life and safety. Tiny devices that cannot afford sophisticated hardware security mechanisms are embedded in complex control infrastructures, medical support systems and entertainment products [51]. As such devices are increasingly subject to attacks, new hardware protection mechanisms are needed to provide the required resilience and dependency at low cost. In this work, we present the TrustLite security architecture for flexible, hardware-enforced isolation of software modules. We describe mechanisms for secure exception handling and communication between protected modules, enabling seamless interoperability with untrusted operating systems and tasks. TrustLite scales from providing a simple protected firmware runtime to advanced functionality such as attestation and trusted execution of userspace tasks. Our FPGA prototype shows that these capabilities are achievable even on low-cost embedded systems. Copyright © 2007 by the Association for Computing Machinery, Inc.

An RFID tag could change hands many times during its lifetime. In a retail chain, the ownership of the tag is instituted by the supplier who initially owns the tag. In the view of a buyer, the validity of the current tag ownership and the originality of supplier are most important. In typical RFID ownership transfer protocols, the knowledge of the tag's authentication key proves the ownership. However, it is insufficient against an active attacker, since tags are usually lack of tamper-proof protections. Ownership transfer relies on a successful verification of tag's supplier and current ownership. In this paper, we formally define the security model of ownership transfer protocols and propose a secure ownership transfer protocol. In our scheme, current owner provides a new owner with the evidence of transfer and a proof of tag origin. Key management becomes easy in our system, since the one asymmetric verification key of the owner can be used to verify multiple tags that belong to the owner. © 2013 Springer-Verlag.

The Cloud Security Alliance (CSA) provides a framework for cloud platform providers that manages standardized self assessments regarding security controls. The framework as it stands does not allow consumers to specify and check their own requirements, nor does it contain any means for verifying the capabilities claimed by the providers. From a customer perspective, both these aspects are essential for evaluating the trustworthiness of cloud providers and for making an informed decision. We propose a novel concept for verifying the capabilities captured in the CSA's framework, plus a decision model that checks consumer requirements against the verification results. Our capability verification combines hard trust based on rigid validation with soft trust based on evidence about past behaviour. Elaborate formal methods are applied in both fields and combined into a single concept. Copyright 2013 ACM.

We propose a new encryption primitive called Membership Encryption. Let P(G) be a privacy-preserving token on a group attribute/identity G, such that given P(G) it is hard to know the attributes in G. In this membership encryption, if an encryption takes as input an attribute A and the token P(G), the decryption requires holding the membership A ¿ G, i.e., A belongs to this group attribute. Membership encryption is applicable in constructing membership proof A ¿ P(G) with privacy preserving on group attribute and the membership. Membership encryption can be also utilized to construct an efficient two-round K-out-of-N oblivious transfer protocol. In this paper, we construct a provably secure membership encryption where the group token P(G) is constant-size with maximum number accountability on attributes. Using our scheme, the proposed oblivious transfer protocol exhibits the nice feature of O(1) communication cost for any K from receiver to sender, and O(N) communication cost from sender to receiver. © 2013 Springer-Verlag.

Many wireless sensor networks (WSNs) consist of a large number of distributed sensor nodes that are batteries powered, vulnerable to tampering, and equipped with limited computational capabilities and memory. These characteristics render WSNs facing many security threats, which require cryptographic security mechanisms for secure communication, key revocation and management of security issues arising from the addition of new nodes. In this paper, we propose a key management scheme to meet the security requirements of wireless sensor networks. The scheme relies on the theory of random graph to build a fully secure connectivity for distributed sensor nodes. It uses heterogeneous structure to limit ranges of attacks, and utilizes hash chains to realize authentication of pool keys and broadcast messages of auxiliary nodes. The security and network connectivity characteristics supported by the key management scheme are discussed and simulation experiments are presented. © 2012 IEEE.

Today, cloud computing is one of the popular technologies. In addition to this, most of the hardware that is being shipped today is equipped with the TPM which can be used for realization of trusted platforms. Recently several TPM attestation techniques such as binary attestation and property based attestation techniques have been proposed but there are some fundamental issues that need to be addressed for using these techniques in practice. In this paper we consider an architecture where different services are hosted on the cloud infrastructure by multiple cloud customers (tenants). Then we consider an attacker model that is specific to the cloud and some of the challenges with the current TPM based attestation techniques. We will also propose a novel trust enhanced security model for cloud which overcomes the challenges with the current TPM based attestation techniques and efficiently deals with the attacks in the cloud. In our model, the cloud service provider is used as the Certification Authority (CA) for the tenant virtual machines. The CA only certifies the basic security properties which are the assurance on the traffic originating from the tenant virtual machine and validation of the tenant virtual machine transactions. The components of the CA monitor the interactions of the tenant virtual machine for the certified properties. Since the tenant virtual machines are running on the cloud service provider infrastructure, it is aware of the dynamic changes to the tenant virtual machine. The CA can terminate the ongoing transactions and/or dynamically isolate the tenant virtual machine if there is a variation in the behaviour of the tenant virtual machine from the certified properties. Hence our model can be used to address the challenges with the current TPM based attestation techniques and efficiently deal with the attacks in the cloud. We will present implementation of our model on Xen and how it deals with the attacks in different attack case scenarios. We will also show that our model is beneficial for the cloud service providers, tenants and tenant customers. © 2012 IEEE.

There has been an increasing trend towards outsourcing data to the cloud to cope with the massive increase in the amount of data. Hence trusted enforcement of access control policies on outsourced data in the cloud has become a significant issue. In this paper we address trusted administration and enforcement of role-based access control policies on data stored in the cloud. Role-based access control (RBAC) simplifies the management of access control policies by creating two mappings; roles to permissions and users to roles. Recently crypto-based RBAC (C-RBAC) schemes have been developed which combine cryptographic techniques and access control to secured data in an outsourced environment. In such schemes, data is encrypted before outsourcing it and the ciphertext data is stored in the untrusted cloud. This ciphertext can only be decrypted by those users who satisfy the role-based access control policies. However such schemes assume the existence of a trusted administrator managing all the users and roles in the system. Such an assumption is not realistic in large-scale systems as it is impractical for a single administrator to manage the entire system. Though administrative models for RBAC systems have been proposed decentralize the administration tasks associated with the roles, these administrative models cannot be used in the C-RBAC schemes, as the administrative policies cannot be enforced in an untrusted distributed cloud environment. In this paper, we propose a trusted administrative model AdC-RBAC to manage and enforce role-based access policies for C-RBAC schemes in large-scale cloud systems. The AdC-RBAC model uses cryptographic techniques to ensure that the administrative tasks such as user, permission and role management are performed only by authorized administrative roles. Our proposed model uses role-based encryption techniques to ensure that only administrators who have the permissions to manage a role can add/revoke users to/from the role and owners can verify that a role is created by qualified administrators before giving out their data. We show how the proposed model can be used in an untrusted cloud while guaranteeing its security using cryptographic and trusted access control enforcement techniques. © 2012 IEEE.

The First International Symposium on Privacy and Security in Cloud and Social Networks (PriSecCSN2012) is co-located with the Second International Conference on Cloud and Green Computing (CGC2012) held on November 1-3, 2012, Xiangtan, Hunan, China. Social network analysis and cloud computing are two of the most exciting new trends in the recent developments of information technology. As the new generation computing paradigm, cloud enables computing resources to be provided as IT services in a pay-as-you-go fashion with high efficiency and effectiveness. With the popularity of social software as well as the fast development of cloud and other high-performance computing infrastructures, the outcome of social network analysis is becoming more and more attractive. However, information privacy and security issues are major challenges in both these areas. This symposium aims at providing a forum for researchers, practitioners and developers from different background areas such as distributed computing, social computing, information security and privacy protection areas to exchange the latest experience, research ideas and synergic research and development on fundamental issues and applications about security and privacy issues in cloud environments and social networks. The symposium solicits high quality research results in all related areas. PriSecCSN2012 contains 3 papers. Each of them was peer reviewed by at least three program committee members. The symposium covers a broad range of topics in the field of Privacy and Security in Cloud and Social Networks such as Security and privacy in Big Data management, Application of modern cryptography in cloud and social networks, Emerging threats in cloud-based services, Multi-tenancy related security/privacy issues, Vulnerabilities in cloud infrastructure, Security modelling and threats in cloud computing, Security/privacy in hybrid cloud, User authentication in cloud services, Information hiding, Trust and policy management in cloud, Remote data integrity protection, Securing distributed data storage in the cloud, Security and privacy in mobile cloud, Malware propagation in social networks, Information leakage via social networks, Trust and reputation in social networks, Security configuration based on social contexts groups, Online social footprints, Multi-faceted privacy preservation. © 2012 IEEE.

The rapidly increasing data usage and overload in mobile broadband networks has driven mobile network providers to actively detect and bill customers who tether tablets and laptops to their mobile phone for mobile Internet access. However, users may not be willing to pay additional fees only because they use their bandwidth differently, and may consider tethering detection as violation of their privacy. Furthermore, accurate tethering detection is becoming harder for providers as many modern smartphones are under full control of the user, running customized, complex software and applications similar to desktop systems. In this work, we analyze the network characteristics available to network providers to detect tethering customers. We present and categorize possible detection mechanisms and derive cost factors based on how well the approach scales with large customer bases. For those characteristics that appear most reasonable and practical to deploy by large providers, we present elimination or obfuscation mechanisms and substantiate our design with a prototype Android App.

Passive RFID tags have limited rewritable memory for data storage and limited computation power, which pose difficulties to implement security protection on RFID tags. It has been shown that strong security and privacy protections for RFID require utilizing public-key cryptography. Unfortunately, the implementation of public key cryptography is infeasible in low-cost passive tags. With this issue in mind, in this work, we propose a pre-computable signature scheme with a very efficient signature verification algorithm for RFID applications. Our signature scheme is provably secure under the DDH assumption and a variant of q-SDH assumption. With pre-computations, no exponentiation is required in our signature verification. Our research shows that it is feasible for low-cost RFID tags to verify signatures with the basic modular multiplication only (if they have a small amount of writable memory). © 2012 Springer-Verlag.

Sensor networks offer economically viable solutions for a wide variety of monitoring applications. In surveillance of critical infrastructure such as airports by sensor networks, security becomes a major concern. To resist against malicious attacks, secure communication between severely resource-constrained sensor nodes is necessary while maintaining scalability and flexibility to topology changes. A robust security solution for such networks must facilitate authentication of sensor nodes and the establishment of secret keys among nodes In this paper, we propose a decentralized authentication and key management framework for hierarchical ad hoc sensor networks. This scheme is light weight and energy aware and reduces the communication overhead. © 2012 Springer-Verlag Berlin Heidelberg.

Security and trust issues have been catapulted to the forefront with the dramatic developments in technologies such as web applications, cloud computing, mobile devices and social networking. Though trust has always been a foundational stone of security, the greater dependency of society and economy on information technology have increased the need to consider trust issues more explicitly and systematically. This talk will address some of the key challenges in security and trust in the distributed information infrastructures. The talk will start with a brief look at some of the recent developments in the threat scenery. Then I will consider the notion of trust in the security world and see how trust issues arise in current ubiquitous computing systems context. Then we will consider a hybrid approach which combines the "hard" attestation based trust with the "soft" social and reputation based trust. Such a hybrid approach can help to improve the detection of malicious entities which in turn can enhance the quality of secure decision making. I will conclude the talk by demonstrating such a trust enhanced security approach using some examples from systems that we have been developing during recent years. © 2012 Springer-Verlag Berlin Heidelberg.

Virtual Private Networks (VPNs) are increasingly used to build logically isolated networks. However, existing VPN designs and deployments neglect the problem of traffic analysis and covert channels. Hence, there are many ways to infer information from VPN traffic without decrypting it. Many proposals were made to mitigate network covert channels, but previous works remained largely theoretical or resulted in prohibitively high padding overhead and performance penalties. In this work, we (1) analyse the impact of covert channels in IPsec, (2) present several improved and novel approaches for covert channel mitigation in IPsec, (3) propose and implement a system for dynamic performance trade-offs, and (4) implement our design in the Linux IPsec stack and evaluate its performance for different types of traffic and mitigation policies. At only 24% overhead, our prototype enforces tight information-theoretic bounds on all information leakage. © 2012 Springer-Verlag.

Significant developments in the recent times have led to an increasing use of mobile devices such as smart phones in accessing Internet services and applications over wireless networks. In this paper, we propose a security architecture for counteracting denial of service attacks in Beyond 3G (B3G) network architecture with mobile nodes. We describe the system architecture and discuss the different cases of attack scenarios involving the mobility of the attacking and victim nodes. Our proposed solution takes into account practical issues such as limited resources of the mobile nodes. It has distinct advantages such as monitoring of the traffic to the victim node and the attack traffic being dropped before reaching the victim; the ability to traceback the attacking node and prevent the attack at the home agent or foreign agent that is closer to the attacking node; and the ability to deal with dynamic changes in attack traffic patterns. We also present an analysis of our proposed architecture as well as simulation results. © 2011 IEEE.

Virtualisation is one of the important technologies for the realisation of cloud computing. A Virtual Machine Monitor (VMM) is an additional software layer which has complete control on the physical resources and enables to run multiple operating systems on a scalable computer. Recently some of the techniques have been proposed to develop Trusted Virtual domains. A trusted virtual domain (TVD) enables grouping of related virtual machines running on separate physical machine into a single network domain with a unified security policy. In this paper we analyze the security issues related to TVD and propose security techniques to deal with the attacks in TVD. © 2011 IEEE.

Today, cloud computing is one of the increasingly popular technology where the customer can use the resources of the cloud services providers to perform their tasks and only pay for the resources they use. The customer virtual machines in the cloud are vulnerable to different types of attacks. In this paper we propose techniques for securing customer virtual machines from different types of attacks in the Infrastructure as a Service cloud and describe how this can be achieved in practice. Our model enables to differentiate attack traffic originating from each virtual machine even if multiple virtual machines on a VMM are sharing a single IP address. © 2011 IEEE.

In this paper we propose comprehensive security architecture called VICTOR to deal with different types of attacks on virtual machines. Our model takes into account the specific characteristics of operating system and applications running in each virtual machine (VM) at a fine granular level to deal with the attacks. Our architecture has several components such as entity validation, intrusion detection engine and dynamic analyzer. The entity validation component is used in the detection of attack traffic with spoofed source address, secure logging, and capturing information of the operating system and applications running in the virtual machines. The intrusion detection engine component is used for detection of known attacks and suspicious behaviour by monitoring the incoming and outgoing traffic of virtual machines. The dynamic analyzer is used for detection and validation of suspicious processes, detection of zero day attacks and fine granular isolation of malicious process or application that is generating the attack traffic. © 2011 IEEE.

The security protocols for WLAN such as WEP have fundamental weakness which can be exploited by the attacker to obtain unauthorized access to the wireless networks and generate attacks. In this paper, we propose a security architecture for counteracting denial of service attacks in wireless based network architecture with mobile nodes. We describe the system model and discuss the different cases of attack scenarios involving the mobility of the attacking and victim nodes. We describe how mobile IP protocol in conjunction with our model can be used to deal efficiently with the attacks on mobile nodes. © 2011 ACM.

This paper proposes a logic based framework that supports dynamic delegation for role based access control systems in a decentralised environment. It allows delegation of administrative privileges for both roles and access rights between roles. We have introduced the notion of trust in delegation and have shown how extended logic programs can be used to express and reason about roles and their delegations with trust degrees, roles' privileges and their propagations, delegation depth as well as conflict resolution. Furthermore, our framework is able to enforce various role constraints such as separation of duties, role composition and cardinality constraints. The proposed framework is flexible and provides a sound basis for specifying and evaluating sophisticated role based access control policies in decentralised environments. © 2011 Springer-Verlag.

© Springer-Verlag Berlin Heidelberg 2011. The evaluation of the trustworthiness of complex systems is a challenge in current IT research. We contribute to this field by providing a novel model for the evaluation of propositional logic terms under uncertainty that is compliant with the standard probabilistic approach and subjective logic. Furthermore, we present a use case to demonstrate how this approach can be applied to the evaluation of the trustworthiness of a system based on the knowledge about its components and subsystems.

There have been trends in using spread spectrum channel accessing techniques in wireless sensor networks to mitigate the effect of potential collisions in concurrent transmissions and to increase the throughput as well as countering jamming-like noises. Overhearing of the data has been previously analyzed in cellular CDMA networks as this technique was first introduced for mobile communications with multiple transmitting users sending their data to a single base station which controls their transmission power. But sensor (and ad hoc) networks are usually devoid of any coordinating devices and the transmission is usually done toward different local destinations using distributed power controlling methods. This paper provides a systematic analysis of overhearing performance in low-traffic sensor networks especially when the sensing point is located somewhere at the middle of the network which is not necessarily near the sink. The distributed code assignment which is a key issue in infrastructureless CDMA networks has been taken into account in the development of a theoretical model. The result of this analysis shows that the higher the number of used codes, the higher is the gain of overhearing. Thus using this parameter, the network designer has statistical control over the amount of potential overheard data. We have also developed simulations of the proposed model and the results support the predictions of the theoretical model. © 2010 IEEE.

In this paper, we present a trust establishment and management framework for hierarchical wireless sensor networks. The wireless sensor network architecture we consider consists of a collection of sensor nodes, cluster heads and a base station arranged hierarchically. The framework encompasses schemes for establishing and managing trust between these different entities. We demonstrate that the proposed framework helps to minimize the memory, computation and communication overheads involved in trust management in wireless sensor networks. Our framework takes into account direct and indirect (group) trust in trust evaluation as well as the energy associated with sensor nodes in service selection. It also considers the dynamic aspect of trust by introducing a trust varying function which could be adjusted to give greater weight to the most recently obtained trust values in the trust calculation. The architecture also has the ability to deal with the inter-cluster movement of sensor nodes using a combination of certificate based trust and behaviour based trust. © 2010 IEEE.

Binary attestation in trusted computing platforms provide the ability to reason about the state of a system using hash measurements. Property based attestation on the other hand enables more meaningful attestation by abstracting low level binary values to high level security properties or functions of systems. In this paper, we try to understand the kind of security properties that trusted platforms can attest. We propose that security properties can have different levels of granularity and provide a pyramid model that classifies properties at four different levels. We leverage the Common Criteria framework for security requirements to provide examples of such properties. The model is then implemented in the context of authorisation for Web services. © 2010 IEEE.

A trusted virtual domain (TVD) enables grouping of related virtual machines running on separate physical machine into a single network domain with a unified security policy. Since the virtual machines can be running different operating systems and applications, the attacker can generate attacks in the TVD by exploiting a single vulnerability in any of the operating systems or applications. Our aim in this paper is to consider the design choices and develop an intrusion detection architecture that would enable efficient detection and prevention of different types of attacks in such a TVD based distributed environments. The proposed architecture can capture the knowledge of the operating systems and applications at fine granular level and isolate the malicious entities that are generating the attack traffic. Our model takes into account the security policies that are specific to the virtual machine as well as security policies of the trusted virtual domains to deal with the attacks efficiently. © 2010 IEEE.

This paper studies logic based methods for representing and evaluating complex access control policies needed by modern database applications. In our framework, authorization and delegation rules are specified in a Weighted Delegatable Authorization Program (WDAP) which is an extended logic program. We show how extended logic programs can be used to specify complex security policies which support weighted administrative privilege delegation, weighted positive and negative authorizations, and weighted authorization propagations. We also propose a conflict resolution method that enables flexible delegation control by considering priorities of authorization grantors and weights of authorizations. A number of rules are provided to achieve delegation depth control, conflict resolution, and authorization and delegation propagations. © 2009 Springer Berlin Heidelberg.

Trust has been recognized as an important aspect for mobile agent security. In this paper, we develop a logic based trust model which enables the capturing of a comprehensive set of trust relationships to enhance the security of conventional access control mechanisms in a mobile based applications. We first discuss the notion of trust and its relevance to mobile agent security. Next we define a logic program based language to facilitate the modelling process. To enforce the security related trustworthy behaviours, we then define a set of general rules to capture the semantics. Finally, the language is applied in a mobile agent context to demonstrate how the trust can be explicitly modelled and reasoned about to support better security decisions for the mobile agent based systems. © 2009 Springer Berlin Heidelberg.

Ensuring secure interoperation in multidomain environments based on role based access control (RBAC) has drawn considerable research works in the past. However, RBAC primarily consider static authorization decisions based on subjects' permissions on target objects, and there is no further enforcement during the access. Recently proposed usage control (UCON) can address these requirements of access policy representation for temporal and time-consuming problems. In this paper, we propose a framework to facilitate the establishment of secure interoperability in multidomain environments employing Usage Control (UCON) policies. In particular, we propose an attribute mapping technique to establish secure context in multidomain environments. A key challenge in the establishment of secure interoperability is to guarantee security of individual domains in presence of interoperation. We study how conflicts arise and show that it is efficient to resolve the security violations of cyclic inheritance and separation of duty. © 2009 Springer Berlin Heidelberg.

Mobile Ad hoc Networks (MANETs) are self-organizing and adaptive, and securing such networks is non-trivial. Most security schemes suggested for MANETs tend to build upon some fundamental assumptions regarding the trustworthiness of the participating hosts and the underlying networking systems without presenting any definite scheme for trust establishment. If MANET is to achieve the same level of acceptance as traditional wired and wireless network, then a formal specification of trust and a framework for trust management must become an intrinsic part of its infrastructure. The goal of this paper is to highlight issues relating to trust in MANETs and describe a context-aware, reputation-based approach for establishing trust that assesses the trustworthiness of the participating nodes in a dynamic and uncertain MANET environment. © 2009 IEEE.

In multi-agent-based e-commerce environments, like a social network, it is critical for buying agents to build trust with the selling agents in the virtual E-marketplaces so as to mitigate the possible harm inflicted by any dishonest sellers. However, traditional approaches for establishing trust in the physical world can no longer be used. This paper introduces a graphical representation approach to uncover the existing social trust network in the virtual E-marketplaces. Firstly, it presents some notations of the graphical description approach. Secondly it discusses how to reconstruct the trust network in terms of the trust commonsense in people's daily life. © 2009 IEEE.

In these uncertain economic times, two key ingredients which are in short supply are trust and confidence. The concept of trust has been around for many decades (if not for centuries) in different disciplines such as business, psychology, philosophy as well as in security technology. The current financial climate gives a particularly prescient example. As financial journalist Walter Bagehot wrote some 135 years ago, "after a great calamity, everybody is suspicious of everybody" and "credit, the disposition of one man to trust another, is singularly varying." The problem, as Bagehot observed it, was trust, or rather the lack of it, and it's as true today as it was in his time. Financial mechanisms aren't the only entities that must deal with trust-today's social networking communities such as Facebook, Wikipedia, and other online communities have to constantly reconcile trust issues, from searching and locating credible information, to conveying and protecting personal information. Furthermore with ever increasing reliance on digital economy, most business and government activities today depend on networked information systems for their operations. In this talk, we'll take a short journey through the concept and evolution of trust in the secure computing technology world, and examine some of the challenges involved in trusted computing today.

Denial of service (DoS) attacks are one of the complex problems in the current Internet. In this paper, we propose a system, DoSTRACK, that can efficiently deal with the TCP SYN and reflection Distributed Denial of Service (DDoS) attacks. We also describe a prototype implementation of our model with HP OpenView Network Node Manager (NNM) and discuss how our model can be beneficial to the DDoS victim and the ISP. Copyright 2009 ACM.

In this paper, we propose a comprehensive trust management approach for web services that covers the analysis/modelling of trust relationships and the development of trust management layer in a consistent manner. The specific characteristics of trust relationships in web services are discussed. We introduce a separated trust management layer for web services that can hold computing components for trust management tasks. A trust management architecture for web services is proposed for building up the trust management layer. The proposed trust management architecture for web services deals with trust requirements, trust evaluation, and trust consumption in web services under a unified umbrella and it provides a solid foundation upon which may evolve the trust management layer for web services. © 2008 Crown Copyright.

In last five years, several trust models have been proposed to enhance the security of Mobile Ad hoc Networks (MANET). Nevertheless, these trust models fail to express the notion of ignorance during the establishment of trust relationships between mobile nodes. Furthermore, they lack a well-defined approach to defend against the issues resulting from recommendations. In this paper, we propose a novel subjective logic based trust model that enables mobile nodes to explicitly represent and manage ignorance as uncertainty during the establishment of trust relationships with other nodes. Our model defines additional operators to subjective logic in order to address the ignorance introduced between mobile nodes (which have already established trust relationships) as a result of mobility-induced separation. Second, we demonstrate on how mobile nodes formulate their opinions for other nodes based on the evidence collected from the benign and malicious behaviors of those nodes. We then describe on how mobile nodes establish trust relationships with other nodes using the opinions held for those nodes. Depending on the policies defined, these relationships are then used by our model to enhance the security of mobile communications. Third, we propose a novel approach to communicate recommendations by which no explicit packets or additional headers are disseminated as recommendations. This allows our model to defend against recommendation related issues such as free-riding, honest-elicitation, and recommender's bias. Finally, we demonstrate the performance of our model through NS2 simulations. Copyright © 2008 ACM.

Recently several techniques that provide different degree of anonymity have been proposed for wired and wireless communication. Although, the recently proposed techniques are successful in achieving high degree of anonymity, there are some disadvantages associated with the proposed techniques. In this paper we analyze the flooding and packet drop attacks in mobile ad hoc networks that support anonymous communication. Then we propose a novel technique to deal with the flooding attacks. Our approach can efficiently identify and isolate the malicious node that floods the network. In addition, our technique provides a mechanism to identify the benign behavior of an expelled node and rejoins the expelled node back into the network. Furthermore, our approach does not require any additional packets to communicate the behavior of the flooding node and hence does not incur any additional overhead. Finally we validate the performance analysis of our technique through NS2 simulations. © 2007 IEEE.

Web services specification provides an open standard for the distributed service oriented architecture. It is widely used in Internet and pervasive networks supporting wireless mobile devices. A mobile agent is a composition of computer software and data which is able to migrate from one host to another autonomously and continue its execution on the destination host. Mobile agent technology can reduce the bandwidth requirement and tolerate the network faults - able to operate without an active connection between clients and server. Hence, the applications of the combination of mobile agents and web service have been widely investigated in recent years. However, the security issue is still of a major concern. In this paper, we propose a novel agent-based web service security scheme. This scheme provides a new authentication protocol without using the username/password pair, which is infeasible for mobile agent, and gives an alternative method to current security mechanism without using Certification Authorities (CA) based public key infrastructure. With this scheme, we can simplify the key management and reduce the computation particularly for group-oriented web services. © 2007 IEEE.

In recent years, several secure routing protocols have been proposed to secure communications among nodes in mobile ad hoc networks. However, they are not tailored to defend against Denial of Service (DoS) attacks such as flooding and packet drop attacks. This has led to the development of models that target cooperation among nodes. These models either fail to protect against flooding attacks or only defend against greedy nodes that drop packets to save battery resources. The main shortcoming of cooperation models is that they fail to evaluate the trustworthiness for other nodes. In this paper, we propose a Trust Integrated Cooperation Architecture which consists of an obligation-based cooperation model known as fellowship to defend against both flooding and packet drop attacks. In our architecture, fellowship enhances its security decisions through a trust model known as Secure MANET Routing with Trust Intrigue (SMRTI). In comparison with related models, SMRTI deploys a novel approach to communicate recommendations such that the deployed approach is free from well-known issues such as honest elicitation, free riding, bias of a recommender, and additional overhead. © 2007 IEEE.

Security is paramount in Mobile Ad-hoc Networks (MANET) as they are not conducive to centralized trusted authorities. Several solutions have been proposed for MANET in the areas of key management, secure routing, nodal cooperation, and trust management. Nevertheless, MANET lacks a unified architecture to take advantage of the deployed security models. In this paper, we propose Trust Enhanced security Architecture for MANET (TEAM), in which a trust model is overlaid on the following security models - key management mechanism, secure routing protocol, and cooperation model. We briefly present the operation of our architecture and then we detail the system operation of our novel trust and cooperation model, which we call as Secure MANET Routing with Trust Intrigue (SMRTI) and fellowship respectively. SMRTI captures the evidence of trustworthiness for other nodes from the security models, and in return assists them to make better security decisions. Unlike related trust models, SMRTI captures recommendations in such a way that it eliminates both freeriding and honest-elicitation problems. In comparison with related cooperation models, fellowship model defends against both flooding and packet drop attacks. It can efficiently identify and isolate both malicious and selfish nodes that fail to share the communication channel or forward packets for other nodes. Furthermore, our models do not rely on any centralized authority or tamper-proof hardware. Simulation results confirm that our models enhance the performance of TEAM. © 2007 IEEE.

Recently several trust and reputation models have been proposed to enhance the security of mobile ad hoc networks. In these models, recommendations are circulated by forwarding explicit messages or introducing extra message headers. Apart from incurring additional overhead, the recommendations are prone to issues such as recommender's bias, honest-elicitation, and free-riding. In this paper, we propose a trust model to enhance the security of mobile ad hoc networks and to address the issues related to recommendations. The model uses only trusted routes for communication, and isolates malicious nodes depending on the evidence collected from direct interactions and recommendations. It deploys a novel approach for communicating recommendations such that they are free from recommender's bias, honest-elicitation, and free-riding. Simulation results confirm the effectiveness of our model. © 2007 IEEE.

Scalable multi-service oriented group key management addresses issues relating to situations where dynamic group users have different privileges for accessing different sets of services. In this paper, we propose a new flexible group key management scheme based on an ID-based distribution encryption algorithm. This scheme has several advantages over existing multi-service oriented schemes. We show that the proposed scheme has some unique scalability properties, less storage, less communication overhead and inherent traitor tracing and stateless properties than previously known schemes. We believe the proposed scheme can be used to provide a secure information distribution method for many multi-service group-oriented applications. © 2006 IEEE.

The mobile agent computing model violates some of the fundamental assumptions of conventional security techniques. Consequently, this has rendered many of the existing conventional security countermeasures less effective for mobile agents. In this paper, we propose a new philosophy of trust enhanced security, which advocates a paradigm shift for mobile agent security solutions: from security-centric to trust-centric with the aim of providing improved security and performance of mobile agents. We first examine the problem of uncertainty in behavior induced by the security assumption violations by mobile agents; we then propose a trust enhanced security approach and argue for the need for a paradigm shift to trust-centric solutions. Next we identify a list of general design requirements for the trust-centric solutions and outline the new architectural design which supports the new trust enhanced security philosophy in practice. Finally we discuss the emergent properties of the new architecture and introduce the experimental results for validating the properties. ©2006 IEEE.

Today's Internet is extremely vulnerable to Distributed Denial of service (DDoS) attacks. There is tremendous pressure on the sites performing online business and ISP's to protect their networks from DDoS attacks. Recently, several novel traceback techniques have been proposed to trace the approximate spoofed source of attack. Each proposed traceback technique has some unique advantages and disadvantages over the others. In this paper we will consider some of the novel traceback techniques and focus our discussion i) to raise some of the real time issues that can be addressed in the further research and ii) from the attackers perspective on how to generate DDoS attacks and remain untraced even if any of the traceback technique is deployed in the Internet. We will also demonstrate how attacks can be further amplified if ICMP traceback technique is deployed in the Internet and discuss techniques to minimise the additional attack traffic. We believe that the networks tend to become complex and more vulnerable to DDoS attacks if some of the proposed traceback techniques are deployed in the Internet. © 2006, Australian Computer Society, Inc.

Zhao et al proposed an efficient mental poker protocol which did not require using a Trusted Third Party(TTP). The protocol is efficient and suitable for any number of players but it introduces a security flaw. In this paper, we propose two mental poker protocols based on Zhao's previous work. The security flaw has been removed and the additional computing cost is small. © 2005 IEEE.

Requirements analysis is not only the most important stage of information systems development but also a complex and time-consuming process. Tools play an important role in supporting and automating software requirements analysis. They become indispensable in dealing with large and complex systems. This paper first introduces a business-processes-oriented requirements analysis model. And a business-process-oriented Software Requirements Automatic Generator (SRAG) is herein presented, alongside the design of a prototype. © 2005 IEEE.

© 2005 IEEE. Middleware has greatly promoted the 3-tie mode of application systems. But as application software requirements become more complex and more frequently changing, the development cycle of middleware is demanded shorter and shorter. Within a middleware, once a component is amended, the middleware must be compiled and integrated into an application in a reliable, controlled manner. However, can the middleware directly be integrated and operated into an application without being recompiled after it is amended? To address this issue, this paper proposes a middleware-based script language (M-script) that can be used directly to update the middleware in order to adapt the new business requirements. An application example of the M-script is presented, and the result demonstrates that it simplifies the middleware redevelopment process, as well as enables rapid implementation of new business requirements.

SLA is becoming crucial in competitive ICT environment as one of key differentiations and in future demand where customer participated/centric operations are essential. SLA should be reached through the negotiation between customers and service providers. However current discussion of SLA is too much focused on QoS related features, most of them are not familiar with end users and also customers are forced to accept/select SLAs which are defined /announced by service providers. In the panel, the following issues will be discussed: (1) What is "Services"? Operations services are becoming more important. (2) "Level" should be defined by qualitative/quantitative way? (3) SLA features should be customer perceptible/visible features and QoS should be translated by customer language. (4) Mechanism to reach "Agreement" by customers/service providers negotiation. (5) SLA negotiation process in service providers business processes.

While there are several efforts underway to provide security for the Service Oriented Architecture (SOA), there is no specification or standard defined to provide authorization services for the SOA. The SOA comprises of Web services and business process workflows built using Web services. Based on our analysis of existing authorization frameworks and policy specification models for the SOA, we envisage an authorization framework for the SOA to provide extensions to both the security layers of Web services and business processes separately. Also the Web services Description and Messaging layers must be extended to support authorization services designed for the SOA. In this paper, we lay out the core design principles for authorization services in each of these layers to achieve a comprehensive design of an authorization framework for the SOA.

In this paper, we consider the modelling of trust relationships in distributed systems based on a formal mathematical structure. We discuss different forms of trust. In particular, we address the base level authentication trust at the lower layer with a hierarchy of trust relationships at a higher level. Then we define and discuss trust direction and symmetric characteristics of trust for collaborative interactions in distributed environments. We define the trust scope label in order to describe the scope and diversity of trust relationship under our taxonomy framework. We illustrate the proposed definitions and properties of the trust relationships using example scenarios. The discussed trust types and properties will form part of an overall trust taxonomy framework and they can be used in the overall methodology of life cycle of trust relationships in distributed information systems that is currently in the process of development.

This paper proposes an authorization architecture for Web services. It describes the architectural framework, the administration and runtime aspects of our architecture and its components for secure authorization of Web services as well as the support for the management of authorization information. The paper also describes authorization algorithms required to authorize a Web service client. The architecture is currently being implemented within the .NET framework.

This paper presents a new perspective for mobile agent security - trust enhanced security and develops MobileTrust - a novel trust management architecture to support the trust enhanced security solutions for mobile agents. Based on this new perspective we go beyond traditional security mechanism based architectural design by incorporating a trust model into the underlying security architecture. Such an approach enables explicit management of security related trust relationships and it integrates trust into security decision making process to achieve trust enhanced security, which is impossible with the traditional security models. The proposed architecture provides several desirable emergent properties: increased level of security for mobile agent and host, improved flexibility, and scalability of the underlying security system, which are only made possible by this new trust management based approach.

This paper considers the authorization service requirements for the service oriented architecture and proposes an authorization architecture for Web services. It describes the architectural framework, the administration and runtime aspects of our architecture and its components for secure authorization of Web services as well as the support for the management of authorization information. The proposed architecture has several benefits. It is able to support legacy applications exposed as Web services as well as new Web service based applications built to leverage the benefits offered by the service oriented architecture; it can support multiple access control models and mechanisms and is decentralized and distributed and provides flexible management and administration of Web services and related authorization information. The proposed architecture can be integrated into existing middleware platforms to provide enhanced security to exposed Web services. The architecture is currently being implemented within the .NET framework. © IFIP International Federation for Information Processing 2005.

Peer-to-peer (P2P) file sharing systems have become popular as a new paradigm for information exchange. However, the decentralized and anonymous characteristics of P2P environments make the task of controlling access to sharing information more difficult, which cannot be done by traditional access control methods. In this paper, we identify access control requirements in such environments and propose a trust based access control framework for P2P file-sharing systems. The framework integrates aspects of trust and recommendation models, fairness based participation schemes and access control schemes, and applies them to P2P file-sharing systems. We believe that the proposed scheme is realistic and argue that our approach preserves P2P decentralized structure and peers' autonomy property whist enabling collaboration between peers.

Recently, trust has been recognized as an important factor for Grid computing security. In this paper, we develop a trust management architecture for trust enhanced Grid security incorporating a novel trust model which is capable of capturing various types of trust relationships that exist in a Grid system and providing mechanisms for trust evaluation, recommendations and update for trust decisions. The outcomes of the trust decisions can then be employed by the Grid security system to formulate trust enhanced security solutions. We design several algorithms to demonstrate how one can derive the trust enhanced security solutions for both user and resource provider protection with the proposed trust management architecture. Leveraging on trust knowledge and forming it as part of the security decisions, the proposed architecture possesses several desirable emerging properties that enable it to provide an improved level of security for Grid computing systems.

© Springer-Verlag Berlin Heidelberg 2004. In decentralized environments, such as P2P, as lack of central management, the trust issue is prominently important for interactions between unfamiliar peers. This paper first presents a probabilistic approach for evaluating the interaction trust of unfamiliar peers according to their interaction history. In addition, after an interaction, peers can evaluate each other and modify the trust status. Based on it, this paper presents an approach for trust value modification after interactions.

We propose in this paper a new approach to channel key management in the architecture S -SSM, we designed to secure SSM communication. S -SSM defines two mechanisms for access control and content protection. The first one is carried out through subscriber authentication and access permission. The second is realized through the management of a unique key, called the channel key, kch, shared among the sender and subscribers. The management kchis based on a novel distributed encryption scheme that enables an entity to efficiently add and remove a subscriber without affecting other subscribers.

Data protection is a significant issue in any secure information system. In this paper, we develop a decentralized authorization delegation model in which users can be delegated, granted or forbidden some access rights. This security model is formulated as an extended logic program which allows both negation as failure and classical negation. The stable model semantics is used to decide the users' access rights on data items. Under the proposed framework, conflicting problem is addressed and a promising resolution method is presented based on the underlying delegation relations and hierarchical structures of subjects, objects and access rights. The authorization inheritance are also supported in our model. Finally, as an application, we show how this framework can support different electronic consent models within the context of health care.

Existing routing algorithms treat Quality of Service (QoS) parameters and secure routing as completely separate entities requiring separate algorithms. In this paper we propose secure QoS Distance Vector and secure Bellman-Ford-Moore routing algorithms that meet QoS requirements and satisfy security concerns. Security is achieved by placing filters in the network. The routing algorithms generate routes through these filters to meet the specified QoS requirements. Simulation results indicate that secure QoS Distance Vector algorithm performs the better of the two algorithms. Moreover, the density of filters and the placement strategy of filters affect the length of the route generated.

In this paper we discuss techniques to prevent Distributed Denial of Service (DDoS) attacks within the ISP domain and extend the scheme to prevent the attack in multiple ISP domains. With a new packet marking technique and agent design, our model is able to identify the approximate source of attack with a single packet and has many features to minimise DDoS attacks. © 2003 by Springer Science+Business Media Dordrecht.

In this paper, we propose a logic program based formulation that supports delegatable authorizations, where negation as failure, classical negation and rules inheritance are allowable. A conflict resolution policy has been developed in our approach that can be used to support the controlled delegation and exception. In our framework, authorization rules are specified in a Delegatable Authorization Program (DAP) which is an extended logic program associated with different types of partial orderings on the domain, and these orderings specify various inheritance relationships among subjects, objects and access rights in the domain. The semantics of a DAP is defined based on the well-known stable model and the conflict resolution is achieved in the process of model generation for the underlying DAP. Our framework provides users a feasible way to express complex security policies. © Springer-Verlag Berlin Heidelberg 2002.

© 2001 IEEE. We present a logic of modeling the dynamics of beliefs in cryptographic protocols. Differently from previous proposals, our logic is situation based, in which a protocol is viewed as a finite sequence of actions performed by various principals at different situations, and each action is a primitive term in the language. Therefore, it becomes possible to model the dynamic change of each principal's beliefs at each step of the protocol within the logic system. Our logic has a precise semantics and is sound with respect to the underlying automatic system.

© Springer-Verlag Berlin Heidelberg 2001. A language for specifying role-based access control (RBAC) policies is presented. The language is designed to support the range of access control policies of commercial object systems. The basic structures of RBAC, such as role, users and permission, are present in the language as basic constructs. Examples are given in the language of access control situations, such as static and dynamic separation of duty, delegation and joint action based access policies. The language is flexible and is able to capture meta-level operations. The language also provides a mechanism for tracking actions and basing access control decisions on past events.

© Springer-Verlag Berlin Heidelberg 2001. This paper proposes a new Internet bidding system that offers anonymity of bidders and fairness to both bidders and the auction server. Our scheme satisfies all the basic security requirements for a sealed-bid auction system, without requiring multiple servers.

© Springer-Verlag Berlin Heidelberg 2001. In this paper we show how fair exchange of digital signatures can be made possible without a separate verifiable encryption. This means that the fair exchange protocol can be established based on an existing signature algorithm without modification, except that the users need to get a ticket from an off-line trusted third party to enable the fair exchange. The trusted third party is needed to make a judgment only when there is a dispute. Explicit protocols based on different digital signature algorithms are proposed.

© Springer-Verlag Berlin Heidelberg 2001. Web based services and applications have increased the availability and accessibility of information. XML (eXtensible Markup Language) has recently emerged as an important standard in the area of information representation. XML documents can represent information at different levels of sensitivity. Access control for XML document stores must recognise the fine-grained nature of the document structure. In this paper we present an approach to access control for XML document stores. This framework is based on RBAC and includes a syntax for specifying access control policies for the store.

Virtual team provider is an emerging business on the Internet. It allows people to work together distributed across space, time and organization. Tools like BSCW or SourceForge allow an organization to host virtual teams. Although, these tools deliver functionalities, they lack required features (e.g. security, dependability and quality of service) to make them commercially acceptable. In this paper, we describe underlying effort needed at the network services level to make virtual team software commercially viable.

© Springer-Verlag Berlin Heidelberg 2001. This paper describes a secure Pay TV protocol based on a public-key distributed encryption scheme that enables the Pay TV broadcaster to robustly add or remove any subscriber without changing private decryption keys of other subscribers. In other words, the updating process is transparent to the subscribers. This feature exhibits a distinct advantage over a symmetric key based system where all subscribers share a single key and therefore it is impossible to dynamically remove a subscriber from the system.

With the increasing growth in mobile computing devices and wireless networks, users are able to access information from anywhere and at anytime. In such situations, the issues of location management for mobile hosts are becoming increasingly significant. Different location management schemes such as Columbia University's mobile IP scheme and IETF mobile IP have been proposed. In this paper, we propose a new distributed location management scheme and discuss the advantages of the proposed scheme over the others. The paper then considers the issues of multicasting in the proposed architecture.

This paper describes a security model for mobile agent based systems. The model defines the notion of a security-enhanced agent and outlines security management components in agent platform bases and considers secure migration of agents from one base to another. The security enhanced agent carries a passport that contains its security credentials and some related security code. Then we describe how authentication, integrity and confidentiality, and access control are achieved using the agent's passport and the security infrastructure in the agent bases. We also consider the types of access control policies that can be specified using the security enhanced agents and the policy base in the agent platforms. We discuss the application of the security model in roaming mobile agents and consider a simple scenario involving security auditing in networks.

© 2000 IEEE. The Schematic Protection Model (SPM) allows us to specify the protection structure of an object-oriented database and provides an algorithm to reason about the transmission of privileges. In this paper, we extend the SPM model to support multiple access policies, by introducing the concept of groups and the negation of authorisation.

© 2000 IEEE. This paper proposes a fair electronic gambling scheme for the Internet. The proposed scheme provides a unique link between payment and gambling outcome so that the winner can be ensured to get the payment. Since an optimal fair exchange method is used in gambling message exchange the proposed system guarantees that no one can successfully cheat during a gambling process. Our system requires an off-line Trusted Third Party (TTP). If a cheating occurs, the TTP can resolve the problem and make the gambling process fair.

© Springer-Verlag Berlin Heidelberg 2000. This paper proposes a distributed encryption scheme, where any party can ¿signcrypt¿ a message and distribute it to a designated group and any member in the receiving group can ¿de-signcrypt¿ the message. We also propose a group signcryption, where, given a designated group, any member in the group can signcrypt a message on the group¿s behalf. A group signcrypted message can be distributed to another group. The proposed schemes have potential applicability in electronic commerce.

© Springer-Verlag Berlin Heidelberg 2000. A designated confirmer signature allows the signer to prove to the signature's recipient that the designated confirmer can confirm the signature without the signer. In this paper we propose a fail-stop confirmer signature scheme based on the concept of fail-stop knowledge proofs and signature knowledge proofs on discrete logarithms. We also develop a blinded version of the confirmer scheme. The new confirmer signatures have enhanced security against forgery from powerful adversaries.

© Springer-Verlag Berlin Heidelberg 2000. We consider the problem of on-line database reorganization. The types of reorganization that we discuss are restoration of clustering, purging of old data, creation of a backup copy, compaction, and construction of indexes. The contributions of this paper are both of theoretical and of experimental nature.

© 1999 IEEE. Chinese Remainder Theorem has been used for hundreds of years and has been applied to many domains such as integers and polynomials. An assumption made is that the component moduli are pairwise co-prime. In this paper, first we remove this assumption; then we give an algorithm to find whether a given system of congruent equations has a solution, and if so, how to find the solution in an efficient manner. Further we apply the modified Chinese Remainder Theorem to design proxy signatures.

© Springer-Verlag Berlin Heidelberg 1999. Access control in real systems is implemented using one or more abstractions based on the access control matrix (ACM). The most common abstractions are access control lists (ACLs) and capabilities. In this paper, we consider an extended Harrison-Ruzzo-Ullman (HRU) model to make some formal observations about capability systems versus access control list based systems. This analysis makes the characteristics of these types of access control mechanisms more explicit and is intended to provide a better understanding of their use. A combined model providing the flexibility of capabilities with the simplicity of the ACL and its relation to other models proposed earlier (e.g.[10,6]) are discussed.

© Springer-Verlag Berlin Heidelberg 1999. A divertible protocol is a protocol between three parties in which one party is able to divert another party¿s proof of some facts to prove some other facts to the other party. This paper presents a divertible protocol to prove multi-variant polynomial relations. Its direct application to blind group signature is also shown.

© Springer-Verlag Berlin Heidelberg 1999. Formal specification on authorization in object oriented databases is becoming increasingly significant. However most of the work in this field suffers a lack of formal logic semantics to characterize different types of inheritance properties of authorization policies among complex data objects. In this paper, we propose a logic formalization specify object oriented databases together with authorization policies. Our formalization has a high level language structure to specify object oriented databases and allows various types of authorizations to be associated with.

© Springer-Verlag Berlin Heidelberg 1999. In this paper we present a secure communication scheme for multiagent systems. First, we briefly introduce an architecture for multiagent systems, and discuss security problems with such systems. We then present the communication scheme in detail, including the mathematical principle and the cryptographic protocol. To further demonstrate how our communication scheme works, we present an example with which we show how a piece of plaintext message is encrypted and decrypted between two agents within a multiagent system in accordance with our communication scheme. In evaluation we show that, compared with other encryption systems such as RSA, our scheme is more simple and suitable for implementation on computers used in multiagent systems. Importantly, it remains as secure as other systems as long as the plaintext is not too short. In conclusion, we discuss issues about the management of secret keys and the suitability of the communication scheme.

© Springer-Verlag Berlin Heidelberg 1999. In a multi-user, information-sharing computer systems, authorization policy is needed to ensure that the information flows in the desired way and to prevent illegal access to the system resource. Usually such policy has a temporal property. That is, it needs to be updated to capture the changing requirements of applications, systems and users. These updates are implemented via transformation of authorization policies. In this paper, we propose two high-level formal languages L and L d to specify the transformation of authorizations in secure computer systems. L is a simple language that can be used to specify a sequence of authorization transformations. Though it has a simple syntax and semantics, we show that L is expressive enough to specify some well-known examples of authorization transformations. Language L d is an augmentation ofL which includes default propositions within the domain description of authorization policies. However, the semantics of L d is not just a simple extension of the semantics of L. We show that L d is more expressive than L in that constraints, causal and inherited authorizations, and general default authorizations can be specified.

© Springer-Verlag Berlin Heidelberg 1999. The problem of proving a number is of a given arithmetic format with some prime elements, is raised in RSA undeniable signature, group signature and many other cryptographic protocols. So far, there have been several studies in literature on this topic. However, except the scheme of Camenisch and Michels, other works are only limited to some special forms of arithmetic format with prime elements. In Camenisch and Michels's scheme, the main building block is a protocol to prove a committed number to be prime based on algebraic primality testing algorithms. In this paper, we propose a new protocol to prove a committed number to be prime. Our protocol is O(t) times more efficient than Camenisch and Michels's protocol, where t is the security parameter. This results in O(t) time improvement for the overall scheme.

© Springer-Verlag Berlin Heidelberg 1999. In this paper, we describe a language based approach to the specification of authorisation policies that can be used to support the range of access control policies in commercial object systems. We discuss the issues involved in the design of a language for role based access control systems. The notion of roles is used as a primitive construct within the language. This paper describes the basic constructs of the language and the language is used to specify several access control policies such as role based access control, static and dynamic separation of duty, delegation as well as joint action based access policies. The language is flexible and is able to capture meta-level operations and it is often these features which are significant when it comes to the applicability of an access control system to practical real situations.

© Springer-Verlag Berlin Heidelberg 1999. Demonstrating in zero-knowledge the possession of digital signatures has many cryptographic applications such as anonymous authentication, identity escrow, publicly verifiable secret sharing and group signature. This paper presents a general construction of zero-knowledge proof of possession of digital signatures. An implementation is shown for discrete logarithm settings. It includes protocols of proving exponentiation and modulo operators, which are the most interesting operators in digital signatures. The proposed construction is applicable for ElGamal signature scheme and its variations. The construction also works for the RSA signature scheme. In discrete logarithm settings, our technique is O(l) times more efficient than previously known methods.

© Springer-Verlag Berlin Heidelberg 1999. In undeniable signature, a signature can only be verified with cooperation of the signer. If the signer refuses to cooperate, it is infea-sible to check the validity of a signature. This problem is eliminated in confirmer signature schemes where the verification capacity is given to a confirmer rather than the signer. In this paper, we present a variation of confirmer signature, called undeniable confirmer signature in that both the signer and a confirmer can verify the validity of a signature. The scheme provides a better flexibility for the signer and the user as well as reduces the involvement of designated confirmers, who are usually trusted in practice. Furthermore, we show that our scheme is divertible, i.e., our signature can be blindly issued. This is essential in some applications such as subscription payment system, which is also shown.

© Springer-Verlag Berlin Heidelberg 1999. This paper proposes a new public key based system that enables us to have a single public key with one or more decryption keys and a unique signing key. One straightforward application for our system is in delegated or proxy based decryption. The proxy based decryption requires that the decryption authority can be delegated to another party (proxy) without revealing the signing key information. This suggests that the proxy who has the legitimate right for decryption cannot sign on behalf of the public key owner; only the legitimate signer can be the owner of the public key.

There has been a considerable interest shown in the area of mobility. With the advent of powerful portable devices such as laptop and palmtop there is a growing trend amongst users to go the nomadic way. This implies that a user can get access to any service at any time without any interruption. Such nomadic computing poses several challenges in multicasting and security. We first consider a framework that has been proposed by [1] for multicasting in mobile IP networks. In this paper, we extend this framework to support a secure multicasting service. We describe secure schemes for a mobile host to initiate, join and leave a multicast group. We also discuss the secure movement of mobile hosts in intra and inter campus environments.

We present in this paper an extended object model for software system modelling and design. The extended object model was developed from ontological research into the nature and the generality of intelligent systems. The extension was made by attaching domains, states and categories to variables, and adding three types of constraints into the ordinary object model: identity constraints are for maintaining the identity and integrity of objects; trigger constraints are for enabling agents to act in objects autonomously; and goal constraints are for guiding agents to act in desired direction. We first introduce the theoretical background of the object model in brief. We then present the models in detail. We also discuss the advantages of our extended object model in software system modelling and design. In conclusion we summarise the main results we have achieved, and discuss some ongoing works that are relevant.

© Springer-Verlag Berlin Heidelberg 1998. We propose a new untraceable digital cash scheme using blind Nyberg-Rueppel digital signature. The scheme provides security features such as client anonymity, coin forgery prevention and double spending detection. The proposed scheme is also more efficient than previously proposed schemes by Chaum and Brands.

© Springer-Verlag Berlin Heidelberg 1998. A formal language to specify general access control policies and their sequences of transformations has been proposed in [1]. The access control policy was specified by a domain description which consisted of a finite set of initial policy propositions, policy transformation propositions and default propositions. Usually, access control models are falls into two conventional categories: discretionary access control(DAC) and mandatory access control(MAC). Traditional DAC models basically enumerate all the subjects and objects in a system and regulate the access to the object based on the identity of the subject. It can be best represented by the HRU's access control matrix [4]. While on the other hand, MAC models are lattice based models, in the sense that each subject and object is associated with a sensitivity level which forms a lattice [3]. In this paper, we intend to demonstrate that both a DAC-like model and a MAC-like model can be realized by an approach using our formal language. We also discuss some other related works.