Similar articles
 Found 20 similar articles; search took 15 ms
1.
Security administrators face the challenge of designing, deploying and maintaining a variety of configuration files related to security systems, especially in large‐scale networks. These files have heterogeneous syntaxes and follow differing semantic concepts. Nevertheless, they are interdependent due to security services having to cooperate and their configuration to be consistent with each other, so that global security policies are completely and correctly enforced. To tackle this problem, our approach supports a comfortable definition of an abstract high‐level security policy and provides an automated derivation of the desired configuration files. It is an extension of policy‐based management and policy hierarchies, combining model‐based management (MBM) with system modularization. MBM employs an object‐oriented model of the managed system to obtain the details needed for automated policy refinement. The modularization into abstract subsystems (ASs) segments the system—and the model—into units which more closely encapsulate related system components and provide focused abstract views. As a result, scalability is achieved and even comprehensive IT systems can be modelled in a unified manner. The associated tool MoBaSeC (Model‐Based‐Service‐Configuration) supports interactive graphical modelling, automated model analysis and policy refinement with the derivation of configuration files. We describe the MBM and AS approaches, outline the tool functions and exemplify their applications and results obtained. Copyright © 2010 John Wiley & Sons, Ltd.

2.
Devin Schwab  Soumya Ray 《Machine Learning》2017,106(9-10):1569-1598
In this work, we build upon the observation that offline reinforcement learning (RL) is synergistic with task hierarchies that decompose large Markov decision processes (MDPs). Task hierarchies can allow more efficient sample collection from large MDPs, while offline algorithms can learn better policies than the so-called “recursively optimal” or even hierarchically optimal policies learned by standard hierarchical RL algorithms. To enable this synergy, we study sample collection strategies for offline RL that are consistent with a provided task hierarchy while still providing good exploration of the state-action space. We show that naïve extensions of uniform random sampling do not work well in this case and design a strategy that has provably good convergence properties. We also augment the initial set of samples using additional information from the task hierarchy, such as state abstraction. We use the augmented set of samples to learn a policy offline. Given a capable offline RL algorithm, this policy is then guaranteed to have a value greater than or equal to the value of the hierarchically optimal policy. We evaluate our approach on several domains and show that samples generated using a task hierarchy with a suitable strategy allow significantly more sample-efficient convergence than standard offline RL. Further, our approach also shows more sample-efficient convergence to policies with value greater than or equal to hierarchically optimal policies found through an online hierarchical RL approach.

3.
Instead of traditional (multi-class) learning approaches that assume label independency, multi-label learning approaches must deal with the existing label dependencies and relations. Many approaches try to model these dependencies in the process of learning and integrate them in the final predictive model, without making a clear difference between the learning process and the process of modeling the label dependencies. Also, the label relations incorporated in the learned model are not directly visible and cannot be (re)used in conjunction with other learning approaches. In this paper, we investigate the use of label hierarchies in multi-label classification, constructed in a data-driven manner. We first consider flat label sets and construct label hierarchies from the label sets that appear in the annotations of the training data by using a hierarchical clustering approach. The obtained hierarchies are then used in conjunction with hierarchical multi-label classification (HMC) approaches (two local model approaches for HMC, based on SVMs and PCTs, and two global model approaches, based on PCTs for HMC and ensembles thereof). The experimental results reveal that the use of the data-derived label hierarchy can significantly improve the performance of single predictive models in multi-label classification as compared to the use of a flat label set, while this is not preserved for the ensemble models.

4.
5.
Hierarchical reinforcement learning (RL) algorithms can learn a policy faster than standard RL algorithms. However, the applicability of hierarchical RL algorithms is limited by the fact that the task decomposition has to be performed in advance by the human designer. We propose a Lamarckian evolutionary approach for automatic development of the learning structure in hierarchical RL. The proposed method combines the MAXQ hierarchical RL method and genetic programming (GP). In the MAXQ framework, a subtask can optimize the policy independently of its parent task's policy, which makes it possible to reuse learned policies of the subtasks. In the proposed method, the MAXQ method learns the policy based on the task hierarchies obtained by GP, while the GP explores the appropriate hierarchies using the result of the MAXQ method. To show the validity of the proposed method, we have performed simulation experiments for a foraging task in three different environmental settings. The results show strong interconnection between the obtained learning structures and the given task environments. The main conclusion of the experiments is that the GP can find a minimal strategy, i.e., a hierarchy that minimizes the number of primitive subtasks that can be executed for each type of situation. The experimental results for the most challenging environment also show that the policies of the subtasks can continue to improve, even after the structure of the hierarchy has been evolutionarily stabilized, as an effect of Lamarckian mechanisms.

6.
Access control models allow expressing access control rules (also called policies) stating that certain subjects (or users) have or do not have the right (or privilege) to access certain objects in order to execute certain actions under certain conditions. Several existing models allow expressing rules only for specific subjects, objects and actions. Role-based access control (RBAC) introduced the notion of role, which is an abstraction over subjects. Organization-based access control (OrBAC) generalized further, by allowing specifying rules involving abstract subjects, abstract actions and abstract objects. We propose here a model that allows expressing rules involving any combinations of abstract or concrete subjects, actions and objects, as well as conditions over them. For this reason, our model is called concrete- and abstract-based access control model (CABAC). The semantics of our model is expressed in terms of first order predicate logic. Temporal, spatial, knowledge and historical contexts can be specified and combined. We show how in this model it is possible to express hierarchies of subjects, objects and actions as well as propagation of policies over hierarchies. Further, while in most models subjects, objects and actions, whether concrete or abstract, must be specified statically, it is possible in our model to specify subjects, actions and objects dynamically, i.e., according to conditions that can vary over time. Access control rules can also be explicitly revoked and subjected to different types of constraints, among which are cardinality constraints and separation of duties.

7.
Context: It is critical to ensure the quality of a software system in the initial stages of development, and several approaches have been proposed to ensure that a conceptual schema correctly describes the user’s requirements. Objective: The main goal of this paper is to perform automated reasoning on UML schemas containing arbitrary constraints, derived roles, derived attributes and queries, all of which must be specified by OCL expressions. Method: The UML/OCL schema is encoded in a first order logic formalisation, and an existing reasoning procedure is used to check whether the schema satisfies a set of desirable properties. Due to the undecidability of reasoning in highly expressive schemas, such as those considered here, we also provide a set of conditions that, if satisfied by the schema, ensure that all properties can be checked in a finite period of time. Results: This paper extends our previous work on reasoning on UML conceptual schemas with OCL constraints by considering derived attributes and roles that can participate in the definition of other constraints, queries and derivation rules. Queries formalised in OCL can also be validated to check their satisfiability and to detect possible equivalences between them. We also provide a set of conditions that ensure finite reasoning when they are satisfied by the schema under consideration. Conclusion: This approach improves upon previous work by allowing automated reasoning for more expressive UML/OCL conceptual schemas than those considered so far.

8.
This paper concerns calculational methods of refinement in state-based specification languages. Data refinement is a well-established technique for transforming specifications of abstract data types into ones which are closer to an eventual implementation. The conditions under which a transformation is a correct refinement are encapsulated into two simulation rules: downward and upward simulations. One approach for refining an abstract system is to specify the concrete data type, and then attempt to verify that it is a valid refinement of the abstract type. An alternative approach is to calculate the concrete specification based upon the abstract specification and a retrieve relation, which links the abstract and concrete states. In this paper we generalise existing calculational methods for downward simulations and derive similar results for upward simulations; we also document their use and application in a particular specification language, namely Z.

9.
The problem of hierarchical access control in secure group communications has elicited much interest in the literature. However, most of the research to date on hierarchical access control pays more attention to the particular encryption techniques, but considers little about the features of key hierarchies. In hierarchical access control systems, keys are usually organized hierarchically. We analyze the user-based, resource-based and unified key hierarchies in this paper. The first two hierarchies are established from the access matrix. By unifying these two hierarchies, we get the unified key hierarchy. Furthermore, we introduce the explicit accessible set and the explicit dominating set to describe the key distributions for these hierarchies, and prove that the unified key hierarchy can be formed from the explicit dominating sets in the user-based key hierarchy or the explicit accessible sets in the resource-based key hierarchy. To evaluate the efficiency of the described key hierarchies, we combine these hierarchies with the existing key assignment models and analyze their storage and rekey overheads. These overheads can be derived from the access matrix, and the derivation procedure is described. The conclusions of this paper can help to establish a suitable key hierarchy so as to make the key assignment scheme more efficient in practical applications.

10.
《Information Sciences》2007,177(10):2152-2166
Computer security policies specify conditions for permissions to access various computer resources and information. Merging two security policies is needed when two organizations, together with their computer systems, merge into one entity as in corporate business acquisition. We propose a graph-theoretic method for merging the role/object hierarchies of two security policies. The formulation of merged hierarchies is based on the graph minor relation in graph theory. Ideally, the merged role hierarchy should contain both the participating role hierarchies as graph minors, and similarly for the object hierarchy. We show that one can decide in polynomial time whether this ideal case is possible when the participating hierarchies are trees. We also show that in case the merged hierarchy exists, it can be constructed in polynomial time. Algorithms for detecting the feasibility of an ideal merged tree and for constructing the merged tree are presented. Our hierarchy/tree merge method is also applicable to the integration of heterogeneous databases with generalization hierarchies.

11.
Based on the - and -classes of the polynomial-time hierarchy, Schöning [S1], [S3] introduced low and high hierarchies within NP. Several classes of sets have been located in the bottom few levels of these hierarchies [S1], [S3], [KS], [BB], [BS2], [AH]. Most results placing sets in the -levels of the low hierarchy are related to sparse sets, and the proof techniques employed involve deterministic enumeration of sparse sets. Balcázar et al. [BBS] and Allender and Hemachandra [AH] introduced extended low hierarchies, involving sets outside of NP, based on the - and gD-classes of the polynomial-time hierarchy. Several classes of sets have been located in the -levels of these hierarchies as well, and once again most such results involve sparse sets. In this paper we introduce a refinement of the low and high hierarchies and of the extended low hierarchies. Our refinement is based on the -classes of the polynomial-time hierarchy. We show that almost all of the classes of sets that are known to belong to the -levels of the low and extended low hierarchies actually belong to the newly defined -levels of these hierarchies. Our proofs use Kadin's [K1] technique of computing the census of a sparse set first, followed by a nondeterministic enumeration of the set. This leads to the sharper lowness results. We also consider the optimality of these new lowness results. For sets in the -levels of the low hierarchy we have oracle results indicating that substantially stronger results are not possible through use of Kadin's technique. For sets in the -classes of the extended low hierarchy we have tight absolute lower bounds; that is, lower bounds without oracles. These bounds are slightly stronger than similar bounds appearing in [AH]. This work was supported in part by NSF Grant CCR-8909071. The second author's current address is Networking Software Division, IBM Research, Triangle Park, NC 27709, USA.

12.
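Event-B is a formal system language based on set theory and predicate logic that can build progressively refined models of a system using a refinement strategy. This paper proposes a method for applying Event-B in real industrial settings, consisting of three steps: rewriting the requirements, building an abstract model, and refining it layer by layer. First, the requirements are rewritten from three main aspects (environment, function and properties) and the refinement strategy is made explicit. Next, formal methods are used to build an abstract model, which is then verified. Finally, on top of the correct abstract model, requirements are added and the model is refined layer by layer according to the refinement strategy, with each layer verified; based on the final layer, which satisfies the requirements, tools can further be used to generate code automatically. The methodology applies refinement theory to make the requirements and properties of the system under development explicit in an incremental, layer-by-layer manner, and carries out formal modeling and verification, ensuring the correctness of the model. To demonstrate the feasibility of the methodology, a multi-application smart card from real industry is taken as an example, and the application of the method in actual modeling and verification is presented based on the Event-B method and its tool platform Rodin.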

13.
Distributed applications written in Hermes typically consist of a large number of sequential processes. The use of a hierarchy of process clusters can facilitate the debugging of such applications. Ideally, such a hierarchy should be derived automatically. This paper discusses two approaches to automatic process clustering, one analyzing runtime information with a statistical approach and one utilizing additional semantic information. Tools realizing these approaches were developed and a quantitative measure to evaluate process clusters is proposed. The results obtained under both approaches are compared, and indicate that the additional semantic information improves the cluster hierarchies derived. We demonstrate the value of automatic process clustering with an example. It is shown how appropriate process clusters reduce the complexity of the understanding process, facilitating program maintenance activities such as debugging.

14.
15.
Policy driven management for distributed systems   Cited by: 22 (self-citations: 0, citations by others: 22)
Separating management policy from the automated managers which interpret the policy facilitates the dynamic change of behavior of a distributed management system. This permits it to adapt to evolutionary changes in the system being managed and to new application requirements. Changing the behavior of automated managers can be achieved by changing the policy without having to reimplement them—this permits the reuse of the managers in different environments. It is also useful to have a clear specification of the policy applying to human managers in an enterprise. This paper describes the work on policy which has come out of two related ESPRIT funded projects, SysMan and IDSM. Two classes of policy are elaborated—authorization policies define what a manager is permitted to do and obligation policies define what a manager must do. Policies are specified as objects which define a relationship between subjects (managers) and targets (managed objects). Domains are used to group the objects to which a policy applies. Policy objects also have attributes specifying the action to be performed and constraints limiting the applicability of the policy. We show how a number of example policies can be modeled using these objects and briefly mention issues relating to policy hierarchy and conflicts between overlapping policies.

16.
Cybersecurity is a growing concern in today’s society. Security policies have been developed to ensure that data and assets remain protected for legitimate users, but there must be a mechanism to verify that these policies can be enforced. This paper addresses the verification problem of security policies in role-based access control of enterprise software. Most existing approaches employ traditional logic or procedural programming that tends to involve complex expressions or search with backtrack. These can be time-consuming and hard to understand and update, especially for large-scale security verification problems. Declarative programming paradigms such as “Answer Set” programming have been widely used to alleviate these issues by ways of elegant and flexible modeling for complex search problems. However, solving problems using these paradigms can be challenging due to the nature and limitation of the declarative problem solver. This paper presents an approach to automated security policy verification using Answer Set programming. In particular, we investigate how the separation of duty security policy in role-based access control can be verified. Our contribution is a modeling approach that maps this verification problem into a graph-coloring problem to facilitate the use of generate-and-test in a declarative problem-solving paradigm. The paper describes a representation model and rules that drive the Answer Set Solver and illustrates the proposed approach to securing web application software to assist the hiring process in a company.

17.
Modern distributed systems contain a large number of objects and must be capable of evolving, without shutting down the complete system, to cater for changing requirements. There is a need for distributed, automated management agents whose behavior also has to dynamically change to reflect the evolution of the system being managed. Policies are a means of specifying and influencing management behavior within a distributed system, without coding the behavior into the manager agents. Our approach is aimed at specifying implementable policies, although policies may be initially specified at the organizational level and then refined to implementable actions. We are concerned with two types of policies. Authorization policies specify what activities a manager is permitted or forbidden to do to a set of target objects and are similar to security access-control policies. Obligation policies specify what activities a manager must or must not do to a set of target objects and essentially define the duties of a manager. Conflicts can arise in the set of policies. Conflicts may also arise during the refinement process between the high level goals and the implementable policies. The system may have to cater for conflicts such as exceptions to normal authorization policies. The paper reviews policy conflicts, focusing on the problems of conflict detection and resolution. We discuss the various precedence relationships that can be established between policies in order to allow inconsistent policies to coexist within the system and present a conflict analysis tool which forms part of a role based management framework. Software development and medical environments are used as example scenarios.

18.
19.
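Role-based access control is currently the most widely applied and advanced security control mechanism. To address the problem that it is widely used in new software but has not been generally adopted by legacy systems, a reengineering method for access control policies is proposed. The method defines a transformation-oriented access control policy language for describing, manipulating and evaluating access control policies, studies how to extract legacy access control policies, and gives transformation rules and algorithms for introducing roles into legacy access control policies. A case study shows that the method is feasible: it can reorganize legacy access control policies using roles and role hierarchies so as to improve the access control mechanism of legacy systems.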

20.
Security is one of the critical aspects of current systems, which are based on loosely coupled and technology-agnostic service-oriented architectures (SOA). Though SOA is the driving force for enterprises to open their ends for global business collaborations, nevertheless it evolves many challenges for modeling and enforcing security. One of the main problems for designing secure systems is the lack of consistent frameworks and methodologies for modeling security concerns. Traditional approaches consider security at the end of system development, which evolves inflexible and un-configurable systems, which are too difficult to maintain and manage. The other major problem with current approaches is that they assume pre-defined and hard-coded security patterns and mechanisms for secure system design. Whereas, the evolving SOA systems require configurable security to realize different security patterns and security policies in a variety of business scenarios. To solve these problems, it is necessary to model security concerns from the beginning of system modeling in a platform-independent way. This paper proposes a pattern refinement approach for security modeling to achieve configurable and declarative security, based on the principles of abstraction, refinement, separation-of-concerns and maintainability to achieve flexible configurations of SOA security. In the proposed approach, a Domain Expert defines abstract policies using common security vocabulary and a Security Expert models security with patterns and refines them for a target architecture in successive systematic refinements. Furthermore, it facilitates the transformation of abstract security models into executable security policies for the target platforms.
