Abstract
Information systems that provide interactive access to a huge number of users worldwide are exposed to numerous security threats. One of the most significant threats to such systems is unauthorized access to system resources, which leads to breaches of data confidentiality (privacy) and data integrity and to denial of service. Designing and implementing models and algorithms that reduce the risk of such threats being realized, and that ensure a prompt response to incidents, is an important problem. In this article we introduce the chain-relational model of access control (ChRelBAC), which was designed and implemented for a large scientometric system. We describe two software tools that support the model. The visualization tool presents access control rules in a user-friendly way. The verification tool, used while integrating the model with the source code of the target information system, identifies the entry points of the system that are not covered by the model. Finally, we discuss the problem of testing the relational model on real data sets.
Vasenin, V., Itkes, A., Krivchikov, M. et al. ChRelBAC data access control model for large-scale interactive informational-analytical systems. J Comput Virol Hack Tech 16, 313–331 (2020). https://doi.org/10.1007/s11416-020-00365-9