DOI: 10.1145/3205977.3206000

Network Policy Enforcement Using Transactions: The NEUTRON Approach

Published: 07 June 2018 Publication History

Abstract

We propose a tool that captures application requirements for the enforcement of network security policies in an object-oriented design language. Once a design captures clear, concise, easily understood network requirements, new technologies become possible, including network transactions and user-driven policies that remove rarely used network permissions until they are needed, creating a least-privilege-in-time policy. Existing security enforcement policies represent a model of all allowable behavior. Modeling only allowable behavior requires that any entity that may ever need a permission be granted it permanently. Refining the model to distinguish between common behavior and rare behavior increases security. The increased security comes with costs, such as requiring users to strongly authenticate more often. This paper discusses those costs and the added complexity of such enforcement models.
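The least-privilege-in-time idea in the abstract, as an added illustration that is not the paper's tool or NEUTRON's design language: a toy policy evaluator in which common permissions are modelled as permanent, while rare permissions are only active inside a user-opened, time-bounded network transaction that costs a strong-authentication round. The Flow/Permission/Policy classes, the decision strings, the 600-second transaction lifetime and the sample addresses are all assumptions constructed for this example.

```python
# Added example (not from the paper): a toy policy evaluator that separates
# "common" permissions (granted permanently) from "rare" permissions that are
# only active inside a user-opened, time-bounded network transaction.
# Class names, decision strings, TTL and addresses are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    """A network permission request: source host, destination host, destination port."""
    src: str
    dst: str
    port: int


@dataclass
class Permission:
    common: bool          # True: always granted; False: needs an open transaction
    ttl_seconds: int = 0  # lifetime of a transaction for a rare permission


@dataclass
class Policy:
    perms: Dict[Flow, Permission]
    active: Dict[Flow, float] = field(default_factory=dict)  # rare flow -> expiry time
    auth_prompts: int = 0  # cost metric: how often a user had to strongly authenticate

    def decide(self, flow: Flow, now: float) -> str:
        """Return 'allow', 'deny', or 'transaction-required' for a flow at time `now`."""
        perm = self.perms.get(flow)
        if perm is None:
            return "deny"                      # not modelled at all: default deny
        if perm.common:
            return "allow"                     # permanent part of the model
        expiry = self.active.get(flow)
        if expiry is not None and now < expiry:
            return "allow"                     # inside an open transaction
        self.active.pop(flow, None)            # expired or never opened: drop the grant
        return "transaction-required"

    def open_transaction(self, flow: Flow, strong_auth_ok: bool, now: float) -> bool:
        """User-driven activation of a rare permission; costs one strong-auth round."""
        perm = self.perms.get(flow)
        if perm is None or perm.common:
            return False                       # nothing to activate
        self.auth_prompts += 1                 # the user is challenged either way
        if not strong_auth_ok:
            return False
        self.active[flow] = now + perm.ttl_seconds
        return True


# Constructed sample policy: web traffic is common, DB admin access is rare.
WEB = Flow("10.0.1.5", "10.0.2.10", 443)
DB_ADMIN = Flow("10.0.1.5", "10.0.3.20", 5432)


def build_demo_policy() -> Policy:
    return Policy({
        WEB: Permission(common=True),
        DB_ADMIN: Permission(common=False, ttl_seconds=600),
    })


def run_demo() -> List:
    """Walk through one transaction lifecycle; returns the decisions in order."""
    p = build_demo_policy()
    t0 = 1_000.0
    out: List = []
    out.append(p.decide(WEB, t0))                                  # always allowed
    out.append(p.decide(DB_ADMIN, t0))                             # rare: not yet opened
    out.append(p.open_transaction(DB_ADMIN, strong_auth_ok=False, now=t0))  # weak auth fails
    out.append(p.open_transaction(DB_ADMIN, strong_auth_ok=True, now=t0))   # strong auth opens
    out.append(p.decide(DB_ADMIN, t0 + 60))                        # inside the window
    out.append(p.decide(DB_ADMIN, t0 + 601))                       # window expired
    out.append(p.auth_prompts)                                     # cost of the two attempts
    return out


if __name__ == "__main__":
    print(run_demo())
```

`auth_prompts` is the cost the abstract points at: every activation of a rare permission is another strong-authentication round for the user, so the split between common and rare permissions is also a choice about how often users are challenged.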


Cited By

  • Removing the Reliance on Perimeters for Security using Network Views. Proceedings of the 27th ACM Symposium on Access Control Models and Technologies (2022), 151-162. DOI: 10.1145/3532105.3535029. Published 7 June 2022.
  • Can I Reach You? Do I Need To? New Semantics in Security Policy Specification and Testing. Proceedings of the 26th ACM Symposium on Access Control Models and Technologies (2021), 165-174. DOI: 10.1145/3450569.3463558. Published 11 June 2021.
  • Secure Desktop Computing in the Cloud. 2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud) / 2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom), 107-112. DOI: 10.1109/CSCloud/EdgeCom.2019.00-10. Published June 2019.
  • Experiments and Proofs in Web-service Security. 2018 28th International Telecommunication Networks and Applications Conference (ITNAC), 1-6. DOI: 10.1109/ATNAC.2018.8615367. Published November 2018.


    Published In

    SACMAT '18: Proceedings of the 23rd ACM Symposium on Access Control Models and Technologies
    June 2018, 271 pages
    ISBN: 9781450356664
    DOI: 10.1145/3205977
    General Chair: Elisa Bertino
    Program Chairs: Dan Lin, Jorge Lobo

    Publisher

    Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. network security
    2. network transactions
    3. policy design
    4. security enforcement policy
    5. user-driven policy

    Qualifiers

    • Research-article

    Funding Sources

    • Air Force Research Lab

    Conference

    SACMAT '18

    Acceptance Rates

    SACMAT '18 Paper Acceptance Rate 14 of 50 submissions, 28%;
    Overall Acceptance Rate 177 of 597 submissions, 30%
