Archive for September, 2008

Pervasive Management for Ubiquitous Networks and Services—Report on NOMS 2008

by Westphall, Carlos Becker; Brunner, Marcus; Nogueira, José Marcos; Ulema, Mehmet

DOI: 10.1007/s10922-008-9110-4
Online Date: 9/25/2008
Print publication date: 9/1/2008

Spatial Domains for the Administration of Location-based Access Control Policies

by Damiani, Maria Luisa; Bertino, Elisa; Silvestri, Claudio

In the last few years there has been an increasing interest in a novel category of access control models known as location-based or spatially-aware role-based access control (RBAC) models. Those models advance classical RBAC models in that they regulate the access to sensitive resources based on the position of mobile users. An issue that has not yet been investigated is how to administer spatially-aware access control policies. In this paper we introduce GEO-RBAC Admin, the administration model for the location-based GEO-RBAC model. We discuss the concepts underlying such an administrative model and present a language for the specification of GEO-RBAC policies.

DOI: 10.1007/s10922-008-9106-0
Online Date: 9/19/2008
Print publication date: 9/1/2008

Optimal IDS Sensor Placement and Alert Prioritization Using Attack Graphs

by Noel, Steven; Jajodia, Sushil

We optimally place intrusion detection system (IDS) sensors and prioritize IDS alerts using attack graph analysis. We begin by predicting all possible ways of penetrating a network to reach critical assets. The set of all such paths through the network constitutes an attack graph, which we aggregate according to underlying network regularities, reducing the complexity of analysis. We then place IDS sensors to cover the attack graph, using the fewest number of sensors. This minimizes the cost of sensors, including effort of deploying, configuring, and maintaining them, while maintaining complete coverage of potential attack paths. The sensor-placement problem we pose is an instance of the NP-hard minimum set cover problem. We solve this problem through an efficient greedy algorithm, which works well in practice. Once sensors are deployed and alerts are raised, our predictive attack graph allows us to prioritize alerts based on attack graph distance to critical assets.

DOI: 10.1007/s10922-008-9109-x
Online Date: 9/16/2008
Print publication date: 9/1/2008

Report of the 2nd Workshop on Autonomic Communications and Network Management (ACNM 2008)

by Boutaba, Raouf; Brunner, Marcus; Schmid, Stefan; Granville, Lisandro Zambenedetti

DOI: 10.1007/s10922-008-9103-3
Online Date: 9/14/2008
Print publication date: 9/1/2008

Decentralized Access Control Management for Network Configuration

by Seitz, Ludwig; Selander, Göran; Rissanen, Erik; Ling, Cao; Sadighi, Babak

Configuration management is of great importance for network operators and service providers today. Sharing of resources between business parties with conflicting interests is a reality and raises many issues with respect to configuration management. One issue is access control to configuration data. A network operator or service provider needs appropriate tools, not only to control its networked resources, but also to specify how this control should be exercised. We propose an access control model for the IETF NETCONF network configuration protocol, based on the OASIS XACML access control standard, which allows a flexible and fine-grained control for NETCONF commands. Our approach does not require any additions to the NETCONF protocol and is independent of the configuration’s data-model. Furthermore, our approach can easily be extended to cover new NETCONF functionality.

DOI: 10.1007/s10922-008-9111-3
Online Date: 9/11/2008
Print publication date: 9/1/2008