Explanation: Computer Science, database, R, R

Author: qhpj441 | Published 2020-01-13 15:22 | Read 0 times

Content-Based Access Control

Submitted to the Department of Electrical Engineering and Computer Science and the Graduate Faculty of the University of Kansas in partial fulfillment of the requirements for the degree of Doctor of Philosophy

Date defended: April 3, 2015

The Dissertation Committee for Wenrong Zeng certifies that this is the approved version of the following dissertation :

Date approved:

Abstract

In conventional databases, the most popular access control model specifies policies explicitly and manually for each role of every user against each data object. Nowadays, in large-scale content-centric data sharing, conventional approaches could be impractical due to the exponential explosion of data growth and the sensitivity of data objects. What’s more, conventional database access control policy will not be functional when the semantic content of data is expected to play a role in access decisions. Users are often over-privileged, and ex post facto auditing is enforced to detect misuse of the privileges. Unfortunately, it is usually difficult to reverse the damage, as (a large amount of) data has been disclosed already. In this dissertation, we first introduce Content-Based Access Control (CBAC), an innovative access control model for content-centric information sharing. As a complement to conventional access control models, the CBAC model makes access control decisions automatically, based on the content similarity between user credentials and data content. In CBAC, each user is allowed by a meta-rule to access “a subset” of the designated data objects of a content-centric database, while the boundary of the subset is dynamically determined by the textual content of data objects. We then present an enforcement mechanism for CBAC that exploits Oracle's Virtual Private Database (VPD) to implement row-wise access control and to prevent data objects from being abused by unnecessary access admission. To further improve the performance of the proposed approach, we introduce a content-based blocking mechanism to improve the efficiency of CBAC enforcement and to reveal a more relevant part of the data objects compared with using only the user credentials and data content. We also utilize several tagging mechanisms for more accurate textual content matching for short text snippets (e.g. short VarChar attributes), extracting topics rather than pure word occurrences to represent the content of data. In the tagging mechanism, the similarity of content is calculated not purely from word occurrences but from the semantic topics underneath the text content. Experimental results show that CBAC makes accurate access control decisions with a small overhead.

Acknowledgements

In this section, I would like to express my gratitude to my advisors, my colleagues, my committee members and my family for their encouragement, support and assistance down along the road of my PhD study.

First of all, I would like to thank my advisor Dr. Bo Luo for his valuable guidance during my thesis. He was a great advisor to work with. He originally led me to the field of access control and patiently explained the fundamental background of what it is, why it is important to database security and its potential impacts on big data platform. He has been very supportive, and enthusiastic in all our discussions. He usually inspires me with his solid background knowledge on database security and kindly provides insights to draw conclusion on experimental results, which help me to push the experiment forwards meanwhile consolidate my work. I would also like to thank my previous advisor Dr. Xue-wen Chen. When I began my PhD, he led me to machine learning field. He directed me to multi-label learning, which is another major part of my PhD work. The guidance from him led me to explore multi-label applications in image analysis with graphical modeling, and theoretical optimization of multi-label improvements.
I am also very gratefully thankful to my committee members: Dr. Arvin Agah, Dr. Jerzy Grzymala-Busse, Dr. Prasad Kulkarni, and Dr. Alfred Tat-kei Ho. They offer me professional suggestion on my proposal and dissertation. They kindly have provided their insights on further directions and experiments with my work. Without their help, I cannot finish the entire course of my PhD.

Secondly, I would like to thank all my colleagues in University of Kansas. They began as colleagues and ended to be my best friends. They have provided a lot of happiness, supports, and assistance in my life and study. Working together with everyone is a memorable moment in the entire course of my study. Dr. Hongliang Fei, Dr. Yi Jia, Dr. Jintao Zhang, and Junyan Li, I have been grateful meeting them in the painful yet rewardful PhD study. When I met problems, they always provide valuable suggestion. Besides, I should owe special thanks to Dr. Jong Cheol Jeong. He is a valuable colleague to work with, thorough in mind and detail oriented in execution. He is willing to help me whenever I feel confused and lost in research. His determination in research has set him up as my role model always.

Last but not least, I want to thank my family. My parents gave me endless courage and love during my PhD stage. They have visited me three times from China, and supported me with all their assistance in my household. They are the best parents one could ask. My husband, the one I am super lucky to have, is the most supportive, patient, generous and humorous man in my life, who has brought the happiness and healed the pain. My baby daughter, Brenda, I would like to thank her for being the best project I have ever done. Although she does cry a lot, she laughs more. Her smile is the best gift after work.

Contents

1 Introduction
  1.1 Introduction
2 Related Works
  2.1 Access Control Models
    2.1.1 Discretionary Access Control
    2.1.2 Role-Based Access Control
    2.1.3 Attribute-Based Access Control
    2.1.4 Policy-Based Access Control
    2.1.5 Risk-Adaptable Access Control
    2.1.6 Access Control Based on Content
  2.2 Oracle Virtual Private Database (VPD)
3 Text Feature Extraction
  3.1 TF-IDF
    3.1.1 Stop Word
    3.1.2 Stemming
  3.2 n-Gram
  3.3 Topic Modeling
    3.3.1 Latent Dirichlet Allocation
    3.3.2 Non-negative Matrix Factorization
  3.4 TAGME
4 Content-Based Access Control Model
  4.1 Background and Assumptions
  4.2 Contribution
  4.3 Model Definition
  4.4 Content Similarity
  4.5 Top-K Similarity
5 CBAC Enforcement
  5.1 CBAC On-the-Fly Enforcement
    5.1.1 The Basic CBAC Model
    5.1.2 Experiments
  5.2 Offline CBAC
    5.2.1 Unsupervised Nearest Neighbor Offline Training
      5.2.1.1 Brute Force Algorithm
      5.2.1.2 K-D tree
      5.2.1.3 Ball Tree Algorithm
    5.2.2 Experiments
6 CBAC Optimizing Strategies
  6.1 Content-Based Blocking
    6.1.1 Naive k-means Clustering
    6.1.2 The Advantage of Careful Seeding: k-means++
    6.1.3 Scaled k-means++ with mini-batch Strategy
    6.1.4 Experiments
  6.2 Content-based labeling
    6.2.1 Document labeling
    6.2.2 Soundness of CBAC Enforcement
    6.2.3 Experiments
7 Labeling Improvement with Multi-Label Learning (MLL)
  7.1 Motivation
  7.2 Problem Definition and Challenges
  7.3 Background
  7.4 Related Work
  7.5 Methodology
    7.5.1 Preliminary
    7.5.2 Objective Function
    7.5.3 Algorithm
  7.6 Experiment
    7.6.1 Data Set Statistics
    7.6.2 Comparison Methods
    7.6.3 Evaluation Metric
    7.6.4 Results
  7.7 Conclusion
8 Discussions
  8.1 Computational Complexity
  8.2 Negative Rules and Conflict Resolution
  8.3 CBAC for XML Data
9 Conclusion
A The Top 10 Words of Non-Negative Matrix Factorization

List of Figures

2.1 Selected Access Control Models (NIST (2009))
2.2 Access Control List
2.3 Capability List
2.4 Role-Based Access Control Model (Sandhu et al. (1996))
2.5 Risk-Adaptable Access Control Notional Process (McGraw (2009))
3.1 Plate Notation of Latent Dirichlet Allocation
3.2 Plate Notation of Smoothed Latent Dirichlet Allocation
3.3 TAGME Annotation Example
5.1 ABAC Efficiency with QUERY1
5.2 ABAC Efficiency with QUERY2
5.3 Threshold CBAC Efficiency with QUERY1
5.4 Threshold CBAC Efficiency with QUERY2
5.5 Threshold CBAC + ABAC Efficiency with QUERY1
5.6 Threshold CBAC + ABAC Efficiency with QUERY2
5.7 Top-10 CBAC Efficiency
5.8 2-D K-D Tree Subspace Splits
5.9 K-D Tree Example
5.10 Offline Efficiency
6.1 Threshold CBAC + Blocking Efficiency with QUERY1
6.2 Threshold CBAC + Blocking Efficiency with QUERY2
6.3 Threshold CBAC + ABAC + Blocking Efficiency with QUERY1
6.4 Threshold CBAC + ABAC + Blocking Efficiency with QUERY2
6.5 Top-10 CBAC + Blocking Efficiency
6.6 Soundness of CBAC Enforcement
6.7 Threshold CBAC + Labeling Efficiency with QUERY1
6.8 Threshold CBAC + Labeling Efficiency with QUERY2
6.9 Threshold CBAC + ABAC + Labeling Efficiency with QUERY1
6.10 Threshold CBAC + ABAC + Labeling Efficiency with QUERY2
6.11 Top-10 CBAC + Labeling Efficiency
6.12 Top-10 CBAC + Blocking + Labeling Efficiency
6.13 Density Fit
6.14 Cumulative Probability Fit
6.15 NMF 100 Density Fit
6.16 NMF 100 Cumulative Probability Fit
7.1 Scene of Sunset at Sea
7.2 Molecular Function Annotation of P75957

List of Tables

2.1 Access Control Matrix Example
2.2 VPD Function Example
2.3 VPD Policy Example
5.1 Schemas
5.2 Column Description
5.3 CBAC Top-10 Example
5.4 CBAC Threshold Example
7.1 Multi-Label Example
7.2 Binary Relevance Matrix Example
7.3 Label Power-Set Example
7.4 Label Power-Set Matrix Example
7.5 Statistics of Data Sets
7.6 Imbalance Rate (%)
7.7 Sample Sizes of Data Sets
7.8 Macro-Averaging F1 Measure (%) ↑
7.9 Micro-Averaging F1 Measure (%) ↑
7.10 Subset Accuracy (%) ↑
A.1 The Top 10 Words of Non-Negative Matrix Factorization with 10 Topics
A.2 The Top 10 Words of Non-Negative Matrix Factorization with 20 Topics
A.3 The Top 10 Words of Non-Negative Matrix Factorization with 50 Topics
A.4 The Top 10 Words of Non-Negative Matrix Factorization with 100 Topics

Chapter 1
Introduction

1.1 Introduction

Simply put, database access control models and enforcement mechanisms define and enforce who can access what. Here, who represents a set of users/roles, and what represents a set of data objects, e.g. tuples or XML nodes, attributes of SQL databases. In conventional database access control models, database administrators (DBAs) or data owners/users explicitly specify the access rights to each data object for each role by using GRANT or REVOKE on certain rights for each role. However, due to the exponential explosion of data, especially for content-centric data, such approaches may not be suitable or even practical. The reason for this is threefold. Firstly, it is determined by the characteristics of content-centric data. Content-centric data usually contains a lot of free text. For example, the electronic health record (EHR) is a content-centric kind of data. In an EHR, doctors, besides listing the basic information of patients (e.g. name, gender, age, etc.), describe the symptoms of every patient. Instead of choosing exact words to describe the patients’ symptoms, a doctor usually uses more descriptive ways to record the symptoms given by the patients. That is why EHR data is free text rather than formatted text. Free text, as the example shows, can express the same semantic meaning with different term distributions. Secondly, in a content-centric database, the data content is expected to play a role in making the access control decisions. Let’s continue on the EHR example.
Before reaching a conclusion on what the patient’s problem is, doctors might need to review other patients’ records with similar symptoms, especially for unusual diseases. For this kind of situation, it could be very difficult to explicitly describe access rights for very large amounts of data objects, especially when the decisions are based on content – it is too labor-intensive to require a system administrator to manually examine every record in the database and assign access rights to each user/role. Thirdly, in distributed and dynamic environments, it could be difficult to explicitly define access rights for every user from remote peers, e.g., an organization could easily develop new roles without notifying its collaborators, which happens a lot in information sharing. In this case, access control decisions could be based on the remote requestor’s knowledge that is dynamically submitted with every query. Meanwhile, in distributed information sharing, data owners may only want to share with people who contribute similar data, which might reveal that they have similar interests, due to the sensitivity of the data content, but they cannot specify access control rules unless they explore the content of others’ data. To further motivate this research, let us see the following examples:

Example 1: A law enforcement agency (e.g. FBI) holds a database of highly sensitive case records. A director Bob assigns a case to agent Alice for investigation. Naturally, the director also needs to grant Alice access to all related or similar cases. In this scenario, the concept of “related cases” is determined by the semantical content similarity of the records, which could be geological, temporal, modus operandi, or just the similarity in the textual description of the case records. Moreover, when new cases are added to the database, cases that are similar to Alice’s should be automatically made accessible to Alice, without requiring the director to further intervene. For example, newly added related cases could be a crucial key to the case being investigated. Unfortunately, in the existing database access control paradigm, this type of access control description is not supported. Meanwhile, it is too labor-intensive for the director to manually examine every record to grant/revoke access. In practice, the Multi-Level Security (MLS) model is often adopted and every agent is granted access to a large number of records – everything lower than or equal to his/her security level. Similarly, many content processing companies (e.g. survey processing and telemarketing firms) allow every employee to access all the (potentially sensitive) customer records in their databases, due to lack of capability to enforce access control based on the textual content of the records. In all these similar scenarios, information sharing could be either too conservative or abused because of unnecessary information leakage.

Example 2: In traditional subscription systems, users pay for access to entire periodicals. For instance, a researcher interested in “information security” may subscribe to IEEE Transactions on Knowledge and Data Engineering, though he is only interested in a small portion of the papers in the journal. An alternative approach would be that each user subscribes to a set of tags, and each paper (as a record in the database) is tagged by keywords. Thus, access control decisions could be made by matching the user’s tags with the paper’s tags. However, such an approach suffers from two serious drawbacks: (1) tag quality is essential to the approach, but quality control is a nontrivial problem; (2) the number of accessible papers could be too small or too large, for instance, a paper carrying a tag may be only slightly related to the tag topic. In a desired solution, the subscriber is expected to submit his interests as a textual description or identify some seed articles (e.g. his own papers), and then be granted access to articles with similar content. In the ideal solution, the granted access control policies based on content similarity would further improve the work efficiency of users based on qualified selective articles.

Example 3: In distributed information sharing scenarios, some data owners will only share their records with peers who contribute relevant data, so that the sharing is mutually beneficial. For instance, in a collaborative project with the Department of Public Administration studying citizen engagement, surveyees are found to be willing to share their opinions with others who have similar opinions. In this case, opinions are represented by a short paragraph of text. In other scientific research domains, we also see investigators sharing research data (in a shared and access-controlled repository) with colleagues who contribute similar data. Let us revisit Example 1: when the FBI collaborates with another law enforcement agency (say, CIA), they only share “related cases”, while the case relationships are assessed by semantical content similarity. Privacy-preserving similar document matching (Murugesan et al. (2010); Scannapieco et al. (2007)) has been used to identify and share similar documents. However, in the scenario that the FBI is willing to disclose cases that are similar to a known CIA case, an alternative solution is to employ database access control to allow the CIA to access the “similar cases”.

Example 4: Healthcare information sharing is strictly governed by HIPAA. Medical records are well protected by healthcare providers, and are only shared under very rigorous rules. However, within the facility, users (doctors, nurses, researchers) are often given broader access privileges, while ex post facto auditing is enforced to detect and punish misuse of the privileges (Appari & Johnson (2010); Malin et al. (2007); Boxwala et al. (2011); Rostad & Edsberg (2006)). Another thrust of solutions employs the break the glass (BTG) mechanism – to allow users to break access control rules in a controlled manner in special circumstances (Ferreira et al. (2006)). Additional auditing will be performed once a user invokes the BTG policy.

From the examples, we can see that conventional deterministic database access control models fall short in content-centric data sharing scenarios. In such cases, a new access control model is expected to emerge to meet the need of generating access decisions based on the semantical content similarity of the data. Another desirable capability of such a content-based access control model is that the similarity of semantical content should be measured as native functions provided by the RDBMS, requiring only minimal intervention from database administrators (DBAs). In this dissertation, we present a first attempt towards this endeavor: we present the content-based access control model and enforcement mechanisms, where access rights are granted based on the lexicon similarity between the requestor’s credentials and the requested records. The new model, as a complement to existing access control approaches, provides an effective and efficient means of access control that exploits content features in content-rich data sharing, and leads to a first effort to solve the difficulties in content-centric database access control in the big data era. In the dissertation, we explore the new needs of security and privacy in distributed information systems and decide to tackle such issues with innovative designs. Therefore, in the dissertation we formally propose a new data-driven access control model, called the content-based access control (CBAC) model, which exploits the data content to achieve more flexible and powerful access control semantics towards content-centric databases in information sharing.
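
The passage above grants access by the similarity between a requestor's credentials and each record, and Example 1 expects newly added similar cases to become accessible without manual grants. The following is an added illustration, not code from the dissertation: it assumes TF-IDF weighting with cosine similarity, and the sample records, credential text, stop-word list, threshold value and all function names are constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed sample data: case records keyed by row id (not from the dissertation).
RECORDS = {
    101: "Residential burglary at night, rear window forced, jewelry and cash stolen",
    102: "Burglary of a residence, window forced open, jewelry stolen while owners away",
    103: "Wire fraud scheme using forged invoices to divert company payments",
    104: "Narcotics trafficking across state border, vehicle search, cash seized",
}
# Constructed credential: the text of the case assigned to the requesting agent.
ALICE_CREDENTIAL = "Night burglary, forced rear window, stolen jewelry"

STOP_WORDS = {"a", "an", "and", "at", "of", "the", "to", "while", "using", "across"}


def tokenize(text):
    """Lowercase, split on non-letters, drop stop words."""
    return [t for t in re.findall(r"[a-z]+", text.lower()) if t not in STOP_WORDS]


def build_idf(records):
    """Smoothed inverse document frequency over the current table contents."""
    n = len(records)
    df = Counter()
    for text in records.values():
        df.update(set(tokenize(text)))
    return {term: math.log((1 + n) / (1 + d)) + 1.0 for term, d in df.items()}


def tfidf(text, idf):
    """Sparse TF-IDF vector; terms unseen in the table carry no weight."""
    counts = Counter(tokenize(text))
    return {t: c * idf[t] for t, c in counts.items() if t in idf}


def cosine(u, v):
    dot = sum(w * v.get(t, 0.0) for t, w in u.items())
    norm = math.sqrt(sum(w * w for w in u.values())) * math.sqrt(sum(w * w for w in v.values()))
    return dot / norm if norm else 0.0  # empty vector: no similarity, so no access


def similarities(credential, records):
    """Similarity of every row to the credential, computed at request time."""
    idf = build_idf(records)
    cred_vec = tfidf(credential, idf)
    return {rid: cosine(cred_vec, tfidf(text, idf)) for rid, text in records.items()}


def cbac_threshold(credential, records, threshold):
    """Rows whose similarity reaches the threshold; everything else is denied."""
    if not 0.0 < threshold <= 1.0:
        raise ValueError("threshold must be in (0, 1]; 0 would release every row")
    return {rid for rid, s in similarities(credential, records).items() if s >= threshold}


def cbac_top_k(credential, records, k):
    """The k most similar rows, never including rows with zero similarity."""
    ranked = sorted(similarities(credential, records).items(), key=lambda kv: (-kv[1], kv[0]))
    return [rid for rid, s in ranked[:k] if s > 0.0]


def enforce(query_result_ids, allowed_ids):
    """Row-wise enforcement: a query only returns rows inside the allowed subset."""
    return [rid for rid in query_result_ids if rid in allowed_ids]


if __name__ == "__main__":
    allowed = cbac_threshold(ALICE_CREDENTIAL, RECORDS, 0.3)
    print("threshold 0.3:", sorted(allowed))
    print("top-3:", cbac_top_k(ALICE_CREDENTIAL, RECORDS, 3))
    # A query for rows mentioning "cash" matches 101 and 104; only 101 is released.
    hits = [rid for rid, text in RECORDS.items() if "cash" in tokenize(text)]
    print("query hits released:", enforce(hits, allowed))
```

Because the similarities are recomputed per request, a burglary record inserted later falls inside the allowed subset without any new grant, while the fraud and narcotics rows stay denied.
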
CBAC is the first attempt to create an access control model that introduces the notion of approximate security, and it is capable of dealing with situations where explicit access control policies are not at all available. In CBAC, we decide to use machine learning methods (i.e. text mining techniques) for access control modeling and enforcement. By introducing these methods, the access control principle is translated into algorithm implementation, and in this sense, we aim to bring dynamic properties, automation and “intelligence” into access control models via all these techniques.

Chapter 2
Related Works

Computer technology has transformed people's daily life, including education, career life, and entertainment. It makes it convenient for people to seek information for knowledge, find jobs, and enjoy fancy music and films. Meanwhile, computer technology has also transformed the way of running companies, including hunting for suppliers with competing offers, collecting, storing and broadcasting information about their products, and maintaining their close work with clients. Not only has computer technology improved the efficiency of everyone’s daily life, it has also changed how information is created, processed, transferred, stored, and concealed. Nowadays, one of the most important security problems is to prevent unauthorized access to information, that is, to keep unauthorized people from accessing credential information they are NOT allowed to access. The common risks from unauthorized access include but are not limited to:

- Unauthorized disclosure of information
- Disruption of computer services
- Loss of productivity, which delays normal computer activities in time-critical applications
- Financial loss such as corruption of information or disruption of services
- Legal implications due to lawsuits from investors, customers, or the public
- Blackmail: intruders extort money from the company by threatening the security system

Figure 2.1: Selected Access Control Models (NIST (2009))

To avoid these risks, researchers developed different access control models to define the paradigm of who has the authority to access what. In this chapter, we select some common access control models for introduction. Figure 2.1 is modified from Figure 1 (NIST (2009)) to show the relationship among these models. We follow the list of access control models (NIST (2009)) and add more details about models which have a concrete mathematical definition.

Database access control research could be roughly categorized as access control models and access control enforcement. Relational access control models can be classified into: mandatory access control (Jajodia & Sandhu (1991); Sandhu (1993); Sandhu & Chen (1998); Winslett et al. (1994); McCune et al. (2006); Lindqvist (2006); Thuraisingham (2009); Upadhyaya (2011)), discretionary access control (DAC) (Moffett et al. (1990); Thomas et al. (1993); Ahn (2009); Li (2011); Downs et al. (1985)) and role-based access control (RBAC) (Ferraiolo et al. (2001); Osborn et al. (2000); Sandhu et al. (1996)).

Mandatory access control (MAC) emphasizes that only the database administrators have the authority to manage the access control policy and usage. These policies and usage cannot be modified by any users other than the administrators. Therefore, MAC is most often used in systems or databases when the highest priority is placed on confidentiality. The assignment and enforcement of access control policy under MAC models places strict restrictions on users. The dynamic alteration of any access control policy requires detailed investigation of the policy itself, done manually and purely by database administrators. One obvious shortcoming is that any update might introduce dilemmas in the entire set of access control policies. Also, frequent database updates will be labor-intensive for administrators. Another shortcoming of MAC is that it can be too protective, unnecessarily over-classifying data through “the high-water mark” principle and limiting the ability to transfer information between users and databases. On the other hand, most real-world RDBMSs implement a table/column-level DAC or RBAC similar to the one in System R (Griffiths & Wade (1976)).

Discretionary Access Control (DAC) is the type of access control where users have complete authority over all the data they own. They also have the authority to GRANT/REVOKE other users' access to their own data. DAC requires the permission assignment between users who hold the data and users who want to access the data. Thus, it is commonly known as the “need-to-know” model. Compared to MAC, DAC shows an obvious advantage in enabling fine-grained control over system or database objects. Data objects can have access control restrictions with the minimum rights needed. However, security policies are extremely difficult for DAC, as the access control right is owned by users. Compromised users could pass potential threats to the database and on to other users. Thus, DAC has a high potential for security problems.

Role-based access control (RBAC) is the type of access control model where users are first assigned to different roles according to different job functions in an enterprise, and then the permissions are not directly assigned to users but to roles. This is in contrast to the above two methods of access control, which GRANT/REVOKE user access on a rigid, object-by-object basis. In RBAC, users can easily be granted or revoked access when their work status changes. In large organizations, clustering many users into a single role allows much more convenient management. RBAC also integrates support for the least-privilege principle, duty separation, and central administration of role membership. Although RBAC shows a great advantage over the above two conventional access control models, it also has its own limitations. In large systems, role membership, hierarch

Reposted from: http://www.7daixie.com/2019042217731292.html
