More Like this

1. Hybrid Approaches (ABAC and RBAC) Toward Secure Access Control in Smart Home IoT

   Safwa Ameer, James Benson ( October 2022 , IEEE transactions on dependable and secure computing)

   Smart homes are interconnected homes in which a wide variety of digital devices with limited resources communicate with multiple users and among themselves using multiple protocols. The deployment of resource-limited devices and the use of a wide range of technologies expand the attack surface and position the smart home as a target for many potential security threats. Access control is among the top security challenges in smart home IoT. Several access control models have been developed or adapted for IoT in general, with a few specifically designed for the smart home IoT domain. Most of these models are built on the role-based access control (RBAC) model or the attribute-based access control (ABAC) model. However, recently some researchers demonstrated that the need arises for a hybrid model combining ABAC and RBAC, thereby incorporating the benefits of both models to better meet IoT access control challenges in general and smart homes requirements in particular. In this paper, we used two approaches to develop two different hybrid models for smart home IoT. We followed a role-centric approach and an attribute-centric approach to develop HyBAC RC and HyBAC AC , respectively. We formally define these models and illustrate their features through a use case scenario demonstration. We further provide a proof-of-concept implementation for each model in Amazon Web Services (AWS) IoT platform. Finally, we conduct a theoretical comparison between the two models proposed in this paper in addition to the EGRBAC model (RBAC model for smart home IoT) and HABAC model (ABAC model for smart home IoT), which were previously developed to meet smart homes’ challenges. 

   more » « less
2. An Attribute-Based Approach toward a Secured Smart-Home IoT Access Control and a Comparison with a Role-Based Approach

   https://doi.org/10.3390/info13020060  

   Ameer, Safwa ; Benson, James ; Sandhu, Ravi ( February 2022 , Information)

   The area of smart homes is one of the most popular for deploying smart connected devices. One of the most vulnerable aspects of smart homes is access control. Recent advances in IoT have led to several access control models being developed or adapted to IoT from other domains, with few specifically designed to meet the challenges of smart homes. Most of these models use role-based access control (RBAC) or attribute-based access control (ABAC) models. As of now, it is not clear what the advantages and disadvantages of ABAC over RBAC are in general, and in the context of smart-home IoT in particular. In this paper, we introduce HABACα, an attribute-based access control model for smart-home IoT. We formally define HABACα and demonstrate its features through two use-case scenarios and a proof-of-concept implementation. Furthermore, we present an analysis of HABACα as compared to the previously published EGRBAC (extended generalized role-based access control) model for smart-home IoT by first describing approaches for constructing HABACα specification from EGRBAC and vice versa in order to compare the theoretical expressiveness power of these models, and second, analyzing HABACα and EGRBAC models against standard criteria for access control models. Our findings suggest that a hybrid model that combines both HABACα and EGRBAC capabilities may be the most suitable for smart-home IoT, and probably more generally. 

   more » « less
3. Access Control in the Era of Big-Data Driven Models and Simulations

   Tall, Anne ; Zou, Cliff ; Wang, Jun ( December 2019 , Interservice/Industry Training, Simulation and Education Conference (I/ITSEC))

   In today's mobile-first, cloud-enabled world, where simulation-enabled training is designed for use anywhere and from multiple different types of devices, new paradigms are needed to control access to sensitive data. Large, distributed data sets sourced from a wide-variety of sensors require advanced approaches to authorizations and access control (AC). Motivated by large-scale, publicized data breaches and data privacy laws, data protection policies and fine-grained AC mechanisms are an imperative in data intensive simulation systems. Although the public may suffer security incident fatigue, there are significant impacts to corporations and government organizations in the form of settlement fees and senior executive dismissal. This paper presents an analysis of the challenges to controlling access to big data sets. Implementation guidelines are provided based upon new attribute-based access control (ABAC) standards. Best practices start with AC for the security of large data sets processed by models and simulations (M&S). Currently widely supported eXtensible Access Control Markup Language (XACML) is the predominant framework for big data ABAC. The more recently developed Next Generation Access Control (NGAC) standard addresses additional areas in securing distributed, multi-owner big data sets. We present a comparison and evaluation of standards and technologies for different simulation data protection requirements. A concrete example is included to illustrate the differences. The example scenario is based upon synthetically generated very sensitive health care data combined with less sensitive data. This model data set is accessed by representative groups with a range of trust from highly-trusted roles to general users. The AC security challenges and approaches to mitigate risk are discussed. 

   more » « less
4. Attributes Aware Relationship-based Access Control for Smart IoT Systems

   Lopamudra Praharaj ; Safwa Ameer ; Maanak Gupta ; Ravi Sandhu ( December 2022 , 2022 IEEE 8th International Conference on Collaboration and Internet Computing (CIC))

   The pervasive nature of smart connected devices has intruded on our daily lives and has become an intrinsic part of our world. However, the wide use of the Internet of Things (IoT) in critical application domains has raised concerns for user privacy and security against growing cyber threats. In particular, the implications of cyber exploitation for IoT devices are beyond financial losses and could constitute risks to human life. Most deployed access control solutions for smart IoT systems do not offer policy individualization, the ability to specify or change the policy according to the individual user’s preference. As a result, currently deployed systems are not well suited to specify access control policies in a multi-user environment, where users access the same devices to perform different operations. The system’s security gets tricky when the smart ecosystem involves complicated social relationships, much like in a smart home. Relationship-based access control (ReBAC), widely used in online social networks, offers the ability to consider user relationships in defining access control decisions and supports policy individualization. However, to the best of our knowledge, no such attempt has been made to develop a formal ReBAC model for smart IoT systems. This paper proposes a ReBAC IoT dynamic and fine-grained access control model which considers the social relationships among users along with the attributes to support an attributes-aware relationship-based access control model for smart IoT systems. ReBAC IoT is formally defined, illustrated through different use cases, implemented, and tested. 

   more » « less
5. Attributes Aware Relationship-based Access Control for Smart IoT Systems

   Lopamudra Praharaj ; Safwa Ameer ; Maanak Gupta ; Ravi Sandhu ( December 2022 , 2022 IEEE 8th International Conference on Collaboration and Internet Computing (CIC))

   The pervasive nature of smart connected devices has intruded on our daily lives and has become an intrinsic part of our world. However, the wide use of the Internet of Things (IoT) in critical application domains has raised concerns for user privacy and security against growing cyber threats. In particular, the implications of cyber exploitation for IoT devices are beyond financial losses and could constitute risks to human life. Most deployed access control solutions for smart IoT systems do not offer policy individualization, the ability to specify or change the policy according to the individual user’s preference. As a result, currently deployed systems are not well suited to specify access control policies in a multi-user environment, where users access the same devices to perform different operations. The system’s security gets tricky when the smart ecosystem involves complicated social relationships, much like in a smart home. Relationship-based access control (ReBAC), widely used in online social networks, offers the ability to consider user relationships in defining access control decisions and supports policy individualization. However, to the best of our knowledge, no such attempt has been made to develop a formal ReBAC model for smart IoT systems. This paper proposes a ReBAC IoT dynamic and fine-grained access control model which considers the social relationships among users along with the attributes to support an attributes-aware relationship-based access control model for smart IoT systems. ReBAC IoT is formally defined, illustrated through different use cases, implemented, and tested. 

   more » « less