Adaptive Trust Negotiation and Access Control, Tatyana Ryutov et al. Presented by: Carlos Caicedo.

Introduction
- Electronic business transactions
  - Parties in the transaction don't know each other
  - Attacks can be launched against the transaction (negotiation) infrastructure
- Trust is required for the transaction
  - For buyers: trust that sellers will provide the services, and that private buyer information is not disclosed
  - For sellers: trust that buyers will pay for the services and meet the conditions for buying certain goods (e.g. age)

Introduction (2)
- In an electronic business transaction, participants interact beyond their local security domain.
- Proposed framework: Adaptive Trust Negotiation and Access Control (ATNAC)
  - Combination of two systems into an access control architecture for electronic business services
  - TrustBuilder: determines how sensitive information is disclosed
  - GAA-API: provides adaptive access control

GAA-API: Generic Authorization and Access-control API
- Middleware API
- Fine-grained access control
- Application-level intrusion detection and response
- Can interact with Intrusion Detection Systems (IDS) to adapt to network threat conditions
- Does not support trust negotiation or protection of sensitive policies

GAA-API

TrustBuilder
- Trust negotiation system developed by BYU and UIUC
- Vulnerable to DoS attacks:
  - a large number of TN sessions sent to the server
  - having the server evaluate a very complex policy
  - having the server evaluate invalid or irrelevant credentials
- Vulnerable to attacks aimed at collecting sensitive information

ATNAC
- Combines an access control system and a TN system to avoid the problems that each has on its own
- Supports fine-grained adaptive policies
- Protection is based on the perceived suspicion level
- Uses feedback from IDS systems
- Reduces computational overhead by associating less restrictive policies with lower suspicion levels

ATNAC (2)
- GAA-API
  - Access control policies for resources, services and operations
  - Policies are expressed in EACL format
- TrustBuilder
  - Enforces sensitive security policies
  - Uses X.509v3 digital certificates
  - Uses TPL policies

ATNAC Framework

Suspicion Level
- Indicates how likely it is that the requester is acting improperly
- A separate SL is maintained for each requester of a service
- Has three components:
  - S_DoS: indicates the probability of a DoS attack from the requester
  - S_IL: for sensitive information leakage attempts
  - S_o: indicates other suspicious behavior
- SL is increased as suspicious events occur and decreased as "positive" events occur

ATNAC operation
- The Analyzer identifies requesters that generate unusually high numbers of similar requests and increments their S_DoS
- In a trust negotiation process, the credentials sent by the client must match the credentials requested by the system; otherwise S_DoS is set to 1
- If any of S_DoS, S_IL or S_o exceeds 0.9, the system blocks the requester at the firewall
- If S_IL exceeds a threshold, TrustBuilder imposes stricter sensitive-credential release policies
- As S_IL increases, GAA-API uses tighter access control policies
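The per-requester suspicion-level bookkeeping described in the two slides above, as an added example that is not part of the original presentation or of the ATNAC, GAA-API or TrustBuilder code. The 0.9 firewall threshold comes from the slides; the S_IL threshold, the request count treated as "unusually high", the step size and the reading of "credentials must match" are assumed values chosen for illustration.

```python
from dataclasses import dataclass, field
BLOCK_THRESHOLD = 0.9        # from the slides: any component above this blocks at the firewall
IL_STRICT_THRESHOLD = 0.5    # assumed: above this TrustBuilder imposes stricter release policies
SIMILAR_REQUEST_LIMIT = 5    # assumed: similar requests the Analyzer tolerates before raising S_DoS
STEP = 0.2                   # assumed: how far one suspicious or positive event moves a component
@dataclass
class SuspicionLevel:
    s_dos: float = 0.0   # probability of a DoS attack from this requester
    s_il: float = 0.0    # sensitive-information-leakage attempts
    s_o: float = 0.0     # other suspicious behaviour
@dataclass
class SuspicionTracker:
    """One SuspicionLevel per requester, updated from Analyzer and TrustBuilder events."""
    levels: dict = field(default_factory=dict)
    similar_counts: dict = field(default_factory=dict)
    def level(self, requester):
        return self.levels.setdefault(requester, SuspicionLevel())

    def on_request(self, requester, request_kind):
        # Analyzer rule: an unusually high number of similar requests increments S_DoS
        key = (requester, request_kind)
        self.similar_counts[key] = self.similar_counts.get(key, 0) + 1
        if self.similar_counts[key] > SIMILAR_REQUEST_LIMIT:
            sl = self.level(requester)
            sl.s_dos = min(1.0, sl.s_dos + STEP)

    def on_credentials(self, requester, requested, sent):
        # TN rule: credentials sent must match those requested, otherwise S_DoS = 1.
        # Assumed reading of "match": every credential type sent was actually requested.
        if not set(sent) <= set(requested):
            self.level(requester).s_dos = 1.0

    def on_leak_attempt(self, requester):
        # An attempt to extract sensitive information (e.g. a protected policy) raises S_IL
        sl = self.level(requester)
        sl.s_il = min(1.0, sl.s_il + STEP)

    def on_positive_event(self, requester):
        # "Positive" events, such as a cleanly completed negotiation, lower all components
        sl = self.level(requester)
        sl.s_dos, sl.s_il, sl.s_o = (max(0.0, x - STEP) for x in (sl.s_dos, sl.s_il, sl.s_o))

    def decide(self, requester):
        sl = self.level(requester)
        if max(sl.s_dos, sl.s_il, sl.s_o) > BLOCK_THRESHOLD:
            return "block_at_firewall"
        if sl.s_il > IL_STRICT_THRESHOLD:
            return "strict_policies"   # stricter release policy and tighter GAA-API policy
        return "normal_policies"
```

The decision tiers map directly onto the slide: a block at the firewall for any component above 0.9, stricter TrustBuilder release policies (and tighter GAA-API policies) once S_IL passes the threshold, and the less restrictive policies otherwise.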

ATNAC operation - example

Conclusions
- ATNAC = framework for protecting sensitive resources in e-commerce
- Trust negotiation is useful for access control and authentication
- ATNAC dynamically adjusts security policies based on the suspicion level
- The system protects against DoS attacks on the service provider
- Guards against sensitive information leaks