Tatyana Ryutov - Academia.edu (original) (raw)

Papers by Tatyana Ryutov

Research paper thumbnail of Access Control Policies for Semantic Networks

As web-based technologies mature, dynamic graphs of interlinked resources are replacing hierarchi... more As web-based technologies mature, dynamic graphs of interlinked resources are replacing hierarchical catalogs as means for storing and organizing information. Such graphs, or semantic networks, often span multiple static and dynamic resources from a variety of sources. It is often highly desirable to give users access only to parts of the semantic network without breaking its logical continuity or consistency. Traditional access control models, such as mandatory, discre-tionary and role-based access controls, are ill-suited for these new resource structures. New models that allow users to specify access rights in terms of semantic relationships between various objects within semantic networks are needed. In this paper we discuss requirements for an access control model for semantic networks and present our approach and an initial implementation. We also describe end user tools for policy specification and assessment.

Research paper thumbnail of A Socio-cognitive Approach to Modeling Policies in Open Environments

The richness of today's electronic communications mirrors physical world: activities such as shop... more The richness of today's electronic communications mirrors physical world: activities such as shopping, business and scientific collaboration are conducted online. Current interactions have become a form of social exchange where participants must deal with complexity, uncertainty and risk.

Research paper thumbnail of The Set and Function Approach to Modeling Authorization in Distributed Systems

We present a new model that provides clear and precise semantics for authorization. The semantics... more We present a new model that provides clear and precise semantics for authorization. The semantics is independent from underling security mechanisms and is separate from implementation. The model is capable of representing existing access control mechanisms. Our approach is based on set and function formalism. We focus our attention on identifying issues and use our model as a general basis to investigate the issues.

Research paper thumbnail of The Specification and Enforcement of Advanced Security Policies

In a distributed multi-user environment, the security policy must not only specify legitimate use... more In a distributed multi-user environment, the security policy must not only specify legitimate user privileges but also aid in the detection of the abuse of the privileges and adapt to perceived system threat conditions. This paper advocates extending authorization policy evaluation mechanisms with a means for generating audit data allowing immediate notification of suspicious application level activity. It additionally suggests that the evaluation of the policies themselves adapt to perceived network threat conditions, possibly affected by the receipt of such audit data by other processes.

Research paper thumbnail of An authorization framework for metacomputing applications

Cluster Computing, 1999

To span administrative boundaries, metacomputing systems require the integration of strong authen... more To span administrative boundaries, metacomputing systems require the integration of strong authentication and authorization methods. The problem is complicated because different components of the system may have different security policies. This paper presents a distributed model for authorization that we have integrated with the Prospero Resource Manager, a metacomputing resource allocation system developed at USC. The integration of authorization with PRM was accomplished through the specification of a policy language and the use of a Generic Authorization and Access-control API (GAA API). The language supports the specification of diverse authorization policies including ACLs, capabilities and lattice-based access controls. The GAA API provides a uniform authorization service interface for facilitating access control decisions and requesting authorization information about a particular resource. We describe a prototype of our system.

Research paper thumbnail of Gaps in Pediatric Disaster Preparedness in a Hospital Network

Journal of Surgical Research, 2010

Research paper thumbnail of Establishing agreements in dynamic virtual organizations

We present a framework that introduces key concepts relevant to agreement negotiation in Virtual ... more We present a framework that introduces key concepts relevant to agreement negotiation in Virtual Organizations (VO). The framework serves as a foundation for implementing an automated system that facilitates the establishment of VO agreements, considerably reduces the effort for setting up a VO and consequently reduces the VO's time for operation. The framework captures the relationship between the initial participants' behaviors, expectations, obligations and agreements, making sure that in implementing a system, one does not overlook the important aspects of the agreement structure and negotiation. The framework can be used to validate a negotiation, ensure validity of the achieved agreement and form strategies for future negotiations. A novel aspect of the initial trust establishment described in this paper is the consideration of the effects of the participants' behaviors during the negotiation process on mutual trust. We use the concepts to describe our work-in-progress for specification and negotiation of the agreements that govern the behavior of VO entities.

Research paper thumbnail of Authorization for Metacomputing Applications

One of the most difficult problems to be solved by metacomputing systems is to ensure strong auth... more One of the most difficult problems to be solved by metacomputing systems is to ensure strong authentication and authorization. The problem is complicated since the hosts involved in a metacomputing environment often span multiple administrative domains, each with its own security policy. This paper presents a distributed authorization model used by our resource allocation system, the Prospero Resource Manager . The main components of our design are Extended Access Control Lists, EACLs, and a General Authorization and Access API, GAA API. EACLs extend conventional ACLs to allow conditional restrictions on access rights. In the case of the Prospero Resource Manager, specific restrictions include limits on the computational resources to be consumed and on the characteristics of the applications to be executed by the system, such as name, version or endorser. The GAA API provides a general framework for applications to access the EACLs. We have built a prototype of the system.

Research paper thumbnail of Representation and evaluation of security policies (poster session

Operating Systems Review, 2000

We present a new model for authorization that integrates both local and distributed access contro... more We present a new model for authorization that integrates both local and distributed access control policies and that is extensible across applications and administrative domains. We introduce a general mechanism that is capable of implementing several security policies including role-based access control, Clark-Wilson, ACLs, capabilities, and lattice-based access controls. The Generic Authorization and Access-control API (GAA API) provides a generic framework by which applications facilitate access control decisions and request authorization information about a particular resource. We have integrated our system with the Prospero Resource Manager and Globus Security Infrastructure. © eacl entry eacl entry ::= access id © access id pos access rights © condition © pos access rights © condition | access id © access id neg access rights access id ::= © condition © pos access rights © condiction grantor id ::=

Research paper thumbnail of Access control framework for distributed applications

Research paper thumbnail of Integrated Access Control and Intrusion Detection for Web Servers

IEEE Transactions on Parallel and Distributed Systems, 2003

Current intrusion detection systems work in isolation from access control for the application the... more Current intrusion detection systems work in isolation from access control for the application the systems aim to protect. The lack of coordination and inter-operation between these components prevents detecting and responding to ongoing attacks in real time, before they cause damage. To address this, we apply dynamic authorization techniques to support fine-grained access control and application level intrusion detection and response capabilities. This paper describes our experience with integration of the Generic Authorization and Access Control API (GAA-API) to provide dynamic intrusion detection and response for the Apache Web Server. The GAA-API is a generic interface which may be used to enable such dynamic authorization and intrusion response capabilities for many applications.

Research paper thumbnail of Integrated Access Control and Intrusion Detection (IACID) Framework for Secure Grid Computing

Traditional Intrusion Detection Systems (IDSs) work in isolation from access control for the appl... more Traditional Intrusion Detection Systems (IDSs) work in isolation from access control for the application the systems aim to protect. The lack of coordination and inter-operation between these components prevents detecting sophisticated attacks and responding to ongoing attacks in real time, before they cause damage. Another disadvantage is a large number of false positives. Reports of attacks can trigger response actions (e.g., termination of the offending connections). Thus an inaccurate IDS decision may result in disruption of service to legitimate users. Therefore, successful intrusion detection requires accurate and efficient models for analyzing application, system and network audit data and real time response to the attacks.

Research paper thumbnail of Representation and evaluation of security policies

Operating Systems Review, 2000

We present a new model for authorization that integrates both local and distributed access contro... more We present a new model for authorization that integrates both local and distributed access control policies and that is extensible across applications and administrative domains. We introduce a general mechanism that is capable of implementing several security policies including role-based access control, Clark-Wilson, ACLs, capabilities, and lattice-based access controls. The Generic Authorization and Access-control API (GAA API) provides a generic framework by which applications facilitate access control decisions and request authorization information about a particular resource. We have integrated our system with the Prospero Resource Manager and Globus Security Infrastructure. © eacl entry eacl entry ::= access id © access id pos access rights © condition © pos access rights © condition | access id © access id neg access rights access id ::= © condition © pos access rights © condiction grantor id ::=

Research paper thumbnail of Integrated access control and intrusion detection for Web Servers

Current intrusion detection systems work in isolation front access control for the application th... more Current intrusion detection systems work in isolation front access control for the application the systems aim to protect. The lack of coordination and inter-operation between these components prevents detecting and responding to ongoing attacks in real time, before they cause damage. To address this, we apply dynamic authorization techniques to support fine-grained access control and application level intrusion detection and response capabilities. This paper describes our experience with integration of the Generic Authorization and Access Control API (GAA-API) to provide dynamic intrusion detection and response for the Apache Web Server The GAA-API is a generic interface which may be used to enable such dynamic authorization and intrusion response capabilities for many applications.

Research paper thumbnail of Representation and evaluation of security policies for distributed system services

We present a new model for authorization that integrates both local and distributed access contro... more We present a new model for authorization that integrates both local and distributed access control policies and that is extensible across applications and administrative domains. We introduce a general mechanism that is capable of implementing several security policies including role-based access control, Clark-Wilson, ACLs, capabilities, and lattice-based access controls. The Generic Authorization and Access-control API (GAA API) provides a generic framework by which applications facilitate access control decisions and request authorization information about a particular resource. We have integrated our system with the Prospero Resource Manager and Globus Security Infrastructure. © eacl entry eacl entry ::= access id © access id pos access rights © condition © pos access rights © condition | access id © access id neg access rights access id ::= © condition © pos access rights © condiction grantor id ::=

Research paper thumbnail of Public key cryptography for cross-realm authentication in Kerberos

Research paper thumbnail of Dynamic Authorization and Intrusion Response in Distributed Systems

This paper¢ presents an authorization framework for supporting fine-grained access control polici... more This paper¢ presents an authorization framework for supporting fine-grained access control policies enhanced with light-weight intrusion/misuse detectors and response capabilities. The framework intercepts and analyzes access requests and dynamically adjusts security policies to prevent attackers from exploiting application level vulnerabilities.

Research paper thumbnail of Adaptive trust negotiation and access control for grids

Electronic transactions regularly occur between business partners in separate security domains. T... more Electronic transactions regularly occur between business partners in separate security domains. Trust negotiation is an approach that provides an open authentication and access-control environment for such transactions, but it is vulnerable to malicious attacks leading to denial of service or leakage of sensitive information. This paper introduces an Adaptive Trust Negotiation and Access Control (ATNAC) framework to solve these problems. The framework combines two existing systems, TrustBuilder and GAA-API, to create a system with more flexibility and responsiveness to attack than either system currently provides.

Research paper thumbnail of 2008 IEEE International Conference on Technologies for Homeland Security SFINKS: Secure Focused Information, News, and Knowledge Sharing

Cross-agency collaboration and sharing of digital data is critical to respond to or prevent threa... more Cross-agency collaboration and sharing of digital data is critical to respond to or prevent threats to U.S. interests. While traditional hierarchical information sharing approaches ensure that only relevant information is delivered to authorized nodes, the resulting organizational overhead severely impedes timely sharing of critical information. Although alternative approaches to secure data release have previously been proposed, they all have had severe practical limitations. Initial SFINKS implementation is deployed within Risk Analysis Workbench -a collaborative information sharing environment.

Research paper thumbnail of Planning to Discover and Counteract Attacks

Informatica (slovenia), 2010

A major function of a security analyst is to analyze collected intelligence looking for plans, as... more A major function of a security analyst is to analyze collected intelligence looking for plans, associated events, or other evidence that may identify an adversary's intent. Armed with this knowledge, the analyst then develops potential responses (e.g., countermeasures) to deter the discovered plan or plans, weighs their strengths and weaknesses (e.g., collateral damage) and then makes a recommendation for action. Unfortunately, the collected intelligence is typically sparse and it is not possible for the analyst to initially discover the adversary's specific intent. Under these circumstances, the analyst is forced to look at the range of possible plans/actions an adversary may take. The full range of potential attack scenarios is too rich to generate manually. Its complexity also bars direct analysis and evaluation of the potential impact of alternative actions and countermeasures. To address these issues, we are developing a set of tools that exhibit the following features/capabilities:  Using available partial plan segments (referred to as snippets), construct multiple feasible scenarios/pathways that an adversary may take to reach an identifiable end goal  Provide visual tools for exploring sets of possible scenarios under various observables, importance, and likelihood conditions, helping the analyst generate information probes, actions and countermeasures  Compare the potential impact of alternative data probes, actions and countermeasures on an adversary's actions by assessing their discrimination/attack mitigation potential and possible sideeffects  Automatically suggest potential data probes, actions and countermeasures based on partial understanding of the adversary's plan and given observable activity These tools can provide decision support for many different domains, including terrorist activity recognition and network intrusion detection.

Research paper thumbnail of Access Control Policies for Semantic Networks

As web-based technologies mature, dynamic graphs of interlinked resources are replacing hierarchi... more As web-based technologies mature, dynamic graphs of interlinked resources are replacing hierarchical catalogs as means for storing and organizing information. Such graphs, or semantic networks, often span multiple static and dynamic resources from a variety of sources. It is often highly desirable to give users access only to parts of the semantic network without breaking its logical continuity or consistency. Traditional access control models, such as mandatory, discre-tionary and role-based access controls, are ill-suited for these new resource structures. New models that allow users to specify access rights in terms of semantic relationships between various objects within semantic networks are needed. In this paper we discuss requirements for an access control model for semantic networks and present our approach and an initial implementation. We also describe end user tools for policy specification and assessment.

Research paper thumbnail of A Socio-cognitive Approach to Modeling Policies in Open Environments

The richness of today's electronic communications mirrors physical world: activities such as shop... more The richness of today's electronic communications mirrors physical world: activities such as shopping, business and scientific collaboration are conducted online. Current interactions have become a form of social exchange where participants must deal with complexity, uncertainty and risk.

Research paper thumbnail of The Set and Function Approach to Modeling Authorization in Distributed Systems

We present a new model that provides clear and precise semantics for authorization. The semantics... more We present a new model that provides clear and precise semantics for authorization. The semantics is independent from underling security mechanisms and is separate from implementation. The model is capable of representing existing access control mechanisms. Our approach is based on set and function formalism. We focus our attention on identifying issues and use our model as a general basis to investigate the issues.

Research paper thumbnail of The Specification and Enforcement of Advanced Security Policies

In a distributed multi-user environment, the security policy must not only specify legitimate use... more In a distributed multi-user environment, the security policy must not only specify legitimate user privileges but also aid in the detection of the abuse of the privileges and adapt to perceived system threat conditions. This paper advocates extending authorization policy evaluation mechanisms with a means for generating audit data allowing immediate notification of suspicious application level activity. It additionally suggests that the evaluation of the policies themselves adapt to perceived network threat conditions, possibly affected by the receipt of such audit data by other processes.

Research paper thumbnail of An authorization framework for metacomputing applications

Cluster Computing, 1999

To span administrative boundaries, metacomputing systems require the integration of strong authen... more To span administrative boundaries, metacomputing systems require the integration of strong authentication and authorization methods. The problem is complicated because different components of the system may have different security policies. This paper presents a distributed model for authorization that we have integrated with the Prospero Resource Manager, a metacomputing resource allocation system developed at USC. The integration of authorization with PRM was accomplished through the specification of a policy language and the use of a Generic Authorization and Access-control API (GAA API). The language supports the specification of diverse authorization policies including ACLs, capabilities and lattice-based access controls. The GAA API provides a uniform authorization service interface for facilitating access control decisions and requesting authorization information about a particular resource. We describe a prototype of our system.

Research paper thumbnail of Gaps in Pediatric Disaster Preparedness in a Hospital Network

Journal of Surgical Research, 2010

Research paper thumbnail of Establishing agreements in dynamic virtual organizations

We present a framework that introduces key concepts relevant to agreement negotiation in Virtual ... more We present a framework that introduces key concepts relevant to agreement negotiation in Virtual Organizations (VO). The framework serves as a foundation for implementing an automated system that facilitates the establishment of VO agreements, considerably reduces the effort for setting up a VO and consequently reduces the VO's time for operation. The framework captures the relationship between the initial participants' behaviors, expectations, obligations and agreements, making sure that in implementing a system, one does not overlook the important aspects of the agreement structure and negotiation. The framework can be used to validate a negotiation, ensure validity of the achieved agreement and form strategies for future negotiations. A novel aspect of the initial trust establishment described in this paper is the consideration of the effects of the participants' behaviors during the negotiation process on mutual trust. We use the concepts to describe our work-in-progress for specification and negotiation of the agreements that govern the behavior of VO entities.

Research paper thumbnail of Authorization for Metacomputing Applications

One of the most difficult problems to be solved by metacomputing systems is to ensure strong auth... more One of the most difficult problems to be solved by metacomputing systems is to ensure strong authentication and authorization. The problem is complicated since the hosts involved in a metacomputing environment often span multiple administrative domains, each with its own security policy. This paper presents a distributed authorization model used by our resource allocation system, the Prospero Resource Manager . The main components of our design are Extended Access Control Lists, EACLs, and a General Authorization and Access API, GAA API. EACLs extend conventional ACLs to allow conditional restrictions on access rights. In the case of the Prospero Resource Manager, specific restrictions include limits on the computational resources to be consumed and on the characteristics of the applications to be executed by the system, such as name, version or endorser. The GAA API provides a general framework for applications to access the EACLs. We have built a prototype of the system.

Research paper thumbnail of Representation and evaluation of security policies (poster session

Operating Systems Review, 2000

We present a new model for authorization that integrates both local and distributed access contro... more We present a new model for authorization that integrates both local and distributed access control policies and that is extensible across applications and administrative domains. We introduce a general mechanism that is capable of implementing several security policies including role-based access control, Clark-Wilson, ACLs, capabilities, and lattice-based access controls. The Generic Authorization and Access-control API (GAA API) provides a generic framework by which applications facilitate access control decisions and request authorization information about a particular resource. We have integrated our system with the Prospero Resource Manager and Globus Security Infrastructure. © eacl entry eacl entry ::= access id © access id pos access rights © condition © pos access rights © condition | access id © access id neg access rights access id ::= © condition © pos access rights © condiction grantor id ::=

Research paper thumbnail of Access control framework for distributed applications

Research paper thumbnail of Integrated Access Control and Intrusion Detection for Web Servers

IEEE Transactions on Parallel and Distributed Systems, 2003

Current intrusion detection systems work in isolation from access control for the application the... more Current intrusion detection systems work in isolation from access control for the application the systems aim to protect. The lack of coordination and inter-operation between these components prevents detecting and responding to ongoing attacks in real time, before they cause damage. To address this, we apply dynamic authorization techniques to support fine-grained access control and application level intrusion detection and response capabilities. This paper describes our experience with integration of the Generic Authorization and Access Control API (GAA-API) to provide dynamic intrusion detection and response for the Apache Web Server. The GAA-API is a generic interface which may be used to enable such dynamic authorization and intrusion response capabilities for many applications.

Research paper thumbnail of Integrated Access Control and Intrusion Detection (IACID) Framework for Secure Grid Computing

Traditional Intrusion Detection Systems (IDSs) work in isolation from access control for the appl... more Traditional Intrusion Detection Systems (IDSs) work in isolation from access control for the application the systems aim to protect. The lack of coordination and inter-operation between these components prevents detecting sophisticated attacks and responding to ongoing attacks in real time, before they cause damage. Another disadvantage is a large number of false positives. Reports of attacks can trigger response actions (e.g., termination of the offending connections). Thus an inaccurate IDS decision may result in disruption of service to legitimate users. Therefore, successful intrusion detection requires accurate and efficient models for analyzing application, system and network audit data and real time response to the attacks.

Research paper thumbnail of Representation and evaluation of security policies

Operating Systems Review, 2000

We present a new model for authorization that integrates both local and distributed access contro... more We present a new model for authorization that integrates both local and distributed access control policies and that is extensible across applications and administrative domains. We introduce a general mechanism that is capable of implementing several security policies including role-based access control, Clark-Wilson, ACLs, capabilities, and lattice-based access controls. The Generic Authorization and Access-control API (GAA API) provides a generic framework by which applications facilitate access control decisions and request authorization information about a particular resource. We have integrated our system with the Prospero Resource Manager and Globus Security Infrastructure. © eacl entry eacl entry ::= access id © access id pos access rights © condition © pos access rights © condition | access id © access id neg access rights access id ::= © condition © pos access rights © condiction grantor id ::=

Research paper thumbnail of Integrated access control and intrusion detection for Web Servers

Current intrusion detection systems work in isolation front access control for the application th... more Current intrusion detection systems work in isolation front access control for the application the systems aim to protect. The lack of coordination and inter-operation between these components prevents detecting and responding to ongoing attacks in real time, before they cause damage. To address this, we apply dynamic authorization techniques to support fine-grained access control and application level intrusion detection and response capabilities. This paper describes our experience with integration of the Generic Authorization and Access Control API (GAA-API) to provide dynamic intrusion detection and response for the Apache Web Server The GAA-API is a generic interface which may be used to enable such dynamic authorization and intrusion response capabilities for many applications.

Research paper thumbnail of Representation and evaluation of security policies for distributed system services

We present a new model for authorization that integrates both local and distributed access contro... more We present a new model for authorization that integrates both local and distributed access control policies and that is extensible across applications and administrative domains. We introduce a general mechanism that is capable of implementing several security policies including role-based access control, Clark-Wilson, ACLs, capabilities, and lattice-based access controls. The Generic Authorization and Access-control API (GAA API) provides a generic framework by which applications facilitate access control decisions and request authorization information about a particular resource. We have integrated our system with the Prospero Resource Manager and Globus Security Infrastructure. © eacl entry eacl entry ::= access id © access id pos access rights © condition © pos access rights © condition | access id © access id neg access rights access id ::= © condition © pos access rights © condiction grantor id ::=

Research paper thumbnail of Public key cryptography for cross-realm authentication in Kerberos

Research paper thumbnail of Dynamic Authorization and Intrusion Response in Distributed Systems

This paper¢ presents an authorization framework for supporting fine-grained access control polici... more This paper¢ presents an authorization framework for supporting fine-grained access control policies enhanced with light-weight intrusion/misuse detectors and response capabilities. The framework intercepts and analyzes access requests and dynamically adjusts security policies to prevent attackers from exploiting application level vulnerabilities.

Research paper thumbnail of Adaptive trust negotiation and access control for grids

Electronic transactions regularly occur between business partners in separate security domains. T... more Electronic transactions regularly occur between business partners in separate security domains. Trust negotiation is an approach that provides an open authentication and access-control environment for such transactions, but it is vulnerable to malicious attacks leading to denial of service or leakage of sensitive information. This paper introduces an Adaptive Trust Negotiation and Access Control (ATNAC) framework to solve these problems. The framework combines two existing systems, TrustBuilder and GAA-API, to create a system with more flexibility and responsiveness to attack than either system currently provides.

Research paper thumbnail of 2008 IEEE International Conference on Technologies for Homeland Security SFINKS: Secure Focused Information, News, and Knowledge Sharing

Cross-agency collaboration and sharing of digital data is critical to respond to or prevent threa... more Cross-agency collaboration and sharing of digital data is critical to respond to or prevent threats to U.S. interests. While traditional hierarchical information sharing approaches ensure that only relevant information is delivered to authorized nodes, the resulting organizational overhead severely impedes timely sharing of critical information. Although alternative approaches to secure data release have previously been proposed, they all have had severe practical limitations. Initial SFINKS implementation is deployed within Risk Analysis Workbench -a collaborative information sharing environment.

Research paper thumbnail of Planning to Discover and Counteract Attacks

Informatica (slovenia), 2010

A major function of a security analyst is to analyze collected intelligence looking for plans, as... more A major function of a security analyst is to analyze collected intelligence looking for plans, associated events, or other evidence that may identify an adversary's intent. Armed with this knowledge, the analyst then develops potential responses (e.g., countermeasures) to deter the discovered plan or plans, weighs their strengths and weaknesses (e.g., collateral damage) and then makes a recommendation for action. Unfortunately, the collected intelligence is typically sparse and it is not possible for the analyst to initially discover the adversary's specific intent. Under these circumstances, the analyst is forced to look at the range of possible plans/actions an adversary may take. The full range of potential attack scenarios is too rich to generate manually. Its complexity also bars direct analysis and evaluation of the potential impact of alternative actions and countermeasures. To address these issues, we are developing a set of tools that exhibit the following features/capabilities:  Using available partial plan segments (referred to as snippets), construct multiple feasible scenarios/pathways that an adversary may take to reach an identifiable end goal  Provide visual tools for exploring sets of possible scenarios under various observables, importance, and likelihood conditions, helping the analyst generate information probes, actions and countermeasures  Compare the potential impact of alternative data probes, actions and countermeasures on an adversary's actions by assessing their discrimination/attack mitigation potential and possible sideeffects  Automatically suggest potential data probes, actions and countermeasures based on partial understanding of the adversary's plan and given observable activity These tools can provide decision support for many different domains, including terrorist activity recognition and network intrusion detection.