Enhancing Usage Control for Performance: An Architecture for Systems of Systems

  • Vasileios GkioulosEmail author
  • Athanasios RizosEmail author
  • Christina MichailidouEmail author
  • Paolo Mori
  • Andrea Saracino
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11387)


The distributiveness and heterogeneity of today’s systems of systems, such as the Internet of Things (IoT), on-line banking systems, and contemporary emergency information systems, require the integration of access and usage control mechanisms, for managing the right of access both to the corresponding services, and the plethora of information that is generated in a daily basis. Usage Control (UCON) is such a mechanism, allowing the fine-grained policy based management of system resources, based on dynamic monitoring and evaluation of object, subject, and environmental attributes. Yet, as we presented in an earlier article, a number of improvements can be introduced to the standard model regarding its resilience on active attacks, the simplification of the policy writing, but also in terms of run-time efficiency and scalability. In this article, we present an enhanced usage control architecture, that was developed for tackling the aforementioned issues. In order to achieve that, a dynamic role allocation system will be added to the existing architecture, alongside with a service grouping functionality which will be based on attribute aggregation. This is structured in accordance to a risk-based framework, which has been developed in order to aggregate the risk values that the individual attributes encapsulate into a unified risk value. These architectural enhancements are utilized in order to improve the resilience, scalability, and run-time efficiency of the existing model.


Access control Internet of Things Security architecture Systems of systems Usage control 



This work has been partially funded by EU Funded project H2020 NeCS, GA #675320.


  1. 1.
    Colombo, M., Lazouski, A., Martinelli, F., Mori, P.: A proposal on enhancing XACML with continuous usage control features. In: Desprez, F., Getov, V., Priol, T., Yahyapour, R. (eds.) Grids, P2P and Services Computing, pp. 133–146. Springer, Boston (2010). Scholar
  2. 2.
    De Capitani di Vimercati, S., Samarati, P., Jajodia, S.: Policies, models, and languages for access control. In: Bhalla, S. (ed.) DNIS 2005. LNCS, vol. 3433, pp. 225–237. Springer, Heidelberg (2005). Scholar
  3. 3.
    Gkioulos, V., Rizos, A., Michailidou, C., Martinelli, F., Mori, P.: Enhancing usage control for performance: a proposal for systems of systems. In: The International Conference on High Performance Computing and Simulation, HPCS 2018 (2018, To Appear)Google Scholar
  4. 4.
    Hu, V.C., et al.: Guide to attribute based access control (ABAC) definition and considerations. National Institute of Standards and Technology (NIST) Special Publication, 800(162) (2013)Google Scholar
  5. 5.
    La Marra, A., Martinelli, F., Mori, P., Rizos, A., Saracino, A.: Improving MQTT by inclusion of usage control. In: Wang, G., Atiquzzaman, M., Yan, Z., Choo, K.-K.R. (eds.) SpaCCS 2017. LNCS, vol. 10656, pp. 545–560. Springer, Cham (2017). Scholar
  6. 6.
    Lazouski, A., Martinelli, F., Mori, P.: Survey: usage control in computer security: a survey. Comput. Sci. Rev. 4(2), 81–99 (2010)CrossRefGoogle Scholar
  7. 7.
    Lazouski, A., Martinelli, F., Mori, P., Saracino, A.: Stateful data usage control for android mobile devices. Int. J. Inf. Secur. 16(4), 1–25 (2016)Google Scholar
  8. 8.
    Martinelli, F., Michailidou, C., Mori, P., Saracino, A.: Too long, did not enforce: a qualitative hierarchical risk-aware data usage control model for complex policies in distributed environments. In: Proceedings of the 4th ACM Workshop on Cyber-Physical System Security, CPSS@AsiaCCS 2018, 04–08 June 2018, Incheon, Republic of Korea, pp. 27–37 (2018)Google Scholar
  9. 9.
    Moore, B., Ellesson, E., Strassner, J., Westerinen, A.: RFC 3060: Policy Core Information Model - Version 1 Specification, February 2001Google Scholar
  10. 10.
    O’Connor, A.C., Loomis, R.J.: 2010 economic analysis of role-based access control. NIST, Gaithersburg, MD (2010)Google Scholar
  11. 11.
    Park, J., Sandhu, R.: The UCONabc usage control model. ACM Trans. Inf. Syst. Secur. 7(1), 128–174 (2004)CrossRefGoogle Scholar
  12. 12.
    Saaty, R.W.: The analytic hierarchy process - what it is and how it is used. Math. Model. 9(3), 161–176 (1987)MathSciNetCrossRefGoogle Scholar
  13. 13.
    Samarati, P., de Vimercati, S.C.: Access control: policies, models, and mechanisms. In: Focardi, R., Gorrieri, R. (eds.) FOSAD 2000. LNCS, vol. 2171, pp. 137–196. Springer, Heidelberg (2001). Scholar
  14. 14.
    Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. Computer 29(2), 38–47 (1996)CrossRefGoogle Scholar
  15. 15.
    Shirey, R.: RFC 4949: Internet Security Glossary - Version 2, August 2007Google Scholar
  16. 16.
    Zhang, X., Parisi-Presicce, F., Sandhu, R., Park, J.: Formal model and policy specification of usage control. ACM Trans. Inf. Syst. Secur. 8(4), 351–387 (2005)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Department of Information Security and Communication TechnologyNorwegian University of Science and TechnologyGjøvikNorway
  2. 2.Istituto di Informatica e TelematicaConsiglio Nazionale delle RicerchePisaItaly
  3. 3.University of PisaPisaItaly

Personalised recommendations