Time-Continuous Authorization of Network Resources Based on Usage Control

  • Barbara Martini
  • Paolo Mori
  • Fabio Martinelli
  • Aliaksandr Lazouski
  • Piero Castoldi


Authorization systems regulate access to network resources, e.g., bandwidth-guaranteed circuits traversing nodes and links and shared among different media streams, assuring that only admitted data streams use the assigned resources. Traditional access control models were not designed to cope with changes that may occur in the attributes of the user, of the resource or of the environment after access has been granted. However, in order to prevent misuse and fraud, it is important to extend control over these attributes beyond the authorization decision, i.e., to the actual usage of such resources. This control is particularly crucial for network resources because an abuse might degrade QoS performance for lawfully admitted media streams and expose the network to Denial of Service attacks. This paper integrates an authorization system based on the Usage Control model (UCON) into the network service provisioning scenario, to enhance the evaluation of access rights during the actual usage of network resources. The relevant application scenario and architectural design, as well as an example of a security policy that implements usage control, are described. Finally, we outline some open issues and research trends in the applicability of usage control models in the networking area.


Keywords: Network access models, Access control, QoS



Copyright information

© Springer-Verlag Italia Srl 2011

Authors and Affiliations

  • Barbara Martini (1)
  • Paolo Mori (2)
  • Fabio Martinelli (2)
  • Aliaksandr Lazouski (2)
  • Piero Castoldi (3)

  1. Consorzio Nazionale Interuniversitario per le Telecomunicazioni, Pisa, Italy
  2. Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche, Pisa, Italy
  3.
