
50 (IJCNS) International Journal of Computer and Network Security,

Vol. 2, No. 4, April 2010

A Method of Access in a Dynamic Context Aware Role Based Access Control Model for Wireless Networks

¹Dr. A.K. Santra, ²Nagarajan S

¹Director and Professor, MCA Department, Bannari Amman Institute of Technology, Sathyamangalam, Tamil Nadu.
²Research Scholar, Bharathiar University, Coimbatore and Selection Grade Lecturer, Alliance Business Academy, Bangalore, Karnataka.

Abstract: This paper addresses security in dynamic context aware systems. Context awareness is emerging as an important element in wireless systems. Security challenges in context aware systems include integrity, confidentiality and availability of context information as well as the end user's privacy. The paper addresses the dynamic changes happening in the mapping between roles and permissions depending on context information. The paper presents an access control method using artificial neural networks. It represents the data in terms of bits to express the roles and permissions, which helps in reducing the data transmission and is a good fit for wireless networks with lower bandwidth. It also introduces a novel method for storing the information in a reduced format. Instead of accessing the access control tables, the machine learns them, which in turn reduces the time required to access the tables. Being dynamic in nature, the method requires no manual changes; any change is taken care of by the machine learning itself. Further, the algorithm is simple and easy to implement in wireless networks.

Keywords: Dynamic Context, Wireless Networks.

1. Introduction

It has been proved that Dynamic Role Based Access Control (DRBAC) can manage access control and security, and more and more mobile devices are incorporating this feature. Pervasive communication technology is becoming an everyday feature and it is changing the way of communicating with the external world. This type of DRBAC requires the following tables:

1. User Location Table
2. User Role Table
3. Role-Permission Table
4. Mutual Exclusive Role Table

Each time anybody accesses the system, the first three tables are searched.

Further, there is a very complex mapping of locations, users, roles and permissions. It has been observed that frequently searching the tables reduces the efficiency of access control. A disadvantage of wireless devices is that they have less power, storage, computing and transmission ability. Hence, performing access control in wireless environments is actually more complex than in wired environments. Therefore, any approach to access control must be relatively simple and very efficient.

This paper addresses the following points:

It gives an access control algorithm; storage is reduced using the ear decomposition and the information is retrieved accordingly. It also uses an ANN to train the system so that this procedure is learnt by the system, rather than searching the tables. The algorithm assigns the user different permissions in different sessions depending on the context aware data available at that point of time. This reduces the data storage and transmission by using only the bits, making it very easy to implement in networks where the bandwidth is very low.

The anytime, anywhere access infrastructures is to enable a new generation of applications that can leverage continuously manage, adapt and finally optimization is required.

The major challenge faced in wireless applications is managing the security of the system using Access Control Lists (ACLs). ACLs are a very common mechanism in access control. It has been observed that ACLs are used to check for permission to access resources or services. Such an approach is inadequate for wireless applications, since most proposed models do not take context information into consideration.

There is a need for giving control in a dynamic way, as the context changes according to location, time, system resources, network security configuration, etc. Therefore, an access control mechanism that changes the permissions of a user dynamically based on context information is essential.

In this direction, [3] proposed a GRBAC model and represented the system using state machines. Using this model, this paper represents the information for the new algorithm proposed and shows how it can be stored and retrieved. Finally, it shows how this can be used to train the system without accessing the matrix.

2. Background

Location, User, Role and Permission are the major components of a DRBAC, which are represented as follows:

L = {L1, L2, ..., Li}
U = {U1, U2, ..., Ui}
R = {R1, R2, ..., Ri}
P = {P1, P2, ..., Pi}
T = {T1, T2, T3}

A permission maps directly to only one role. If many roles need to own the same permission, this needs to be done using role inheritance, since conflicting permissions also need to be addressed.
This algorithm assigns the user with different permissions

3. Dynamic Context Aware Role Based Access Control

DRBAC addresses the dynamic requirement of applications in pervasive environments. It extends the traditional RBAC model to use dynamic context information while making access control decisions. DRBAC addresses the following:

1. A user's access privileges must change when the user's context changes.
2. A resource must adjust its access permission when its system information changes.

4. DRBAC Definitions

The DRBAC definitions are taken from the RBAC formalisms presented in [3] and [4].

USER: A user is an entity whose access is being controlled. USERS represents a set of users.

ROLES: A role is a job function within the context of an organization with some associated semantics regarding the authority and responsibility conferred on the user assigned to the role. ROLES represents a set of roles.

PERMS: A permission is an approval to access one or more RBAC protected resources. PERMS represents a set of permissions.

LOCATIONS: A location is a point from which the user accesses the resources. LOCATIONS is the set of points of access.

TIMES: A time is the time at which the user accesses the resources. TIMES is the set of times at which the user has access.

SESSIONS: A session is a set of interactions between subjects and objects. A user is assigned a set of roles during each session. The active role changes dynamically among the assigned roles for each interaction. SESSIONS represents a set of sessions.

UA: UA is the mapping that assigns a role to a user. In the session, each user is assigned a set of roles, and the context information is used to decide which role is active. The user accesses the resource with the active role.

PA: PA is the mapping that assigns permissions to a role. Every role that has a privilege to access the resource is assigned a set of permissions, and the context information is used to decide which permission is active for that role.

Definition of the Agent: A Central Authority checks the user's access rights and gives the privileges that are active for the user in that session.

5. Explanation of the DRBAC Model

The environment considered is an educational institute. The designations are Professor, Associate Professor, Assistant Professor and Teaching Assistant. At the office they have both read and write permissions. For this we represent the locations, time and roles in the following way:

Locations
L1 = Campuses Abroad
L2 = Campuses coming under the home country
L3 = Campuses in each City
L4 = Campuses within the city
L5 = Residence

Time
T1 = 8:00 AM to 8:00 PM (Office Hours)
T2 = 5:30 AM to 7:59 AM (Morning)
T3 = 8:01 PM to 5:29 AM (Night)

Roles
Designation                   For Time T1   For Time T2   For Time T3
Professor                     R1            R9            R17
Associate Professor           R2            R10           R18
Assistant Professor           R3            R11           R19
Teaching Assistant            R4            R12           R20
Professor Remote              R5            R13           R21
Associate Professor Remote    R6            R14           R22
Assistant Professor Remote    R7            R15           R23
Teaching Assistant Remote     R8            R16           R24

Permission
P1 = Append
P2 = Create
P3 = Execute
P4 = Get attribute
P5 = I/O Control
P6 = Link
P7 = Lock
P8 = Read
P9 = Rename
P10 = Unlink
P11 = Write

The Access Control Algorithm for wireless applications

For the sake of this study it is considered that static IP addresses are used. The wireless infrastructure implementing a WLAN is used for logins inside the campus, while broadband wireless internet is used to log in remotely.

Step 1: Authentication is done using IPSec labeling, as described in [5].
Step 2: Using the IP address associated with the user, the location of the user is determined.
Step 3: Depending on the user's location, a role is assigned, which is further associated with permissions.
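An added example (not code from the paper) of the access decision in Steps 2 and 3, using the Matrix1 and Matrix2 values given in this section packed as bit rows, in line with the paper's bit representation. The address ranges in `NETS` and the user-role masks in `UA` are constructed assumptions, and Step 1 authentication is assumed to have already succeeded.

```python
import ipaddress

LOCS = ["L1", "L2", "L3", "L4", "L5"]

# Matrix1 from the paper (user x location): one 5-bit row per user, MSB = L1.
# The unnamed "." row of the printed matrix is left out.
MATRIX1 = {"U1": 0b11111, "U2": 0b01111, "U3": 0b01111,
           "U4": 0b00010, "U5": 0b11111}

# Matrix2 from the paper (location x role): one 8-bit row per location.
# The printed rows are identical for T1, T2 and T3; only the role numbers
# shift by 8 per time slot (R1.., R9.., R17..). MSB = first role of the slot.
MATRIX2 = {"L1": 0b10000000, "L2": 0b11100000, "L3": 0b11100000,
           "L4": 0b11110000, "L5": 0b11101110}

# ASSUMPTION (constructed, not from the paper): static address range per location.
NETS = {"L%d" % i: ipaddress.ip_network("10.%d.0.0/16" % i) for i in range(1, 6)}

# ASSUMPTION (constructed): user-to-role assignment UA as an 8-bit mask over
# the slot's roles, e.g. U1 holds Professor and Professor Remote.
UA = {"U1": 0b10001000, "U2": 0b01000100, "U3": 0b00100010,
      "U4": 0b00010001, "U5": 0b10001000}


def time_slot(hhmm):
    """Map "HH:MM" to the paper's slot index: T1 -> 0, T2 -> 1, T3 -> 2."""
    hours, minutes = (int(part) for part in hhmm.split(":"))
    m = hours * 60 + minutes
    if 8 * 60 <= m <= 20 * 60:
        return 0                      # T1 = 8:00 AM to 8:00 PM
    if 5 * 60 + 30 <= m < 8 * 60:
        return 1                      # T2 = 5:30 AM to 7:59 AM
    return 2                          # T3 = 8:01 PM to 5:29 AM


def locate(ip):
    """Step 2: static IP address -> location label, or None if unknown."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return next((loc for loc, net in NETS.items() if addr in net), None)


def decide(user, ip, hhmm):
    """Return the active roles for an authenticated user; [] means deny."""
    loc = locate(ip)
    if loc is None or user not in MATRIX1:
        return []                                    # unknown context: fail closed
    loc_bit = 1 << (len(LOCS) - 1 - LOCS.index(loc))
    if not MATRIX1[user] & loc_bit:                  # Matrix1: may this user log in here?
        return []
    active = UA.get(user, 0) & MATRIX2[loc]          # Step 3 + Matrix2: roles valid here
    base = 8 * time_slot(hhmm)
    return ["R%d" % (base + col + 1) for col in range(8) if active & (0x80 >> col)]
```

Each decision costs two bitwise ANDs on a 5-bit and an 8-bit row, and an unknown address or user yields an empty role list rather than a default role.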

Using the following information we try to ascertain, with Matrix1, whether a user is permitted to log in from a particular location or not. If the said user has access rights from that location, step 2 of the algorithm is executed, i.e., mapping the IP address to a role; otherwise the access right is denied.

Matrix1

      L1  L2  L3  L4  L5
U1    1   1   1   1   1
U2    0   1   1   1   1
U3    0   1   1   1   1
U4    0   0   0   1   0
.     0   0   0   1   0
U5    1   1   1   1   1

The second matrix defines the relationship between locations and roles for the time at which the user logs in. Depending on the time the user logs in, the roles are assigned. The matrix is used to check whether a role has access rights at the various locations or not. Further, the permissions for the roles are defined at the time the role is created. If the role column in the matrix is 1, that role can be provided access for that location and step 3 of the algorithm is executed; otherwise access for that role is denied.

Matrix2

For Time T1

      R1  R2  R3  R4  R5  R6  R7  R8
L1    1   0   0   0   0   0   0   0
L2    1   1   1   0   0   0   0   0
L3    1   1   1   0   0   0   0   0
L4    1   1   1   1   0   0   0   0
L5    1   1   1   0   1   1   1   0

For Time T2

      R9  R10 R11 R12 R13 R14 R15 R16
L1    1   0   0   0   0   0   0   0
L2    1   1   1   0   0   0   0   0
L3    1   1   1   0   0   0   0   0
L4    1   1   1   1   0   0   0   0
L5    1   1   1   0   1   1   1   0

For Time T3

      R17 R18 R19 R20 R21 R22 R23 R24
L1    1   0   0   0   0   0   0   0
L2    1   1   1   0   0   0   0   0
L3    1   1   1   0   0   0   0   0
L4    1   1   1   1   0   0   0   0
L5    1   1   1   0   1   1   1   0

Based on the permission rights for that user, the access is allowed. These two matrices are represented in the form of a graph, and the open ear decomposition technique is then used to reduce this information and store it.

6. Performance test of the algorithm

The test bed was created as a kernel program in SELinux. It is allowed to run with the same modules that SELinux has, in addition to the modules created for this purpose. Whenever somebody logs into the system, it uses the authentication methods presently provided by the operating system. Using this to our advantage, we assign static addresses specific to each location based on the labeling of IPSec objects, called labeled IPSec. This particular feature is available in mainline Linux version 2.6.16 itself. It performs the authorization process as described in [5], and we use the same information to determine the location of the user. Once the user's location is ascertained, the next step is to look at the time at which the login has been requested. This is done with the help of the system clock. With the context information thus generated, access roles are assigned accordingly.

For experimentation, the normal roles defined are R1, R2, R3, R4, ..., R24 and the corresponding SELinux roles defined are R1_r, R2_r, R3_r, R4_r, ..., R24_r. These roles are associated with the user. The normal users are U1, U2, U3, U4, ..., Un and the corresponding SELinux users defined are U1_u, U2_u, U3_u, U4_u, ..., Un_u.

Here _r identifies the roles while _u identifies the user. SELinux user identities are different from UNIX identities. They are applied as part of the security label and can be changed in real time under limited conditions. SELinux identities are not primarily used in the targeted policy. In the targeted policy, processes and objects are system_u, and the default for Linux users is user_u. When identities are part of the policy scheme, they are usually identical to the Linux account name (UID), and are compiled into the policy. In such a strict policy, some system accounts may run under a generic, unprivileged user_u identity, while other accounts have direct identities in the policy database.

_t identifies the type. SELINUX_SRC/rbac is the place that defines which roles are allowed to attain which other roles. Types are the primary security attribute SELinux uses in making authorization decisions, as defined in the permissions above. This is defined in /etc/security/selinux/src/policy. Depending on this, roles can be assigned.

7. Representation of the Matrix and decomposition / retrieval

Using the three matrices defined in the above method, the next step is to apply the well known Hungarian Algorithm to represent the matrix in the form of a graph. The steps in the Hungarian Algorithm are as follows:

Step 1
Generate an initial labeling $l$ and a matching $M$ in $E_l$.

Step 2
If $M$ is perfect, stop.
Otherwise pick a free vertex $u \in X$.
Set $S = \{u\}$, $T = \emptyset$.

Step 3
If $N_l(S) = T$, update the labels (forcing $N_l(S) \neq T$):

$\alpha_l = \min_{s \in S,\ y \notin T}$

$$l'(v) = \begin{cases} l(v) - \alpha_l & \text{if } v \in S \\ l(v) + \alpha_l & \text{if } v \in T \\ l(v) & \text{otherwise} \end{cases}$$

Step 4
If $N_l(S) \neq T$, pick $y \in N_l(S) - T$.
If $y$ is free, $u - y$ is the augmenting path; then augment $M$ and go to Step 2.
Else, if $y$ is matched, say to $z$, extend the alternating tree such that $S = S \cup \{z\}$, $T = T \cup \{y\}$, and go to Step 3.

[Figure: Matrix1 and its graph representation G1]

[Figure: Matrix2 and its graph representation G2]

Similarly, the graphs for the other two matrices are drawn and reduced as shown.

Now, using the two graphs, we apply the path ear decomposition algorithm, which is defined as follows.

An ear decomposition D = [P0, P1, P2, ..., Pr-1] of an undirected graph G = (V, E) is a partition of E into an ordered collection of edge-disjoint simple paths P0, P1, P2, ..., Pr-1 such that P0 is an edge, P0 ∪ P1 is a simple cycle, and each end point of Pi, for i > 1, is contained in some Pj, j < i, and none of the internal vertices of Pi are contained in any Pj, j < i. The paths in D are called ears. An ear is open if it is non-cyclic and is closed otherwise. A trivial ear is an ear containing a single edge. D is an open ear decomposition if all ears are open.

Let D = [P0, P1, P2, ..., Pr-1] be an ear decomposition for a graph G = (V, E). For a vertex v in V, we denote by ear(v) the index of the lowest numbered ear that contains v; for an edge e = (x, y) in E, we denote by ear(e) (or ear(x, y)) the index of the unique ear that contains e. A vertex v belongs to P_ear(v).

The path ear decomposition algorithm:

Input: A connected graph G = (V, E) with a root r ∈ V, and with |V| = n.
Output: A depth first search tree of G, together with a label on each edge in E, indicating its ear number.

    set T of edges; integer count;

    procedure dfs(vertex v);
    {* This is a recursive procedure. The call dfs(v) of the main program
       constructs a depth first search tree T of G rooted at r; the recursive
       call dfs(w) constructs the sub tree of T rooted at w. The depth first
       search tree is constructed by placing the tree edges in the set T and
       labeling the vertices in the sub tree rooted at vertex v in pre-order
       numbering, starting with count. The procedure assigns ear labels to the
       edges of G while constructing the depth first search tree. An edge that
       does not belong to any ear is given the label (∞, ∞). Initially, all
       vertices are unmarked. *}
        vertex w;
        mark v;
        pre-order(v) := count; count := count + 1; low(v) := n;
        ear(v) := (n, n);
        for each vertex w adjacent to v
        {* This for loop performs a depth first search of each child of v in
           turn and assigns ear labels to the tree and non tree edges incident
           on vertices in the sub trees rooted at the children of v. *}
            if w is not marked then
                add (v, w) to T; parent(w) := v; dfs(w);
                if low(w) ≥ pre-order(w) then
                    ear(parent(w), w) := (∞, ∞)
                else if low(w) < pre-order(w) then
                    ear(parent(w), w) := ear(w)
                fi;
                low(v) := min(low(v), low(w));
                ear(v) := lexmin(ear(v), ear(w))
            else if w is marked then
                if w ≠ parent(v) then
                    low(v) := min(low(v), pre-order(w));
                    ear(w, v) := (pre-order(w), pre-order(v));
                    ear(v) := lexmin(ear(v), ear(w, v));
                fi
            fi
        rof
    end dfs;

    {* Main program *}
    T := null set; count := 0; dfs(r);
    Sort the ear labels of the edges in lexicographically non-decreasing order
    and relabel distinct labels (except labels (∞, ∞)) in order as 1, 2, 3, 4, ...;
    Relabel the non tree edge with label 1 as 0
    end.

Using the algorithm, the graphs G1, G2 and G3 reduce to G11, G21 and G31 respectively.

Graph G1 reduced to the form G11

P1 = { <U1, L1> <U5, L1> }
P2 = { <U1, L2> <U5, L2> }
P3 = { <U1, L3> <U5, L3> }
P4 = { <U1, L4> <U5, L4> }
P5 = { <U1, L5> <U5, L5> }
P6 = { <U2, L2> <U3, L2> <U3, L3> }
P7 = { <U2, L3> }
P8 = { <U3, L4> <U4, L4> }
P9 = { <U3, L5> }
P10 = { <U4, L4> }

Therefore, G11 = { P1, P2, P3, P4, P5, P6, P7, P8, P9, P10 }

Graph G2 reduced to the form G21

P1 = { <L1, R1> <L2, R1> <L2, R2> <L3, R3> <L4, R3> <L4, R4> }
P2 = { <L2, R3> <L5, R3> <L5, R5> }
P3 = { <L5, R6> <L5, R7> }

Therefore, G21 = { P1, P2, P3 }

A similar operation is performed on the other two graphs. G11 and G21 are referred to as the partition matrix and can be called the partition path matrix. The path decomposition is edge disjoint; hence the union of the reduced paths gives the entire graphs G1 and G2.

8. Conclusion

It has been observed that any dynamic context aware system needs to search the relevant tables to get the user permissions. This paper presents a dynamic context aware algorithm using SELinux in which the number of tables is reduced. It also shows a way to store and retrieve the information. When our module is executed, the roles are assigned according to the location and time. Hence it can be implemented with ease in a wireless networked environment.

Acknowledgements

We would like to thank Prof. K. A. Venkatesh, HOD, Department of Computer Applications, Alliance Business Academy, for all his support and discussions. We would also like to thank Mr. Mahesh M S for the experimental support provided in the lab during the preparation of this algorithm and module.

References

[1] Efficient Access Control in Wireless Networks, Kun Wang, Zhenguo Ding, Lihua Zhou, Proceedings of IEEE/WIC/ACM International Conference on Web Intelligence and Intelligent Agent Technology, pp. 85-88, ISBN 0-7695-2749-3, 2006.

[2] Fast Access Control algorithm in Wireless Network, Kun Wang, Zhixin Ma, Grid and Pervasive Computing Workshops, 2008. GPC Workshops '08. The 3rd International Conference on, ISBN 978-0-7695-3177-9, pp. 347-351, 25-28 May 2008.

[3] Context-Aware Dynamic Access Control for Pervasive Applications, G. Zhang and M. Parashar, Proceedings of the Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2004), 2004 Western MultiConference (WMC), pp. 219-225, January 2004.

[4] Supporting relationships in access control using role based access control, K. Beznosov, J. Barkley and J. Uppal, Symposium on Access Control Models and Technologies, Proceedings of the fourth ACM workshop on Role-based access control, Fairfax, Virginia, United States, pp. 55-65, ISBN 1-58113-180-1, 1999.

[5] Leveraging IPsec for Distributed Authorization, Trent Jaeger, David King, Kevin Butler, Jonathan McCune, Ramon Caceres, Serge Hallyn, Joy Latten, Reiner Sailer and Xiolan Zhang, nsrc.cse.psu.edu/tech_report/NAS-TR-0037-2006.pdf, 2006.

Authors Profile

Dr. A.K. Santra is presently working as the Director (Computer Applications) at the Bannari Amman Institute of Technology in Sathyamangalam. He has close to 40 years of experience in both industry and teaching. He has published 17 papers in various international journals and conferences. He is presently guiding a number of students for their Ph.D. degrees. He is on the board of, and a reviewer for, various international journals.

Mr. Nagarajan S is presently working as Selection Grade Lecturer at the Alliance Business Academy, Bangalore. He is also a Research Scholar at Bharathiar University, Coimbatore. He has nearly 13 years of industry and teaching experience. He has published one international paper in an international journal and 5 in various conferences.
