Presentation is loading. Please wait.

Presentation is loading. Please wait.

Attribution for GENI Jeffrey Hunker, JHA LLC Matt Bishop, UC Davis Carrie Gates, CA Labs.

Published byRafe Nelson Modified over 8 years ago

Similar presentations

Presentation on theme: "Attribution for GENI Jeffrey Hunker, JHA LLC Matt Bishop, UC Davis Carrie Gates, CA Labs."— Presentation transcript:

1 Attribution for GENI Jeffrey Hunker, JHA LLC Matt Bishop, UC Davis Carrie Gates, CA Labs

2 Agenda What we are doing – Generalized framework for attribution – Policy negotiation a key part of this – Benefits Discussion – Questions – Answers?

3 Caution Terminology varies among projects – So we’ll define ours next (One goal of our project is an ontology of the terminology to make life easier!)

4 Definition the association of data with an entity This is a high-level view! – Approach has benefits Attribution (dictionary definition): – the ascribing of a work (as of literature or art) to a particular author or artist – an ascribed quality, character, or right – determining the identity or location of an attacker or an attacker’s intermediary 4

5 Real-Life Example: Competing/Ambiguous Needs “First Origin” policy – Technical context: net admins can track botnets to point of distribution; generally considered good – Political context: repressive gov’ts can track messages of dissent to point of origin; generally considered bad Is privacy good or bad? – Consider the circumstances Result: different networks with different levels of attribution 5

6 How We Think About It Level of attribution – Perfect non-attribution, false attribution, etc. Target of attribution – Person, IP address, organization Confidence in attribution – Attribution assurance, level of assurance (LoA) Adequacy of attribution – Depends on purpose Composition of attribution – Sender, receiver policies may vary 6

7 Attribution Framework Set of actors What is being attributed Assurance of attribution Policy negotiation system perfect non-attribution false attribution randomized false attribution imprecise attribution perfect non-attribution perfect attribution perfect selective attribution sender non-attribution recipient non-attribution unconcern 7

8 Generalized Attribution System Policy specification: usually implicit Transaction: what you actually do DD Policy Specification Transaction (eg. Message M ) Senderintermediaryreceiver Policy defines what data is tied to what entity and who has access to that data. It is determined by negotiation or agreed upon rules Follows policy specified

9 Goals of Work Provide a unified view of attributes and attribution – Code to manage attributes – Code to help specify policy negotiation (but understanding that humans will be involved in this) – Ontology of terminology to help mediate and reconcile different work

10 Benefits Make assumptions explicit – Users of the services understand exactly what you are offering – You don't get criticized for not meeting what you weren't trying to do, but others thought you were Extensibility – Can adapt your services with minimal effort to work with other services and to provide higher or lower levels of authentication/identity/authorization/etc. when new folks come on line and need them Support your services, experiments – Attribution framework provides ways to negotiate policies, manage attributes Consistent ontology – So meaning of terms is clear

11 Other Work GENI projects related to attribution – ABAC (authorization for GENI) – NetKarma (provenance) – Shibboleth (identity management) – ORCA (trust structure) – May be others …

12 Questions What are the entities that you need or want attribution for? What sort of policies do you need for your experiments and/or services? – What organizational agreements are needed? What attributes do you need? – What level of assurance do you need?

13 Questions Can this view of attribution support your framework? – If not, what elements of an attribution framework that would help you are missing? – What would encourage developers to use this framework? – What types of attribution will be most useful to you (individual, host, organization, ISP, etc)?

14 Backup Slides

15 Shibboleth Authentication of User by Local Institution Authorization for Resource Access by Service Provider Policy Specification Transaction Local Institution Authenticates User Defines local identity or access management for user Service Provider Authorizes User Defines P(1) P(1) specifies attributes A(1) required to determine authorization to access resource R(1) P(1) Authenticates U Provides attributes A(1, U) required by P(1) A(1, U) Authorizes U Access to R(1) according to P(1) Receives A(1,U)

16 ABAC Attribute Based Access Control Attributes can be assigned or delegated DD BB Policy Specification Transaction Principal: entity assigned attributes Attribute: what a principal is authorized to do (or what determines what a principal is authorized to do?) Credentials: used to assign attributes and create delegation rules BBNAdmin now has access and administrator rights to a slice credential GENI.CTFaccessGENI.CTFad min BBNADMIN Negotiation is out of band Principals not involved in transaction

17 NetKarma Provenance-Based Record of Experiment Attributes can be assigned or delegated DD Policy Specification Transaction Workflow of GENI slice creation Data collected in experiments Negotiation is out of band ExperimentNetKarma record Policy pre-specified

Download ppt "Attribution for GENI Jeffrey Hunker, JHA LLC Matt Bishop, UC Davis Carrie Gates, CA Labs."

Similar presentations

Report on the Workshop on GENI and Security or, What Happens When the GENI Leaves the Bottle? Matt Bishop Department of Computer Science University of.

Report on the Workshop on GENI and Security or, What Happens When the GENI Leaves the Bottle? Matt Bishop Department of Computer Science University of.
The Role of Trust Management in Distributed Systems Authors Matt Blaze, John Feigenbaum, John Ioannidis, Angelos D. Keromytis Presented By Akshay Gupte.

The Role of Trust Management in Distributed Systems Authors Matt Blaze, John Feigenbaum, John Ioannidis, Angelos D. Keromytis Presented By Akshay Gupte.
Directory and Trust Services (D&TS) Define an Abstract Model Purpose: Document a common terminology that the group can use between the various tracks Identify.

Directory and Trust Services (D&TS) Define an Abstract Model Purpose: Document a common terminology that the group can use between the various tracks Identify.
D u k e S y s t e m s Some tutorial slides on ABAC Jeff Chase Duke University.

D u k e S y s t e m s Some tutorial slides on ABAC Jeff Chase Duke University.
Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.

Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.
Electronic Submission of Medical Documentation (esMD) for Medicare FFS Presentation to HITSC Provenance Workgroup January 16, 2015.

Electronic Submission of Medical Documentation (esMD) for Medicare FFS Presentation to HITSC Provenance Workgroup January 16, 2015.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
United Nations Statistics Division Principles and concepts of classifications.

United Nations Statistics Division Principles and concepts of classifications.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
Securing the Broker Pattern Patrick Morrison 12/08/2005.

Securing the Broker Pattern Patrick Morrison 12/08/2005.
Sponsored by the National Science Foundation GENI Clearinghouse Panel GEC 12 Nov. 2, 2011 INSERT PROJECT REVIEW DATE.

Sponsored by the National Science Foundation GENI Clearinghouse Panel GEC 12 Nov. 2, 2011 INSERT PROJECT REVIEW DATE.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
Secure Systems Research Group - FAU Patterns for access control E.B. Fernandez.

Secure Systems Research Group - FAU Patterns for access control E.B. Fernandez.
May 22, 2002 Joint Operations Group Discussion Overview Describe the UC Davis Security Architecture Describe Authentication Efforts at UC Davis Current.

May 22, 2002 Joint Operations Group Discussion Overview Describe the UC Davis Security Architecture Describe Authentication Efforts at UC Davis Current.
Information Technology Current Work in System Architecture November 2003 Tom Board Director, NUIT Information Systems Architecture.

Information Technology Current Work in System Architecture November 2003 Tom Board Director, NUIT Information Systems Architecture.
CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
1 Representing Identity CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 19, 2004.

1 Representing Identity CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 19, 2004.
Lecture 7 Access Control

Lecture 7 Access Control

Similar presentations

Ads by Google