Non-zero-sum cooperative access control game model with user trust and permission risk

Cooperative access control game model based on trust and risk is established.
Different solutions are presented for the access control game with or without trust.
Risky permission set problem is handled by solving the finite multi-stage game.
Risk estimation method based on user trust and costs of permission is proposed.

In access control, there exists a game between an application system and its user, in which both the system and the user try to maximize their own utility. Establishing a reasonable, general-purpose access control game model of cost-benefit analysis is a non-trivial research issue. Considering the practical existence and involvement of user trust and permission risk, we construct a non-zero-sum game model for access control, choosing trust and risk (or cost) as metrics in the players' payoff functions. We analyze the optimal strategies for the application system and for the user, and also the Pareto efficient strategy from the viewpoint of both the application system and the user. A Nash equilibrium emerges that improves the rationality of access control decision-making under uncertain situations. In addition, we propose a proper risk estimation method. We also solve the risky permission set problem originating from access control constraints by utilizing the optimal strategy in a finite multi-stage game.
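The following is an added toy illustration of the kind of single-stage game the abstract describes; it is not the paper's model. It assumes a 2x2 non-zero-sum game in which the application system chooses to grant or deny a permission and the user chooses to comply with the intended use or to abuse it, with the system's expected loss in the grant/abuse cell taken as an assumed risk estimate `(1 - trust) * cost`; all payoff numbers below are constructed. The code enumerates pure-strategy Nash equilibria and Pareto efficient profiles so the high-trust and low-trust cases can be compared.

```python
from itertools import product

# Players and their pure strategies (assumed for this illustration).
SYSTEM_ACTIONS = ("grant", "deny")
USER_ACTIONS = ("comply", "abuse")


def risk_estimate(trust, cost):
    """Assumed risk estimate: the permission's cost weighted by the system's distrust.

    trust is a belief in [0, 1] that the user will behave; cost is the loss the
    system suffers if the granted permission is abused.
    """
    return (1.0 - trust) * cost


def build_game(trust, cost, benefit, user_gain, abuse_gain, penalty):
    """Return a bimatrix game: profile -> (system payoff, user payoff).

    benefit:    what the system gains from a legitimately used permission
    user_gain:  what the user gains from legitimate use
    abuse_gain: what the user gains from abusing the permission
    penalty:    sanction the user expects for abuse
    A denial yields nothing to either side (assumed baseline of 0).
    """
    risk = risk_estimate(trust, cost)
    return {
        ("grant", "comply"): (benefit, user_gain),
        ("grant", "abuse"): (-risk, abuse_gain - penalty),
        ("deny", "comply"): (0.0, 0.0),
        ("deny", "abuse"): (0.0, 0.0),
    }


def pure_nash_equilibria(game):
    """Profiles where each player's action is a (weak) best response to the other's."""
    equilibria = []
    for sys_act, user_act in product(SYSTEM_ACTIONS, USER_ACTIONS):
        sys_pay, user_pay = game[(sys_act, user_act)]
        best_sys = max(game[(s, user_act)][0] for s in SYSTEM_ACTIONS)
        best_user = max(game[(sys_act, u)][1] for u in USER_ACTIONS)
        if sys_pay >= best_sys and user_pay >= best_user:
            equilibria.append((sys_act, user_act))
    return equilibria


def pareto_efficient(game):
    """Profiles not weakly dominated by any other profile in both payoffs."""
    efficient = []
    for profile, (a, b) in game.items():
        dominated = any(
            a2 >= a and b2 >= b and (a2 > a or b2 > b)
            for other, (a2, b2) in game.items()
            if other != profile
        )
        if not dominated:
            efficient.append(profile)
    return efficient


def analyze(trust, cost, benefit, user_gain, abuse_gain, penalty):
    """Convenience wrapper returning the game, its pure equilibria and Pareto set."""
    game = build_game(trust, cost, benefit, user_gain, abuse_gain, penalty)
    return {
        "game": game,
        "nash": pure_nash_equilibria(game),
        "pareto": pareto_efficient(game),
    }


if __name__ == "__main__":
    # Constructed scenario 1: trusted user, abuse is not worth the penalty.
    high = analyze(trust=0.9, cost=100, benefit=20, user_gain=15, abuse_gain=30, penalty=25)
    # Constructed scenario 2: distrusted user, abuse pays off for the user.
    low = analyze(trust=0.2, cost=100, benefit=20, user_gain=15, abuse_gain=30, penalty=10)
    for name, result in (("high trust", high), ("low trust", low)):
        print(name, "Nash:", result["nash"], "Pareto:", result["pareto"])
```

In the high-trust scenario the profile (grant, comply) is both a Nash equilibrium and the only Pareto efficient outcome, so the system can rationally grant. In the low-trust scenario the only pure equilibrium is (deny, abuse), which is Pareto dominated by (grant, comply): the gap between what is stable and what is efficient is exactly the tension the abstract's trust and risk metrics are meant to address.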
