Fuzzy Logic with Expert Judgment to Implement an Adaptive Risk-Based Access Control Model for IoT

The Internet of Things (IoT) is becoming the future of the Internet, with a large number of connected devices that are predicted to reach about 50 billion by 2020. With the proliferation of IoT devices and the need to increase information sharing in IoT applications, the risk-based access control model has become the best candidate for both academic and commercial organizations to address access control issues. This model carries out a security risk analysis of each access request, using IoT contextual information, to provide access decisions dynamically, and it addresses the flexibility and scalability challenges of IoT systems. Therefore, we propose an adaptive risk-based access control model for the IoT. The model uses real-time contextual information associated with the requesting user to calculate the security risk of each access request. It takes the user's attributes at the time of the request, the severity of the requested action, the sensitivity of the resource and the user's risk history as inputs, analyses them to calculate a risk value, and uses that value to determine the access decision. To detect abnormal and malicious actions, smart contracts are used to track and monitor user activities during the access session so that potential security violations can be detected and prevented. In addition, since risk estimation is the essential stage in building a risk-based model, this paper discusses common risk estimation methods and then proposes a fuzzy inference system with expert judgment as the optimal approach to the risk estimation process of the proposed risk-based model in the IoT.
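The risk-estimation step the abstract sketches, as an added illustration that is not the paper's own code: a small Mamdani-style fuzzy inference system over the four inputs the paper names (user context, action severity, resource sensitivity, risk history), with an expert-judgment rule base, max aggregation and centroid defuzzification. The membership functions, the rules, the input names and the decision thresholds are assumptions chosen for illustration; the example also shows the fail-closed handling a practitioner wants when no rule covers a request.

```python
# Added example (not the paper's code): Mamdani-style fuzzy risk estimation over
# the four inputs the abstract names. Membership functions, rule base, input
# names and thresholds are assumptions for illustration, not the paper's values.
INPUTS = ("context_anomaly", "action_severity", "resource_sensitivity", "risk_history")

def tri(x, a, b, c):
    """Triangular membership function on a normalised [0, 1] scale."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)

# Three linguistic terms shared by every input and by the risk output.
TERMS = {"low": (-0.5, 0.0, 0.5), "medium": (0.0, 0.5, 1.0), "high": (0.5, 1.0, 1.5)}

# Assumed expert-judgment rule base: antecedents are AND-ed (min), consequent is a risk term.
RULES = [
    ({"risk_history": "high"}, "high"),
    ({"action_severity": "high", "resource_sensitivity": "high"}, "high"),
    ({"context_anomaly": "high", "resource_sensitivity": "high"}, "high"),
    ({"action_severity": "high", "resource_sensitivity": "low"}, "medium"),
    ({"context_anomaly": "high", "resource_sensitivity": "low"}, "medium"),
    ({"action_severity": "medium", "resource_sensitivity": "medium"}, "medium"),
    ({"context_anomaly": "medium", "risk_history": "medium"}, "medium"),
    ({"action_severity": "low", "resource_sensitivity": "low", "risk_history": "low"}, "low"),
    ({"context_anomaly": "low", "risk_history": "low", "action_severity": "low"}, "low"),
]

def estimate_risk(request):
    """Fuzzify, fire rules, aggregate with max, defuzzify by centroid; returns risk in [0, 1]."""
    strengths = [(min(tri(request[k], *TERMS[t]) for k, t in ante.items()), cons)
                 for ante, cons in RULES]
    ys = [i / 100 for i in range(101)]
    agg = [max(min(s, tri(y, *TERMS[c])) for s, c in strengths) for y in ys]
    mass = sum(agg)
    if mass == 0.0:  # no rule covers this request: fail closed instead of guessing
        return 1.0
    return sum(y * m for y, m in zip(ys, agg)) / mass

def decide(request, deny_at=0.6, monitor_at=0.4):
    """Map the risk value to a decision; the mid band is granted but the session is monitored."""
    risk = estimate_risk(request)
    if risk >= deny_at:
        return "deny", risk
    if risk >= monitor_at:
        return "allow_monitored", risk
    return "allow", risk

def req(context_anomaly, action_severity, resource_sensitivity, risk_history):
    """Build a request from the four normalised inputs (constructed sample values)."""
    return dict(zip(INPUTS, (context_anomaly, action_severity, resource_sensitivity, risk_history)))
```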
