An extended attribute based access control model with trust and privacy: Application to a collaborative crisis management system

Many efforts in the area of computer security have been drawn to attribute-based access control (ABAC). Compared to other adopted models, ABAC provides more granularity, scalability, and flexibility. This makes it a valuable access control system candidate for securing platforms and environments used for coordination and cooperation among organizations and communities, especially over open networks such as the Internet. On the other hand, the basic ABAC model lacks provisions for context, trust and privacy issues, all of which are becoming increasingly critical, particularly in high performance distributed collaboration environments. This paper presents an extended access control model based on attributes associated with objects and subjects. It incorporates trust and privacy issues in order to make access control decisions sensitive to the cross-organizational collaboration context. Several aspects of the proposed model are implemented and illustrated by a case study that shows realistic ABAC policies in the domain of distributed multiple organizations crisis management systems. Furthermore, the paper shows a collaborative graphical tool that enables the actors in the emergency management system to make better decisions. The prototype shows how it guarantees the privacy of object's attributes, taking into account the trust of the subjects. This tool incorporates a decision engine that relies on attribute based policies and dynamic trust and privacy evaluation. The resulting platform demonstrates the integration of the ABAC model, the evolving context, and the attributes of actors and resources.

[1]  Brent Waters,et al.  Ciphertext-Policy Attribute-Based Encryption , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[2]  Fatos Xhafa,et al.  The Big Picture, from Grids and Clouds to Crowds: A Data Collective Computational Intelligence Case Proposal for Managing Disasters , 2010, 2010 International Conference on P2P, Parallel, Grid, Cloud and Internet Computing.

[3]  Indrajit Ray,et al.  TrustBAC: integrating trust relationships into the RBAC model for access control in open systems , 2006, SACMAT '06.

[4]  Ninghui Li,et al.  Comparing the expressive power of access control models , 2004, CCS '04.

[5]  James H. Martin,et al.  A vision for technology-mediated support for public participation & assistance in mass emergencies & disasters , 2010 .

[6]  J. H. Davis,et al.  An Integrative Model Of Organizational Trust , 1995 .

[7]  Ana R. Cavalli,et al.  Interoperability of Context Based System Policies Using O2O Contract , 2008, 2008 IEEE International Conference on Signal Image Technology and Internet Based Systems.

[8]  Brent Waters,et al.  Fuzzy Identity-Based Encryption , 2005, EUROCRYPT.

[9]  Ruth Breu,et al.  Living Security - Collaborative Security Management in a Changing World , 2011 .

[10]  Jian Zhu,et al.  Trust and privacy in attribute based access control for collaboration environments , 2009, iiWAS.

[11]  Manoj R. Sastry,et al.  A Contextual Attribute-Based Access Control Model , 2006, OTM Workshops.

[12]  Elisa Bertino,et al.  TRBAC , 2001, ACM Trans. Inf. Syst. Secur..

[13]  Otto Lerbinger The Crisis Manager: Facing Risk and Responsibility , 1997 .

[14]  Achim D. Brucker,et al.  Extending access control models with break-glass , 2009, SACMAT '09.

[15]  N.J. Davis,et al.  Toward a decentralized trust-based access control system for dynamic collaboration , 2005, Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop.

[16]  Heejo Lee,et al.  A Flexible Trust-Based Access Control Mechanism for Security and Privacy Enhancement in Ubiquitous Systems , 2007, 2007 International Conference on Multimedia and Ubiquitous Engineering (MUE'07).

[17]  David M. Eyers,et al.  Using trust and risk in role-based access control policies , 2004, SACMAT '04.

[18]  Anand R. Tripathi,et al.  Static verification of security requirements in role based CSCW systems , 2003, SACMAT '03.

[19]  David W. Chadwick,et al.  How to Break Access Control in a Controlled Manner , 2006, 19th IEEE Symposium on Computer-Based Medical Systems (CBMS'06).

[20]  Nora Cuppens-Boulahia,et al.  O2O: Virtual Private Organizations to Manage Security Policy Interoperability , 2006, ICISS.

[21]  Raph Levien,et al.  Attack-Resistant Trust Metrics , 2009, Computing with Social Trust.

[22]  Waleed W. Smari,et al.  Sensors integration in a grid-based architecture for emergency management systems , 2010, 4th IEEE International Conference on Digital Ecosystems and Technologies.

[23]  J. H. Davis,et al.  An integrative model of organizational trust, Academy of Management Review, : . , 1995 .

[24]  John D. Lee,et al.  Trust in Automation: Designing for Appropriate Reliance , 2004 .

[25]  Jin Tong,et al.  Attributed based access control (ABAC) for Web services , 2005, IEEE International Conference on Web Services (ICWS'05).

[26]  Jian Zhu,et al.  Attribute Based Access Control and Security for Collaboration Environments , 2008, 2008 IEEE National Aerospace and Electronics Conference.

[27]  Elisa Bertino,et al.  Privacy Protection , 2022 .

[28]  Hidehito Gomi An Authentication Trust Metric for Federated Identity Management Systems , 2010, STM.

[29]  Ninghui Li,et al.  DATALOG with Constraints: A Foundation for Trust Management Languages , 2003, PADL.

[30]  B. Nick Rossiter,et al.  A task-based security model to facilitate collaboration in trusted multi-agency networks , 2002, SAC '02.

[31]  D. Richard Kuhn,et al.  Role-Based Access Controls , 2009, ArXiv.

[32]  Jian Zhu,et al.  Security and Access Control for a Human-centric Collaborative Commerce System , 2006, International Symposium on Collaborative Technologies and Systems (CTS'06).

[33]  Rajeev Sharma,et al.  Enabling GeoCollaborative crisis management through advanced geoinformation technologies , 2005, DG.O.

[34]  Ning Zhang,et al.  A Purpose-Based Access Control Model , 2007 .

[35]  Amanda Lee Hughes,et al.  Collective Intelligence in Disaster: Examination of the Phenomenon in the Aftermath of the 2007 Virginia Tech Shooting , 2008 .

[36]  Geoff Coulson,et al.  Free Riding on Gnutella Revisited: The Bell Tolls? , 2005, IEEE Distributed Syst. Online.

[37]  Ramakrishnan Srikant,et al.  Hippocratic Databases , 2002, VLDB.

[38]  Rajeev Sharma,et al.  Enabling collaborative geoinformation access and decision‐making through a natural, multimodal interface , 2005, Int. J. Geogr. Inf. Sci..

[39]  Ravi S. Sandhu,et al.  Conceptual foundations for a model of task-based authorizations , 1994, Proceedings The Computer Security Foundations Workshop VII.

[40]  Vijayalakshmi Atluri,et al.  SecureFlow: a secure Web-enabled workflow management system , 1999, RBAC '99.

[41]  Frédéric Cuppens,et al.  Administration Model for Or-BAC , 2003, OTM Workshops.

[42]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[43]  E. Damiani,et al.  New paradigms for access control in open environments , 2005, Proceedings of the Fifth IEEE International Symposium on Signal Processing and Information Technology, 2005..

[44]  Ruby B. Lee,et al.  Securing the Dissemination of Emergency Response Data with an Integrated Hardware-Software Architecture , 2009, TRUST.

[45]  Frédéric Cuppens,et al.  AdOrBAC: an administration model for Or-BAC , 2004, Comput. Syst. Sci. Eng..

[46]  Tiziana Catarci,et al.  WORKPAD: an Adaptive Peer-to-Peer Software Infrastructure for Supporting Collaborative Work of Human Operators in Emergency/Disaster Scenarios , 2006, International Symposium on Collaborative Technologies and Systems (CTS'06).

[47]  Weisong Shi,et al.  PET: A PErsonalized Trust Model with Reputation and Risk Evaluation for P2P Resource Sharing , 2005, Proceedings of the 38th Annual Hawaii International Conference on System Sciences.

[48]  Roshan K. Thomas,et al.  Flexible team-based access control using contexts , 2001, SACMAT '01.

[49]  Frédéric Cuppens,et al.  Organization based access control , 2003, Proceedings POLICY 2003. IEEE 4th International Workshop on Policies for Distributed Systems and Networks.

[50]  Anand R. Tripathi,et al.  Specification of secure distributed collaboration systems , 2003, The Sixth International Symposium on Autonomous Decentralized Systems, 2003. ISADS 2003..

[51]  Tim French Collaborative virtual organisation trust measurement: Leveraging Corporate Governance metrics , 2010, 2010 International Conference on Information Society.

[52]  Nik Bessis,et al.  A High-Level Semiotic Trust Agent Scoring Model for Collaborative Virtual Organsations , 2010, 2010 IEEE 24th International Conference on Advanced Information Networking and Applications Workshops.

[53]  Elisa Bertino,et al.  Secure knowledge management: confidentiality, trust, and privacy , 2006, IEEE Transactions on Systems, Man, and Cybernetics - Part A: Systems and Humans.

[54]  Gregory D. Abowd,et al.  Securing context-aware applications using environment roles , 2001, SACMAT '01.

[55]  Paolo Massa,et al.  Trustlet, Open Research on Trust Metrics , 2001, BIS.

[56]  Rajeev Sharma,et al.  GeoCollaborative crisis management: designing technologies to meet real-world needs , 2006, DG.O.

[57]  Sarah Underwood,et al.  Improving disaster management , 2010, Commun. ACM.

[58]  Audun Jøsang,et al.  Trust and Reputation Systems , 2007, FOSAD.

[59]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[60]  Miriam A. M. Capretz,et al.  Trust Metrics for Services and Service Providers , 2011, ICIW 2011.

[61]  Achim D. Brucker,et al.  A Framework for Managing and Analyzing Changes of Security Policies , 2011, 2011 IEEE International Symposium on Policies for Distributed Systems and Networks.

[62]  Rakesh Bobba,et al.  Using Attribute-Based Access Control to Enable Attribute-Based Messaging , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[63]  Ravi S. Sandhu,et al.  A general design towards secure ad-hoc collaboration , 2006, ASIACCS '06.

[64]  Elisa Bertino,et al.  Context-Dependent Authentication and Access Control , 2009, iNetSeC.

[65]  Achim D. Brucker,et al.  Attribute-Based Encryption with Break-Glass , 2010, WISTP.

[66]  Ravi S. Sandhu,et al.  Task-Based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-Oriented Autorization Management , 1997, DBSec.

[67]  Patrice Clemente,et al.  A Multi-Agent and Multi-Level Architecture to Secure Distributed Systems , 2006 .

[68]  Konstantin Beznosov Requirements for access control: US Healthcare domain , 1998, RBAC '98.

[69]  Yichun Liu,et al.  Trust-Based Access Control for Collaborative System , 2008, 2008 ISECS International Colloquium on Computing, Communication, Control, and Management.

[70]  D. Richard Kuhn,et al.  Adding Attributes to Role-Based Access Control , 2010, Computer.

[71]  John P. Lewis,et al.  The DEFACTO System: Training Tool for Incident Commanders , 2005, AAAI.

[72]  Joseph P. Macker,et al.  Mobile Ad hoc Networking (MANET): Routing Protocol Performance Issues and Evaluation Considerations , 1999, RFC.

[73]  Fatos Xhafa,et al.  A next generation emerging technologies roadmap for enabling collective computational intelligence in disaster management , 2011, Int. J. Space Based Situated Comput..

[74]  Joan Feigenbaum,et al.  Decentralized trust management , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[75]  Ling Liu,et al.  PeerTrust: supporting reputation-based trust for peer-to-peer electronic communities , 2004, IEEE Transactions on Knowledge and Data Engineering.

[76]  Yuefeng Li,et al.  The state-of-the-art in personalized recommender systems for social networking , 2012, Artificial Intelligence Review.

[77]  Frédéric Cuppens,et al.  Modelling contexts in the Or-BAC model , 2003, 19th Annual Computer Security Applications Conference, 2003. Proceedings..

[78]  Roshan K. Thomas,et al.  Team-based access control (TMAC): a primitive for applying role-based access controls in collaborative environments , 1997, RBAC '97.

[79]  Günther Pernul,et al.  A Privacy-Enhanced Attribute-Based Access Control System , 2007, DBSec.

[80]  Seng-Phil Hong,et al.  Access control in collaborative systems , 2005, CSUR.

[81]  Fabio Paternò,et al.  CTTE: Support for Developing and Analyzing Task Models for Interactive System Design , 2002, IEEE Trans. Software Eng..

[82]  Paul Resnick,et al.  Reputation systems , 2000, CACM.

[83]  J. Feigenbaum,et al.  The KeyNote trust management system version2, IETF RFC 2704 , 1999 .

[84]  K. Anagnostakis,et al.  On the Impact of Practical P2p Incentive Mechanisms on User Behavior , 2006 .

[85]  Jérémy Briffaut,et al.  Team­-Based MAC Policy over Security-­Enhanced Linux , 2008, 2008 Second International Conference on Emerging Security Information, Systems and Technologies.

[86]  Ravi S. Sandhu,et al.  Framework for role-based delegation models , 2000, Proceedings 16th Annual Computer Security Applications Conference (ACSAC'00).

[87]  Maarten van Someren,et al.  Task-Adaptive Information Distribution for Dynamic Collaborative Emergency Response , 2006 .