Sentient-based Access Control model: A mitigation technique for Advanced Persistent Threats in Smartphones

Abstract: This research sheds light on the nature of advanced persistent threats (APTs) on smartphones by analysing real APT attack cases targeting smartphone users. Based on the research, context-aware access control is the best technique to minimise APTs instigated by social engineering attacks on smartphones. Therefore, this research proposes an access control model known as the sentient-based access control model (SENSATE), which combines role-based and attribute-based access control with multi-level security to maintain the integrity and confidentiality of information, which can be infringed through social engineering attacks. The use of existing smartphone sensors in the design of SENSATE is a novel approach in the fight against smartphone cybercrimes, such as APTs.
