Self-Generation of Access Control Policies

Access control for information has primarily focused on access statically granted to subjects by administrators, usually in the context of a specific system. Even if mechanisms are available for access revocation, revocations must still be executed manually by an administrator. However, as physical devices become increasingly embedded and interconnected, access control needs to become an integral part of the resource being protected and to be generated dynamically by resources depending on the context in which they are being used. In this paper, we discuss a set of scenarios for access control needed in current and future systems and use them to argue that an approach is needed in which resources generate and manage their access control policies dynamically on their own. We discuss some approaches for generating such access control policies that may address the requirements of the scenarios.
