Enhancing Role-Based Access Control Model through Fuzzy Relations

The Role-Based Access Control (RBAC) model is a natural fit for organizations in which users are assigned organizational roles with well-defined privileges. However, given the large number of users in today's online services of organizations and enterprises, assigning users to roles is a tiresome task, and keeping the user-role assignment up to date is costly and error-prone. Additionally, as the number of users grows, RBAC may have difficulty preventing cheating and handling changes to users' roles. Categorizing information and formulating security policies requires human decision making, which in the real world is inherently fuzzy. This motivates a fuzzy approach to the problem, in order to provide a more practical solution. In this paper, the applicability of fuzzy set theory to RBAC is investigated by identifying the access control building blocks that are fuzzy in essence. An existing RBAC model is extended to allow imprecise access control policies, using the concept of trustworthiness, which is fuzzy in nature. We call the extended model Fuzzy RBAC. The applicability of the extended model has been evaluated through some case studies.
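The following is an added illustration, not code from the paper, of the idea the abstract describes: deriving a degree of role membership from a trust score instead of a crisp yes/no assignment, composing the fuzzy user-role and role-permission relations, and granting a request only when the composed degree reaches a per-permission sensitivity threshold. The users, roles, trust scores, ramp parameters and thresholds are constructed sample values; the ramp membership function, max-min composition and default-deny policy are the author's own choices for the example and are not the paper's specific model.

```python
from typing import Dict, Tuple

# Constructed sample data (hypothetical; the paper's own model, roles and
# thresholds are not on this page).

# Trust the organization currently places in each user for each role they
# were nominated for, as a score in [0, 1].
TRUST: Dict[str, Dict[str, float]] = {
    "alice": {"auditor": 0.95, "clerk": 0.68},
    "bob":   {"clerk": 0.55},
}

# Per-role ramp that turns a trust score into a degree of role membership:
# trust <= low gives 0.0 (not a member), trust >= high gives 1.0 (full member),
# and the degree rises linearly in between. Crisp RBAC is the case low == high.
ROLE_TRUST_RAMP: Dict[str, Tuple[float, float]] = {
    "auditor": (0.70, 0.90),
    "clerk":   (0.50, 0.80),
}

# Fuzzy role-permission relation: how strongly each role carries a permission.
ROLE_PERM: Dict[str, Dict[str, float]] = {
    "auditor": {"read_ledger": 1.0, "export_ledger": 0.8},
    "clerk":   {"read_ledger": 0.7, "post_entry": 1.0, "view_timesheet": 1.0},
}

# Sensitivity of each permission: the composed degree a request must reach.
PERM_THRESHOLD: Dict[str, float] = {
    "view_timesheet": 0.10,
    "read_ledger":    0.50,
    "post_entry":     0.50,
    "export_ledger":  0.75,
}


def trust_to_membership(trust: float, low: float, high: float) -> float:
    """Ramp membership function; returns a degree in [0, 1]."""
    if trust <= low:
        return 0.0
    if trust >= high:
        return 1.0
    return (trust - low) / (high - low)


def user_role_membership(user: str, role: str) -> float:
    """Degree to which `user` holds `role`, derived from trust (0.0 if never nominated)."""
    trust = TRUST.get(user, {}).get(role)
    if trust is None or role not in ROLE_TRUST_RAMP:
        return 0.0
    low, high = ROLE_TRUST_RAMP[role]
    return trust_to_membership(trust, low, high)


def user_permission_degree(user: str, permission: str) -> Tuple[float, str]:
    """Max-min composition of the user-role and role-permission relations.

    Returns the degree and the role that produced it, so a decision can be audited.
    """
    best, via = 0.0, ""
    for role, perms in ROLE_PERM.items():
        degree = min(user_role_membership(user, role), perms.get(permission, 0.0))
        if degree > best:
            best, via = degree, role
    return best, via


def decide(user: str, permission: str) -> bool:
    """Grant only when the composed degree reaches the permission's threshold.

    Unknown permissions and unknown users are denied (default deny).
    """
    threshold = PERM_THRESHOLD.get(permission)
    if threshold is None:
        return False
    degree, _ = user_permission_degree(user, permission)
    return degree >= threshold


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        for perm in PERM_THRESHOLD:
            degree, via = user_permission_degree(user, perm)
            print(f"{user:6} {perm:15} degree={degree:.2f} via={via or '-':8} "
                  f"-> {'GRANT' if decide(user, perm) else 'DENY'}")
```

In this setup bob's trust of 0.55 makes him only about one sixth of a clerk: enough to view timesheets (threshold 0.10) but not to read or post to the ledger, whereas a crisp assignment would have to either admit him fully or not at all. Returning the contributing role alongside the degree keeps every decision explainable in an audit log, which matters more, not less, once policies are imprecise.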
