Self-adaptive federated authorization infrastructures

Authorization infrastructures are an integral part of any network in which resources need to be protected. As networks grow and organizations federate access to their resources, these infrastructures become increasingly difficult to manage. In this paper we explore the automatic adaptation of authorization assets (policies and subject access rights) as a way of managing federated authorization infrastructures. We demonstrate adaptation through a Self-Adaptive Authorization Framework (SAAF) controller that manages policy-based federated authorization infrastructures built on role-based and attribute-based access control (RBAC/ABAC). The SAAF controller implements a feedback loop that monitors the authorization infrastructure in terms of its authorization assets and subject behavior, analyzes candidate adaptations for handling malicious behavior, and acts on the authorization assets to control future authorization decisions. We evaluate a prototype of the SAAF controller by simulating malicious behavior within a deployed federated authorization infrastructure (a federation), demonstrating the escalation of adaptation, and compare SAAF with current technology.
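
The feedback loop described above, as an added illustration that is not the SAAF prototype's own code: the policy format (attribute-set rules over tagged resources), the per-subject score, the thresholds (3, 6, 10), the attribute names "bulk-reader" and "cleared", and the three-step escalation ladder are all assumptions made for this example. The controller monitors authorization requests, scores confidential-resource activity per subject, and escalates from the least disruptive adaptation (stripping one of the subject's attributes) through a policy change to de-provisioning the subject.

```python
"""Added example of a SAAF-style monitor/analyze/act loop over authorization
assets. Not the paper's code; rules, thresholds and attribute names are
assumptions constructed for illustration."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Minimal ABAC rule: permit `action` on resources tagged `resource_tag`
    to subjects holding every attribute in `required`."""
    resource_tag: str
    action: str
    required: frozenset


class Infrastructure:
    """The authorization assets: a policy (list of rules) plus each subject's
    attributes (its access rights) and the tag of each protected resource."""

    def __init__(self, rules, subject_attrs, resources):
        self.rules = list(rules)
        self.subject_attrs = subject_attrs
        self.resources = resources

    def decide(self, subject, action, resource):
        attrs = self.subject_attrs.get(subject)
        if attrs is None:  # unknown or de-provisioned subject: deny
            return False
        tag = self.resources[resource]
        return any(r.resource_tag == tag and r.action == action and r.required <= attrs
                   for r in self.rules)


class Controller:
    """Monitor -> analyze -> act. Every request against a 'confidential'
    resource raises the subject's score (denied attempts weigh more, since a
    subject that keeps trying after a restriction is probing); each crossed
    threshold applies the next, more disruptive adaptation."""
    THRESHOLDS = (3, 6, 10)  # assumed escalation points

    def __init__(self, infra):
        self.infra = infra
        self.score = Counter()
        self.level = defaultdict(int)
        self.log = []

    def observe(self, subject, action, resource):
        """Monitor: intercept a request, record the decision, update the score."""
        permitted = self.infra.decide(subject, action, resource)
        self.log.append((subject, action, resource, permitted))
        if self.infra.resources[resource] == "confidential":
            self.score[subject] += 1 if permitted else 2
            self.analyze(subject)
        return permitted

    def analyze(self, subject):
        """Analyze: map the score to a target level and escalate one step at a time."""
        target = sum(1 for t in self.THRESHOLDS if self.score[subject] >= t)
        while self.level[subject] < target:
            self.level[subject] += 1
            self.act(subject, self.level[subject])

    def act(self, subject, level):
        """Act on the authorization assets; later levels are more disruptive."""
        infra = self.infra
        if level == 1:  # subject access right: drop the bulk-export attribute only
            infra.subject_attrs.get(subject, set()).discard("bulk-reader")
        elif level == 2:  # policy: confidential resources now need a 'cleared' attribute
            infra.rules = [Rule(r.resource_tag, r.action, r.required | {"cleared"})
                           if r.resource_tag == "confidential" else r
                           for r in infra.rules]
        else:  # subject access right: de-provision the subject entirely
            infra.subject_attrs.pop(subject, None)


def run_scenario():
    """Constructed scenario: 'alice' reads confidential documents in bulk."""
    resources = {f"doc{i}": "confidential" for i in range(1, 10)}
    resources["readme"] = "public"
    infra = Infrastructure(
        rules=[Rule("public", "read", frozenset()),
               Rule("confidential", "read", frozenset({"staff"})),
               Rule("confidential", "export", frozenset({"staff", "bulk-reader"}))],
        subject_attrs={"alice": {"staff", "bulk-reader"},
                       "bob": {"staff"},
                       "carol": {"staff", "cleared"}},
        resources=resources)
    ctl = Controller(infra)
    out = {}
    for i in range(1, 4):
        ctl.observe("alice", "read", f"doc{i}")
    out["level_after_3"] = ctl.level["alice"]
    out["export_after_level1"] = infra.decide("alice", "export", "doc1")
    for i in range(4, 7):
        ctl.observe("alice", "read", f"doc{i}")
    out["level_after_6"] = ctl.level["alice"]
    out["bob_after_level2"] = infra.decide("bob", "read", "doc1")      # collateral effect
    out["carol_after_level2"] = infra.decide("carol", "read", "doc1")
    out["alice_denied_7"] = ctl.observe("alice", "read", "doc7")
    out["alice_denied_8"] = ctl.observe("alice", "read", "doc8")
    out["level_final"] = ctl.level["alice"]
    out["alice_public"] = infra.decide("alice", "read", "readme")
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The scenario makes the cost of escalation visible: the level 2 adaptation edits the policy rather than one subject's rights, so it also denies "bob", an unrelated subject in the federation who lacks the new attribute, which is why the ladder starts with subject-level changes and only then touches policy. Whatever the real adaptations are, the controller's writes to the policy and attribute stores need to be authenticated and audited like any other administrative change, since a compromised controller can rewrite the federation's authorization assets at will.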
