Towards Indeterminacy-Tolerant Access Control in IoT

The ultimate goal of any access control system is to assign precisely the necessary level of access (i.e., no more and no less) to each subject. Meeting this goal is challenging in an environment that is as inherently scalable, heterogeneous and dynamic as the Internet of Things (IoT). The volume, velocity and variety of data produced by wireless sensors, RFID tags and other enabling technologies in IoT introduce new challenges for data access. Traditional access control methods that rely on static, pre-defined access policies offer little flexibility in dealing with the challenges of the dynamic IoT environment, a limitation that has been extensively studied in the relevant literature. This work defines and studies the indeterminacy challenge for access control in the context of IoT, which to the best of our knowledge has not been studied in the relevant literature. Current access control models, even those that introduce some form of resiliency into the access decision process, cannot make a correct access decision in unpredicted scenarios, which are common in IoT because its inherent characteristics amplify indeterminacy. Therefore, this work stresses the need for a scalable, heterogeneous and dynamic access control model that is able to cope with indeterminate data access scenarios. To this end, this work proposes a conceptual framework for indeterminacy-tolerant access control in IoT.
