R2Q: A Risk Quantification Framework to Authorize Requests in Web-based Collaborations

Web-based collaboration provides a platform that allows users from different domains to share and access information. In such an environment, mitigating threats from insider attacks is challenging, particularly if state-of-the-art token-based access control is used to authorize (permit or deny) requests, since a valid token says nothing about the intent of the insider who presents it. This calls for an additional authorization layer that makes the final decision on soft-security factors such as the requester's reputation and the risk the request carries. In this paper, we propose a novel risk quantification framework, called $R2Q$, which uses a weighted regression approach to compute the expected threat of a collaboration request. Our model combines the shared object's sensitivity, the access mode of the request, and the requester's security level and reputation, and maps the expected threat to a risk score using prospect theory (PT) inspired value functions, so that the authorization decision is made as a decision under uncertainty over economic outcomes (loss or gain). Simulation-based performance evaluation validates the efficacy of our framework and demonstrates that it can classify requesters based on their past behaviour, and that it enables the collaboration platform to achieve higher rates of successful authorization.
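The pipeline the abstract describes (four request factors combined into an expected threat, then passed through a prospect-theory value function to obtain a risk score that drives the permit/deny decision) can be made concrete in code. The block below is an added illustration and is not the paper's model: it stands in a linear weighted combination for the weighted regression, assumes all factors are normalised to [0, 1], assumes threat weights for the access modes, uses the Tversky and Kahneman (1992) value-function parameters (alpha = beta = 0.88, lambda = 2.25), and picks a reference threat level of 0.5 and a risk threshold of 0 for the decision. None of those choices appear in the abstract.

```python
import math
from dataclasses import dataclass

# Prospect-theory value-function parameters (Tversky & Kahneman 1992 estimates);
# the abstract gives no parameters, so these are assumed here.
ALPHA = 0.88   # curvature for gains
BETA = 0.88    # curvature for losses
LAMBDA = 2.25  # loss aversion: a loss weighs about 2.25x an equal-sized gain

# Assumed threat contribution of each access mode (not specified on the page).
ACCESS_MODE_THREAT = {"read": 0.3, "write": 0.7, "delete": 1.0}

# Assumed weights for (sensitivity, access mode, security level, reputation);
# a stand-in for the paper's weighted regression.
DEFAULT_WEIGHTS = (0.35, 0.25, 0.20, 0.20)


@dataclass(frozen=True)
class Request:
    """One collaboration request; numeric features are normalised to [0, 1] (assumed)."""
    object_sensitivity: float  # 0 = public, 1 = most sensitive
    access_mode: str           # key of ACCESS_MODE_THREAT
    requester_level: float     # requester's security level, 0 = lowest clearance
    reputation: float          # 0 = untrusted, 1 = fully trusted


def _check_unit(name: str, value: float) -> None:
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must lie in [0, 1], got {value!r}")


def expected_threat(req: Request, weights=DEFAULT_WEIGHTS) -> float:
    """Weighted combination of the four factors.

    Sensitivity and a stronger access mode raise the threat; a higher security level
    and a better reputation lower it. With weights summing to 1 the result is in [0, 1].
    """
    if not math.isclose(sum(weights), 1.0):
        raise ValueError("weights must sum to 1")
    if req.access_mode not in ACCESS_MODE_THREAT:
        raise ValueError(f"unknown access mode {req.access_mode!r}")
    _check_unit("object_sensitivity", req.object_sensitivity)
    _check_unit("requester_level", req.requester_level)
    _check_unit("reputation", req.reputation)
    w_s, w_m, w_l, w_r = weights
    return (w_s * req.object_sensitivity
            + w_m * ACCESS_MODE_THREAT[req.access_mode]
            + w_l * (1.0 - req.requester_level)
            + w_r * (1.0 - req.reputation))


def pt_value(outcome: float) -> float:
    """Prospect-theory value function v(x): concave for gains, convex and steeper for losses."""
    if outcome >= 0.0:
        return outcome ** ALPHA
    return -LAMBDA * (-outcome) ** BETA


def risk_score(req: Request, reference: float = 0.5) -> float:
    """Map the expected threat to a risk score through the PT value function.

    Granting the request is valued against a reference threat level (assumed 0.5):
    a threat below it is a gain, above it a loss. The sign is flipped so that a larger
    score means a riskier request; loss aversion makes a threat above the reference
    count for more than an equally sized margin below it.
    """
    outcome = reference - expected_threat(req)
    return -pt_value(outcome)


def authorize(req: Request, threshold: float = 0.0) -> bool:
    """Permit the request when its risk score does not exceed the platform's threshold."""
    return risk_score(req) <= threshold


if __name__ == "__main__":
    # Constructed sample requests, not data from the paper.
    risky = Request(0.9, "write", requester_level=0.3, reputation=0.2)
    benign = Request(0.2, "read", requester_level=0.9, reputation=0.9)
    for r in (risky, benign):
        print(f"threat={expected_threat(r):.3f} risk={risk_score(r):.3f} permit={authorize(r)}")
```

The asymmetry is the point of using a PT value function rather than the raw threat: a request whose threat sits 0.2 above the reference scores roughly 2.25 times further from zero than one sitting 0.2 below it, so borderline-risky requests are pushed towards denial while clearly benign ones are still permitted.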
