Influence of Attribute Freshness on Decision Making in Usage Control

The usage control (UCON) model demands continuous control over the objects of a system. Access decisions are made several times within a usage session and are based on mutable attributes. In modern highly dynamic and distributed systems, attribute values are sometimes not up to date, because attributes may be updated by several entities and may reside outside the system domain. Thus, access decisions about a usage session are made under uncertainty, while existing usage control approaches assume that all attributes are up to date. In this paper we propose an approach that helps to make a rational access decision even when some uncertainty is present. The proposed approach uses continuous-time Markov chains (CTMC) to compute the probability of unnoticed changes of attributes, and risk analysis to make a decision.
