Known unknowns: Indeterminacy in authentication in IoT

Abstract

The Internet of Things (IoT), comprising a plethora of heterogeneous devices, is an enabling technology that can improve the quality of our daily lives, for instance by measuring parameters from the environment (e.g., humidity, temperature, weather, energy consumption, traffic, and others) or from our bodies (e.g., health data). However, as with any technology, IoT has introduced a number of security and privacy challenges. Indeed, IoT devices create, process, transfer and store data that are often sensitive and must be protected from unauthorized access. Similarly, the infrastructure that links with IoT, as well as the IoT devices themselves, is an asset that needs to be protected. This work focuses on authentication in IoT. In particular, we conducted a state-of-the-art review of the access control models that have been proposed, including both traditional access control models and emerging models that have recently been proposed and are tailored for IoT. We identified that the existing models cannot cope with indeterminacy, an inherent characteristic of IoT, which hinders authentication decisions. In this context, we studied the two known components of indeterminacy, i.e., uncertainty and ambiguity, and proposed a new model that handles indeterminacy in authentication in IoT environments.
