TY - JOUR
T1 - Dynamic risk-based decision methods for access control systems
AU - Shaikh, Riaz Ahmed
AU - Adi, Kamel
AU - Logrippo, Luigi
N1 - Funding Information:
The work reported in this article was partially supported by the Natural Sciences and Engineering Research Council of Canada, PROMPT Quebec, and CA Technologies. We thank Hemanth Khambhammettu and Serge Mankovski for useful discussions. We are also thankful to the anonymous referees for comments that have led to improvements in the paper.
PY - 2012/6
Y1 - 2012/6
N2 - In traditional multi-level security systems, trust and risk values are pre-computed. Any change in these values requires manual intervention of an administrator. In many dynamic environments, however, these values should be auto-adaptive and auto-tunable according to the usage history of the users. Moreover, occasional exceptions on resource needs, which are common in dynamic environments like healthcare, should be allowed if the subjects show a positive record of use toward resources they acquired in the past. Conversely, access of authorized users who have a negative record should be restricted. These requirements are not taken into consideration in existing risk-based access control systems. In order to overcome these shortcomings and to meet different sensitivity requirements of various applications, we propose two dynamic risk-based decision methods for access control systems. We provide theoretical and simulation-based analysis and evaluation of both schemes. Also, we analytically prove that the proposed methods not only allow exceptions under certain controlled conditions but uniquely restrict legitimate access of bad authorized users.
KW - Access control
KW - Policy
KW - Risk
KW - Security
KW - Trust
UR - http://www.scopus.com/inward/record.url?scp=84861100364&partnerID=8YFLogxK
U2 - 10.1016/j.cose.2012.02.006
DO - 10.1016/j.cose.2012.02.006
M3 - Article
AN - SCOPUS:84861100364
VL - 31
SP - 447
EP - 464
JO - Computers & Security
JF - Computers & Security
SN - 0167-4048
IS - 4
ER -