Dynamic risk-based decision methods for access control systems

Riaz Ahmed Shaikh, Kamel Adi, Luigi Logrippo

Research output: Contribution to journal › Article › peer-review

50 Citations (Scopus)

Abstract

In traditional multi-level security systems, trust and risk values are pre-computed, and any change in these values requires manual intervention by an administrator. In many dynamic environments, however, these values should be auto-adaptive and auto-tunable according to the usage history of the users. Moreover, occasional exceptions on resource needs, which are common in dynamic environments such as healthcare, should be allowed if the subjects show a positive record of use toward resources they acquired in the past. Conversely, access by authorized users who have a negative record should be restricted. These requirements are not taken into consideration in existing risk-based access control systems. In order to overcome these shortcomings and to meet the different sensitivity requirements of various applications, we propose two dynamic risk-based decision methods for access control systems. We provide theoretical and simulation-based analysis and evaluation of both schemes. We also analytically prove that the proposed methods not only allow exceptions under certain controlled conditions, but also uniquely restrict legitimate access by authorized users with a bad record.

Original language: English
Pages (from-to): 447-464
Number of pages: 18
Journal: Computers and Security
Volume: 31
Issue number: 4
Publication status: Published - Jun 2012

Keywords

  • Access control
  • Policy
  • Risk
  • Security
  • Trust
