Towards Indeterminacy-Tolerant Access Control in IoT

  • Mohammad Heydari
  • Alexios Mylonas
  • Vasileios Katos
  • Dimitris Gritzalis (corresponding author)


The ultimate goal of any access control system is to grant each subject precisely the level of access it needs (no more and no less). Meeting this goal is challenging in an environment as inherently scalable, heterogeneous and dynamic as the Internet of Things (IoT), because the volume, velocity and variety of data produced by wireless sensors, RFID tags and other IoT enabling technologies introduce new challenges for data access. As the relevant literature has extensively documented, traditional access control methods that rely on static, pre-defined access policies lack the flexibility to deal with these challenges of the dynamic IoT environment. This work defines and studies the indeterminacy challenge for access control in the context of IoT, which to the best of our knowledge has not been studied in the relevant literature. Current access control models, even those that introduce some form of resiliency into the access decision process, cannot make a correct access decision in unpredicted scenarios, which are typical in IoT because its inherent characteristics amplify indeterminacy. Therefore, this work stresses the need for a scalable, heterogeneous and dynamic access control model that is able to cope with indeterminate data access scenarios. To this end, it proposes a conceptual framework for indeterminacy-tolerant access control in IoT.


Keywords: IoT; Internet of Things; Access control
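To make the indeterminacy problem described in the abstract concrete, the following is an added illustration (not code from the paper and not the authors' proposed framework): a minimal attribute-based policy evaluated by two decision functions. The static evaluator, in the spirit of the pre-defined policies the abstract criticises, turns a missing attribute into a definite answer. The second evaluator uses the three-valued outcome familiar from XACML (Permit/Deny/Indeterminate under first-applicable combining), so an unknown attribute surfaces as an explicit INDETERMINATE instead of a guess. The rules, the attribute names (role, location, trust_score) and the sample requests are constructed for this example.

```python
"""Illustration of indeterminacy in attribute-based access control.

A static policy assumes every attribute a rule reads is present and crisp.
In an IoT deployment a reading may be missing (sensor offline), or a device
may have no reputation yet. The two evaluators below differ only in how
they treat such a gap. This is an added example, not the paper's framework.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List


class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    INDETERMINATE = "indeterminate"  # a required attribute is unknown


Attrs = Dict[str, object]


@dataclass(frozen=True)
class Rule:
    name: str
    effect: Decision                  # PERMIT or DENY
    required: List[str]               # attribute names the condition reads
    condition: Callable[[Attrs], bool]


def static_evaluate(rules: List[Rule], attrs: Attrs) -> Decision:
    """Conventional evaluator: a rule whose attribute is missing is treated
    as 'not applicable'. First applicable rule wins; otherwise default DENY."""
    for rule in rules:
        try:
            if rule.condition(attrs):
                return rule.effect
        except KeyError:
            continue  # missing attribute silently coerced into 'rule does not apply'
    return Decision.DENY


def tolerant_evaluate(rules: List[Rule], attrs: Attrs) -> Decision:
    """Three-valued evaluator with XACML-style first-applicable combining:
    if a rule cannot be evaluated because a required attribute is absent,
    the outcome is INDETERMINATE, because a later rule must not override a
    rule that might have applied."""
    for rule in rules:
        missing = [a for a in rule.required if attrs.get(a) is None]
        if missing:
            return Decision.INDETERMINATE
        if rule.condition(attrs):
            return rule.effect
    return Decision.DENY


# Constructed policy (hypothetical names): a deny rule followed by a permit rule.
POLICY = [
    Rule("deny-untrusted-device", Decision.DENY, ["trust_score"],
         lambda a: a["trust_score"] < 0.3),
    Rule("permit-nurse-in-ward", Decision.PERMIT, ["role", "location"],
         lambda a: a["role"] == "nurse" and a["location"] == "ward-3"),
]

# Constructed sample requests (not real data).
REQUESTS = {
    "complete": {"role": "nurse", "location": "ward-3", "trust_score": 0.9},
    "location_unknown": {"role": "nurse", "trust_score": 0.9},   # location sensor offline
    "trust_unknown": {"role": "nurse", "location": "ward-3"},    # new device, no reputation yet
}


def evaluate_all(evaluator, rules=POLICY, requests=REQUESTS) -> Dict[str, Decision]:
    """Run one evaluator over every sample request and return its decisions."""
    return {name: evaluator(rules, attrs) for name, attrs in requests.items()}


if __name__ == "__main__":
    for label, evaluator in (("static", static_evaluate), ("tolerant", tolerant_evaluate)):
        for name, decision in evaluate_all(evaluator).items():
            print(f"{label:9s} {name:17s} -> {decision.value}")
```

The trust_unknown request shows the dangerous direction: the static evaluator skips the deny rule it cannot evaluate and falls through to PERMIT, so a device with no reputation data is treated as if it had passed the trust check. The tolerant evaluator only reports that the decision cannot be made; what to do with an INDETERMINATE outcome (deny, escalate, break-glass, risk-based fallback) is the design question the abstract raises rather than something this snippet settles.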



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Mohammad Heydari (1)
  • Alexios Mylonas (1)
  • Vasileios Katos (1)
  • Dimitris Gritzalis (2), corresponding author

  1. Department of Computing and Informatics, Bournemouth University, Poole, UK
  2. Department of Informatics, Athens University of Economics and Business, Athens, Greece
