Abstract
The usage control (UCON) model demands continuous control over the objects of a system. Access decisions are made several times within a usage session, on the basis of mutable attributes. In modern highly dynamic and distributed systems, attribute values are sometimes not up to date, because attributes may be updated by several entities and may reside outside the system domain. Thus, access decisions about a usage session are made under uncertainty, while existing usage control approaches assume that all attributes are up to date.
In this paper we propose an approach that helps to make a rational access decision even when some uncertainty is present. The proposed approach uses continuous-time Markov chains (CTMC) to compute the probability of unnoticed changes of attributes, and risk analysis to make a decision.
This work was partly supported by EU-FP7-ICT CONSEQUENCE and EU-FP7-ICT NESSoS projects.
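The idea summarised in the abstract can be sketched as follows; this is an added example, not the authors' code or formulas. The attribute states, transition rates, costs and the expected-loss decision rule are all assumptions made here for illustration: a CTMC gives the probability that an attribute last observed some time ago now violates the policy, and that probability is weighed against the cost of a wrong decision.

```python
import math

def transient(Q, start, t, tol=1e-12, max_terms=10_000):
    """State distribution at time t of a CTMC with generator Q that was in
    `start` at time 0, computed by uniformization."""
    n = len(Q)
    lam = max(-Q[i][i] for i in range(n)) or 1.0   # uniformization rate
    # Embedded discrete-time chain P = I + Q / lam
    P = [[(i == j) + Q[i][j] / lam for j in range(n)] for i in range(n)]
    v = [1.0 if i == start else 0.0 for i in range(n)]
    w = math.exp(-lam * t)                          # Poisson weight for k = 0
    out, acc, k = [w * x for x in v], w, 0
    while 1.0 - acc > tol and k < max_terms:
        k += 1
        v = [sum(v[i] * P[i][j] for i in range(n)) for j in range(n)]
        w *= lam * t / k
        acc += w
        out = [o + w * x for o, x in zip(out, v)]
    return out

def decide(Q, last_value, age, bad_states, cost_violation, cost_denial):
    """Compare the expected loss of continuing a session against that of
    revoking it, given an attribute last observed `age` time units ago."""
    dist = transient(Q, last_value, age)
    p_bad = sum(dist[s] for s in bad_states)
    risk_allow = p_bad * cost_violation        # session continues while policy is violated
    risk_deny = (1.0 - p_bad) * cost_denial    # legitimate session is revoked
    return ("allow" if risk_allow <= risk_deny else "deny"), p_bad

# Constructed sample: reputation attribute, states 0=high, 1=medium, 2=low;
# the (assumed) policy requires reputation above "low". Rates are per hour.
Q = [[-0.2, 0.2, 0.0],
     [0.1, -0.4, 0.3],
     [0.0, 0.5, -0.5]]

if __name__ == "__main__":
    for age in (0.0, 0.5, 1.0, 3.0, 10.0):
        verdict, p = decide(Q, 0, age, {2}, cost_violation=100, cost_denial=5)
        print(f"age={age:>4}h  P(stale value hides a violation)={p:.4f}  {verdict}")
```

With these constructed numbers the decision flips from allow to deny as the last observation ages, which is the point at which a fresh attribute value should be fetched before the session continues.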
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Krautsevich, L., Lazouski, A., Martinelli, F., Yautsiukhin, A. (2011). Influence of Attribute Freshness on Decision Making in Usage Control. In: Cuellar, J., Lopez, J., Barthe, G., Pretschner, A. (eds) Security and Trust Management. STM 2010. Lecture Notes in Computer Science, vol 6710. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22444-7_3
DOI: https://doi.org/10.1007/978-3-642-22444-7_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-22443-0
Online ISBN: 978-3-642-22444-7
eBook Packages: Computer Science, Computer Science (R0)