TY - CHAP
T1 - Risk based access control using classification
AU - Badar, Nazia
AU - Vaidya, Jaideep
AU - Atluri, Vijayalakshmi
AU - Shafiq, Basit
N1 - Publisher Copyright: © Springer International Publishing Switzerland 2013.
PY - 2013/1/1
Y1 - 2013/1/1
N2 - Traditional access control operates under the principle that a user's request to a specific resource is denied if there does not exist an explicit specification of the permission in the system. In many emergency and disaster management situations, access to critical information is expected because of the 'need to share', and in some cases, because of the 'responsibility to provide' information. Therefore, the importance of situational semantics cannot be underestimated when access control decisions are made. There is a need for providing access based on the (unforeseen) situation, where simply denying an access may have more deleterious effects than granting access, if the underlying risk is small. These requirements have significantly increased the demand for new access control solutions that provide flexible, yet secure access. In this paper, we quantify the risk associated with granting an access based on the technique of classification. We propose two approaches for risk-based access control. The first approach considers only the simple access control matrix model, and evaluates the risk of granting a permission based on the existing user-permission assignments. The second assumes role-based access control, and determines the best situational role that has least risk and allows maximum permissiveness when assigned under uncertainty. We experimentally evaluate both approaches with real and synthetic datasets.
UR - http://www.scopus.com/inward/record.url?scp=84948122645&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84948122645&partnerID=8YFLogxK
U2 - https://doi.org/10.1007/978-3-319-01433-3_5
DO - https://doi.org/10.1007/978-3-319-01433-3_5
M3 - Chapter
SN - 9783319014326
SP - 79
EP - 95
BT - Automated Security Management
PB - Springer International Publishing
ER -