research-article

Too Long, did not Enforce: A Qualitative Hierarchical Risk-Aware Data Usage Control Model for Complex Policies in Distributed Environments

Authors:

Fabio Martinelli,

Christina Michailidou,

Andrea SaracinoAuthors Info & Claims

CPSS '18: Proceedings of the 4th ACM Workshop on Cyber-Physical System Security

Pages 27 - 37

https://doi.org/10.1145/3198458.3198463

Published: 22 May 2018 Publication History

Abstract

Distributed environments such as Internet of Things, have an increasing need of introducing access and usage control mechanisms, to manage the rights to perform specific operations and regulate the access to the plethora of information daily generated by these devices. Defining policies which are specific to these distributed environments could be a challenging and tedious task, mainly due to the large set of attributes that should be considered, hence the upcoming of unforeseen conflicts or unconsidered conditions. In this paper we propose a qualitative risk-based usage control model, aimed at enabling a framework where is possible to define and enforce policies at different levels of granularity. In particular, the proposed framework exploits the Analytic Hierarchy Process (AHP) to coalesce the risk value assigned to different attributes in relation to a specific operation, in a single risk value, to be used as unique attribute of usage control policies. Two sets of experiments that show the benefits both in policy definition and in performance, validate the proposed model, demonstrating the equivalence of enforcement among standard policies and the derived single-attributed policies.

References

[1]

Benjamin Aziz, Simon N. Foley, John Herbert, and Garret Swart. 2006. Reconfiguring Role Based Access Control Policies Using Risk Semantics. J. High Speed Netw. 15, 3 (July 2006), 261--273. http://dl.acm.org/citation.cfm?id=2692141.2692146

Digital Library

[2]

Enrico Carniani, Davide D'Arenzo, Aliaksandr Lazouski, Fabio Martinelli, and Paolo Mori. 2016. Usage Control on Cloud systems. Future Generation Comp. Syst. 63 (2016), 37--55.

Digital Library

[3]

Pau-Chen Cheng, Pankaj Rohatgi, Claudia Keser, Paul A Karger, Grant M Wagner, and Angela Schuett Reninger. 2007. Fuzzy multi-level security: An experiment on quantified risk-adaptive access control. In Proceedings of the IEEE Symposium on Security and Privacy, 2007. SP'07. IEEE, 222--230.

Digital Library

[4]

Department of Defense Standard CSC-STD-001--83. 1985. Department of Defense Trusted Computer System Evaluation Criteria. DoD Computer Security Center. (Dec. 1985).

[5]

Gianluca Dini, Fabio Martinelli, Ilaria Matteucci, Marinella Petrocchi, Andrea Saracino, and Daniele Sgandurra. 2016. Risk analysis of Android applications: A user-centric solution. Future Generation Computer Systems (2016).

Digital Library

[6]

V. C. Hu, D. Ferraiolo, R. Kuhn, A. Schnitzer, K. Sandlin, R. Miller, and K. Scarfone. 2013. Guide to attribute based access control (ABAC) definition and considerations. NIST Special Publication, vol. 800, pp. 162,. (2013).

[7]

Wenbo Jiang and Huaqi Chai. 2015. A risk management methodology for R&D Project risk based on AHP and fuzzy comprehensive evaluation method. In Proceedings of IEEE International Conference on Industrial Engineering and Engineering Management (IEEM). IEEE, 320--324.

[8]

L. Jiawei. 2011. Risk assessment of accounting information system based on AHP and fuzzy comprehensive evaluation method. In Proceedings of the 6th International Conference on Computer Sciences and Convergence Information Technology (ICCIT). 905--908.

[9]

Leanid Krautsevich, Aliaksandr Lazouski, Fabio Martinelli, Paolo Mori, and Artsiom Yautsiukhin. 2010. Usage control, risk and trust. In Proceedings of the International Conference on Trust, Privacy and Security in Digital Business. Springer, 1--12.

Digital Library

[10]

L. Krautsevich, A. Lazouski, F. Martinelli, and A. Yautsiukhin. 2010. Risk-Aware Usage Decision Making in Highly Dynamic Systems. In Proceedings of the 5th International Conference on Internet Monitoring and Protection. 29--34.

Digital Library

[11]

L. Krautsevich, A. Lazouski, F. Martinelli, and A. Yautsiukhin. 2010. Risk-Based Usage Control for Service Oriented Architecture. In Proceedings of the 18th Euromicro Conference on Parallel, Distributed and Network-based Processing. 641--648.

Digital Library

[12]

L. Krautsevich, A. Lazouski, F. Martinelli, and A. Yautsiukhin. 2011. Cost-effective enforcement of UCONA policies. In Proceedings of the 6th International Conference on Risks and Security of Internet and Systems (CRiSIS). 1--8.

Digital Library

[13]

A. Lazouski, G. Mancini, F. Martinelli, and P. Mori. 2012. Usage control in cloud systems. In The 7th International Conference for Internet Technology And Secured Transactions,(ICITST-2012). 202--207.

[14]

A. L. Marra, F. Martinelli, P. Mori, and A. Saracino. 2017. Implementing Usage Control in Internet of Things: A Smart Home Use Case. In 2017 IEEE Trustcom/BigDataSE/ICESS. 1056--1063.

[15]

Jaehong Park and Ravi Sandhu. 2002. Towards Usage Control Models: Beyond Traditional Access Control. In Proceedings of the Seventh ACM Symposium on Access Control Models and Technologies (SACMAT '02). ACM, New York, NY, USA, 57--64.

Digital Library

[16]

J. Park and R. Sandhu. 2004. The U CO N ABC usage control model. ACM Transactions on Information and System Security 7, 1 (2004), 128--174.

Digital Library

[17]

J. Park, X. Zhang, and R. Sandhu. 2004. Attribute Mutability in Usage Control. In Research Directions in Data and Applications Security XVIII, IFIP TC11/WG 11.3 Eighteenth Annual Conference on Data and Applications Security. 15--29.

[18]

A. Pretschner, M. Hilty, and D.A. Basin. 2006. Distributed usage control. Commun. ACM 49, 9 (2006), 39--44.

Digital Library

[19]

R.W. Saaty. 1987. The analytic hierarchy process - what it is and how it is used. Mathematical Modelling 9, 3 (1987), 161 -- 176.

[20]

Ravi S Sandhu, Edward J Coyne, Hal L Feinstein, and Charles E Youman. 1996. Role-based access control models. Computer 29, 2 (1996), 38-- 47. https://www.dropbox.com/s/cjcf96zo863e4qc/1.Role-Based%20Access%20Control%20Models.pdf?dl=0

Digital Library

[21]

Riaz Ahmed Shaikh, Kamel Adi, and Luigi Logrippo. 2012. Dynamic risk-based decision methods for access control systems. computers &security 31, 4 (2012), 447--464.

Digital Library

[22]

Qihua Wang and Hongxia Jin. 2011. Quantified Risk-adaptive Access Control for Patient Privacy Protection in Health Information Systems. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (ASIACCS '11). ACM, New York, NY, USA, 406--410.

Digital Library

[23]

Lei Zhang, Alexander Brodsky, and Sushil Jajodia. 2006. Toward information sharing: Benefit and risk access control (barac). In Proceedings of the 7th IEEE International Workshop on Policies for Distributed Systems and Networks, 2006. Policy 2006. IEEE, 9--pp.

Digital Library

[24]

Xinwen Zhang, Francesco Parisi-Presicce, Ravi Sandhu, and Jaehong Park. 2005. Formal Model and Policy Specification of Usage Control. ACM Transactions on Information and System Security 8, 4 (2005), 351--387.

Digital Library

Cited By

Ameer SBenson JSandhu R(2023)Hybrid Approaches (ABAC and RBAC) Toward Secure Access Control in Smart Home IoTIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2022.321629720:5(4032-4051)Online publication date: 1-Sep-2023
https://doi.org/10.1109/TDSC.2022.3216297
Calvo MBeltrán M(2023)Applying the Goal, Question, Metric method to derive tailored dynamic cyber risk metricsInformation & Computer Security10.1108/ICS-03-2023-004332:2(133-158)Online publication date: 16-Oct-2023
https://doi.org/10.1108/ICS-03-2023-0043
Ameer SBenson JSandhu R(2022)An Attribute-Based Approach toward a Secured Smart-Home IoT Access Control and a Comparison with a Role-Based ApproachInformation10.3390/info1302006013:2(60)Online publication date: 25-Jan-2022
https://doi.org/10.3390/info13020060
Show More Cited By

Index Terms

Too Long, did not Enforce: A Qualitative Hierarchical Risk-Aware Data Usage Control Model for Complex Policies in Distributed Environments
1. Security and privacy
  1. Security services
    1. Access control

Recommendations

An Integrated Approach for the Enforcement of Contextual Permissions and Pre-Obligations

Pre-obligations denote actions that may be required before access is granted. The successful fulfillment of pre-obligations leads to the authorization of the requested access. Pre-obligations enable a more flexible enforcement of authorization policies. ...
Obligation Management Framework for Usage Control
SACMAT 2024: Proceedings of the 29th ACM Symposium on Access Control Models and Technologies

Obligations were introduced in access and usage control as a mechanism to specify mandatory actions to be fulfilled as part of authorization. In this paper, we address challenges related to obligation management in access and usage control, focusing on ...
Specification and Enforcement of Static Separation-of-Duty Policies in Usage Control
ISC '09: Proceedings of the 12th International Conference on Information Security

Separation-of-Duty (SoD) policy is a fundamental security principle for prevention of fraud and errors in computer security. The research of static SoD (SSoD) policy in recently presented usage control (UCON) model has not been explored. Consequently, ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CPSS '18: Proceedings of the 4th ACM Workshop on Cyber-Physical System Security

May 2018

79 pages

ISBN:9781450357555

DOI:10.1145/3198458

Program Chairs:
Dieter Gollmann
Hamburg University of Technology, Germany &NTU, Singapore
,
Jianying Zhou
SUTD, Singapore

Copyright © 2018 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 22 May 2018

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

H2020 Security

Conference

ASIA CCS '18

Sponsor:

SIGSAC

ASIA CCS '18: ACM Asia Conference on Computer and Communications Security

June 4, 2018

Incheon, Republic of Korea

Acceptance Rates

CPSS '18 Paper Acceptance Rate 6 of 24 submissions, 25%;

Overall Acceptance Rate 43 of 135 submissions, 32%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

10
Total Citations
View Citations
207
Total Downloads

Downloads (Last 12 months)10
Downloads (Last 6 weeks)1

Reflects downloads up to 14 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

Ameer SBenson JSandhu R(2023)Hybrid Approaches (ABAC and RBAC) Toward Secure Access Control in Smart Home IoTIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2022.321629720:5(4032-4051)Online publication date: 1-Sep-2023
https://doi.org/10.1109/TDSC.2022.3216297
Calvo MBeltrán M(2023)Applying the Goal, Question, Metric method to derive tailored dynamic cyber risk metricsInformation & Computer Security10.1108/ICS-03-2023-004332:2(133-158)Online publication date: 16-Oct-2023
https://doi.org/10.1108/ICS-03-2023-0043
Ameer SBenson JSandhu R(2022)An Attribute-Based Approach toward a Secured Smart-Home IoT Access Control and a Comparison with a Role-Based ApproachInformation10.3390/info1302006013:2(60)Online publication date: 25-Jan-2022
https://doi.org/10.3390/info13020060
Ameer SGupta MBhatt SSandhu RDietrich SChowdhury OTakabi D(2022)BlueSkyProceedings of the 27th ACM on Symposium on Access Control Models and Technologies10.1145/3532105.3535020(235-244)Online publication date: 7-Jun-2022
https://dl.acm.org/doi/10.1145/3532105.3535020
Praharaj LAmeer SGupta MSandhu R(2022)Attributes Aware Relationship-based Access Control for Smart IoT Systems2022 IEEE 8th International Conference on Collaboration and Internet Computing (CIC)10.1109/CIC56439.2022.00021(72-81)Online publication date: Dec-2022
https://doi.org/10.1109/CIC56439.2022.00021
Ameer SSandhu RGupta MAbdelsalam MMittal S(2021)The HABAC Model for Smart Home IoT and Comparison to EGRBACProceedings of the 2021 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems10.1145/3445969.3450428(39-48)Online publication date: 28-Apr-2021
https://dl.acm.org/doi/10.1145/3445969.3450428
Michailidou CGkioulos VShalaginov ARizos ASaracino A(2020)RESPOnSE—A Framework for Enforcing Risk-Aware Security Policies in Constrained Dynamic EnvironmentsSensors10.3390/s2010296020:10(2960)Online publication date: 23-May-2020
https://doi.org/10.3390/s20102960
Ameer SBenson JSandhu R(2020)The EGRBAC Model for Smart Home IoT2020 IEEE 21st International Conference on Information Reuse and Integration for Data Science (IRI)10.1109/IRI49571.2020.00076(457-462)Online publication date: Aug-2020
https://doi.org/10.1109/IRI49571.2020.00076
Gkioulos VRizos AMichailidou CMori PSaracino A(2019)Enhancing Usage Control for Performance: An Architecture for Systems of SystemsComputer Security10.1007/978-3-030-12786-2_5(69-84)Online publication date: 31-Jan-2019
https://doi.org/10.1007/978-3-030-12786-2_5
Gkioulos VRizos AMichailidou CMartinelli FMori P(2018)Enhancing Usage Control for Performance: A Proposal for Systems of Systems (Research Poster)2018 International Conference on High Performance Computing & Simulation (HPCS)10.1109/HPCS.2018.00169(1061-1062)Online publication date: Jul-2018
https://doi.org/10.1109/HPCS.2018.00169

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents