RISK BASED ACCESS CONTROL WITH UNCERTAIN AND TIME-DEPENDENT SENSITIVITY

John A. Clark, Juan E. Tapiador, John McDermid, Pau-Chen Cheng, Dakshi Agrawal, Natalie Ivanic, Dave Slogget

Abstract

In traditional multi-level security (MLS) models, object labels are fixed assessments of sensitivity. In practice there will inevitably be some uncertainty about the damage that might be caused if a document falls into the wrong hands. Furthermore, unless specific management action is taken to regrade the label on an object, it does not change. This does not reflect the operational reality of many modern systems, where there is clearly a temporal element to the actual sensitivity of information: tactical information may be highly sensitive right now but comparatively irrelevant tomorrow, whilst strategic secrets may need to be kept for many years, decades, or even longer. In this paper we propose to model both security labels and clearances as probability distributions. We provide practical templates to model both uncertainty and temporally characterized dependencies, and show how these features can be naturally integrated into a recently proposed access control framework based on quantified risk.
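To make the abstract's idea concrete, the Python below treats a label and a clearance as probability distributions over five levels, computes the expected damage of granting an access by averaging over both, and ages a label with a simple downgrade process so that tactical information loses sensitivity while strategic information does not. This is an added illustration written for this page; it is not the paper's model and not the quantified-risk (Fuzzy MLS) framework the abstract refers to. Every numeric choice in it is an assumption: the five-level ordering, the tenfold damage scale per level, the logistic compromise curve with steepness 1.5, the per-step downgrade probability p_down used as the temporal template, and the risk budget of 1000. The scenario data is constructed.

```python
"""Risk-based access decision with labels and clearances as probability distributions.

Added illustration (not the paper's model and not the Fuzzy MLS framework it
builds on): the level ordering, damage scale, compromise curve and downgrade
process below are all assumptions chosen to make the abstract's idea concrete.
"""
import math
from typing import Dict, Tuple

# Assumed five-level ordering: 0=Unclassified, 1=Restricted, 2=Confidential,
# 3=Secret, 4=Top Secret. A label or clearance is a mapping level -> probability.
LEVELS = range(5)
Dist = Dict[int, float]


def normalize(d: Dist) -> Dist:
    """Return a copy whose mass sums to 1, with zero-mass levels dropped."""
    total = sum(d.values())
    if total <= 0:
        raise ValueError("distribution has no mass")
    return {lvl: p / total for lvl, p in d.items() if p > 0}


def damage(level: int) -> float:
    """Assumed cost of disclosure: each level is ten times worse than the one below."""
    return 10.0 ** level


def p_compromise(gap: int, steepness: float = 1.5) -> float:
    """Assumed probability that a granted access ends in disclosure.

    gap = object level - subject clearance. A logistic curve makes risk grow
    smoothly with the gap instead of flipping at gap == 0 as a hard MLS check does.
    """
    return 1.0 / (1.0 + math.exp(-steepness * gap))


def expected_risk(label: Dist, clearance: Dist) -> float:
    """Expected damage of granting access, averaged over both uncertainties."""
    risk = 0.0
    for lo, po in normalize(label).items():
        for lc, pc in normalize(clearance).items():
            risk += po * pc * damage(lo) * p_compromise(lo - lc)
    return risk


def age_label(label: Dist, steps: int, p_down: float) -> Dist:
    """Assumed temporal template: at each step, mass at level l > 0 drops to l-1
    with probability p_down. Tactical data uses a large p_down, strategic data ~0."""
    if not 0.0 <= p_down <= 1.0:
        raise ValueError("p_down must be a probability")
    cur = normalize(label)
    for _ in range(steps):
        nxt = {lvl: 0.0 for lvl in LEVELS}
        for lvl, p in cur.items():
            if lvl > 0:
                nxt[lvl - 1] += p * p_down
                nxt[lvl] += p * (1.0 - p_down)
            else:
                nxt[0] += p  # level 0 is absorbing
        cur = nxt
    return normalize(cur)


def decide(label: Dist, clearance: Dist, threshold: float) -> Tuple[bool, float]:
    """Grant iff the expected risk fits the (assumed) risk budget; return both."""
    risk = expected_risk(label, clearance)
    return risk <= threshold, risk


if __name__ == "__main__":
    # Constructed scenario: an analyst cleared to level 2 asks for a report that
    # its issuer believes is Top Secret (70%) or Secret (30%).
    analyst = {2: 1.0}
    report_now = {4: 0.7, 3: 0.3}
    budget = 1000.0  # assumed risk budget for this request

    for day in (0, 10):
        for kind, p_down in (("tactical", 0.3), ("strategic", 0.0)):
            ok, risk = decide(age_label(report_now, day, p_down), analyst, budget)
            print(f"day {day:2d} {kind:9s} risk={risk:8.1f} -> {'grant' if ok else 'deny'}")

    # Uncertainty is not free: two labels with the same mean level but different
    # spread give different risk, because damage is convex in the level.
    print("certain Secret  :", round(expected_risk({3: 1.0}, {3: 1.0}), 1))
    print("uncertain 2 or 4:", round(expected_risk({2: 0.5, 4: 0.5}, {3: 1.0}), 1))
```

Two things the run makes visible that a fixed label cannot: the same request is denied on day 0 and granted on day 10 once the tactical label has decayed, while the strategic variant stays denied; and a label that is uncertain between Confidential and Top Secret carries far more expected risk than a certain Secret label, because the cost of disclosure grows faster than linearly with the level, so replacing a distribution by its mean understates risk.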



Paper Citation


in Harvard Style

A. Clark J., E. Tapiador J., McDermid J., Cheng P., Agrawal D., Ivanic N. and Slogget D. (2010). RISK BASED ACCESS CONTROL WITH UNCERTAIN AND TIME-DEPENDENT SENSITIVITY . In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010) ISBN 978-989-8425-18-8, pages 5-13. DOI: 10.5220/0002935200050013


in Bibtex Style

@conference{secrypt10,
author={John A. Clark and Juan E. Tapiador and John McDermid and Pau-Chen Cheng and Dakshi Agrawal and Natalie Ivanic and Dave Slogget},
title={RISK BASED ACCESS CONTROL WITH UNCERTAIN AND TIME-DEPENDENT SENSITIVITY},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010)},
year={2010},
pages={5-13},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002935200050013},
isbn={978-989-8425-18-8},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010)
TI - RISK BASED ACCESS CONTROL WITH UNCERTAIN AND TIME-DEPENDENT SENSITIVITY
SN - 978-989-8425-18-8
AU - A. Clark J.
AU - E. Tapiador J.
AU - McDermid J.
AU - Cheng P.
AU - Agrawal D.
AU - Ivanic N.
AU - Slogget D.
PY - 2010
SP - 5
EP - 13
DO - 10.5220/0002935200050013