An Overview of Risk Estimation Techniques in Risk-based Access Control for the Internet of Things

Hany F. Atlam, Ahmed Alenezi, Robert J. Walters, Gary B. Wills

Abstract

The Internet of Things (IoT) represents a modern approach where boundaries between real and digital domains are progressively eliminated by changing over consistently every physical device to smart object ready to provide valuable services. These services provide a vital role in different life domains but at the same time create new challenges particularly in security and privacy. Authentication and access control models are considered as the essential elements to address these security and privacy challenges. Risk-based access control model is one of the dynamic access control models that provides more flexibility in accessing system resources. This model performs a risk analysis to estimate the security risk associated with each access request and uses the estimated risk to make the access decision. One of the essential elements in this model is the risk estimation process. Estimating risk is a complex operation that requires the consideration of a variety of factors in the access control environment. Moreover, the interpretation and estimation of the risk might vary depending on the working domain. This paper presents a review of different risk estimation techniques. Existing risk-based access control models are discussed and compared in terms of the risk estimation technique, risk factors, and the evaluation domain. Requirements for choosing the appropriate risk estimation technique for the IoT system are also demonstrated.

References

  1. Abul-Haggag, O.Y. & Barakat, W., 2013. Application of Fuzzy Logic for Risk Assessment using Risk Matrix. International Journal of Emerging Technology and Advanced Engineering, 3(1), pp.49-54.
  2. Adda, M. et al., 2015. Toward an Access Control Model for IOTCollab. The 6th International Conference on Ambient Systems, Networks and Technologies, 52(Ant), pp.428-435.
  3. Chen, P. et al., 2007. Fuzzy Multi - Level Security?: An Experiment on Quantified Risk - Adaptive Access Control. 2007 IEEE Symposium on Security and Privacy(SP'07), pp.222-227.
  4. Diep, N.N. et al., 2007. Enforcing Access Control Using Risk Assessment. the Fourth European Conference on Universal Multiservice Networks, pp.419-424.
  5. Fremantle, P. et al., 2014. Federated Identity and Access Management for the Internet of Things. 2014 International Workshop on Secure Internet of Things (SIoT), pp.10-17.
  6. Goerdin, S.A. V, Smit, J.J. & Mehairjan, R.P.Y., 2015a. Monte Carlo simulation applied to support risk-based decision making in electricity distribution networks. 2015 IEEE Eindhoven PowerTech, PowerTech 2015.
  7. Goerdin, S.A. V, Smit, J.J. & Mehairjan, R.P.Y., 2015b. Monte Carlo simulation applied to support risk-based decision making in electricity distribution networks. 2015 IEEE Eindhoven PowerTech.
  8. Habib, K. & Leister, W., 2015. Context-Aware Authentication for the Internet of Things. The Eleventh International Conference on Autonomic and Autonomous Systems fined, pp.134-139.
  9. Hamdi, M. & Abie, H., 2014. Game-based adaptive security in the Internet of Things for eHealth. 2014 IEEE International Conference on Communications, ICC 2014, pp.920-925.
  10. Kahneman, D., Slovic, P. & Tversky, A., 1974. Judgment under uncertainty: heuristics and biases. Science, 185(4157), pp.1124-1131.
  11. Khambhammettu, H. et al., 2013. A framework for risk assessment in access control systems. Computers & Security, 39(Sec 2012), pp.86-103.
  12. Kulk, G.P., Peters, R.J. & Verhoef, C., 2009. Quantifying IT estimation risks. Science of Computer Programming, 74(11-12), pp.900-933.
  13. Langaliya, C. & Aluvalu, R., 2015. Enhancing Cloud Security through Access Control Models?: A Survey. International Journal of Computer Applications, 112(7), pp.8-12.
  14. Li, J., Bai, Y. & Zaman, N., 2013. A fuzzy modeling approach for risk-based access control in eHealth cloud. Proceedings - 12th IEEE International Conference on Trust, Security, and Privacy in Computing and Communications, TrustCom 2013, pp.17-23.
  15. Liu, J., Xiao, Y. & Chen, C.L.P., 2012. Authentication and access control in the Internet of things. Proceedings - 32nd IEEE International Conference on Distributed Computing Systems Workshops, ICDCSW 2012, pp.588-592.
  16. Ni, Q., Bertino, E. & Lobo, J., 2010. Risk-based access control systems built on fuzzy inferences. in Proceedings of the 5th ACM Symposium on Information, Computer, and Communications Security, ser. ASIACCS 10. New York, NY, USA: ACM, pp.250- 260.
  17. Pluess, D., Groso, A. & Meyer, T., 2013. Expert Judfgement in Risk Analysis: A Strategy to Overcome Uncertainities. Chemical Engineering Transactions, 31, pp.307-312.
  18. Pokorádi, L., 2002. Fuzzy logic-based risk assessment. Academic and Applied Research in Military Science, 1(1), pp.63-73.
  19. Rajbhandari, L. & Snekkenes, E.A., 2011. Using game theory to analyze risk to privacy: An initial insight. Privacy and Identity Management for Life, Springer Berlin Heidelberg, pp.41-51.
  20. Ricardo dos Santos, D., Westphall, C.M. & Westphall, C.B., 2013. Risk-based Dynamic Access Control for a Highly Scalable Cloud Federation. Proceedings of the Seventh International Conference on Emerging Security Information, Systems and Technologies (SECUREWARE 2013), pp.8-13.
  21. Dos Santos, D.R., Westphall, C.M. & Westphall, C.B., 2014. A dynamic risk-based access control architecture for cloud computing. IEEE/IFIP NOMS 2014 - IEEE/IFIP Network Operations and Management Symposium: Management in a Software Defined World, pp.1-9.
  22. Shaikh, R.A., Adi, K. & Logrippo, L., 2012. Dynamic riskbased decision methods for access control systems. Computers and Security, 31(4), pp.447-464.
  23. Shanbhag, R. & Shankarmani, R., 2015. Architecture for Internet of Things to minimize human intervention. 2015 International Conference on Advances in Computing, Communications, and Informatics, ICACCI 2015, pp.2348-2353.
  24. Shang, K. & Hossen, Z., 2013. Applying Fuzzy Logic to Risk Assessment and Decision-Making. Casualty Actuarial Society, Canadian Institute of Actuaries, Society of Actuaries, pp.1-59.
  25. Stoneburner, G., Goguen, A. & Feringa, A., 2002. Risk Management Guide for Information Technology Systems. Nist Special Publication Sp, 30(30).
  26. Stoneburner, G., Goguen, A. & Feringa, A., 2002. Risk Management Guide for Information Technology Systems. Nist Special Publication, 19, p.58.
  27. Wang, S. et al., 2016. A Vertical Handoff Method via SelfSelection Decision Tree for Internet of Vehicles. IEEE Systems Journal, 10(3), pp.1183-1192.
  28. Ye, N. et al., 2014. An efficient authentication and access control scheme for perception layer of internet of things. Applied Mathematics and Information Sciences, 8(4), pp.1617-1624.
  29. Yin, J. et al., 2006. On estimating the security risks of composite software services. In First Program Analysis for Security and Safety Workshop Discussion (PASSWORD 2006).
  30. Zhi, L., Jing, W. & Xiao-su, C., 2009. Research on Policybased Access Control Model. , (1), pp.164-167.
Download


Paper Citation


in Harvard Style

Atlam H., Alenezi A., Walters R. and Wills G. (2017). An Overview of Risk Estimation Techniques in Risk-based Access Control for the Internet of Things . In Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security - Volume 1: IoTBDS, ISBN 978-989-758-245-5, pages 254-260. DOI: 10.5220/0006292602540260


in Bibtex Style

@conference{iotbds17,
author={Hany F. Atlam and Ahmed Alenezi and Robert J. Walters and Gary B. Wills},
title={An Overview of Risk Estimation Techniques in Risk-based Access Control for the Internet of Things},
booktitle={Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security - Volume 1: IoTBDS,},
year={2017},
pages={254-260},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006292602540260},
isbn={978-989-758-245-5},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security - Volume 1: IoTBDS,
TI - An Overview of Risk Estimation Techniques in Risk-based Access Control for the Internet of Things
SN - 978-989-758-245-5
AU - Atlam H.
AU - Alenezi A.
AU - Walters R.
AU - Wills G.
PY - 2017
SP - 254
EP - 260
DO - 10.5220/0006292602540260