A Risk Awareness Approach for Monitoring the Compliance of RBAC-based Policies

Faouzi Jaidi, Faten Labbene Ayachi

2015

Abstract

The considerable increase of the risk associated to inner threats has motivated researches in risk assessment for access control systems. Two main approaches were adapted: (i) a risk mitigation approach via features such as constraints, and (ii) a risk quantification approach that manages access based on a quantified risk. Evaluating the risk associated to the evolutions of an access control policy is an important theme that allows monitoring the conformity of the policy in terms of risk. Unfortunately, no work has been defined in this context. We propose in this paper, a quantified risk-assessment approach for monitoring the compliance of concrete RBAC-based policies. We formalize the proposal and illustrate its application via a case of study.

References

  1. Aziz, B., Foley, S. N., Herbert, J., Swart, G., 2006. Reconfiguring role based access control policies using risk semantics. In Journal of High Speed Networks.
  2. Deng, J. L., 1982. Control problems of grey system. System and Control Letters, 1, 288-294.
  3. Jang, J.S., Sun, C.T., Mizutani, E., 1997. Neuro-Fuzzy and Soft Computing, Prentice-Hall, New Jersey.
  4. Baracaldo, N., Joshi, J., 2012. A trust-and-risk aware rbac framework: tackling insider threat. In: SACMAT 2012, pp. 167-176, ACM, New York.
  5. Bijon, K. Z., Krishnan, R., Sandhu, R., 2013. A framework for risk-aware role based access control. In Communications and Network Security, pp. 462-469.
  6. Lai, H.-H., Lin, Y.-C., Yeh, C.-H., 2005. Form design of product image using grey relational analysis and neural network models. Computers and Operations Research, 32, 2689-2711.
  7. Lin, Y.-C., Chen, C.-C., Yeh, C.-H., 2014. Intelligent decision support for new product development: A consumer-oriented approach. Applied Mathematics and Information Sciences, 8, 2761-2768.
  8. Bijon, K. Z., Krishnan, R., Sandhu, R., 2012. Risk-aware RBAC sessions. In Information Systems Security, pp. 59-74, Springer.
  9. Chakraborty, S., Ray, I., 2006. Trustbac: integrating trust relationships into the rbac model for access control in open systems. In Proc. of the 11th ACM symposium on Access control models and technologies, SACMAT 7806, pp. 49-58, USA.
  10. Lin, Y.-C., Wie, C.-C., 2014. The QTT1-based TOPSIS decision support model to fragrance form design. Proceedings of IS3C2014, 1291-1294.
  11. Negnevitsky, M., 2002. Artificial Intelligence, AddisonWesley, New York.
  12. Chen, L., Crampton, J., 2011. Risk-aware role-based access control. In Proc. of the 7th International Workshop on Security and Trust Management.
  13. Cheng, P.-C., Rohatgi, P., Keser, C., Karger, P.A., Wagner, G.M., Reninger, A.S, 2007. Fuzzy multilevel security: an experiment on quantified riskadaptive access control. In Security and Privacy, pp. 222 -230.
  14. Shiizuka, H., 2011. Kansei/Affective engineering and decision making. Invited session summary of KES IIMSS 2011.
  15. Wang, K.-C., 2011. A hybrid Kansei engineering design expert system based on grey system theory and support vector regression. Expert Systems with Applications, 38, 8738-8750.
  16. Feng, F., Lin, C., Peng, D., Li, J., 2008. A trust and context based access control model for distributed systems. In Proc. of the 10th IEEE International Conference on High Performance Computing and Communications, HPCC 7808, pp. 629-634, USA.
  17. Jaeger, T., 1999. On the increasing importance of constraints. In fourth ACM workshop on Role-based access control, pp. 33-42.
  18. Wei, C.-C., Ma, M.-Y., Lin, Y.-C., 2011. Applying kansei engineering to decision making in fragrance form design. Smart Innovation, Systems and Technologies, 10, 85-94.
  19. Yang, C.-C., 2011. Constructing a hybrid kansei engineering system based on multiple affective responses: Application to product form design. Computers and Industrial Engineering, 60, 760-768.
  20. Jaidi, F., Labbene Ayachi, F., 2014. An approach to formally validate and verify the compliance of low level access control policies. The 13th International Symposium on Pervasive Systems, Algorithms, and Networks (I-SPAN 2014).
  21. Jaidi, F., Labbene Ayachi, F., 2015. A formal system for detecting anomalies of non-conformity in concrete RBAC-based policies. International Conference on Computer Information Systems WCCAIS-2015- ICCIS.
  22. Jaidi, F., Labbene Ayachi, F., 2015. The problem of integrity in RBAC-based policies within relational databases: synthesis and problem study. The 9th International Conference on Ubiquitous Information Management and Communication ACM IMCOM.
  23. Jaidi, F., Labbene Ayachi, F., 2015. To summarize the problem of non-conformity in concrete RBAC-based policies: synthesis, system proposal and future directives. In NNGT International Journal of Information Security, vol. 2, pp. 1-12.
  24. Jaidi, F., Labbene Ayachi, F., 2015. A formal approach based on verification and validation techniques for enhancing the integrity of concrete role based access control policies. In 8th International Conference on Computational Intelligence in Security for Information Systems, CISIS 2015.
  25. Ma, J., 2012. A formal approach for risk assessment in RBAC systems. Journal of Universal Computer Science, vol. 18, pp. 2432-2451.
  26. Ma, J., Adi, K., Mejri, M., Logrippo, L., 2010. Risk analysis in access control systems. In Eighth Annual International Conference on Privacy Security and Trust (PST), pp. 160-166.
  27. Molloy, I., Dickens, L., Morisset, C., Cheng, P.-C., Lobo, J., Russo, A., 2012. Risk-based security decisions under uncertainty. CODASPY 7812.
  28. Ni, Q., Bertino, E., Lobo, J., 2010. Risk-based access control systems built on fuzzy inferences. ASIACCS'10, pp. 250-260, USA.
  29. Nissanke, N., Khayat, E. J., 2004. Risk based security analysis of permissions in rbac. In Proc. of the 2nd International Workshop on Security in Information Systems, pp. 332-341, INSTICC Press.
  30. Simon, T. R., Zurko, M. E., 1997. Separation of duty in role based environments. In Computer Security Foundations Workshop, pp. 183-194.
Download


Paper Citation


in Harvard Style

Jaidi F. and Labbene Ayachi F. (2015). A Risk Awareness Approach for Monitoring the Compliance of RBAC-based Policies . In Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015) ISBN 978-989-758-117-5, pages 454-459. DOI: 10.5220/0005577304540459


in Bibtex Style

@conference{secrypt15,
author={Faouzi Jaidi and Faten Labbene Ayachi},
title={A Risk Awareness Approach for Monitoring the Compliance of RBAC-based Policies},
booktitle={Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)},
year={2015},
pages={454-459},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005577304540459},
isbn={978-989-758-117-5},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)
TI - A Risk Awareness Approach for Monitoring the Compliance of RBAC-based Policies
SN - 978-989-758-117-5
AU - Jaidi F.
AU - Labbene Ayachi F.
PY - 2015
SP - 454
EP - 459
DO - 10.5220/0005577304540459