Abstract
Traditional access control operates under the principle that a user's request for a specific resource is denied unless the system holds an explicit specification of the permission. In many emergency and disaster management situations, access to critical information is expected because of the 'need to share' and, in some cases, because of the 'responsibility to provide' information. Therefore, the importance of situational semantics cannot be overstated when access control decisions are made. There is a need to grant access based on the (unforeseen) situation, where denying access may do more harm than granting it, provided the underlying risk is small. These requirements have significantly increased the demand for new access control solutions that provide flexible, yet secure, access. In this paper, we quantify the risk associated with granting an access using the technique of classification. We propose two approaches for risk-based access control. The first approach considers only the simple access control matrix model and evaluates the risk of granting a permission based on the existing user-permission assignments. The second assumes role-based access control and determines the best situational role, namely the one that carries the least risk and allows maximum permissiveness when assigned under uncertainty. We experimentally evaluate both approaches with real and synthetic datasets.
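The two approaches summarised above can be illustrated end to end. The following is an added example written for this page, not code from the chapter: it assumes a k-nearest-neighbour scoring rule over a user-permission matrix (the chapter evaluates several classifiers; this is one concrete choice), a constructed hospital-style matrix `UPA`, a constructed role set `ROLES`, a "risk of a role" defined as the riskiest permission the role would newly grant, and a situational risk threshold that an operator raises during an emergency. All names and values are assumptions for illustration.

```python
"""Risk-based access control illustrated two ways (added example, not the chapter's code):
1. access-matrix model: estimate the risk of granting an unassigned permission from the
   assignments of the k most similar users (kNN over permission sets, an assumed rule);
2. RBAC model: pick the situational role containing the requested permission that has the
   least risk, breaking ties in favour of the most permissive role.
"""

# Constructed sample access-control matrix: user -> explicitly assigned permissions.
UPA = {
    "alice": {"read_patient", "write_patient", "view_lab"},
    "bob":   {"read_patient", "write_patient", "view_lab", "order_drug"},
    "carol": {"read_patient", "view_lab"},
    "dave":  {"read_patient", "order_drug", "view_lab"},
    "erin":  {"manage_users", "audit_log"},
    "frank": {"manage_users", "audit_log", "read_patient"},
}

# Constructed sample role set for the RBAC approach.
ROLES = {
    "nurse":        {"read_patient", "view_lab"},
    "senior_nurse": {"read_patient", "view_lab", "order_drug"},
    "physician":    {"read_patient", "write_patient", "view_lab", "order_drug"},
    "admin":        {"manage_users", "audit_log"},
}


def jaccard(a, b):
    """Similarity of two permission sets in [0, 1]; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def knn_risk(upa, user, perm, k=3):
    """Risk in [0, 1] of granting `perm` to `user` (assumed kNN rule).

    0.0 if the permission is explicitly assigned. Otherwise look at the k users whose
    permission sets are most similar to `user`'s, weight each by its similarity, and
    take risk = 1 - (weighted fraction of neighbours that hold `perm`). A user with no
    similar neighbours at all (e.g. unknown to the matrix) is treated as maximally risky.
    """
    held = upa.get(user, set())
    if perm in held:
        return 0.0
    scored = [(jaccard(held, perms), perm in perms)
              for other, perms in upa.items() if other != user]
    scored.sort(key=lambda t: t[0], reverse=True)  # stable: ties keep insertion order
    neighbours = scored[:k]
    total = sum(sim for sim, _ in neighbours)
    if total == 0:
        return 1.0
    support = sum(sim for sim, has in neighbours if has) / total
    return 1.0 - support


def decide(upa, user, perm, risk_threshold):
    """Approach 1: grant if the estimated risk is within the situational threshold.

    Returns (granted, risk). A normal operating threshold would be near 0; an
    emergency raises it, which is what turns 'default deny' into risk-based access.
    """
    risk = knn_risk(upa, user, perm)
    return risk <= risk_threshold, risk


def best_situational_role(upa, roles, user, perm, risk_threshold):
    """Approach 2: choose the role to activate for `user` so that `perm` is covered.

    Only roles containing `perm` are candidates. A role's risk is the highest knn_risk
    among the permissions it would newly grant (assumed, conservative definition).
    Among roles within the threshold, pick the least risky; on a tie prefer the most
    permissive (largest) role. Returns (role_name, risk) or None if no role qualifies.
    """
    held = upa.get(user, set())
    candidates = []
    for name, perms in roles.items():
        if perm not in perms:
            continue
        new_perms = perms - held
        risk = max((knn_risk(upa, user, p) for p in new_perms), default=0.0)
        if risk <= risk_threshold:
            # negative size so that min() prefers the larger role on equal risk
            candidates.append((risk, -len(perms), name))
    if not candidates:
        return None
    risk, _, name = min(candidates)
    return name, risk


if __name__ == "__main__":
    emergency_threshold = 0.5
    for user, perm in [("alice", "order_drug"), ("alice", "manage_users")]:
        granted, risk = decide(UPA, user, perm, emergency_threshold)
        print(f"[matrix] {user} -> {perm}: risk={risk:.3f} granted={granted}")
        print(f"[rbac]   {user} -> {perm}: "
              f"{best_situational_role(UPA, ROLES, user, perm, emergency_threshold)}")
```

For `alice` asking for `order_drug`, her three nearest users are `bob`, `carol` and `dave`; two of them hold the permission, so the estimated risk is low (about 0.35) and an emergency threshold of 0.5 grants it, whereas a request for `manage_users`, held by nobody similar to her, scores the maximum risk of 1.0 and stays denied. In the RBAC variant both `senior_nurse` and `physician` cover `order_drug` at the same risk, and the tie-break selects `physician` as the more permissive role, which is the "least risk, maximum permissiveness" criterion of the abstract.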
Acknowledgements
This work is partially supported by the National Science Foundation under grant numbers CNS-0746943 and CNS-1018414.
© 2013 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Badar, N., Vaidya, J., Atluri, V., Shafiq, B. (2013). Risk Based Access Control Using Classification. In: Al-Shaer, E., Ou, X., Xie, G. (eds) Automated Security Management. Springer, Cham. https://doi.org/10.1007/978-3-319-01433-3_5
DOI: https://doi.org/10.1007/978-3-319-01433-3_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-01432-6
Online ISBN: 978-3-319-01433-3