Dynamic risk-based decision methods for access control systems

Shaikh, Riaz Ahmed; Adi, Kamel; Logrippo, Luigi

doi:10.1016/j.cose.2012.02.006

Cited by 57 publications

(33 citation statements)

References 7 publications

(23 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Throughout their paper, they proposed successful instances of their proposal. Shaikh et al [18] proposed two methods of risk aware access control based on trust and risk. The formulation of trust and risk depends on rewards and penalties which are updated either positively (rewards) or negatively (penalties) after an access request decision is made (allow or deny, respectively).…”

Section: Related Workmentioning

confidence: 99%

Risk Adaptive Authorization Mechanism (RAdAM) for Cloud Computing

Fall

Okuda

Kadobayashi

et al. 2016

Journal of Information Processing

View full text Add to dashboard Cite

Cloud computing provides many advantages for both the cloud service provider and the clients. It is also infamous for being highly dynamic and for having numerous security issues. The dynamicity of cloud computing implies that dynamic security mechanisms are being employed to enforce its security, especially in regards to access decisions. However, this is surprisingly not the case. Static traditional authorization mechanisms are being used in cloud environments, leading to legitimate doubts on their ability to fulfill the security needs of the cloud. We propose a risk adaptive authorization mechanism (RAdAM) for a simple cloud deployment, collaboration in cloud computing and federation in cloud computing. We use a fuzzy inference system to demonstrate the practicability of RAdAM. We complement RAdAM with a Vulnerability Based Authorization Mechanism (VBAM) which is a real-time authorization model based on the average vulnerability scores of the objects present in the cloud. We demonstrated the usefulness of VBAM in a use case featuring OpenStack.

show abstract

Section: Related Workmentioning

confidence: 99%

Risk Adaptive Authorization Mechanism (RAdAM) for Cloud Computing

Fall

Okuda

Kadobayashi

et al. 2016

Journal of Information Processing

View full text Add to dashboard Cite

show abstract

“…To augment the existing access control schemes with risk awareness, dynamic Risk-based decision methods which add trust value and risk value to access control decision point such that it becomes dynamic with the 'history of use' recorded for each user is proposed in [20]. When access is granted, the formula is consulted to add reward or penalty points to the user which will further assess in making future access decisions.…”

Section: Risk-aware Access Control Modelsmentioning

confidence: 99%

Privacy Preserving Risk Mitigation Approach for Healthcare Domain

Aqeeli¹,

Al-Rodhaan²,

Tian³

et al. 2018

ETSN

View full text Add to dashboard Cite

In the healthcare domain, protecting the electronic health record (EHR) is crucial for preserving the privacy of the patient. To help protect the sensitive data, access control mechanisms can be utilized to restrict access to only legitimate users. However, an issue arises when the authorized users abuse their access privileges and violate privacy preferences of the patients. While traditional access control schemes fall short of defending against the misbehavior of authorized users, risk-aware access control models can provide adaptable access to the system resources based on assessing the risk of an access request. When an access request is deemed risky, but within acceptable thresholds, risk mitigation strategies can be exploited to minimize the risk calculated. This paper proposes a risk-aware, privacy-preserving risk mitigation approach that can be utilized in the healthcare domain. The risk mitigation approach controls the patient's medical data that can be exposed to healthcare professionals, according to their trust level as well as the risk incurred of such data exposure, by developing a novel Risk Measure formula. The developed Risk Measure is proven to manage the risk effectively. Furthermore, Risk Mitigation Data Disclosure algorithms, RIMIDI 0 and RIMIDI 1 , which utilize the developed risk measures, are proposed. Experimental results show the feasibility and effectiveness of the proposed method in preserving the privacy preferences of the patient. Since the proposed approach exposes the patient's data that are relevant to the undergoing medical procedure while preserving the privacy preferences, positive outcomes can be realized, which will ultimately bring forth quality healthcare services.

show abstract

“…Features that can be taken into account in dynamic access control models can include risk, need, benefit, trust and context. The dynamic nature of the access control is implemented in these models because access decisions vary according to contextual information and features that are evaluated at the time of the access request [31], [32].…”

Section: Access Control In the Iotmentioning

confidence: 99%

Validation of an Adaptive Risk-based Access Control Model for the Internet of Things

Atlam¹,

Alenezi²,

Hussein³

et al. 2018

IJCNIS

View full text Add to dashboard Cite

Abstract-The Internet of Things (IoT) has spread into multiple dimensions that incorporate different physical and virtual things. These things are connected together using different communication technologies to provide unlimited services. These services help not only to improve the quality of our daily lives, but also to provide a communication platform for increasing object collaboration and information sharing. Like all new technologies, the IoT has many security challenges that stand as a barrier to the successful implementation of IoT applications. These challenges are more complicated due to the dynamic and heterogeneous nature of IoT systems. However, authentication and access control models can be used to address the security issue in the IoT. To increase information sharing and availability, the IoT requires a dynamic access control model that takes not only access policies but also real-time contextual information into account when making access decisions. One of the dynamic features is the security risk. This paper proposes an Adaptive Risk-Based Access Control (AdRBAC) model for the IoT and discusses its validation using expert reviews. The proposed AdRBAC model conducts a risk analysis to estimate the security risk value associated with each access request when making an access decision. This model has four inputs/risk factors: user context, resource sensitivity, action severity and risk history. These risk factors are used to estimate a risk value associated with the access request to make the access decision. To provide the adaptive features, smart contracts will be used to monitor the user behaviour during access sessions to detect any malicious actions from the granted users. To validate and refine the proposed model, twenty IoT security experts from inside and outside the UK were interviewed. The experts have suggested valuable information that will help to specify the appropriate risk factors and risk estimation technique for implantation of the AdRBAC model.

show abstract

Dynamic risk-based decision methods for access control systems

Cited by 57 publications

References 7 publications

Risk Adaptive Authorization Mechanism (RAdAM) for Cloud Computing

Risk Adaptive Authorization Mechanism (RAdAM) for Cloud Computing

Privacy Preserving Risk Mitigation Approach for Healthcare Domain

Validation of an Adaptive Risk-based Access Control Model for the Internet of Things

Contact Info

Product

Resources

About