1

Contextual Risk-based Access Control Mechanism

NGUYEN NGOC DIEP Master Fellow – uSec Group

2

AGENDA

1 – Introduction

2 – Access Control Model

3 – Risk Assessment

4 – Related Work

5 – Conclusion

3

Introduction- Background

In the new environment, security problems are much more complex since ubiquitous environment is more dynamic, more distributed, more invisible and heterogeneous. Therefore, we need to view security problems in a new paradigm and explore them thoroughly under the above effects.

Information security can be broadly categorized into three types: confidentiality, integrity and availability. Access Control is critical to preserve the confidentiality and integrity of information.

Autonomous decision-making is an increasingly popular application for security, including access control in ubiquitous computing

4

Introduction- Motivation

Current research about Access Control is mostly based on the context and role. Some recently research used trust as the fundamental component.

Risk Assessment is an effective tool using in decision-making and is an important factor in economics, but is not applied well in security, especially in access control

Context is not used in an effective way in decision-making process

5

Introduction- Problem Statement

Risk in Access Control in Ubiquitous Computing Environment is a new problem. In this work, we will present a contextual risk-based Access Control model.

Applying risk assessment to make decisions, based on context parameters.

6

Access Control Model

Access Control

Manager

Request (principle,credentials)

Decision

Risk Assessment

Context Retrieval

actions, outcomes

cost, outcomes

Context values

(time,space,network state)

Context values

7

Access Control Model

- A request by principle p (user or process) to Access Control Manager

- Risk Assessment module calculate risk based on the credentials, sort of actions and the current context (risk context)

- The risk value is compared with the threshold, then return the decision

We call the period doing action is session

8

Access Control Model

Factors in the access control model:

• Principle (p): admin, staff, professor, guest• Set of Actions (a), i.e. : read, write, delete, modify• Set of Outcomes (o): confidentiality, availability,

integrity• Set of Context (c): time (night, daytime,…), location

(in-building, in-office, outside), network state • Consequence function: shows the cost of each

outcome in a specific context• Risk function: calculates risk of the action in

current context.

10

Risk Assessment

Definition: “Risk is often evaluated based on the probability of the threat and the potential impact”

3 factors: loss of availability, loss of confidentiality and loss of integrity.

The parameters:

- Principle context

- Environment context

- Resource context

- List of outcomes of the action

11

Risk AssessmentMulti Factor Evaluation Process: In reality, we have many decision-making problems that need

to consider many factors. We can use Multi Factor Evaluation Process (MFEP)

In MFEP, decision maker subjectively identify important factors in a given decision situation and assign a weight for each factor. The weight presents the relative importance of each factor in making the decision

Secondly, identify alternatives (solutions) available to decision maker.

Thirdly, factor evaluation: for each alternative, all factors are evaluated and a weight is assigned to each.

A weighted evaluation is then computed for each alternative as the sum of product of factors weights and factors evaluations.

12

Risk AssessmentMulti Factor Evaluation Process:

Step 1: List all factors and give to factor i a value weight Fwi (0 < Fwi < 1). Fwi expresses the important of factor i in comparative.

Step 2: Factor Evaluation

With each factor i, we assess solution j by giving it a coefficient FEij (called evaluation of solution j under factor i)

Step 3: Total Weighted Evaluation

choose solution j0 if we have Max TWEj with j = j0

13

Risk AssessmentMFEP example:

Problems: A graduate student wants to find a work. The important factors in this situation is salary, position of office, partners, kind of works, other benefits, … He need to find a best decision.

- Solution: Assuming that after considering, he found that 3 most important factors is: Salary, Promotion, Position of office and the relative importance of each factor is respectively 0.3, 0.6, 0.1. (Table 1)

- There are 3 companies A, B, C that accepts him. For each company, he evaluates according to 3 above factors and has evaluation table (table 2)

14

Risk Assessment Step 1:

Step 2: Evaluate FEij

Factor i Factor weight Fwi

Salary 0.3

Promotion 0.6

Position of office 0.1

Solution j A B C

Factor i

Salary 0.7 0.8 0.9

Promotion 0.9 0.7 0.6

Position of office 0.6 0.8 0.9

15

Risk Assessment

Step 3: Total Weight Evaluation (TWE)

TWE(A) = 0.3*0.7+0.6*0.9+0.1*0.6 = 0.81

TWE(B) = 0.3*0.8+0.7*0.7+0.1*0.8 = 0.74

TWE(C) = 0.3*0.9+0.6*0.6+0.1*0.9 = 0.72

choose company A

16

A case study –Access control management in a hospital Access control system to manage accesses to

patient‘s records in a hospital. Data is stored in database and can be accessed

through remote terminal. The records can be text, video, image or sound

format and it has some properties Each member has his role and set of permitted

corresponding actions. Each action has list of outcomes

17

Outcomes and risk values for each action

Actions Outcomes Risk context /ProbabilityRisk value

Availability Integrity Confidentiality

View record

- Unavailable

- Leaking information

- Service corrupted- Can not do

- Record too big /f1- Transaction session is full /f2- Data unencrypted /f3- Connection is not secured/f4- Connection is lost /f5

f=1

Cost1

Cost4

Cost7

cost10

Cost2

Cost5

Cost8

0

Cost3

Cost6

Cost9

0

Modify record

- Lose information- Can not update- Can not do

- Connection lost /f6

- Server busy, corrupted /f7 f=1

Cost11

Cost14Cost17

Coss12

Cost150

Cost13

Cost160

18

Risk Assessment -Definitions

Action is an action in set of action A (available for the principle),

is an outcome in set of outcome O of action

is cost of outcome j of action in term of availability

is cost of outcome j of action in term of integrity

is cost of outcome j of action in term of confidentiality

is a set of context parameter is the probability of outcome in

jaio ,

iaNi

jaialo ,_

jaiilo ,_

jaiclo ,_

ks

kjiasof ,, jai

o , ks

19

Risk Assessment -Schema Step 1: Identify actions in service, outcomes of each

action Step 2: Assign weight for each factor availability,

integrity, confidentiality to each action. Step 3: Specify cost of each outcome in term of

availability, integrity, confidentiality Step 4: Identify probability of outcome (f), based on

the set of current context and probability of it. Step 5: We have 2 solutions: Accept or Reject, and

risk value of action in term of availability, integrity and confidentiality in both 2 solution

Step 6: Apply MFEP with the above parameters and choose the better solution

20

Risk Assessment (cont) - Cost of outcome

Cost of outcome: is calculated based on context parameters.

We calculate the cost in the aspect of availability, integrity, confidentiality

21

Risk Assessment (cont) - Cost of outcome

For loss of availability:

For loss of integrity:

For loss of confidentiality:

with exists if and only if all required context parameters exist.

)(__ ,, ,,k

sojao kjiaijiafaloac

)(__ ,, ,,k

sojao kjiaijiafiloic

)(__ ,, ,, k

sojao kjiaijiafclocc

ks

22

Risk Assessment (cont) -Cost of action

Cost of an action is a total weighted evaluation of all outcomes of the action

23

Risk Assessment (cont) -Cost of action

For availability:

For integrity:

For confidentiality:

j

oii jiaactyavailabiliatARV

,_)"",(cos_

j

oii jiaicintegrityatIRV

,_)"",(cos_

j

oii jiaccalityconfidentiatCRV

,_)"",(cos_

24

Risk Assessment (cont) - Risk value evaluation

With each service, we consider the importance of each element (availability, integrity, confidentiality) different.

Risk value of an action is defined as a weighted arithmetic mean of its risk value of availability, confidentiality and integrity.

where and they can be adjusted to a suitable value if more weight

is to be given to a specific metric.

321

321 ___

www

CRVwIRVwARVwRV iii

1,2,3 i , Nwi

25

A Case Study

Actions Outcomes Risk context /ProbabilityRisk value

Availability Integrity Confidentiality

View record

- Unavailable

- Leaking information

- Service corrupted- Can not do

- Record too big /f1=0.3- Transaction session is in peak /f2=0.6- Data unencrypted /f3=0.6- Connection is not secured/f4=0.5- Connection is lost /f5=0.7

f=1

Cost1=5

Cost4=0

Cost7=5

Cost10=cost1

Cost2=0

Cost5=0

Cost8=0

0

Cost3=0

Cost6=1

Cost9=0

0

Modify record

- Lose information- Can not update- Can not do

- Connection lost /f6=0.1

- Server busy, corrupted/f7=0.05 f=1

Cost11

Cost14Cost17

Coss12

Cost150

Cost13

Cost160

26

Step 1: Factor i Factor weight Fwi

Availability 0.3

Integrity 0.4

Confidentiality 0.3

A Case Study

27

A Case Study

Cost Evaluation: 1-10 0: No impact,

1-2: Small impact

3-5: Medium impact

5-8: Big impact

9-10: Disaster View Action: Cost of each outcome- (See the table in previous slide)

28

A Case Study

Assuming that: we have current contextRecord too big, Data unencrypted

View Action:

Accept solution: RV = 0.3x1.5+0.3x0.6

= 0.63

Reject solution:RV = 0.3x5+0.4x0+0.3x0

= 1.5 Choose Accept solution

* But if current context includes Record too big, Data unencrypted and Transaction session is in peak, the result will be Reject solution

Solution Accept Reject

Factor

Availability 1.5 5

Integrity 0 0

Confidentiality 0.6 0

29

Related works

- In some context-based access control model, they really provide dynamic and flexible , but the decision-making process is not powerful and precise as in our model using risk.

- The paper “Using Trust and Risk in RBAC policies” [7] used the concept outcome to calculate cost for each outcome and risk value but they did not consider the context for risk assessment, but trust.

- In “Risk Probability Estimating Based on Clustering” of YongChen et al (2003), they used neural network for risk estimator. In this work, we use a simpler method, that takes advantage of context to know about the state of the network and the service

- Compare with my previous work, this one is better. We apply MFEP to calculate risk and do not need threshold which is hard to define.

30

Conclusion We have investigated how to apply risk to access control and

propose an access control model with risk assessment.

It provides a precise way of making decision because of utilizing context in risk assessment process.

We have further demonstrated how this model can be applied to manage access control in a practical scenario and explored it in manner of ubiquitous computing.

The disadvantage of this mechanism is: the service provider need to work out the cost of each outcome in each action

31

Future work

Decision-making should be done during the working period of the activity, whenever the context changes into another state.

Automatically update the cost of outcomes of the actions in making decision process and detailed information of current network state based on evidence gathered from context

Do the simulation work to prove the performance of the system

We need to consider more parameters and factors that effect to risk assessment process such as risk in authentication phase.

32

References [1] R.J. Hulsebosch , A.H. Salden, M.S. Bargh, P.W.G. Ebben, J. Reitsma. “Context

Sensitive Access Control”. In proceedings of the tenth ACM symposium on Access control models and technologies, Stockholm, Sweden, 2005.

[2] Lalana Kagal, Tim Finin, and Anupam Joshi. “Trust-based security in pervasive computing environments”. IEEE Computer, 34(12):154--157, December 2001.

[3] V. Cahill, B. Shand, E. Gray, et al., "Using Trust for Secure Collaboration in Uncertain Environments," Pervasive Computing, vol. 2, no. 3, pp. 52--61, July-September 2003.

[4] Nathan Dimmock , Jean Bacon, David Ingram, and Ken Moody. “Risk Models for Trust Based Access Control”. University of Cambridge, Computer Laboratory, JJ Thomson Ave, Cambridge CB3 0FD,UK.

[5] Peter Chapin , Christian Skalka , X. Sean Wang. “Risk assessment in distributed authorization”. Proceedings of the 2005 ACM workshop on Formal methods in security engineering, November 11-11, 2005, Fairfax, VA, USA

[6] Hassan Jameel, Le Xuan Hung, Umar Kalim, Ali Sajjad, Sungyoung Lee, Young-Koo Lee, "A Trust Model for Ubiquitous Systems based on Vectors of Trust Values", ism, pp. 674-679,  Seventh IEEE International Symposium on Multimedia (ISM'05),  2005.

[7] Nathan Dimmock et al , “Using Trust and Risk in RBAC policies”, 2004

33

THANK YOU!