Apply measurable risk to strengthen security of a role-based delegation supporting workflow system

Proceedings - 2009 IEEE International Symposium on Policies for Distributed Systems and Networks, POLICY 2009

Volumn , Issue , 2009, Pages 45-52

  Han, Weili ^a,b   Ni, Qun ^b   Chen, Hong ^b  

^a FUDAN UNIVERSITY   (China)

^b Purdue University   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

DECISION MODULES; DECISION POLICY; PROTECTION MECHANISMS; RISK MITIGATION; ROLE-BASED DELEGATION; SYSTEM SECURITY; WORK-FLOW SYSTEMS;

FUZZY INFERENCE; FUZZY LOGIC;

MANAGEMENT;

EID: 71049122450     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/POLICY.2009.26     Document Type: Conference Paper

References (16)

1. P. Cheng, P. Rohatgi, C. Keser, P. A. Karger, G. M. Wagner, and A. S. Reninger, "Fuzzy multilevel security: An experiment on quantified risk.adaptive access control," in Proceedings of 2007 IEEE Symposium on Security and Privacy(SP'07). Oakland, California, USA: ACM, May 2007, pp. 222 - 230.
2. JASON, "Horizontal integration: Broader access models for realizing information dominance," MITRE Corporation, http://www.fas.org/irp/agency/ dod/jason/classpol.pdf, Tech. Rep. JSR-04-132, 2004.
3. L. Zhang, A. Brodsky, and S. Jajodia, "Toward information sharing: Benefit and risk access control (barac)," in Proceedings of the 7th IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'06), 2006, pp. 45-53.
4. L. Zhang, G.-J. Ahn, and B.-T. Chu, "A rule-based framework for role-based delegation and revocation," ACM Transaction on Information and System Security, vol.6, no.3, pp. 404-441, September 2003.
5. N. Li, B. N. Grosof, and J. Feigenbaum, "Delegation logic: A logic-based approach to distributed authorization," ACM Transactions on Information and System Security (TISSEC), vol.6, no.1, pp. 128-171, 2003.
6. D. F. Ferraiola, R. Sandhu, S. Gavrila, D. R. Kuhn, and R. Chandramouli, "Proposed nist standard for role-based access control," ACM Transactions on Information and System Security (TISSEC), vol.4, no.3, pp. 224-274, August 2001.
7. I. Molloy, P.-C. Cheng, and P. Rohatgi, "Trading in risk: Using markets to improve access control," in Proceedings of New Security Paradigms Workshop (NSPW'08). Lake Tahoe, California, USA: ACM, September 2008, pp. 1-19.
8. P. Jorion, Value at Risk: The New Benchmark for Managing Financial Risk, 3rd ed. McGraw-Hill, 2006.
9. [9] W. Ru and J. Eloff, "Risk analysis modelling with the use of fuzzy logic," Computers & Security, vol.15, no.3, pp. 239-248, 1996. (Pubitemid 126351696)
10. M. Neil, N. Fenton, and M. Tailor, "Using bayesian networks to model expected and unexpected operational losses," Risk Analysis, vol.25, no.4, pp. 963-972, 2005.
11. D. Georgakopoulos, M. Hornick, and A. Sheth, "An overview of workflow management: From process modeling to workflow automation infrastructure," Distributed and Parallel Databases, vol.3, no.2, pp. 119-153, 1995.
12. M. Kantrowitz, "Answers to questions about fuzzy logic and fuzzy expert systems," Carnegie Mellon University, http://www.cs.cmu.edu/Groups/ AI/html/faqs/ai/fuzzy/, Tech. Rep., 1997.
13. L. Zadeh, "Fuzzy sets," Information and Control, vol.8, pp. 338-353, 1965.
14. P.-C. Cheng, P. Rohatgi, and C. Keser, "Fuzzy multilevel security: An experiment on quantified risk.adaptive access control," IBM Thomas J. Watson Research Center, http://domino.research.ibm.com/comm/research-projects. nsf/pages/system-s-security.index.html/SFILE/ATTH4YZ5.pdf, Tech. Rep., 2007.
15. L. Teo, G. Ahn, and Y. Zheng, "Dynamic and risk-aware network access management," in Proceedings of the eighth ACM symposium on Access control models and technologies (SACMAT'03), Yorktown Heights, New York, USA, June 2003, pp. 156 - 162.
16. N. Dimmock, A. Belokosztolszki, and D. Eyers, "Using trust and risk in role-based access control policies," in Proceedings of the Ninth ACM Symposium on Access Control Models and Technologies , (SACMAT04). Yorktown Heights, New York, USA: ACM, June 2004, pp. 156-162.