A trust-and-risk aware RBAC framework: Tackling insider threat

Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT

Volumn , Issue , 2012, Pages 167-176

  Baracaldo, Nathalie ^a   Joshi, James ^a  

^a UNIVERSITY OF PITTSBURGH   (United States)

Author keywords

Inference threat; Insider threat; Risk management; Role based access control; Trust

Indexed keywords

ASSESSMENT PROCESS; EXPERIMENTAL EVALUATION; INFERENCE THREAT; INSIDER ATTACK; INSIDER THREAT; RISK EXPOSURE; ROLE ACTIVATION; ROLE-BASED ACCESS CONTROL; ROLE-BASED ACCESS CONTROL MODEL; TRUST;

PETRI NETS; RISK ASSESSMENT; RISK MANAGEMENT;

ACCESS CONTROL;

EID: 84864066552     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2295136.2295168     Document Type: Conference Paper

References (33)

1. J. O. Aagedal, F. d. Braber, T. Dimitrakos, B. A. Gran, D. Raptis, and K. Stølen. Model-based risk assessment to improve enterprise security. In Proc. of the 6th International Enterprise Distributed Object Computing Conference, 2002.
2. G.-J. Ahn and R. Sandhu. Role-based authorization constraints specification. ACM Trans. Inf. Syst. Secur., 3:207-226, November 2000.
3. C. Alberts, S. Behrens, R. Pethia, and W. Wilson. Operationally critical threat, asset, and vulnerability evaluation (octave), 1999.
4. B. Aziz, S. N. Foley, J. Herbert, and G. Swart. Reconfiguring role based access control policies using risk semantics. In Journal of High Speed Networks: Special Issue on Managing Security Policies, Modelling Verification and Configuration, 2006.
5. E. Bertino, E. Terzi, A. Kamra, and A. Vakali. Intrusion detection in rbac-administered databases. In Computer Security Applications Conference, 21st Annual, dec. 2005.
6. J. Biskup. History-dependent inference control of queries by dynamic policy adaption. In Proc. of the 25th annual IFIP WG 11.3 conference on Data and applications security and privacy, DBSec'11, pp. 106-121, Berlin, Heidelberg, 2011. Springer-Verlag.
7. A. Brodsky, C. Farkas, and S. Jajodia. Secure databases: constraints, inference channels, and monitoring disclosures. Knowledge and Data Engineering, IEEE Transactions on, 2000.
8. E. Celikel, M. Kantarcioglu, X. Li, and E. Bertino. A Risk Management Approach to RBAC. Risk and Decision Analysis, 1(2), November 2009.
9. S. Chakraborty and I. Ray. Trustbac: integrating trust relationships into the rbac model for access control in open systems. In Proc. of the 11th ACM symposium on Access control models and technologies, SACMAT '06, pp. 49-58, New York, NY, USA, 2006. ACM. (Pubitemid 44300741)
10. L. Chen and J. Crampton. Risk-aware role-based access control. In Proc. of the 7th International Workshop on Security and Trust Management., 2001.
11. Y. Chen and W. Chu. Protection of database security via collaborative inference detection. Knowledge and Data Engineering, IEEE Transactions on, 20(8):1013-1027, aug. 2008.
12. C. Y. Chung, M. Gertz, and K. Levitt. Demids: A misuse detection system for database systems. In Proc. of the Integrity and Internal Control in Information System, pp 159-178, 1999.
13. H. S. Delugach and T. H. Hinke. Using conceptual graphs to represent database inference security analysis. Jour. Computing and Info. Tech., 4(4):291-307, 1994.
14. N. Dimmock, A. Belokosztolszki, D. Eyers, J. Bacon, and K. Moody. Using trust and risk in role-based access control policies. In In Proc. of the 9th ACM Symposium on Access Control Models and Technologies SACMAT'04. ACM Press, 2004.
15. F. Feng, C. Lin, D. Peng, and J. Li. A trust and context based access control model for distributed systems. In Proc. of the 2008 10th IEEE International Conference on High Performance Computing and Communications, HPCC '08, pp 629-634, Washington, DC, USA, 2008. IEEE Computer Society.
16. D. F. Ferraiolo, R. Sandhu, S. Gavrila, D. R. Kuhn, and R. Chandramouli. Proposed nist standard for role-based access control. ACM Trans. Inf. Syst. Secur., 4:224-274, August 2001.
17. V. D. Gligor and C. S. Chandersekaran. Surviving insider attacks: A call for system experiments. In S. J. Stolfo, S. M. Bellovin, A. D. Keromytis, S. Hershkop, S. W. Smith, and S. Sinclair, editors, Insider Attack and Cyber Security, volume 39 of Advances in Information Security, pp. 153-164. Springer US, 2008.
18. IBM. Resource access control facility (racf), 2012. www-03.ibm.com/ systems/z/os/zos/features/racf/.
19. C. S. Institute. Csi computer crime and security survey, 2010.
20. K. Jensen. Coloured petri nets. In W. Brauer, W. Reisig, and G. Rozenberg, editors, Petri Nets: Central Models and Their Properties, volume 254 of Lecture Notes in Computer Science, pp. 248-299. Springer Berlin / Heidelberg, 1987.
21. J. Ma, K. Adi, M. Mejri, and L. Logrippo. Risk analysis in access control systems. In Privacy Security and Trust (PST), 2010 Eighth Annual International Conference on, pp. 160-166, aug. 2010.
22. A. Moore, D. Cappelli, and T. R. The "big picture" of insider it sabotage across u.s. critical infrastructures, 2008. CERT, http://www.cert.org/insider-threat.
23. L. Mui and M. Mohtashemi. A computational model of trust and reputation. In Proc. of the 35th Hawaii International Conference on System Science (HICSS), 2002.
24. N. Nissanke and E. J. Khayat. Risk based security analysis of permissions in rbac. In Proc. of the 2 nd International Workshop on Security In Information Systems, Security In Information Systems, pp. 332-341. INSTICC Press, 2004.
25. Oracle. Application access controls governor, 2012. http://www.oracle. com/us/solutions/corporate-governance/access-controls/index.html.
26. Q. M. S. Osborn, R. Sandhu. Configuring role-based access control to enforce mandatory and discretionary access control policies. In ACM Transaction on Information and System Security, 2000.
27. F. Salim, J. Reid, E. Dawson, and U. Dulleck. An approach to access control under uncertainty. In Availability, Reliability and Security (ARES), 2011 6th International Conference on, pp. 1-8, 2011.
28. R. Sandhu. Role activation hierarchies. In In Proc. of 3rd ACM Workshop on Role-Based Access Control, pp. 33-40. ACM, 1998.
29. SAP. Access risk management, 2012. www.sap.com/solutions/ sapbusinessobjects/large/governance-risk-compliance/accessandauthorization.
30. G. Stoneburner, A. Goguen, and A. Feringa. Risk management guide for information technology systems, recommendations of the national institute of standards and technology, 2002.
31. B. Systems. Identity and access governance, 2012. www.betasystems.com/en/ portfolio/identityaccessgovernance
32. R. Yip and E. Levitt. Data level inference detection in database systems. In Computer Security Foundations Workshop, 1998. Proc. 11th IEEE, pp. 179-189, 1998.
33. L. Young and J. Allen. Security risk assessment using octave ® allegro, podcast's transcripts, 2008.