Beyond accountability: Using obligations to reduce risk exposure and deter insider attacks

Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT

Volumn , Issue , 2013, Pages 213-224

  Baracaldo, Nathalie ^a   Joshi, James ^a  

^a UNIVERSITY OF PITTSBURGH   (United States)

Author keywords

Access control; Insider threat; Obligations; RBAC; Risk; Trust

Indexed keywords

FINANCIAL LOSS; HEALTH CARE INFORMATION SYSTEM; INSIDER THREAT; MISCONFIGURATIONS; OBLIGATIONS; PRIVILEGE MANAGEMENT; RBAC; TRUST;

ACCESS CONTROL; LOSSES; RISKS;

RISK MANAGEMENT;

EID: 84883108231     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2462410.2462411     Document Type: Conference Paper

References (30)

1. C. Alberts, S. Behrens, R. Pethia, and W. Wilson. Operationally critical threat, asset, and vulnerability evaluation (octave), 1999.
2. N. Baracaldo and J. Joshi. A trust-and-risk aware rbac framework: tackling insider threat. In Proc. of the 17th ACM symposium on Access Control Models and Technologies, SACMAT '12, pp. 167-176, 2012.
3. C. Bettini, S. Jajodia, X. Wang, and D. Wijesekera. Obligation monitoring in policy management. In Policies for Distributed Systems and Networks, 2002. Proc. 3rd International Workshop on, pp. 2-12, 2002.
4. J. Buford, L. Lewis, and G. Jakobson. Insider threat detection using situation-aware mas. In Information Fusion, 2008 11th International Conf. on, pp. 1-8, 2008.
5. L. Chen and J. Crampton. Risk-aware role-based access control. In Proc. of the 7th International Workshop on Security and Trust Management., 2011.
6. J.-H. Cho, A. Swami, and I.-R. Chen. A survey on trust management for mobile ad hoc networks. Communications Surveys Tutorials, IEEE, 13(4):562-583, 2011.
7. O. Chowdhury, M. Pontual, W. H. Winsborough, T. Yu, K. Irwin, and J. Niu. Ensuring authorization privileges for cascading user obligations. In Proc. of the 17th ACM symposium on Access Control Models and Technologies, SACMAT '12, pp. 33-44, 2012.
8. D. F. Ferraiolo, R. Sandhu, S. Gavrila, D. R. Kuhn, and R. Chandramouli. Proposed nist standard for role-based access control. ACM Trans. Inf. Syst. Secur., 4:224-274, 2001.
9. F. Greitzer, D. Frincke, and Z. M. Social/ethical issues in predictive insider threat monitoring, 2011.
10. F. Greitzer and R. Hohimer. Modeling human behavior to anticipate insider attacks, 2011.
11. F. Greitzer, P. Paulson, K. L., L. Franklin, T. Edgar, and F. D. Predictive modeling for insider threat mitigation, 2009.
12. C. S. Institute. 2010/2011csi computer crime and security survey, 2010.
13. K. Irwin, T. Yu, and W. Winsborough. Assigning responsibility for failed obligations. In Trust Management II, pp. 327-342, 2008.
14. K. Irwin, T. Yu, and W. H. Winsborough. On the modeling and analysis of obligations. In Proc. of the 13th ACM conf. on Computer and communications security, CCS '06, pp. 134-143, 2006.
15. A. K. Jain, M. N. Murty, and P. J. Flynn. Data clustering: a review. ACM Comput. Surv., 31(3):264-323, 1999.
16. S. Kandala, R. Sandhu, and V. Bhamidipati. An attribute based framework for risk-adaptive access control models. In Proc. of 6th International Conf. on Availability, Reliability and Security, ARES '11, 2011.
17. N. Li, H. Chen, and E. Bertino. On practical specification and enforcement of obligations. In Proc. of the 2nd ACM conf. on Data and Application Security and Privacy, CODASPY '12, pp. 71-82, 2012.
18. A. Moore, D. Cappelli, and T. R. The "big picture" of insider it sabotage across u.s. critical infrastructures, 2008. CERT, http://www.cert.org/insider threat.
19. U. D. of Health and H. Services. The health insurance portability and accountability act (hipaa), 1996.
20. J. Park and R. Sandhu. The uconabc usage control model. ACM Trans. Inf. Syst. Secur., pp. 128-174, 2004.
21. R. Project. Package for hierarchical clustering with p-values (pvclust), 2012.
22. Q. M. S. Osborn, R. Sandhu. Configuring role-based access control to enforce mandatory and discretionary access control policies. 2000.
23. F. Salim, J. Reid, U. Dulleck, and E. Dawson. Budget-aware role based access control. Computers and Security, 2012.
24. R. Shaikh, K. Adi, and L. Logrippo. Dynamic risk-based decision methods for access control systems. Computers and Security, 31(4):447-464, 2012.
25. H. Shimodaira. Approximately unbiased tests of regions using multistep-multiscale bootstrap resampling, 2004.
26. M. Srivatsa, L. Xiong, and L. Liu. Trustguard: countering vulnerabilities in reputation management for decentralized overlay networks. In Proc. of the 14th international conf. on World Wide Web, WWW '05, pp. 422-431, 2005.
27. G. Stoneburner, A. Goguen, and A. Feringa. Risk management guide for information technology systems, recommendations of the national institute of standards and technology, 2002.
28. Y. Zhang and J. B. D. Joshi. Uaq: a framework for user authorization query processing in rbac extended with hybrid hierarchy and constraints. In Proc. of the 13th ACM SACMAT, SACMAT '08, pp. 83-92, 2008.
29. G. Zhao, D. Chadwick, and S. Otenko. Obligations for role based access control. In Proc. of the 21st International Conf. on Advanced Information Networking and Applications Workshops - Vol. 01, AINAW '07, 2007.
30. Y. Zhao and G. Karypis. Criterion functions for document clustering experiments and analysis. Mach. Learn., 55(3), 2002.