An adaptive risk management and access control framework to mitigate insider threats

Computers and Security

Volumn 39, Issue PART B, 2013, Pages 237-254

  Baracaldo, Nathalie ^a   Joshi, James ^a  

^a UNIVERSITY OF PITTSBURGH   (United States)

Author keywords

Access control; Inference threat; Insider threat; Risk management; Role based access control; Trust

Indexed keywords

ADAPTIVE RISK MANAGEMENT; ASSESSMENT PROCESS; EXPERIMENTAL EVALUATION; INFERENCE THREAT; INSIDER THREAT; ROLE-BASED ACCESS CONTROL; ROLE-BASED ACCESS CONTROL MODEL; TRUST;

PETRI NETS; RISK ASSESSMENT; RISK MANAGEMENT;

ACCESS CONTROL;

EID: 84888864547     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2013.08.001     Document Type: Article

References (38)

1. J.O. Aagedal, F.d. Braber, T. Dimitrakos, B.A. Gran, D. Raptis, and K. Stølen Model-based risk assessment to improve enterprise security Proceedings of the 6th International enterprise distributed object computing conference 2002 51
2. G.-J. Ahn, and R. Sandhu Role-based authorization constraints specification ACM Transactions on Information and System Security 3 2000 207 226
3. C. Alberts, S. Behrens, R. Pethia, and W. Wilson Operationally critical threat, asset, and vulnerability evaluation (octave) 1999 URL http://www.cert.org/octave
4. B. Aziz, S.N. Foley, J. Herbert, and G. Swart Reconfiguring role based access control policies using risk semantics Journal of High Speed Networks: Special Issue on Managing Security Policies, Modelling Verification and Configuration 15 3 2006 261 273 (Pubitemid 44285876)
5. N. Baracaldo, and J. Joshi A trust-and-risk aware RBAC framework: tackling insider threat Proceedings of the 17th ACM symposium on access control models and technologies, SACMAT'12 2012 ACM New York, NY, USA 167 176 10.1145/2295136.2295168 http://doi.acm.org/10.1145/2295136.2295168
6. N. Baracaldo, and J. Joshi Beyond accountability: using obligations to reduce risk exposure and deter insider attacks ACM symposium on access control models and technologies (SACMAT) 2013 Amsterdam The Netherlands 213 224 10.1145/2462410.2462411 http://doi.acm.org/10.1145/2462410.2462411
7. E. Bertino, E. Terzi, A. Kamra, and A. Vakali Intrusion detection in RBAC-administered databases Computer security applications conference, 21st annual 2005 170 182 10.1109/CSAC.2005.33 (Pubitemid 46116474)
8. K. Bijon, R. Krishnan, R. Sandhu, Risk-aware RBAC sessions, in: In Proc. 8th International conference on information systems security.
9. J. Biskup History-dependent inference control of queries by dynamic policy adaption Proceedings of the 25th annual IFIP WG 11.3 conference on data and applications security and privacy, DBSec'11 2011 Springer-Verlag Berlin, Heidelberg 106 121 URL http://dl.acm.org/citation.cfm?id=2029896.2029911
10. A. Brodsky, C. Farkas, and S. Jajodia Secure databases: constraints, inference channels, and monitoring disclosures Knowledge and Data Engineering, IEEE Transactions on 12 6 2000 900 919 10.1109/69.895801 (Pubitemid 32130742)
11. C. S. Institute CSI computer crime and security survey 2010
12. E. Celikel, M. Kantarcioglu, X. Li, and E. Bertino A risk management approach to RBAC Risk and Decision Analysis 1 2 2009 21 33
13. S. Chakraborty, and I. Ray Trustbac: integrating trust relationships into the RBAC model for access control in open systems Proceedings of the eleventh ACM symposium on access control models and technologies, SACMAT'06 2006 ACM New York, NY, USA 49 58 10.1145/1133058.1133067 http://doi.acm.org/10.1145/1133058. 1133067 (Pubitemid 44300741)
14. Y. Chen, and W. Chu Protection of database security via collaborative inference detection Knowledge and Data Engineering, IEEE Transactions on 20 8 2008 1013 1027 10.1109/TKDE.2007.190642
15. L. Chen, and J. Crampton Risk-aware role-based access control Proc. of the 7th International Workshop on security and trust management 2001
16. C.Y. Chung, M. Gertz, and K. Levitt Demids: a misuse detection system for database systems Proceedings of the integrity and internal control in information system 1999 159 178
17. CPN CPN tools 2013 http://cpntools.org/
18. H.S. Delugach, and T.H. Hinke Using conceptual graphs to represent database inference security analysis Journal of Computing and Information Technology 4 4 1994 291 307 http://www.cs.uah.edu/delugach/publications.html
19. N. Dimmock, A. Belokosztolszki, D. Eyers, J. Bacon, and K. Moody Using trust and risk in role-based access control policies In Proceedings of the ninth ACM symposium on access control models and technologies SACMAT'04 2004 ACM Press
20. F. Feng, C. Lin, D. Peng, and J. Li A trust and context based access control model for distributed systems Proceedings of the 2008 10th IEEE International conference on high performance computing and communications, HPCC'08 2008 IEEE Computer Society Washington, DC, USA 629 634 10.1109/HPCC.2008.37 http://dx.doi.org/10.1109/HPCC.2008.37
21. D.F. Ferraiolo, R. Sandhu, S. Gavrila, D.R. Kuhn, and R. Chandramouli Proposed NIST standard for role-based access control ACM Transactions on Information and System Security 4 2001 224 274
22. V.D. Gligor, and C.S. Chandersekaran Surviving insider attacks: a call for system experiments S.J. Stolfo, S.M. Bellovin, A.D. Keromytis, S. Hershkop, S.W. Smith, S. Sinclair, Insider attack and Cyber security Advances in information security vol. 39 2008 Springer US 153 164 10.1007/978-0-387-77322-3- 9 http://dx.doi.org/10.1007/978-0-387-77322-3-9
23. IBM Resource access control facility (RACF) 2012 http://www-03.ibm.com/ systems/z/os/zos/features/racf/
24. K. Jensen Coloured petri nets W. Brauer, W. Reisig, G. Rozenberg, Petri nets: central models and their properties Lecture notes in computer science vol. 254 1987 Springer Berlin Heidelberg 248 299 10.1007/BFb0046842 http://dx.doi.org/10.1007/BFb0046842
25. J. Ma, K. Adi, M. Mejri, and L. Logrippo Risk analysis in access control systems Privacy security and trust (PST), 2010 Eighth annual international conference on 2010 160 166 10.1109/PST.2010.5593248
26. A. Moore, D. Cappelli, and R. Trzeciak The "big picture" of insider it sabotage across U.S. critical infrastructures 2008 CERT http://www.cert.org/insider-threat
27. L. Mui, and M. Mohtashemi A computational model of trust and reputation In Proceedings of the 35th Hawaii international conference on system Science (HICSS) 2002
28. N. Nissanke, and E.J. Khayat Risk based security analysis of permissions in RBAC Proceedings of the 2 nd International Workshop on security in information systems, security in information systems 2004 INSTICC Press 332 341
29. Oracle Application access controls governor 2012 http://www.oracle.com/ us/solutions/corporate-governance/access-controls/index.html
30. Q.M.S. Osborn, and R. Sandhu Configuring role-based access control to enforce mandatory and discretionary access control policies ACM Transaction on information and system security 2000
31. F. Salim, J. Reid, E. Dawson, and U. Dulleck An approach to access control under uncertainty Availability, reliability and security (ARES), 2011 Sixth International conference on 2011 1 8 10.1109/ARES.2011.11
32. R. Sandhu Role activation hierarchies Proceedings of 3rd ACM Workshop on role-based access control 1998 ACM 33 40
33. SAP Access risk management 2012 http://www.sap.com/solutions/ sapbusinessobjects/large/governance-risk-compliance/accessandauthorization/ index.epx
34. G. Stoneburner, A. Goguen, and A. Feringa Risk management guide for information technology systems, recommendations of the national institute of standards and technology 2002
35. B. Systems Identity and access governance 2012 http://www.betasystems. com/en/portfolio/identityaccessgovernance/index.html
36. G.T. Wickramaarachchi, W.H. Qardaji, and N. Li An efficient framework for user authorization queries in RBAC systems Proc. of the 14th ACM SACMAT technologies, SACMAT'09, ACM 2009 23 32
37. R. Yip, and E. Levitt Data level inference detection in database systems Computer security foundations Workshop, 1998. Proceedings. 11th IEEE 1998 179 189 10.1109/CSFW.1998.683168
38. ® allegro, podcast's transcripts 2008 http://www.cert.org/ podcast/show/20080916young.html