Risk-based security decisions under uncertainty

CODASPY'12 - Proceedings of the 2nd ACM Conference on Data and Application Security and Privacy

Volumn , Issue , 2012, Pages 157-168

  Molloy, Ian ^a   Dickens, Luke ^b   Morisset, Charles ^c   Cheng, Pau Chen ^a   Lobo, Jorge ^a   Russo, Alessandra ^b  

^a IBM T J WATSON RESEARCH CENTER   (United States)

^b IMPERIAL COLLEGE LONDON   (United Kingdom)

^c CNR   (Italy)

Author keywords

access control; classification; decision; risk

Indexed keywords

LEARNING SYSTEMS;

ACCESS CONTROL DECISIONS; ACCESS CONTROL POLICIES; COMMUNICATIONS CHANNELS; DECISION; DECISION UNDER UNCERTAINTY; LOCAL CACHING; POLICY DECISION POINTS; RISK BASED SECURITY DECISION; SPAM FILTERING; UNCERTAINTY;

ACCESS CONTROL;

EID: 85139863684     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2133601.2133622     Document Type: Conference Paper

References (33)

1. C. M. Bishop. Pattern Recognition and Machine Learning (Information Science and Statistics). Springer, 2007.
2. P. Bonatti and P. Samarati. Regulating service access and information release on the web. In Proceedings of the 7th ACM conference on Computer and communications security, CCS '00, pages 134-143, New York, NY, USA, 2000. ACM.
3. K. Borders, X. Zhao, and A. Prakash. Cpol: high-performance policy evaluation. In Proceedings of the 12th ACM conference on Computer and communications security, CCS '05, pages 147-157, New York, NY, USA, 2005. ACM.
4. P.-C. Cheng, P. Rohatgi, C. Keser, P. A. Karger, G. M. Wagner, and A. S. Reninger. Fuzzy multi-level security: An experiment on quantified risk-adaptive access control. In IEEE Symposium on Security and Privacy. IEEE Computer Society, 2007.
5. J. Crampton, W. Leung, and K. Beznosov. The secondary and approximate authorization model and its application to Bell-LaPadula policies. In Proceedings of 11th ACM Symposium in Access Control Models and Technologies, pages 111-120, 2006.
6. E. Eberlein, R. Frey, M. Kalkbrener, and L. Overbeck. Mathematics in Financial Risk Management. Jahresbericht der Deutschen Mathematiker Vereinigung, 109: 165-193, 2007.
7. Entrust. GetAccess design and administration guide, September 1999.
8. D. F. Ferraiolo and D. R. Kuhn. Role-based access control. In Proceedings of the 15th National Computer Security Conference, pages 554-563, 1992.
9. S. Godik and T. Moses. Oasis extensible access control markup language (XACML). OASIS Committee Secification cs-xacml-specification-1. 0, November 2002, http://www. oasis-open. org/committees/xacml/, 2002.
10. G. Gu, R. Perdisci, J. Zhang, and W. Lee. Botminer: clustering analysis of network trafic for protocol-and structure-independent botnet detection. In Proceedings of the 17th conference on Security symposium, pages 139-154. USENIX Association, 2008.
11. G. Karjoth. Access control with IBM Tivoli Access Manager. ACM Trans. Inf. Syst. Secur., 6: 232-257, May 2003.
12. J. Kephart. The utility of utility: Policies for self-managing systems. In Policies for Distributed Systems and Networks, International Workshop, POLICY'11 Pisa, Italy, 2011. To appear.
13. A. Lanzi, D. Balzarotti, C. Kruegel, M. Christodorescu, and E. Kirda. Accessminer: Using system-centric models for malware protection. CCS '10: Proceedings of the 17th ACM conference on Computer and communications security, pages 399-419, Jul 2010.
14. L. LaPadula and D. Bell. Secure Computer Systems: A Mathematical Model. Journal of Computer Security, 4: 239-263, 1996.
15. I. Molloy, P.-C. Cheng, and P. Rohatgi. Trading in risk: Using markets to improve access control. In NSPW, 2008.
16. Netegrity. Siteminder concepts guide, 2000.
17. Q. Ni, J. Lobo, S. B. Calo, P. Rohatgi, and E. Bertino. Automating role-based provisioning by learning from examples. In B. Carminati and J. Joshi, editors, SACMAT, pages 75-84. ACM, 2009.
18. S. Rizvi, A. Mendelzon, S. Sudarshan, and P. Roy. Extending query rewriting techniques for _ne-grained access control. In Proceedings of the 2004 ACM SIGMOD international conference on Management of data, SIGMOD '04, pages 551-562, New York, NY, USA, 2004. ACM.
19. A. Rosenthal and E. Sciore. Administering permissions for distributed data: factoring and automated inference. In Proceedings of the fifteenth annual working conference on Database and application security, DAS'01, pages 91-104, Norwell, MA, USA, 2002. Kluwer Academic Publishers.
20. Safeway Inc. Annual report for the fiscal year ended January 3, 2009. http://http://www. sec. gov/Archives/edgar/data/86144/000119312509043434/d10k. htm.
21. Supervalu Inc. Annual report for the fiscal year ended February 28, 2009. http://www. sec. gov/Archives/edgar/data/95521/000095015209004223/c50531e10vk. htm.
22. The Great Atlantic & Pacific Tea Company Inc. Fiscal 2008 Annual Report to Stockholders. http://www. sec. gov/Archives/edgar/data/43300/000139843209000171/ex13. Txt.
23. The Kroger Co. ANNUAL REPORT for the fiscal year ended January 31, 2009. http://www. sec. gov/Archives/edgar/data/56873/000110465909021710/a09-1837 110k. htm.
24. K. Thomas, C. Grier, J. Ma, V. Paxson, and D. Song. Design and evaluation of a real-time url spam filtering service. IEEE Symposium on Security and Privacy, pages 1-16, Mar 2011.
25. M. V. Tripunitara and B. Carbunar. efficient access enforcement in distributed role-based access control (RBAC) deployments. In Proceedings of the 14th ACM symposium on Access control models and technologies, SACMAT '09, pages 155-164. ACM, 2009.
26. V. N. Vapnik. Statistical Learning Theory. Wiley-Interscience, Sep 1998. ISBN 9780471030034.
27. Visa Debit Processing Service j Transaction Processing j Authorization Processing. http://www. visadps. com/services/authorization processing. html.
28. Card-Present j Merchants j Visa USA. http://usa. visa. com/merchants/risk management/card present. html.
29. L. Wang, D. Wijesekera, and S. Jajodia. A logic-based framework for attribute based access control. In Proceedings of the 2004 ACM workshop on Formal methods in security engineering, FMSE '04, pages 45-55, New York, NY, USA, 2004. ACM.
30. Q. Wei, J. Crampton, K. Beznosov, and M. Ripeanu. Authorization recycling in rbac systems. In Proceedings of the 13th ACM symposium on Access control models and technologies, SACMAT '08, pages 63-72, New York, NY, USA, 2008. ACM.
31. Q. Wei, M. Ripeanu, and K. Beznosov. Cooperative secondary authorization recycling. In Proceedings of the 16th international symposium on High performance distributed computing, HPDC '07, pages 65-74, New York, NY, USA, 2007. ACM.
32. M. Wimmer and A. Kemper. An authorization framework for sharing data in web service federations. In W. Jonker and M. Petkovic, editors, Secure Data Management, volume 3674 of Lecture Notes in Computer Science, pages 47-62. Springer, 2005.
33. L. Zhang, A. Brodsky, and S. Jajodia. Toward Information Sharing: Benefit And Risk Access Control (BARAC). Seventh IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'06), 0: 45-53, 2006.