Mutated Policies: Towards Proactive Attribute-based Defenses for Access Control

Published: 30 October 2017

Abstract

Recently, both academia and industry have recognized the need to leverage real-time information for specifying, enforcing and maintaining rich and flexible authorization policies. In this context, security-related properties, a.k.a. attributes, have been recognized as a convenient abstraction for providing a well-defined representation of such information, allowing it to be created and exchanged by different, independently run organizational domains for authorization purposes. However, attackers may attempt to compromise the way attributes are generated and communicated by resorting to hacking techniques, e.g., forgery, in an effort to bypass authorization policies and their corresponding enforcement mechanisms and, as a result, gain unintended access to sensitive resources.
In this paper, we propose a novel technique that allows enterprises to proactively collect attributes from the different entities involved in the access request process, e.g., users, subjects, protected resources, and running environments. After the collection, we carefully select the attributes that uniquely identify the aforementioned entities and randomly mutate the original access policies over time by adding policy rules constructed from the newly identified attributes. This way, even when attackers are able to compromise the original attributes, our mutated policies may offer an additional layer of protection that deters ongoing and future attacks. We present the rationale and experimental results supporting our proposal, which provide evidence of its suitability for deployment in practice.
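As an added illustration of the idea summarized in the abstract (a constructed example, not the paper's code or data), a base ABAC rule is conjoined with randomly chosen equality rules built from attributes that stayed constant across collected requests for the legitimate entity, so that a forged base attribute alone no longer satisfies the policy. The attribute names, sample values and the constant-value selection heuristic are assumptions made for the example.

```python
"""Constructed model of policy mutation for ABAC (not the paper's code).
A base rule that hinges on one forgeable attribute is strengthened with extra
rules derived from attributes that identified the legitimate entity during a
collection phase; re-seeding over time yields a different rule set."""
import random
from typing import Callable, Dict, List, Tuple

Request = Dict[str, str]  # subject, resource and environment attributes, flattened
Policy = Callable[[Request], bool]

# Constructed sample of access requests observed for one legitimate subject.
COLLECTED: List[Request] = [
    {"role": "doctor", "dept": "cardiology", "device_id": "ws-0413", "src_subnet": "10.20.0.0/24"},
    {"role": "doctor", "dept": "cardiology", "device_id": "ws-0413", "src_subnet": "10.20.0.0/24"},
]

def base_policy(req: Request) -> bool:
    """Original policy: access depends on a single attribute an attacker may forge."""
    return req.get("role") == "doctor"

def identifying_attributes(samples: List[Request], exclude=("role",)) -> Dict[str, str]:
    """Attributes whose value was constant across all collected requests
    (an assumed stand-in for the paper's uniquely-identifying selection)."""
    first = samples[0]
    return {k: v for k, v in first.items()
            if k not in exclude and all(s.get(k) == v for s in samples[1:])}

def mutate(base: Policy, samples: List[Request], k: int, seed: int) -> Tuple[Policy, List[str]]:
    """Mutated policy = base AND k randomly chosen identifying-attribute rules."""
    cands = identifying_attributes(samples)
    chosen = random.Random(seed).sample(sorted(cands), min(k, len(cands)))

    def mutated(req: Request) -> bool:
        # A request lacking an attribute (req.get -> None) fails the added rule.
        return base(req) and all(req.get(a) == cands[a] for a in chosen)
    return mutated, chosen

def evaluate(seed: int = 1) -> Dict[str, bool]:
    """Compare both policies on a legitimate request and a forged-role request."""
    legit = dict(COLLECTED[0])
    # Constructed attacker request: the role is forged, the other attributes differ.
    forged = {"role": "doctor", "dept": "oncology", "device_id": "laptop-77", "src_subnet": "198.51.100.0/24"}
    mutated, _ = mutate(base_policy, COLLECTED, k=2, seed=seed)
    return {"base_legit": base_policy(legit), "base_forged": base_policy(forged),
            "mutated_legit": mutated(legit), "mutated_forged": mutated(forged)}

if __name__ == "__main__":
    print(evaluate())
```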


Cited By

  • (2022) Contemporaneous Update and Enforcement of ABAC Policies. Proceedings of the 27th ACM on Symposium on Access Control Models and Technologies, 31-42. DOI: 10.1145/3532105.3535021. Online publication date: 7 Jun 2022.
  • (2020) Proactive Risk Assessment for Preventing Attribute-Forgery Attacks to ABAC Policies. Proceedings of the 25th ACM Symposium on Access Control Models and Technologies, 131-144. DOI: 10.1145/3381991.3395615. Online publication date: 10 Jun 2020.
  • (2019) Mining least privilege attribute based access control policies. Proceedings of the 35th Annual Computer Security Applications Conference, 404-416. DOI: 10.1145/3359789.3359805. Online publication date: 9 Dec 2019.
  • (2018) Catch Me If You Can. Proceedings of the 5th ACM Workshop on Moving Target Defense, 31-39. DOI: 10.1145/3268966.3268970. Online publication date: 15 Oct 2018.
  • (2018) RiskPol. Proceedings of the Third ACM Workshop on Attribute-Based Access Control, 54-60. DOI: 10.1145/3180457.3180462. Online publication date: 14 Mar 2018.

Published In

MTD '17: Proceedings of the 2017 Workshop on Moving Target Defense
October 2017, 126 pages
ISBN: 9781450351768
DOI: 10.1145/3140549
Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. access control
  2. attributes
  3. authorization
  4. moving target defense
  5. mutated policies


Conference

CCS '17

Acceptance Rates

MTD '17 Paper Acceptance Rate: 9 of 26 submissions, 35%
Overall Acceptance Rate: 40 of 92 submissions, 43%
