DOI: 10.1145/2295136.2295168
research-article

A trust-and-risk aware RBAC framework: tackling insider threat

Published: 20 June 2012

Abstract

Insider attacks are one of the most dangerous threats organizations face today. An insider attack occurs when a person authorized to perform certain actions in an organization decides to abuse that trust and harm the organization. Such attacks may damage the organization's reputation and productivity and may cause losses in revenue and clients. Avoiding insider attacks is a daunting task. While it is necessary to grant employees privileges so they can perform their jobs efficiently, granting too many privileges may backfire when users accidentally or intentionally abuse them. Hence, a middle ground must be found where the necessary privileges are provided and malicious usage is avoided. In this paper, we propose a framework that extends the role-based access control (RBAC) model by incorporating a risk assessment process and the trust the system has in its users. Our framework adapts to suspicious changes in users' behavior by removing privileges when a user's trust falls below a certain threshold. This threshold is computed from a risk assessment process that includes the risk due to inference of unauthorized information; we use a Coloured Petri net to detect inferences. We also redefine the existing role activation problem and propose an algorithm that reduces risk exposure. We present an experimental evaluation to validate our work.
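As an added illustration (not code from the paper, whose trust and risk definitions are not given on this page), the following Python sketches the three mechanisms the abstract names under assumed definitions: per-permission risk weights summed per role, a trust threshold that grows with the aggregate risk of the activated roles, and a redefined role activation that picks the lowest-risk set of roles covering the requested permissions, with roles pruned as trust decays. The permission names, weights, `ALPHA` and the penalty are constructed sample values.

```python
from itertools import combinations

# Constructed sample data (assumption for illustration, not the paper's model):
# each permission carries a risk weight, a role's risk is the sum of its
# permissions' weights, and more aggregate risk demands more trust.
PERM_RISK = {"read_public": 1, "read_hr": 3, "read_payroll": 4,
             "write_hr": 5, "approve_payment": 8}
ROLE_PERMS = {
    "clerk":      {"read_public", "read_hr"},                  # risk 4
    "auditor":    {"read_public", "read_hr", "read_payroll"},  # risk 8
    "hr_manager": {"read_hr", "write_hr", "read_payroll"},     # risk 12
    "finance":    {"read_payroll", "approve_payment"},         # risk 12
}
ALPHA = 0.05  # assumed scaling from aggregate risk to a trust threshold in [0, 1]

def role_risk(role):
    return sum(PERM_RISK[p] for p in ROLE_PERMS[role])

def threshold(roles):
    """Minimum trust needed to hold this role set; capped at 1.0."""
    return min(1.0, ALPHA * sum(role_risk(r) for r in roles))

def min_risk_activation(requested, trust):
    """Return (roles, risk) for the lowest-risk role set covering every requested
    permission; None if nothing covers it or the user's trust is below its threshold."""
    requested = set(requested)
    best = None
    for k in range(1, len(ROLE_PERMS) + 1):
        for combo in combinations(ROLE_PERMS, k):
            covered = set().union(*(ROLE_PERMS[r] for r in combo))
            if not requested <= covered:
                continue  # this role set does not grant everything asked for
            risk = sum(role_risk(r) for r in combo)
            if best is None or risk < best[1]:
                best = (set(combo), risk)
    if best is None or trust < threshold(best[0]):
        return None  # unsatisfiable request, or insufficient trust: deny
    return best

def update_trust(trust, suspicious_events, penalty=0.25):
    """Trust decays with each suspicious event (e.g. a detected inference attempt)."""
    return max(0.0, trust - penalty * suspicious_events)

def prune_roles(active, trust):
    """Drop the riskiest active roles until the rest fit the user's current trust."""
    active = set(active)
    while active and trust < threshold(active):
        active.remove(max(active, key=role_risk))
    return active
```

The brute-force search over role combinations is only meant to make the minimal-risk choice explicit; a deployment would need a scalable cover algorithm.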

Published In

SACMAT '12: Proceedings of the 17th ACM symposium on Access Control Models and Technologies
June 2012
242 pages
ISBN:9781450312950
DOI:10.1145/2295136
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. inference threat
  2. insider threat
  3. risk management
  4. role base access control
  5. trust

Qualifiers

  • Research-article

Conference

SACMAT '12

Acceptance Rates

SACMAT '12 Paper Acceptance Rate 19 of 73 submissions, 26%;
Overall Acceptance Rate 177 of 597 submissions, 30%

Article Metrics

  • Downloads (last 12 months): 45
  • Downloads (last 6 weeks): 2
Reflects downloads up to 04 Jan 2025

Cited By

  • (2024) MLCAC: Dynamic Authorization and Intelligent Decision-making towards Insider Threats. 2024 27th International Conference on Computer Supported Cooperative Work in Design (CSCWD), pp. 407-412. doi:10.1109/CSCWD61410.2024.10580595. Online publication date: 8 May 2024.
  • (2024) A Risk Assessment based RBAC using Attack Graphs to Mitigate Insider Threat during UAQ. 2024 IEEE 48th Annual Computers, Software, and Applications Conference (COMPSAC), pp. 1440-1443. doi:10.1109/COMPSAC61105.2024.00190. Online publication date: 2 Jul 2024.
  • (2023) File Tracking and Visualization Methods Using a Network Graph to Prevent Information Leakage. IEICE Transactions on Information and Systems, E106.D(9):1339-1353. doi:10.1587/transinf.2022ICP0014. Online publication date: 1 Sep 2023.
  • (2022) The Role of Education and Awareness in Tackling Insider Threats. Research Anthology on Business Aspects of Cybersecurity, ch. 13, pp. 280-299. doi:10.4018/978-1-6684-3698-1.ch013. Online publication date: 2022.
  • (2021) A Fine-grained Approach for Anomaly Detection in File System Accesses with Enhanced Temporal User Profiles. IEEE Transactions on Dependable and Secure Computing, pp. 1-1. doi:10.1109/TDSC.2019.2954507. Online publication date: 2021.
  • (2020) Verity: Blockchain Based Framework to Detect Insider Attacks in DBMS. 2020 IEEE International Conference on Blockchain (Blockchain), pp. 26-35. doi:10.1109/Blockchain50366.2020.00012. Online publication date: Nov 2020.
  • (2020) Uncertainty-Aware Authentication Model for IoT. Computer Security, pp. 224-237. doi:10.1007/978-3-030-42048-2_15. Online publication date: 22 Feb 2020.
  • (2019) The Role of Education and Awareness in Tackling Insider Threats. Cybersecurity Education for Awareness and Compliance, ch. 3, pp. 33-52. doi:10.4018/978-1-5225-7847-5.ch003. Online publication date: 22 Feb 2019.
  • (2019) Risk-Based Privacy-Aware Information Disclosure. Censorship, Surveillance, and Privacy, ch. 30, pp. 567-586. doi:10.4018/978-1-5225-7113-1.ch030. Online publication date: 2019.
  • (2019) Game Analysis of Access Control Based on User Behavior Trust. Information, 10(4):132. doi:10.3390/info10040132. Online publication date: 9 Apr 2019.