Identifying high-risk over-entitlement in access control policies using fuzzy logic

Cybersecurity - Volume 5, Issue 1 - Pages 1-17 - 2022
Parkinson, Simon1, Khan, Saad1
1Department of Computer Science, University of Huddersfield, Huddersfield, UK

Abstract

Analysing access control policies is an essential process for ensuring over-prescribed permissions are identified and removed. This is a time-consuming and knowledge-intensive process, largely because there is a wealth of policy information that needs to be manually examined. Furthermore, there is no standard definition of what constitutes an over-entitled permission within an organisation’s access control policy, making it impossible to develop automated rule-based approaches. It is often the case that over-entitled permissions are specific to an organisation’s role-based structure, where access is divided and managed based on different employee needs. In this context, an irregular permission could be one where an employee has frequently changed roles, thus accumulating a wide-ranging set of permissions. There is no one-size-fits-all approach to identifying permissions where an employee is receiving more permission than is necessary, and they must be examined in the context of the organisation to establish their individual risk. Risk is not a binary measure and, in this work, an approach is built using Fuzzy Logic to determine an overall risk rating, which can then be used to make a more informed decision as to whether a user is over-entitled and presenting risk to the organisation. This requires the exploratory use of resource sensitivity and user trust as measures to determine a risk rating. The paper presents a generic solution, which has been implemented to perform experimental analysis on Microsoft’s New Technology File System to show how this works in practice. A simulation using expert knowledge for comparison is then performed to demonstrate how effective it is at helping the user identify potential irregular permissions.
