Skip to main content
SpringerLink
Log in
SpringerLink
Log in

Towards Attribute-Based Access Control Policy Engineering Using Risk

  • Conference paper
  • First Online:
Risk Assessment and Risk-Driven Testing (RISK 2013)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 8418))

Included in the following conference series:

Abstract

In this paper, we consider a policy engineering problem for attribute-based access control. The general goal is to help a policy writer to specify access control policies. In particular, we target the problem of defining the values of attributes when access to an object should be granted or denied. We use risk to quantify possible harm caused by misuses and abuses of granted access rights and apply the risk-benefit analysis to maximize the profit from granting an access.

This work was partly supported by EU-FP7-ICT NESSoS, EU-FP7-ICT ANIKETOS, and 295354 SESAMO projects.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 34.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 44.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Aziz, B., Foley, S.N., Herbert, J., Swart, G.: Reconfiguring role based access control policies using risk semantics. J. High Speed Netw. 15(3), 261–273 (2006)

    Google Scholar 

  2. Boyd, S., Vandenberghe, L.: Convex Optimization. Cambridge University Press, Cambridge (2004)

    Book  MATH  Google Scholar 

  3. Celikel, E., Kantarcioglu, M., Thuraisingham, B., Bertino, E.: Usage control in computer security: a survey. Risk Decis. Anal. 1(1), 21–33 (2009)

    Google Scholar 

  4. Chen, L., Crampton, J.: Risk-aware role-based access control. In: Meadows, C., Fernandez-Gago, C. (eds.) STM 2011. LNCS, vol. 7170, pp. 140–156. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  5. Colantonio, A., Pietro, R.D., Ocello, A., Verde, N.V.: A new role mining framework to elicit business roles and to mitigate enterprise risk. Decis. Support Syst. 50(4), 715–731 (2011)

    Article  Google Scholar 

  6. Diep, N.N., Hung, L.X., Zhung, Y., Lee, S., Lee, Y.-K., Lee, H.: Enforcing access control using risk assessment. In: Proceedings of the 4th European Conference on Universal Multiservice Networks, pp. 419–424 (2007)

    Google Scholar 

  7. Dimmock, N., Belokosztolszki, A., Eyers, D., Bacon, J., Moody, K.: Using trust and risk in role-based access control policies. In: Proceedings of the 9th ACM Symposium on Access Control Models and Technologies, pp. 156–162 (2004)

    Google Scholar 

  8. Ferraiolo, D., Atluri, V., Gavrila, S.: The policy machine: a novel architecture and framework for access control policy specification and enforcement. J. Syst. Architect. 57(4), 412–424 (2011)

    Article  Google Scholar 

  9. Frank, M, Buhmann, J.M., Basin, D.: On the definition of role mining. In: Proceedings of the 15th ACM Symposium on Access Control Models and Technologies, pp. 35–44. ACM

    Google Scholar 

  10. Jin, X., Krishnan, R., Sandhu, R.: A unified attribute-based access control model covering DAC, MAC and RBAC. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 41–55. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  11. Krautsevich, L., Lazouski, A., Martinelli, F., Mori, P., Yautsiukhin, A.: Integration of quantitative methods for risk evaluation within usage control policies. In: Proceedings of 22nd International Conference on Computer Communications and Networks (2013) (to appear)

    Google Scholar 

  12. Krautsevich, L., Lazouski, A., Martinelli, F., Yautsiukhin, A.: Cost-effective enforcement of access and usage control policies under uncertainties. IEEE Syst. J. Spec. Issue Secur. Priv. Complex Syst. 7(2), 223–235 (2013)

    Google Scholar 

  13. Krautsevich, L., Martinelli, F., Morisset, C., Yautsiukhin, A.: Risk-based auto-delegation for probabilistic availability. In: Garcia-Alfaro, J., Navarro-Arribas, G., Cuppens-Boulahia, N., de Capitani di Vimercati, S. (eds.) DPM 2011 and SETOP 2011. LNCS, vol. 7122, pp. 206–220. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  14. Lazouski, A., Martinelli, F., Mori, P.: Usage control in computer security: a survey. Comput. Sci. Rev. 4(2), 81–99 (2010)

    Article  Google Scholar 

  15. Ni, Q., Bertino, E., Lobo, J.: Risk-based access control systems built on fuzzy inferences. In: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, pp. 250–260 (2010)

    Google Scholar 

  16. Nissanke, N., Khayat, E.J.: Risk based security analysis of permissions in RBAC. In: Proceedings of the 2nd International Workshop on Security in Information Systems, pp. 332–341 (2004)

    Google Scholar 

  17. OASIS. eXtensible Access Control Markup Language (XACML) Version 3.0. http://www.oasis-open.org/committees/xacml

  18. Sandhu, R., Park, J.: Usage control: a vision for next generation access control. In: Gorodetsky, V., Popyack, L.J., Skormin, V.A. (eds.) MMM-ACNS 2003. LNCS, vol. 2776, pp. 17–31. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  19. Zhang, L., Brodsky, A., Jajodia, S.: Toward information sharing: Benefit and risk access control (BARAC). In: Proceedings of the 7th IEEE International Workshop on Policies for Distributed Systems and Networks, pp. 45–53 (2006)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Istituto di Informatica E Telematica, Consiglio Nazionale Delle Ricerche, Via G. Moruzzi 1, 56124, Pisa, Italy

    Leanid Krautsevich, Aliaksandr Lazouski, Fabio Martinelli & Artsiom Yautsiukhin

Authors
  1. Leanid Krautsevich
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Aliaksandr Lazouski
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Fabio Martinelli
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Artsiom Yautsiukhin
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Artsiom Yautsiukhin .

Editor information

Editors and Affiliations

  1. Fraunhofer IESE, Kaiserslautern, Germany

    Thomas Bauer

  2. Fraunhofer Institut FOKUS, Berlin, Germany

    Jürgen Großmann

  3. SINTEF ICT, Oslo, Norway

    Fredrik Seehusen

  4. SINTEF ICT, Oslo, Norway

    Ketil Stølen

  5. Fraunhofer Institut FOKUS, Berlin, Germany

    Marc-Florian Wendland

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Krautsevich, L., Lazouski, A., Martinelli, F., Yautsiukhin, A. (2014). Towards Attribute-Based Access Control Policy Engineering Using Risk. In: Bauer, T., Großmann, J., Seehusen, F., Stølen, K., Wendland, MF. (eds) Risk Assessment and Risk-Driven Testing. RISK 2013. Lecture Notes in Computer Science(), vol 8418. Springer, Cham. https://doi.org/10.1007/978-3-319-07076-6_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-07076-6_6

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-07075-9

  • Online ISBN: 978-3-319-07076-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation