ABSTRACT
Recently, both academia and industry have recognized the need to leverage real-time information for specifying, enforcing and maintaining rich and flexible authorization policies. In this context, security-related properties, a.k.a. attributes, have been recognized as a convenient abstraction for providing a well-defined representation of such information, allowing it to be created and exchanged by different, independently run organizational domains for authorization purposes. However, attackers may attempt to compromise the way attributes are generated and communicated by resorting to hacking techniques, e.g., forgery, in an effort to bypass authorization policies and their corresponding enforcement mechanisms and, as a result, gain unintended access to sensitive resources.
In this paper, we propose a novel technique that allows enterprises to proactively collect attributes from the different entities involved in the access request process, e.g., users, subjects, protected resources, and running environments. After collection, we carefully select the attributes that uniquely identify these entities, and randomly mutate the original access policies over time by adding policy rules constructed from the newly identified attributes. This way, even when attackers are able to compromise the original attributes, our mutated policies may offer an additional layer of protection to deter ongoing and future attacks. We present the rationale and experimental results supporting our proposal, which provide evidence of its suitability for deployment in practice.
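The following toy ABAC evaluator is an added illustration of the idea sketched in the abstract; it is not the authors' implementation and the attribute names, records and policy are constructed. It collects attributes from observed requests, keeps those whose values single out an entity, appends rules built from them to the original policy, and shows that a request carrying only the original (forgeable) attributes no longer passes.

```python
"""Added example (not the paper's code): mutating an ABAC policy with
rules derived from attributes that uniquely identify observed entities."""
import random

# Constructed attribute records, as collected from users, devices and
# the running environment of past access requests.
OBSERVED_REQUESTS = [
    {"role": "nurse", "dept": "icu", "device_id": "d-101", "ip": "10.0.1.5", "shift": "night"},
    {"role": "nurse", "dept": "icu", "device_id": "d-102", "ip": "10.0.1.9", "shift": "day"},
    {"role": "nurse", "dept": "er", "device_id": "d-103", "ip": "10.0.2.7", "shift": "day"},
]
# Original policy: a single permit rule keyed on attributes an attacker might forge.
ORIGINAL_POLICY = [{"role": "nurse", "dept": "icu"}]
# Constructed forged request: correct role/dept, but from an unknown device and address.
FORGED = {"role": "nurse", "dept": "icu", "device_id": "d-999", "ip": "10.9.9.9", "shift": "night"}

def matches(rule, request):
    """A rule matches when every attribute it names has the same value in the request."""
    return all(request.get(k) == v for k, v in rule.items())

def evaluate(policy, request):
    """Permit-overrides: the request is allowed if any rule matches."""
    return any(matches(rule, request) for rule in policy)

def identifying_attributes(records, base_keys):
    """Attributes outside the original rule whose values are distinct across all
    observed records, i.e. each value identifies exactly one entity."""
    candidates = set().union(*records) - set(base_keys)
    return sorted(k for k in candidates if len({r.get(k) for r in records}) == len(records))

def mutate_policy(policy, records, rng=random):
    """For each original rule, replace it with one stricter rule per matching record,
    each extended with a randomly chosen identifying attribute of that record."""
    mutated = []
    for rule in policy:
        ident = identifying_attributes(records, rule.keys())
        for rec in (r for r in records if matches(rule, r)):
            extra = rng.choice(ident)
            mutated.append({**rule, extra: rec[extra]})
    return mutated

def demo(seed=7):
    """Return (decision under original policy, decision under mutated policy) for FORGED."""
    mutated = mutate_policy(ORIGINAL_POLICY, OBSERVED_REQUESTS, random.Random(seed))
    return evaluate(ORIGINAL_POLICY, FORGED), evaluate(mutated, FORGED)

if __name__ == "__main__":
    print(demo())
```

Legitimate entities seen during collection still pass the mutated policy, because every added rule is the original rule plus one of their own identifying attribute values; the random choice only changes which attribute an attacker would additionally have to forge.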
Mutated Policies: Towards Proactive Attribute-based Defenses for Access Control