Among the various attacks that may target information systems, the insider threat is recognized as an important source of serious damage. In this paper, we investigate this problem from the viewpoint of authorizations in the context of access control. The objectives are to assess the sensitive authorizations in a system and to arrange them so as to reduce the convenience of insider fraud. The proposed analytical framework takes security constraints and user relationships into account, in addition to the traditional assessment of each user in isolation. Specifically, different fraud patterns and insider attacks are formally modeled. These concerns are meaningful in practice: with the enforcement of a security constraint such as Separation of Duty, a single user possesses only partial privileges for a sensitive task, so a person who wants to launch an attack needs to resort to social engineering and collude with others. Based on this framework, we study the critical user problems, which find the most critical subset of users for a sensitive task, and discuss how to mitigate the fraud risk to the lowest level. We show that these problems are NP-hard in the general case, while some special cases remain tractable. An approximate solution to these problems is presented.