Advances in Petri nets 1986, part I on Petri nets: central models and their properties
RBAC '98 Proceedings of the third ACM workshop on Role-based access control
DEMIDS: a misuse detection system for database systems
Integrity and internal control information systems
Configuring role-based access control to enforce mandatory and discretionary access control policies
ACM Transactions on Information and System Security (TISSEC)
Role-based authorization constraints specification
ACM Transactions on Information and System Security (TISSEC)
Proposed NIST standard for role-based access control
ACM Transactions on Information and System Security (TISSEC)
Secure Databases: Constraints, Inference Channels, and Monitoring Disclosures
IEEE Transactions on Knowledge and Data Engineering
Model-Based Risk Assessment to Improve Enterprise Security
EDOC '02 Proceedings of the 6th International Enterprise Distributed Object Computing Conference
Data Level Inference Detection in Database Systems
CSFW '98 Proceedings of the 11th IEEE workshop on Computer Security Foundations
A Computational Model of Trust and Reputation for E-businesses
HICSS '02 Proceedings of the 35th Annual Hawaii International Conference on System Sciences (HICSS'02)-Volume 7 - Volume 7
Using trust and risk in role-based access control policies
Proceedings of the ninth ACM symposium on Access control models and technologies
Intrusion Detection in RBAC-administered Databases
ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
TrustBAC: integrating trust relationships into the RBAC model for access control in open systems
Proceedings of the eleventh ACM symposium on Access control models and technologies
Protection of Database Security via Collaborative Inference Detection
IEEE Transactions on Knowledge and Data Engineering
A Trust and Context Based Access Control Model for Distributed Systems
HPCC '08 Proceedings of the 2008 10th IEEE International Conference on High Performance Computing and Communications
History-dependent inference control of queries by dynamic policy adaption
DBSec'11 Proceedings of the 25th annual IFIP WG 11.3 conference on Data and applications security and privacy
An Approach to Access Control under Uncertainty
ARES '11 Proceedings of the 2011 Sixth International Conference on Availability, Reliability and Security
Risk-Aware role-based access control
STM'11 Proceedings of the 7th international conference on Security and Trust Management
Beyond accountability: using obligations to reduce risk exposure and deter insider attacks
Proceedings of the 18th ACM symposium on Access control models and technologies
A model for trust-based access control and delegation in mobile clouds
DBSec'13 Proceedings of the 27th international conference on Data and Applications Security and Privacy XXVII
| Hi-index | 0.00 |
Insider Attacks are one of the most dangerous threats organizations face today. An insider attack occurs when a person authorized to perform certain actions in an organization decides to abuse the trust, and harm the organization. These attacks may negatively impact the reputation of the organization, its productivity, and may produce losses in revenue and clients. Avoiding insider attacks is a daunting task. While it is necessary to provide privileges to employees so they can perform their jobs efficiently, providing too many privileges may backfire when users accidentally or intentionally abuse their privileges. Hence, finding a middle ground, where the necessary privileges are provided and malicious usage are avoided, is necessary. In this paper, we propose a framework that extends the role-based access control (RBAC) model by incorporating a risk assessment process, and the trust the system has on its users. Our framework adapts to suspicious changes in users' behavior by removing privileges when users' trust falls below a certain threshold. This threshold is computed based on a risk assessment process that includes the risk due to inference of unauthorized information. We use a Coloured-Petri net to detect inferences. We also redefine the existing role activation problem, and propose an algorithm that reduces the risk exposure. We present experimental evaluation to validate our work.