Towards more pro-active access control in computer systems and networks

Towards more pro-active access control in computer systems and networks

Accepted Manuscript Towards More Pro-active Access Control in Computer Systems and Networks Yixuan Zhang, Jingsha He, Bin Zhao, Zhiqing Huang, Ruohong...

1MB Sizes 0 Downloads 30 Views

Accepted Manuscript Towards More Pro-active Access Control in Computer Systems and Networks Yixuan Zhang, Jingsha He, Bin Zhao, Zhiqing Huang, Ruohong Liu PII:

S0167-4048(14)00181-3

DOI:

10.1016/j.cose.2014.12.001

Reference:

COSE 861

To appear in:

Computers & Security

Received Date: 20 November 2013 Revised Date:

30 September 2014

Accepted Date: 19 December 2014

Please cite this article as: Zhang Y, He J, Zhao B, Huang Z, Liu R, Towards More Pro-active Access Control in Computer Systems and Networks, Computers & Security (2015), doi: 10.1016/ j.cose.2014.12.001. This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.

ACCEPTED MANUSCRIPT

Towards More Pro-active Access Control in Computer Systems and Networks* Yixuan Zhanga, Jingsha Hea,b†, Bin Zhaoa, Zhiqing Huanga, Ruohong Liub a

School of Software Engineering

Beijing University of Technology, Beijing 100124, China

SC

Abstract

RI PT

[email protected], [email protected], [email protected], [email protected] b General Administration Department Beijing Development Area Co., Ltd., Beijing 100176, China [email protected]

Access control is a core security technology which has been widely used in computer systems and networks to protect sensitive information and critical resources and to counter malicious attacks. Although many access control models have been developed in the past, such as discretionary access

M AN U

control (DAC), mandatory access control (MAC) and role-based access control (RBAC), these models are designed primarily as a defensive measure in that they are used for examining access requests and making authorization decisions based on established access control policies. As the result, even after a malicious access is identified, the requester can still keep issuing more malicious access requests without much fear of punitive consequences from the access control system in subsequent accesses. Such access control may be acceptable in closed systems and networks but is not adequate in open systems and networks where the real identities and other critical information about requesters may not

TE D

be known to the systems and networks. In this paper, we propose to design pro-active access control so that access control systems can respond to malicious access pro-actively to suit the needs of open systems and networks. We will first apply some established principles in the Game Theory to analyze current access control models to identify the limitations that make them inadequate in open systems and networks. To design pro-active access control (PAC), we incorporate a constraint mechanism that

EP

includes feedback and evaluation components and show based on the Game Theory how to make such access control respond to malicious access in a pro-active manner. We also present a framework design of PAC and demonstrate through the implementation of trust-based access control the feasibility of

AC C

design, implementation and application of pro-active access control. Such kind of models and mechanisms can serve as the foundation for the design of access control systems that will be made more effective in deterring malicious attacks in open systems and networks.

Key Words: Security; Access Control; Game Theory; Evaluation; Payoffs; Trust.

1. Introduction Access control in computer systems and networks refers to the whole suite of models and mechanisms that are used to govern user access to information, resources, services, etc. and to counter malicious attacks. Access control was first introduced by Lampson in early 1970s in the form of an *

The work in this paper has been supported by National Natural Science Foundation of China (61272500), Beijing Natural Science Foundation (4142008), Pre-launch of Beijing City Government Key Tasks and District Government Emergency Projects (Z131100005613030) and the 12th Graduate Technology Fund of Beijing University of Technology (ykj-2013-9929). † The corresponding author, tel:+86-13501029035, email: [email protected].

1

ACCEPTED MANUSCRIPT access control matrix model (Lampson, 1971). In the model, the rows and the columns of the matrix represent respectively the subjects who issue access requests and the objects that need to be protected. The value in each matrix entry records the access rights or permissions that a subject has to the corresponding object. When a subject issues a request, access control will perform some necessary checks and make an authorization decision on whether to grant or to deny the request based on the access permissions that are present in the corresponding matrix entry. Many different access control models have been developed over the past few decades to meet

RI PT

different access control requirements, which can be generally classified into three types: discretionary access control (DAC) (Snyder, 1981), mandatory access control (MAC) (Bell et al., 1973) and role-based access control (RBAC) (Sandhu et al, 1996; Ferraiolo and Kuhn, 1992). In DAC, the owner of objects determines the access rights that a subject can have to the object (Sandhu and Samarati, 1996). In MAC, a mandatory access policy is enforced throughout a system without the discretion of

SC

any owner to confine the flow of information resulting from access to objects based on a lattice of security labels so that not even the owner of objects can assign access rights to other subjects. Notice that in DAC a great deal of risks originates from the fact that an owner may place too much trust on a subject who may be dishonest or malicious. Furthermore, it is very hard for the owner to control the

M AN U

granting of access rights because the subject to whom the owner has given some access rights may turn around and give some of the access rights to other subjects who may turn around and do similar things. The above process may go on until the access rights are obtained by a malicious subject. In the RBAC model, a set of roles are defined in addition to subjects and objects and access rights or permissions are assigned to roles rather than to subjects directly. In essence, RBAC uses the notion of roles to express a collection of permissions, which corresponds well to the internal structure of an organization where rights or permissions are usually associated with positions and roles of individuals.

TE D

Thus, access control can be performed through a permission-to-role assignment and subjects are granted access to objects through a subject-to-role mapping at the expense of possibly reduced granularity of permission assignment. To improve the granularity of access control, some enhancements have been proposed, such as context-based access control (CBAC) (Yao et al., 2005) and attribute-based access control (ABAC) (Wang and Wang, 2007).

EP

Although the above access control models have been widely used in the protection of information and resources in computer systems and networks, the main functionality of access control in these models is to make authorization decisions for incoming access requests. When dishonest or malicious

AC C

access is identified, the most that an access control system can do is to deny the request. However, the dishonest subjects may keep issuing more malicious access requests without much fear of punitive consequences, making access control essentially a defensive measure in dealing with potential threats and malicious attacks in computer systems and networks. This shortcoming may result from the fact that most current access control models were originally designed for organizations in which all subjects are known to the systems. Thus, dishonest or malicious subjects can be easily located and consequently punished for their malicious behavior according to organization rules and legal laws. In open systems and networks, however, this type of models is no longer effective since in such environments, the real identities and other critical information about the dishonest subjects may not be known to the systems, making it very difficult, if not impossible, to punish the dishonest subjects. An solution to overcome this shortcoming is to equip access control with the pro-active capability so that the rights or permissions that dishonest subjects can be immediately reduced or even revoked by access control, a more effectively access control in open systems and networks.

2

ACCEPTED MANUSCRIPT In this paper, we propose to design pro-active access control so that malicious access can be dealt with in a more pro-active manner. Access control then has the capability of regulating incoming access requests to effectively curb malicious access in open systems and networks. We will first apply some well-established principles in the Game Theory to analyze current access control models to identify the challenges and limitations. To design pro-active access control, we propose to incorporate a constraint mechanism that includes feedback and evaluation components and show based on the Game Theory how to make access control pro-active in response to malicious access. With the feedback component,

RI PT

access control can get some information for the evaluation component to perform evaluation on a subject who has just performed access. A value of the evaluation is used to determine a set of permissions through a mapping function. Using the set of permissions, we analyze the payoffs of the subject and the object based on the Game Theory to derive the necessary conditions that would allow access control to respond to malicious access in a pro-active manner, which is the foundation for the

SC

design of pro-active access control. We also design a trust-based access control following the requirements of pro-active access control to demonstrate the feasibility of achieving the pro-active access control design goal. Such kind of access control models can serve as the foundation for the open systems and networks.

M AN U

design of access control systems that can function more effectively in deterring malicious access in The rest of this paper is organized as follows. In the next section, we review some related work. In Section 3, we apply the Game Theory to analyze current access control models and show that these models exhibit some fundamental limitations, making them incapable of providing pro-active access control in open systems and networks. In Section 4, based on analysis using the Game Theory, we propose a pro-active access control model (PAC) that incorporates a constraint mechanism with feedback and evaluation. In Section 5, we show through presenting a framework design of PAC and

TE D

implementing a trust-based access control system the feasibility of realizing pro-active access control. In Section 6, we perform some experiment to show the effectiveness of PAC on constraining the behavior of subjects in pro-active access control. Finally, in Section 7, we conclude this paper in which we also discuss our future research.

EP

2. Related Work

A great deal of work has been done in the past few years on access control models and mechanisms to deal with the more complex issue of data protection in open systems and networks, among which

AC C

trust has emerged as an effective tool. Under the general framework of trust and trust management, trust-based access control (TrusBAC) was proposed as an enhancement to RBAC (Chakraborty and Ray, 2006) with the main idea that evaluation based on the identity, behavior history and some other factors that are related to a subject can be performed and the evaluation value can then be used to determine the role of the subject. Consequently, as the evaluation value changes, so does the role of the subject, hence the corresponding access permissions. Sandhu and Zhang proposed architecture of trust management based on roles that combines RBAC with trust management to build an access control system based on certificates (Sandhu and Zhang, 2005). Li proposed a dynamic trust model that is related to the context of the system in distributed environment (Li et al, 2008). Guo proposed a method that can combine trust and RBAC to solve the issue of unknown users (Guo et al, 2005). Tian proposed a dynamic role access control model based on the idea of establishing trust based on the behavior of users (Tian et al, 2008). He applied the Game Theory to analyzing a proposed trust-based access control in which trust values are computed based on multiple factors (He et al, 2013). 3

ACCEPTED MANUSCRIPT A close examination of the above models and methods reveals that they are still essentially identity based access control models since access control decisions are made based on the identities of subjects. Although trust has been introduced into these models, it is used primarily to determine the roles and thus the permissions that a subject can assume. Nor has there been any attempt to formally analyze how trust would systematically affect access control decisions. Game Theory is a field of applied mathematics that is used to describe and analyze interactive situations in order to makes decisions (Fudenberg and Tirole, 1991). It provides an analytical tool to

RI PT

predict the outcome of a complex interaction among rational entities in which rationality demands strict adherence to a strategy based on perceived or measured results. Game Theory has found many applications in the areas of economics, political science, biology and sociology. It has been applied to solving problems in engineering and computer science since early 1990s (Anderson and Moore, 2006). In the Game Theory, decision-making among multiple players is viewed as a game in which each

SC

player would choose the game strategies that can bring the best possible results to the player while anticipating the rational actions from other players (Osborne and Rubinstein, 1994). Game is a precise description of strategic interactions that include the constraints of, and the payoffs for, the actions that the players can take, but not necessarily the actions that they will actually take (Roy et al, 2010). (1)

M AN U

According to the Game Theory, a game consists of the following four basic elements (Osborne, 2004): Player: a basic entity in a game that assumes the task of making choices for actions. A player can be a person, a machine or a group of persons within a game. In access control, subjects and objects are the players. (2)

Strategy: a plan of actions within the game that a player can take during the play of a game. In access control, subjects issue access requests and access control makes decisions on behalf of objects following a strategy.

Order: the sequence of steps in a strategy chosen by the players. In access control, a subject issues

TE D

(3)

an access request first. After receiving the access request, access control makes a decision on whether to authorize the request. After each access, access control may also perform some analysis on the access to prepare itself for dealing with future access requests. (4)

Payoff: the positive or negative rewards to a player for taking a given action within the game. In

EP

access control, the payoff for a subject is the set of access permissions as it implies the amount of information and resources that the subject can obtain while that for access control is to allow maximal use of information and resources with minimal security risks based on access control

AC C

rules or policies.

In the Game Theory, Nash equilibrium describes the conditions for a stable state of a game in which no player would unilaterally change its strategy as doing so would lower its own payoffs provided that all other players would adhere to the prescribed strategy (Nash, 1950). The set of strategies that leads to Nash equilibrium should then be chosen by the players in order to maximize their individual payoffs. Access control can be modeled as a two-player game, i.e., between the subjects and the objects (or the access control on behalf of the objects). Thus, Nash equilibrium provides the conditions in which the subject as a player has nothing to gain by changing its strategy unilaterally and can guide the design of an access control model to curb malicious access by subjects. The basic principle is that if a player, e.g., the objects, has chosen a strategy and the other player, e.g., a subject, cannot benefit from changing its strategy with the first player’s choice unchanged, then the set of choices and the corresponding payoffs constitute the Nash equilibrium (Charilas and Panagopoulos, 2010).

4

ACCEPTED MANUSCRIPT Game Theory has been widely applied to many aspects of network interactions, but there has not been much in-depth study on applications to access control. There are so far only a few attempts in which the Game Theory has been applied to access control to make authorization decisions based on analysis of potential payoffs that objects can get by providing the requested access. Zhang proposed a game-theory based access control method for social networks (Zhang et al, 2011) in which the Game Theory is used to evaluate the payoffs as the basis of authorizing access requests from peers. Tian and Lin proposed a game-theoretic control mechanism for user behavior in trustworthy networks (Tian and

RI PT

Lin, 2007) in which a mechanism is proposed based on Bayesian network to predict the trust on user behavior. Chen proposed a trust game method based on probability model in networks (Chen et al., 2010) in which a trust game method is proposed based on probability density in networks.

Analysis of the above applications reveals that they used some relevant principles in the Game Theory only for the purpose of making simple decisions of “yes” or “no” during the authorization of

SC

access requests. None of the work has addressed the fundamental issues for achieving pro-active access control. In addition, all the proposed methods can only be applied to P2P networks, but not general open systems and networks that are far more complex and face a wide range of security threats.

M AN U

3. Analysis of Traditional Access Control Models

Since in most traditional access control models, access decisions are based essentially on the identities of subjects, these models are more suitable for closed environments such as organizations in which the set of subjects who can access the information and services within the organizations are known to the organizations. In such environments, if a subject makes a malicious access to a system and network, the potential punishment that the subject may get can always be initiated from organizations or law enforcement agencies, but not the system itself using means such as reducing or

TE D

revoking access rights, i.e., access control has no built-in mechanism to punish dishonest or malicious subjects. This may not be necessary since every subject is known to the system and the means of punishment based on organization rules or legal laws can be very effective. This also makes access control easy and simple to design and implement.

Under such circumstances, we can see through analysis that subjects would have a clear advantage

EP

over objects when we model access to objects by subjects as a game that is played between them. Following is our analysis using the Game Theory.

AC C

O _ income hon per : Object’s income payoff when subject chooses the honest access strategy and object chooses the permit access strategy. It is also the object’s loss payoff when subject chooses the honest access strategy and object chooses the deny access strategy. : Subject’s income payoff when subject chooses the honest access strategy and object S _ income hon per

chooses the permit access strategy. O _ loss mal per : Object’s loss payoff when subject chooses the malicious access strategy and object

chooses the permit access strategy. : Subject’s income payoff when subject chooses the malicious access strategy and S _ incomemal per object chooses the permit access strategy. It should be noted that when subject chooses the malicious

5

ACCEPTED MANUSCRIPT strategy, the payoff should be more than that from the honest access strategy, which would motivate the subject to choose the malicious access strategy. mal O _ incomeden : Object’s income payoff when subject chooses the malicious access strategy and

object chooses the deny access strategy. This income comes from the successful protection of the object by denying malicious access from the subject. When subject chooses the honest access strategy and object chooses the permit access strategy, both

RI PT

would get income payoffs. For the subject, the income payoff is access to the requested information, resources or services while for the object, the income payoff is the expansion of its influence by providing available information, resources or services so that it can attract more subjects to realize its worth.

However, when subject chooses the malicious access strategy and object chooses the permit access

SC

strategy, the subject get income payoff while the object gets loss payoff of the same value. For the subject, the income payoff is access to information, resources or services that is supposed to provide more benefits to the malicious subject, i.e., S _ incomemal ≥ S _ incomehon . For the object, the loss per per

or services that should not be provided.

M AN U

payoff is an attack by the dishonest or malicious subject, resulting in providing information, resources When subject chooses the honest access strategy and object chooses the deny access strategy, the subject doesn’t get any payoff while the object gets a loss payoff. The loss payoff is the reduced influence due to the failure of providing information, resources or services, thus reducing the potential of attracting more subjects to realize its worth.

When subject chooses the malicious access strategy and object chooses the deny access strategy, the

TE D

subject doesn’t get any income payoff while the object gets income payoff from the successful protection of the object by denying the malicious access. Table 1 illustrates the game-play scenarios for the traditional access control models.

EP

Table 1. Game play matrix for the traditional access control models. Subjects

Honest access

Malicious access

Permit access

hon O _ income hon per , S _ income per

mal − O _ loss mal per , S _ income per

Deny access

− O _ incomehon per ,0

mal O _ incomeden ,0

AC C

Objects

Analyzing the game matrix in Table 1 using the classical line drawing method, we can conclude that the pure strategy Nash equilibrium (PSNE) is (Deny access, Malicious access) with payoff mal ( O _ incomeden ,0 ). This result shows that to achieve the PSNE so that access control can provide

effective protection to objects, access control must be able to identify each and every malicious access from the subjects and thus deny their access, which raises a serious challenge to access control. This is because not every malicious access request can be successfully detected using mechanisms such as intrusion detection systems (IDS) with today’s technology. In addition, even if access control can 6

ACCEPTED MANUSCRIPT successfully detect malicious access attempts, there is still a lack of mechanisms in the traditional access control models to take necessary steps to punish the responsible subjects, which is expressed as the loss payoff of the subject in the case of PSNE. Without such measures, there is little fear on the side of the offensive subjects for launching more attacks by issuing malicious access requests. The situation becomes even more severe in open systems and networks because there is usually not sufficient information about every access request to the system (Yuan and Tong, 2005). Access control, whose purpose is to restrict the use of information and resources and which still serves as a core

RI PT

security measure in such environments, becomes far less effective due to the lack of information about subjects (Sandhu and Samarati, 1994). It is obvious that security threats and attacks that objects have to confront with in open systems and networks are far more lethal than those in closed systems and networks. Thus, more effective access control mechanisms need to be developed for open systems and networks to protect information and resources in such hostile environments.

SC

4. Pro-active Access Control

Pro-active access control (PAC) refers to a suite of models and mechanisms that would respond to

M AN U

malicious access in a pro-active manner. That is, a malicious access attempt should not only receive a “no” response, but, more importantly, it should also cause a negative impact on future accesses, thus a constraint measure that can be more effective in curbing malicious access. In the case that a malicious access attempt could not be successfully identified in time, post-analysis of the access should still be able to initiate actions to result in a negative impact on future accesses. More specifically, when a malicious access is initiated targeting an object, access control should not only try to block the access through detection, but will also punish such an access attempt by reducing, or even invoking, access rights in subsequent accesses. In the event that the first line of protection fails to succeed, access

TE D

control would still have ample opportunity to exercise the latter mechanism so that the subsequent access will have a lower chance of being successful. This dynamism would also help to reduce the reliance on the detection of malicious access attempts since post punitive actions can be applied to subsequent access, limiting the overall loss on behalf of the object. To provide the pro-active capability, we propose to incorporate a constraint mechanism in access

EP

control which includes a feedback component and an evaluation component. The feedback component provides a contribution value as feedback information to reflect the consequence of the current access by a subject. The evaluation component will then perform an evaluation to derive a value on subject’s

AC C

current access based on the contribution value. This evaluation value will eventually be used by access control in the determination of the set of permissions through a mapping function for subsequent accesses by the same subject. In terms of the Game Theory, subjects and objects play a game on the basis of what permissions that subjects can get for access to the objects and what permissions that objects should grant to subjects based on the income or loss payoffs that they would each receive. 4.1 The Basics Subject is the earlier player in the game through submitting a request to access object(s). The access could be honest or dishonest. After receiving the access request from a subject, access control chooses a strategy for the object(s). The strategy could be to permit or to deny the access. Let’s first define a few notations to describe the dynamic situations in pro-active access control (PAC). Access value: this value is used to describe the network conditions surrounding the current access, which is determined by a composite of many factors such as the location and time of the access, 7

ACCEPTED MANUSCRIPT network survivability in the event of a malicious access or an attack, etc. This value is used to describe the general access environment concerned. Depending on access control policies, a matrix could be constructed for easy retrieval of the access value when an access request is received by access control. Evaluation value: denoted as E, this is the evaluation result on a subject based on past access history by the same subject as well as the current network conditions expressed using the access value. While current network conditions describe the general access environment, past access history reflects the access behavior, honest or dishonest/malicious, of each and every subject.

RI PT

Permission matrix: this is a matrix in which the rows represent access permissions such as read, write, modify, execute, etc. and the columns represent objects. Each matrix entry indicates whether a subject with a particular evaluation value has the corresponding access permission to the corresponding object. A binary value 1 would mean “yes” and 0 would mean “no”.

Mapping function: denoted as F, this is a function that is used to map an evaluation value to a set of

SC

permissions. Generally speaking, as the evaluation value varies from low to high, the set of permissions in the permission matrix will also expand, but at least won’t become a smaller set. For example, if an evaluation value is mapped to the permissions set {read, write}, a higher evaluation value should be mapped to a permissions set that generally contains more permissions, but at least it cannot be mapped

M AN U

to a permissions set that is a subset of {read, write}.

Prior information: this is a value used to reflect the consequence of a past access by a subject which would affect access control decision that would be made by access control on the current access request by the same subject. In general, if a subject makes a dishonest access in the past, a future access request could be denied whereas the same request would be authorized without considering the past history. Prior information makes it possible for access control systems to punish subjects for dishonest access through reducing or even revoking access privileges. It can also be used to reward subjects for

TE D

continued honest access through granting more access privileges.

Contribution value: denoted as C within the value range (-∞, 1], this reflects the degree of influence that an access strategy chosen by a subject will have on the evaluation value through feedback. When a subject makes an honest access, the range of values for C should fall into (0, 1] and the evaluation value on the subject should generally go up as honest access continues. Conversely, when a subject

EP

makes a malicious access, the range of values for C should fall into⊿(-∞, 0] and the evaluation value on the subject should generally go down at a much faster pace. The way in which the contribution value is assigned is determined by how an honest access should be rewarded and a dishonest or even malicious

AC C

access should be punished.

4.2 The Constraint Mechanisms in PAC The purpose of the constraint mechanism in PAC is to force, or at least to motivate, a subject to take

the honest access strategy and to refrain from taking the malicious access strategy. Fig. 1 illustrates the general procedure of PAC followed with an explanation of the individual steps. (1)

A subject issues a request to access a set of objects: object1, object2, ..., objectn. We can use a permission matrix to express such an access request. For ease of description, we may abstract the set of objects with a single object in our discussion when there is no loss of granularity.

(2)

PAC would derive some parameters about the current access such as the place and time at which the access request is issued as well as current network conditions that would impact the survivability of the network in dealing with security violations. PAC will also retrieve the prior

8

ACCEPTED MANUSCRIPT information about the subject based on the identity of the subject which should reflect past

M AN U

SC

RI PT

access behavior of the subject.

Figure 1. The procedure of PAC (3)

Based on the access value and some prior information available, PAC would derive evaluation

TE D

value Ei on the subject. If it is the first time that the subject issues an access request, an arbitrary initial value could be used as Ei. (4)

Through the mapping function F, the constraint mechanism derives a set of permissions for the subject, which is expressed as follows:

M = F (Ei )

The two matrices in (1) and (4) are combined together through an entry-by-entry intersection of

EP

(5)

(1)

the corresponding values to arrive at a permission matrix that the subject is granted for the current access request.

Based on the set of permissions that a subject has been granted, the constraint mechanism in PAC

AC C

(6)

calculates the income and/or loss payoffs for the objects and the subject when they choose different strategies.

(7)

Based on the different payoffs and with the goal of reaching a Nash Equilibrium, PAC will calculate the probability that the subject has chosen the honest access strategy as well as the probability that the objects would choose the permit access strategy. Details of (6) and (7) will be described in 4.3.

(8)

PAC makes an authorization decision on the subject’s access request based on the probabilities from (7) and access control policies in PAC which should define some kind of threshold that would permit or deny the subject’s access request based on the probabilities. To provide adequate security while increasing the utilization of information and resources to maximize the income payoff of the objects, the threshold can be specified rather flexibly according to access control policies. That is, if the system also has some other protective measures like firewalls, intrusion 9

ACCEPTED MANUSCRIPT detection, etc., the threshold could be set at a lower level for the system to serve more access requests. On the hand, if the system is vulnerable to outside attacks, the threshold should be raised so that the system could rely more on PAC to provide the necessary security protection. (9)

As the access finishes, based on the consequence of the access strategy that the subject chose, the constraint mechanism will derive a contribution value C for the subject as the feedback information.

(10) After the access has finished, the constraint mechanism will amend the information about the

RI PT

subject based on the feedback information.

(11) The amended information will have an influence on the prior information about the subject. When the subject issues a new access request to the objects in the future, the constraint mechanism will calculate a new evaluation value on the subject based on the most-recent prior information.

SC

From the procedure in Fig. 1, we can see that the set of permissions that PAC allows a subject to have would dynamically change along with changes of the prior information about the subject. If a subject chooses the honest access strategy, the range of the contribution value should fall into (0, 1] and the corresponding evaluation value would go up so that the subject would get more permissions for

M AN U

future access. On the other hand, if the subject chooses a malicious access strategy, the range of the contribution value should fall into⊿(-∞, 0] and the corresponding evaluation value would go down so that the subject will have the set of access permissions reduced or even revoked for future access depending on the seriousness of the malicious access. Thus, the constraint mechanism in PAC would make the access control respond to malicious access in a pro-active manner. 4.3 Analysis of the Game between Subjects and Objects

TE D

Let’s first define the following set of parameters that will be used in our analysis. : Subject’s income payoff when subject chooses the honest access strategy and objects S ' _ incomehon per choose the permit access strategy. The income payoff should be the set of permissions that the subject is authorized to have in (5) of 4.2, which can be expressed as follows:

EP

S ' _ incomehon per = S _ Matrix

(2)

AC C

: Objects’ income payoff when subject chooses the honest access strategy and objects O' _ incomehon per choose the permit access strategy. It is also objects’ loss payoff when subject chooses the honest access strategy and objects choose the deny access strategy. : Subject’s income payoff when subject chooses the malicious access strategy and S ' _ income mal per

objects choose the permit access strategy, which now should include three parts: the set of permissions that the subject is authorized to have, the extra benefit obtained through malicious access and the loss payoff f(

E) due to the change of the evaluation value which should generally go down through the

feedback information. S ' _ incomemal can thus be expressed as follows: per

S ' _ incomemal per = S _ Matrix + S _ extra − f (∆E )

(3)

10

ACCEPTED MANUSCRIPT mal : Subject’s loss payoff when subject chooses the malicious access strategy and objects S ' _ lossden

choose the deny access strategy. Although it is still true that in the PAC model, not every malicious access by subjects can be detected prior to authorizing the access, the constraint mechanism has the capability of carrying out evaluation based on the contribution as the result of the access, thus lowering the requirements for access control to deal with malicious access. Furthermore, if a malicious access is detected after the access, the constraint mechanism in PAC will punish the malicious subject through

RI PT

feeding back a negative contribution value C to affect the evaluation value on the subject. That is, mal mal is now the third part f( E) of S ' _ income mal . S ' _ lossden can thus be expressed as: S ' _ lossden per mal S ' _ lossden = f (∆E )

(4)

SC

: Objects’ loss payoff when subject chooses the malicious access strategy and objects O' _ loss mal per choose the permit access strategy. The probable reason for PAC to permit the subject to access the objects could be that it mistakenly believed that the subject is honest based on the prior information and

M AN U

access value of the subject.

mal O' _ incomeden : Objects’ income payoff when subject chooses the malicious access strategy and

objects choose the deny access strategy resulting from the successful protection of the objects by denying the malicious access by the subject.

If a subject is honest and PAC permits the access, the payoffs for the subject and the objects are and O ' _ incomehon , respectively. If the subject is honest but PAC denies the access, S ' _ incomehon per per

TE D

the payoffs of the subject and the objects are 0 and − O' _ incomehon , respectively. If the subject is per malicious but PAC permits the access, the payoffs to the subject and to the objects are S ' _ income mal per

EP

and − O ' _ loss mal , respectively. If the subject is malicious and PAC denies the access, the payoffs of the per mal mal and O' _ incomeden subject and the objects are − S ' _ loss den , respectively. Table 2 is the matrix that

AC C

illustrates the game play between the subject and the object.

Subjects

Table 2. Game play matrix in PAC.

Honest access

Malicious access

Permit access

hon O' _ incomehon per , S ' _ incomeper

mal − O' _ loss mal per , S ' _ incomeper

Deny access

− O' _ incomehon per ,0

mal mal O' _ incomeden ,− S ' _ lossden

Objects

Analysis of the above game play matrix using the classical line drawing method reveals that there is no PSNE unlike the case for the traditional access models. This is because the constraint mechanism in 11

ACCEPTED MANUSCRIPT mal PAC would punish a subject for a malicious access by − S ' _ lossden when the subject chooses the

malicious access strategy. Let’s now try to find a mixed strategy Nash equilibrium (MSNE). The revenue matrix of subject is Psubject which is composed of the payoffs of the subject. Similarly, the revenue matrix of objects is Pobject. If the probability of objects’ choosing the permit access strategy is x, then the mixed strategy for the objects is Po=(x, 1-x). Similarly, if the probability of a subject’s choosing the honest access strategy is y, expressed as follows:

Eobject = PO × Pobject × PS = ( x,1 − x ) × T

O' _ incomehon per − O' _ incomehon per

(

)

RI PT

then the mixed strategy for the subject is Ps=(y, 1-y). The payoff function of objects Eobject can then be

− O' _ loss mal per

× ( y,1 − y )

T

mal O' _ incomeden

SC

mal mal = (2 x − 1) × y × O ' _ income hon per + x × − O ' _ loss per × (1 − y ) + (1 − x ) × (1 − y ) × O ' _ income den

(5)

By taking the derivative of Eobject on x, we get the following formula:

∂x

(

)

mal mal = 2 × y × O ' _ income hon per − O ' _ loss per + O ' _ incomeden × (1 − y )

M AN U

∂Eobject

(6)

Then, by forcing Equation (6) to be 0, we get the value of y using the following formula:

y=

mal O ' _ loss mal per + O ' _ incomeden

(7)

mal per 2 × O ' _ income hon per + O ' _ loss per + O ' _ incomeden

TE D

mal Equation (7) shows that y increases as the value of O' _ loss mal and that that of O' _ incomeden per

increase, which means that the probability of subject’s choosing the honest access strategy increases when objects’ loss payoff increases due to subject’s choosing the malicious access strategy and objects’ choosing the permit access strategy and/or when objects’ income payoff increases due to subject’s choosing the malicious access strategy and objects’ choosing the deny access strategy.

EP

Similarly, we can get the payoff function of subject Esubject as shown below.

Esubjct = Po × Psubject × PST = ( x,1 − x ) ×

S ' _ income hon per

AC C

0

× ( y,1 − y )

T

S ' _ incomemal per mal − S ' _ lossden

(

)

mal mal = x × S ' _ income hon per × y + x × S ' _ income per × (1 − y ) + (1 − x ) × − S ' _ loss den × (1 − y )

= x × y × (− S _ extra) + x × (S _ Matrix + S _ extra − f (∆E )) − (1 − x − y )× f (∆E )

(8)

By taking the derivative of Esubject on y, we get the following formula:

∂E subject ∂y

= x × (− S _ extra ) + f (∆E )

(9)

Then, by forcing Equation (9) to be 0, we get the value of x using the following formula:

x=

f (∆E ) S _ extra

(10)

12

ACCEPTED MANUSCRIPT Analysis of Equation (10) shows that x will go up as S_extra goes down and/or as f(

E) goes up.

We can thus conclude that reducing the extra benefit or incurring higher loss on the evaluation value of the subject as the result of a malicious access will increase the probability of objects’ choosing the permit access strategy, which would motivate the subject to make honest access. At last, from Equations (7) and (10), we can get the MSNE of PAC as follows:    

(11)

RI PT

mal  f (∆E ) O' _ loss mal 2 × O' _ income hon f (∆E )   per + O ' _ incomeden per , ,1 − ,  hon mal mal mal mal  S _ extra   2 × O ' _ income per + O ' _ loss per + O' _ incomeden 2 × O' _ income hon  S _ extra per + O ' _ loss per + O ' _ incomeden

From the above MSNE, the PAC can compute the probability of subject’s choosing the honest access strategy and that of objects’ choosing the permit access strategy. PAC can then make an authorization decision regarding whether to permit or to deny the current access request according to the access control policy in PAC where some kind of threshold could be established based on the probabilities. If the general network environment is considered to be friendly or the network under

SC

protection also have some other security mechanisms in addition to access control that would make the network more tolerable to security threats, the threshold could be set up more flexibly in the access control policy in PAC. On the other hand, if few other security mechanisms are present, a high level of

M AN U

security is desirable or a harsh network condition is assessed, the threshold could be chosen more conservatively. The purpose of the MSNE is to allow PAC to derive the important results, i.e., the probabilities, so that PAC can make the access control decision based on established access control policy.

In addition, we can see from Equation (7) that the probability of subject’s choosing the honest access strategy is affected by the loss payoff that the subject causes to the objects when it takes the malicious access strategy and the access is successful. It is also affected by the income payoff that objects get when objects protect itself successfully from subject’s malicious access. Moreover, this

TE D

probability goes up as the loss payoff or the income payoff increases. The former case represents the situations in which the subject has launched a malicious attack which has caused serious damage to the objects. Then, reactions from PAC will cause the probability of the subject’s choosing the honest access strategy to become higher according to the MSNE. We can also see from Equation (10) that the probability of objects’ choosing the permit access strategy will become lower as the extra benefit

EP

decreases or as the impact to the evaluation value increases due to the subject’s malicious access. Since the evaluation value is affected by the value of C which in turn is determined by the degree of damage due to subject’s malicious access, the probability of permitting the subject to access is closely related to

AC C

whether the subject is honest as well as to the consequence of the subject’s malicious access. According to the MSNE, the probability of objects’ choosing the permit access strategy would motivate or force the subject to choose the honest access strategy.

5. Design and Implementation of PAC 5.1 A Framework Design of PAC We present a framework design of PAC as shown in Fig. 2 in which the various functions of PAC are placed into two points or blocks, i.e., the access execution point (AEP) and the access decision point (ADP), depending on where they may naturally happen in a real system. There is also a database attached to ADP in which the prior information about subjects are stored to reflect the past access behavior of the subjects in the system.

13

M AN U

SC

RI PT

ACCEPTED MANUSCRIPT



Figure 2. Framework design of PAC

In the framework design, AEP is responsible for carrying out the actual access from the subject to the object based on the decision made by ADP. AEP would also measure the consequence of each and every access and provide the result to ADP. Thus, besides performing the tasks required for the actual access, AEP contains two functional modules: current access condition retrieval (CAR) and current

TE D

access measurement (CAM). The main functionality of CAR is to collect or measure various parameters related to the current access and send them to ADP, typical of which would include those related to the subject such as ID and those related to the access environment such as place and time of the access, current network situation, etc. These parameters will enable ADP to make an authorization decision. The main functionality of CAM is to measure the consequence of the access to the object and

EP

post it to ADP. The measurement can be done in a variety of ways both inside and outside of PAC. The consequence expresses the value to reflect the damage or goodness that the subject has caused to the object due to malicious or honest access behavior. Examples of a negative value could be the result of

AC C

the following measurement: the access has caused the system to slow down significantly, DoS conditions have started to form; the access has allowed the subject to take too much disk space. A negative value implies something abnormal due to the malicious access strategy of the subject. If the subject makes the access normally, CAM will also provide a value which presumably is a positive number to ADP to indicate that the subject should have chosen an honest access strategy this time. In the framework design, ADP is responsible for making authorization decisions for the access request that the subject has submitted. The decision will be made based on the access request parameters from AEP. It could also rely on the prior information about the subject to reflect the past access behavior of the subject. Access control policy in ADP makes it flexible to set up security requirements to suit the needs of different environments. There are a total of four functional components in ADP:⊿access request evaluation (ARE), access permission determination (APD), game theory-based analysis (GTA), and post-access evaluation (PAE). The main functionality of ARE is to perform evaluation on the current access based on access request

14

ACCEPTED MANUSCRIPT parameters (AV) from AEP and prior information (PI) about the subject from the PI database. The result of the evaluation is a value Ei which is a weighted average of AV and PI. The main functionality of APD is to deduce a set of access permissions that the subject is allowed to possess based on Ei according to the access control policy in ADP. The deduction of the set of access permissions is through a function that would map an evaluation value to an access permission set. With the deduced permission set, GTA will apply the Game Theory to calculate the income or loss payoffs for the subject and the object and then make an authorization decision based on the calculation results in reference to

RI PT

the access control policy. The calculation results are the probability of the subject’s choosing the honest access strategy and that of the object’s choosing the permit access strategy. The access control policy will specify the respective thresholds for the probabilities, which would allow different access control policies to be flexibly set up to suit the needs of different environments. After an authorization decision is reached, ADP will send the result to AEP for it to permit or to deny the access.

SC

When the access is finished and the access result is provided to the subject, CAM in AEP will measure the consequence of the access and post the result to PAE in ADP which will compute new prior information for the subject and update the PI database accordingly. In the process, PAE will first compute a contribution value and then a new PI. If CAM provides a negative number, the contribution

M AN U

value should also be in the negative range [- ∞ , 0) and should drop exponentially as the damage caused by the subject’s malicious access gets greater. On the other hand, if CAM provides a positive number, the contribution value should also be in the positive number [0, 1) and should increase linearly as the goodness brought by the subject’s honest access gets greater. Moreover, a positive contribution value will result in a new PI that will be greater than the present one and a negative contribution value will result in a new PI that will be smaller than the present one. The PI database will be updated with the newly calculated PI value.

TE D

Compared to traditional access control models, access authorization in PAC is more suitable to open systems and networks. First, every access request is evaluated by ARE to produce a value that corresponds to the level of security if the access is permitted. The evaluation value is then mapped to a set of permissions by APD. The higher the value is, the more permissions that it would correspond to. Using the past access history information in the PI database as well as the functionalities in ARE and

EP

ADP, the access privileges that a subject are granted would dynamically change based on the results of past access that the subject has made. An honest subject should generally be awarded with increasingly more access privileges while a dishonest or malicious subject should be punished with decreasingly

AC C

fewer access privileges at a faster pace or even with the revocation of all privileges. A subject could change its identity in order to get illegal payoffs. However, since every new identity would generally correspond to a very low evaluation level as the initial value to start with and thus fewer access privileges, if not null, the subject would have a very hard time to realize illegal payoffs, making it even less threatening to the objects. Furthermore, since the PAC mechanism would continue performing comprehensive evaluations to make authorization decisions for each and every access request from subjects based on performance of past access along the way, the proposed PAC model can automatically adapt to the dynamic situations of threats and attacks in open computer systems.

5.2 Trust-based PAC: an Implementation One implementation of the pro-active access control model that we proposed in this paper could be the use of the trust mechanism to perform the evaluation and the evaluation value E would then correspond to the resulting trust value. Trust was first introduced as a concept of sociology and has

15

ACCEPTED MANUSCRIPT been used as a tool to help reduce the complexity of making decisions (Sztompka, 1999). Trust and trust management have been studied extensively and applied in many areas including access control. For the application in our model, we use trust levels to express the results of the evaluation. With trust quantification, we can label trust with different levels ranging from low to high with a higher trust level corresponding to a richer set of access permissions and thus the access to more resources and services than a lower one. As a subject keeps choosing the honest access strategy, the subject will get increasingly higher trust levels. On the other hand, if a subject makes a malicious access, PAC will

RI PT

punish it by lowering its trust level based on the degree of damage caused by the malicious access through feeding back the contribution value C. By using trust and punishment, PAC can respond to network attacks in a pro-active manner. In PAC, each and every evaluation value is derived based on the access value and the subject’s prior information value. In this example, we use frequency of access and current network condition as the current access value. Consequently, we consider the following

SC

three factors in trust evaluation: prior information, frequency of access and current network condition. We use T1 to express the frequency of access which has four values: frequent, normal, occasional and never. Similarly, we assign four linearly disjoint sub-ranges of trust values to the four access

M AN U

situations as shown in Table 3.

Table 3. Assignment of trust levels to frequency of access Frequency of Access

Frequent

Normal

Occasional

Never

Trust Level

[0.75, 1]

[0.5, 0.75)

[0.25, 0.5)

[0, 0.25)

We use T2 to denote current network condition, which reflects a subjective or an objective view on the ability of the system to defend and to recover from a malicious attack. In our design, T2 is also described using four scenarios: very strong, strong, weak and very weak, which corresponds to the trust

TE D

levels in a way as shown in Table 4.

Table 4. Assignment of trust levels to current network condition Network Condition

Strong

Weak

Very Weak

[0.75, 1]

[0.5, 0.75)

[0.25, 0.5)

[0, 0.25)

EP

Trust Level

Very Strong

Since the access value of a subject which reflects the current network conditions is determined by

AC C

the above factors and is dynamically changing, we can use formula (12) above to compute AV, where α 1 and α 2 represent the weights of the two factors and the sum of α1 , α 2 is 1. So

AV = α1T1 + α 2T2 where α1 + α 2 = 1

(12)

Prior information is the evaluation of a subject’s past behavior by PAC which would affect the future

trust level of the subject. We use PI to denote prior information which has four categories: very safe, safe, dangerous and very dangerous. If trust levels are designed to fall into range [0, 1], we can divide the trust range into four linearly disjoint sub-ranges to correspond to the four categories of prior information. Table 5 shows the relationship between trust levels and prior information categories. Table 5. Assignment of trust levels to prior information categories Prior Information

Very Safe

Safe

Dangerous

Very Dangerous

Trust Level

[0.75, 1]

[0.5, 0.75)

[0.25, 0.5)

[0, 0.25)

16

ACCEPTED MANUSCRIPT Since the trust level of a subject is determined by the access value AV and prior information PI, we can use formula (13) above to compute a value for trust, where β1 and β 2 represent the weights of the two factors and the sum of β1 , β 2 is 1. So

Ei = β1 AV + β 2 PI where β1 + β 2 = 1

(13)

For ease of illustration, we can simply initialize the three weights to be the same, i.e., 1/3. We can then use the fuzzy comprehensive evaluation method (Ma et al, 2011) to compute the new weights for the three factors to allow PAC to derive a new trust value after an access is completed and the values of

RI PT

the three factors become available.

Note that since this trust-based access control is one instance of PAC, we can simply follow the steps of the procedure shown in Fig. 1 and Fig. 2 to perform access control, which is illustrated below: (1) A subject issues a request to access objects by asking for a set of permissions that the subject wishes to have to access a set of objects in the form of a permission matrix.

SC

(2) Based on the frequency of access that the subject has made and the current network condition, PAC will get the access value AV, and based on AV and prior information PI about the subject, PAC will derive an evaluation value E. If this is the first time that the subject makes the access, PAC could simply use a default trust level. The evaluation value E could be derived based on the

M AN U

fuzzy comprehensive evaluation method presented in (Ma et al, 2011). Following are a few example results:

Case 1: if there are two subjects SA and SB where SA is “very safe” while SB is “dangerous”, the frequency that SA and SB access the objects are both “frequent”, and the current network condition is “weak”, assuming that TA1=0.8 while TB1=0.3, TA2= TB2=0.8, and PIA= PIB=0.3, then EA=0.6333 and EB=0.4667.

Case 2: if both SA and SB are “safe”, the frequency of SA is “normal” and that of SB is “never”, and

TE D

the network condition is “strong”, assuming that TA1=TB1=0.7, TA2=0.6 while TB2=0.2, and PIA= PIB =0.7, then EA=0.6667 and EB=0.5333.

Case 3: if both SA and SB are “very dangerous”, the frequency that SA and SB access the objects are both “occasional”, and the network condition for SA is “very strong” while that for SB is “very weak”, assuming that TA1= TB1=0.2, TA2=TB2=0.4, and PIA=0.9 while PIB=0.1, then EA=0.5000 and

EP

EB=0.2333.

(3) PAC uses a mapping function to get the set of permissions for the subject. If the number of permission sets is p, we can design a simple linear mapping function to correspond the trust levels

AC C

to the permission sets in such a way that the highest trust level would map to the most powerful permissions set, the lowest trust level would map to the least powerful permissions set, i.e., {Ø}, and each of the other trust levels would map to a set of permissions that corresponds to the level so that a higher trust level will never be mapped to a permissions set that is a subset of another permissions set for a lower trust level. The set of permissions that the subject can eventually get is the result of the intersection of the set of the permissions that the subject has asked for and the set that PAC has allowed the subject to have, which can be expressed using another permission matrix. (4) Based on the set of permissions thus derived, PAC would compute the payoffs for the objects and the subject when they choose different strategies. According to the different payoffs, PAC will calculate the probability of the subject’s choosing the honest access strategy, i.e., y, and that of the objects’ choosing the permit access strategy, i.e., x,

17

ACCEPTED MANUSCRIPT based on the condition for reaching the MSNE. Following are the calculations for the same cases in (2): Case 1: EA=0.6333 and EB=0.4667, then the probabilities of the objects’ choosing the permit access strategy are xA=0.8569 and xB=0.3421, respectively, and those of the subject’s choosing the honest access strategy are yA=0.3872 and yB=0.6571, respectively. Case 2: EA=0.6667 and EB=0.5333, then the probabilities of the objects’ choosing the permit honest access strategy are yA=0.2653 and yB=0.5463, respectively.

RI PT

access strategy are xA=0.8875 and xB=0.6855, respectively, and those of the subject’s choosing the Case 3: EA=0.5000 and EB=0.2333, then the probabilities of objects’ choosing the permit access strategy are xA=0.6431 and xB=0.2487, respectively, and those of the subject’s choosing the honest access strategy are yA=0.5906 and yB=0.8743, respectively.

(5) PAC will make an access decision based on an established access control policy that is expressed

SC

in terms of the two probabilities.

(6) As the access finishes, based on the consequence caused by the access, PAC will get a contribution value C for the subject as the access feedback information with the formula (12) above. The information that PAC has had about the subject will then be amended according to the

M AN U

access feedback information. If the subject has just made an honest access, C should be a positive number within [0,1) which should increase as a response to the goodness that has been brought by subject’s honest access. If the subject has just made a malicious access, C should be a negative number within [- ∞ ,0) which should decrease as the result of damage that has been brought by subject’s malicious access.

(7) After the access has finished, PAC will amend the information about the subject based on the feedback information with formula (13) above. The amended new information will impact the

TE D

prior information about the subject. When the subject issues a new access request in the future, PAC will compute a new trust level for the subject according to the new prior information. If C is a positive number, the next E will be higher and subject’s trust level will go up correspondingly. If C is a negative number, the next E will be lower and subject’s trust level will go down, which makes PAC respond to malicious access dynamically in a pro-active manner.

EP

The different parameters and values calculated throughout the above procedure are summarized in Table 6.

AC C

6. Experiment and Analysis

We have performed some experiment to evaluate the effectiveness of PAC as the subject chooses

different access strategies and as the object (or PAC on its behalf) derives the critical information, i.e., the probabilities, for making the final access control decisions based on an established access control policy. First, from Fig. 1, we can see that the evaluation value E on a subject is affected by the access value and the prior information of the subject. When the subject continues to make honest access, E should go up as the number increases. Conversely, when the subject makes a malicious access, the E should go down. Our evaluation is performed based on prior research on the quantification of evaluation values (Ma et al, 2011) since the main focus of this paper is not to develop a model for the evaluation upon the finish of access by the subject. Rather, our main purpose is for PAC to derive the probabilities of subject’s choosing the honest access strategy and objects’ choosing the permit access strategy for PAC to make an authorization decision based on an established access control policy.

18

ACCEPTED MANUSCRIPT Table 6. Summary of different values in the example T1 Very Safe

Cases

Safe

T2 Dang erous

Very Dang erous

T3

Freque

Nor

Occasi

Neve

Very

Stron

nt

mal

onal

r

Strong

g

Proba Weak

Very

Evaluat

Weak

ion value

[0.75,

[0.5,

[0.25,

[0,

[0.75,

[0.5,

[0.25,

[0,

[0.75,

[0.5,

[0.25,

[0,

1]

0.75)

0.5)

0.25)

1]

0.75)

0.5)

0.25)

1]

0.75)

0.5)

0.25)

SA

1

SB

0.8

0.8

Case

SA

0.7

2

SB

0.7

Case

SA

0.2

0.4

3

SB

0.2

0.4

0.3

0.3

0.8 0.7 0.2

0.7 0.9

ility of

permit

honest

ting

access

access

y

x 0.6333

0.3

0.6

Probab

of

0.8569

RI PT

Case

E

bility

0.1

0.3421

0.6571

0.6667

0.8875

0.2653

0.5333

0.6855

0.5463

0.5000

0.6431

0.5906

0.2333

0.2487

0.8743

SC

We performed the experiment using the Matlab platform in which we assumed that there are four parameters f1, f2, f3 and f4 to be used to derive the access value AV and the weights for the parameters are the same, i.e.,

. To compute the evaluation value Ei, the weights for AV and PI are also the same,

. The values for f1, f2, f3, f4 and PI are all within the range [0, 1]. The initial value of Ei is 0.5

M AN U

i.e.,

0.3872

0.4667

and the threshold for authorizing access is 0.5.

We use the same scenario as that in (Ma et al, 2011) for our experiments in which there are ten subjects labeled as S1, S2 …S10 and ten objects labeled as O1, O2, … O10. In the experiment, each subject makes 15 consecutive accesses to the objects randomly at the interval of 5 seconds. Our goal is to derive the probabilities of the subjects’ and the objects’ choosing different access strategies. We repeated the experiment 100 times to generate 100 sample results and used the equidistant sampling

TE D

method to select samples following the procedure in (Jacobson et al, 2000). With this sampling method, for each access in the experiment that would generate 100 samples, we chose the first sample randomly from the first five samples and then took every fifth sample afterwards. In total, we would get 20 samples out of the 100 and then compute an average value as the result. The results of the evaluation value E are shown in Fig. 3 and the probabilities of the objects’

EP

choosing the permit access strategy and the subjects’ choosing the honest access strategy are shown in Fig. 4. We can see from the two figures that the probability of the objects’ choosing the permit access strategy varies along with E in the same direction, which means that as the subjects continue to make

AC C

honest access, the probability that the subjects will get the permission to access the objects will also increase. If a malicious access is identified, the PAC will punish the subjects by sharply lowering the probability of permitting the subjects to continue getting the access permission. Meanwhile, the probability of the subjects’ choosing the honest access strategy changes in an

opposite direction with E, which implies that as the subjects continue to get higher evaluation values as the result of making honest access, the probability that the subjects will choose the honest access strategy actually goes down. When the subjects make malicious access and get punished, the probability that they would choose the honest access strategy in the subsequent access would go up. This phenomenon illustrates that in PAC, as a subject gains more and more access permissions to access objects, PAC would become more cautious on future access by the same subject since a malicious access by a subject with a high evaluation value and consequently a high probability of getting the access permission could cause more damage to the objects. Access control policy in PAC should be designed to balance the current access and future access in making access control decisions. It should also be defined dynamically to meet specific security requirements of systems and networks. 19

RI PT

ACCEPTED MANUSCRIPT

SC



TE D

M AN U

Figure 3. Evaluation value E as the response to different types of access



EP

Figure 4. Probabilities of the objects’ choosing the permit access strategy and the subjects’ choosing the honest access strategy

AC C

Compared to traditional access control models, PAC would need some extra evaluations and calculations to support pro-active access control, which may influence the performance of the access control system. Therefore, another experiment that we performed was to evaluate the performance degradation caused by the PAC mechanisms. In this experiment, there are 15 subjects denoted as S1, S2, … , S15 and 10 objects denoted as O1, O2, … O10 and each object represents 5 files. Since the extra performance delay would mostly result from pre-evaluation which involves ARE, APD and GTA and post-evaluation which involves PAE in ADP as shown in Fig. 2, we evaluated the performance degradation by considering the pre-evaluation and the post-evaluation separately and the results are shown in Fig. 5. Note that in normal situations of access, only pre-evaluation matters because it would actually consume some time before an authorization decision can be reached. Post-evaluation normally happens after each access. The worst performance degradation will occur only when the same object is being continuously accessed, leaving no time for post-evaluation before next access to the same object starts, hence making both delays of pre-evaluation and post-evaluation affect the performance.

20

SC

RI PT

ACCEPTED MANUSCRIPT



Figure 5. Performance comparison between traditional access control and PAC models

M AN U

We can see from Fig. 5 that in normal situations of access, the PAC evaluation mechanisms would incur about 25% more time delay for access authorization in our experiment. However, as the number of subjects that simultaneously issue access requests increases, the difference seems to narrow. In the worst case where the same object is accessed continuously without leaving time for updating the information on past access behavior before next access request arrives, the performance degradation would be about 30% and the trend is about the same as the number of subjects increases. Obviously, extra resources and time are needed for more effective security in open systems and networks where

TE D

security threats and attacks become more common, which should well justify the not-so-bad performance degradation introduced by PAC.

7. Conclusion

In this paper, we focused on the fundamental issues for the design of pro-active access control after

EP

pointing out that most traditional access control models are defensive in nature and thus are not effective in open systems and networks. We first applied some well-established principles in the Game Theory to analyze traditional access control models and showed that these models have some

AC C

fundamental limitations that render them inadequate for building effective security solutions in open environments. In particular, we showed that these access control models are defensive due to the lack of feedback mechanisms needed for taking pro-active measures. For pro-active access control, we proposed to incorporate constraint mechanisms into access control and designed a pro-active access control (PAC) model that includes a feedback component and an evaluation component. We also analyzed the proposed access control model and derived the formulas for PAC to update critical information in order to make access control decisions based on established access control policies. Such information is necessary for pro-active access control and should be updated by PAC following each and every access by a subject to one or more objects. We also illustrated how such pro-active access control can be realized through introducing a framework design and a trust-based implementation so that malicious attacks can be deterred more effectively. At last, we presented some results on the evaluation of PAC to justify the extra resources and time needed for more effective security in open systems and networks.

21

ACCEPTED MANUSCRIPT In the future, we will further improve the proposed pro-active access control model to make it more easily adaptable to different open environments defined through establishing access control policies. We will also carry out in-depth study on the design of the mapping functions from contribution values to evaluation values and from evaluation values to sets of access permissions to suit the needs of common access control requirements.

References Butler W. Lampson. Protection. Proc. 5th Princeton Symposium on Information Sciences and

RI PT

[1]

Systems, Princeton, NJ, pp.437-443, 1971. [2]

Baoyi Wang, Lanjing Wang. Design of Attribute-based Access Control Model for Power Information Systems. Automation of Electric Power Systems, 31(7), pp. 81-84+98, 2007. (in Chinese)

D. Elliott Bell, Leonard J. LaPadula. Secure Computer Systems: A Mathematical Model. Mitre

SC

[3]

Corporation, Bedford, MA, 1973.

Drew Fudenberg, Jean Tirole. Game Theory, MIT Press, 1991.

[5]

David F. Ferraiolo, D. Richard Kuhn. Role-based Access Control. Proc. 15th National Computer

M AN U

[4]

Security Conference, Baltimore, MD, pp. 554-563, 1992. [6]

Dimitris E. Charilas, Athanasios D Panagopoulos. A Survey on Game Theory Applications in Wireless Networks. Computer Networks, 54(18), pp. 3421-3430, 2010.

[7]

Eric Yuan, Jin Tong. Attributed Based Access Control for Web Services. Proc. 2005 IEEE International Conference on Web Services, Orlando, FL, pp. 561-569, 2005.

[8]

Hanbing Yao, Heping Hu, Baohua Huang, Ruixuan Li. Dynamic Role and Context-based Access Control for Grid Applications. Proc. 6th International Conference on Parallel and Distributed

[9]

TE D

Computing, Applications and Technologies, Dalian, China, pp. 404-406, 2005. Jing Chen, Rui-Ying Du, Li-Na Wang, Zai-Rong Tian. A Trust Game Method Basing on Probability Model in Networks. Acta Electronica Sinica, 38(2), pp. 427-433, 2010. (in Chinese) [10] Jingsha He, Shunan Ma, Bin Zhao. Analysis of Trust-based Access Control Using Game Theory. International Journal of Multimedia and Ubiquitous Engineering, 8(4), pp. 15-24, 2013.

EP

[11] John F. Nash. Equilibrium Points in N-Person Games. Proc. National Academy of Science of the United States of America, pp. 48-49, 1950. [12] Lawrence Snyder. Formal Models of Capability-Based Protection Systems. IEEE Trans. on

AC C

Computers, 30(3), pp. 172-181, 1981.

[13] Li-Qin Tian, Chuang Lin. A Kind of Game Theoretic Control Mechanism of User Behavior Trust based on Prediction in Trustworthy Network. Chinese Journal of Computers, 30(11), pp. 1930-1938, 2007. (in Chinese)

[14] Li-Qin Tian, Tie-Guo Ji, Chuang Lin, Yang Yang. Kind of User Behavior Trust and Role based Dynamic Access Control Model. Computer Engineering and Applications, 44(19), pp. 12-15+23, 2008. (in Chinese) [15] Martin J. Osborne, Ariel Rubinstein. A Course in Game Theory, MIT Press, 1994. [16] Martin J. Osborne. An Introduction to Game Theory, Oxford University Press, 2004. [17] Piotr Sztompka. Trust: A Sociological Theory, Cambridge University Press, 1999. [18] Ravi S. Sandhu, Pierangela Samarati. Access Control: Principles and Practice. IEEE Communications Magazine, 32(9), pp. 40-48, 1994.

22

ACCEPTED MANUSCRIPT [19] Ravi S. Sandhu, Edward J. Coyne, Hal L. Feinstein, Charles E. Youman. Role-based Access Control Models. Computer, 29(2), pp. 38-47, 1996. [20] Ravi S. Sandhu, Pierangela Samarati. Authentication, Access Control, and Audit. ACM Computing Surveys, 28(1), pp. 241-243, 1996. [21] Ravi S. Sandhu, Xinwen Zhang. Peer-to-Peer Access Control Architecture Using Trusted Computing Technology. Proc. 10th ACM Symposium on Access Control Models and Technologies, Stockholm, Sweden, pp. 147-158, 2005.

RI PT

[22] Ross Anderson, Tyler Moore. The Economics of Information Security. Science, 314, pp. 610-613, 2006.

[23] Ruixuan Li, Zhuo Tang, Zhengding Lu, Jinwei Hu. Request-Driven Role Mapping Framework for Secure Interoperation in Multi-Domain Environment. Computer Systems Science and Engineering, 23(3), pp. 193-207, 2008.

SC

[24] Sudip Chakraborty, Indrajit Ray. TrusPAC: Integrating Trust Relationships into the RBAC Model for Access Control in Open Systems. Proc. 11th ACM Symposium on Access Control Models and Technologies, Lake Tahoe, CA, pp. 49-58, 2006.

[25] Sankardas Roy, Charles Ellis, Sajjan Shiva, Dipankar Dasgupta, Vivek Shandilya, Qishi Wu. A

M AN U

Survey of Game Theory as Applied to Network Security. Proc. 43rd Annual Hawaii International Conference on System Sciences, Koloe, HI, pp. 1-10, 2010.

[26] Shengbing Zhang, Wandong Cai, Yongjun Li. A Game Theory-based Social Network Access Control Method. Journal of Northwestern Polytechnic University, 29(4), pp. 652-657, 2011. (in Chinese)

[27] Sheldon H. Jacobson, John E. Kobza, Marvin K. Nakayama. A Sampling Procedure to Estimate Risk Probabilities in Access-control Security Systems. European Journal of Operational

TE D

Research, 122(1), pp. 123-132, 2000.

[28] Shunan Ma, Jingsha He, Xunbo Shuai. Application of Fuzzy Comprehensive Evaluation Method in Trust Quantification. International Journal of Computational Intelligence Systems, 4(5), pp. 768-776, 2011.

[29] Ya-Jun Guo, Fan Hong, Qing-Guo Zhang, Rong Li. An Access Control Model for Ubiquitous

EP

Computing Application. Proc. 2005 2nd International Conference on Mobile Technology,

AC C

Applications and Systems, Guangzhou, China, pp. 1-6, 2005.

23

ACCEPTED MANUSCRIPT

AC C

EP

TE D

M AN U

SC

RI PT

Highlights:  We analyzed current access control models to identify their drawbacks.  We proposed pro-active access control for open systems and networks.  We based our design and analysis on well-established principles in the Game Theory.  We used trust-based access control to demonstrate the feasibility of our proposal.

ACCEPTED MANUSCRIPT Yixuan Zhang is a Ph.D. candidate in the School of Software Engineering at Beijing University of Technology, Beijing, China. She received her B.S. degree in Beijing University of Technology in 2011. Her research interests include network security, access control, game theory and distributed network technology.

RI PT

Jingsha He is a professor in the School of Software Engineering at Beijing University of Technology (BJUT) in Beijing, China. He received a Ph.D. degree from the University of Maryland at College Park in 1990. Prior to joining BJUT in 2003, he worked for IBM, MCI Communications and Fujitsu Laboratories engaging in R&D of advanced networking and computer security. Prof. He’s interests include methods and techniques that can improve the security and performance of the Internet. He has published nearly 200 papers in the above areas.

M AN U

SC

Bin Zhao is a Ph.D. candidate in the School of Software Engineering at Beijing University of Technology, Beijing, China. His research focuses on network security, cloud computing, information forensics. He has published several papers in scholarly journals and international conferences in the above research areas.

TE D

Zhiqing Huang is an associate professor in the School of Software Engineering at Beijing University of Technology (BJUT) in Beijing, China. He received a Ph.D. degree from Chongqing University in 2001. Prior to jointing BJUT in 2011, he worked for Lucent Technologies and Alcatel-Lucent engaging in the development of telecommunications network and IP network communication protocols. His interests include embedded computing and networking, 4G mobile communications and IPv6.

AC C

EP

Ruohong Liu is the General Manager of the IT Department at Beijing Development Area Co., Ltd in Beijing, China. His interests include enterprise cloud computing and information security.