Risk Based Access Control Using Classification

Abstract

Traditional access control operates under the principle that a user’s request to a specific resource is denied if there does not exist an explicit specification of the permission in the system. In many emergency and disaster management situations, access to critical information is expected because of the ‘need to share’, and in some cases, because of the ‘responsibility to provide’ information. Therefore, the importance of situational semantics cannot be underestimated when access control decisions are made. There is a need for providing access based on the (unforeseen) situation, where simply denying an access may have more deleterious effects than granting access, if the underlying risk is small. These requirements have significantly increased the demand for new access control solutions that provide flexible, yet secure access. In this paper, we quantify the risk associated with granting an access based on the technique of classification. We propose two approaches for risk-based access control. The first approach, considers only the simple access control matrix model, and evaluates the risk of granting a permission based on the existing user-permission assignments. The second assumes role-based access control, and determines the best situational role that has least risk and allows maximum permissiveness when assigned under uncertainty. We experimentally evaluate both approaches with real and synthetic datasets.