A Feasible Fuzzy-Extended Attribute-Based Access Control Technique

Xu, Yang; Gao, Wuqiang; Zeng, Quanrun; Wang, Guojun; Ren, Ju; Zhang, Yaoxue

doi:https://doi.org/10.1155/2018/6476315

Security and Communication Networks

On this page

Abstract Introduction Related Work Discussion Conclusion Disclosure Conflicts of Interest Acknowledgments References Copyright Related Articles

Special Issue

Cyberspace Security for Future Internet

View this Special Issue

Research Article | Open Access

Volume 2018 | Article ID 6476315 | https://doi.org/10.1155/2018/6476315

A Feasible Fuzzy-Extended Attribute-Based Access Control Technique

Yang Xu,¹Wuqiang Gao,¹Quanrun Zeng,¹Guojun Wang,²Ju Ren,¹and Yaoxue Zhang¹

Academic Editor: Debasis Giri

Received29 Dec 2017

Revised19 Apr 2018

Accepted29 Apr 2018

Published05 Jun 2018

Abstract

Attribute-based access control (ABAC) is a maturing authorization technique with outstanding expressiveness and scalability, which shows its overwhelmingly competitive advantage, especially in complicated dynamic environments. Unfortunately, the absence of a flexible exceptional approval mechanism in ABAC impairs the resource usability and business time efficiency in current practice, which could limit its growth. In this paper, we propose a feasible fuzzy-extended ABAC (FBAC) technique to improve the flexibility in urgent exceptional authorizations and thereby improving the resource usability and business timeliness. We use the fuzzy assessment mechanism to evaluate the policy-matching degrees of the requests that do not comply with policies, so that the system can make special approval decisions accordingly to achieve unattended exceptional authorizations. We also designed an auxiliary credit mechanism accompanied by periodic credit adjustment auditing to regulate expediential authorizations for mitigating risks. Theoretical analyses and experimental evaluations show that the FBAC approach enhances resource immediacy and usability with controllable risk.

1. Introduction

The burgeoning communication and computing technologies such as the 5G mobile Internet [1] and network computing [2–5] have substantially enhanced the availability and usability of resources to end users. Consequently, new evolutions including the popularity of telecommuting [6] and the general acceptance of “bring your own device” [7] have inadvertently driven the emergence of more complex and diverse resource access and usage scenarios. However, the developments in access control technologies have somewhat lagged behind. The typical role-based access control (RBAC) [8] model and older paradigms such as mandatory access control (MAC) [9] and discretionary access control (DAC) [10] are insufficient to support dynamic, distributed, and unpredictable access scenarios, because of their inherent limitations in flexibility, scalability, adaptability, and control granularity. More effective solutions that consider additional relevant parameters (e.g., subject states, object states, and contextual information) have also been explored, among which the attribute-based access control (ABAC) is the most promising approach for the new era. It has successfully transitioned from purely academic studies [11–20] to the practical application phase [21–24]. By enforcing attribute-formed policies on access requests, this adjustive, expressive, and highly extensible authorization model has an overwhelmingly competitive advantage, especially in dynamic and complicated environments.

Unfortunately, the ABAC ineluctably encounters practical problems during the use in current dynamic and complex scenarios spawned by the latest communication and computing techniques. Due to the rigid policy-based access control enforcement and the inability to automatically and efficiently handle exceptional access requests, some urgent requests which may not fully comply with the original ABAC policies would not be authorized in time due to the requirements of inefficient human involved approval processes, which impacts the resource availability and thereby affects the business timeliness and even leads to irreversible unfortunate consequences. There is a particular negative example that a world’s top chip manufacturer once restricted its private cloud services only accessible by on-site staffs within the working hours for security purpose. Nevertheless, the staffs were easily frustrated in policy matching due to not only human factors but also technical reasons (The mobile positioning can be unsteady or outdated due to the functional defects or optimization reasons. Besides, the time limit obstructs lots of workflows in practice.). In absence of a flexible and efficient exceptional request handling mechanism, consequently, the working efficiency was severely affected as staffs could not get expected services in time when inefficient administrator involvements were often required for handling exceptional requests. Undoubtedly, the problem can be even worse in some time-sensitive cases, such as the sudden and urgent needs for classified information in stock or futures markets, the remote patient privacy data requirements in emergency surgeries, and the interorganizational confidential information requests in critical intelligence analyses.

Obviously, a more flexible and efficient exceptional access authorization method is badly needed by the stock ABAC paradigm to guarantee the business timeliness, especially for emergency situations, so as to make the ABAC more feasible, flexible, and adaptive for fitting current dynamic, distributed, unexpectable, and complicated situations.

In a sense, access control can be regarded as risk control. Therefore, the concept of risk and the opposite concept of trust have naturally been introduced as an effective and flexible assistive tool for the authorization decision-making process. For instance, the risk assessment method has already been integrated into classical models like RBAC and multiple levels of security (MLS) [25, 26]. By estimating the risk of the certain request based on the specific involving information and comparing the risk with some preset acceptance criteria of risk, these risk-oriented enhanced models have achieved flexible and efficient unattended authorizations for urgent requests which do not comply with the basic access rules in original models. More recently, risk and trust evaluation schemes are increasingly viable in access control when taking more parameters (e.g., environment states) into account, which yields more expressive and flexible solutions [27–31]. Because of these encouraging attempts, we are reasonably confident that the ABAC paradigm will benefit from risk evaluation schemes as well, especially the more flexible and efficient decision-making ability to deal with exceptional urgent access requests in dynamic and complex access environments. In this context, fuzzy logic [32], as one of the most recognized math tools for assessment that reasons probability from vague knowledge, is a viable option to determine the semantic matching degree of access requests and ABAC policies.

Focusing on the situations described above, in this article, we propose a feasible ABAC-based access control paradigm named fuzzy-extended ABAC (FBAC) to improve the flexibility and time efficiency when tackling low-risk exceptional authorizations for the emergency cases. We use the fuzzy assessment mechanism to evaluate the policy-matching degrees of requests failed to meet policies and then make authorization decisions according to both the denial threshold and the credit available to the requesters, to achieve unattended temporary authorization for the exceptional urgent access requests which are initiated by reputable users (reflected by credit values) but slightly violate the predefined ABAC policies. Furthermore, we designed an auxiliary credit system to impose restrictions on special authorizations and perform periodic credit adjustment auditing, to reduce the potential for abuse of expediential approvals. In addition, we describe a detailed case study to help readers understand the FBAC better and finally demonstrate our improvements from the perspectives of usability, security, and performance theoretically and experimentally.

The major contributions of our work are summarized as follows.

(1) We introduce the matching-degree-based fuzzy evaluation method into the original ABAC paradigm, which enables more efficient and flexible unattended approval for exceptional urgent authorization cases, to increase the resource usability and thereby the business timeliness.

(2) We keep the risk of special authorization abuse under control by not only using the configurable threshold to intercept high-risk requests directly but also by building a credit system combined with periodic credit adjustment audit mechanism.

(3) We analyzed the FBAC model theoretically for its usability, risk, and complexity and then implemented a prototype system to evaluate its effectiveness and efficiency by experiments, to demonstrate our enhancements in usability and immediacy, as well as the acceptance of security risks.

The remainder of this article is organized as follows. We introduce some articles related to our work in Section 2. In Section 3, we review several basic concepts of fuzzy logic. In Section 4, we propose our fuzzy-extended ABAC (FBAC) paradigm and detail it in the case study. Section 5 gives a brief discussion of FBAC’s usability, risk, and complexity. Then in Section 6, we evaluate our prototype and analyze the experimental results. The last section summarizes this paper and describes possible improvements.

Access control is an indispensable security technology for preventing sensitive resources from illegal access. A variety of access control models have been studied over the years, and different ones are designed for addressing discrete challenges focusing on confidentiality, integrity, scalability, manageability, etc. Some typical patterns like DAC [10], MAC [9], and RBAC [8] have emerged. Nonetheless, these classical models above are not expressive enough to take into account the effects of other additional factors (e.g., time of the day or user IP). As a result, they are gradually unable to meet the new requirements of geographical, temporal, and context-aware information systems.

Breaking the limitation of the subject-object pattern, more revealing access control paradigms are well studied.

One inspiring endeavor is bringing in risk factor to strike balance between system security and usability. The concept of “fuzzy” has been introduced to the RBAC for achieving better flexibility in handling exceptional requests [25]. The fuzzy RBAC carried out the more relaxed assignments of user-role and role-permission compared with the original RBAC model. And the assignment degrees were subjectively assigned to represent the accompanying uncertainties and risks of corresponding assignments. Then the access control enforcement was based on the risks of requests reflected by the overall assignment degrees. However, this conceptual solution did not provide a practical and detailed calculation method of assignment degrees. Cheng et al. [26] proposed the fuzzy MLS, a risk self-adjusting access control technique, which can quantify the potential risks associated with the exceptional access and thereby optimize the risk-benefit trade-off. In this model, the risk of the request was quantitatively assessed according to both the value of the object and the empirical illegal disclosure probability determined by the MLS tags (security level, etc.) of the involving subject and object and then made the access decision by comparing the risk with a preset risk scale and asking the user to provide corresponding risk tokens assigned by the administrator. Meanwhile, trust mechanism, closely connected to the concept of risk, has also been ushered in. Dimmock et al. expanded the existing access control framework and combined the trust-based assessment with reasoning to form a dynamic model that can manage risk more intelligently [27]. Liu combined the dynamic hierarchical fuzzy system with trust evaluation, then introduced a fuzzy multiattribute trust access control scheme for cloud manufacturing system [28]. Mahalle et al. [29] developed a trust-extended fuzzy authorization scheme and put forward the concept of trust rating for identity management. Context awareness is a significant precondition for accurately perceiving and properly handling risks. Feng et al. [30] integrated user behaviors and operating environment to propose a scalable trust-based and context-aware access control technique for large-scale, widely distributed networks. Taking into account both factors of trust and environmental perception, Bhatti et al. [31] constructed a trust-enhanced, environment-sensitive authorization model for network traffic based on X-GTRBAC (XML-based generalized temporal RBAC) framework.

As cross-organizational, multisectoral cooperations become integral parts of current business processes, to overcome the drawbacks of the mainstream access control models while unifying their advantages, there has been considerable interest in a more general model, namely ABAC [11, 12], which is considered as “next generation” authorization model for its dynamic, context-aware, and fine-grained features, defines a multidimensional access control paradigm where access requests are accepted or rejected based on all kinds of assigned attributes, including subject attributes (e.g., age, department, job title), action attributes (e.g., read, write, append), object attributes (e.g., owner, size, classification), and contextual attributes (e.g., time, location), and a set of policies. ABAC empowers more precise access control, facilitating the generation of expressive and flexible policies through the combination of a wide range of factors.

Determined attempts have been made not only by standards organizations [11] but also by many IT giants such as IBM and Cisco [21, 22], which contributes much to the development and widespread deployment of ABAC technique. Meanwhile, the academic community has also invested significant effort in this research area [13]. Li et al. [14] conducted in-depth discussions on the inherent logical relations and system architecture of ABAC. Jin [15] has formalized the ABAC scheme and achieved the simulation of other classical models. Sookhak et al. [16] carried out an exhaustive survey on ABAC techniques befitting cloud and distributed environment. Based on the authorization requirements of grid systems, Bo et al. [17] developed an efficient multipolicy ABAC technique suitable for grid computing based on the third-party authorization framework.

Regardless the benefits of ABAC, its rigid policy-enforcement mechanism as well as the guideless policy-configuration process may somehow lead to the reduction of resource usability and then the time efficiency of business. Demchenko and Ngo [18] mitigated this problem by proposing a specific ABAC solution for the cloud tenants which enables hierarchical delegations to support the efficient collaborations among tenants. Although this approach contributes to yield a more flexible ABAC paradigm, it is not a general solution which can only fit for limited scenarios. In a more intrinsic view, it reflects the fact that ABAC is thoughtless in how to efficiently deal with exceptional access requests.

Considering all these challenges and even more complex and urgent application scenarios, in our previous conference paper [19], we put forward a rough fuzzy ABAC framework conceptually aiming to achieve flexible special authorizations for exceptional urgent requests with low risks. However, it did not consider the effects of benign users’ unintentional misoperations and ignored the differences in importance among attributes. Besides, its credit management mechanism is not reasonable enough while the experimental evaluation and analysis are not included. This research is inclined to make up for the past deficiencies so as to achieve an innovative approach with the auxiliary exceptional requests handling functionality, for enhancing the resource usability and thereby business timeliness in highly dynamic and unexpectable environments.

3. Preliminary

This section goes through some necessary concepts of the fuzzy theory [32].

Fuzzy Set. Fuzzy set is an extension of sets whose elements have degrees of membership. A fuzzy set can be defined as a pair in which is the universe set of elements and is the membership function that mapping elements to corresponding membership degree, as follows:

Fuzzy Logic. The fuzzy logic is one type of multivalue logic which is based on fuzzy set theory. In fuzzy logic, the true/false value is replaced with membership values, which are real numbers between 0 and 1. A possible definition of operations in fuzzy logic is based on max/min function [33] in which the AND operator means taking the minimum value among membership values, while the OR operator means taking the maximum.

4. FBAC

In this section, we define several necessary notations at the beginning. Then, we introduce the architecture of FBAC briefly and describe its workflow step by step. Further, we demonstrate its essential components in detail. And finally, we study a detailed case to help readers understand the FBAC better.

For convenience, we only adopt granting policies (Although the policies in ABAC can be granting or denying ones, they are mutually transformable.) in this paper and employ a refusal precedence principle for the decision-making process; i.e., a granted decision would be made when the request meets at least one clause in the policy set.

4.1. FBAC Model

The FBAC model wraps the standard ABAC as a preliminary screening module and integrates additional decision support components for improving the resource usability, thereby gaining better business timeliness.

Notations. Throughout this paper, we use the notations in Table 1 for simplified description purpose.

Architecture and Workflow. As seen in Figure 1, the FBAC is built upon the standard ABAC model with additional fuzzy evaluation component and credit component. The first component is developed to support unattended special authorizations, while the second is a security remedial measure. These additional components are independent to standard ABAC which contributes to the effortless integration.

When a request is reached, the FBAC firstly collects the states of related attributes of that request, including the attributes of subject, object, context, and action (Steps 1-2). After applying the policies, if this request is not granted by the standard ABAC process, it will be delivered to our fuzzy evaluation component for a further decision based on the membership degree calculation and the rejection threshold filter (Step 3). The credit component will check the available credits of the requester and denies the request if the requester is unable to afford the credit cost for approving this exceptional request (Step 4). If the corresponding subject has sufficient credits to pay the credit cost, the credit component will issue a prompt to ask the requester to confirm the credit consumption (Step 5). Once confirmed by the requester, the request will be granted and logged, at the expense of corresponding credit consumption. Note that part of the consumed credit will be restored after audit if the subject is not malicious. Otherwise, this request will be denied (Step 6). The final decision is delivered to the enforcement facility which will mediate the corresponding access to the object accordingly (Step 7). The major decision-making process is illustrated in Algorithm 1.

Input: ,
Output:
(1) if match any policy then
(2) return granted
(3) end if
(4)
(5)
(6) if or then
(7) return denied
(8) end if
(9)
(10) return granted

Apart from the major decision-making process, there is an audit process which will router the recorded exceptional access authorizations to administrators for review periodically. And then the credit audit system will restore a part of the users’ credit according to the auditing results (Step a).

Fuzzy Evaluation Component. When a request is rejected by the standard ABAC module because it can not exactly match any policy, the FBAC system will turn to fuzzy evaluation component for further judgments. This component will evaluate the matching degree of the to policies through membership degree calculation. Specifically, for the th clause in the policy set, this component will calculate the membership degree of the request to that clause as follows:

In formula (2), is the membership subfunction that maps to a certain membership degree according to the matching degree of to the constraint range of the th attribute in the th clause. The design of is closely related to the meaning of the corresponding attribute and policy clause and also depends on administrators subjectively. There exist several primary guidelines for determining the membership subfunction [34]. And the most commonly recommended function templates include the trapezoid subordinate function, the trigonometric membership function, the step function, etc. In this paper, we select the trapezoid subordinate function and the step function for different policy clauses respectively (cf. Section 4.2). The FBAC gives the administrators greater freedom to determine the attributes which should be fuzzy processed based on practical administrative needs. In general, the continuous attributes can be fuzzy processed, while the discrete ones (e.g., users names) should be fully matched for obtaining final authorizations. Additionally, if the discrete attributes can be somehow transformed into continuous ones based on partial ordered relations, they can also be fuzzy processed similarly, e.g., converting the discrete and hierarchical job titles to continuous level numbers. is the weight of the corresponding attribute. Introducing weight factor enables administrators to adjust the influence of each attribute in the policies, so as to provide more flexible and expressive manageability.

Since there usually exist more than one clause in the policy set, the holistic matching degree is synthesized with maximum synthesis rules [33], as shown in the following formula:

After obtaining the matching degree , the FBAC will compare with the rejection threshold . If , the request will be denied by FBAC. Otherwise, the credit component will be invoked for supporting further judgments.

Credit Component and Audit Mechanism. The fuzzy evaluation component provides users with extra access opportunities without manual reviews. However, in spite of the benefits in the resource usability and business timeliness, this fuzzy evaluation module poses potential threats such as abuse issues unintentionally. Therefore, we build a credit component combined with periodic credit adjustment auditing mechanism as the countermeasure to mitigate the risk of abuse.

Our credit component maintains a credit value (, where is the preset credit line) for each subject . When the FBAC is initialized, every will be set as without discrimination. During the use, the credit component will be invoked to provide further decision support for the request if its matching degree exceeds the rejection threshold . We define as the special approval cost for the request with the matching degree , because the can reflect the gap between the states of the and the precise requirements of policies. Thus, the credit component will compare the credit of the requester with the corresponding special approval cost . If , then a denial suggestion will be issued for the as the requester does not have enough credit to afford the cost. Otherwise, the FBAC will ask the requester for confirmation to consume that and enforce the requester to comment reasons for the unusual request. This additional prompt scheme is quite useful to avoid user misuse and is also helpful for future audits. Then if the requester replies in the affirmative to that credit consumption prompt, the FBAC will grant the request by charging the requester corresponding fee, i.e., deducting from . In fact, for individuals, the FBAC would degrade to standard ABAC when they max out their credits.

Furthermore, for achieving better credit management and thereby controlling credit abuse risks, a periodic manual audit mechanism is also integrated into the FBAC model. During an audit, the unusual authorization records will be reviewed by the system administrators according to all the relevant information in the system including corresponding explanatory comments typed by requesters in the confirmation process. Based on auditing results, the audit routine will restore credits for the users who pass checks successfully, while disables such recovery for the suspects unless proved innocent (More tougher punishments can be given when the suspect is finally proven guilty.), to ensure the credit system works well, thereby providing enough flexibility with controllable abuse risks.

Note that the credit recovery strategy depends on the administrator. For instance, our approach gives the proportional credit back ( in ) of the margin between the credit line and the current credit value (i.e., ) after each audit process. This is because we hold a conservative opinion that the special approval is a compromise for improving business timeliness, which should not be encouraged in routine work. Therefore, the formula for calculating new credit value is as follows:

4.2. Case Study

This subsection provides a case study of FBAC to help people understand how it works in detail.

Assuming there exists an FBAC system with the threshold , , and two clauses in the policy set as follows:

We can see that there are 3 types of attributes involved in the policy set: is the timestamp of the request, denotes the requester’s location (given in latitude and longitude), and denotes the ’s job position. Then we define the membership functions as follows:

In this case, we set all the attributes in the same policy to the same weight, as shown below:

In order to describe , we firstly predefine a function to describe the distance between and in meters. Then, we give the definitions of as follows:

Then we assume that a subject initiates a request as follows:

When request is initiated, the FBAC attempts to match with policies but fails. Then it turns to the fuzzy evaluation process. As the credit cost of the is , then is going to be consumed from for making be granted. The system will ask subject for the consumption confirmation in order to make sure whether is willing to consume required credits to continue. Suppose that chooses to spend his credits, then is granted, and is decreased to .

Next, when try to initiate another request later as follows:

in the same way, we get that . Since after the request , can not afford the cost of the , so will be rejected directly.

In addition, if passes the audit with his credit value , then will be restored to according to expression (4).

5. Discussion

In this section, we will briefly analyze the effect on usability and security of FBAC, followed by complexity analyses.

Usability and Security. To describe the enhancive effect on the overall resource usability of FBAC, we chose the granted rate, which is defined as the rate of the granted requests to total requests per unit time, as a reflection of usability.

Let denote the usability and denote the granted rate; then we get the following expression in which and denote the granted rates of requests matching or not matching policies, respectively, while notation “” denotes the relationship of positive correlation.

Since FBAC shares the same with its elder sibling ABAC obviously, the FBAC obtains extra usability improvement which is positively correlated with when compared with ordinary ABAC, namely,

Naturally, the configurable threshold is closely associated with the usability. For any request failed in policies matching with overall matching degree , we suppose that obeys a probability density distribution while the probability of available credit of requester obeys another probability density distribution , then we can deduce the following relational expression:

Since and are commonsensically positive, we find an inverse correlation between the incremental usability and the threshold in expression (13); that is, a lower leads to more approvals on requests. Apparently, the FBAC would deteriorate to standard ABAC if tends to the upper bound, i.e., the value in our case.

Not surprisingly, the usability improvement also comes with security risks. As the FBAC may authorize exceptional access requests which do not fully comply with the current policies in some cases, this feature can be abused by indiscreet users or even be exploited by malicious users for accessing extra resources and thereby bringing additional risks to the system. Here, the deviation between the overall matching degree of the exceptional request (i.e., ) and the closest matching policy (the standard normalization value “1”) is used as the risk indicator of each exceptional authorization.

Correspondingly, the FBAC has effective countermeasures to mitigate the risks induced by the fuzzy assessment mechanism to the acceptable level. Firstly, as a general and indiscriminate defense, the reject threshold is used to screen out high-risk requests deviating far from current policies, i.e., any request with overall matching degree lower than the threshold would be declined directly, because the FBAC is aiming at improving the flexibility and efficiency of exceptional authorizations rather than invalids the security policies. Thus, the security risk of each exceptional authorization is limited within the controllable range . Secondly, the credit mechanism is used as the individualized constraint against the abuse attacks on the FBAC. As for each requester, each exceptional authorization definitely comes with corresponding credit cost which is determined by the risk of that request (i.e., ). In other words, a request will be declined if the corresponding requester does not have enough credit to afford the credit cost of the exceptional request, i.e., . Therefore, the immoderate and even malicious exceptional access behaviors are mitigated due to the limitation of credit. According to the analysis above, then the maximum security risk of one exceptional authorization associated with a requester is further limited within Minimum(, ). Meanwhile, within each audit cycle, the total security risk which can be caused by the exceptional authorizations related to each single requester is limited below his credit value (the value at the beginning of the audit cycle). In addition, for each subject , the credit consumption has the additive restrictive effect on future requests because only a portion of the already consumed credits could be restored according to credit recovery mechanism. Briefly, the more credits the requester used in one audit cycle, the less total amount he will have in the future, which further reduces the abuse risks of the exceptional authorizations. Finally, the FBAC integrates a periodic manual audit mechanism as the post-security mechanism to review all the exceptional authorizations. As for the suspects, their credit restorations would be suspended until proven innocent. As a result, they would lose the privileges to obtain instant approvals for their exceptional requests as their credits will keep reducing and can not get replenished. Therefore, the entire risk which can be caused by the exceptional authorizations granted for a single suspect identified during the audits is limited within the credit line .

Summarily, the FBAC broadens the granting bounds to a certain extent for all the requests with the help of fuzzy evaluation mechanism and limits the special approval rate of each individual requester with the help of credit and audit mechanism, thereby achieving better timely usability than standard ABAC with the controllable sacrifice of security.

Complexity. The complexity of access control is related to the number of concurrent requests, policies, and attributes contained in each policy. The more the attributes are involved in a policy, the higher the computational complexity of this policy will be. Generally, as the granularity of access control becomes finer, the complexity of policy increases and the time cost of decision-making process also grows slightly and tends to flatten out.

Assuming there are policies and attributes, the number of requests that occur at the same time in the system is , the computational complexity of a basic matching process is in original ABAC model. In the worst case, each policy and attribute needs a matching calculation, and thus the complexity of a single decision is . Because complexity is proportional to the number of requests made simultaneously, the total computational complexity of the whole system is .

Correspondingly, the computational complexity of both a basic matching process and credit evaluation process in our FBAC model is also ; that is to say, the complexity of a single decision is still ; thus the total computational complexity remains at .

Compared with the standard ABAC model, our FBAC model has two additional processes, the credit-based judgment and the fuzzy assessment, which is a little complex than the simple yes/no decision. And the overhead of both parts can be considered of the same order of magnitude as the former. This explains why both models (i.e., ABAC and FBAC) have the same computational complexity. It also shows that the impact of FBAC in terms of performance is within an acceptable range.

6. Experimental Evaluation

We developed an FBAC prototype to evaluate its availability, security, and performance through several experiments.

6.1. Test Scenarios

By modifying the ABAC source codes of Deter Project [35], we implemented a prototype of FBAC and deployed it to 5 virtual servers on a single physical machine (64-bit CentOS 7, 4vCPUs (i5-7500 3.4GHz), 16GB RAM, 1TB Storage, supported by OpenStack (Pike v3.12.0)) for experiments.

In our FBAC systems, we firstly configured the following policy set and set the audit time interval to one week uniformly.

And then we conducted four experiments with respective FBAC configuration parameters shown in Table 2. And in each experiment, we simulated 500 users to initiate requests to FBAC servers. These users follows Poisson distribution in time and move around according to Random Way Point (RWP) [36] model to fit the mobile features. The simulation system will randomly regenerate the destination and the moving speed for each user every 30 minutes. Additionally, we also introduced small noises () randomly to users’ location coordinate data for simulating the fluctuations in the real positioning system. These users were set as “benign” or “malicious” separately with several different user behavioral patterns correspondingly to generate requesting data. Furthermore, we set that benign users will abort their requests randomly in responding to credit misuse prompts whereas malicious users will not, according to the knowledge that benign users are more compliance with rules.

Note that in the fourth and fifth cases, we forced all the users to obey the time restriction to articulate the effect of attribute weights.

The experiments last for four weeks and each audit period is 5 days long. All the access histories are recorded in access logs for further analyses.

6.2. Analysis

Usability. As the granted ratio of requests which fail to meet policies (denoted by ) reflects the extra improvement on immediate resource usability, we count up such average granted rate based on the Case 1, as shown in Figure 2. We can learn that the average granting rate of exceptional requests is maintained in a positive range during the experiment, which illustrates the usability increment of FBAC compared with ABAC through the employment of fuzzy evaluation method.

Security. Again, based on Case 1, we evaluated the resistance of FBAC against security risks. Figure 3 shows the granted ratios of both benign and malicious user respectively. It is clear that of benign users is limited to a certain upper bound by the threshold, particularly, below 35% in Case 1, while that of malicious users is even far lower throughout the test duration. Furthermore, it also illustrates that such rates of both benign and malicious users are further constrained by credit mechanism. With the consumption and partial recovery of credits controlled by credit and audit mechanism, of benign users reveals a hysteretic declined trend within each audit cycle and will fluctuate along with audit cycles during the testing period. When it comes to malicious users, this ratio is decreasing continuously over audit cycles and is gradually converging to 0.

Such results demonstrate that the threshold provides a general and coarse-grained restriction on requests while credit system supplies additive restrictive effect on the requests in each audit cycle. In addition, the audit mechanism is effective in limiting of users with malicious or abnormal behaviors as their credits will be used up easily and can hardly be restored because of the audit mechanism. Therefore, the FBAC is sufficient to defend against abuse attacks.

Parameter Effects. We have tuned two major regulative parameters in FBAC to explore their potential influence.

(1) Threshold. To study the impact of the reject threshold, we increased the threshold by 0.05 in Case 1, Case 2 and Case 3 gradually. Unsurprisingly, Figure 4 illustrates that in FBAC is closely related to the threshold ; i.e., the higher is, the lower the granted rate will be. Besides, although a low may accelerate the credit consumption, which in turn affects the granted rate due to the rejection cases caused by credit insufficiency, this side effect is unable to impact the main trend on a macroscale.

(a)

(b)

(c)

(2) Attribute Weight. When it comes to the attribute weight, s Cases 4 and 5 were selected for comparison as they set the time variable to fixed value by obeying the time restriction and share the same and parameters. As seen in Figure 5, the bigger weight coefficient for the location attribute in Case 5 leads to a lower granted rate when compared with that of Case 4. This shows that the weight mechanism can effectively adjust the overall impact of each attribute on the decision-making process.

(a)

(b)

Performance. We evaluated the time cost of decision-making processes of both FBAC and ABAC to measure the performance. According to the results in Table 3, although FBAC wraps ABAC and adds additional mechanisms for making authorization decisions, it only incurs quite light and acceptable overhead in average compared with ABAC, which is almost imperceptible to requesters.

7. Conclusion

In this paper, a feasible FBAC technique is proposed that improves upon the standard ABAC paradigm with good flexibility and time efficiency in dealing with exceptional urgent requests which do not comfort to policies in the dynamic and unpredictable environment. Beyond ABAC, we use a fuzzy evaluation method to do unattended special authorizations for exceptional requests that failed in policy matching. We also use credit and corresponding audit mechanisms to limit the abuse risk of special approvals. A tangible example is given to explain the working details, which indicates the suitability of FBAC in mobile and dynamic scenarios. In addition, the theoretical analyses and experimental evaluations show that the FBAC paradigm reinforces the system in favor of time efficiency and usability with the controllable expense of security.

In future work, we would like to further refine the authorization decision-making scheme with the support of the latest deep learning techniques (e.g., neural network) to discover benign and riskful access patterns based on the access behavior mining for helping the FBAC better distinguish between benign and malicious requests, thereby enabling more intelligent and accurate handling for exceptional access cases. Moreover, we also believe that deploying the FBAC system in China’s current Xiangya medical big data system would have more practical and exploratory meanings.

Disclosure

This work was presented in part at the SpaCCS 2017, Guangzhou, China, 12–15 December 2017.

Conflicts of Interest

The authors declare that there are no conflicts of interest.

Acknowledgments

This work was supported in part by the National Natural Science Foundation of China under Grants 61702562 and 61472451, the Mobile Health Ministry of Education-China Mobile Joint Laboratory, the Hunan Provincial Innovation Foundation for Postgraduate under Grant CX2015B047, the China Scholarship Council Foundation under Grant 201506370106, the Guangdong Provincial Natural Science Foundation under Grant 2017A030308006, and the Joint Research Project between Tencent and Central South University.

References

G. Fettweis and S. Alamouti, “5G: personal mobile internet beyond what cellular did to telephony,” IEEE Communications Magazine, vol. 52, no. 2, pp. 140–145, 2014.
View at: Publisher Site | Google Scholar
Y. Zhang, K. Guo, J. Ren, J. Wang, and J. Chen, “Transparent computing: A promising network computing paradigm,” Computing in Science Engineering, vol. 19, no. 1, p. 20, 2017.
View at: Publisher Site | Google Scholar
Y. Zhang, J. Ren, J. Liu, C. Xu, H. Guo, and Y. Liu, “A survey on emerging computing paradigms for big data,” Journal of Electronics, vol. 26, no. 1, pp. 1–12, 2017.
View at: Publisher Site | Google Scholar
J. He, Y. Zhang, J. Lu, M. Wu, and F. Huang, “Block-Stream as a Service: A More Secure, Nimble, and Dynamically Balanced Cloud Service Model for Ambient Computing,” IEEE Network, vol. 32, no. 1, pp. 126–132, 2018.
View at: Publisher Site | Google Scholar
T. Peng, Q. Liu, and G. Wang, “A multilevel access control scheme for data security in transparent computing,” Computing in Science & Engineering, vol. 19, no. 1, Article ID 7802524, pp. 46–53, 2017.
View at: Publisher Site | Google Scholar
I. Hardill and A. Green, “Remote working - Altering the spatial contours of work and home in the new economy,” New Technology, Work and Employment, vol. 18, no. 3, pp. 212–222, 2003.
View at: Publisher Site | Google Scholar
A. M. French, C. Guo, and J. P. Shim, “Current status, issues, and future of bring your own device (BYOD),” CAIS, vol. 35, pp. 1–10, 2014.
View at: Google Scholar
D. F. Ferraiolo, R. S. Sandhu, S. Gavrila, D. R. Kuhn, and R. Chandramouli, “Proposed NIST standard for role-based access control,” ACM Transactions on Information and System Security, vol. 4, no. 3, pp. 224–274, 2001.
View at: Publisher Site | Google Scholar
S. Upadhyaya, “Mandatory access control,” in Encyclopedia of Cryptography and Security, pp. 756–758, Springer, 2011.
View at: Publisher Site | Google Scholar
L. Liu and M. Tamer Özsu, “Discretionary access control,” in Encyclopedia of Database Systems, pp. 864–866, Springer, 2009.
View at: Publisher Site | Google Scholar
V. C. Hu, D. Ferraiolo, R. Kuhn et al., “Guide to Attribute Based Access Control (ABAC) Definition and Considerations,” National Institute of Standards and Technology NIST SP 800-162, 2014.
View at: Publisher Site | Google Scholar
V. C. Hu, D. R. Kuhn, and D. F. Ferraiolo, “Attribute-based access control,” The Computer Journal, vol. 48, no. 2, Article ID 7042715, pp. 85–88, 2015.
View at: Publisher Site | Google Scholar
D. Servos and S. L. Osborn, “Current research and open problems in attribute-based access control,” ACM Computing Surveys, vol. 49, no. 4, article no. 65, 2017.
View at: Publisher Site | Google Scholar
X. Li, D. Feng, Z. Chen, and Z. Fang, “Model for attribute based access control,” Journal on Communications, vol. 29, no. 4, pp. 90–98, 2008.
View at: Google Scholar
X. Jin, Attribute-based access control models and implementation in cloud infrastructure as a service [Ph.D. thesis], The University of Texas at, San Antonio, 2014, Ph.D. dissertation.
M. Sookhak, F. R. Yu, M. K. Khan, Y. Xiang, and R. Buyya, “Attribute-based data access control in mobile cloud computing: Taxonomy and open issues,” Future Generation Computer Systems, vol. 72, pp. 273–287, 2017.
View at: Publisher Site | Google Scholar
B. Lang, I. Foster, F. Siebenlist, R. Ananthakrishnan, and T. Freeman, “A flexible attribute based access control method for grid computing,” Journal of Grid Computing, vol. 7, no. 2, pp. 169–180, 2009.
View at: Publisher Site | Google Scholar
C. Ngo, Y. Demchenko, and C. De Laat, “Multi-tenant attribute-based access control for cloud infrastructure services,” Journal of Information Security and Applications, vol. 27-28, pp. 65–84, 2016.
View at: Publisher Site | Google Scholar
Y. Xu, W. Gao, Q. Zeng, G. Wang, J. Ren, and Y. Zhang, “FABAC: A flexible fuzzy attribute-based access control mechanism,” in Proceedings of the Proc. 10th International Conference on Security, Privacy and Anonymity in Computation, Communication and Storage, pp. 332–343, Springer, 2017, pp. 332-343.
View at: Publisher Site | Google Scholar
X. Liu, Q. Liu, T. Peng, and J. Wu, “Dynamic access policy in cloud-based personal health record (PHR) systems,” Information Sciences, vol. 379, pp. 62–81, 2017.
View at: Publisher Site | Google Scholar
IBM Corporation, https://www.ibm.com/support/knowledgecenter/en/SSNGTE_7.0.0/com.ibm.tspm.doc_7.0/install/concept/AttributeBasedAccessControl.htm.
“Cisco Systems, Inc,” https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/asdm77/firewall/asdm-77-firewall-config/virtual-access-vm-attributes.pdf.
View at: Google Scholar
Axiomatics, https://www.axiomatics.com/.
Jericho Systems Corporation, https://www.jerichosystems.com/technology/glossaryterms/attribute_based_access_control.html.
C. Martnez-Garca, G. Navarro-Arribas, and J. Borrell, Fuzzy role-based access control, vol. 111 of Information Processing Letters, Elsevier, 2011, pp. 483-487.
P.-C. Cheng, P. Rohatgi, C. Keser, P. A. Karger, G. M. Wagner, and A. S. Reninger, “Fuzzy multi-level security: an experiment on quantified risk-adaptive access control,” in Proceedings of the IEEE Symposium on Security and Privacy (SP '07), pp. 222–230, IEEE, Berkeley, Calif, USA, May 2007.
View at: Publisher Site | Google Scholar
N. Dimmock, A. Belokosztolszki, D. Eyers, J. Bacon, and K. Moody, “Using trust and risk in role-based access control policies,” in Proceedings of the Proceedings on the Ninth ACM Symposium on Access Control Models and Technologies, SACMAT 2004, pp. 156–162, usa, June 2004.
View at: Google Scholar
Y. Li, The research of access control mechanism based on attiubute and trust evaluation , Masters thesis [Master, thesis], Southwest Jiaotong University, 2016.
P. N. Mahalle, P. A. Thakre, N. R. Prasad, and R. Prasad, “A fuzzy approach to trust based access control in internet of things,” in Proceedings of the Proc. 3rd International Conference on Wireless Communications, Vehicular Technology, Information Theory and Aerospace Electronic Systems (VITAE, pp. 1–5, 2013.
View at: Google Scholar
F. Feng, C. Lin, D. Peng, and J. Li, “A trust and context based access control model for distributed systems,” in Proceedings of the Proc. 10th IEEE International Conference on High Performance Computing and Communications, pp. 629–634, 2008.
View at: Google Scholar
R. Bhatti, E. Bertino, and A. Ghafoor, “A trust-based context-aware access control model for web-services,” Distributed and Parallel Databases, vol. 18, no. 1, pp. 83–105, 2005.
View at: Publisher Site | Google Scholar
F. J. Pelletier, “Metamathematics of fuzzy logics by Petr Hajek,” Bulletin of Symbolic Logic, vol. 6, no. 3, pp. 342–346, 2000.
View at: Google Scholar
E. H. Mamdani and S. Assilian, “An experiment in linguistic synthesis with a fuzzy logic controller,” International Journal of Man-Machine Studies, vol. 7, no. 1, pp. 1–13, 1975.
View at: Publisher Site | Google Scholar
J. Dombi, “Membership function as an evaluation,” Fuzzy Sets and Systems, vol. 35, no. 1, pp. 1–21, 1990.
View at: Publisher Site | Google Scholar | MathSciNet
DETER Project, https://abac.deterlab.net/.
D. Johnson and D. Maltz, “Dynamic source routing in Ad Hoc wireless networks,” in The Kluwer International Series in Engineering and Computer Science, vol. 353, pp. 153–181, 1996.
View at: Google Scholar

Copyright

Copyright © 2018 Yang Xu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

1806

Downloads

983

Citations

Security and Communication Networks

Cyberspace Security for Future Internet

A Feasible Fuzzy-Extended Attribute-Based Access Control Technique

Abstract

1. Introduction

2. Related Work

3. Preliminary

4. FBAC

4.1. FBAC Model

4.2. Case Study

5. Discussion

6. Experimental Evaluation

6.1. Test Scenarios

6.2. Analysis

7. Conclusion

Disclosure

Conflicts of Interest

Acknowledgments

References

Copyright