#### Abstract

Access control is a key technology in providing security in the Internet of Things (IoT). The mainstream security approach proposed for the sensing layer of the IoT concentrates only on authentication while ignoring the more general models. Unreliable communications and resource constraints make the traditional access control techniques barely meet the requirements of the sensing layer of the IoT. In this paper, we propose a model that combines space and time with reputation to control access to the information within the sensing layer of the IoT. This model is called spatiotemporal access control based on reputation (STRAC). STRAC uses a lattice-based approach to decrease the size of policy bases. To solve the problem caused by unreliable communications, we propose both nondeterministic authorizations and stochastic authorizations. To more precisely manage the reputation of nodes, we propose two new mechanisms to update the reputation of nodes. These new approaches are the authority-based update mechanism (AUM) and the election-based update mechanism (EUM). We show how the model checker UPPAAL can be used to analyze the spatiotemporal access control model of an application. Finally, we also implement a prototype system to demonstrate the efficiency of our model.

#### 1. Introduction

As a dynamic global ubiquitous network, the Internet of Things (IoT) links physical and virtual objects by integrating sensors, smart terminals, and global positioning systems (GPSs). Authoritative institutes predict that the IoT will create hundreds of billions of dollars in savings and productivity gains for businesses, governments, and households: Cisco believes that the IoT will create a US$14.4 trillion business opportunity in 2020 (http://www.eetimes.com/document.asp?doc_id=1263115) and the Groupe Speciale Mobile Association (GSMA) predicts that, in 2020, the connected life (one part of the IoT) will bring a US$4.5-trillion global impact on people and businesses (http://www.gsma.com/newsroom/gsma-announces-the-business-impact-of-connected-devices-could-be-worth-us4-5-trillion-in-2020/).

Along with the increasingly rapid development of the IoT, security issues have also become increasingly serious, especially when industrial controllers are either directly or indirectly connected to IoT. A typical example of this type of security compromise is the worm Stuxnet. Known as the first cyber-warfare weapon, Stuxnet was used to attack the Natanz uranium enrichment facility in Iran and is believed to have caused its production to drop by 15% in 2009 [1]. Obviously, security problems will cause a serious impact to the IoT.

As one of the key technologies involved in providing security, access control—determining *who* is allowed access, *when* access is permitted, and *where* access takes place—has been widely studied [2]. Access control models that have been widely used include role-based access control (RBAC) and usage control (UCON) [3, 4], Internet content control (ICCON) [5], attribute-based access control [6], and user-driven access control [7].

Although these models succeed in the traditional Internet and in operating systems, the IoT has raised several new and challenging issues surrounding the use of digital resources, and the following critical characteristics of the IoT make the above models inefficient. (1) Uncontrollable environments: sensors may be deployed in unattended environments, where physical nodes are more likely to be lost and false messages are more easily injected and transmitted. (2) Sensor-node resource constraints: computing and storage resources of sensor nodes are usually very limited, which severely constrains their ability to store and process the sensed data; therefore, heavyweight access control models designed for the Internet must be revised for the sensing layer of the IoT. (3) Unreliable communications: the wireless communication adopted by sensor nodes is often unreliable and unstable, so nodes may not receive authorizations in time. As a result, security problems in the IoT become more severe.

To minimize these threats, we propose spatiotemporal access control based on reputation (STRAC), which considers time, location, and reputation as the key elements in deciding whether access is granted. STRAC uses a lattice structure to decrease the storage complexity of policy bases. To reduce the risk caused by unreliable communications, we propose nondeterministic authorizations (i.e., pessimistic, optimistic, and trade-off authorizations) and stochastic authorization. We demonstrate that pessimistic and trade-off authorizations are secure and that optimistic and stochastic authorizations can improve the QoS. In order to correctly update the reputation of nodes, we propose two novel policies (authority-based updates and election-based updates), based on the “group” characteristics of the sensing layer, and we prove that our proposed policies are secure. Our experiments show the efficiency of our model.

#### 2. Related Work

Research about access control for the sensing layer can be divided into two general categories: access control algorithms (ACAs) and access control models (ACMs). ACAs mainly focus on new node addition. New node addition algorithms prevent malicious nodes from joining the sensor network. For example, [8] uses the self-certified elliptic curve Diffie-Hellman protocol to establish a pairwise key between new sensor nodes and the controller node, which launches a two-way authentication with the new nodes. However, in this scheme, all nodes share a network-wide key. Once one node is compromised, the secret key for all nodes must be updated, thereby causing huge losses. In order to solve this problem, [9, 10] propose a new dynamic access control protocol, which uses hash functions to reduce the computation and communication between two nodes.

In ACMs, much effort is spent on extending RBAC for pervasive computing. Reference [11] proposes a dynamic role-based access control (DRBAC) model, which provides context-aware access control by dynamically adjusting role assignments and permission assignments based on context information. However, important features of the IoT (i.e., location and time) are not considered. In order to make RBAC more pervasive, many researchers extend RBAC by introducing time and location [12–15], where [12, 14] impose spatiotemporal constraints on user-role assignments and permission assignments, and [15] introduces the concept of spatiotemporal zones and allows spatiotemporal constraints to be specified with prerequisite constraints. In addition, [16] adopts an RBAC-based authorization method using the thing’s particular role(s) and application(s) in the associated IoT network. Reference [17] designs a capability-based access control delegation model for the federated IoT network. Reference [18] focuses on a minimal use of computation, energy, and storage resources at wireless sensors and proposes a novel access control solution for wireless network services in Internet of Things scenarios.

Although RBAC is often extended for pervasive computing, these extensions cannot be widely adopted for the sensing layer of the IoT because of the PSPACE-completeness [19] of RBAC.

Other spatiotemporal models that are not based on RBAC are also proposed. Reference [20] uses composition algebra to regulate access to patient data and balances the rigorous nature of traditional access control systems with the “delivery of care comes first” principle. Recently, reputation has been incorporated into models of access control for cyber-physical systems as in [21, 22]; however, these particular models do not deal with the loss of nodes.

Our work differs from the above solutions in several ways. First, we consider reputation, rather than roles, as a fundamental factor of access control for the sensing layer of the IoT, because the behavior of selfish nodes can be directly modeled by reputation but not easily modeled by roles. Such a change is nontrivial. If a node becomes selfish, then we are only required to assign a lower reputation to it. Therefore, reputation is more suitable than roles in controlling access to the sensing layer.

Second, the existing access control models do not efficiently handle the problem caused by unreliable communications. We propose nondeterministic authorizations and stochastic authorizations to solve this problem. Our method reduces the security risks of security-critical systems when they fail to receive key authorization instructions.

Finally, the existing models for the IoT do not consider the group characteristics of the sensing layer. In our work, a node’s reputation is cooperatively updated based on the group characteristics, thereby simplifying the reputation-update process.

#### 3. Formalizing Time, Space, and Reputation

In order to construct a spatiotemporal access model based on reputation, we first formally define time, space, and reputation.

##### 3.1. Reputation Description

Due to the limitations of storage and computing resources, some nodes do not cooperate with others and demonstrate *selfishness*. In order to obtain more benefits, some nodes may attack others and demonstrate *misbehavior*. Because reputation (the opinion of one entity regarding another) can reflect both selfishness and misbehavior in interactions, it is adopted in modeling the behavior of nodes in our study.

Generally, from the aspect of how reputation is obtained, reputation includes direct reputation (DR) and indirect reputation (IR), where DR and IR, respectively, refer to reputation estimated by estimators based on their first-hand and second-hand experiences. From the aspect of goal, individual reputation should be distinguished from group reputation. Reference [23] surveys notions of reputation. In this paper, we only focus on individual and direct reputation, as follows.

We define reputation to have different ratings, and thus it can be denoted by a finite set; that is, , where is a reputation rating . Given any and in , they are mutually comparable, that is, or . Thus, is a totally ordered set. For a given node, its reputation is formed and updated through direct observations of its behavior and through feedback provided by other nodes. In this paper, we concentrate on general access models and do not discuss the methods of computing reputation in detail.

##### 3.2. Time Description

In order to describe operations that can only be executed within a given time period, the notion of a calendar is adopted [24, 25]. A calendar consists of a countable set of contiguous intervals, for example, years, months, and days. Because two calendars can have different granularities, a subcalendar relationship can be established among them. That is, given two calendars and, is a subcalendar of (written as ), if and only if there exists a natural number, such that . For example, days are a representative subcalendar of months. Obviously, is a partial order relation. A calendar base represents a set of calendars and generally changes with different contexts. For example, if a school curriculum is comprised of years, semesters, and weeks, then its is {years, semesters, weeks}.

*Definition 1 (calendar time).* Given , calendar time is defined as , where, and for all , one has .

Let be a set of calendar times. Generally, any two calendar times are always comparable. That is, for any and in , one can have or ( is the total order relation). In the IoT, different types of time constraints exist, such as the earliest access time (), the latest access time (), the earliest finish time, and the latest finish time. In our study, and are adopted.

*Definition 2 (time constraints).* Time constraint is a set of two-dimensional vectors of calendar times, where the first dimension and the second dimension represent and , respectively. Time constraints must satisfy the following condition: for any , .

*Example 3.* Given , , and an event satisfies , if the access time (from start time to end time) of the event falls entirely within the time range from to , or within the time range from to .

A time constraint with overlapping ranges can be reduced to , based on the following definition.

*Definition 4 (simplest time constraints).* A time constraint is the simplest, if for any and , , , .

Henceforth, one assumes that time constraints are always the simplest. Given two time constraints and shown in Figure 1, where (1) — of —is greater than or equal to that of and (2) — of —is less than or equal to that of . If an event satisfies , then it will satisfy ; this means that is stricter than . Thus, one has Definition 5.

*Definition 5 (order relation on ).* Given and in , (meaning that is stricter than ), if and only if and , where and .

Proposition 6. *on is a partial order.*

*Definition 7 (order relation on ).* Given any and , (meaning that is stricter than ), if and only if, for any , there exists with .

Proposition 8. *on is a partial order.*

In the real environment, time constraints can be constructed by way of union or intersection of some constraints. One defines the intersection and the union as follows.

*Definition 9 (intersection).* Intersection is a function from to defined as
where

*Definition 10 (union).* Union is a function from to defined as .

Because the time constraints obtained by computing are not always the simplest, one reduces them to the simplest form as follows. Given a time constraint , if there exists , , , with , , , then both , and (, ) are deleted from and , , , are inserted into . Obviously, the original is semantically equivalent to the modified . Henceforth, one assumes that the intersection and the union of time constraints are always the simplest.
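As an added illustration (not code from the paper), the following Python encodes the time constraints of Definitions 2 to 10 over integer calendar times: the reduction to the simplest form (Definition 4), the "stricter than" order (Definitions 5 and 7), intersection and union (Definitions 9 and 10), and a check of the supremum/infimum property stated in Proposition 11. The sample constraints are constructed.

```python
# Added example (not from the paper): time constraints of Section 3.2 modelled
# as sets of (earliest access time, latest access time) pairs over integer
# calendar times (here: hours of one day).
from itertools import product


def simplest(tc):
    """Definition 4: merge overlapping ranges so that no two ranges of the
    constraint overlap. Ranges are (start, end) with start <= end (Definition 2)."""
    ranges = sorted((s, e) for s, e in tc if s <= e)
    merged = []
    for s, e in ranges:
        if merged and s <= merged[-1][1]:      # overlaps the previous range
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return frozenset(merged)


def range_leq(a, b):
    """Definition 5: range a is stricter than (or equal to) range b when a lies
    inside b, i.e. a starts no earlier and ends no later than b."""
    return b[0] <= a[0] and a[1] <= b[1]


def tc_leq(t1, t2):
    """Definition 7: t1 is stricter than t2 when every range of t1 lies inside
    some range of t2 (an event satisfying t1 therefore also satisfies t2)."""
    return all(any(range_leq(a, b) for b in t2) for a in t1)


def intersection(t1, t2):
    """Definition 9: pairwise intersection of ranges, reduced to simplest form."""
    out = []
    for (s1, e1), (s2, e2) in product(t1, t2):
        s, e = max(s1, s2), min(e1, e2)
        if s <= e:                             # empty intersections are dropped
            out.append((s, e))
    return simplest(out)


def union(t1, t2):
    """Definition 10: union of the two range sets, reduced to simplest form."""
    return simplest(set(t1) | set(t2))


def satisfies(event, tc):
    """Example 3: an event (start, end) satisfies tc when it falls entirely
    within one of the ranges of tc."""
    return any(range_leq(event, r) for r in tc)


# Constructed sample constraints (calendar times as hour numbers of one day).
WORK = simplest({(8, 12), (13, 17)})                 # two working blocks
MEETINGS = simplest({(10, 11), (14, 16), (15, 18)})  # last two ranges overlap


def demo():
    """Proposition 11: the intersection is stricter than both operands (their
    infimum) and the union is looser than both (their supremum)."""
    both, either = intersection(WORK, MEETINGS), union(WORK, MEETINGS)
    assert tc_leq(both, WORK) and tc_leq(both, MEETINGS)
    assert tc_leq(WORK, either) and tc_leq(MEETINGS, either)
    return both, either
```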

Proposition 11. *Given any and in , if is closed under and , then and are the supremum and the infimum of , respectively.*

The definitions above concentrate on physical time. However, in some cases, logical time (such as work time or class time) is more important.

*Definition 12.* : is a function mapping to the nonempty power set of , where represents a set of names of logical time.

*Definition 13 (order relation on ).* Given any and in , if and only if .

Proposition 14. *on is a partial order.*

*Definition 15 (intersection on ).* (Here, we do not differentiate the of Definition 9 from the of Definition 15, because they are easily distinguished; similarly, we do not differentiate the of Definition 10 from the of Definition 16.) is an intersection function mapping to , defined as , where and .

*Definition 16 (union on ).* is a union function mapping to , defined as , where

Proposition 17. *For any and in , if is closed under and , then and are the supremum and the infimum of , respectively.*

Proof that the supremum of is : from Definition 15, we have and ; therefore, is an upper bound of . Next, we prove that is the least of the upper bounds of . Let and ; then, for any , there exists and , such that and . According to Proposition 11, . According to Definition 15, ; therefore, so is the supremum of .

##### 3.3. Location Description

In the IoT, physical locations are often distinguished from logical locations. Physical locations are divided into two classes: hierarchical (topological, descriptive, or symbolic), such as a room, and Cartesian (coordinate, metric, or geometric), such as GPS position [12, 14, 26]. Logical locations represent the boundaries of the logical space that corresponds to the physical space.

Let ,…, be a set of physical locations, where is a specific physical location, such as a 50 50 unit square area. Let ,…, represent the set of logical locations, where each in denotes the notion for one or more physical locations. Generally, relations between physical and logical locations are illustrated as a many-to-many map, denoted by .

*Definition 18.* A function : maps to the power set of , returning all physical locations assigned to a given logical location. In other words, .

*Definition 19.* A function : maps to the power set of , returning all assigned logical locations of a given physical location. In other words, .

Given two logical locations, a containment relation may exist. This is defined as follows.

*Definition 20.* A logical location is contained in another logical location , written as , if and only if .

Generally, the physical locations of a given logical location are unchanged within a period; therefore, for simplicity, a logical location is used to denote its corresponding physical locations. Similarly, intersection and union can be defined on logical locations, but they are not discussed here.

#### 4. STRAC Framework

First, we provide an overview of the framework of our model. As shown in Figure 2, STRAC consists of two core components: the access request component (ARC) and the reference monitor component (RMC). The ARC of a node creates an access request, which has two forms: the first form includes five elements: the node’s , the accessed object , the expected operation to be performed on , the node’s current location (generally, a node’s location information may come from GPS or Wi-Fi), and the node’s reputation ; the second form includes three elements: the node’s , the accessed object , the expected operation to be performed on , and the node’s current location . In the first form, each node locally stores its reputation and physical location; in the second form, the reputation of each node is centrally stored in the PEP (see the next paragraph for PEP) and its physical location is tracked by the PEP.

RMC includes two modules: the policy enforcement point (PEP) and the policy decision point (PDP). The PEP module receives the user request, consults the PDP module about the user authorization, and ensures that all access requests go through the PDP module. PEP is comprised of two submodules (access request extractor (ARE) and authorization token requester (ATR)) and two access tables which map the current time and physical locations to the logical time and the logical location, respectively (the two tables are called the ID-RTL table in Figure 2). When the PEP module receives an access request from a user, ARE executes two steps: (1) it accepts the request and extracts the encapsulated location, , , , , and if the first type of access request is adopted; it extracts , , and if the second type is used, and (2) it queries the access database and returns the ’s logical location and logical time (in addition to these three elements, it returns the reputation of node if the second type of access request is used). ATR encapsulates this information , , , , and and sends it to the PDP module to request an authorization token (AT). Once this request is granted, an AT is returned, and the user can access the target resources using this AT. PEP maintains a list of users’ ATs, and this list is updated at a specified interval. An AT is revoked when the user deactivates the task or when the location and time associated with the use are out of the allowed scope.

The PDP module, comprised of one submodule (the Authorization Token Granter (ATG)) and one policy base, makes the authorization decision based on a set of rules or policies. When PDP receives an AT request, it extracts the information , , , , and from the request and consults the security policies. If the policies state that a node with reputation in the time period at the location has the right to perform the operation on the target , then ATG grants the access request.

The source of authority (SOA) is an administrator or a group of administrators who define the policies. SOA can also update the policies at runtime if necessary. In some cases, group nodes may also cooperatively update a node’s reputation and make access decisions based on stochastic information (stochastic authorization in Figure 2).

Our model can be implemented in two alternative modes: ACI and AII. ACI focuses on authorization when complete information is available, while AII deals with authorization when only incomplete information is available. The precondition for ACI is that decision makers can always obtain authorization information in time; in other words, ACI requires stable communication. This precondition is not necessary in AII. AII is very useful because unstable communication in the IoT is considered a pervasive phenomenon. Generally, in the ACI mode both PEP and PDP are mounted in the gateway and ARC is integrated into the terminal nodes; to implement the AII mode, ARC and two lightweight modules, PEP and PDP, are mounted in the terminal nodes.

#### 5. STRAC Model

##### 5.1. Basic Components of STRAC

The basic STRAC model is comprised of the following components:

- ,…, is a set of node IDs;
- ,…, is a set of reputations; for example, , ;
- ,…, is a set of logical time constraints;
- ,…, is a set of logical locations; for example, , ;
- ,…, is a set of operations; for example, , ;
- ,…, is a set of target objects; for example, , ;
- is a set of permissions, where , means that is performed on . For example, if , is assigned to device , then the device owns the permission to open ;
- is a set of , where each access zone is a triple , , ;
- is a many-to-many map of connections between permissions and access zones. , means that any node with has permission . For example, denotes that a node satisfying the constraint of with reputation at location can execute operation on object ;
- : assigns a permission level to access zones, where , ; that is, given a , function returns all access zones which the can access. For example, if , , , , , , , , , , , , , , , then , , , , , , ;
- : assigns an access zone to permissions, where , ; that is, given an , function returns all permissions by which the can be accessed. For example, in the example of , , , , , , ;
- : , is a predicate; if it returns true, then node requests permission to execute on . Recall that the storage of is either distributed or centralized. To model the two cases, we remove from access requests; for simplicity, we also remove the ID’s location and reputation from access requests and encapsulate the three elements into the function (we will discuss it next);
- : , is a predicate; if it returns true, then node is allowed to on ;
- : , is a predicate; if it returns true, then node is not allowed to execute on ;
- : , is a predicate; if it returns true, then the permission that node executes on will be revoked;
- : is a function and returns ’s current reputation, its logical time, and logical locations (a node may be located in many different logical locations).

In order to return the logical locations of a node, its physical location must be first obtained, and then its logical locations can be computed using the function . Because a physical location can be associated with many logical areas, returns a set of logical locations.

##### 5.2. Mechanism for Authorization and Revocation

Intuitively, if a node located in an appropriate area has an acceptable reputation and satisfies the given time constraints, its requests to execute some operations on an object should be allowed. In order to avoid using too many symbols, we overload the notation , as follows.

Given , , and , let and = ; if and only if there exists ∈ with , ( if and only if holds, where ) and . The authorization schemes are as follows: (1) (2) (3).

Formulas (1) and (2) show the following: (1) if the node requests permission to execute on , and if (the current reputation, access time, and location of ) satisfies the conditions to execute on , then the request will be allowed; (2) if the node requests permission to execute on , but does not satisfy the conditions to execute on , then the request will be denied. Formula (3) states that if node has received the permission to execute on and no longer satisfies the conditions to execute on , the permission will be revoked.

#### 6. Access Lattice

Because terminal nodes can move into many areas at different times, enumerating all areas and time periods rapidly increases the size of PA (as shown above, PA is the set of connections between permissions and the power set of access zones). As a result, the size of the PA table could exceed the storage capacity. In addition, querying a big table consumes more energy and computing resources, thereby decreasing the efficiency of queries and even reducing a node’s lifetime. Thus, decreasing the size of the permission access table is critical. To achieve this goal, we adopt the access lattice in this study.

We make the following realistic assumptions regarding the sensing layer of the IoT. (1) A node with a high reputation can be granted all permissions of a lower-reputation node. (2) If a task can be executed in a wide area or a longer time period, then it can be also executed in a narrow area or a shorter time period. These assumptions mean that if one node owns two access zones and , where is stricter than , then can be omitted from the set of access zones, because any permission allowed under is allowed under . We chose the lattice to decrease the size of the permission access table, because it models the strict relationship among elements. In order to formally describe the access lattice, we first define the order relation.

*Definition 21 ().* Given any and , , if and only if , , .

Theorem 22. *If (1) is closed under and and (2) is closed under and , then is a lattice.*

Proof that there exists a supremum and an infimum for any , : if and are comparable, then there exists a supremum and an infimum for them. Even if and are incomparable, there exists a supremum and an infimum for them. Because on is a total order, there exists a supremum for ; let the supremum be , because is closed under both and , and is closed under and ; therefore, is in and is the upper boundary of and . Let be another upper boundary of and , then we have and ; therefore, . Because is the supremum of , . According to Proposition 17, we have . Thus, . Therefore, is a supremum of and . Similarly, is an infimum of and , where is an infimum of .

We assume that is closed under and and that is closed under and . We redefine the permission function under a lattice, as follows:

: maps the access zones to permissions, and .

Because and are similar and easily distinguished from one another, is adopted to denote both functions in the sequel. Similarly, is used to denote .

Theorem 23. *Given any and , if , then .*

Theorem 24. *Consider the following.*

(1) *If , then .*

(2) *If , then .*

(3) *If , then .*

Theorem 24 shows (1) if a node with a low reputation can execute on , then another node with a higher reputation is also able to perform the same operation; (2) if a node with a high reputation is unable to execute operation on , then a node with a lower reputation is also unable to do so; and (3) if access permissions are revoked from a node with a high reputation, then the corresponding permissions are also revoked from a node with a lower reputation.
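As an added example (not the paper's code), the following Python puts together the access zones of Section 5.1, the allow/deny/revoke predicates of Section 5.2, the containment of logical locations (Definitions 18 and 20), the order on access zones (Definition 21) and the lattice-based reduction of PA from Section 6, and then checks the three statements of Theorem 24 on a constructed policy base. The interpretation of a zone (a reputation threshold, a set of admissible logical time names, and a logical location), the sample grid cells and the permission names are assumptions made for this example.

```python
# Added example (not from the paper). Assumed interpretation: a zone (r, T, L)
# is satisfied by a node whose reputation is at least r, whose current logical
# time is one of the names in T and whose physical location lies in the
# physical area assigned to the logical location L.
from dataclasses import dataclass

# Section 3.1: reputation ratings form a total order; higher is better.
REPUTATION = {"low": 0, "medium": 1, "high": 2}

# Definition 18: logical location -> physical locations (constructed sample
# grid cells c1..c5).
PHYS = {
    "lab": frozenset({"c1", "c2"}),
    "floor1": frozenset({"c1", "c2", "c3", "c4"}),
    "building": frozenset({"c1", "c2", "c3", "c4", "c5"}),
}


def loc_contained(l1, l2):
    """Definition 20: l1 is contained in l2 iff its physical area is a subset."""
    return PHYS[l1] <= PHYS[l2]


@dataclass(frozen=True)
class Zone:
    rep: str           # minimum reputation rating required
    times: frozenset   # admissible logical time names (Definition 12)
    loc: str           # logical location


@dataclass(frozen=True)
class State:           # what the per-node state function of Section 5.1 returns
    rep: str           # current reputation rating
    time: str          # current logical time name
    cell: str          # current physical location


def zone_leq(a, b):
    """Definition 21 as interpreted here: a is stricter than (or equal to) b
    when it demands at least b's reputation, a subset of b's logical times
    (Definition 13) and a location contained in b's (Definition 20)."""
    return (REPUTATION[a.rep] >= REPUTATION[b.rep]
            and a.times <= b.times and loc_contained(a.loc, b.loc))


def satisfies(state, zone):
    return (REPUTATION[state.rep] >= REPUTATION[zone.rep]
            and state.time in zone.times and state.cell in PHYS[zone.loc])


def allow(pa, perm, state):
    """Formula (1): allowed iff some zone connected to perm is satisfied."""
    return any(satisfies(state, z) for z in pa.get(perm, ()))


def deny(pa, perm, state):
    """Formula (2): denied iff no zone connected to perm is satisfied."""
    return not allow(pa, perm, state)


def revoke(pa, perm, state, granted):
    """Formula (3): a granted permission is revoked once the node's current
    state satisfies none of the zones any more."""
    return granted and deny(pa, perm, state)


def reduce_pa(pa):
    """Section 6: for each permission drop every zone that is strictly stricter
    than another zone of that permission; whatever the stricter zone allows,
    the looser one allows too, so decisions do not change."""
    reduced = {}
    for perm, zones in pa.items():
        zones = frozenset(zones)
        reduced[perm] = frozenset(
            z for z in zones
            if not any(zone_leq(z, o) and not zone_leq(o, z) for o in zones))
    return reduced


def policy_size(pa):
    """Number of permission-to-zone connections stored in PA."""
    return sum(len(zones) for zones in pa.values())


# Constructed sample policy base: one permission (open the door), three zones.
OPEN_DOOR = ("open", "door")
PA = {
    OPEN_DOOR: frozenset({
        Zone("high", frozenset({"work_time"}), "lab"),                   # redundant
        Zone("medium", frozenset({"work_time", "class_time"}), "floor1"),
        Zone("high", frozenset({"night"}), "building"),                  # incomparable
    }),
}
```

On this policy base reduce_pa(PA) keeps two of the three zones, and allow() returns the same decision for every node state under PA and under reduce_pa(PA).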

The following example illustrates that the lattice can efficiently decrease the size of policy bases.

*Example 25.* Let , , , , , , , , , . The access base for each permission is as follows: , , , , , , , and