International Journal of Computer Network and Information Security(IJCNIS)

ISSN: 2074-9090 (Print), ISSN: 2074-9104 (Online)

Published By: MECS Press

IJCNIS Vol.10, No.1, Jan. 2018

Validation of an Adaptive Risk-based Access Control Model for the Internet of Things

Full Text (PDF, 537KB), PP.26-35

Views:342   Downloads:40


Hany F. Atlam, Ahmed Alenezi, Raid Khalid Hussein, Gary B. Wills

Index Terms

Security;Internet of Things;Risk;access control;Adaptive;Context;Validation


The Internet of Things (IoT) has spread into multiple dimensions that incorporate different physical and virtual things.  These things are connected together using different communication technologies to provide unlimited services. These services help not only to improve the quality of our daily lives, but also to provide a communication platform for increasing object collaboration and information sharing. Like all new technologies, the IoT has many security challenges that stand as a barrier to the successful implementation of IoT applications. These challenges are more complicated due to the dynamic and heterogeneous nature of IoT systems. However, authentication and access control models can be used to address the security issue in the IoT. To increase information sharing and availability, the IoT requires a dynamic access control model that takes not only access policies but also real-time contextual information into account when making access decisions. One of the dynamic features is the security risk. This paper proposes an Adaptive Risk-Based Access Control (AdRBAC) model for the IoT and discusses its validation using expert reviews. The proposed AdRBAC model conducts a risk analysis to estimate the security risk value associated with each access request when making an access decision. This model has four inputs/risk factors: user context, resource sensitivity, action severity and risk history. These risk factors are used to estimate a risk value associated with the access request to make the access decision. To provide the adaptive features, smart contracts will be used to monitor the user behaviour during access sessions to detect any malicious actions from the granted users. To validate and refine the proposed model, twenty IoT security experts from inside and outside the UK were interviewed. The experts have suggested valuable information that will help to specify the appropriate risk factors and risk estimation technique for implantation of the AdRBAC model.

Cite This Paper

Hany F. Atlam, Ahmed Alenezi, Raid Khalid Hussein, Gary B. Wills,"Validation of an Adaptive Risk-based Access Control Model for the Internet of Things", International Journal of Computer Network and Information Security(IJCNIS), Vol.10, No.1, pp.26-35, 2018.DOI: 10.5815/ijcnis.2018.01.04


[1]M. Elkhodr, S. Shahrestani, and H. Cheung, “The Internet of Things: Vision & challenges,” IEEE 2013 Tencon - Spring, TENCONSpring 2013 - Conf. Proc., pp. 218–222, 2013.

[2]L. Atzori, A. Iera, and G. Morabito, “The Internet of Things: A survey,” Comput. Networks, vol. 54, no. 15, pp. 2787–2805, 2010.

[3]J. Kaur and K. Kaur, “Internet of Things: A Review on Technologies, Architecture, Challenges, Applications, Future Trends,” Int. J. Comput. Netw. Inf. Secur., vol. 9, no. 4, pp. 57–70, 2017.

[4]K. Ashton, “That ‘Internet of Things’ Thing,” RFiD J., p. 4986, 2009.

[5]ITU, “The Internet of Things,” Itu Internet Rep. 2005, p. 212, 2005.

[6]ITU, “Overview of the Internet of things,” Ser. Y Glob. Inf. infrastructure, internet Protoc. Asp. next-generation networks - Fram. Funct. Archit. Model., p. 22, 2012.

[7]K. Habib and W. Leister, “Context-Aware Authentication for the Internet of Things,” Elev. Int. Conf. Auton. Auton. Syst. fined, pp. 134–139, 2015.

[8]D. R. Dos Santos, C. M. Westphall, and C. B. Westphall, “A dynamic risk-based access control architecture for cloud computing,” IEEE/IFIP NOMS 2014 - IEEE/IFIP Netw. Oper. Manag. Symp. Manag. a Softw. Defin. World, pp. 1–9, 2014.

[9]J. Liu, Y. Xiao, and C. L. P. Chen, “Authentication and access control in the Internet of things,” Proc. - 32nd IEEE Int. Conf. Distrib. Comput. Syst. Work. ICDCSW 2012, pp. 588–592, 2012.

[10]N. Ye, Y. Zhu, R. C. Wang, R. Malekian, and Q. M. Lin, “An efficient authentication and access control scheme for perception layer of internet of things,” Appl. Math. Inf. Sci., vol. 8, no. 4, pp. 1617–1624, 2014.

[11]V. Suhendra, “A Survey on Access Control Deployment,” Commun. Comput. Inf. Sci., pp. 11–20, 2011.

[12]D. Kumar, A. Sharma, and S. Singh, “Entity Based Distinctive Secure Storage and Control Enhancement in Cloud,” Int. J. Inf. Eng. Electron. Bus., vol. 9, no. 1, pp. 10–19, 2017.

[13]K. Z. Bijon, R. Krishnan, and R. Sandhu, “A framework for risk-aware role based access control,” 2013 IEEE Conf. Commun. Netw. Secur., pp. 462–469, 2013.

[14]N. N. Diep, L. X. Hung, Y. Zhung, S. Lee, Y. Lee, and H. Lee, “Enforcing Access Control Using Risk Assessment,” Fourth Eur. Conf. Univers. Multiservice Networks, pp. 419–424, 2007.

[15]S. Lee, Y. W. Lee, N. N. Diep, S. Lee, Y. Lee, and H. Lee, “Contextual Risk-based access control,” Proc. 2007 Int. Conf. Secur. Manag., p. pp 406–412, 2007.

[16]A. Alenezi, N. H. N. Zulkipli, H. F. Atlam, R. J. Walters, and G. B. Wills, “The Impact of Cloud Forensic Readiness on Security,” in Proceedings of the 7th International Conference on Cloud Computing and Services Science (CLOSER 2017), 2017, pp. 511–517.

[17]D. Ricardo dos Santos, C. M. Westphall, and C. B. Westphall, “Risk-based Dynamic Access Control for a Highly Scalable Cloud Federation,” Proc. Seventh Int. Conf. Emerg. Secur. Information, Syst. Technol. (SECUREWARE 2013), pp. 8–13, 2013.

[18]C. Jason, “HORIZONTAL INTEGRATION: Broader Access Models for Realizing Information Dominance,” MITRE Corp. Tech. Rep. JSR- 04-132, 2004.

[19]R. McGraw, “Risk-Adaptable Access Control ( RAdAC ),” inPrivilege Manag. Work. NIST–National Inst. Stand. Technol. Technol. Lab., 2009.

[20]S. Kandala, R. Sandhu, and V. Bhamidipati, “An Attribute Based Framework for Risk-Adaptive Access Control Models,” Proc. 6th Int. Conf. Availability, Reliab. Secur., pp. 236–241, 2011.

[21]H. Khambhammettu, S. Boulares, K. Adi, and L. Logrippo, “A framework for risk assessment in access control systems,” Comput. Secur., vol. 39, pp. 86–103, 2013.

[22]M. Sharma, Y. Bai, S. Chung, and L. Dai, “Using risk in access control for cloud-assisted ehealth,” High Perform. Comput. Commun. 2012 IEEE 9th Int. Conf. Embed. Softw. Syst. (HPCC-ICESS), 2012 IEEE 14th Int. Conf., pp. 1047–1052, 2012.

[23]C. World, “The Internet of Things?: An Overview,” Internet Soc., no. October, 2015.

[24]S. Li, L. Da Xu, and S. Zhao, “The internet of things: a survey,” Inf. Syst. Front., vol. 17, no. 2, pp. 243–259, 2015.

[25]M. S. A. Carlo, “An Overview of Privacy and Security Issues in the Internet of Things,” McKinsey Q., vol. 2, p. 6, 2013.

[26]Y. Lee, “Technology Trends of Access Control in IoT and Requirements Analysis,” IEEE, Inf. Commun. Technol. Converg. (ICTC), 2015 Int. Conf., pp. 1031–1033, 2015.

[27]M. O. Onyesolu and A. C. Okpala, “Improving Security Using a Three-Tier Authentication for Automated Teller Machine ( ATM ),” Int. J. Comput. Netw. Inf. Secur., vol. 10, no. October, pp. 50–56, 2017.

[28]C. Langaliya and R. Aluvalu, “Enhancing Cloud Security through Access Control Models?: A Survey,” Int. J. Comput. Appl., vol. 112, no. 7, pp. 8–12, 2015.

[29]D. F. Ferraiolo, J. a Cugini, and D. R. Kuhn, “Role-Based Access Control: Features and Motivations,” Proc. 11th Annu. Comput. Secur. Appl. Conf., pp. 241–248, 1995.

[30]Q. Wang and H. Jin, “Quantified risk-adaptive access control for patient privacy protection in health information systems,” Proc. 6th ACM Symp. Information, Comput. Commun. Secur. - ASIACCS ’11, pp. 406–410, 2011.

[31]Y. Li, H. Sun, Z. Chen, J. Ren, and H. Luo, “Using Trust and Risk in Access Control for Grid Environment,” Secur. Technol. 2008. SECTECH ’08. Int. Conf., pp. 13–16, 2008.

[32]R. A. Shaikh, K. Adi, and L. Logrippo, “Dynamic risk-based decision methods for access control systems,” Comput. Secur., vol. 31, no. 4, pp. 447–464, 2012.

[33]P. Chen, C. Pankaj, P. A. Karger, G. M. Wagner, and A. Schuett, “Fuzzy Multi – Level Security?: An Experiment on Quantified Risk – Adaptive Access Control,” 2007 IEEE Symp. Secur. Privacy(SP’07), pp. 222–227, 2007.

[34]H. F. Atlam, A. Alenezi, R. J. Walters, G. B. Wills, and J. Daniel, “Developing an adaptive Risk-based access control model for the Internet of Things,” in 2017 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData), 2017, no. June, pp. 655–661.

[35]H. F. Atlam, A. Alenezi, A. Alharthi, R. Walters, and G. Wills, “Integration of cloud computing with internet of things: challenges and open issues,” in 2017 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData), 2017, no. June, pp. 670–675.

[36]C. Perera, A. Zaslavsky, P. Christen, and D. Georgakopoulos, “Context aware computing for the internet of things: A survey,” IEEE Commun. Surv. Tutorials, vol. 16, no. 1, pp. 414–454, 2014.

[37]E. L. O. Feitosa, “Security Information Architecture for Automation and Control Networks,” in VIII Brazilian Symposium on Information Security and Computational Systems, 2014, no. March 2017.

[38]J. Li, Y. Bai, and N. Zaman, “A fuzzy modeling approach for risk-based access control in eHealth cloud,” Proc. - 12th IEEE Int. Conf. Trust. Secur. Priv. Comput. Commun. Trust. 2013, pp. 17–23, 2013.

[39]H. F. Atlam, G. Attiya, and N. El-Fishawy, “Comparative Study on CBIR based on Color Feature,” Int. J. Comput. Appl., vol. 78, no. 16, pp. 975–8887, 2013.

[40]K. Christidis and M. Devetsikiotis, “Blockchains and Smart Contracts for the Internet of Things,” IEEE Access, vol. 4, 2016.

[41]H. Watanabe, S. Fujimura, A. Nakadaira, Y. Miyazaki, A. Akutsu, and J. Kishigami, “Blockchain contract: Securing a blockchain applied to smart contracts,” 2016 IEEE Int. Conf. Consum. Electron., pp. 467–468, 2016.

[42]H. F. Atlam, G. Attiya, and N. El-Fishawy, “Integration of Color and Texture Features in CBIR System,” Int. J. Comput. Appl., vol. 164, no. 3, pp. 23–29, 2017.

[43]R. K. Hussein, A. Alenezi, H. F. Atlam, M. Q. Mohammed, R. J. Walters, and G. B. Wills, “Toward Confirming a Framework for Securing the Virtual Machine Image in Cloud Computing,” Adv. Sci. Technol. Eng. Syst., vol. 2, no. 4, pp. 44–50, 2017.

[44]A. Strauss and J. Corbin, “Basics of Qualitative Research,” in Basics of. Qualitatice Research 2nd edition., 1990, pp. 3–14.

[45]B. DiCicco‐Bloom and B. F. Crabtree, “The qualitative research interview,” Med. Educ., vol. 40, no. 4, pp. 314–321, 2006.

[46]V. Lo Iacono, P. Symonds, and D. H. K. Brown, “Skype as a tool for qualitative research interviews,” Sociol. Res. Online, vol. 21, no. 2, pp. 50–57, 2016.

[47]G. Guest, A. Bunce, and L. Johnson, “How Many Interviews Are Enough?? An Experiment with Data Saturation and Variability,” Fam. Heal. Int., vol. 18, no. 1, pp. 23–27, 2006.

[48]A. Bhattacherjee, “Social Science Research: principles, methods, and practices,” 2012.

[49]H. F. Atlam, A. Alenezi, R. J. Walters, and G. B. Wills, “An Overview of Risk Estimation Techniques in Risk-based Access Control for the Internet of Things,” in Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security (IoTBDS 2017), 2017, pp. 254–260.

[50]T. J. N. Liang Chen, Luca Gasparini, “XACML and risk-aware access control,” in Proc. ICEIS, 2013, pp. 66–75.

[51]C. M. Westphall and G. R. Schmitt, “A Risk Calculus Extension to the XACML Language,” Brazilian Symp. Inf. Syst., pp. 321–328, 2016.