Context-Sensitive Access Control Policy Evaluation and Enforcement Using Vulnerability Exploitation Data

Full Text (PDF, 382KB), PP.58-68


Author(s)

Hassan Rasheed 1,*

1. Deanship of Information Technology, Taif University, Taif, Saudi Arabia

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2013.11.08

Received: 9 Jan. 2013 / Revised: 1 Apr. 2013 / Accepted: 17 Jun. 2013 / Published: 8 Sep. 2013

Index Terms

Context Awareness, Adaptive Access Control, Vulnerability Assessment

Abstract

Conventional approaches for adapting security enforcement in the face of attacks rely on administrators to make policy changes that will limit damage to the system. Paradigm shifts in the capabilities of attack tools demand supplementary strategies that can also adjust policy enforcement dynamically. We extend the current research by proposing an approach for integrating real-time security assessment data into access control systems. Critical application scenarios are tested to examine the impact of using risk data in policy evaluation and enforcement.

Cite This Paper

Hassan Rasheed, "Context-Sensitive Access Control Policy Evaluation and Enforcement Using Vulnerability Exploitation Data", International Journal of Computer Network and Information Security (IJCNIS), vol. 5, no. 11, pp. 58-68, 2013. DOI: 10.5815/ijcnis.2013.11.08
