Liang Chen, J. Crampton, M. Kollingbaum, T. Norman
{"title":"风险感知访问控制中的义务","authors":"Liang Chen, J. Crampton, M. Kollingbaum, T. Norman","doi":"10.1109/PST.2012.6297931","DOIUrl":null,"url":null,"abstract":"The increasing need to share information in dynamic environments has created a requirement for risk-aware access control systems. In this paper, we present a metamodel for risk-aware authorization that captures the key aspects of a system in relation to risk mitigation. In particular, we develop various risk-aware models as instances of the metamodel that broadly differ in the form of risk mitigation that is used (system obligations and user obligations respectively), and study how those obligations are applied to reduce and account for the risk incurred by granting access. Unlike system obligations, an access control system cannot guarantee that user obligations are fulfilled. We propose two approaches to defining risk-aware authorization semantics that takes unfulfilled obligations into account: one is to restrict users' future access because of prior failure to fulfill obligations, and the other is to “reward” users who have been diligent in fulfilling their obligations by permitting risky access requests.","PeriodicalId":434948,"journal":{"name":"2012 Tenth Annual International Conference on Privacy, Security and Trust","volume":"136 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2012-07-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"29","resultStr":"{\"title\":\"Obligations in risk-aware access control\",\"authors\":\"Liang Chen, J. Crampton, M. Kollingbaum, T. Norman\",\"doi\":\"10.1109/PST.2012.6297931\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The increasing need to share information in dynamic environments has created a requirement for risk-aware access control systems. In this paper, we present a metamodel for risk-aware authorization that captures the key aspects of a system in relation to risk mitigation. In particular, we develop various risk-aware models as instances of the metamodel that broadly differ in the form of risk mitigation that is used (system obligations and user obligations respectively), and study how those obligations are applied to reduce and account for the risk incurred by granting access. Unlike system obligations, an access control system cannot guarantee that user obligations are fulfilled. We propose two approaches to defining risk-aware authorization semantics that takes unfulfilled obligations into account: one is to restrict users' future access because of prior failure to fulfill obligations, and the other is to “reward” users who have been diligent in fulfilling their obligations by permitting risky access requests.\",\"PeriodicalId\":434948,\"journal\":{\"name\":\"2012 Tenth Annual International Conference on Privacy, Security and Trust\",\"volume\":\"136 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2012-07-16\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"29\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2012 Tenth Annual International Conference on Privacy, Security and Trust\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/PST.2012.6297931\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2012 Tenth Annual International Conference on Privacy, Security and Trust","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/PST.2012.6297931","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
The increasing need to share information in dynamic environments has created a requirement for risk-aware access control systems. In this paper, we present a metamodel for risk-aware authorization that captures the key aspects of a system in relation to risk mitigation. In particular, we develop various risk-aware models as instances of the metamodel that broadly differ in the form of risk mitigation that is used (system obligations and user obligations respectively), and study how those obligations are applied to reduce and account for the risk incurred by granting access. Unlike system obligations, an access control system cannot guarantee that user obligations are fulfilled. We propose two approaches to defining risk-aware authorization semantics that takes unfulfilled obligations into account: one is to restrict users' future access because of prior failure to fulfill obligations, and the other is to “reward” users who have been diligent in fulfilling their obligations by permitting risky access requests.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
