A topology and risk-aware access control framework for cyber-physical space
Yan CAO1,2, Zhiqiu HUANG1,2,3(), Yaoshen YU1,2, Changbo KE1,4, Zihao WANG1
1. School of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 211106, China 2. Key Laboratory of Safety-Critical Software(Ministry of Industry and Information Technology), Nanjing 211106, China 3. Collaborative Innovation Center of Novel Software Technology and Industrialization, Nanjing 211106, China 4. School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023, China
Cyber-physical space is a spatial environment that integrates the cyber world and the physical world, aiming to provide an intelligent environment for users to conduct their day-to-day activities. The interplay between the cyber space and physical space proposes specific security requirements that are not captured by traditional access control frameworks. On one hand, the security of the physical space and the cyber space should be both concerned in the cyber-physical space. On the other hand, the bad results caused by failure in providing secure policy enforcementmay directly affect the controlled physical world. In this paper, we propose an effective access control framework for the cyber-physical space. Firstly, a topology-aware access control (TAAC) model is proposed. It can express the cyber access control, the physical access control, and the interaction access control simultaneously. Secondly, a risk assessment approach is proposed for the policy enforcement phase. It is used to evaluate the user behavior and ensures that the suspicious behaviors executed by authorized users can be handled correctly. Thirdly, we propose a role activation algorithm to ensure that the objects are accessed only by legal and honest users. Finally, we evaluate our approach by using an illustrative example and the performance analysis. The results demonstrate the feasibility of our approach.
R Rajkumar, I Lee, L Sha, J Stankovic. Cyber-physical systems: the next computing revolution. In: Proceedings of IEEE International Conference on Design Automation Conference. 2010, 731–736 https://doi.org/10.1145/1837274.1837461
C Tsigkanos, L, Pasquale C, Ghezzi B Nuseibeh. On the interplay between cyber and physical spaces for adaptive security. IEEE Transactions on Dependable & Secure Computing, 2018, 15(3): 466–480 https://doi.org/10.1109/TDSC.2016.2599880
4
I, Ray I. RayAccess control challenges for cyber-physical systems. In: Proceedings of NSF Workshop on Cyber-Physical Systems. 2009
5
R Abdunabi, M Al-Lail, I Ray, R B France. Specification, validation, and enforcement of a generalized spatio-temporal role-based access control model. IEEE Systems Journal, 2013, 7(3): 501–515 https://doi.org/10.1109/JSYST.2013.2242751
6
M S, Kirkpatrick M L Damiani, E. Bertino Prox-RBAC: a proximitybased spatially aware RBAC. In: Proceedings of ACM SIGSPATIAL International Conference on Advances in Geographic Information Systems. 2011, 339–348 https://doi.org/10.1145/2093973.2094018
7
M Toahchoodee, I Ray. On the formalization and analysis of a spatiotemporal role-based access control model. Journal of Computer Security, 2011, 19(3): 399–452 https://doi.org/10.3233/JCS-2010-0418
8
X Jin, R Sandhu, R Krishnan. RABAC: role-centric attribute-based access control. In: Proceedings of International Conference on Mathematical Methods, Models and Architectures for Computer Network Security: Computer Network Security. 2012, 84–96 https://doi.org/10.1007/978-3-642-33704-8_8
9
D Unal, M U Caglayan. A formal role-based access control model for security policies in multi-domain mobile networks. Computer Networks, 2013, 57(1): 330–350 https://doi.org/10.1016/j.comnet.2012.09.018
10
N Skandhakumar, F, Salim J, Reid E Dawson. Physical access control administration using building information models. In: Proceedings of International Conference on Cyberspace Safety and Security. 2012, 236–250 https://doi.org/10.1007/978-3-642-35362-8_19
11
E Geepalla, B Bordbar, X Du. Spatio-temporal role based access control for physical access control systems. In: Proceedings of IEEE International Conference on Emerging Security Technologies. 2013, 39–42 https://doi.org/10.1109/EST.2013.13
12
D Chen, G Chang, D Sun, J Jia, X Wang. Modeling access control for cyber-physical systems using reputation. Computers & Electrical Engineering, 2012, 38(5): 1088–1101 https://doi.org/10.1016/j.compeleceng.2012.06.002
13
K K Venkatasubramanian, T Mukherjee, S K S Gupta. CAAC – an adaptive and proactive access control approach for emergencies in smart infrastructures. ACM Transactions on Autonomous and Adaptive Systems, 2014, 8(4): 1–18 https://doi.org/10.1145/2555614
14
G, Wu D, Lu F Xia, L Yao. A fault-tolerant emergency-aware access control scheme for cyber-physical systems. Information Technology & Control, 2011, 40(1): 29–40 https://doi.org/10.5755/j01.itc.40.1.190
15
N B, Akhuseyinoglu J Joshi. A risk-aware access control framework for cyber-physical systems. In: Proceedings of IEEE International Conference on Collaboration and Internet Computing. 2017, 349–358 https://doi.org/10.1109/CIC.2017.00052
16
N Baracaldo, J. JoshiAn adaptive risk management and access control framework to mitigate insider threats. Computers & Security, 2013, 39(4): 237–254 https://doi.org/10.1016/j.cose.2013.08.001
17
N Baracaldo, B Palanisamy, J Joshi. G-SIR: an insider attack resilient geo-social access control framework. IEEE Transactions on Dependable & Secure Computing, 2017, 16: 84–98 https://doi.org/10.1109/TDSC.2017.2654438
18
C Tsigkanos, L Pasquale, C Ghezzi, B Nuseibeh. Ariadne: topology aware adaptive security for cyber-physical systems. In: Proceedings of IEEE International Conference on Software Engineering. 2015, 729–732 https://doi.org/10.1109/ICSE.2015.234
19
Y Cao, Z Huang, C, Ke J Xie, J Wang. A topology-aware access control model for collaborative cyber-physical spaces: specification and verification. Computers& Security, 2019 https://doi.org/10.1016/j.cose.2019.02.013
20
D R Kuhn, E J Coyne, T R Weil. Adding attributes to role-based access control. Computer, 2010, 43(6): 79–81 https://doi.org/10.1109/MC.2010.155
21
J D Ultra, S Pancho-Festin . A simple model of separation of duty for access control models. Computers & Security, 2017, 68: 69–80 https://doi.org/10.1016/j.cose.2017.03.012
22
Y Cao, Z Huang, S Kan, H Peng, C Ke. Location-constrained access control model and verification methods. Journal of Computer Research and Development, 2018, 55(8): 1809–1825
23
Y Cao, Z Huang, S Kan, D Fan, Y. YangSpecification and verification of a topology-aware access control model for cyber-physical spaces. Tsinghua Science and Technology, 2019, 24(5): 497–519 https://doi.org/10.26599/TST.2018.9010116
24
S Chakraborty, I Ray. TrustBAC: integrating trust relationships into the RBAC model for access control in open systems. In: Proceedings of ACM Symposium on Access Control Models and Technologies. 2006, 49–58 https://doi.org/10.1145/1133058.1133067
25
N Baracaldo, J Joshi. Beyond accountability: using obligations to reduce risk exposure and deter insider attacks. In: Proceedings of ACM Symposium on Access Control Models and Technologies. 2013, 213–224 https://doi.org/10.1145/2462410.2462411
26
K Z Bijon, R Krishnan, R Sandhu. A framework for risk-aware role based access control. In: Proceedings of IEEE Communications and Network Security. 2013, 462–469 https://doi.org/10.1109/CNS.2013.6682761
27
L Chen, J Crampton. Risk-aware role-based access control. In: Proceedings of International Conference on Security and Trust Management. 2011, 140–156 https://doi.org/10.1007/978-3-642-29963-6_11
28
D R D Santos, R Marinho, G R, Schmitt C M Westphall, C B Westphall. A framework and risk assessment approaches for risk-based access control in the cloud. Journal of Network & Computer Applications, 2016, 74: 86–97 https://doi.org/10.1016/j.jnca.2016.08.013
