Fabio Martinelli

Formal approach to security metrics.: what does "more secure" mean for you?

Security metrics are the tools for providing correct and up-to-date information about a state of security. This information is essential for managing security efficiently. Although a number of security metrics were proposed we still need reliable ways for assessment of security. First of all, we do not have a widely-accepted and unambiguous definition which defines what it means that one system is more secure than another one. Without this knowledge we cannot show that a metric really measures security. Second, there is no a universal formal model for all metrics which can be used for rigourous analysis. In this paper we investigate how we can define more secure relation and propose our basic formal model for a description and analysis of security metrics.

Risk-Aware Usage Decision Making in Highly Dynamic Systems

Usage control model (UCON) is based on the idea that attributes required for decision-making can be changed over a period of usage. Since it is not always possible to get a fresh and trustworthy value of attributes, a decision has to be done with some uncertainties in mind. Moreover, modern systems become more distributed and dynamic and this evolution aggravates the problem. Such trend demands for the solutions capable of working with imprecise values. Our study concerns analysis of risks to make access decision of usage control more credible. We consider the risks associated with imperfect mechanisms collecting information about an authorization context. To cope with these risks we introduce our approach based on Markov chains, which aims to help in making a decision to allow further access or to deny it. The proposed approach could be useful for designers of the policy enforcement engines based on the UCON model.

Towards modelling adaptive attacker's behaviour

We describe our model for the behaviour of an attacker. In the model, the attacker has uncertain knowledge about a computer system. Moreover, the attacker tries different attack paths if initially selected ones cannot be completed. The model allows finer-grained analysis of the security of computer systems. The model is based on Markov Decision Processes theory for predicting possible attackers decisions.

Risk-Based Usage Control for Service Oriented Architecture

In Service Oriented Architecture (SOA) data belonging to a client (data provider) is often processed by a provider (data consumer). During this processing the data can be compromised. A client wants to be sure that its data is used in the least risky way while is under provider’s control. The risk level should be low when access to the data is granted and should remain low during the whole interaction and, maybe, some time after. Therefore, a client has to consider closely various providers and decide which one provides the service with the smallest risk. More importantly, the risk has to be constantly recomputed after granting the access to the data, i.e., usage of data must be controlled. In this work we propose a method to empower usage control with a risk-based decision making process for more efficient and flexible control of access to data. Employing this idea we show how to select a service provider using risk, re-evaluate the risk level when some changes have happened and how to improve an infrastructure in order to reduce the risk level.

Usage control, risk and trust

In this paper we describe our general framework for usage control (UCON) enforcement on GRID systems. It allows both GRID services level enforcement of UCON as well as fine-grained one at the level of local GRID node resources. In addition, next to the classical checks for usage control: checks of conditions, authorizations, and obligations, the framework also includes trust and risk management functionalities. Indeed, we show how trust and risk issues naturally arise when considering usage control in GRID systems and services and how our architecture is flexible enough to accommodate both notions in a pretty uniform way.

Influence of attribute freshness on decision making in usage control

The usage control (UCON) model demands for continuous control over objects of a system. Access decisions are done several times within a usage session and are performed on the basis of mutable attributes. Values of attributes in modern highly-dynamic and distributed systems sometimes are not up-to-date, because attributes may be updated by several entities and reside outside the system domain. Thus, the access decisions about a usage session are made under uncertainties, while existing usage control approaches are based on the assumption that all attributes are up-to-date. n nIn this paper we propose an approach which helps to make a rational access decision even if some uncertainty presents. The proposed approach uses the continuous-time Markov chains (CTMC) in order to compute the probability of unnoticed changes of attributes and risk analysis for making a decision.

A general method for assessment of security in complex services

We focus on the assessment of the security of business processes. We assume that a business process is composed of abstract services, each of which has several concrete instantiations. Essential peculiarity of our method is that we express security metrics used for the evaluation of security properties as semirings. First, we consider primitive decomposition of the business process into a weighted graph which describes possible implementations of the business process. Second, we evaluate the security using semiring-based methods for graph analysis. Finally, we exploit semirings to describe the mapping between security metrics which is useful when different metrics are used for the evaluation of security properties of services.

Formal analysis of security metrics and risk

Security metrics are usually defined informally and, therefore, the rigourous analysis of these metrics is a hard task. This analysis is required to identify the existing relations between the security metrics, which try to quantify the same quality: security. n nRisk, computed as Annualised Loss Expectancy, is often used in order to give the overall assessment of security as a whole. Risk and security metrics are usually defined separately and the relation between these indicators have not been considered thoroughly. In this work we fill this gap by providing a formal definition of risk and formal analysis of relations between security metrics and risk.

Integration of Quantitative Methods for Risk Evaluation within Usage Control Policies

Usage Control (UCON) enhances traditional access control introducing mutable attributes and continuous policy enforcement. UCON addresses security requirements of dynamic computer environments like Grid and Cloud, but also raises new challenges. This paper considers two problems of usage control. The first problem arises when a value of a mutable attribute required for an access decision is uncertain. The second problem questions when to retrieve fresh values of mutable attributes and to trigger the access reevaluation during the continuous control. We propose quantitative risk-based methods to tackle these problems. The authorisation system grants the access if the security policy is satisfied and the risk level is acceptable. The authorisation system retrieves fresh attribute values following the strategy which minimises the risk of the usage sessions. We integrate the authorisation system based on the U-XACML language with quantitative methods for risk evaluation. We present the architecture, the implementation, and the evaluation of the overhead posed by the risk computation.

Risk-Based auto-delegation for probabilistic availability

Dynamic and evolving systems might require flexible access control mechanisms, in order to make sure that the unavailability of some users does not prevent the system to be functional, in particular for emergency-prone environments, such as healthcare, natural disaster response teams, or military systems. The auto-delegation mechanism, which combines the strengths of delegation systems and break-the-glass policies, was recently introduced to handle such situations, by stating that the most qualified available user for a resource can access this resource. n nIn this work we extend this mechanism by considering availability as a quantitative measure, such that each user is associated with a probability of availability. The decision to allow or deny an access is based on the utility of each outcome and on a risk strategy. We describe a generic framework allowing a system designer to define these different concepts. We also illustrate our framework with two specific use cases inspired from healthcare systems and resource management systems.