Pau-Chen Cheng

Trading in risk: using markets to improve access control

With the increasing need to securely share information, current access control systems are proving too in flexible and difficult to adapt. Recent work on risk-based access control systems has shown promise at resolving the inadequacies of traditional access control systems, and promise to increase information sharing and security. We consider some of the core open problems in risk-based access control systems, namely where and how much risk to take. We propose the use of market mechanisms to determine an organizations risk tolerance and allocation. We show that with the correct incentives, an employee will make optimal choices for the organization. We also comment on how the market can be used to ensure employees behave honestly and detect those who are malicious. Through simulations, we empirically show the advantage of risk-based access control systems and market mechanisms at increasing information sharing and security.

Risk-based security decisions under uncertainty

This paper addresses the making of security decisions, such as access-control decisions or spam filtering decisions, under uncertainty, when the benefit of doing so outweighs the need to absolutely guarantee these decisions are correct. For instance, when there are limited, costly, or failed communication channels to a policy-decision-point. Previously, local caching of decisions has been proposed, but when a correct decision is not available, either a policy-decision-point must be contacted, or a default decision used. We improve upon this model by using learned classifiers of access control decisions. These classifiers, trained on known decisions, infer decisions when an exact match has not been cached, and uses intuitive notions of utility, damage and uncertainty to determine when an inferred decision is preferred over contacting a remote PDP. Clearly there is uncertainty in the predicted decisions, introducing a degree of risk. Our solution proposes a mechanism to quantify the uncertainty of these decisions and allows administrators to bound the overall risk posture of the system. The learning component continuously refines its models based on inputs from a central policy server in cases where the risk is too high or there is too much uncertainty. We have validated our models by building a prototype system and evaluating it with requests from real access control policies. Our experiments show that over a range of system parameters, it is feasible to use machine learning methods to infer access control policies decisions. Thus our system yields several benefits, including reduced calls to the PDP, reducing latency and communication costs; increased net utility; and increased system survivability.

Learning Stochastic Models of Information Flow

An understanding of information flow has many applications, including for maximizing marketing impact on social media, limiting malware propagation, and managing undesired disclosure of sensitive information. This paper presents scalable methods for both learning models of information flow in networks from data, based on the Independent Cascade Model, and predicting probabilities of unseen flow from these models. Our approach is based on a principled probabilistic construction and results compare favourably with existing methods in terms of accuracy of prediction and scalable evaluation, with the addition that we are able to evaluate a broader range of queries than previously shown, including probability of joint and/or conditional flow, as well as reflecting model uncertainty. Exact evaluation of flow probabilities is exponential in the number of edges and naive sampling can also be expensive, so we propose sampling in an efficient Markov-Chain Monte-Carlo fashion using the Metropolis-Hastings algorithm -- details described in the paper. We identify two types of data, those where the paths of past flows are known -- attributed data, and those where only the endpoints are known -- unattributed data. Both data types are addressed in this paper, including training methods, example real world data sets, and experimental evaluation. In particular, we investigate flow data from the Twitter microblogging service, exploring the flow of messages through retweets (tweet forwards) for the attributed case, and the propagation of hash tags (metadata tags) and urls for the unattributed case.

Risk profiles and distributed risk assessment

Risk assessment is concerned with discovering threat paths between potential attackers and critical assets, and is generally carried out during a systems design and then at fixed intervals during its operational life. However, the currency of such analysis is rapidly eroded by system changes; in dynamic systems these include the need to support ad-hoc collaboration, and dynamic connectivity between the systems components. This paper resolves these problems by showing how risks can be assessed incrementally as a system changes, using risk profiles, which characterize the risk to a system from subverted components. We formally define risk profiles, and show that their calculation can be fully distributed; each component is able to compute its own profile from neighbouring information. We further show that profiles converge to the same risks as systematic threat path enumeration, that changes in risk are efficiently propagated throughout a distributed system, and that the distributed computation provides a criterion for when the security consequences of a policy change are local to a component, or will propagate into the wider system. Risk profiles have the potential to supplement conventional risk assessments with useful new metrics, maintain accurate continuous assessment of risks in dynamic distributed systems, link a risk assessment to the wider environment of the system, and evaluate defence-in-depth strategies.

Dynamic security policy learning

Recent research [12] has suggested that traditional top down security policy models are too rigid to cope with changes in dynamic operational environments. There is a need for greater flexibility in security policies to protect information appropriately and yet still satisfy operational needs. Previous work has shown that security policies can be learnt from examples using machine learning techniques. Given a set of criteria of concern, one can apply these techniques to learn the policy that best fits the criteria. These criteria can be expressed in terms of high level objectives, or characterised by the set of previously seen decision examples. We argue here that even if an optimal policy could be learnt automatically, it will eventually become sub-optimal over time as the operational requirements change. The policy needs to be updated continually to maintain its optimality. This paper proposes two dynamic security policy learning frameworks

Modelling Uncertain and Time-Dependent Security Labels in MLS Systems

Traditional multi-level security (MLS) systems associate security clearances with subjects, security classifications with objects, and provide a clear decision mechanism as to whether an access request should be granted or not. Many organisations, especially those in the national security and intelligence arena, are increasingly viewing the inflexibility of such models as a major inhibitor for missions where there is a need to rapidly process, share and disseminate large quantities of sensitive information. One reason for such inflexibility is the fact that subject and object labels are fixed assessments of sensitivity, whereas in practice there will inevitably be some uncertainty about the potential damage caused if a document falls into the wrong hands. Furthermore, the operational reality of many modern systems dictates a temporal element to the actual sensitivity of an object. In this paper we propose to model both security labels and clearances as time-varying probability distributions. We provide practical templates to model both uncertainty and temporally characterised dependencies, and show how these features can be naturally integrated into an access control framework based on quantified risk.