
Publication


Featured research published by Tatyana Ryutov.


symposium on access control models and technologies | 2005

Adaptive trust negotiation and access control

Tatyana Ryutov; Li Zhou; B. Clifford Neuman; Travis Leithead; Kent E. Seamons

Electronic transactions regularly occur between business partners in separate security domains. Trust negotiation is an approach that provides an open authentication and access-control environment for such transactions, but it is vulnerable to malicious attacks leading to denial of service or leakage of sensitive information. This paper introduces an Adaptive Trust Negotiation and Access Control (ATNAC) framework to solve these problems. The framework combines two existing systems, TrustBuilder and GAA-API, to create a system with more flexibility and responsiveness to attack than either system currently provides.


darpa information survivability conference and exposition | 2000

Representation and evaluation of security policies for distributed system services

Tatyana Ryutov; Clifford Neuman

We present a new model for authorization that integrates both local and distributed access control policies and that is extensible across applications and administrative domains. We introduce a general mechanism that is capable of implementing several security policies including role-based access control, Clark-Wilson, ACLs, capabilities, and lattice-based access controls. The generic authorization and access-control API (GAA API) provides a generic framework by which applications facilitate access control decisions and request authorization information about a particular resource. We have integrated our system with the Prospero resource manager and the Globus security infrastructure.


ieee international conference on technologies for homeland security | 2008

SFINKS: Secure Focused Information, News, and Knowledge Sharing

Tatyana Ryutov; Tatiana Kichkaylo; Robert Neches; Michael D. Orosz

Cross-agency collaboration and sharing of digital data is critical to respond to or prevent threats to U.S. interests. While traditional hierarchical information sharing approaches ensure that only relevant information is delivered to authorized nodes, the resulting organizational overhead severely impedes timely sharing of critical information. Although alternative approaches to secure data release have previously been proposed, they all have had severe practical limitations. We are developing SFINKS - a flexible collaboration platform that enables secure and focused information sharing across organizations. SFINKS uses two key technologies developed at ISI to support a new concept of fine-grained semantically controlled information visibility. The Hands infrastructure provides a semantic network-based data model, search and filtering capabilities, distributed systems support and fine-grained control of resource visibility. The Adaptive Trust Negotiation and Access Control (ATNAC) provides flexible access control and trust management.


policies for distributed systems and networks | 2002

The specification and enforcement of advanced security policies

Tatyana Ryutov; B. Clifford Neuman

In a distributed multi-user environment, the security policy must not only specify legitimate user privileges but also aid in the detection of the abuse of the privileges and adapt to perceived system threat conditions. This paper advocates extending authorization policy evaluation mechanisms with a means for generating audit data allowing immediate notification of suspicious application level activity. It additionally suggests that the evaluation of the policies themselves adapt to perceived network threat conditions, possibly affected by the receipt of such audit data by other processes. Such advanced policies assist in detecting and responding to intrusion and misuse and they allow more efficient utilization of security services, such as authentication, audit, and notification. We present an authorization framework, which enables the representation and enforcement of advanced security policies. Our approach is based on expanding the policy evaluation mechanism with the ability to generate real time actions, such as checking the current system threat level and sending a notification.


grid computing | 2005

Adaptive trust negotiation and access control for grids

Tatyana Ryutov; Li Zhou; B. Clifford Neuman; Noria Foukia; Travis Leithead; Kent E. Seamons

Access control in computational grids is typically provided by a combination of identity certificates and local accounts. This approach does not scale as the number of users and resources increases. Moreover, identity-based access control is not sufficient because users and resources may reside in different security domains and may not have pre-existing knowledge about one another. Trust negotiation is well-suited for grid computing because it allows participants to establish mutual trust based on attributes other than identity. The adaptive trust negotiation and access control (ATNAC) framework addresses the problem of access control in open systems by protecting itself from adversaries who may want to misuse, exhaust or deny service to resources. ATNAC is based on the GAA-API, which provides adaptive access control capturing dynamically changing system security requirements. The GAA-API utilizes TrustBuilder to establish a sufficient level of trust between the negotiating participants, based on the sensitivity of the access request and a suspicion level associated with the requester. A federated security context allows Grid participants to communicate their security appraisal and make judgments based on collective wisdom and the level of trust among them. We plan to apply ATNAC techniques to negotiation agreements in virtual organizations and P2P environments.


ieee international symposium on policies for distributed systems and networks | 2009

Access Control Policies for Semantic Networks

Tatyana Ryutov; Tatiana Kichkaylo; Robert Neches

As web-based technologies mature, dynamic graphs of interlinked resources are replacing hierarchical catalogs as means for storing and organizing information. Such graphs, or semantic networks, often span multiple static and dynamic resources from a variety of sources. It is often highly desirable to give users access only to parts of the semantic network without breaking its logical continuity or consistency. Traditional access control models, such as mandatory, discretionary and role-based access controls, are ill-suited for these new resource structures. New models that allow users to specify access rights in terms of semantic relationships between various objects within semantic networks are needed. In this paper we discuss requirements for an access control model for semantic networks and present our approach and an initial implementation. We also describe end user tools for policy specification and assessment.


international conference on distributed computing systems | 2003

Integrated access control and intrusion detection for Web Servers

Tatyana Ryutov; B. Clifford Neuman; Dong-Ho Kim; Li Zhou

Current intrusion detection systems work in isolation from access control for the application the systems aim to protect. The lack of coordination and inter-operation between these components prevents detecting and responding to ongoing attacks in real time, before they cause damage. To address this, we apply dynamic authorization techniques to support fine-grained access control and application level intrusion detection and response capabilities. This paper describes our experience with integration of the Generic Authorization and Access Control API (GAA-API) to provide dynamic intrusion detection and response for the Apache Web Server. The GAA-API is a generic interface which may be used to enable such dynamic authorization and intrusion response capabilities for many applications.


mathematical methods models and architectures for network security systems | 2001

The Set and Function Approach to Modeling Authorization in Distributed Systems

Tatyana Ryutov; B. Clifford Neuman

We present a new model that provides clear and precise semantics for authorization. The semantics is independent from underlying security mechanisms and is separate from implementation. The model is capable of representing existing access control mechanisms. Our approach is based on set and function formalism. We focus our attention on identifying issues and use our model as a general basis to investigate the issues.


ieee international workshop on policies for distributed systems and networks | 2007

A Socio-cognitive Approach to Modeling Policies in Open Environments

Tatyana Ryutov

The richness of today's electronic communications mirrors the physical world: activities such as shopping, business and scientific collaboration are conducted online. Current interactions have become a form of social exchange where participants must deal with complexity, uncertainty and risk. We propose a policy specification approach that combines social sciences and trust theory to facilitate ad-hoc interactions of self-interested parties in open environments. Our socio-cognitive approach allows us to reason about uncertainty and risk involved in a transaction, and automatically calculate the minimum trust threshold needed to mitigate the vulnerabilities. The trust threshold comprises the core of security policies that govern the interactions. The threshold calculation is based on balancing objective and subjective trust components, which together predict that a transaction will result in an acceptable outcome. We propose to apply the prospect theory (D. Kahneman and A. Tversky, 1979) to specify policies that determine a set of acceptable outcomes. We present the trust threshold negotiation primitives.


international conference on trust management | 2007

Trust based Approach for Improving Data Reliability in Industrial Sensor Networks

Tatyana Ryutov; B. Clifford Neuman

The resource constraints and unattended operation of wireless sensor networks make it difficult to protect nodes against capture and compromise. While cryptographic techniques provide some protection, they do not address the complementary problem of resilience to corrupted sensor data generated by failed or compromised sensors. Trusting data from unattended sensor nodes in critical applications can have disastrous consequences. We propose a behavior-based trust mechanism to address this problem in static sensor networks, in which the location of nodes is known. We take advantage of domain knowledge which includes: (i) physical constraints imposed by the local environment where sensors are located, (ii) expectations of the monitored physical phenomena; and (iii) sensor design and deployment characteristics. The system diagnoses and isolates faulty/malicious nodes even when readings of neighboring nodes are faulty. The goal of this system is to increase work effort and capabilities required by an attacker. The framework and related techniques of behavior-based trust are discussed in this paper.

Collaboration

Top Co-Authors

Clifford Neuman (University of Southern California)

B. Clifford Neuman (University of Southern California)

Robert Neches (University of Southern California)

Li Zhou (University of Southern California)

Tatiana Kichkaylo (University of Southern California)

Michael D. Orosz (University of Southern California)

Noria Foukia (University of Southern California)

Rita V. Burke (University of Southern California)