DYNAMIC ACCESS CONTROL MANAGEMENT USING EXPERT SYSTEM TECHNOLOGY

Transcription

1 DYNAMIC ACCESS CONTROL MANAGEMENT USING EXPERT SYSTEM TECHNOLOGY Prof. G. Pangalos G. Vakaros Ms.C. ( [email protected]), Ch. Georgiadis Ph.D. ( [email protected]) Informatics Lab, Faculty of Technology - Aristotle University Of Thessaloniki, 54006, GREECE I. Nestori ([email protected]), K. Kemalis ([email protected]) "ARROW Technologies" s.a. - Leoforos Nikis 3, Thessaloniki, 54624, GREECE Abstract Advances in computer and communication technologies have resulted in highly distributed systems that allow users to access information and resources from all over the globe. This interconnectivity emphasizes the long-standing problem of providing security in a distributed computer system. The protection of sensitive personal data - stored in database systems - from unauthorized access, illegal modification or system failure is a major concern in information systems. In these systems, access control ensures that accesses to the system resources occur according to the modes and rules fixed by the corresponding security policies. A security policy is expressed by access rules, which determine how access permissions are controlled and access decisions determined. Recently there has been significant interest in applying artificial intelligence (AI) techniques to access control problems. The early research efforts realized the inefficiency of any approach which attempted to require a manual review of a system s audit data. While the information necessary to identify unauthorized access was believed to be present within the often-voluminous audit data, an effective review of the material required the use of an automated and self-controlled system. We believe that the use of expert system techniques in access control mechanisms is going to be a significant milestone in the development of effective detection-based information security systems. The goal of our research is to provide a systemindependent mechanism both for prevention and for real-time detection of security violations, whether they are initiated by outsiders who attempt to break into a system or by insiders who attempt to misuse the privileges of their authorized roles on the system. In this paper we present our approach in addressing the above problem. We also describe how rule-based expert systems can be used for implementing and extending the dynamic characteristics (such as the contexts of specific activities, or the collaborative nature of a particular task) of modern access control models. Keywords Security, Dynamic Access Control, Expert System.

2 1. Introduction One of the primary motivations of our work is the need to provide dynamic access control for certain types of enterprise data. Dynamic access control automatically reacts to these changes, allowing access control decisions to take into consideration factors other than the usual subject, object, and permissions typical of standard access control models. Traditional access control models are characterized as passives and they cannot support efficiently the dynamic aspects of modern information systems. In dynamically changing environments there is a need for active security models, which are capable to control permission activation according to the current needto-know requirements of users. In order to address this problem, we propose in this paper the use of expert system technology, as well as the use of the already known Context-based Team Access Control (C-TMAC) security model, in order to take advantage of their dynamic behavior. The extension of the dynamic behavior of the above approach for access control (C-TMAC), using expert system, makes our proposed Control Access Management Expert System (CAMES). We believe that CAMES is going to be a significant tool in the development of effective detectionbased information security systems. The next two sections provide the background material for our research. Particularly, in section 2, an overview of knowledge-based expert systems is given in detail, as we describe their characteristics, as well as the operation of expert systems. In section 3, we give an overview of access control techniques and we describe two major modern methodologies of access control policies: RBAC and TMAC. In section 4, the design and development of our approach is explained, starting with the description of the model we are based on (section 4.1.) and following with the implementation of our prototype Control Access Management Expert System, CAMES (section 4.2.). In section 5, general conclusions are presented. 2. Expert Systems - An Overview Expert Systems (ESs) is a branch of AI that makes extensive use of specialized knowledge to solve problems at the level of a human expert. The knowledge in ESs may be either expertise, or knowledge which is generally available from books, magazines, and knowledgeable persons. The terms expert system or knowledge-based system are often used synonymously. Most people use expert system simply because it s shorter, even though there may be no expertise in their expert system, only general knowledge [Giarratano & Riley, page 2, 1989]. An ES is a computer program that uses expertise to assist people in performing a wide variety of functions, including diagnosis, planning, scheduling and design. It deals with everything from the diagnosis of human diseases to the diagnosis of a malfunction on a space shuttle. Its programmers

3 use the expertise of one or several human specialists to create a tool that can be used by a layperson to solve difficult or ambiguous problems. An ES can be distinguished from a more conventional application program in that: It allows the change of the existing knowledge ( DYNAMIC BEHAVIOR ). Because sometimes the knowledge for some sector of science is non-stable, but it changes continuously, it must exist the suitable mechanisms for modification of existing knowledge, addition of new one or abstraction of incorrect knowledge from the system. It operates as an interactive system that responds to questions, asks for clarifications, makes recommendations and generally aids the decision-making process. To a user, this interactive interface is what would distinguish an ES from any ordinary computer tool. It solves problems by heuristic or approximate methods which, unlike algorithmic solutions, are not guaranteed to succeed. A heuristic is essentially a rule of thumb, which encodes a piece of knowledge about how to solve problems in some domain. Such methods are approximate in the sense that they do not require perfect data and the solutions derived by the system may be proposed with varying degrees of certainty. [Jackson, page 4] It is capable of explaining and justifying solutions or recommendations to convince the user that its reasoning is in fact correct. Research programs are typically run only by their creators, or by other personnel in similar laboratories. An ES will be run by a wider range of users, and should therefore be designed in such a way that its workings are rather more transparent. [Jackson, page 5] A chief advantage of ESs is their low cost compared with the expense of paying an expert or team of specialists. A user-friendly interface to the system allows the user to specify symptoms and to clarify the problem in response to questions asked by the system. The goal is to lead the user to discover a solution to the problem. The two main components of an ES are: the knowledge base, which differs from a database in that it contains executable program code (instructions) and the inference engine, which interprets and evaluates the instructions and data in the knowledge base.

4 Figure 2.1. [Giarratano & Riley, page 3, 1989] illustrates the basic concept of a knowledge-based expert system. Facts Facts Expertise Of course there are limitations of ESs, such as: and User lack of robustness and flexibility, inability to provide deep explanations, difficulties in verification. Expert System In spite of these limitations, ESs have proved their value in a number of important applications. In our case, characteristics like the "dynamic behavior" and the fact that they are designed for user interaction, as well as the other characteristics described above, have lead us to approach an access control application with expert system technology. Knowledge-Base Inference Engine 3. Access Control Access control in information systems ensures that accesses to the system objects occur according to the modes and rules fixed by the corresponding security policies [Sandhu, 1998]. A security policy is expressed by access rules, which determine how accesses are controlled and access decisions determined [Sandhu, 1997; Castano, 1995]. Access mechanisms can prescribe not only who may have access to a specific resource, but also the type of access that is permitted. In general, there are no security policies that are better than others. This is because, not all systems have the same protection requirements. Policies suitable for a given system may not be suitable for another. The choice of security policy depends on the particular characteristics of the environment to be protected [Sandhu, 1997]. Two major methodologies of security policies that are commonly used in computer systems, are: the role-based policies and the team-based policies Role-Based Access Control (RBAC) With role-based access controls, access rights are grouped by role name. This approach offers significant advantages because of scalability. Each user is assigned one or more roles, and each role is assigned one or more permissions that can be given to users in that role [NIST, 1999]. Users are granted membership into roles based on their competencies, credentials and responsibilities in the organization. User membership in roles can be revoked easily and new memberships established as needed. This simplifies the administration and management of permissions since roles can be updated without updating the permissions for every user on an

5 individual basis [NIST, 1995]. Moreover, the use of role hierarchies provides additional advantages since one role may implicitly include the operations that are associated with another role Team-Based Access Control (TMAC) The TMAC model was originally proposed by Thomas [Thomas, 1997]. TMAC recognized the importance of context information associated with collaborative tasks and the ability to apply this context to decisions regarding permission activation. The collaboration context of a team contains two pieces: the user context, which could be the current members (users) of a team, and the object context, which could be the set of object instances required by the team to accomplish its task. TMAC allows us to create a general structure (class/definition) of a team with role-based permission assignments to object-types. However, when a team is instantiated, the user context can be used to tailor the role-based permissions defined on object types to user-specific permissions on individual object instances considered to be part of a team's resources. By aligning access control to the symbol of teams, TMAC can provide a concept for access control that is natural and non-intrusive to the way users work in collaborative environments. 4. Control Access Management with Expert System An important aspect of access control mechanisms in the area of research has to do with their active or passive nature. The majority of well-known security models are characterized as passive ones in the sense that they include subject-object models for access control, which are implemented using access control matrices. These models do not distinguish between permission assignment and activation. Passive security permission assignment cannot support efficiently the dynamic aspect of many modern information systems. In dynamically changing environments there is a need for active security to control permission activation according to the current needto-know user requirements. One of the primary motivations of our work is the need to provide dynamic access control for certain types of enterprise data. The need for an enterprise user to access a particular piece of enterprise data may change over time due to changes in duties, changes in assignments, or for other reasons. A valid reason for access today may not be valid tomorrow. Dynamic access control automatically reacts to these changes, allowing access control decisions to take into consideration factors other than the usual subject, object, and permissions typical of standard access control models. Dynamic access control adds new dimensions to access decisions, considering not just who and what, but why and when.

6 It is important to note that dynamic access control does not replace other access control models and mechanisms. It instead allows these methods to be used more effectively. In our work, we use a dynamic approach for access control, called C-TMAC [Georgiadis, 2001] and we try to extend its dynamic behavior, using expert system technology Overview of Context-based Team Access Control (C-TMAC) The C-TMAC approach is based on the integration of RBAC [Sandhu, 1998] and the TMAC [Thomas, 1997] approaches. C-TMAC extends the original TMAC proposal [Thomas, 1997] in two key directions. First, it gives a framework to integrate TMAC concepts with RBAC. Second, it extends TMAC to use other contextual information, which can among others things include the time of access, the location from which access is requested, the location where the object to be accessed resides, transaction-specific values that dictate special access policies, etc. So, TMAC is allowed to model a richer set of access policies, which are more closely tied to application needs. C-TMAC consists of five sets of entities called Users, Roles, Permissions, Teams and Contexts, as well as a collection of Sessions, which are shown in the diagram of Figure 4.1. Figure 4.1. The C-TMAC approach Entity User (U) Role (R) Description Is a person Is a job responsibility within the organization with some associated semantics concerning the authority awarded on a member of the role

7 Permissions (P) Team (T) Context (C) Authorizations of a particular mode of access to one or more resources Is used to represent a group of users having specific roles with the objective of completing a specific activity in a particular context Here, is included information regarding the required data objects for a specific activity, as well as contextual information such as locations and time intervals etc The team concept is used also as a mechanism that associates users with contexts. The use of a team as an intermediary to enable a user to obtain a context is similar to the use of roles as an intermediary between users and permissions. Even when a user is acting alone, we may consider the user as the only member of a private team. An important property of a Session (S) is that the user associated with a session, cannot change. The association remains constant for the life of a session. The permissions available to the user are the union of permissions from all roles activated in that session. In addition, active roles in a session can be changed at the user s discretion. During a session, a user can participate in a number of teams. So, each session is also a mapping of one user to a subset of teams that he is a member of. The contexts available to the user are the union of contexts from all teams that he participates in. Moreover, active teams in a session can be changed at the user s discretion, just like his active roles. A team can also be seen as a mapping to multiple users. The roles activated by these users identify the permission set available to the team as the combination of permissions from all roles participating in that team. Users-Roles assignment (URS), Permissions-Roles assignment (PRS), Users-Teams assignment (UTS) and Contexts-Teams assignment (CTS) are many-to-many relations. A role can be assigned to many users and a user can be a member of many roles. Similarly, a role may have many permissions and the same permission can be assigned to many roles. These relations are the fundamental concepts in RBAC [Sandhu, 1998]. Also, a user can be a member of many teams and a team may have many users. Similarly, a team may have many contexts and the same context can be assigned to many teams. Still, there are constraints when assigning user to teams. An obvious constraint is related to the roles already assigned to the user. There are mutually exclusive roles and teams, e.g. a user that has been assigned the roles Physician and Director cannot participate in a care-team as a Director Overview of Control Access Management Expert System (CAMES) In this section, we describe the design and implementation of our prototype Control Access Management Expert System (CAMES). CAMES uses expert systems tools and particularly FLEX to implement the C-TMAC model. FLEX is an expressive and powerful expert system

8 toolkit which supports frame-based reasoning with inheritance, rule-based programming and data-driven procedures fully integrated within a logic programming environment, and contains its own English-like Knowledge Specification Language (KSL). FLEX has its own expressive English-like KSL for defining rules, frames and procedures. The KSL enables developers to write simple and concise statements about the expert's world and produce virtually self-documenting knowledge-bases which can be understood and maintained by non-programmers. In our application, we implement Users, Roles and Teams (see figure 4.1.) as frame hierarchies. Frame hierarchies in FLEX, are similar to object-oriented hierarchies. They allow data to be stored in an abstract manner within a nested hierarchy with common properties automatically inherited through the hierarchy. This avoids the unnecessary duplication of information, simplifies code and provides a more readable and maintainable system. Each frame or instance has a set of slots that contain attributes describing the frame's characteristics. These slots are analogous to fields within records (using database terminology) except that their expressive power is greatly extended. Suggestively we represent a piece of our code. Frame role. Frame medical is a role. Frame ward is a role. Frame admin is a role. Frame head_doctor is a medical. Frame head_nurse is a ward. Frame admin_staff is an admin. Frame user; Default possible_roles is nothing. Instance kwstas is a user; possible_roles are {head_doctor, paramedical_staff}. Frame team; Default available_roles are nothing. Frame care_team1; Default available_roles are { head_doctor, special_doctor } and Default location_contexts are { glab2, office7, office8 } and Default time_contexts are { (07:00-09:00), (11:00-12:00) }. During the login phase, a user has to complete the identification and authentication procedure, presenting suitable credentials (such as user-id and password information for local networks, or present digital certificates for internet/intranet environments). Then, the user has to select a role from the set of roles assigned to him. According to this selection, a particular set of role-based

9 permissions is granted and these are called session-roles permissions. This Users-Roles Assignment, URS (see figure 4.1.), is implemented in CAMES as a classical if-then rule. rule users_roles_assignment if the answer to username is User and the answer to ask_role is Role and User is an instance of user whose possible_roles include Role then remember that User is assigned as Role and display_assign(user, Role) Example: kwstas is assigned as head_doctor. The question ask_role is defined as follow: question ask_role Choose o role..; choose one of a role because I need to know your role. Similarly is defined the question username. FLEX has a built-in question and answer sub-system that allows final applications to query the user for additional input via interactive dialogs and also, a built-in explanation system which supports both how and why explanations. Explanations can be attached to both rules and questions using simple because clauses. After the role selection, the user has to select a subset of teams to participate. Indicatively, we introduce below a part of the implementation code that FLEX toolkit requires, in order to represent the concepts of Teams and Contexts: rule user_teams_assignment if the answer to select_team is Team and User is assigned as Role and Team s available_roles include Role and Team s location_contexts include currentuserlocation and Team s time_contexts include currentusertime then remember tha User is member of Team. Where currentuserlocation and currentusertime are variables that take values, depending on the place and the time that user tries to enter the team. After the team selection procedure is completed, the permission set of the user is combined with the permission set available to the team. As we have mentioned in section 4.1., teams can be seen as groups of current task contexts. This means that when a user participates in a team he gains also the context of his task. The team context is expressed in terms of ranges of values. For every team, there are a variety of system variables that can hold sets of values for chosen contextual information (factors). The binding of these variables to actual values is accomplished during the runtime by the administration subsystem of the organization.

10 5. Conclusion We have presented an approach to integrate access control concepts with expert system technology. The CAMES model introduced in this paper allows the use of general contextual information in access control expert systems and gives C-TMAC the capability to take advantage of the security-critical knowledge of the underlying expert system, as this knowledge changes during runtime. We have also shown in this paper, how CAMES concepts can be implemented over passive and active role-based security policies and mechanisms. We believe that CAMES will prove to be an interesting starting point for further investigations of security models for next generation collaborative applications. 6. References: [1] Castano S., Fugini M., Martella G. & Samarati P. (1995). Database Security, ACM Press, Addison Wesley, Padstow [2] Georgiadis Ch., Mavridis I., Pangalos G. & Thomas R. K. (May 2001). Flexible Teambased Access Control Using Contexts, SACMAT 01, Chantilly, VA [3] Giarratano J. & Riley G. (1989). Expert Systems: Principles and Programming, PWS- KENT Publishing Company, Boston [4] Jackson P.. Introduction to Expert Systems, 2nd ed. [5] NIST (1995). An Introduction to Role-based Access Control, NIST CSL Bulletin on RBAC, National Institute of Standards and Technology (Available in URL: [6] NIST (1999). Role Based Access Control, National Institute of Standards and Technology (Available in URL: [7] Sandhu R. & Samarati P. (1997). Authentication, Access Control and Intrusion Detection, The Computer Science and Engineering Handbook [8] Sandhu R. (1998). Role-Based Access Control, Advances in Computer, Vol.46, Academic Press [9] Thomas R. K. (1997). Team-Based Access Control (TMAC): A Primitive for Applying Role-Based Access Controls in Collaborative Enviroments, Proceedings of the second ACM workshop on Role-based access control, Fairfax, VA USA [10] Vlahavas I, Kefalas P, Vasiliadis N, Refanidis I, Kokkoras F, Sakellariou I. (Thessaloniki 2002). Artificial Intelligence