GENERALIZATION AND ENFORCEMENT OF ROLE-BASED ACCESS CONTROL USING A NOVEL EVENT-BASED APPROACH
Protecting information against unauthorized access is a key issue in information system security. Advanced access control models and mechanisms have now become necessary for applications and systems due to emerging acts, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act. Role-Based Access Control (RBAC) is a viable alternative to traditional discretionary and mandatory access control. RBAC has been shown to be cost effective and is being employed in various application domains on account of its characteristics: rich specification, policy neutrality, separation of duty relations, principle of least privilege, and ease of management. Existing RBAC approaches support time-, content- and purpose-based, as well as context-aware and other forms of access control policies that are useful for developing secure systems. Although a considerable amount of effort has been spent on policy specification, much less attention has been paid to flexible enforcement of the various aspects of RBAC approaches. Furthermore, current approaches are inadequate for the many applications and systems that require more dynamic and expressive event pattern constraints.
In this thesis, we have focused on several aspects of RBAC, including generalization and enforcement of RBAC, by exploiting and extending a well-established event-based framework that has a solid theoretical foundation. Specifically, we have addressed the following problems and made the following contributions:
- Enforcement of existing RBAC Approaches: Security mechanisms are required for enforcing security policies. We have provided a flexible event-based technique for enforcing the RBAC standard and other current extensions in a uniform manner using an event framework. We have extended the event specification and detection with interval-based semantics for event operators and alternative actions for active rules.
- Generalization of RBAC and Snoop: We have generalized RBAC policies with expressive event pattern constraints. We have shown how to model diverse constraints, such as precedence, dependency, non-occurrence, and their combinations, using event patterns that are not available in existing RBAC approaches. Event patterns are event expressions that have simple and complex events as constituent events and they control the state change. Snoop, an event specification language, provides the basis for extensions needed to support the generalized RBAC. The generalization of RBAC using constraints based on event patterns can be accomplished by the extended Snoop.
- Enforcement of Generalized RBAC: We have shown the modeling and enforcement of generalized RBAC policies using the extended local event detector (LED). We have introduced event registrar graphs for capturing simple and complex event occurrences and keeping track of event patterns. We have also shown how RBAC with expressive event pattern constraints can be enforced using event registrar graphs. When compared to other mechanisms, the proposed event-based enforcement mechanism has the advantage of using the same framework for both policy specification and enforcement. We have briefly explored identification and handling of policy conflicts.
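The two contributions above describe RBAC policies whose constraints are event patterns (precedence, dependency, non-occurrence) and an enforcement mechanism that tracks event occurrences to decide them. The following Python program is an added illustration, not the thesis's Snoop extension or its local event detector: it keeps a constructed event log and expresses each constraint kind as a predicate over that log, so a role activation request is granted only when the required pattern holds. The event names, the `role_activate`/`role_deactivate` events, the two-role policy and the log entries are all hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Hypothetical primitive event as it would be raised by the protected system.
@dataclass(frozen=True)
class Event:
    name: str                 # e.g. "login", "role_activate", "case_closed"
    user: str
    t: int                    # logical timestamp (strictly increasing in the log)
    role: Optional[str] = None  # only set for role_activate / role_deactivate

History = List[Event]
Constraint = Callable[[History, str, int], bool]

def last_time(h: History, user: str, name: str, before: int,
              role: Optional[str] = None) -> Optional[int]:
    """Latest occurrence of `name` for `user` strictly before `before`, or None."""
    times = [e.t for e in h
             if e.user == user and e.name == name and e.t < before
             and (role is None or e.role == role)]
    return max(times) if times else None

# --- constraint constructors: each maps an event pattern to a predicate ---

def precedence(required: str) -> Constraint:
    """Sequence pattern: `required` must have occurred before the activation."""
    return lambda h, u, now: last_time(h, u, required, now) is not None

def non_occurrence(forbidden: str, since: str) -> Constraint:
    """NOT pattern: `forbidden` must not have occurred after the latest `since`."""
    def check(h: History, u: str, now: int) -> bool:
        anchor = last_time(h, u, since, now)
        if anchor is None:
            return False            # nothing to anchor the interval on
        bad = last_time(h, u, forbidden, now)
        return bad is None or bad < anchor
    return check

def dependency(role: str) -> Constraint:
    """Dependency pattern: `role` must currently be active for the user,
    i.e. its latest activation is later than its latest deactivation."""
    def check(h: History, u: str, now: int) -> bool:
        act = last_time(h, u, "role_activate", now, role)
        deact = last_time(h, u, "role_deactivate", now, role)
        return act is not None and (deact is None or deact < act)
    return check

# Constructed policy: which patterns guard the activation of each role.
POLICY: Dict[str, List[Constraint]] = {
    "auditor":  [precedence("login"), non_occurrence("logout", since="login")],
    "approver": [dependency("auditor"), non_occurrence("case_closed", since="case_opened")],
}

def can_activate(h: History, user: str, role: str, now: int) -> bool:
    """Grant the activation only if every event-pattern constraint holds at `now`."""
    return all(c(h, user, now) for c in POLICY.get(role, []))

# Constructed log of primitive events for one user.
LOG: History = [
    Event("login", "alice", 1),
    Event("role_activate", "alice", 2, role="auditor"),
    Event("case_opened", "alice", 3),
    Event("role_deactivate", "alice", 4, role="auditor"),
    Event("logout", "alice", 4),
    Event("login", "alice", 5),
    Event("case_closed", "alice", 6),
]

if __name__ == "__main__":
    for role, now in (("auditor", 2), ("auditor", 5), ("auditor", 6),
                      ("approver", 4), ("approver", 7)):
        print(f"alice -> {role} at t={now}: {can_activate(LOG, 'alice', role, now)}")
```

A real detector would evaluate these patterns incrementally as events arrive rather than rescanning the log, but the decision each predicate encodes is the same.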
- Usability in RBAC: We have enhanced the usability of RBAC by adding an intelligent module for discovering roles and guiding (or prompting) the user to acquire appropriate roles for performing operations on objects. This approach relieves the user from the details of role-permission assignment and allows them to concentrate on their task. We have developed several algorithms for discovering roles, and analyzed their complexity and effectiveness.
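To make the role-discovery idea concrete, here is an added Python example (not one of the thesis's algorithms): given a constructed role hierarchy, permission assignment and user assignment, it computes which of a user's authorized roles would grant a requested (operation, object) pair, orders them so the role with the fewest effective permissions comes first, and, when none is authorized, reports the roles the user would have to be assigned. The hierarchy, permissions and users are hypothetical.

```python
from typing import Dict, List, Set, Tuple

Permission = Tuple[str, str]  # (operation, object)

# Constructed RBAC state. HIERARCHY maps a senior role to its direct juniors;
# a senior role inherits the permissions of all its juniors.
HIERARCHY: Dict[str, Set[str]] = {
    "cfo": {"accountant", "auditor"},
    "accountant": {"clerk"},
    "auditor": {"clerk"},
    "clerk": set(),
}
PERMS: Dict[str, Set[Permission]] = {
    "clerk": {("read", "ledger")},
    "accountant": {("write", "ledger")},
    "auditor": {("read", "audit_log")},
    "cfo": {("approve", "budget")},
}
USER_ROLES: Dict[str, Set[str]] = {"alice": {"accountant"}, "bob": {"cfo"}}

def juniors(role: str) -> Set[str]:
    """Transitive closure of the hierarchy below `role`, including `role` itself."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(HIERARCHY.get(r, set()))
    return seen

def effective_permissions(role: str) -> Set[Permission]:
    """Directly assigned permissions plus those inherited from junior roles."""
    return set().union(*(PERMS.get(r, set()) for r in juniors(role)))

def authorized_roles(user: str) -> Set[str]:
    """Roles the user may activate: assigned roles and everything below them."""
    return set().union(*(juniors(r) for r in USER_ROLES.get(user, set())))

def discover_roles(user: str, op: str, obj: str) -> Dict[str, List[str]]:
    """Find roles that grant (op, obj). 'authorized' lists roles the user can
    activate now, least-privileged first; 'requires_assignment' lists roles the
    user would need to be assigned if no authorized role suffices."""
    need = (op, obj)
    granting = [r for r in HIERARCHY if need in effective_permissions(r)]
    by_privilege = sorted(granting, key=lambda r: (len(effective_permissions(r)), r))
    allowed = [r for r in by_privilege if r in authorized_roles(user)]
    return {
        "authorized": allowed,
        "requires_assignment": [] if allowed else by_privilege,
    }

if __name__ == "__main__":
    print(discover_roles("alice", "read", "ledger"))      # clerk first, then accountant
    print(discover_roles("alice", "read", "audit_log"))   # nothing authorized; suggests auditor
    print(discover_roles("bob", "approve", "budget"))     # cfo
```

Ordering candidates by the size of their effective permission set is one simple way to steer the user toward the least-privileged role that still performs the task; the thesis's own algorithms and their complexity analysis are not reproduced here.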
- Novel Applications: We have developed various applications for demonstrating the applicability of the results obtained in this thesis. i) We have shown how role-based security policies can be supported in web gateways using a smart push-pull approach. ii) We have shown how event operators based on interval-based semantics can be utilized for information filtering. iii) We provided an integrated model for advanced data stream applications that supports not only stream processing but also complicated event and rule processing. We have also shown how the integrated model can be utilized for a network fault management system.
This thesis is a first step in the direction of bridging the gap that currently exists between policy specification and enforcement. By mapping RBAC policies using a framework (event-based in our case) that can be incorporated with the underlying system in various ways (integrated, layered, wrapper-based, and distributed), we have not only extended RBAC to make it more useful, but also shown how the extended specifications can be mapped and enforced. This combination of specification and enforcement using a common framework forms the core contribution of the thesis.
SNOOP EVENT SPECIFICATION: FORMALIZATION, ALGORITHMS, AND IMPLEMENTATION USING INTERVAL-BASED SEMANTICS
Snoop is an event specification language developed for expressing primitive and composite events in Event-Condition-Action rules. A detection-based semantics (using the end time of an event occurrence on the time line) was provided for all the operators in various contexts. This detection-based semantics does not recognize multiple compositions of some operators, especially Sequence, in the intended way. In order to recognize all the Snoop operators in the intended way, the semantics need to include the start time as well as the end time of a composite event (i.e., interval-based semantics).
In this thesis, we formalize the occurrence of Snoop event operators and expressions using interval-based semantics for the recent context. We discuss the changes that are made to the parameter contexts that are needed for detection of Snoop operators in interval-based semantics. We present algorithms to detect all Snoop operators in the recent context and unrestricted context conforming to the interval-based semantics.
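The difference between the two semantics is easiest to see on a nested Sequence. The Python below is an added illustration, not the thesis's formalization or its detection algorithms, and it ignores parameter contexts entirely: it models a Sequence operator once with detection-based semantics (a composite carries only its end time) and once with interval-based semantics (a composite carries its start and end), then evaluates E1;(E2;E3) and (E1;E2);E3 on constructed timestamps where E2 actually happens before E1. The event names and timestamps are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Occurrence:
    """An event occurrence on the time line; primitive events are points (start == end)."""
    name: str
    start: int
    end: int

def primitive(name: str, t: int) -> Occurrence:
    return Occurrence(name, t, t)

SeqOp = Callable[[Occurrence, Occurrence], Optional[Occurrence]]

def seq_detection(left: Occurrence, right: Occurrence) -> Optional[Occurrence]:
    """Detection-based Sequence: only end times are known, so the operator compares
    end times and the resulting composite collapses to the point where it was detected."""
    if left.end < right.end:
        return Occurrence(f"({left.name};{right.name})", right.end, right.end)
    return None

def seq_interval(left: Occurrence, right: Occurrence) -> Optional[Occurrence]:
    """Interval-based Sequence: the left operand must end before the right one starts,
    and the composite spans from the left start to the right end."""
    if left.end < right.start:
        return Occurrence(f"({left.name};{right.name})", left.start, right.end)
    return None

def right_nested(t1: int, t2: int, t3: int, seq: SeqOp) -> Optional[Occurrence]:
    """E1 ; (E2 ; E3) with E1, E2, E3 occurring at t1, t2, t3."""
    inner = seq(primitive("E2", t2), primitive("E3", t3))
    return None if inner is None else seq(primitive("E1", t1), inner)

def left_nested(t1: int, t2: int, t3: int, seq: SeqOp) -> Optional[Occurrence]:
    """(E1 ; E2) ; E3 with E1, E2, E3 occurring at t1, t2, t3."""
    inner = seq(primitive("E1", t1), primitive("E2", t2))
    return None if inner is None else seq(inner, primitive("E3", t3))

if __name__ == "__main__":
    # Constructed order on the time line: E2 at 2, E1 at 5, E3 at 8.
    for label, seq in (("detection-based", seq_detection), ("interval-based", seq_interval)):
        print(f"{label:16} E1;(E2;E3): {right_nested(5, 2, 8, seq)}")
        print(f"{label:16} (E1;E2);E3: {left_nested(5, 2, 8, seq)}")
```

With detection-based semantics, E1;(E2;E3) is reported even though E2 preceded E1, because (E2;E3) is reduced to its detection time 8 and 5 < 8 holds, while the equivalent (E1;E2);E3 is not reported. With interval-based semantics both nestings agree and neither is reported, and when the events really occur in order the composite is reported with the full interval.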