Quantitative access control with partially-observable Markov decision processes

CODASPY : proceedings of the ... ACM conference on data and application security and privacy. ACM Conference on Data and Application Security & Privacy Pub Date : 2012-02-07 DOI:10.1145/2133601.2133623

F. Martinelli, C. Morisset

{"title":"Quantitative access control with partially-observable Markov decision processes","authors":"F. Martinelli, C. Morisset","doi":"10.1145/2133601.2133623","DOIUrl":null,"url":null,"abstract":"This paper presents a novel access control framework reducing the access control problem to a traditional decision problem, thus allowing a policy designer to reuse tools and techniques from the decision theory. We propose here to express, within a single framework, the notion of utility of an access, decisions beyond the traditional allowing/denying of an access, the uncertainty over the effect of executing a given decision, the uncertainty over the current state of the system, and to optimize this process for a (probabilistic) sequence of requests. We show that an access control mechanism including these different concepts can be specified as a (Partially Observable) Markov Decision Process, and we illustrate this framework with a running example, which includes notions of conflict, critical resource, mitigation and auditing decisions, and we show that for a given sequence of requests, it is possible to calculate an optimal policy different from the naive one. This optimization is still possible even for several probable sequences of requests.","PeriodicalId":90472,"journal":{"name":"CODASPY : proceedings of the ... ACM conference on data and application security and privacy. ACM Conference on Data and Application Security & Privacy","volume":"45 1","pages":"169-180"},"PeriodicalIF":0.0000,"publicationDate":"2012-02-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"22","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"CODASPY : proceedings of the ... ACM conference on data and application security and privacy. ACM Conference on Data and Application Security & Privacy","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2133601.2133623","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 22

Abstract

This paper presents a novel access control framework reducing the access control problem to a traditional decision problem, thus allowing a policy designer to reuse tools and techniques from the decision theory. We propose here to express, within a single framework, the notion of utility of an access, decisions beyond the traditional allowing/denying of an access, the uncertainty over the effect of executing a given decision, the uncertainty over the current state of the system, and to optimize this process for a (probabilistic) sequence of requests. We show that an access control mechanism including these different concepts can be specified as a (Partially Observable) Markov Decision Process, and we illustrate this framework with a running example, which includes notions of conflict, critical resource, mitigation and auditing decisions, and we show that for a given sequence of requests, it is possible to calculate an optimal policy different from the naive one. This optimization is still possible even for several probable sequences of requests.

查看原文本刊更多论文

部分可观察马尔可夫决策过程的定量访问控制

本文提出了一种新的访问控制框架，将访问控制问题简化为传统的决策问题，从而使策略设计者能够重用决策理论中的工具和技术。在这里，我们建议在一个框架内表达访问效用的概念，超越传统允许/拒绝访问的决策，执行给定决策效果的不确定性，系统当前状态的不确定性，并针对(概率)请求序列优化此过程。我们展示了包含这些不同概念的访问控制机制可以被指定为(部分可观察的)马尔可夫决策过程，我们用一个运行的例子说明了这个框架，其中包括冲突、关键资源、缓解和审计决策的概念，我们展示了对于给定的请求序列，有可能计算出不同于原始策略的最佳策略。即使对于几个可能的请求序列，这种优化仍然是可能的。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

CODASPY : proceedings of the ... ACM conference on data and application security and privacy. ACM Conference on Data and Application Security & Privacy

自引率

0.00%

发文量