Markov anomaly modeling for trust management in variable threat environments

Trust Management (TM) systems are frameworks for managing security in decentralized environments. Recently two TM systems were presented that support authorization in variable-threat environments: the first one deals with unanticipated network activities, the second with unanticipated user behavior. A trust agent is used to monitor the threat levels in each domain of the system. When the level is elevated, access to resources may be revoked, independently of other trust mechanisms that may apply (based on discretionary or mandatory controls). When the threat level is later lowered, services get restored---this is termed rollback access. In this paper we explore the application of Markov chains and hidden Markov models to trace anomalous domain and/or user behavior. Our model for TM in variable-threat environments provides for real-time proactive system defenses, based on anomalous behavior. Such behavior is not necessarily caused by adversarial actions: it is triggered by atypical behavior during a certain time-period. This is because with security critical applications it is not always possible to distinguish malicious from atypical behavior---of course our model also defends against malicious behavior that can be identified (using Intrusion Detection mechanisms). Our approach supports a new control layer, the Threat Level Control (TLC) layer, above the existing MAC and DAC layers, and implements a novel real-time Markov stochastic anomaly analyzer that defends system resources by using threat level controls. This work is part of ongoing research to develop dynamic, real-time trigger mechanisms for rollback-access Trust Management systems.