There are many different types of access control models utilised in computing systems, which offer different properties in regard to policy administration and enforcement. Mandatory Access Control (MAC) is suited to safety-critical systems whereby a central authority administers and enforces the policy. The properties of MAC make it suitable for use in military systems (Ray and Kumar 2006). Role-Based Access Control (RBAC) systems enable the restriction of access based on a user’s role within the host organisation, such as management, finance, etc. (Sandhu et al. 1996). Discretionary Access Control (DAC) requires administration and the enforcement of access control on a per-user basis. A central feature of DAC is that resource owners can assign permissions to other users at their discretion. Researchers have studied the safety and complexity of DAC systems and developed algorithms for determining safety (Li and Tripunitara 2005).
A commonality across all of these systems is that the user receives an effective permission, which is essentially the resolved permission on a given resource, accounting for role inheritance, conflicts, etc. This work is motivated by end-user challenges in analysing access control systems; thus, we are interested in obtaining the effective permission, irrespective of which access control model is used. The reader should note that this research was motivated by the challenges faced in analysing Microsoft’s NTFS file system permissions, which is a DAC system combined with MAC; the combination of the two enables the creation of flexible policies, which can be used to represent an RBAC system.
In this section, the effective permission model is presented. The objects (also known as resources), \(OBJECTS = \{o_1,o_2,\ldots o_n\}\), represent components within the system that require controlled access. An object could, for example, be a file system resource, a printer, a software service, etc. The users, \(USERS = \{u_1,u_2,\ldots ,u_n\}\), represent those interacting with the system and are granted their respective permissions. For example, a user could be a person, a process, etc. The level of permission, P, will often be described by a series of permission attributes, \(PERMS = \{p_1,p_2,\ldots ,p_n\}\). The individual permissions will differ depending on the underlying access control system. In this paper, we are not concerned with how the permissions are allocated to the user, and we assume that the access control system provides a mechanism to determine a user’s effective permission on an object. The effective permission is the relationship set:
which is the set of user-role assignments. While conducting an audit, all effective permissions are calculated by considering all user and object permutations; however, entries are not created where there is no implemented permission on an object for a given user.
Each user within the system is assigned a trust value, which is a numeric score between 0 and 1. Similarly, each object is assigned a sensitivity value. Each permission is also assigned a power rating, which is likewise a score between 0 and 1 reflecting the capability of the permission. The combination of these three values is then used to calculate a final risk rating.
The user-permission-object (UPO) mapping is a set of items of the form \((u,p,o),\mu (u,p,o)\), where \(u \in USERS\), \(p \in PERMS\), and \(o \in OBJECTS\). The function \(\mu (u,p,o)\rightarrow [0,1]\) is expressed on the real unit interval between 0 and 1. It represents the final risk rating, calculated using \(\mu (u)\), \(\mu (p)\), \(\mu (o)\), which are the real unit-interval scores for user trust, permission power, and object sensitivity, respectively.
When considering these values in establishing an overall risk rating (\(\mu (u,p,o)\)), it is important to consider the threshold at which a regular permission is identified as irregular and warrants further investigation. As an illustrative aid, Fig. 1a details the binary relationship of whether a user is trustworthy or not based on a threshold of 0.75. Figure 1b illustrates where a resource is deemed to be sensitive at a threshold of 0.8. Although these thresholds are arbitrary for the example, the figures do demonstrate that these two measures (trust and sensitivity) are based on binary classification. Using these two values together can help determine whether an effective permission puts the underlying object at risk.
Fuzzification
Although evaluating an effective permission’s risk rating against a threshold is somewhat useful, it does not adequately describe the relationship between a user’s trustworthiness and an object’s sensitivity. More specifically, the binary representation, which determines that the metrics are either true or false (0 or 1), lacks sufficient expressiveness. For example, a user does not go from being trustworthy to untrustworthy precisely at the threshold, largely due to the uncertainty in estimation. In practice, a fuzzy representation models the relationships more accurately. Figure 2a illustrates a fuzzy relationship for user trust and Fig. 2b for object sensitivity. It is evident that although the same arbitrary thresholds are used as in the binary classification example (0.75 for trust and 0.8 for sensitivity), the classification is no longer binary, and partial truth, i.e., a user having lower trust but not being completely untrustworthy, is adequately modelled. In this work, we utilise a trapezoidal function to model the different sets. In terms of the coverage of the trapezoidal function, 0 to 0.2 occupies the left ascending section, 0.2 to 0.8 the flat middle section, and 0.8 to 1.0 the descending right section.
The example in Fig. 2 does represent the cross-over relationship between a user being trustworthy and data being sensitive. It also represents only two potential classes for both trust and sensitivity; however, it is widely acknowledged that there are many levels of trust and sensitivity (Mhetre et al. 2016). In this paper, we adopt an incremental hierarchy of trust, meaning that a user must meet the criteria of one level before they can progress to the next. We adopt the classification demonstrated in the Nielsen Norman Group report Hierarchy of Trust: The 5 Experiential Levels of Commitment (Sherwin 2016), which is built upon Abraham Maslow’s hierarchy of needs (McLeod 2007). The specific five levels of trust are widely adopted as the pyramid of trust, and a sixth level is introduced here to represent that no trust has yet been established. The pyramid is typically used from a user’s perspective, but the viewpoint is changed in this work to that of the employer, system or data owner. The trust levels are:
1. No trust, as trust has yet to be established for the specific user. For example, this could be a new user who has not yet gone through basic IT training to ensure they understand the organisation’s expectations of computer use.
2. Baseline relevance and trust that needs can be met. For example, this could mean that a user has some knowledge of data sensitivity concerning the organisation’s activities and has undertaken basic training.
3. Preferential trust over other options is where a user can determine the most applicable actions to take in regards to correct system use, i.e., they can make conscious decisions to ensure correct system and resource use.
4. Can be trusted with personal information is where the users have demonstrated, with a proven track record, that they are trustworthy with personal data within the system.
5. Can be trusted with sensitive information is where users can be trusted with resources of a sensitive nature, for example, business-critical documentation.
6. Committed to an ongoing trust relationship means that users have demonstrated that they will always act responsibly and in the best interest of the organisation, respecting resource trust.
In terms of sensitivity, five levels of sensitivity are used in this paper. Although it is possible to establish many levels of sensitivity, a five-tier hierarchy is adopted to avoid introducing unnecessary complications by having too many levels. Researchers have proposed the use of resource sensitivity levels in access control systems, authentication and authorisation services (Gaddam et al. 2014). However, although all the published material describes and presents the use of sensitivity levels, it does not explicitly define what levels are to be used. In one recent article, the authors describe that resource sensitivity is identified based upon usage patterns of resources, without any prior knowledge of the resource’s content (Park et al. 2016). Unfortunately, the fine detail of their approach is not available. Other research and guidance uses the phrase ‘Data Classification’ for placing data into different classes of sensitivity, based on factors such as its usage (Shaikh and Sasikumar 2015; Lu et al. 2015). In previous research, authors have mined sensitivity levels in a large commercial infrastructure, arriving at 11 clearly separate sensitivity levels based on text analysis and document content (Park et al. 2011). A common aspect of these works is that they classify resource sensitivity into discrete levels. For this research, the following five levels of resource sensitivity are adopted:
1. Unclassified means that the data has no sensitivity classification, which could be either through no prior consideration or a deliberate assignment that the resource does not need to be classified. This could, for example, be data that is already in the public domain, such as marketing information.
2. Normal represents resources that are not sensitive, yet there should remain a basic level of access control to minimise taking unnecessary risk.
3. Moderately sensitive resources are those that should have their access controlled, but are neither business-critical nor require rigorous enforcement.
4. Highly sensitive resources need strict access control which should be rigorously enforced and monitored. An example of such resources could be an organisation’s employee personal data, which must not be released outside of the organisation.
5. Ultra-sensitive is where the sensitivity of a resource is such that it cannot and must not be viewed by any user without the necessary permissions. This could, for example, be legal data that is access protected to ensure a legal case is not put into jeopardy.
Fig. 3a, b both provide a graphical illustration of how the different trust and sensitivity levels are modelled. The final contributor to the overall risk value is the permission itself. In this paper, an approach is adopted whereby individual permission attributes have an associated power rating, which is used to assess the potential impact of a user’s permission. For example, a delete permission would be rated high, whereas the ability to read permission attributes would be rated low. Other researchers have utilised a permission rating alongside user trust and resource sensitivity; for example, in one piece of work, a game-theory approach is taken using user trust and permission risk (Helil et al. 2017).
In this work, a three-level hierarchy of power ratings is adopted, represented by the linguistic terms low, medium, and high. Figure 3c provides a graphical illustration of the three levels and how they are represented in the fuzzy system. The adopted approach is similar to that presented in other research, where permission risk has been successfully modelled into three discrete levels (Rahmati et al. 2018). In terms of accumulating attribute power ratings, the power rating is calculated on the effective permission, and the most expressive (highest) power rating among its attributes is used. For example, a power rating of high is used if the user can read, write, and delete. The following list explains the three levels of power rating used in this research:
1. Low represents permissions that are of little security concern with regard to the underlying data. This could, for example, be the ability to read a resource’s permission attributes.
2. Medium represents permissions that are a security concern but are not likely to cause a security-related incident should the user remain trustworthy. An example could be the ability to read the resource’s contents.
3. High power represents permissions that have great potential to impact the resource in terms of confidentiality, integrity, and availability (CIA). An example is the ability to change a resource’s security permissions.
The graphical representations presented in Fig. 3a, b demonstrate the overlap between the different levels of trust and sensitivity. When the continuous values of trust and sensitivity are processed by the system, it is necessary to determine which set they reside within and thus fuzzify the continuous value into a linguistic representation. Fuzzification is the process of converting these numeric input variables to linguistic representations. In the proposed system, fuzzification is performed as described in the following subsections.
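As an added example (not the paper's own code), the following Python fuzzifies a crisp trust, sensitivity or power score into the linguistic levels listed above using trapezoidal membership functions. The breakpoints are an assumption, since Fig. 3 is not reproduced here: each level is an evenly spaced trapezoid that overlaps its neighbours, and the level names are short labels for the hierarchies above.

```python
# Added example (not the paper's own code): trapezoidal fuzzification of the
# three crisp inputs into the linguistic levels defined above.
# ASSUMPTION: the paper does not give the breakpoints of Fig. 3, so each level
# here is an evenly spaced trapezoid that overlaps its neighbours.

def trapezoid(x, a, b, c, d):
    """Membership of x: rises from a to b, flat (1.0) from b to c, falls c to d."""
    if x <= a or x >= d:
        return 0.0
    if b <= x <= c:
        return 1.0
    if x < b:
        return (x - a) / (b - a)
    return (d - x) / (d - c)


def level_sets(names):
    """Build one trapezoid per level (assumed layout): centres evenly spaced on
    [0, 1], flat for a quarter spacing either side of the centre, zero one full
    spacing away, so neighbouring levels share a partial-truth region."""
    spacing = 1.0 / (len(names) - 1)
    flat = spacing / 4
    sets = {}
    for i, name in enumerate(names):
        centre = i * spacing
        sets[name] = (centre - spacing, centre - flat, centre + flat, centre + spacing)
    return sets


# Linguistic levels from the paper; the first three trust labels are spelled as
# in its example rules, the rest are short labels for the remaining levels.
TRUST = level_sets(["Notrust", "Baseline", "Preferential", "Personal", "Sensitive", "Committed"])
SENSITIVITY = level_sets(["Unclassified", "Normal", "Moderate", "Highly", "Ultra"])
POWER = level_sets(["Low", "Medium", "High"])


def fuzzify(x, sets):
    """Degree of membership of the crisp score x in every level of a hierarchy."""
    return {name: trapezoid(x, *params) for name, params in sets.items()}


def linguistic(x, sets):
    """Level with the strongest membership: the label an audit report would print."""
    memberships = fuzzify(x, sets)
    return max(memberships, key=memberships.get)


if __name__ == "__main__":
    # The paper's worked record: trust 0.83, sensitivity 0.80, permission power 1
    for label, score, sets in (("trust", 0.83, TRUST),
                               ("sensitivity", 0.80, SENSITIVITY),
                               ("power", 1.0, POWER)):
        print(label, score, "->", linguistic(score, sets), fuzzify(score, sets))
```

With these assumed breakpoints the paper's record (0.83, 0.80, 1) lands on Sensitive, Highly and High, while the trust score 0.83 also has a partial membership of about 0.2 in Committed, which the binary threshold of Fig. 1 cannot express.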
Fuzzy inference process
The first stage is to use the input variables (trust, sensitivity, and power rating) to determine an overall risk rating. Risk is defined as a continuous numeric value in the same way as the trust, sensitivity, and power values. However, to specify the membership functions and model the fuzzy system using linguistic terms, it is necessary to define the levels of risk. In this work, three levels of risk have been defined, and these are:
- Low risk is where trustworthy users are interacting with resources of a low sensitivity and have a low permission power. Therefore, their permission poses little risk.
- Medium risk is where a user with anything other than the highest level of trust is interacting with resources with a moderate sensitivity. Such instances of medium risk may warrant further investigation depending on the organisation’s tolerance to risk.
- High risk is where users with low levels of trust can access resources with high sensitivity levels. Permissions that are of high risk are those that require further analysis.
The implemented system utilises a risk matrix detailing the relationship between trust, sensitivity, and permission power inputs and the risk output value. Figure 4 provides a graphical illustration of the final risk rating and the contributing resource sensitivity, permission risk and user trust. Risk is shown by the shade of colour (green low-risk to red for high-risk). In this risk model, there are 6 levels of trust, 5 levels of sensitivity, 3 levels of permission power. In total, this would result in 90 linguistic if-then rules. For example, using the table in conjunction with the previously described levels of sensitivity and trust would result in the following three example rules:
- IF (Notrust & Unclassified & High) THEN risk = high
- IF (Baseline & Unclassified & Medium) THEN risk = medium
- IF (Preferential & Unclassified & Low) THEN risk = low
Defuzzification
The final stage of the fuzzy process is to convert the linguistic rule outputs back to a single crisp output, which is the measure of risk. In the presented technique, the Mean of Maxima method is implemented (Patyra and Mlynek 2012). In this method, the defuzzified value is taken as the element with the highest membership value. When more than one element has the maximum membership value, the mean of those maxima is taken.
The process adopted is as follows: let I be a fuzzy set with membership function \(\varphi (x)\) defined over \(x \in X\), where X is a universe of discourse. The defuzzified value, \(x^*\), of the fuzzy set is defined as:
$$\begin{aligned} x^* = \frac{\sum_{x_{i}\in M} x_{i}}{\vert M \vert } \end{aligned}$$
(2)
Here, \(M = \{x_i \mid \varphi (x_i) = \max_{x \in X} \varphi (x)\}\) is the set of elements whose membership equals the height of the fuzzy set I, and \(\vert M \vert\) is the cardinality of the set M.
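The following is an added example (not the paper's own code) that evaluates the three example rules given above and defuzzifies the result with the Mean of Maxima of Eq. (2). It assumes min for the rule conjunction and max for aggregating the clipped output sets (Mamdani style), and the discrete low/medium/high output sets over an 11-point risk universe are constructed for illustration; the paper does not give them.

```python
# Added example (not the paper's own code): Mamdani-style evaluation of the
# three example rules above, then Mean of Maxima defuzzification (Eq. 2).
# ASSUMPTIONS: min for the rule conjunction, max for aggregation, and the
# discrete output sets below, which are constructed for illustration.

RISK_X = [i / 10 for i in range(11)]  # discrete universe of discourse X for risk
# Constructed membership of each point of RISK_X in the three output sets
RISK_SETS = {
    "low":    [1, 1, 1, .5, 0, 0, 0, 0, 0, 0, 0],
    "medium": [0, 0, 0, .5, 1, 1, 1, .5, 0, 0, 0],
    "high":   [0, 0, 0, 0, 0, 0, 0, .5, 1, 1, 1],
}

# The three rules quoted in the text: (trust, sensitivity, power) -> risk
RULES = [
    (("Notrust", "Unclassified", "High"), "high"),
    (("Baseline", "Unclassified", "Medium"), "medium"),
    (("Preferential", "Unclassified", "Low"), "low"),
]


def fire(rules, trust, sensitivity, power):
    """Firing strength per consequent: min over a rule's antecedent memberships,
    max across rules sharing a consequent. Inputs are dicts of level -> membership
    as a fuzzifier would produce; a level that is absent has membership 0."""
    strengths = {}
    for (t, s, p), out in rules:
        w = min(trust.get(t, 0.0), sensitivity.get(s, 0.0), power.get(p, 0.0))
        strengths[out] = max(strengths.get(out, 0.0), w)
    return strengths


def aggregate(strengths):
    """Clip each output set at its firing strength and union them with max."""
    return [max([min(w, RISK_SETS[out][i]) for out, w in strengths.items()] + [0.0])
            for i in range(len(RISK_X))]


def mean_of_maxima(phi):
    """Eq. (2): M = {x_i : phi(x_i) = height of the set}, x* = sum(M) / |M|.
    If no rule fired, phi is all zero, every point is a maximum, x* = 0.5."""
    height = max(phi)
    maxima = [x for x, m in zip(RISK_X, phi) if m == height]
    return sum(maxima) / len(maxima)


def risk(trust, sensitivity, power):
    return mean_of_maxima(aggregate(fire(RULES, trust, sensitivity, power)))


if __name__ == "__main__":
    # Constructed fuzzified inputs: a mostly baseline user, an unclassified
    # object, and a permission whose power lies between medium and high
    print(risk({"Notrust": 0.2, "Baseline": 0.8}, {"Unclassified": 1.0},
               {"Medium": 0.7, "High": 0.3}))  # 0.5
```

In the constructed case the medium rule fires at 0.7 and the high rule at 0.2, so the aggregated set peaks at 0.7 over three points (0.4, 0.5, 0.6) and the mean of those maxima is 0.5, the situation Eq. (2) is written for.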
The following presents an example output from using this technique for file system access controls:
- Administrator, 0.83, Research\Homes2, 0.80, 1, 0.5
These values constitute the following comma-separated values in order: the username, user trust value, object name, object sensitivity value, permission risk value, and final risk classification.
Note that in the aforementioned example, user trust, object sensitivity, and permission risk have been converted into percentages. For example, user trust of 0.83 is 5 (sensitive), object sensitivity of 0.8 is 4 (highly), and a permission risk score of 1 is 3 (high). The output score is 0.5, which is 2 (medium risk) as the user has a high level of trust on resources of high sensitivity.