Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Skip to main content
Springer Nature Link
Log in

Access Control Requirements for Preventing Insider Threats

  • Conference paper
Intelligence and Security Informatics (ISI 2006)

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 3975))

Included in the following conference series:

Abstract

Today the Intelligence Community (IC) has faced increasing challenges of insider threats. It is generally accepted that the cost of insider threats exceeds that of outsider threats. Although the currently available access control approaches have a great potential for preventing insider threats, there are still critical obstacles to be solved, especially in large-scale computing environments. In this paper we discuss those requirements with respect to scalability, granularity, and context-awareness. For each requirement we discussed related problems, techniques, and basic approaches to the corresponding countermeasures. Detailed solutions and implementations are not described in this paper.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Anderson, R.H.: Research and development initiatives focused on preventing, detecting, and responding to insider misuse of critical defense information systems. In: Workshop at RAND, Santa Monica, CA (1999)

    Google Scholar 

  2. Brackney, R.C., Anderson, R.H.: Understanding the insider threat. In: ARDA (The Advanced Research and Development Activity) Workshop (2004)

    Google Scholar 

  3. Hayden, M.V.: The insider threat to U.S. government information systems. Technical report, National Security Telecommunications and Information Systems Security Committee (NSTISSAM), INFOSEC 1-99 (1999)

    Google Scholar 

  4. Park, J.S., Costello, K.P., Neven, T.M., Diosomito, J.A.: A composite RBAC approach for large, complex organizations. In: The 9th ACM Symposium on Access Control Models and Technologies (SACMAT), Yorktown Heights, NY (2004)

    Google Scholar 

  5. Lamson, B.W.: Protection. In: The 5th Princeton Symposium in Information Sciences and Systems, pp. 437–443. Princeton University, Princeton (1971)

    Google Scholar 

  6. Graham, G.S., Denning, P.: Protection principles and practice. In: AFIPS Spring Joint Computer Conference, Montvaler, NJ (1972)

    Google Scholar 

  7. Harrison, M.H., Ruzzo, W.L., Ullman, J.D.: Protection in operating systems. Communications of the ACM 19(8), 461–471 (1976)

    Article  MATH  MathSciNet  Google Scholar 

  8. Sandhu, R.S.: The typed access matrix model. In: IEEE Symposium on Research in Security and Privacy, Oakland, CA, pp. 122–136 (1992)

    Google Scholar 

  9. Bell, D., Lapadula, L.: Secure computer systems: Mathematical foundations. Technical report, The MITRE Corporation, Bedford, MA, MTR-2547 (1973)

    Google Scholar 

  10. Ferraiolo, D.F., Sandhu, R.S., Gavrila, S., Kuhn, D.R., Chandramouli, R.: Proposed nist standard for role-based access control. ACM Transactions on Information and System Security (TISSEC) 4(3), 224–274 (2001)

    Article  Google Scholar 

  11. National Institute of Standards and Technology (NIST): The economic impact of role-based access control, Planning Report 02-1 (2002)

    Google Scholar 

  12. Sandhu, R., Coyne, E., Feinstein, H., Youman, C.: Role-based access control models. IEEE Computer 29(2) (1996)

    Google Scholar 

  13. Thomas, R.K., Sandhu, R.S.: Task-based authorization control (TBAC): a family of models for active and enterprise-oriented authorization management. In: IFIP WG11.3 Workshop on Database Security, Vancouver, Canada (1997)

    Google Scholar 

  14. Ammann, P., Sandhu, R.S.: The extended schematic protection model. Journal of Computer Security 1(3-4), 335–383 (1992)

    Google Scholar 

  15. Li, N., Mitchell, J.C., Winsborough, W.H.: Beyond proof-of-compliance: Safety and availability analysis in trust management. In: IEEE Symposium on Research in Security and Privacy, Oakland, CA, pp. 123–139 (2003)

    Google Scholar 

  16. Minsky, N.H.: Selective and locally controlled transport of privileges. ACM Transactions on Programming Languages and Systems 6(4), 573–602 (1984)

    Article  MATH  Google Scholar 

  17. Bertino, E., Catania, B., Ferrari, E., Perlasca, P.: A logical framework for reasoning about access control models. ACM Transactions on Information and System Security (TISSEC) 6(1), 71–127 (2003)

    Article  Google Scholar 

  18. Bertino, E., Jajodia, S., Samarati, P.: A flexible authorization mechanism for relational data management systems. ACM Transactions on Information and System Security (TISSEC) 17(2), 101–140 (1999)

    Google Scholar 

  19. Jajodia, S., Samarati, P., Subrahmanian, V.S.: A logical language for expressing authorizations. In: IEEE Symposium on Research in Security and Privacy, Oakland, CA, pp. 31–42 (1997)

    Google Scholar 

  20. Park, J.S., Sandhu, R.: RBAC on the web by smart certificates. In: The 4th ACM Workshop on Role-Based Access Control (RBAC), Fairfax, VA (1999)

    Google Scholar 

  21. Park, J.S., Sandhu, R., Ahn, G.J.: Role-based access control on the web. ACM Transactions on Information and System Security (TISSEC) 4(1), 207–226 (2001)

    Article  Google Scholar 

  22. Park, J.S., Sandhu, R., Ghanta, S.: RBAC on the Web by secure cookies. In: The 13th IFIP WG 11.3 Working Conference on Database Security, Seattle, WA (1999)

    Google Scholar 

  23. Park, J.S., Giordano, J.: Role-based profile analysis for scalable and accurate insider-anomaly detection. In: IEEE Workshop on Information Assurance (WIA), Phoenix, AZ (2006)

    Google Scholar 

  24. Park, J.S., Ho, S.M.: Composite role-based monitoring (CRBM) for countering insider threats. In: Symposium on Intelligence and Security Informatics (ISI), Tucson, AZ (2004)

    Google Scholar 

  25. Berners-Lee, T., Hendler, J., Lassila, O.: The semantic web. Scientific American 284(5), 34–43 (2001)

    Article  Google Scholar 

  26. Hendler, J., Berners-Lee, T., Miller, E.: Integrating applications on the semantic web. Journal of the Institute of Electrical Engineers of Japan 122(10), 676–680 (2002)

    Google Scholar 

  27. Lassila, O.: Web metadata: a matter of semantics. IEEE Internet Computing 2(4), 30–47 (1998)

    Article  Google Scholar 

  28. Park, J.S.: Towards secure collaboration on the semantic web. ACM Computers and Society 32(6) (2003)

    Google Scholar 

  29. Bertino, E., Ferrari, E.: Secure and selective dissemination of XML documents. ACM Transactions on Information and System Security (TISSEC) 5(3), 290–331 (2002)

    Article  Google Scholar 

  30. Bertino, E., Ferrari, E., Squicciarini, A.C.: Trust-X: A peer-to-peer framework for trust establishment. IEEE Transactions on Knowledge and Data Engineering 16(7), 827–842 (2004)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Syracuse University, Syracuse, NY, 13244-4100, USA

    Joon S. Park

  2. Information Directorate, Air Force Research Laboratory (AFRL), Rome, NY, 13441-4505, USA

    Joseph Giordano

Authors
  1. Joon S. Park
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Joseph Giordano
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. School of Information and Computer Science, University of California, Irvine

    Sharad Mehrotra

  2. MIS Department, University of Arizona, 85721, Tucson, AZ, USA

    Daniel D. Zeng

  3. Department of Management Information Systems, Eller College of Management, The University of Arizona, 85721, AZ, USA

    Hsinchun Chen

  4. University of Texas at Dallas,  

    Bhavani Thuraisingham

  5. Chinese Academy of Sciences, 100190, Beijing, China

    Fei-Yue Wang

Rights and permissions

Reprints and permissions

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Park, J.S., Giordano, J. (2006). Access Control Requirements for Preventing Insider Threats. In: Mehrotra, S., Zeng, D.D., Chen, H., Thuraisingham, B., Wang, FY. (eds) Intelligence and Security Informatics. ISI 2006. Lecture Notes in Computer Science, vol 3975. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11760146_52

Download citation

  • DOI: https://doi.org/10.1007/11760146_52

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-34478-0

  • Online ISBN: 978-3-540-34479-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation