Risk-Aware Fine-Grained Access Control in Cyber-Physical Contexts

TL;DR

This paper introduces RASA, a machine learning-based approach for dynamic, risk-aware access control in cyber-physical environments, demonstrated through healthcare data, achieving over 99% consistency with heuristic policies.

Contribution

RASA is a novel, unsupervised method that automatically infers risk-based authorization boundaries using context data, enhancing security policy adaptability in cyber-physical settings.

Findings

RASA achieves over 99% consistency with heuristic policies.

Coupling features effectively reveal risk levels and inform access decisions.

The approach adapts to dynamic environments by analyzing context-specific risks.

Abstract

Access to resources by users may need to be granted only upon certain conditions and contexts, perhaps particularly in cyber-physical settings. Unfortunately, creating and modifying context-sensitive access control solutions in dynamic environments creates ongoing challenges to manage the authorization contexts. This paper proposes RASA, a context-sensitive access authorization approach and mechanism leveraging unsupervised machine learning to automatically infer risk-based authorization decision boundaries. We explore RASA in a healthcare usage environment, wherein cyber and physical conditions create context-specific risks for protecting private health information. The risk levels are associated with access control decisions recommended by a security policy. A coupling method is introduced to track coexistence of the objects within context using frequency and duration of coexistence, and these are clustered to reveal sets of actions with common risk levels; these are used to create authorization decision boundaries. In addition, we propose a method for assessing the risk level and labelling the clusters with respect to their corresponding risk levels. We evaluate the promise of RASA-generated policies against a heuristic rule-based policy. By employing three different coupling features (frequency-based, duration-based, and combined features), the decisions of the unsupervised method and that of the policy are more than 99% consistent.