Towards Learning Risk Estimation Functions for Access Control *

Luke Dickens and Alessandra Russo (Imperial College), Pau-Chen Cheng and Jorge Lobo (IBM Watson Research Center)
{lwd03,ar3}@doc.ic.ac.uk, {pau,jlobo}@us.ibm.com

Thursday 11th February, 2010

Summary

The security of access and information flow carries with it the risk that resources will be misused, intentionally or accidentally. Static Access Control (AC) policies based on qualitative judgements are insufficient for scenarios where roles and access requirements are subtle and change frequently. We propose using quantified risk and benefit estimates in the design and management of AC policies. The first step is to build models for estimating risk and benefit. Many factors may affect risk and benefit, and the relationship among them and their impacts are usually complex and hard to determine analytically. Therefore we decided to use machine learning techniques to learn the models from AC data. Due to the sensitive and evolving nature of real AC data, we must generate synthetic data to begin demonstrating the efficacy of our approach. Given that no set of AC data could cover all possibilities, we must also show that the models learned can be applied to data outside the training sets. We start examining these problems by first creating a parametrised simulation model, designed to capture certain properties related to the risk and benefit of information transfer, including how risk aggregates over time. We then explore how different choices of the model parameters affect our ability to predict this risk, and describe some preliminary results of transferring learning between different instantiations of the model.

Motivation

Access control has traditionally focused on static sets of roles, and this implies a fixed mapping from users to permissions.
The JASON report [7] indicated that this approach is too rigid for modern organisations and leads to a particularly risk-averse approach to resource sharing, whereas improved yet secure resource sharing is a balance between risk and benefit. Current AC models and policies, such as MLS/Bell-LaPadula, RBAC, ACL, etc., provide certain structures that allow some control over how resources are managed, but with no quantitative measures by which they can be evaluated [2]. These approaches fix accesses and do not adapt to changing circumstances. Other more recent approaches [2, 9] have tried to address this by showing how assessments of trust or risk might be incorporated into AC policies, allowing them to represent more justifiable behaviour, but these assessments and how they contribute to decisions are explicitly coded into the system. [5] and [6] show how policies might be inferred automatically by mining datasets of contextualised AC decisions and AC settings. These results depend on two factors: that good policies (those that we would like to replicate) are used in practice, and that detailed logs of these decisions and their associated context are available for training. Here, instead of mining decisions made in order to infer policy, we wish to predict the likelihood of subsequent damage or benefit associated with AC decisions. If we can predict the risk of damage and the future benefit associated with some AC decision in some context, then we can either develop new AC models and base access decisions on those predictions, or provide a human decision maker with the tools to make an informed choice.

Models

The problem is how to verify our hypothesis; we cannot know the future and are unlikely to be given access to current and relevant data. Instead we are creating an experimental environment in which we run simulations that are intended to be abstract representations of real situations.
The intention is that we learn on these abstractions, and then map this learning into a form that can be used to support or make decisions in the related real-world scenario. We have started with a relatively simple simulation environment and picked a learning methodology to predict risk. Our aim is to expand the simulation environment, experiment with different learning methodologies and transfer results from simpler to more complex scenarios. A simulation is unlikely to be rich enough to capture all of the details that can influence a real-life situation: there are too many factors, and we cannot be sure that these models are sufficiently accurate and suitably representative of the situation they abstract. However, humans have shown themselves to be very good at abstractly representing real-life scenarios. Trainees are regularly tested in abstracted and simplified games before being allowed to practise in the real world; for example, surgeons are trained on software [3], as are pilots [1], and soldiers regularly play war-games and may even use abstracted models for mission planning [4]. Our natural intuition when building such abstractions is that we are discarding unnecessary information, while retaining important features of the underlying structure of the problem.

* This research is continuing through participation in the International Technology Alliance sponsored by the U.S. Army Research Laboratory and U.K. Ministry of Defence.
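The workflow sketched above (a parametrised simulator of access events, a risk estimator learned from the simulator's output, and a check of whether that estimator carries over to a differently parametrised instance of the same simulator) is illustrated by the following added example. It is not the authors' simulation environment or code: the simulator, its parameter names (w_sens, w_distrust, w_exposure, bias, decay), the three features, the logistic form of the hidden ground truth and the two parameter sets are all assumptions constructed for this example.

```python
import numpy as np

# Constructed parameter sets for two instantiations of the hypothetical simulator.
# The "source" instance produces training data; the "target" instance weights the
# same factors differently and is used only to test transfer of the learned model.
SOURCE_PARAMS = dict(n_users=20, w_sens=4.0, w_distrust=4.0, w_exposure=1.0, bias=6.0, decay=0.8)
TARGET_PARAMS = dict(n_users=20, w_sens=6.0, w_distrust=2.0, w_exposure=1.0, bias=6.0, decay=0.8)


def simulate(params, n_events, seed):
    """Generate (features, damage label) for a stream of granted accesses.

    Each event: a user with a fixed trust level is granted a resource of some
    sensitivity. Whether damage follows is drawn from a logistic model of the
    resource sensitivity, the user's distrust (1 - trust) and the user's
    accumulated exposure: a decayed running sum of the sensitivities granted
    to that user so far, which is how this toy model makes risk aggregate over
    time. The weights are the simulator's hidden ground truth; the learner
    only sees the three features and the outcome.
    """
    rng = np.random.default_rng(seed)
    trust = rng.uniform(0.0, 1.0, params["n_users"])
    exposure = np.zeros(params["n_users"])
    X = np.zeros((n_events, 3))  # columns: sensitivity, trust, exposure
    y = np.zeros(n_events)       # 1.0 if damage followed the grant
    for t in range(n_events):
        u = rng.integers(params["n_users"])
        sens = rng.uniform(0.0, 1.0)
        X[t] = (sens, trust[u], exposure[u])
        logit = (params["w_sens"] * sens
                 + params["w_distrust"] * (1.0 - trust[u])
                 + params["w_exposure"] * exposure[u]
                 - params["bias"])
        y[t] = rng.random() < 1.0 / (1.0 + np.exp(-logit))
        exposure[u] = params["decay"] * exposure[u] + sens
    return X, y


def train_risk_model(X, y, lr=0.1, steps=5000):
    """Fit a logistic risk estimator by batch gradient descent (numpy only).

    Returns weights for [sensitivity, trust, exposure, intercept].
    """
    Xb = np.hstack([X, np.ones((len(X), 1))])
    w = np.zeros(Xb.shape[1])
    for _ in range(steps):
        p = 1.0 / (1.0 + np.exp(-Xb @ w))
        w -= lr * Xb.T @ (p - y) / len(y)
    return w


def predict_risk(w, X):
    """Estimated probability of damage for each access in X."""
    Xb = np.hstack([X, np.ones((len(X), 1))])
    return 1.0 / (1.0 + np.exp(-Xb @ w))


def accuracy(w, X, y):
    """Fraction of events whose damage/no-damage outcome is predicted correctly."""
    return float(np.mean((predict_risk(w, X) > 0.5) == y))


def transfer_experiment(n_events=3000):
    """Train on the source instance, test on a held-out source run and on the target instance."""
    Xs, ys = simulate(SOURCE_PARAMS, n_events, seed=1)
    Xs_test, ys_test = simulate(SOURCE_PARAMS, n_events, seed=2)
    Xt, yt = simulate(TARGET_PARAMS, n_events, seed=3)
    w = train_risk_model(Xs, ys)
    return {
        "weights": w,
        # Majority-class rate is the baseline an estimator must beat to be useful.
        "source_majority": float(max(ys_test.mean(), 1.0 - ys_test.mean())),
        "source_accuracy": accuracy(w, Xs_test, ys_test),
        "target_majority": float(max(yt.mean(), 1.0 - yt.mean())),
        "target_accuracy": accuracy(w, Xt, yt),
    }


if __name__ == "__main__":
    for k, v in transfer_experiment().items():
        print(k, v)
```

The exposure feature is what lets the learned function express risk that aggregates over repeated grants to the same user, and the learned weights should come out positive for sensitivity and exposure and negative for trust, matching the hidden ground truth's signs. Comparing target_accuracy with target_majority is the transfer check: a model that only reproduced the source instance's base rate would sit at the majority baseline, whereas one that has picked up the structure shared by both instantiations stays clearly above it.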