Towards quantitative analysis of proofs of authorization

Applications, framework, and techniques

J. Lee Adam, Ting Yu

Research output: Chapter in Book/Report/Conference proceedingConference contribution

2 Citations (Scopus)

Abstract

Although policy compliance testing is generally treated as a binary decision problem, the evidence gathered during the trust management process can actually be used to examine these outcomes within a more continuous space. In this paper, we develop a formal model that allows us to quantitatively reason about the outcomes of the policy enforcement process in both absolute (i.e., user to ideal case) and relative (i.e., user to user) terms. Within this framework, it becomes possible to quantify, e.g., the robustness of a user's proof of authorization to possible perturbations in the system, how close an unauthorized user is to satisfying a particular policy, and relative "top-k" style rankings of the best users to carry out a particular task. To this end, we explore several interesting classes of scoring functions for assessing the robustness of authorization decisions, and develop criteria under which these types of functions can be composed with one another. We further show that these types of functions can be extended to quantify how close unauthorized users are to satisfying policies, which can be a useful risk metric for decision making under unexpected circumstances.

Original languageEnglish
Title of host publicationProceedings - IEEE Computer Security Foundations Symposium
Pages139-153
Number of pages15
DOIs
Publication statusPublished - 11 Oct 2010
Externally publishedYes
Event23rd Computer Security Foundations Symposium, CSF 2010 - Edinburgh, United Kingdom
Duration: 17 Jul 201019 Jul 2010

Other

Other23rd Computer Security Foundations Symposium, CSF 2010
CountryUnited Kingdom
CityEdinburgh
Period17/7/1019/7/10

Fingerprint

Chemical analysis
Decision making
Testing
Compliance

Keywords

  • Access control
  • Policy
  • Risk
  • Trust management

ASJC Scopus subject areas

  • Engineering(all)

Cite this

Adam, J. L., & Yu, T. (2010). Towards quantitative analysis of proofs of authorization: Applications, framework, and techniques. In Proceedings - IEEE Computer Security Foundations Symposium (pp. 139-153). [5552647] https://doi.org/10.1109/CSF.2010.17

Towards quantitative analysis of proofs of authorization : Applications, framework, and techniques. / Adam, J. Lee; Yu, Ting.

Proceedings - IEEE Computer Security Foundations Symposium. 2010. p. 139-153 5552647.

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Adam, JL & Yu, T 2010, Towards quantitative analysis of proofs of authorization: Applications, framework, and techniques. in Proceedings - IEEE Computer Security Foundations Symposium., 5552647, pp. 139-153, 23rd Computer Security Foundations Symposium, CSF 2010, Edinburgh, United Kingdom, 17/7/10. https://doi.org/10.1109/CSF.2010.17
Adam JL, Yu T. Towards quantitative analysis of proofs of authorization: Applications, framework, and techniques. In Proceedings - IEEE Computer Security Foundations Symposium. 2010. p. 139-153. 5552647 https://doi.org/10.1109/CSF.2010.17
Adam, J. Lee ; Yu, Ting. / Towards quantitative analysis of proofs of authorization : Applications, framework, and techniques. Proceedings - IEEE Computer Security Foundations Symposium. 2010. pp. 139-153
@inproceedings{e5bc8507fb2f446e92b0500e658e14ae,
title = "Towards quantitative analysis of proofs of authorization: Applications, framework, and techniques",
abstract = "Although policy compliance testing is generally treated as a binary decision problem, the evidence gathered during the trust management process can actually be used to examine these outcomes within a more continuous space. In this paper, we develop a formal model that allows us to quantitatively reason about the outcomes of the policy enforcement process in both absolute (i.e., user to ideal case) and relative (i.e., user to user) terms. Within this framework, it becomes possible to quantify, e.g., the robustness of a user's proof of authorization to possible perturbations in the system, how close an unauthorized user is to satisfying a particular policy, and relative {"}top-k{"} style rankings of the best users to carry out a particular task. To this end, we explore several interesting classes of scoring functions for assessing the robustness of authorization decisions, and develop criteria under which these types of functions can be composed with one another. We further show that these types of functions can be extended to quantify how close unauthorized users are to satisfying policies, which can be a useful risk metric for decision making under unexpected circumstances.",
keywords = "Access control, Policy, Risk, Trust management",
author = "Adam, {J. Lee} and Ting Yu",
year = "2010",
month = "10",
day = "11",
doi = "10.1109/CSF.2010.17",
language = "English",
isbn = "9780769540825",
pages = "139--153",
booktitle = "Proceedings - IEEE Computer Security Foundations Symposium",

}

TY - GEN

T1 - Towards quantitative analysis of proofs of authorization

T2 - Applications, framework, and techniques

AU - Adam, J. Lee

AU - Yu, Ting

PY - 2010/10/11

Y1 - 2010/10/11

N2 - Although policy compliance testing is generally treated as a binary decision problem, the evidence gathered during the trust management process can actually be used to examine these outcomes within a more continuous space. In this paper, we develop a formal model that allows us to quantitatively reason about the outcomes of the policy enforcement process in both absolute (i.e., user to ideal case) and relative (i.e., user to user) terms. Within this framework, it becomes possible to quantify, e.g., the robustness of a user's proof of authorization to possible perturbations in the system, how close an unauthorized user is to satisfying a particular policy, and relative "top-k" style rankings of the best users to carry out a particular task. To this end, we explore several interesting classes of scoring functions for assessing the robustness of authorization decisions, and develop criteria under which these types of functions can be composed with one another. We further show that these types of functions can be extended to quantify how close unauthorized users are to satisfying policies, which can be a useful risk metric for decision making under unexpected circumstances.

AB - Although policy compliance testing is generally treated as a binary decision problem, the evidence gathered during the trust management process can actually be used to examine these outcomes within a more continuous space. In this paper, we develop a formal model that allows us to quantitatively reason about the outcomes of the policy enforcement process in both absolute (i.e., user to ideal case) and relative (i.e., user to user) terms. Within this framework, it becomes possible to quantify, e.g., the robustness of a user's proof of authorization to possible perturbations in the system, how close an unauthorized user is to satisfying a particular policy, and relative "top-k" style rankings of the best users to carry out a particular task. To this end, we explore several interesting classes of scoring functions for assessing the robustness of authorization decisions, and develop criteria under which these types of functions can be composed with one another. We further show that these types of functions can be extended to quantify how close unauthorized users are to satisfying policies, which can be a useful risk metric for decision making under unexpected circumstances.

KW - Access control

KW - Policy

KW - Risk

KW - Trust management

UR - http://www.scopus.com/inward/record.url?scp=77957589709&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=77957589709&partnerID=8YFLogxK

U2 - 10.1109/CSF.2010.17

DO - 10.1109/CSF.2010.17

M3 - Conference contribution

SN - 9780769540825

SP - 139

EP - 153

BT - Proceedings - IEEE Computer Security Foundations Symposium

ER -