Access control obligation specification and enforcement using behavior pattern language

Abstract

Increasing the use of Internet-based devices offers novel opportunities for users to access and share resources anywhere and anytime so that such a collaborative environment complicates the design of an accountable resource access control system. Relying on only predefined access control policies based on an entity's attributes, as in traditional access control solutions, cannot provide enough flexibility to apply continuous adjustments in order to adapt to any kind of operative run time conditions. The limited scope and precision of the existing policy-based access control solutions have put considerable limitations on adequately satisfying the challenging security aspects of the IT enterprises. In this research, we focus on the obligatory behavior that can play an important role in access control to protect resources and services of a typical system. Since traditional access control is performed only once before the resource is accessed by the subject, the access control system is unable to control the fulfillment of obligation while the access is in progress. Practically, such a requirement is implemented in hard-coded and proprietary ways. Consequently, the lack of sophisticated means for specification and enforcement of obligation in access control system decreases its flexibility and may also lead to the security breach in sensitive environments. We provide a descriptive language that is capable of defining a variety of complex behavior patterns based on a sequence of user actions. Such a description can be used to specify different elements of the obligation in order to attach to a policy language, and it is also used to generate queries for behavior matching purposes. Moreover, we propose a behavior pattern matching framework to approve the fulfillment of the obligation by looking into the audit logs. However, this method is extremely inadequate for ongoing obligations. Therefore, we proposed a compliance engine by utilizing complex event processing in order to make a decision to revoke or continue the access in a timely manner. We implemented both frameworks that can be used to approve the obligation fulfillment as well as to evaluate the expressive power and complexity of our proposed language.