A Dynamic Risk-Based Access Control Approach: Model and Implementation
| dc.contributor.author | Savinov, Sergey | |
| dc.date.accessioned | 2017-05-18T15:17:11Z | |
| dc.date.available | 2017-05-18T15:17:11Z | |
| dc.date.issued | 2017-05-18 | |
| dc.date.submitted | 2017-05-12 | |
| dc.description.abstract | Access control (AC) refers to mechanisms and policies that restrict access to resources, thus regulating access to physical or virtual resources of an information system. AC approaches are used to represent these mechanisms and policies by which users are granted access and specific access privileges to the resources or information of the system for which AC is provided. Traditional AC approaches encompass a variety of widely used approaches, including attribute-based access control (ABAC), mandatory access control (MAC), discretionary access control (DAC) and role-based access control (RBAC). Emerging AC approaches include risk adaptive access control (RAdAC), an approach that suggests that AC can adapt depending on specific situations. However, traditional and emerging AC approaches rely on static pre-defined risk mitigation tasks and do not support the adaptation of an AC risk mitigation process (RMP). There are no provided mechanisms and automated support that allow AC approaches to construct RMPs and to adapt to provide more flexible, custom-tailored responses to specific situations in order to minimize risks. Further, although existing AC approaches can operate in several knowledge domains at once, they do not explicitly take into account the relationships among risks related to different dimensions, e.g., security, productivity. In addition, although in the real world, risks accumulate over time, existing AC approaches do not appropriately provide means for risk resolution in situations in which risks accumulate as different, dangerous tasks impact risk measures. This thesis presents the definition, the implementation, and the application through two case studies of a novel AC risk-mitigation approach that combines dynamic RMP construction and risk assessment extended to include forecasting based on multiple risk-related utilities and events; provides support for a dynamic risk assessment that depends on one or multiple risk dimensions (e.g., security and productivity); offers cumulative risk assessment in which each action of interest can impact the risk-related utilities in a dynamic way; and presents an implementation of an adaptive simulation method based on risk-related utilities and events. | en |
| dc.identifier.uri | http://hdl.handle.net/10012/11917 | |
| dc.language.iso | en | en |
| dc.pending | false | |
| dc.publisher | University of Waterloo | en |
| dc.subject | risk | en |
| dc.subject | RAdAC | en |
| dc.subject | access control | en |
| dc.subject | benefit | en |
| dc.subject | mitigation | en |
| dc.subject | remediation | en |
| dc.subject | dynamic | en |
| dc.subject | adaptive | en |
| dc.subject | implementation | en |
| dc.subject | automated | en |
| dc.subject | utility | en |
| dc.subject | process construction | en |
| dc.subject | quantitative | en |
| dc.subject | obligation | en |
| dc.subject | resources | en |
| dc.subject | process | en |
| dc.subject | task sequence | en |
| dc.subject | forecasting | en |
| dc.subject | projection | en |
| dc.subject | events | en |
| dc.subject | domain | en |
| dc.subject | framework | en |
| dc.subject | software development | en |
| dc.subject | runtime | en |
| dc.subject | real-time | en |
| dc.subject | privacy | en |
| dc.subject | accumulation | en |
| dc.subject | alternative | en |
| dc.subject | critical | en |
| dc.subject | access denial | en |
| dc.subject | deny | en |
| dc.subject | information leak | en |
| dc.subject | social engineering | en |
| dc.subject | XACML | en |
| dc.subject | information security | en |
| dc.subject | risk analysis | en |
| dc.subject | risk assessment | en |
| dc.title | A Dynamic Risk-Based Access Control Approach: Model and Implementation | en |
| dc.type | Doctoral Thesis | en |
| uws-etd.degree | Doctor of Philosophy | en |
| uws-etd.degree.department | David R. Cheriton School of Computer Science | en |
| uws-etd.degree.discipline | Computer Science | en |
| uws-etd.degree.grantor | University of Waterloo | en |
| uws.comment.hidden | Correct thesis title is:A Dynamic Risk-Based Access Control Approach: Model and Implementation. The other title was previously used, however my PhD committee requested a title change and MGO erroneously used old title in their Doctoral thesis acceptance form. I have requested a corrected Doctoral thesis acceptance form, however it will be only ready on May 18'th. Please check everything else, but the title, you will get a new form soon. | en |
| uws.contributor.advisor | Paulo, Alencar | |
| uws.contributor.advisor | Berry, Daniel | |
| uws.contributor.affiliation1 | Faculty of Mathematics | en |
| uws.peerReviewStatus | Unreviewed | en |
| uws.published.city | Waterloo | en |
| uws.published.country | Canada | en |
| uws.published.province | Ontario | en |
| uws.scholarLevel | Graduate | en |
| uws.typeOfResource | Text | en |