Abstract

Recently, both academia and industry have recognized the need for leveraging real-time information for the purposes of specifying, enforcing and maintaining rich and flexible authorization policies. In such a context, security-related properties, a.k.a., attributes, have been recognized as a convenient abstraction for providing a welldefined representation of such information, allowing for them to be created and exchanged by different independently-run organizational domains for authorization purposes. However, attackers may attempt to compromise the way attributes are generated and communicated by recurring to hacking techniques, e.g., forgery, in an effort to bypass authorization policies and their corresponding enforcement mechanisms and gain unintended access to sensitive resources as a result. In this paper,we propose a novel technique that allows for enterprises to pro-actively collect attributes fromthe different entities involved in the access request process, e.g., users, subjects, protected resources, and running environments. After the collection, we aim to carefully select the attributes that uniquely identify the aforementioned entities, and randomly mutate the original access policies over time by adding additional policy rules constructed from the newly-identified attributes. This way, even when attackers are able to compromise the original attributes, our mutated policies may offer an additional layer of protection to deter ongoing and future attacks. We present the rationale and experimental results supporting our proposal, which provide evidence of its suitability for being deployed in practice.

Original languageEnglish (US)
Title of host publicationMTD 2017 - Proceedings of the 2017 Workshop on Moving Target Defense, co-located with CCS 2017
PublisherAssociation for Computing Machinery, Inc
Pages39-49
Number of pages11
Volume2017-January
ISBN (Electronic)9781450351768
DOIs
StatePublished - Oct 30 2017
Event4th ACM Workshop on Moving Target Defense, MTD 2017 - Dallas, United States
Duration: Oct 30 2017 → …

Other

Other4th ACM Workshop on Moving Target Defense, MTD 2017
CountryUnited States
CityDallas
Period10/30/17 → …

Fingerprint

Access control
Industry

ASJC Scopus subject areas

  • Control and Systems Engineering
  • Computer Science Applications
  • Computer Networks and Communications

Cite this

Rubio-Medrano, C. E., Lamp, J., Doupe, A., Zhao, Z., & Ahn, G-J. (2017). Mutated policies: Towards proactive attribute-based defenses for access control. In MTD 2017 - Proceedings of the 2017 Workshop on Moving Target Defense, co-located with CCS 2017 (Vol. 2017-January, pp. 39-49). Association for Computing Machinery, Inc. https://doi.org/10.1145/3140549.3140553

Mutated policies : Towards proactive attribute-based defenses for access control. / Rubio-Medrano, Carlos E.; Lamp, Josephine; Doupe, Adam; Zhao, Ziming; Ahn, Gail-Joon.

MTD 2017 - Proceedings of the 2017 Workshop on Moving Target Defense, co-located with CCS 2017. Vol. 2017-January Association for Computing Machinery, Inc, 2017. p. 39-49.

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Rubio-Medrano, CE, Lamp, J, Doupe, A, Zhao, Z & Ahn, G-J 2017, Mutated policies: Towards proactive attribute-based defenses for access control. in MTD 2017 - Proceedings of the 2017 Workshop on Moving Target Defense, co-located with CCS 2017. vol. 2017-January, Association for Computing Machinery, Inc, pp. 39-49, 4th ACM Workshop on Moving Target Defense, MTD 2017, Dallas, United States, 10/30/17. https://doi.org/10.1145/3140549.3140553
Rubio-Medrano CE, Lamp J, Doupe A, Zhao Z, Ahn G-J. Mutated policies: Towards proactive attribute-based defenses for access control. In MTD 2017 - Proceedings of the 2017 Workshop on Moving Target Defense, co-located with CCS 2017. Vol. 2017-January. Association for Computing Machinery, Inc. 2017. p. 39-49 https://doi.org/10.1145/3140549.3140553
Rubio-Medrano, Carlos E. ; Lamp, Josephine ; Doupe, Adam ; Zhao, Ziming ; Ahn, Gail-Joon. / Mutated policies : Towards proactive attribute-based defenses for access control. MTD 2017 - Proceedings of the 2017 Workshop on Moving Target Defense, co-located with CCS 2017. Vol. 2017-January Association for Computing Machinery, Inc, 2017. pp. 39-49
@inproceedings{688fb5a1c04e4c0a81e2275a693e9e4d,
title = "Mutated policies: Towards proactive attribute-based defenses for access control",
abstract = "Recently, both academia and industry have recognized the need for leveraging real-time information for the purposes of specifying, enforcing and maintaining rich and flexible authorization policies. In such a context, security-related properties, a.k.a., attributes, have been recognized as a convenient abstraction for providing a welldefined representation of such information, allowing for them to be created and exchanged by different independently-run organizational domains for authorization purposes. However, attackers may attempt to compromise the way attributes are generated and communicated by recurring to hacking techniques, e.g., forgery, in an effort to bypass authorization policies and their corresponding enforcement mechanisms and gain unintended access to sensitive resources as a result. In this paper,we propose a novel technique that allows for enterprises to pro-actively collect attributes fromthe different entities involved in the access request process, e.g., users, subjects, protected resources, and running environments. After the collection, we aim to carefully select the attributes that uniquely identify the aforementioned entities, and randomly mutate the original access policies over time by adding additional policy rules constructed from the newly-identified attributes. This way, even when attackers are able to compromise the original attributes, our mutated policies may offer an additional layer of protection to deter ongoing and future attacks. We present the rationale and experimental results supporting our proposal, which provide evidence of its suitability for being deployed in practice.",
author = "Rubio-Medrano, {Carlos E.} and Josephine Lamp and Adam Doupe and Ziming Zhao and Gail-Joon Ahn",
year = "2017",
month = "10",
day = "30",
doi = "10.1145/3140549.3140553",
language = "English (US)",
volume = "2017-January",
pages = "39--49",
booktitle = "MTD 2017 - Proceedings of the 2017 Workshop on Moving Target Defense, co-located with CCS 2017",
publisher = "Association for Computing Machinery, Inc",

}

TY - GEN

T1 - Mutated policies

T2 - Towards proactive attribute-based defenses for access control

AU - Rubio-Medrano, Carlos E.

AU - Lamp, Josephine

AU - Doupe, Adam

AU - Zhao, Ziming

AU - Ahn, Gail-Joon

PY - 2017/10/30

Y1 - 2017/10/30

N2 - Recently, both academia and industry have recognized the need for leveraging real-time information for the purposes of specifying, enforcing and maintaining rich and flexible authorization policies. In such a context, security-related properties, a.k.a., attributes, have been recognized as a convenient abstraction for providing a welldefined representation of such information, allowing for them to be created and exchanged by different independently-run organizational domains for authorization purposes. However, attackers may attempt to compromise the way attributes are generated and communicated by recurring to hacking techniques, e.g., forgery, in an effort to bypass authorization policies and their corresponding enforcement mechanisms and gain unintended access to sensitive resources as a result. In this paper,we propose a novel technique that allows for enterprises to pro-actively collect attributes fromthe different entities involved in the access request process, e.g., users, subjects, protected resources, and running environments. After the collection, we aim to carefully select the attributes that uniquely identify the aforementioned entities, and randomly mutate the original access policies over time by adding additional policy rules constructed from the newly-identified attributes. This way, even when attackers are able to compromise the original attributes, our mutated policies may offer an additional layer of protection to deter ongoing and future attacks. We present the rationale and experimental results supporting our proposal, which provide evidence of its suitability for being deployed in practice.

AB - Recently, both academia and industry have recognized the need for leveraging real-time information for the purposes of specifying, enforcing and maintaining rich and flexible authorization policies. In such a context, security-related properties, a.k.a., attributes, have been recognized as a convenient abstraction for providing a welldefined representation of such information, allowing for them to be created and exchanged by different independently-run organizational domains for authorization purposes. However, attackers may attempt to compromise the way attributes are generated and communicated by recurring to hacking techniques, e.g., forgery, in an effort to bypass authorization policies and their corresponding enforcement mechanisms and gain unintended access to sensitive resources as a result. In this paper,we propose a novel technique that allows for enterprises to pro-actively collect attributes fromthe different entities involved in the access request process, e.g., users, subjects, protected resources, and running environments. After the collection, we aim to carefully select the attributes that uniquely identify the aforementioned entities, and randomly mutate the original access policies over time by adding additional policy rules constructed from the newly-identified attributes. This way, even when attackers are able to compromise the original attributes, our mutated policies may offer an additional layer of protection to deter ongoing and future attacks. We present the rationale and experimental results supporting our proposal, which provide evidence of its suitability for being deployed in practice.

UR - http://www.scopus.com/inward/record.url?scp=85043392811&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85043392811&partnerID=8YFLogxK

U2 - 10.1145/3140549.3140553

DO - 10.1145/3140549.3140553

M3 - Conference contribution

AN - SCOPUS:85043392811

VL - 2017-January

SP - 39

EP - 49

BT - MTD 2017 - Proceedings of the 2017 Workshop on Moving Target Defense, co-located with CCS 2017

PB - Association for Computing Machinery, Inc

ER -