Recently, both academia and industry have recognized the need to leverage real-time information for specifying, enforcing and maintaining rich and flexible authorization policies. In such a context, security-related properties, a.k.a. attributes, have been recognized as a convenient abstraction for providing a well-defined representation of such information, allowing it to be created and exchanged by different, independently run organizational domains for authorization purposes. However, attackers may attempt to compromise the way attributes are generated and communicated by resorting to hacking techniques, e.g., forgery, in an effort to bypass authorization policies and their corresponding enforcement mechanisms and, as a result, gain unintended access to sensitive resources. In this paper, we propose a novel technique that allows enterprises to proactively collect attributes from the different entities involved in the access request process, e.g., users, subjects, protected resources, and running environments. After the collection, we aim to carefully select the attributes that uniquely identify the aforementioned entities, and to randomly mutate the original access policies over time by adding policy rules constructed from the newly identified attributes. This way, even when attackers are able to compromise the original attributes, our mutated policies may offer an additional layer of protection to deter ongoing and future attacks. We present the rationale and experimental results supporting our proposal, which provide evidence of its suitability for deployment in practice.

Original language: English (US)
Title of host publication: MTD 2017 - Proceedings of the 2017 Workshop on Moving Target Defense, co-located with CCS 2017
Publisher: Association for Computing Machinery, Inc
Number of pages: 11
ISBN (Electronic): 9781450351768
State: Published - Oct 30 2017
Event: 4th ACM Workshop on Moving Target Defense, MTD 2017 - Dallas, United States
Duration: Oct 30 2017 → …

Publication series

Name: MTD 2017 - Proceedings of the 2017 Workshop on Moving Target Defense, co-located with CCS 2017


Conference: 4th ACM Workshop on Moving Target Defense, MTD 2017
Country/Territory: United States
Period: 10/30/17 → …

ASJC Scopus subject areas

  • Control and Systems Engineering
  • Computer Science Applications
  • Computer Networks and Communications
