RCBAC: A risk-aware content-based access control model for large-scale text data

Abstract

Unstructured data (mostly text data) have become a vital part in the era of big data. Hence, it has become increasingly difficult to identify the internal relations among data and describing the access control object during the design of access control (especially fine-grained access control) policies. Furthermore, in recent years, security incidents have frequently occurred due to the leakage of secrets by insiders, in both enterprises and government agencies around the world. Due to dynamic user behavior, it is difficult to determine “curious accesses” and grant authority based on traditional static access control models. Therefore, we need a dynamic access control model that is content-driven and can be used to find curious users in daily practice. This paper proposes a risk-aware content-based access control model (RCBAC) which can be used to solve over-authorization problems and can grant file-level authority to users. Based on the relevance of the data content and the duties of each user, RCBAC can quantify the risk of both the access behavior and the access history; accordingly, each user's access ability can be adjusted dynamically. The experimental results show that the RCBAC model can separate curious users from normal users and limit the access ability of curious users.

Introduction

In the era of big data, data have become an asset with economic importance. To use data more efficiently, it is important to share data safely. As a key technology for ensuring safe data sharing, access control plays an important role. The traditional access control models include discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC). However, in addition to the convenience big data has brought us, it also generates new challenges, and the traditional access control techniques cannot meet some of the demands of big data. On the one hand, unstructured data (most are text data) have become a vital part of big data, and it is difficult to identify the internal relations among the data, which increases the difficulty of describing the access control object when designing access control (especially fine-grained access control) policies. On the other hand, traditional access control policies cannot be effectively applied to big data because of their large scale and high incremental speed. Policies that are too lax can cause valuable or sensitive private data to be leaked; policies that are too strict can cause access to critical resources to be denied (Bauer and Kerschbaum, 2014). Access control models that can grant appropriate authorities to users are desired.

In recent years, security incidents have frequently occurred due to the leaking of secrets by insiders, both in enterprises and government agencies around the world. For example, a Google engineer spied on the data of four underage teens for months in 2010¹; accounts held by over 100,000 clients and 20,000 offshore companies with HSBC in Geneva were leaked in 2015²; and six employees of Huawei leaked company secrets in 2017.³ These leakages demonstrated the need for solving over-authorization problems for users: it is not enough for access control models to only grant corresponding authority to users; however, they also need to evaluate each user's access behavior and detect potential risks.

Furthermore, faced with large-scale unstructured text data, it is much more difficult to enforce access control policies with traditional access control models. We can use RBAC to assign unstructured data to different roles so that we can grant users corresponding authority based on these relations. However, in big data applications, it is difficult for administrators to assign unstructured data, and this work requires too much labor. Moreover, in access control systems, “who can access what” is typically defined by administrators and this kind of authorization is very labor intensive (Zeng et al., 2014). When facing massive data, it is more difficult for administrators to perform this labor-intensive authorization; as a result, the users might be granted too much or even full authority to ensure the systems can be used well. However, this kind of over-authorization could cause high risk. To further motivate our research, we consider the following example:

Example 1

In a law enforcement agency with highly sensitive case files, a supervisor assigns a case to agent Alice in Department A for investigation. Naturally, Alice also need to access related or similar cases (the concept of related or similar cases is determined according to the semantic content of the files). As an agent in Department A, Alice has the authority to access related files in the database of Department A. However, she cannot access related cases that belong to other departments. When Alice needs to access the data that belong to Department B, it is possible that: (i) the data are unsupervised and Alice can obtain the data directly or (ii) via complex procedures, such as request and approval, Alice obtains the access authorization.

Each of these situations has drawbacks. In Situation (i), there is no security guarantee, and if Alice is a curious user, she can access unrelated data without any restriction, which could cause infinite risk. In Situation (ii), because of the complex procedures, Alice may not be able to obtain related files in time, which would affect Alice's normal work. Furthermore, the manual cost will be high due to the increase in the number of access requests. Without first obtaining related approval, not even the administrators can examine and approve requests to grant users authority, which could result in the same risk as that in Situation (i). We hope that Alice can only access data that are related to her duties and her work, which satisfies the need-to-know principle. Based on this requirement, we need a fine-grained, self-adaptive access control policy that considers the data content and user duties.

In the above example, the problem can be partially solved with ABAC. With ABAC, the character attributes can be compared to grant authority for Alice. For example, Alice can obtain access authority for the messages of suspects who are F feet tall and appeared in position P at time T. However, in ABAC, it is almost impossible to extract attributes from unstructured text data, and it is difficult to identify the internal links between different text files. Furthermore, the traditional access control models often have executions that are too strict, which could lead to insufficient authorization (e.g., Alice can only access the data that belong to Department A), and typical users could obtain low authority, which would reduce its usability.

Beginning with the content-based authorization model for digital libraries that was proposed in 2002 (Adam et al., 2002), researchers have proposed various access control policies that are based on various types of content, including text content in databases (Zeng et al., 2014), social network data (Jadliwala et al., 2014; Paradesi et al., 2013), electronic data (Wu et al., 2010; Wu and Zhuo, 2014), context (Rubart, 2005), and content-centric networks (Mannes et al., 2015; Nagai et al., 2015). However, in a complex big data system, the access authority could be changed frequently, and static access control policies could not satisfy the requirements in dynamic scenarios. If access control is strictly enforced with predefined policies, it might result in insufficient or over authorization.

Break The Glass (BTG)⁴ is a fast technique for which a person who does not have access privileges to certain information can gain access when necessary. Integrated within the NIST/ANSI role-based access control model, Ferreira et al. uses the main strategy of BTG to propose a BTG-RBAC model (Ferreira et al., 2009) that can be used in health care institutions and violate restrictions in a controlled and justifiable manner to grant necessary authorities. In the field of medical privacy, Moura et al. uses the concept of BTG to propose a socio-technical risk-adaptable access control model SoTRAACE, in which if a patient in a hospital is incapable of communicating if he/she is allergic to a specific medication and the nurse treating him/her can have the justified possibility of overriding pre-defined policies and accessing patient's allergy data, before administering it (Moura et al., 2017).

Risk-based access control is another approach to overcoming the problem of insufficient authorization. Zhang et al. propose an access control model that balances the benefits and risks by combining them with each Read/Write operation (Zhang et al., 2006). When unforeseen access behavior occurs, if the risk is acceptable and smaller than the benefit, the access will be permitted. The model increases the usability in the situation of insufficient authorization. The JASON Program Office defines the concept of risk quota, and uses it to compute and manage access requests. In their research on addressing over-authorization in medical big data, Wang and Jin (2011) and Hui et al. (2015) propose risk-based access control models that distinguish between “normal doctors” and “curious doctors” based on their access behaviors so that they can adjust doctors' access abilities adaptively, such that “normal doctors” can access data in the typical manner while the access authority of “curious doctors” is limited.

Machine learning methods have also been applied in access control models to improve authorizations. Reference Molloy et al. (2012) trains on existing access control decisions to optimize its classifier and uses the classifier to determine whether an uncertain new access request should be permitted. Reference Pervaiz et al. (2015) satisfies the privacy requirement of l-diversity generalization of stream data, and uses the sliding window technique to propose a precision-bounded access control approach.

To solve the problem of over-authorization for large-scale text data, this paper proposes a risk-aware content-based access control (RCBAC) model, which uses data content and risk management technology to grant users access authority. In RCBAC, the risk is evaluated according to both access behavior and access history. (i) On the aspect of access behavior, the user duties are compared with the duty attribute of files, and the text content is used to compute the concrete access behavior risk. (ii) On the aspect of access history, sliding windows are defined for each user to store their historical access requests. Then, the information entropy is used to compute their confusion in various access periods and evaluate users' history risk. (iii) RCBAC uses risk quotas to manage users' accesses. Users can consume their risk quota to obtain access authority.

Our contributions in this paper are as follows:

• A content-driven risk-aware access control model for text data: RCBAC uses both the user duty and the semantic content of data to compute the risk that is caused by users. A user will cause much lower risk if he tries to access files that are related to his current work (related duty or related content) compared to curious users. If one user has sufficiently high behavior risk and history risk, RCBAC will identify him and reduce his access ability.

• RCBAC enforcements on different data size: We develop two RCBAC enforcements on a small data set (Google snippets) and a big data set (Amazon product reviews). In both cases, the experimental results show that RCBAC can distinguish curious users from normal users easily.

• A feasible solution for helping to solve over-authorization problems: RCBAC computes behavior risks for each user's access requests and sliding windows are defined for users to compute their history risk in RCBAC. If a user is over-authorized and often tries to access data unrelated to him, he will be tagged “curious” and descriptions of his suspicious behaviors will be sent to administrators. The user's risk quota will be reduced and he could only access a small amount of data at last. Moreover, administrators also can focus on tracking the accesses of these curious users to identify suspicious users and reject their accesses, which can solve over-authorization problems to a certain extent.

The remainder of this paper is organized as follows. Section 2 describes the faced problems. Section 3 presents the proposed model of RCBAC. Section 4 uses two data sets to develop RCBAC enforcement. Related works are presented in Section 5 and the paper is concluded in Section 6.