Skip to main content
SpringerLink
Log in
Book cover

From Database to Cyber Security pp 143–165Cite as

Function-Based Access Control (FBAC): Towards Preventing Insider Threats in Organizations

  • Chapter
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11170))

Abstract

Insiders misuse their access to data and are known to pose serious risks to organizations. From a security engineering viewpoint, each insider threat incident is associated to full, or partial, failure of an access control system. Here, we introduce Function-Based Access Control (FBAC). FBAC is inspired by Functional Encryption but takes a system approach towards the problem. Abstractly, access authorizations are n longer stored as a two-dimensional Access Control Matrix (ACM). Instead, FBAC stores access authorizations as a three-dimensional tensor (called Access Control Tensor). Hence, applications no longer give blind folded execution right and users can only invoke commands that have been authorized at different levels such as data segments. Simply put, one might be authorized to use a certain command on one object while being forbidden to use the same command on another object. Evidently, this level of granularity and customization can not be efficently modeled using the classical access control matrix. The theoretical foundations of FBAC are presented along with Policy, Enforcement, and Implementation (PEI) requirements of it. A critical analysis of the advantages of deploying FBAC, how it will result in developing a new generation of applications, and compatibility with existing models and systems is also included. Finally, a proof of concept implementation of FBAC is presented.

A preliminary version of this work has been published as “Function-Based Access Control (FBAC): From Access Control Matrix to Access Control Tensor.” Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats. ACM, 2016.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    Note that the number of different functions one can define with a given finite domain is finite, but too large to have practical value.

References

  1. Emerging technologies that will change the world. MIT Technology Review, January 2001

    Google Scholar 

  2. US State Dept limits military access to its database, November 2010. www.defencetalk.com/us-state-dept-limits-military-access-to-its-database-30387/

  3. Apple’s Apps economy as big as Hollywood. The Telegraph, January 2015. http://www.telegraph.co.uk/technology/apple/11362562/Apples-apps-economy-as-big-as-Hollywood.html

  4. Batane, T.: Turning to Turnitin to fight plagiarism among university students. J. Educ. Technol. Soc. 13(2), 1–12 (2010)

    Google Scholar 

  5. Bell, D.E., LaPadula, L.J.: Secure computer systems: mathematical foundations and model. Technical report M74–244, The MITRE Corporation, Bedford, Massachusetts, May 1973

    Google Scholar 

  6. Ben-Or, M., Goldwasser, S., Kilian, J., Wigderson, A.: Multi-prover interactive proofs: how to remove intractability assumptions. In: Proceedings of the Twentieth Annual ACM Symposium Theory of Computing, STOC, 2–4 May 1988, pp. 113–131 (1988)

    Google Scholar 

  7. Bertino, E., Castano, S., Ferrari, E.: Securing XML documents: the author-X project demonstration. SIGMOD Rec. 30(2), 605 (2001)

    Article  Google Scholar 

  8. Bertino, E., Castano, S., Ferrari, E., Mesiti, M.: Specifying and enforcing access control policies for XML document sources. World Wide Web 3(3), 139–151 (2000)

    Article  Google Scholar 

  9. Bertino, E., Castano, S., Ferrari, E., Mesiti, M.: Protection and administration of XML data sources. Data Knowl. Eng. 43(3), 237–260 (2002)

    Article  Google Scholar 

  10. Bertino, E., Ferrari, E.: Secure and selective dissemination of XML documents. ACM Trans. Inf. Syst. Secur. (TISSEC) 5(3), 290–331 (2002)

    Article  Google Scholar 

  11. Biba, K.J.: Integrity considerations for secure computer systems. Technical report ESD-TR-76-372, USAF Electronic Systems Division, April 1977

    Google Scholar 

  12. Bird, R., Bird, R., Jain, S.: The Global Challenge of Intellectual Property Rights. Edward Elgar Publishing, Incorporated, Cheltenham (2009)

    Google Scholar 

  13. Bishop, M.: Computer Security. Addison-Wesley, Reading (2003)

    Google Scholar 

  14. Biswas, P., Patwa, F., Sandhu, R.: Content level access control for openstack swift storage. In: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy, pp. 123–126. ACM (2015)

    Google Scholar 

  15. Blakley, G.R.: Safeguarding cryptographic keys. In: Proceedings of the National Computer Conference. AFIPS Conference Proceedings, vol. 48, pp. 313–317 (1979)

    Google Scholar 

  16. Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_16

    Chapter  Google Scholar 

  17. Boneh, D., Sahai, A., Waters, B.: Functional encryption: a new vision for public-key cryptography. Commun. ACM 55(11), 56–64 (2012)

    Article  Google Scholar 

  18. Bowen, B.M., Salem, M.B., Hershkop, S., Keromytis, A.D., Stolfo, S.: Designing host and network sensors to mitigate the insider threat. IEEE Secur. Priv. 7(6), 22–29 (2009)

    Article  Google Scholar 

  19. Brdiczka, O., et al.: Proactive insider threat detection through graph learning and psychological context. In: 2012 IEEE Symposium on Security and Privacy Workshops (SPW), pp. 142–149. IEEE (2012)

    Google Scholar 

  20. Caputo, D., Maloof, M., Stephens, G.: Detecting insider theft of trade secrets. IEEE Secur. Priv. 6, 14–21 (2009)

    Article  Google Scholar 

  21. Cole, E., Ring, S.: Insider Threat: Protecting the Enterprise from Sabotage, Spying, and Theft: Protecting the Enterprise from Sabotage, Spying, and Theft. Syngress, Rockland (2005)

    Google Scholar 

  22. Crampton, J., Huth, M.: Towards an access-control framework for countering insider threats. In: Probst, C., Hunker, J., Gollmann, D., Bishop, M. (eds.) Insider Threats in Cyber Security. ADIS, vol. 49, pp. 173–195. Springer, Boston (2010). https://doi.org/10.1007/978-1-4419-7133-3_8

    Chapter  Google Scholar 

  23. Damiani, E., Capitani, D., di Vimercati, S., Paraboschi, S., Samarati, P.: A fine-grained access control system for XML documents. ACM Trans. Inf. Syst. Secur. (TISSEC) 5(2), 169–202 (2002)

    Article  Google Scholar 

  24. Upton, D.M., Creese, S.: The danger from within. Harv. Bus. Rev. 92, 94–101 (2014)

    Google Scholar 

  25. Denning, D.E.R.: Cryptography and Data Security. Addison-Wesley, Reading (1982)

    MATH  Google Scholar 

  26. Desmedt, Y.: Computer security by redefining what a computer is. In: Michael, J.B., Ashby, V., Meadows, C. (eds.) Proceedings on the (1992–1993) New Security Paradigms II Workshop, ACM-SIGSAC, Little Compton, Rhode Island, U.S.A, pp. 160–166. IEEE Computer Society Press (1992, 1993)

    Google Scholar 

  27. Desmedt, Y.: Computer security by redefining what a computer is. In: Proceedings on the 1992–1993 Workshop on New Security Paradigms, pp. 160–166. ACM (1993)

    Google Scholar 

  28. Fadhel, A.B., Bianculli, D., Briand, L.: A comprehensive modeling framework for role-based access control policies. J. Syst. Softw. 107, 110–126 (2015)

    Article  Google Scholar 

  29. Fong, P.W.: Relationship-based access control: protection model and policy language. In: Proceedings of the First ACM Conference on Data and Application Security and Privacy, pp. 191–202. ACM (2011)

    Google Scholar 

  30. Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game. In: Proceedings of the Nineteenth Annual ACM Symposium Theory of Computing, STOC, 25–27 May 1987, pp. 218–229 (1987)

    Google Scholar 

  31. Harrison, M.A., Ruzzo, W.L., Ullman, J.D.: Protection in operating systems. Commun. ACM 19(8), 461–471 (1976)

    Article  Google Scholar 

  32. Ito, M., Saito, A., Nishizeki, T.: Secret sharing schemes realizing general access structures. In: Proceedings of IEEE Global Telecommunications Conference, Globecom 1987, pp. 99–102. IEEE Communications Society Press (1987)

    Google Scholar 

  33. Jin, X.: Attribute-based access control models and implementation in cloud infrastructure as a service. The University of Texas at San Antonio (2014)

    Google Scholar 

  34. Jin, X., Sandhu, R., Krishnan, R.: RABAC: role-centric attribute-based access control. In: Kotenko, I., Skormin, V. (eds.) MMM-ACNS 2012. LNCS, vol. 7531, pp. 84–96. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33704-8_8

    Chapter  Google Scholar 

  35. Joshi, J.B., Bertino, E., Latif, U., Ghafoor, A.: A generalized temporal role-based access control model. IEEE Trans. Knowl. Data Eng. 17(1), 4–23 (2005)

    Article  Google Scholar 

  36. Kuhn, D.R., Coyne, E.J., Weil, T.R.: Adding attributes to role-based access control. Computer 43(6), 79–81 (2010)

    Article  Google Scholar 

  37. Lampson, B.W.: Protection. ACM Oper. Syst. Rev. 8(1), 18–24 (1974). Also. In: Proceedings of the 5th Princeton Symposium of Information Science and Systems (1971)

    Article  Google Scholar 

  38. Latimer, J.: Deception in War. Overlook Press, New York (2001)

    Google Scholar 

  39. Leigh, D., Harding, L.: Wikileaks: Inside Julian Assange’s War on Secrecy. Public Affairs, New York (2011)

    Google Scholar 

  40. Levine, J.: Operation Fortitude: The True Story of the Key Spy Operation of WWII that Saved D-Day. HarperCollins, London (2011)

    Google Scholar 

  41. Morrow, B.: BYOD security challenges: control and protect your most sensitive data. Netw. Secur. 2012(12), 5–8 (2012)

    Article  Google Scholar 

  42. Moses, T., et al.: eXtensible Access Control Markup Language (XACML) version 2.0. Oasis Standard 200502 (2005)

    Google Scholar 

  43. Murphy, J.P., Berk, V.H., Gregorio-de Souza, I.: Decision support procedure in the insider threat domain. In: 2012 IEEE Symposium on Security and Privacy Workshops (SPW), pp. 159–163. IEEE (2012)

    Google Scholar 

  44. Myers, A.C., Zheng, L., Zdancewic, S., Chong, S., Nystrom, N.: Jif: Java information flow. Software release, vol. 2005 (2001). Located at http://www.cs.cornell.edu/jif

  45. Nurse, J.R.C., et al.: A critical reflection on the threat from human insiders – its nature, industry perceptions, and detection approaches. In: Tryfonas, T., Askoxylakis, I. (eds.) HAS 2014. LNCS, vol. 8533, pp. 270–281. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-07620-1_24

    Chapter  Google Scholar 

  46. Oh, S., Park, S.: Task-role-based access control model. Inf. Syst. 28(6), 533–562 (2003)

    Article  Google Scholar 

  47. Park, J., Sandhu, R.: The UCON ABC usage control model. ACM Trans. Inf. Syst. Secur. (TISSEC) 7(1), 128–174 (2004)

    Article  Google Scholar 

  48. Park, J.S., Giordano, J.: Access control requirements for preventing insider threats. In: Mehrotra, S., Zeng, D.D., Chen, H., Thuraisingham, B., Wang, F.-Y. (eds.) ISI 2006. LNCS, vol. 3975, pp. 529–534. Springer, Heidelberg (2006). https://doi.org/10.1007/11760146_52

    Chapter  Google Scholar 

  49. Price, D.: Sizing the piracy universe. NetNames (2013). http://copyrightalliance.org/sites/default/files/2013-netnames-piracy.pdf

  50. Sandhu, R., Ranganathan, K., Zhang, X.: Secure information sharing enabled by trusted computing and PEI models. In: Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security, pp. 2–12. ACM(2006)

    Google Scholar 

  51. Sandhu, R.S., Samarati, P.: Access control: principle and practice. IEEE Commun. Mag. 32(9), 40–48 (1994)

    Article  Google Scholar 

  52. Saunders, G., Hitchens, M., Varadharajan, V.: Role-based access control and the access control matrix. ACM SIGOPS Oper. Syst. Rev. 35(4), 6–20 (2001)

    Article  Google Scholar 

  53. Savage, S.: Staff and student responses to a trial of Turnitin plagiarism detection software. In: Proceedings of the Australian Universities Quality Forum, pp. 2–7. Citeseer (2004)

    Google Scholar 

  54. Schneier, B.: Bruce Schneier on Trust Set. Wiley, New York (2014)

    Google Scholar 

  55. Shamir, A.: How to share a secret. Commun. ACM 22, 612–613 (1979)

    Article  MathSciNet  Google Scholar 

  56. Smith, T.: 5 Ways to Encourage BYOD and Keep Your Company Data Secure. Entrepreneur, January 2015. http://www.entrepreneur.com/article/241645

  57. Spitzner, L.: Honeypots: catching the insider threat. In: 2003 Proceedings of the 19th Annual Computer Security Applications Conference, pp. 170–179. IEEE (2003)

    Google Scholar 

  58. Stapleton, P.: Gauging the effectiveness of anti-plagiarism software: an empirical study of second language graduate writers. J. Engl. Acad. Purp. 11(2), 125–133 (2012)

    Article  Google Scholar 

  59. Subramanya, S., Yi, B.K.: Digital rights management. IEEE Potentials 25(2), 31–34 (2006)

    Article  Google Scholar 

  60. The British Broadcasting Corporation (BBC): UK’s families put on fraud alert. http://news.bbc.co.uk/2/hi/uk_news/politics/7103566.stm

  61. The Guardain: Cheating found to be rife in British schools and universities. http://www.theguardian.com/education/2015/jun/15/cheating-rife-in-uk-education-system-dispatches-investigation-shows

  62. The Telegraph: The cheating epidemic at Britain’s universities. http://www.telegraph.co.uk/education/educationnews/8363345/The-cheating-epidemic-at-Britains-universities.html

  63. Thompson, P.: Weak models for insider threat detection. In: Defense and Security, pp. 40–48. International Society for Optics and Photonics (2004)

    Google Scholar 

  64. Thomson, G.: BYOD: enabling the chaos. Netw. Secur. 2012(2), 5–8 (2012)

    Article  Google Scholar 

  65. Erlingsson, U.: Keynote: Advances in Cryptology - ASIACRYPT 2011: Proceedings of the 17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, South Korea, 4–8 December 2011 (2011)

    Google Scholar 

  66. Vandebogart, S., et al.: Labels and event processes in the asbestos operating system. ACM Trans. Comput. Syst. (TOCS) 25(4), 11 (2007)

    Article  Google Scholar 

  67. di Vimercati, S.D.C., Foresti, S., Samarati, P.: Data security issues in cloud scenarios. In: Jajodia, S., Mazumdar, C. (eds.) ICISS 2015. LNCS, vol. 9478, pp. 3–10. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26961-0_1

    Chapter  Google Scholar 

  68. Wall, D.S.: Enemies within: redefining the insider threat in organizational security policy. Secur. J. 26(2), 107–124 (2013)

    Article  Google Scholar 

  69. Yao, A.C.: How to generate and exchange secrets. In: 27th Annual Symposium on Foundations of Computer Science (FOCS), Toronto, Ontario, Canada, 27–29 October 1986, pp. 162–167. IEEE Computer Society Press (1986)

    Google Scholar 

  70. Desmedt, Y.: Keynote: Security and Privacy in Communication Networks: 7th International ICST Conference, SecureComm 2011, London, 7–9 September 2011 (2011)

    Google Scholar 

  71. Zeldovich, N., Boyd-Wickizer, S., Kohler, E., Mazières, D.: Making information flow explicit in HiStar. In: Proceedings of the 7th Symposium on Operating Systems Design and Implementation, pp. 263–278. USENIX Association (2006)

    Google Scholar 

  72. Zhang, Z., Pei, Q., Ma, J., Yang, L.: Security and trust in digital rights management: a survey. IJ Netw. Secur. 9(3), 247–263 (2009)

    Google Scholar 

Download references

Acknowledgments

Arash Shaghaghi acknowledges the support provided by his Ph.D. supervisor Prof. Sanjay Jha at UNSW Sydney. A/Prof. Salil Kanhere also provided useful insights and suggestions in designing deployment scenarios for FBAC.

Author information

Authors and Affiliations

  1. University of Texas at Dallas, Richardson, USA

    Yvo Desmedt

  2. University College London (UCL), London, UK

    Yvo Desmedt

  3. The University of New South Wales (UNSW Sydney), Kensington, Australia

    Arash Shaghaghi

  4. Data61, CSIRO, Eveleigh, Australia

    Arash Shaghaghi

Authors
  1. Yvo Desmedt
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Arash Shaghaghi
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Arash Shaghaghi .

Editor information

Editors and Affiliations

  1. Università degli Studi di Milano, Milano, Italy

    Pierangela Samarati

  2. Colorado State University, Fort Collins, CO, USA

    Indrajit Ray

  3. Colorado State University, Fort Collins, CO, USA

    Indrakshi Ray

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer Nature Switzerland AG

About this chapter

Check for updates. Verify currency and authenticity via CrossMark

Cite this chapter

Desmedt, Y., Shaghaghi, A. (2018). Function-Based Access Control (FBAC): Towards Preventing Insider Threats in Organizations. In: Samarati, P., Ray, I., Ray, I. (eds) From Database to Cyber Security. Lecture Notes in Computer Science(), vol 11170. Springer, Cham. https://doi.org/10.1007/978-3-030-04834-1_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-04834-1_8

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-04833-4

  • Online ISBN: 978-3-030-04834-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation