R2Q: A Risk Quantification Framework to Authorize Requests in Web-Based Collaborations
Web-based collaboration provides a platform which allows users from different domains to share and access information. In such an environment, mitigating threats from insider attacks is challenging, particularly if state-of-the-art token-based access control is used to authorize (permit or deny) requests. This entails the need for an additional layer of authorization based on soft-security factors such as the reputation of the requesters, risks involved in requests, and so on to make the final decision. In this paper, we propose a novel risk quantification framework, called R2Q, which exploits a weighted regression approach to compute the expected threat related to a collaboration request. Our model combines the shared object's sensitivity, access mode of the request, requester's security level and reputation, and maps the expected threat to a risk score using the prospect theory (PT) inspired value functions to actualize decision making under uncertainty of economic outcomes (loss or gain). Simulation-based performance evaluation validates the efficacy of our framework and demonstrates that it can classify requesters based on their past behaviours, and also enables the collaboration platform to achieve higher rates of successful authorization.
N. Ghosh et al., "R2Q: A Risk Quantification Framework to Authorize Requests in Web-Based Collaborations," Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security (2019, Auckland, New Zealand), pp. 247-254, Association for Computing Machinery (ACM), Jul 2019.
The definitive version is available at https://doi.org/10.1145/3321705.3329852
2019 ACM Asia Conference on Computer and Communications Security, AsiaCCS 2019 (2019: Jul. 9-12, Auckland, New Zealand)
Keywords and Phrases
Access request; Authorization; Collaboration; Prospect theory; Risk
International Standard Book Number (ISBN)
Article - Conference proceedings
© 2019 Association for Computing Machinery (ACM), All rights reserved.