Cost-Sensitive Access Control for Illegitimate Confidential Access by Insiders
In many organizations, it is common to control access to confidential information based on the need-to-know principle: requests for access are authorized only if the content of the requested information is relevant to the requester's current information analysis project. We formulate such content-based authorization, i.e., whether to accept or reject access requests, as a binary classification problem. In contrast to conventional error-minimizing classification, we handle this problem in a cost-sensitive learning framework in which the cost caused by an incorrect decision differs according to the relative importance of the requested information. In particular, the cost (i.e., damaging effect) of a false positive (i.e., accepting an illegitimate request) is higher than that of a false negative (i.e., rejecting a valid request). The former is a serious security problem because confidential information, which should not be revealed, can be accessed. From the comparison of the cost-sensitive classifiers with error-minimizing classifiers, we found that costing with logistic regression showed the best performance in terms of the smallest cost paid, the lowest false positive rate, and a relatively low false negative rate.
Keywords: Access Control; Linear Discriminant Analysis; False Negative Rate; Lower False Positive Rate; Access Request
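The following added example (not code from the paper) illustrates the asymmetric-cost idea in the abstract by comparing an error-minimizing 0.5 threshold with a minimum-expected-cost decision rule. It uses plain expected-cost thresholding rather than the costing procedure the paper evaluates, and the `Request` fields, `FN_COST`, and all sample scores and costs are constructed assumptions.

```python
from dataclasses import dataclass

FN_COST = 1.0  # assumed flat cost of rejecting a valid request (false negative)

@dataclass
class Request:
    p_legit: float      # classifier's estimated probability the content is need-to-know relevant
    sensitivity: float  # assumed cost if this document is wrongly released (false positive)
    legit: bool         # ground-truth label, used only for evaluation

# Constructed sample requests: (p_legit, sensitivity, legit)
SAMPLE = [Request(*r) for r in [
    (0.95, 10.0, True), (0.80, 10.0, True), (0.70, 10.0, False),
    (0.60, 2.0, False), (0.90, 2.0, True), (0.30, 2.0, False),
    (0.40, 1.0, True), (0.55, 1.0, True),
]]

def error_minimizing(r):
    """Accept whenever the request is more likely legitimate than not."""
    return r.p_legit >= 0.5

def cost_sensitive(r):
    """Accept only if the expected cost of accepting is below that of rejecting."""
    expected_cost_accept = (1 - r.p_legit) * r.sensitivity
    expected_cost_reject = r.p_legit * FN_COST
    return expected_cost_accept < expected_cost_reject

def evaluate(requests, policy):
    """Return total cost paid, false positive rate and false negative rate."""
    cost, fp, fn = 0.0, 0, 0
    for r in requests:
        accept = policy(r)
        if accept and not r.legit:      # illegitimate request accepted
            fp += 1
            cost += r.sensitivity
        elif not accept and r.legit:    # valid request rejected
            fn += 1
            cost += FN_COST
    n_illegit = sum(not r.legit for r in requests)
    n_legit = len(requests) - n_illegit
    return {"cost": cost, "fpr": fp / n_illegit, "fnr": fn / n_legit}

if __name__ == "__main__":
    for policy in (error_minimizing, cost_sensitive):
        print(policy.__name__, evaluate(SAMPLE, policy))
```

On this constructed sample the cost-sensitive rule refuses highly sensitive documents unless the classifier is very confident, trading a higher false negative rate for no false positives and a lower total cost.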