Access Control Requirements for Preventing Insider Threats

  • Joon S. Park
  • Joseph Giordano
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3975)


Today the Intelligence Community (IC) faces increasing challenges from insider threats. It is generally accepted that the cost of insider threats exceeds that of outsider threats. Although currently available access control approaches have great potential for preventing insider threats, critical obstacles remain to be solved, especially in large-scale computing environments. In this paper we discuss those requirements with respect to scalability, granularity, and context-awareness. For each requirement we discuss the related problems, techniques, and basic approaches to the corresponding countermeasures. Detailed solutions and implementations are not described in this paper.







Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Joon S. Park, Syracuse University, Syracuse, USA
  • Joseph Giordano, Information Directorate, Air Force Research Laboratory (AFRL), Rome, USA
