Modeling Chinese Wall Access Control Using Formal Concept Analysis
S. Chandra Mouliswaran, School of Information Technology and Engineering, VIT University, Vellore, India
Ch. Aswani Kumar, School of Information Technology and Engineering, VIT University, Vellore, India
C. Chandrasekar, Department of Computer Science, Periyar University, Salem, India
978-1-4799-6629-5/14/$31.00 © 2014 IEEE
Abstract—Chinese wall access control (CWAC) is a well-known access control model suited to the secure sharing of commercial consultancy services. It avoids information flows that cause a conflict of interest for any individual consultant in these services. Our main objective is to model the Chinese wall access control policy using formal concept analysis, which extends and restructures lattice theory. To attain this goal, we develop a formal context for the security aspects of Chinese wall access permissions. We test the proposed method on a common commercial consultancy service sharing scenario. The analysis results confirm that the proposed method satisfies the constraints of the Chinese wall security policy and its properties, namely the simple security property and the *-property.
Keywords—access control; Chinese wall security policy; concept lattice; triadic context
I. INTRODUCTION
Every organization needs to monitor and control access to its network, information systems and other shared resources as part of its business activity. To ensure their security, any standard information system requires the support of access control. Access control prevents unintended access to information in a system and ensures that only authorized users can use the information or data resources, within their access permissions. The access control matrix, first introduced by B. Lampson, is the fundamental model behind the various access control models in the literature, such as the mandatory access control model, the discretionary access control model, the lattice-based access control model and the role-based access control model [1, 2]. Detailed descriptions of the various access control models and their security policies are available in [3, 4].
Among the various access control strategies and security policies, the Chinese wall security policy introduced by Brewer and Nash [5] in 1989 is essential for the financial divisions of commercial consultancy services such as stock exchanges, investment consultants of banks and insurance companies, computer consultants and so on. The main objective of this policy is to stop information flows that cause a conflict of interest for any individual consultant. In this model, Brewer and Nash introduced mandatory rules for information flow, known as the read rule and the write rule. Sandhu [6] has presented a lattice-based access control model for this Chinese wall policy. The literature also shows that various other access control policies have been implemented as lattices [7, 8].
In recent times, lattice theory has attracted attention in the domain of formal concept analysis (FCA). FCA is a restructured lattice theory which derives formal concepts from a given formal context and investigates the hierarchical order among them. Ch. Aswani Kumar has used formal concept analysis to model the access permissions of role-based access control (RBAC) [9]. Obiedkov et al. [10, 11] have constructed a lattice-based access control model with the help of the attribute exploration process from FCA. Knechtel [12] has used description logic to formalize the role-based access control matrix as a triadic context, derived the dyadic contexts from this triadic context and performed attribute exploration on them. Dau and Knechtel [13] have described how FCA methods support access policy design.
Based on the fruitful results of Sandhu [6], Ch. Aswani Kumar [8], Obiedkov et al. [11] and Dau and Knechtel [13], we are motivated to propose a formal context for the Chinese wall security policy. The lattice structure derived from this formal context is able to implement the access permissions of the Chinese wall security policy and its access rules, the read rule and the write rule.
The rest of the paper is organized as follows. Section II presents a concise description of the Chinese wall access control model. The terminology and conceptual definitions behind FCA are described in Section III. We propose the modeling of CWAC using FCA in Section IV. We illustrate and evaluate our experimental results in Section V.
II. BACKGROUND
A detailed study of access control policies, models and mechanisms is available in [4]. The features, merits and demerits of various access control security models for web-based applications are available in [14]. In 1989, Brewer and Nash customized the properties of the Bell-LaPadula model (BLP) and introduced their security policy, the CWAC security policy, to suit the financial sector of the commercial environment [5]. The properties of Chinese wall policies are often explicitly compared with the properties of BLP. An aggressive model for the Chinese wall security policy has also evolved [15]. Tsau Young Lin [16] has re-examined the CWAC policy through social public networks and granular computing and presented a short proof of the strong CWAC policy. Sandhu [17] has described the lattice-based enforcement of CWAC and compared it with the lattice-based structure of BLP.
A. The Chinese wall access control
Depending on the practical access control scenario of the organization and the type of service it provides, an organization defines its security policy either towards confidentiality or towards integrity. The Chinese wall access control model supports confidentiality and integrity equally, so it is recognized as a hybrid access control model. To discuss the terms and policy behind CWAC, we consider an online commercial domain where the consultants or analysts of companies are interested in accessing the data resources of various groups of companies that provide different types of services. Based on their type of service, companies are classified under various domains. The companies classified under the same domain form a conflict of interest (COI) class and are in direct competition with each other. In addition, these COI classes are mutually disjoint. The companies grouped under different service domains can be classified as a non-conflict of interest (NCI) class. Companies in the same COI class cannot be in the same NCI class. Similarly, companies in the same NCI class cannot be in the same COI class. The companies in the same NCI class are not in competition, and no special entities are required to monitor their consultants and their information.
Here, the data resources of an individual company are referred to as objects, and an object can be either a database or a file which contains information relevant to the company. The set of data resources or objects relevant to a single company is known as the company data resources (CDR). For a better understanding of COI classes, we consider the scenario in Fig. 1, where the data resources or objects of bank, cement and pharmaceutical companies are classified into three different COI classes, namely COI-A, COI-B and COI-C respectively.
Under the COI class COI-A, there are three companies, namely A1, A2 and A3. The COI-B class contains two companies, namely B1 and B2, and the COI-C class contains three companies, namely C1, C2 and C3. The ovals below each company represent the different sets of objects or data resources related to its CDR. Here, the objects are mutually disjoint.
Fig. 1 Classification of conflict of interest classes.
The main purpose of the CWAC policy is to prevent the leakage of one company's sensitive information to other companies belonging to the same COI class. It insists that the same consultant should not have read access to two or more companies in the same COI class. Formally, CWAC defines its access policy through two mandatory properties, namely the simple security property and the *-property. Those properties are as follows:
• Simple Security Property [18]: Any consultant C can read the object O if and only if any of the following conditions holds.
1) There is an object O' such that C has accessed O' and $CDR(O') = CDR(O)$.
2) For all objects O', $O' \in PR(C)$ implies $COI(O') \neq COI(O)$. Initially, $PR(C) = \emptyset$, and the initial read request by C is assumed to be granted.
3) O is a sanitized object.
• *-Property [18]: A consultant C may write to an object O if and only if both of the following conditions hold.
1) The simple security condition permits C to read O.
2) For all unsanitized objects O', C can read O' $\Rightarrow CDR(O') = CDR(O)$.
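The two properties above can be exercised as a small reference monitor. The following is an added example, not code from the paper: the object names, the explicit `sanitized` set, and the choice to evaluate "C can read O'" over the reads already recorded in PR(C) are assumptions of this sketch.

```python
class ChineseWall:
    """Reference monitor for the simple security property and the *-property."""

    def __init__(self, cdr_of, coi_of, sanitized=()):
        self.cdr_of = dict(cdr_of)       # object -> company data resources (CDR)
        self.coi_of = dict(coi_of)       # CDR -> conflict of interest class
        self.sanitized = set(sanitized)  # objects marked sanitized (assumed input)
        self.pr = {}                     # PR(C): objects consultant C has read

    def _walled_history(self, consultant):
        # Sanitized reads stay in PR(C) but build no wall (assumption).
        return [o for o in self.pr.get(consultant, ()) if o not in self.sanitized]

    def can_read(self, consultant, obj):
        if obj in self.sanitized:                          # condition 3
            return True
        hist = self._walled_history(consultant)
        cdr = self.cdr_of[obj]
        if any(self.cdr_of[o] == cdr for o in hist):       # condition 1
            return True
        coi = self.coi_of[cdr]                             # condition 2
        # An empty history passes, so the initial read is always granted.
        return all(self.coi_of[self.cdr_of[o]] != coi for o in hist)

    def read(self, consultant, obj):
        ok = self.can_read(consultant, obj)
        if ok:
            self.pr.setdefault(consultant, set()).add(obj)
        return ok

    def can_write(self, consultant, obj):
        if not self.can_read(consultant, obj):             # *-property, condition 1
            return False
        cdr = self.cdr_of.get(obj)                         # None for a sanitized object
        # *-property, condition 2: every unsanitized object read so far
        # must belong to the CDR being written.
        return all(self.cdr_of[o] == cdr for o in self._walled_history(consultant))


def demo():
    """Constructed objects and requests; returns (request, decision) pairs."""
    wall = ChineseWall(
        cdr_of={"a1_ledger": "A1", "a1_forecast": "A1",
                "a2_ledger": "A2", "b1_costs": "B1"},
        coi_of={"A1": "COI-A", "A2": "COI-A", "B1": "COI-B"},
        sanitized={"market_summary"},
    )
    c = "consultant"
    return [
        ("read a1_ledger", wall.read(c, "a1_ledger")),            # first read
        ("write a1_ledger", wall.can_write(c, "a1_ledger")),      # single CDR
        ("read a2_ledger", wall.read(c, "a2_ledger")),            # same COI class
        ("read a1_forecast", wall.read(c, "a1_forecast")),        # same CDR
        ("read market_summary", wall.read(c, "market_summary")),  # sanitized
        ("write a1_ledger", wall.can_write(c, "a1_ledger")),
        ("read b1_costs", wall.read(c, "b1_costs")),              # other COI class
        ("write a1_ledger", wall.can_write(c, "a1_ledger")),      # two CDRs read
        ("write b1_costs", wall.can_write(c, "b1_costs")),
    ]


if __name__ == "__main__":
    for request, decision in demo():
        print(f"{request:22s} {'granted' if decision else 'denied'}")
```

Once the consultant has read unsanitized objects from two CDRs, every write is denied while reads inside the wall continue to be granted.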
Here, as per the simple security property, sanitized objects are the objects belonging to any CDR of any COI class for which the particular consultant C already has read permission or is able to get read permission. The earlier access permissions of consultant C on sanitized objects are maintained in PR(C). Unsanitized objects are the objects belonging to any CDR of any COI class for which consultant C did not have any access permission earlier. The simple security property and the *-property correspond to the read and write rules of the CWAC model.
III. FORMAL CONCEPT ANALYSIS
In the early 1980s, in an attempt to restructure lattice theory, Rudolf Wille introduced formal concept analysis in Darmstadt [19]. FCA has been successfully applied in major research fields such as concept clustering, concept mining, information retrieval, knowledge representation and so on [20, 21, 22]. It is widely used in computer science research for data analysis and information management [23]. FCA is a mathematical theory which represents knowledge conceptually in tables and analyzes the hierarchy among the concepts by generating lattices. A formal context is a cross table which contains the set of objects as rows and the set of attributes as columns; the entries in the table represent the relationship between objects and attributes. It helps to check whether an object has a particular attribute or not.
2014 International Conference on Contemporary Computing and Informatics (IC3I)
The formal concept of a context is an ordered pair in which one component is a subset of all objects in the given context, called the "extent", and the other is a subset of all attributes in the context, called the "intent". The hierarchical ordering among the concepts is the sub-concept / super-concept partial ordering. The objects and attributes in the context are twofold in nature and form Galois connections among them. The connections represent the closure relation among objects and attributes. The set of all formal concepts in a context, connected by the super-concept / sub-concept partial ordering, is called the concept lattice.
In FCA, attribute dependencies are known as implications. An implication among attributes is a pair of attribute sets X and Y, written as the expression $X \rightarrow Y$. These attribute implications are similar to functional dependencies in the database field [24]. If there are n attributes, some $2^{2n}$ implications are possible. The set of implications without any duplicates forms the implication base of the context.
Concept Explorer, or ConExp [25], is a well-known and widely accepted software tool for implementing FCA. It is mainly used to build lattices from given formal contexts. It implements the basic functionalities of FCA such as concept generation and attribute exploration, and it can also calculate implications and association rules. These features make ConExp very helpful for research in the field of formal concept analysis. In recent times, fuzzy formal contexts have become popular and attracted attention in the field of formal concept analysis [26, 27].
IV. CHINESE WALL ACCESS CONTROL USING FORMAL CONCEPT ANALYSIS
In an access control table, rows represent subjects, columns represent objects and the elements of the matrix represent the actions or access permissions between the subjects and objects. The Chinese wall access control (CWAC) matrix contains the set of consultants (C), the data resources of the set of COI class companies (D) and the set of access permissions (P). Since it holds three sets of components, it is formalized as a triadic context. A sample triadic context for CWAC is shown in Table-I. To compare and comfortably visualize the relation among these components, it is better to deduce a dyadic context from the triadic context. Our objective is to model CWAC using FCA. To deduce the CWAC matrix as a dyadic formal context, the set of consultants forms the formal objects and the cross product of the set of access permissions and the set of company data resources (P x D) forms the attributes. The procedure to derive the proposed formal context using FCA is described below.
1) Identify the consultants (C), the company data resources (D) belonging to different COI classes and the access permissions (P) in the Chinese wall access control security policy.
2) Organize the components identified in Step-1 as a three dimensional matrix as shown in Table-I.
TABLE I. A SAMPLE TRIADIC CHINESE WALL ACCESS CONTROL SECURITY CONTEXT
In this table, consultants are named C1 to C6 and listed in rows. The data resource of COI class A's first company is named A1. Similarly, the other data resources of the different companies are named and listed in the columns of Table-I. The entries in the table represent the access permission of the particular consultant on the data resources of the different COI class companies.
3) From the set of consultants (C), the set of data resources of COI class companies (D) and the set of access permissions (P) obtained in Step-2, formalize a three dimensional matrix. This three dimensional matrix is in turn formalized as the triadic formal context of the form $K_{C,D,P} = (C, D, P, I)$, where I is the ternary relation between C, D and P.
4) Obtain the various dyadic formal contexts from the triadic formal context formalized in Step-3, where any one of the three sets C, D and P is considered as objects (rows) and the cross product of the other two is considered as attributes (columns). In total, we can deduce six different dyadic contexts, which include $K_{C, P \times D}$, $K_{C \times D, P}$ and $K_{P \times C, D}$ and the respective named components with equal cross tables $K_{C, D \times P}$, $K_{D \times C, P}$ and $K_{C \times P, D}$. Here, the formal context $K_{C,D,P} = (C, D, P, I)$ with $(C, (D \times P)) \in I_{C, D \times P} \Leftrightarrow (C, D, P) \in I$ is preferred for our CWAC. In this context, consultants (C) are the formal objects and the access permissions on the data resources of companies of different COI classes are the formal attributes.
5) Construct the concept lattice structure from the formal context obtained in Step-4. Here, the formal objects or consultants are organized in various levels of the lattice, depending on whether the object or consultant is associated with a single attribute or multiple attributes, that is, with a single company's data resources or with multiple data resources of different COI class companies. The consultants or objects associated with a single attribute or a single company's data resources are at level-1, i.e. L(C)=1, the consultants or objects associated with two attributes or two data resources of different COI class companies are at level-2, i.e. L(C)=2, and so on.
6) The resultant CWAC lattice structure arranges the nodes at different levels and defines the CWAC rules in such a way that the nodes with L(C) equal to one get write permission and the nodes with L(C) greater than one get read permission. It means that consultants associated with a single data resource of a company get read permission and consultants associated with more than one data resource of different COI classes of companies get read permission.
7) Further updates to the existing context, either by extending the access permission of an existing consultant to one or more data resources of different COI class companies or by adding new consultants with their access permissions to different COI class companies, reform the nodes in the concept lattice: consultant nodes change their position between levels, or new nodes are added at the appropriate level, in such a way that the same access rule described in Step-6 is applied.
In the next section, we illustrate the CWAC policy based on a common commercial consultancy service sharing scenario and FCA.
TABLE II. TRIADIC FORMAL CONCEPT OF A COMMERCIAL CONSULTANCY SHARING SCENARIO
V. EXPERIMENTAL RESULTS
To illustrate our proposed work, we consider a scenario in a commercial sector where consultants provide consultancy services in 3 distinct domains of organizations, namely Banks, Cements and Pharmaceuticals, by accessing the online data repositories and resources of the companies or organizations. For simplicity, we have assumed only 3 banks in the banks domain, 2 cement factories in the cements domain and 1 pharmaceutical company in the pharmaceuticals domain. Here, the 3 banks are named A1, A2 and A3, the 2 cement factories are named B1 and B2, and the pharmaceutical company in the pharmaceuticals domain is named C1. The access permissions of the consultants are either read or write. The read permission allows the consultants to perform only the read operation, whereas the write permission allows both read and write operations.
Considering the above commercial consultancy sharing scenario of 6 companies, to meet the requirements of the CWAC policy and to discuss all the different possible unique patterns in which consultants can choose companies, we have identified some 23 consultants. These consultants are referred to as consultant1 to consultant23, and they provide consultancy services to the above mentioned industries or organizations depending on their availability and the demand of the industries. Accordingly, a consultant accesses the resources of the industries being consulted either by read or by write. Here, it is the responsibility of the industry manager or the information system management tool to identify the right consultant for the industry without any conflict of interest, especially when choosing consultants who provide consultancy to more than one industry at the same time. Similarly, to avoid a conflict of interest, the consultant also needs to select industries which do not fall in the same category or domain. Once the consultant is fixed for an industry, the consultant is able to access the data resources of the industry depending on the access permission.
By considering the consultants as C, the data resources of different COI class companies as D and the access permissions as P, we formalize the triadic context of the above described commercial consultancy sharing scenario as shown in Table-II. From the triadic context in Table-II, the dyadic formal context $K_{C,(D \times P)}$ is constructed for the above commercial consultancy sharing scenario with the support of the ConExp tool, as shown in Table-III. In FCA terminology, we consider C as objects and DxP, i.e. D and P, as attributes. An entry in the formal context grants the consultant permission to access the resources of the company. A missing entry in the context denies the corresponding access permission on the corresponding data resources. The context in Table-III shows the different access permissions obtained by the various consultants. As per the CWAC properties, a consultant who accesses one company's data resources performs the write operation and a consultant who accesses more than one company's data resources performs only the read operation.
With the support of the ConExp tool, we generate the concepts for the context shown in Table-III. In total, it generates 25 concepts, and those concepts are listed in Table-IV. Similarly, we generate the corresponding CWAC lattice structure shown in Fig. 2 with the support of the ConExp tool. In this lattice structure, nodes represent the concepts and each node is associated with one consultant. No node has more than one object. So there are no duplicate objects; every consultant accesses a unique set of company data resources in our scenario. In this lattice, all nodes are associated with at least one consultant or object, and the lattice visualizes the nodes assembled in three levels.
TABLE III. DYADIC FORMAL CONTEXT OF A COMMERCIAL CONSULTANCY SHARING SCENARIO
Fig. 2 Lattice model for Chinese wall access control of commercial consultancy sharing scenario.
In the FCA context, a consultant who has access permission to a single CDR performs the write operation and satisfies both properties of CWAC, while a consultant who has access permission to more than one CDR has only the read permission and satisfies only the simple security property. Level 1 contains the object nodes Consultant 5, Consultant 3, Consultant 6, Consultant 2, Consultant 1 and Consultant 4. Here, each consultant is associated with a single company, and those companies are from different COI groups. Level 2 contains the object nodes Consultant 12, Consultant 17, Consultant 11, Consultant 15, Consultant 10, Consultant 14, Consultant 9, Consultant 13, Consultant 16, Consultant 8 and Consultant 7. Here, every consultant is associated with two data resources of companies from different COI groups. Level 3 contains the object nodes Consultant 23, Consultant 21, Consultant 19, Consultant 22, Consultant 20 and Consultant 18. Here, each consultant is associated with three data resources of companies from different COI groups.
TABLE IV. LIST OF CONCEPTS GENERATED FROM THE FORMAL CONTEXT
Even if we add or drop entries in our context, the lattice structure reforms itself by adding nodes at the suitable level or moving nodes between the appropriate levels. The nodes or consultants at level 1 satisfy the simple security property and the *-property of CWAC and get the write permission. The nodes or consultants at level 2 and level 3 satisfy only the simple security property and get only the read permission. In addition, the structure of this lattice again proves that an object or consultant hierarchy is not possible in the CWAC policy, as mentioned by Sandhu [17]. It means that consultants or objects placed higher in the hierarchy cannot possess more permissions (i.e. read and write) than the lower ones (i.e. read only). This is another significant observation in our analysis.
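The procedure of Section IV applied to the scenario of this section, as an added example that is not the authors' code or ConExp output. Assumptions: the 23 consultants are generated as every selection with at most one company per COI class, their numbering is constructed rather than taken from Table-II, and the lattice is computed with one attribute per CDR (the permission is dropped from each (CDR, permission) pair), which gives 25 concepts, the same count as reported above.

```python
from itertools import combinations, product

# Scenario from the text: 3 banks, 2 cement factories, 1 pharmaceutical company.
COI = {"A": ["A1", "A2", "A3"], "B": ["B1", "B2"], "C": ["C1"]}


def conflict_free_selections(coi):
    """All non-empty company sets with at most one company per COI class."""
    out = []
    for k in range(1, len(coi) + 1):
        for classes in combinations(sorted(coi), k):
            out += [frozenset(pick) for pick in product(*(coi[c] for c in classes))]
    return out


def triadic_relation(selections):
    """I as a set of (consultant, CDR, permission) triples.
    Permission follows step 6: one CDR -> write, several CDRs -> read.
    Consultant numbering is constructed, not taken from Table-II."""
    rel = set()
    for n, sel in enumerate(selections, start=1):
        perm = "write" if len(sel) == 1 else "read"
        rel |= {(f"consultant{n}", d, perm) for d in sel}
    return rel


def dyadic_context(rel):
    """Step 4: consultants as objects, (CDR, permission) pairs as attributes."""
    ctx = {}
    for c, d, p in rel:
        ctx.setdefault(c, set()).add((d, p))
    return {c: frozenset(a) for c, a in ctx.items()}


def project_to_cdr(ctx):
    """Assumption of this example: one attribute per CDR, permission dropped."""
    return {c: frozenset(d for d, _ in attrs) for c, attrs in ctx.items()}


def extent(ctx, attrs):
    """Derivation operator: the objects that have every attribute in attrs."""
    return frozenset(g for g, row in ctx.items() if attrs <= row)


def concepts(ctx):
    """All (extent, intent) pairs. The intents are the full attribute set
    plus every intersection of object rows."""
    intents = {frozenset().union(*ctx.values())}
    for row in ctx.values():
        intents |= {row & i for i in intents}
    return [(extent(ctx, i), i) for i in intents]


def level(ctx, consultant):
    """L(C): number of CDRs the consultant is associated with (step 5)."""
    return len(ctx[consultant])


def permission(ctx, consultant):
    """Step 6 rule read back from the lattice level."""
    return "write" if level(ctx, consultant) == 1 else "read"


def wall_violations(ctx, coi):
    """Consultants holding two CDRs of one COI class. This needs the COI map,
    which the text leaves to a domain expert."""
    cls = {d: k for k, members in coi.items() for d in members}
    return sorted(c for c, row in ctx.items()
                  if len({cls[d] for d in row}) < len(row))


def build():
    rel = triadic_relation(conflict_free_selections(COI))
    return project_to_cdr(dyadic_context(rel))


if __name__ == "__main__":
    ctx = build()
    by_level = {}
    for c in ctx:
        by_level[level(ctx, c)] = by_level.get(level(ctx, c), 0) + 1
    print(len(ctx), "consultants,", len(concepts(ctx)), "concepts")
    print("consultants per level:", dict(sorted(by_level.items())))
    bad = dict(ctx, consultant24=frozenset({"A1", "A2"}))  # constructed violation
    print("violations after adding an A1+A2 consultant:", wall_violations(bad, COI))
```

The 25 concepts are the 23 consultant nodes plus the top concept (empty intent) and the bottom concept (all six CDRs, empty extent).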
However, verifying whether these CDR groups fall into the same COI class or into different COI classes is done by a domain expert. So this is not considered in our model, and we have kept it for future research. In addition, in our model we account for the set of objects or data resources of a single CDR as one attribute, instead of considering each individual object as a separate attribute in our context. Considering every individual object in a CDR as a separate attribute in the FCA context is another challenging task.
VI. CONCLUSIONS
In this research work, we propose modeling CWAC using FCA. To accomplish this, a common commercial consultancy sharing scenario in the business sector is considered. From this scenario, we consider the consultants, the data resources of different COI classes and the access permissions as objects or attributes to formalize a triadic context which incorporates the CWAC properties. To visualize the formal concepts, the original triadic context is transformed into a dyadic context and the equivalent lattice structure is constructed. We have shown that the resultant context and lattice structure help to classify the access permissions of consultants based on the CWAC policy, and to understand how the CWAC access permission of every individual consultant depends on the consultant's level in the lattice structure. It proves that it is possible to model CWAC properties and rules using FCA. As discussed, considering every individual object of a CDR of different COI class companies as a separate attribute in the formal context, and classifying the CDRs of two different companies which fall into the same COI class in terms of formal concepts, are left for future research work.
REFERENCES
[1] B. Lampson, “Protection”, in Proceedings of the 5th Annual Princeton Conference on Information Sciences and Systems, pp. 437-443, 1971.
[2] Vincent C. Hu, David F. Ferraiolo and D. Rick Kuhn, Assessment of Access Control Systems, NIST Interagency Report 7316, Computer Security Division, NIST, MD 20899-8930, September, 2006.
[3] Ross J. Anderson, Frank Stajano, Jong-Hyeon Lee, “Security Policies”, Advances in Computers, vol. 55, pp. 185-235, 2001.
[4] P. Samarati, S. De Capitani di Vimercati, “Access Control: Policies, Models and Mechanisms”, in Foundations of Security Analysis and Design, R. Focardi, R. Gorrieri (eds.), Springer-Verlag, 2001.
[5] D. F. C. Brewer, M. J. Nash, “The Chinese Wall Security Policy”, IEEE Symposium on Security and Privacy, pp. 206-214, 1989.
[6] Ravi S. Sandhu, “Lattice-Based Access Control Models”, IEEE Computer, vol. 26, issue 11, pp. 9-19, 1993.
[7] Ravi S. Sandhu, “Role Hierarchies and Constraints for Lattice-Based Access Controls”, in Proceedings of European Symposium on Research in Computer Security, pp. 65-79, 1996.
[8] Ch. Aswani Kumar, “Designing role-based access control using formal concept analysis”, Security and Communication Networks, vol. 6, issue 3, pp. 373–383, March, 2013.
[9] Ch. Aswani Kumar, “Modeling Access Permissions in Role Based Access Control Using Formal Concept Analysis”, Wireless Networks and Computational Intelligence, Communications in Computer and Information Science, vol. 292, part 7, pp. 578-583, 2012.
[10] Sergei A. Obiedkov, Derrick G. Kourie and Jan H. P. Eloff, “Building access control models with attribute exploration”, Computers & Security, vol. 28, issue 1-2, pp. 2-7, 2009.
[11] Sergei A. Obiedkov, Derrick G. Kourie and Jan H. P. Eloff, “On lattices in access control models”, in Proceedings of the 14th International Conference on Conceptual Structures, pp. 374-387, 2006.
[12] Martin Knechtel, “Access restrictions to and with description logic web ontologies”, Dresden University of Technology, pp. 1-139, 2010.
[13] Frithjof Dau and Martin Knechtel, “Access Policy Design Supported by FCA Methods”, in Proceedings of 17th International Conference on Conceptual Structures, pp. 141-154, 2009.
[14] James Joshi, Walid G. Aref, Arif Ghafoor and Eugene H. Spafford, “Security models for web-based applications”, Communications of ACM, vol. 44, no. 2, pp. 38-44, 2001.
[15] Tsau Young Lin, “Chinese Wall Security Policy-An Aggressive Model”, in Proceedings of the Fifth Aerospace Computer Security Application Conference, pp. 286-293, December 4-8, 1989.
[16] Tsau Young Lin, “Chinese wall security policy-revisited a short proof”, IEEE International Conference on Systems, Man and Cybernetics, pp. 3027-3028, 2007.
[17] Ravi S. Sandhu, “Lattice-based enforcement of Chinese Walls”, Computers & Security, vol. 11, issue 8, pp. 753-763, 1992.
[18] Matt Bishop, Computer Security: Art and Science, Addison-Wesley Professional, December, 2002.
[19] Wille, R., “Restructuring Lattice Theory: An Approach based on Hierarchies of Concepts”, reprint in: Proceedings of the 7th International Conference on Formal Concept Analysis, Springer-Verlag Berlin/Heidelberg, pp. 314-339, 2009.
[20] Jonas Poelmans, Sergei O. Kuznetsov, Dmitry I. Ignatov and Guido Dedene, “Formal Concept Analysis in knowledge processing: A survey on models and techniques”, Expert Systems with Applications, vol. 40, issue 16, pp. 6601-6623, 2013.
[21] Aswani Kumar Ch., “Mining Association Rules Using Non-Negative Matrix Factorization and Formal Concept Analysis”, ICIP, Communications in Computer and Information Science, vol. 157, pp. 3139, 2011.
[22] Ch. Aswani Kumar and Prem Kumar Singh, “Knowledge Representation Using Formal Concept Analysis: A study on Concept Generation”, Global Trends in Intelligent Computing Research and Development, chapter 11, 2014.
[23] Ganter, B. and Stumme, G., Formal Concept Analysis: Methods and Applications in Computer Science, TU Dresden, Germany, Tech. Rep., 2003.
[24] Jinhai Li, Changlin Mei, Cherukuri Aswani Kumar and Xiao Zhang, “On rule acquisition in decision formal contexts”, International Journal of Machine Learning and Cybernetics, vol. 4, pp. 721-731, 2013.
[25] http://conexp.sourceforge.net.
[26] Ch. Aswani Kumar and S. Srinivas, “Concept lattice reduction using fuzzy k means clustering”, Expert Systems with Applications, vol. 37, issue 3, pp. 2696–2704, March 2010.
[27] Ch. Aswani Kumar, “Fuzzy clustering based formal concept analysis for association rules mining”, Applied Artificial Intelligence, vol. 26, issue 3, pp. 274-301, 2012.