Context-aware access control

Shizra Sultan: Video surveillance has become a necessary and unavoidable part of this modern era. It is widely adopted and has large area of applications including intelligent traffic management, healthcare, public safety, wildlife tracking, environment/weather monitoring and much more.

Video surveillance systems typically include of a camera and a storage medium, but now additional information can be included to make it more efficient, such as sound, location, infrared and many other types of metadata. During the past decade, Video Surveillance Systems (VSS) have evolved from simple video acquisition and display systems to intelligent automated systems, capable of performing complex procedures such as object detection and tracking, pattern recognition etc.

In this era of information driven management systems, it is imperative to handle data in a way so it is not misused. Measures against unwanted Information disclosure (confidentiality) and modification (integrity) can be achieved by a suitable access control mechanism, which in most cases requires verification of the requesting user (authentication). Access control defines who is authorized (user, subject) to access data (objects) and how it is controlled for different users. With such pervasive computing, access control has become complex as access decisions may depend on the context in which access requests are made. The contextual information represents a measurable contextual primitive and may entail such information being associated with a user, an object and the environment. The Attribute-Enhanced Role-Based Access Control model (AERBAC) combines the flexibility of enforcement from the attribute based access control model with the convenient specification of policies from the role-based access control model. Attributes, such as current location; time; task; or status of alarms, may be considered as part of the access control decision, thus supporting context-aware access control policies.

The Singapore Smart Nation Project is installing surveillance cameras for a number of applications ranging from traffic monitoring to crime prevention, thus requiring either duplication of infrastructure or a context-aware access control model that support multiple constituencies and "break glass" policies in emergency situations. The proposed project is to model the security requirements for access to the video surveillance system in the Singapore Smart Nation application scenarios using AERBAC. This requires identification of all stakeholders, both authorized users and potential attackers, definition of a framework to specify and enforce access control policies that meet the security requirements and development of a proof of concept prototype of the proposed framework. The AERBAC model provides many of the fundamental artifacts for this access control framework, but there is currently no dedicated language to specify context-aware access control policies for video surveillance systems. This specification language must be general, because it must capture the security policies of multiple organizations, and intuitive, because many video surveillance systems are installed and configured by electricians or other staff with limited computer security experience, so a graphical representation of (some of) the artifacts should be considered.

The access control framework developed in the proposed project, will be evaluated both analytically, through a security analysis of the framework, and empirically, through a proof of concept implementation of the framework using a subset of the Singapore Smart Nation research testbed. The security analysis will examine the coverage of the security model (does it cover all essential security requirements), the expressiveness of the developed access control policy specification language (is it easy to express and understand all the necessary access control policies), and the performance of the developed prototype (does it efficiently, effectively enforce all specified policies).

PhD project title: Context-Aware Access Control

Effective start/end date 01/02/2018 → 31/01/2021

Supervised by Christian D. Jensen from the section for Cyber Security at DTU Compute.

 

PhD Project by Shizra Sultan

Research section:  Cyber Security

Principal supervisor: Christian D. Jensen

Co-supervisors: Weizhi Meng

Title of project:  Context-Aware Access Control

Project start: 01/02/2018 → 31/01/2021

Contact

Shizra Sultan
PhD student
DTU Compute
+45 45 25 36 40

Contact

Christian D. Jensen
Associate Professor, Head of Section
DTU Compute
+45 45 25 37 24