Trust-aware access control: How recent is your transaction history?

Establishing trust in a subject requesting access to a sensitive resource object is fundamental in history-aware access control models. A subject´s past behaviour could be used as an indication about the subject´s trustworthiness. In fact, a subject´s trust plays a significant role in deciding the associated access rights in, for example, context-aware access control models. Recently, there have been efforts to accommodate the subject´s trust level to provide smart security services including access control. Some proposals utilise data mining techniques, whereas some incorporate statistical methods to compute the subject´s trust value. Most of the models fail to identify malicious attempts from genuine subjects. In this paper, we propose a new model that bridges the gap by incorporating the concepts of Recency, Frequency and Sensitivity (RFS) in trust computation. The model is formally defined and prototyped in Java using the XACML RBAC profile and its run-time performance is investigated. The results show the model adds a significant overhead on top of the RBAC core model. However, the trust computation process could be done off-line cutting down that overhead dramatically, thus providing an affordable solution.