Next: Approach Up: The Specification and Enforcement Previous: The Specification and Enforcement


Introduction and Motivation

As more and more enterprises make their critical information available on the Internet, whether only to employees or also to end customers, they are exposed to significant risks such as theft, fraud, and denial of service attacks. The most damaging consequences generally result from attacks within the system: otherwise legitimate users (or attackers posing as such users) performing unauthorized activities.

Detecting these kinds of attacks can require instrumenting applications to generate audit records, because the relevant activity is understood only at the application layer.

In addition to a means of detecting attacks (the role of an intrusion detection system), it is essential to have well-defined policies that specify what to do under perceived attack conditions, and also under mere suspicion of attack, so that data can be gathered to determine whether an attack is actually present.

Countermeasures to such attacks must similarly be implemented at the application layer, through enforcement of policies that distinguish legitimate from illegitimate activities; this distinction often requires application-level knowledge.

While users cannot be prevented from using resources to which they have legitimate access, protective measures such as audit analysis combined with threshold control can be used to examine their actions. Consider the authorization policy: "Members of department 1#1 can access printer 2#2. If the number of print jobs created during the day is higher than 20, activate audit to log the time, file name and account name." Here the threshold is used to detect suspicious use of resources: the audit log can reveal that an individual prints far more than the average user, which could indicate the running of a covert business.

The policies themselves must adapt automatically to changing security requirements in the event of a possible intrusion, while still allowing users to operate in the changed environment. For example, consider the authorization policy: "Tom can connect to host 3#3 if the system threat level is low (normal operational state). If the threat level is medium (suspicious behavior observed), Tom can connect only from a host within the administrative domain 4#4, and the connection must not last longer than 2 hours. If the threat level is high (the system is under attack), Tom cannot connect."

Current access control systems are based on the premise that once a user is authorized to perform an operation, access is granted unconditionally and the operation is not examined further. This practice is unlikely to detect abuse of user privileges. To provide an additional level of security checking, close monitoring of authorized actions may be necessary; policies can then be applied to control the execution of the requested actions, not just their initiation.

Policy enforcement points can fall in three time phases:

  1. Before the requested operation starts, to decide whether the operation is authorized.

  2. During execution of the authorized operation, to detect malicious behavior in real time (e.g., a user process consuming excessive system resources).

  3. When the operation completes, to activate post-execution actions such as logging and notification of whether the operation succeeded or failed.
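The following is an added example, not code from the thesis: a small evaluator that encodes the two policies quoted above (the print-threshold audit rule and Tom's threat-level-dependent connection rule) and enforces them in the three phases just listed. The concrete names (department "dept1", printer "printer1", host "host1", the ".admin.example" administrative domain, and the rule that a threshold alert raises the threat level from low to medium) are assumptions made for the illustration; the original text gives the department, printer, host and domain only as symbols.

```python
# Added example: toy evaluator for adaptive, threshold-controlled
# authorization policies enforced before, during and after an operation.
# All policy constants below are assumed for illustration.
from dataclasses import dataclass, field
from datetime import timedelta
from typing import Dict, List, Optional

PRINT_THRESHOLD = 20              # jobs per day before audit is switched on
ADMIN_DOMAIN = ".admin.example"   # assumed administrative domain suffix
CONNECT_LIMIT = timedelta(hours=2)


@dataclass
class Request:
    user: str
    department: str
    operation: str          # "print" or "connect"
    target: str             # printer or host being accessed
    from_host: str = ""     # originating host, used for "connect"


@dataclass
class SystemState:
    threat_level: str = "low"                 # "low", "medium" or "high"
    print_jobs_today: Dict[str, int] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)


@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: bool = False                       # generate audit records?
    max_duration: Optional[timedelta] = None  # cap on execution time


def pre_execution(req: Request, state: SystemState) -> Decision:
    """Phase 1: decide before the operation starts whether it is authorized."""
    if req.operation == "print":
        if req.department != "dept1" or req.target != "printer1":
            return Decision(False, "not a dept1 member or wrong printer")
        # Threshold control: the 21st job of the day activates auditing.
        over = state.print_jobs_today.get(req.user, 0) + 1 > PRINT_THRESHOLD
        return Decision(True, "dept1 member may print", audit=over)
    if req.operation == "connect" and req.user == "tom" and req.target == "host1":
        if state.threat_level == "low":
            return Decision(True, "threat level low")
        if state.threat_level == "medium":
            if req.from_host.endswith(ADMIN_DOMAIN):
                return Decision(True, "medium threat: admin-domain host",
                                audit=True, max_duration=CONNECT_LIMIT)
            return Decision(False, "medium threat: connect only from admin domain")
        return Decision(False, "threat level high: connections refused")
    return Decision(False, "no matching rule (default deny)")


def during_execution(decision: Decision, elapsed: timedelta) -> bool:
    """Phase 2: True while the running operation is still within policy."""
    return decision.max_duration is None or elapsed <= decision.max_duration


def post_execution(req: Request, state: SystemState, decision: Decision,
                   succeeded: bool, filename: str = "") -> Optional[dict]:
    """Phase 3: update counters, emit an audit record, adapt the threat level."""
    if req.operation == "print" and succeeded:
        state.print_jobs_today[req.user] = state.print_jobs_today.get(req.user, 0) + 1
    if not decision.audit:
        return None
    record = {"user": req.user, "operation": req.operation, "target": req.target,
              "file": filename, "succeeded": succeeded}
    state.audit_log.append(record)
    # Assumed response rule: a threshold alert raises the threat level,
    # which tightens Tom's connection policy on his next request.
    if req.operation == "print" and state.threat_level == "low":
        state.threat_level = "medium"
    return record


def simulate_print_day(user: str, jobs: int) -> SystemState:
    """Run `jobs` print requests for one dept1 user through all three phases."""
    state = SystemState()
    req = Request(user, "dept1", "print", "printer1")
    for i in range(jobs):
        decision = pre_execution(req, state)
        if decision.allowed:
            post_execution(req, state, decision, succeeded=True, filename=f"job{i}.ps")
    return state


if __name__ == "__main__":
    day = simulate_print_day("alice", 25)
    print(len(day.audit_log), "audit records; threat level now", day.threat_level)
```

Running the simulation for 25 jobs produces five audit records (jobs 21 to 25) and leaves the system at threat level medium, so a subsequent connection request from Tom is admitted only from an admin-domain host and with the two-hour cap that `during_execution` enforces.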

To protect sensitive and critical system resources in distributed environments, a system must be capable of supporting advanced security policies:

  1. The policies must be adaptive, to accommodate changes in security requirements and to assist in detecting and responding to intrusion and misuse. To do so, the policies should indicate not only which activities are authorized but also provide the means to detect abuse of user privileges; in particular, a policy should specify when audit records are to be generated and allow for immediate notification.

  2. Policy enforcement can be required at various stages of the requested action, so the policies should indicate when each rule has to be enforced.

The ability to enforce advanced policies has practical importance, for example, in computational Grids [5]. Grids are large-scale distributed computing environments that enable applications to use scientific instruments, and computational and information resources, that are managed by diverse organizations.

System administrators who contribute resources to a Grid require assurance that those resources are adequately protected. In a Grid setting, the security requirements include:

  1. User authentication.
    The authenticated user identity is used to determine who gains access to local resources.

  2. Resource usage limits (quotas).
    A site-specific resource allocation policy specifies limits on the computational or storage resources to be consumed, such as CPU load, memory usage and disk space. The limits are taken into account when deciding whether to initiate the requested computation. Monitoring execution of the computation on a particular node must be supported to ensure that the process stays within the limits imposed by the local policy.

  3. Accounting and payment.
    Owners of the resources may hold users accountable for the consumed resources. Accounting may include gathering information about executed computations and consumed resources. The accounting information can be used in payment models for remote service providers.

  4. Audit.
    Audit provides a means of achieving individual accountability and supplies data for analysis by intrusion or misuse detection systems.

  5. Intrusion and misuse detection.
    Grids are vulnerable to large-scale malicious attacks that could disrupt Grid services. It is therefore essential for Grids to support detection of, and automatic response to, intrusion attempts.

  6. Event notification.
    Tools for intrusion detection and fault tolerance can be driven by event services. Alert-level notification messages permit cooperative responses: for example, notification that a computation exceeds its quotas can signal an ongoing denial of service attack, and adequate preventive measures can be taken once the attack is confirmed.

Authentication, authorization, audit, notification and intrusion detection systems are interrelated and should be used together to achieve effective system security.

The goal of this work is to design an authorization system that supports such advanced security policies.


Tatyana Ryutov 2002-06-25