Location-Aware RBAC Based on Spatial Feature Models and Realistic Positioning

摘要

The location of a mobile user presents valuable information when deriving access control decisions. Hence, several location-aware extensions to role-based access control (RBAC) exist in literature. However, these approaches do not consider positioning errors. This leads to unexpected security breaches, when the user's ground truth differs from the reported location. Further, most approaches simply define a polygon as authorized zone and authorize when the reported position lies inside. To overcome these limitations, this paper presents a risk-optimal approach to RBAC. Position estimates are represented as probability distributions instead of points. Location constraints are assigned to RBAC elements and include cost functions for false positive and false negative decisions as well as feature models, which replace traditionally used polygons. Feature models describe for each location the likelihood that a specific feature can be observed. The evaluation shows that such risk-optimal RBAC outperforms risk-ignoring, polygon-based approaches. However, this risk-optimality is bought at the expense of a runtime highly increasing with the number of applied location constraints.