Dynamic Access Control Framework for Internet of Things
In the near future, IoT ecosystems will enable billions of smart things to interconnect and communicate information about themselves and their physical environments. The high density of smart things in these environments allows for fine-grained data acquisition, enabling the development of advanced services and new kinds of applications ranging from wearable devices to air conditioners to fully automated cars. However, the dense and pervasive collection, processing and dissemination of data can unleash sensitive information about individuals, raising non-trivial security and privacy concerns. One solution for IoT security and privacy is to restrict access to sensitive data using access control and authorization techniques. Although many basic principles of standard access control models continue to apply, the high dynamic nature of IoT environments, resources limitation of IoT devices and vulnerability to physical and virtual attacks present unique challenges that render existing access control schemes unfit for IoT. This research introduces a holistic and dynamic access control framework for IoT environments. The framework consists of three components: an automatic and context-aware policy specification method, continuous policy enforcement mechanism and an adaptive policy adjustment technique. In response to access requests, the automatic policy specification component dynamically generates access control rules that grant access permissions based on predefined primitive facts. The primitive facts describe the attributes of the IoT devices registered to the system and the operational contexts under which these devices can interact. The continuous policy enforcement mechanism constantly monitors the compliance of the operational context while resource is in use, and re-evaluates ongoing access sessions in response to changes in operational contexts and/or access policies. The adaptive policy adjustment component assesses the access behavior of the IoT devices, adjusts the access control policies based on device behavioral patterns and recommends policy adjustments to the policy administrator for final approval. Experimental results show that the proposed framework provides higher adaptability to the dynamic security and privacy requirements of IoT deployments as well as better flexibility in access control policy management.