5.3 Defining Malicious Changeload
5.3.4 Change Types and Changes
This section describes the change types applicable to authorisation infrastructures, followed by example instantiations of change types, referred to as changes.
CHAPTER 5. SIMULATING INSIDER THREAT 126
Change Types
Change types affect either identity services or authorisation services, which are characterised as part of an authorisation infrastructure, or its environment, consisting mainly of protected resources. Change types are defined as a vector of ‘attributes’ that describe a change and the dynamics of a change.
Note that the domain of authorisation infrastructures refers to an ‘attribute’ as a piece of information that expresses something about the subject or the current conditions within an accessed resource. This is not to be confused with attributes of a formal model of change (i.e., changeload). However, authorisation attributes can exist as vector attributes within such a formal model.
Definition 23 (Change Type [24]) “A change type, given a set of architectural types $T$, is defined as a tuple $(src, A, B)$ that characterises a change, where:
• $src \in T$ identifies the source of the change;
• $A = \langle a_1, \ldots, a_k \rangle$ is a vector of attributes that hold information about the specific properties (variables) associated with the change type;
• $B = \langle b_1, \ldots, b_k \rangle$ describes the dynamics of the attributes in $A$ (how they evolve over time, e.g., through a polynomial, exponential, or step function).”
In application to authorisation infrastructures, a change type describes an observable event within identity services, authorisation services, or protected resources. Essentially, the observation of such change will have a consequence on properties contained within the system and environment model.
Definition 24 (Environment Change Model [24]) “An environment change model $CM_{env}$ is a set of change types applicable to the environment properties ($\Gamma_{env}$) of a system family with some degree of commonality (e.g., common subset of architectural types).”
Example 7 In the following, several low-level environment change types are exemplified, depicting the process of a subject requesting access to a resource. The instantiation of these change types will have a consequence on one or more environment properties.
(i) Authentication request type captures (within an identity service) the identity service receiving a request for authentication of a user.
$$\textit{auth request type} = \langle \textit{identity service}, \langle \textit{authRequest}(\textit{username}, \textit{password}) \rangle, \langle \textit{event} \rangle \rangle$$
(ii) Attribute release request type captures a request received by the identity service made by a service provider for a subject’s identity attributes.
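$$\textit{attr release request type} = \langle \textit{identity service}, \langle \textit{attrRequest}(\textit{identity}, \langle \textit{iAttribute type}_1, \ldots, \textit{iAttribute type}_n \rangle, \textit{target}) \rangle, \langle \textit{event} \rangle \rangle$$
$$\textit{identity} = \langle \textit{identity type}, \textit{identity value} \rangle$$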
It describes the request of a service provider (target) for a set of identity attributes (iAttribute type) that have been issued to a subject (identity). The set of attributes requested can be a null set, therefore requesting all releasable attribute types for the subject identity. Note that an identity is referred to by a type of identifier and a value. For example, identity type may be an LDAP distinguished name.
(iii) Credential validation request type is the receipt of a credential validation request within an authorisation service.
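$$\textit{cred validation request type} = \langle \textit{auth service}, \langle \textit{valRequest}(\textit{identity}, \textit{issuer}, \langle \textit{iCondition}_1, \ldots, \textit{iCondition}_n \rangle, \langle \textit{iAttribute}_1, \ldots, \textit{iAttribute}_n \rangle) \rangle, \langle \textit{event} \rangle \rangle$$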
It contains attributes issued by a given identity provider (issuer) for a requesting subject, detailing a request to validate a subject’s attributes. A set of conditions specified by the issuer can also be contained, whereby a condition refers to a type / value tuple, such as a single use declaration, or validity time. A credential validation request can either push the subject’s known attributes, or (given a null set) require the authorisation service to pull the subject’s known attributes from the subject’s identity provider. In the latter case, the authorisation service invokes an attribute release request.
(iv) Access request type is the request, received by an authorisation service, and made by a resource on behalf of a subject.
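$$\textit{access request type} = \langle \textit{auth service}, \langle \textit{accessRequest}(\langle \textit{iAttribute}_1, \ldots, \textit{iAttribute}_n \rangle, \textit{resource}, \textit{action}, \langle \textit{rAttribute}_1, \ldots, \textit{rAttribute}_n \rangle, \textit{identity}) \rangle, \langle \textit{event} \rangle \rangle$$
$$\textit{iAttribute} = \langle \textit{iAttribute type}, \textit{iAttribute value} \rangle$$
$$\textit{rAttribute} = \langle \textit{rAttribute type}, \textit{rAttribute value} \rangle$$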
The request contains 1) the subject’s identity attributes (iAttribute), 2) the resource and action to be carried out by the subject, 3) a set of resource environment attributes (rAttribute) provided by the resource (e.g., $\langle \textit{timeOfDay type}, \text{11am} \rangle$), and 4) the requesting subject’s identity.
(v) Resource action step type models an action that has occurred within any protected resource. The type is generic as resources are generally unique to the organisation and their purpose, unlike with an authorisation service type that exists to fulfil access control requirements.
$$\textit{resource action step type} = \langle \textit{resource}, \langle \textit{rAttribute} \rangle, \langle \textit{step function} \rangle \rangle$$
The type identifies an attribute modification by means of a step function. The attribute modified (rAttribute) is a tuple of type / value, and can represent anything modelled within the resource type, be it generic or specific. For example, this type could be instantiated to increase the total amount of bandwidth consumed by a subject, within a given session.
Definition 25 (System Change Model [24]) “A system change model $CM_{sys}$ is a set of change types applicable to the system properties ($\Gamma_{sys}$) of a family of systems that share some degree of commonality (e.g., common subset of architectural types).”
Example 8 In the following, several examples of system change types are described, conveying the system’s response to a subject requesting access.
(i) Authentication decision type captures the consequence (within an identity service) of an authentication request being responded to.
$$\textit{auth decision type} = \langle \textit{identity service}, \langle \textit{authDecision}(\textit{auth request}) \rangle, \langle \textit{event} \rangle \rangle$$
(ii) Attribute release type is the consequence of an attribute release request, within an identity service.
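$$\textit{attr release type} = \langle \textit{identity service}, \langle \textit{attrRelease}(\textit{attr release request}) \rangle, \langle \textit{event} \rangle \rangle$$
$$\textit{attrRelease}(\textit{attr release request}) = \langle \textit{issuer}, \textit{identity}, \langle \textit{iCondition}_1, \ldots, \textit{iCondition}_n \rangle, \langle \textit{iAttribute}_1, \ldots, \textit{iAttribute}_n \rangle \rangle$$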
It details the releasable identity attributes (iAttribute) as a tuple stating the type of identity attribute and its value. Identity attributes are released along with the issuer of the attributes (i.e., an ID of the identity provider or individual who assigned these attributes), the identity of the subject (i.e., a persistent ID), and a set of conditions. Conditions are a type / value tuple, detailing the use of the released attributes. For example, a condition may assert that the released attributes may only be used once, or can only be used in a given time frame.
(iii) Credential validation type is the consequence of a credential validation request, within an authorisation service.
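$$\textit{cred validation type} = \langle \textit{auth service}, \langle \textit{valCredentials}(\textit{cred validation request}) \rangle, \langle \textit{event} \rangle \rangle$$
$$\textit{valCredentials}(\textit{cred validation request}) = \langle \textit{viAttribute}_1, \ldots, \textit{viAttribute}_n \rangle$$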
It returns valid attributes (viAttribute) for a subject if the provided iAttributes conform to the authorisation service’s credential validation policy. These are effectively the same as identity attributes, however, they are referred to as valid because an authorisation service has checked that the identity service is trusted to issue them.
(iv) Access decision type is the consequence of an access request, providing a decision based on the attributes within an access request, and an authorisation service’s access control policy.
$$\textit{access decision type} = \langle \textit{auth service}, \langle \textit{accessDecision}(\textit{access request}) \rangle, \langle \textit{event} \rangle \rangle$$
Changes
A change is an instantiation of a change type. Once enacted, the perception of state (either system or environment) has changed.
Definition 26 (Change [24]) “Given a set of change types $CT$ defined for a set of architecture types $T$, and an architecture model $A = (T, G, \Gamma)$, a change is a tuple $(ct, src_{inst}, V_A, V_B, t_i, d)$ that corresponds to an instantiation of a change type, where:
• $ct = (src, A, B) \in CT$ determines the change type to be instanced as a change;
• $src_{inst} \in N$, such that $G = (N, E)$, where $\Lambda(src_{inst}) = src$, is the instance of the source of change (i.e., where it actually occurs);
• $V_A = \langle v_{A_1}, \ldots, v_{A_k} \rangle$ is a vector of attribute values instantiating the attributes in $A$;
• $V_B = \langle v_{B_1}, \ldots, v_{B_k} \rangle$ is a vector of behavior instances of the elements in $B$ (i.e., a behavior instance $v_{B_i}$, $i \in \{1, \ldots, k\}$, is a function of type $b_i \in B$, describing the evolution over time of the attribute $v_{A_i} \in V_A$);
• $t_i \in \mathbb{R}^+_0$ determines the time instant in which the change instance is triggered;
• $d \in \mathbb{R}^+_0$ is the duration associated with the change.”
A set of exemplified changes are described in Appendix B.1. These changes demonstrate the instantiation of change types for both environment and system change, detailing the progression of a subject authenticating, requesting, and gaining access to a resource.
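The following Python sketch is an added example, not code from the thesis or from [24]. It encodes Definition 23 and Definition 26 as data structures, checks a change against the constraints of Definition 26, and replays instances of the resource action step type from Example 7 (v) to obtain an attribute's value over time. The node names, the bandwidthMB attribute, the step() helper and the convention that each step adds the value carried in VA are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ChangeType:              # Definition 23: (src, A, B)
    src: str                   # architectural type where the change originates
    A: tuple                   # attribute names
    B: tuple                   # dynamics of each attribute ("event", "step", ...)

@dataclass(frozen=True)
class Change:                  # Definition 26: (ct, srcinst, VA, VB, ti, d)
    ct: ChangeType
    srcinst: str               # node of the architecture graph where it occurs
    VA: tuple                  # attribute values, one per entry of A
    VB: tuple                  # behaviour instances, one per entry of B
    ti: float                  # trigger time, must be >= 0
    d: float                   # duration, must be >= 0

def step(delta):               # assumed helper: step-function behaviour instance
    return lambda elapsed: delta if elapsed >= 0 else 0

def violations(change, node_type):
    """Check a change against the constraints stated in Definition 26."""
    out = []
    if node_type.get(change.srcinst) != change.ct.src:
        out.append("srcinst is not an instance of src")
    if len(change.VA) != len(change.ct.A) or len(change.VB) != len(change.ct.B):
        out.append("VA/VB do not match A/B")
    if change.ti < 0 or change.d < 0:
        out.append("negative time")
    return out

def attribute_at(changeload, node_type, attr_type, t):
    """Value of a resource attribute at time t after replaying valid changes."""
    total = 0
    valid = [c for c in changeload if not violations(c, node_type)]
    for c in valid:
        for (a_type, _), behaviour in zip(c.VA, c.VB):
            if a_type == attr_type:
                total += behaviour(t - c.ti)
    return total

# Constructed sample data (assumed names and values, not taken from the thesis).
NODES = {"fileserver1": "resource", "idp1": "identity_service"}
STEP_TYPE = ChangeType("resource", ("rAttribute",), ("step_function",))
CHANGELOAD = [
    Change(STEP_TYPE, "fileserver1", (("bandwidthMB", 200),), (step(200),), 10.0, 0.0),
    Change(STEP_TYPE, "fileserver1", (("bandwidthMB", 350),), (step(350),), 25.0, 0.0),
    Change(STEP_TYPE, "idp1", (("bandwidthMB", 999),), (step(999),), 5.0, 0.0),  # wrong source
]
```

The third change is rejected because its source instance is an identity service rather than a resource, so it never contributes to the replayed attribute value.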