IntroductionCost-Sensitive ClassificationMethods for Cost-Sensitive ClassificationExperimentsCost AssignmentExperimental ResultsRelated WorkConclusion and Future WorkCost-Sensitive Access Control for IllegitimateConfidential Access by InsidersYoung-Woo Seo and Katia SycaraRobotics InstituteCarnegie Mellon UniversityPittsburgh PA 15213, USA{ywseo, katia}@cs.cmu.eduAbstract. In many organizations, it is common to control access to con-fidential information based on the need-to-know principle; The requestsfor access are authorized only if the content of the requested informationis relevant to the requester’s current information analysis project. Weformulate such content-based authorization, i.e. whether to accept or re-ject access requests as a binary classification problem. In contrast to theconventional error-minimizing classification, we handle this problem in acost-sensitive learning framework in which the cost caused by incorrectdecision is different according to the relative importance of the requestedinformation. In particular, the cost (i.e., damaging effect) for a false pos-itive (i.e., accepting an illegitimate request) is more expensive than thatof false negative (i.e., rejecting a valid request). The former is a serioussecurity problem because confidential information, which should not berevealed, can be accessed. From the comparison of the cost-sensitive clas-sifiers with error-minimizing classifiers, we found that the costing witha logistic regression showed the best performance, in terms of the small-est cost paid, the lowest false positive rate, and the relatively low falsenegative rate.1 IntroductionIllegitimate access to confidential information by insiders poses a great risk toan organization. Since malicious insiders are well aware of where the valuableinformation resides and which cause damaging effects, the results of illegitimateconfidential access are far more costly. Illegitimate access is difficult to effec-tively prohibit or detect because malevolent actions are done by already trustedpersons.One of the most common approaches to handle this problem is access controlbased on the need-to-know principle; The requests for access are authorized onlyif the content of the requested information is relevant to the requester’s project.For example, if an information analyst’s current project concerns the develop-ment of nuclear weapon by Iran, it would be illegitimate for the analyst to haveaccess to documents on other aspects, e.g., feminist activities in Iran. However,since documents on these different aspects of Iranian politics and welfare are notS. Mehrotra et al. (Eds.): ISI 2006, LNCS 3975, pp. 117–128, 2006.c Springer-Verlag Berlin Heidel berg 2006118 Y.-W. Seo and K. Sycaranecessarily a priori separated in different secured data bases, the issue of allowingaccess on a need-to-know basis on particular documents is very challenging.Requests to access the confidential information may occur, for example, whenan employee is assigned to a new project and needs to access background knowl-edge. The project manager will either hand select only those confidential infor-mation that he will let the employee see, or completely bar access to the entirecollection rather than exposing information that should not be exposed. Howeverthis approach is quite inflexible. It does not allow easy adjustment to frequentchanges of a user’s task assignment. Project assignments for an employee may bechanged quite often and hence the employee needs to access confidential informa-tion related to the newly assigned project. Alternatively, since the organizationwants to make sure that the employee accesses only pertinent information, aset of access control lists (ACL) may be compiled manually to control those re-quests. Each item of confidential information is associated with an ACL, whichensures a corresponding level of security and can be accessed by anyone who hasbeen authorized. However this approach has a crucial security weakness. Since,for the purpose of indexing and security, confidential information is grouped intocontainers by project-basis, a user who is authorized to a segment of confidentialinformation in a container is actually able to access the entire container.As a solution for these problems, we developed a multi-agent system that han-dles the authorization of requests for confidential information as a binary clas-sification problem [9]. Instead of relying on hand-picked information or coarse-grained ACLs, our system classifies on-the-fly the content of each requestedinformation access as positive or negative with respect to the content of therequester’s project and authorizes the request if the requested information isclassified as positive to the requester’s project. Otherwise the request is rejectedbecause the requester’s project description is not similar to the information. Ourapproach is quite flexible and adaptive to changes of project assignment becauseonly an updated description of newly assigned projects is necessary to re-trainthe classifiers, instead of re-compiling the ACL on all changing relevant infor-mation. Therefore, it is much less expensive, both computationally, and also interms of human time and effort, than an ACL-based approach.Although our approach showed a relatively good performance [9], we believethere is room for improvement. Previously we made use of five different error-minimizing classifiers for authorizing the requests to access confidential informa-tion. However, in domains where there is differential cost for misclassification ofexamples, an error-minimizing approach may not give results that reflect the real-ity of the domain. For example, suppose that there are 100 medical cases that arecomprised of 5 cancer cases and 95 flu cases. Without considering the cost for mis-classification (e.g., compensation for misdiagnosis), an error-minimizing classifierwould simply achieve the lower error rate by ignoring the minority class, eventhough the actual result of misdiagnosis on cancer is far worse than that of flu.Thus, it is undesirable to use an error-minimizing classification method, whichtreats all mis-classification costs equally for such a cost-sensitive scenario becauseprimarily it classifies every example as belonging to the most probable class.Cost-Sensitive Access Control for Illegitimate Confidential Access by Insiders 119In this paper we present our works for testing