{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,21]],"date-time":"2026-04-21T13:20:25Z","timestamp":1776777625397,"version":"3.51.2"},"reference-count":43,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2022,12,5]],"date-time":"2022-12-05T00:00:00Z","timestamp":1670198400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100000038","name":"Natural Sciences and Engineering Research Council","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100000038","id-type":"DOI","asserted-by":"crossref"}]},{"name":"Ontario Centres of Excellence Voucher for Innovation Productivity 1 program"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Digital Threats"],"published-print":{"date-parts":[[2022,12,31]]},"abstract":"<jats:p>Access to resources by users may need to be granted only upon certain conditions and contexts, perhaps particularly in cyber-physical settings. Unfortunately, creating and modifying context-sensitive access control solutions in dynamic environments creates ongoing challenges to manage the authorization contexts. This article proposes RASA, a context-sensitive access authorization approach and mechanism leveraging unsupervised machine learning to automatically infer risk-based authorization decision boundaries. We explore RASA in a healthcare usage environment, wherein cyber and physical conditions create context-specific risks for protecting private health information. The risk levels are associated with access control decisions recommended by a security policy. A coupling method is introduced to track coexistence of the objects within context using frequency and duration of coexistence, and these are clustered to reveal sets of actions with common risk levels; these are used to create authorization decision boundaries. In addition, we propose a method for assessing the risk level and labelling the clusters with respect to their corresponding risk levels. We evaluate the promise of RASA-generated policies against a heuristic rule-based policy. By employing three different coupling features (frequency-based, duration-based, and combined features), the decisions of the unsupervised method and that of the policy are more than 99% consistent.<\/jats:p>","DOI":"10.1145\/3480468","type":"journal-article","created":{"date-parts":[[2021,8,13]],"date-time":"2021-08-13T21:20:38Z","timestamp":1628889638000},"page":"1-29","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":3,"title":["Risk-aware Fine-grained Access Control in Cyber-physical Contexts"],"prefix":"10.1145","volume":"3","author":[{"given":"Jinxin","family":"Liu","sequence":"first","affiliation":[{"name":"University of Ottawa, Ottawa, ON, Canada"}]},{"given":"Murat","family":"Simsek","sequence":"additional","affiliation":[{"name":"University of Ottawa, Ottawa, ON, Canada"}]},{"given":"Burak","family":"Kantarci","sequence":"additional","affiliation":[{"name":"University of Ottawa, Ottawa, ON, Canada"}]},{"given":"Melike","family":"Erol-kantarci","sequence":"additional","affiliation":[{"name":"University of Ottawa, Ottawa, ON, Canada"}]},{"given":"Andrew","family":"Malton","sequence":"additional","affiliation":[{"name":"BlackBerry Ltd., Waterloo, ON, Canada"}]},{"given":"Andrew","family":"Walenstein","sequence":"additional","affiliation":[{"name":"BlackBerry Ltd., BlackBerry, Bellevue WA, Canada"}]}],"member":"320","published-online":{"date-parts":[[2022,12,5]]},"reference":[{"key":"e_1_3_2_2_2","first-page":"1","volume-title":"Proceedings of the 6th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec\u201913)","author":"Andriotis Panagiotis","year":"2013","unstructured":"Panagiotis Andriotis, Theo Tryfonas, George Oikonomou, and Can Yildiz. 2013. A pilot study on the security of pattern screen-lock methods and soft side channel attacks. In Proceedings of the 6th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec\u201913). Association for Computing Machinery, New York, NY, 1\u20136. DOI:10.1145\/2462096.2462098"},{"key":"e_1_3_2_3_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2017.2719706"},{"key":"e_1_3_2_4_2","first-page":"1","volume-title":"Proceedings of the IEEE 30th Canadian Conference on Electrical and Computer Engineering (CCECE\u201917)","author":"Ashibani Yosef","year":"2017","unstructured":"Yosef Ashibani, Dylan Kauling, and Qusay H. Mahmoud. 2017. A context-aware authentication framework for smart homes. In Proceedings of the IEEE 30th Canadian Conference on Electrical and Computer Engineering (CCECE\u201917). 1\u20135. DOI:10.1109\/CCECE.2017.7946657ISSN: null."},{"key":"e_1_3_2_5_2","doi-asserted-by":"crossref","first-page":"100052","DOI":"10.1016\/j.iot.2019.100052","article-title":"An efficient security risk estimation technique for risk-based access control model for IoT","volume":"6","author":"Atlam Hany F.","year":"2019","unstructured":"Hany F. Atlam and Gary B. Wills. 2019. An efficient security risk estimation technique for risk-based access control model for IoT. Internet Things 6 (2019), 100052.","journal-title":"Internet Things"},{"key":"e_1_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.5555\/1925004.1925009"},{"key":"e_1_3_2_7_2","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2420957"},{"key":"e_1_3_2_8_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2018.2868726"},{"key":"e_1_3_2_9_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2018.2812844"},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1109\/MITP.2013.50"},{"key":"e_1_3_2_11_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2905846"},{"key":"e_1_3_2_12_2","first-page":"1052","volume-title":"Proceedings of the IEEE 2nd Ukraine Conference on Electrical and Computer Engineering (UKRCON\u201919)","author":"Dundua Besik","year":"2019","unstructured":"Besik Dundua and Mikheil Rukhaia. 2019. Towards integrating attribute-based access control into ontologies. In Proceedings of the IEEE 2nd Ukraine Conference on Electrical and Computer Engineering (UKRCON\u201919). 1052\u20131056. DOI:10.1109\/UKRCON.2019.8879922"},{"key":"e_1_3_2_13_2","first-page":"750","volume-title":"Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS\u201914)","author":"Egelman Serge","year":"2014","unstructured":"Serge Egelman, Sakshi Jain, Rebecca S. Portnoff, Kerwell Liao, Sunny Consolvo, and David Wagner. 2014. Are you ready to lock? In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS\u201914). Association for Computing Machinery, 750\u2013761. DOI:10.1145\/2660267.2660273"},{"key":"e_1_3_2_14_2","volume-title":"Proceedings of the Second International Conference on Knowledge Discovery and Data Mining (KDD\u201996)","author":"Ester Martin","year":"1996","unstructured":"Martin Ester, Hans-Peter Kriegel, J\u00f6rg Sander, and Xiaowei Xu. 1996. A density-based algorithm for discovering clusters in large spatial databases with noise. In Proceedings of the Second International Conference on Knowledge Discovery and Data Mining (KDD\u201996). AAAI Press, Portland, Oregon, 226\u2013231."},{"key":"e_1_3_2_15_2","first-page":"43","volume-title":"Proceedings of the IEEE Conference on Intelligence and Security Informatics (ISI\u201916)","author":"Floyd Travis","year":"2016","unstructured":"Travis Floyd, Matthew Grieco, and Edna F. Reid. 2016. Mining hospital data breach records: Cyber threats to U.S. hospitals. In Proceedings of the IEEE Conference on Intelligence and Security Informatics (ISI\u201916). 43\u201348. DOI:10.1109\/ISI.2016. 7745441"},{"key":"e_1_3_2_16_2","unstructured":"Kevin Fu Tadayoshi Kohno Daniel Lopresti Elizabeth Mynatt Klara Nahrstedt Shwetak Patel Debra Richardson and Ben Zorn. 2020. Safety Security and Privacy Threats Posed by Accelerating Trends in the Internet of Things. Retrieved from arxiv:cs.CY\/2008.00017."},{"issue":"2","key":"e_1_3_2_17_2","article-title":"Smart city system design: A comprehensive study of the application and data planes","volume":"52","author":"Habibzadeh Hadi","year":"2019","unstructured":"Hadi Habibzadeh, Cem Kaptan, Tolga Soyata, Burak Kantarci, and Azzedine Boukerche. 2019. Smart city system design: A comprehensive study of the application and data planes. ACM Comput. Surv. 52, 2 (May2019). DOI:10.1145\/3309545","journal-title":"ACM Comput. Surv."},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2018.08.001"},{"key":"e_1_3_2_19_2","first-page":"3:1\u20133:10","volume-title":"Proceedings of the 9th Symposium on Usable Privacy and Security (SOUPS\u201913)","author":"Hayashi Eiji","year":"2013","unstructured":"Eiji Hayashi, Sauvik Das, Shahriyar Amini, Jason Hong, and Ian Oakley. 2013. CASA: Context-aware scalable authentication. In Proceedings of the 9th Symposium on Usable Privacy and Security (SOUPS\u201913). ACM, New York, NY, 3:1\u20133:10. DOI:10.1145\/2501604.2501607"},{"key":"e_1_3_2_20_2","first-page":"85","volume-title":"Proceedings of the ACM International Joint Conference on Pervasive and Ubiquitous Computing: Adjunct (UbiComp\u201916)","author":"Hintze Daniel","year":"2016","unstructured":"Daniel Hintze, Eckhard Koch, Sebastian Scholz, and Ren\u00e9 Mayrhofer. 2016. Location-based risk assessment for mobile authentication. In Proceedings of the ACM International Joint Conference on Pervasive and Ubiquitous Computing: Adjunct (UbiComp\u201916). ACM, New York, NY, 85\u201388. DOI:10.1145\/2968219.2971448"},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.1109\/MC.2015.33"},{"key":"e_1_3_2_22_2","first-page":"111","volume-title":"Proceedings of the 10th ACM Symposium on Access Control Models and Technologies (SACMAT\u201905)","author":"Hulsebosch R. J.","year":"2005","unstructured":"R. J. Hulsebosch, A. H. Salden, M. S. Bargh, P. W. G. Ebben, and J. Reitsma. 2005. Context sensitive access control. In Proceedings of the 10th ACM Symposium on Access Control Models and Technologies (SACMAT\u201905). Association for Computing Machinery, 111\u2013119. DOI:10.1145\/1063979.1064000"},{"key":"e_1_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.2196\/12644"},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2013.03.010"},{"key":"e_1_3_2_25_2","first-page":"225","volume-title":"Proceedings of the 11th USENIX Conference on Usable Privacy and Security (SOUPS\u201915)","author":"Khan Hassan","year":"2015","unstructured":"Hassan Khan, Urs Hengartner, and Daniel Vogel. 2015. Usability and security perceptions of implicit authentication: Convenient, secure, sometimes annoying. In Proceedings of the 11th USENIX Conference on Usable Privacy and Security (SOUPS\u201915). USENIX Association, 225\u2013239."},{"key":"e_1_3_2_26_2","first-page":"1","volume-title":"Proceedings of the International Symposium on Networks, Computers and Communications (ISNCC\u201915)","author":"Khan M. Fahim Ferdous","year":"2015","unstructured":"M. Fahim Ferdous Khan and Ken Sakamura. 2015. Fine-grained access control to medical records in digital healthcare enterprises. In Proceedings of the International Symposium on Networks, Computers and Communications (ISNCC\u201915). 1\u20136. DOI:10.1109\/ISNCC.2015.7238590"},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2012.05.068"},{"key":"e_1_3_2_28_2","first-page":"297","volume-title":"Proceedings of the 47th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN\u201917)","author":"Lee Wei-Han","year":"2017","unstructured":"Wei-Han Lee and Ruby B. Lee. 2017. Implicit smartphone user authentication with sensors and contextual machine learning. In Proceedings of the 47th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN\u201917). 297\u2013308. DOI:10.1109\/DSN.2017.24"},{"key":"e_1_3_2_29_2","first-page":"312","volume-title":"Proceedings of the IFIP 9th International Conference on Embedded and Ubiquitous Computing","author":"Lima Joao Carlos D.","year":"2011","unstructured":"Joao Carlos D. Lima, Cristiano C. Rocha, Iara Augustin, and M\u00e1rio A. R. Dantas. 2011. A context-aware recommendation system to behavioral based authentication in mobile and pervasive environments. In Proceedings of the IFIP 9th International Conference on Embedded and Ubiquitous Computing. 312\u2013319. DOI:10.1109\/EUC.2011.2"},{"key":"e_1_3_2_30_2","first-page":"2579","article-title":"Visualizing data using t-SNE","volume":"9","author":"Maaten Laurens van der","year":"2008","unstructured":"Laurens van der Maaten and Geoffrey Hinton. 2008. Visualizing data using t-SNE. J. Mach. Learn. Res. 9, Nov. (2008), 2579\u20132605.","journal-title":"J. Mach. Learn. Res."},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2016.2555335"},{"key":"e_1_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.1145\/3078861.3078872"},{"key":"e_1_3_2_33_2","doi-asserted-by":"crossref","DOI":"10.1109\/MIC.2019.2941391","article-title":"Contextual, behavioral and biometric signatures for continuous authentication","author":"Quintal Kyle","year":"2019","unstructured":"Kyle Quintal, Burak Kantarci, Melike Erol-Kantarci, Andrew Malton, and Andrew Walenstein. 2019. Contextual, behavioral and biometric signatures for continuous authentication. IEEE Internet Comput. (2019). DOI:10.1109\/MIC.2019.2941391","journal-title":"IEEE Internet Comput."},{"key":"e_1_3_2_34_2","first-page":"1","volume-title":"Proceedings of the 21st Africa Week Conference (IST-Africa)","author":"Ramatsakane K. I.","year":"2017","unstructured":"K. I. Ramatsakane and W. S. Leung. 2017. Pick location security: Seamless integrated multi-factor authentication. In Proceedings of the 21st Africa Week Conference (IST-Africa). 1\u201310. DOI:10.23919\/ISTAFRICA.2017.8102391"},{"key":"e_1_3_2_35_2","volume-title":"Proceedings of the Eurographics\/IEEE VGTC Conference on Visualization: Short Papers (EuroVis\u201916)","author":"E. Rauber Paulo","year":"2016","unstructured":"Paulo E. Rauber, Alexandre X. Falcao, and Alexandru C. Telea. 2016. Visualizing time-dependent data using dynamic t-SNE. In Proceedings of the Eurographics\/IEEE VGTC Conference on Visualization: Short Papers (EuroVis\u201916). Eurographics Association, Goslar, DEU, 73\u201377."},{"key":"e_1_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.1145\/3265863.3265873"},{"key":"e_1_3_2_37_2","unstructured":"D. A. Reynolds. 1993. A Gaussian mixture modeling approach to text-independent speaker identification. (1993). Retrieved from https:\/\/elibrary.ru\/item.asp?id=5779793."},{"key":"e_1_3_2_38_2","unstructured":"Matthew Rossi Dario Facchinetti Enrico Bacis Marco Rosa and Stefano Paraboschi. 2021. SEApp: Bringing mandatory access control to Android apps. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/rossi."},{"key":"e_1_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2015.2506542"},{"key":"e_1_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2019.2911170"},{"key":"e_1_3_2_41_2","doi-asserted-by":"publisher","DOI":"10.1145\/1966913.1966969"},{"issue":"10","key":"e_1_3_2_42_2","first-page":"e2","article-title":"How to use t-SNE effectively","volume":"1","author":"Wattenberg Martin","year":"2016","unstructured":"Martin Wattenberg, Fernanda Vi\u00e9gas, and Ian Johnson. 2016. How to use t-SNE effectively. Distill 1, 10 (Oct.2016), e2. DOI:10.23915\/distill.00002","journal-title":"Distill"},{"issue":"3","key":"e_1_3_2_43_2","doi-asserted-by":"crossref","first-page":"216","DOI":"10.1016\/j.mattod.2018.01.006","article-title":"Keystroke dynamics enabled authentication and identification using triboelectric nanogenerator array","volume":"21","author":"Wu Changsheng","year":"2018","unstructured":"Changsheng Wu, Wenbo Ding, Ruiyuan Liu, Jiyu Wang, Aurelia C. Wang, Jie Wang, Shengming Li, Yunlong Zi, and Zhong Lin Wang. 2018. Keystroke dynamics enabled authentication and identification using triboelectric nanogenerator array. Mater. Today 21, 3 (Apr.2018), 216\u2013222. DOI:10.1016\/j.mattod.2018.01.006","journal-title":"Mater. Today"},{"key":"e_1_3_2_44_2","doi-asserted-by":"publisher","DOI":"10.1145\/235968.233324"}],"container-title":["Digital Threats: Research and Practice"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3480468","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3480468","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T19:31:17Z","timestamp":1750188677000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3480468"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,12,5]]},"references-count":43,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2022,12,31]]}},"alternative-id":["10.1145\/3480468"],"URL":"https:\/\/doi.org\/10.1145\/3480468","relation":{},"ISSN":["2692-1626","2576-5337"],"issn-type":[{"value":"2692-1626","type":"print"},{"value":"2576-5337","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,12,5]]},"assertion":[{"value":"2021-02-11","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-08-05","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-12-05","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}