Enhanced Multilevel Fuzzy Inference System for Risk Adaptive Hybrid RFID Access Control System

d.suleiman@psut.edu.jo
Abstract— Risk-based access control systems are part of identity management systems used to accommodate environments with needs for dynamic access control decisions. The risk value is subjected to overestimation or underestimation since it is measured qualitatively, thus causing uncertainty problems, which was apparent in a previously proposed hybrid risk adaptive (HRA) access control system. Conversely, Fuzzy Inference Systems can deal with the uncertainty of measures and control the outcomes more precisely; therefore, a multilevel fuzzy inference system (HRA-MFIS) was proposed to replace the risk assessment model in HRA. This paper continues to improve the previous model by introducing an enhanced multilevel fuzzy inference system (EHRA-MFIS), which utilizes user behaviour and time analysis to detect anomalous access behaviour. Moreover, it improves the hybrid adaptive risk calculation module by adding authentication, classification and the degree of user anomalous behaviour to the risk calculation algorithm. The results show that the proposed model has smoothed out the transition between the different risk levels and enhanced the system's overall security by considering the failed authorization attempts and failed authentication attempts, asset classification, and user behaviour when calculating the risk.


Introduction
One of the security control systems is the access control system, which can prevent unauthorized access to resources by keeping the access points secure. Risk-based access control systems can adapt to dynamic changes that may require permission changes by updating these permissions based on several factors. The factors may be environmental, operational or situational [1] [2]. Furthermore, risk adaptive access control models can be used to balance the benefits and the risks of granting or revoking permission [3].
Radio Frequency Identification (RFID) is a wireless, contactless device that consists of a reader and a tag that can be used in several applications such as personal identification, inventory tracking, e-shipment and gaming [4].
Fuzzy logic can be used in risk-based access control since Fuzzy Inference Systems (FIS) provide significant results with systems that suffer from uncertainty in risk factors and imprecision in the assessment process [5] [6] [7] [8]. On the other hand, several problems may emerge from using fuzzy logic. The first problem is scalability: in fuzzy inference-based access control, the time needed to calculate the risk value is proportional to the number of variables. Another problem relates to the damage caused when illegitimate users are granted access because the risk was underestimated [9]. Also, the time required to deal with tens of parameters and hundreds of fuzzy rules will be high when complex relationships between variables exist.
In this research, an enhanced access control system (EHRA-MFIS) is proposed, which utilizes user behaviour and time analysis to detect anomalous access behaviour and quantifies the risk value using a multilevel fuzzy inference system. The proposed EHRA-MFIS system extends previous hybrid RFID risk adaptive access control systems [10] [11] called HRA and HRA-MFIS, respectively. It uses the same systems proposed in [10] and [11]. However, the new model is based on multilayer fuzzy logic [12]. A new layer of fuzzy logic called anomaly FIS has been added. The input of the anomaly FIS is the user behaviour and the time, while the output is the anomaly degree. The anomaly degree, the output of the authorization FIS (the failed authorization), the failed authentication and the classification level are fed as input to the risk FIS to produce the risk value.
The rest of this paper is organized as follows: the literature is covered in Section 2, while Section 3 provides a brief explanation of the previous models. The proposed model is discussed in Section 4. Section 5 evaluates the proposed model and compares it with the previous models. Finally, the conclusion is presented in section 6.

Literature review
Access control is used to control and prevent the access of unauthorized users to the systems and their resources to control the security. In this section, a summary of the related work for both risk-based and fuzzy-based access control is covered.

Risk-based access control methods
User access privileges remain rigid and static in the Role-Based Access Control (RBAC) model [13]. On the other hand, the model presented in [2] is based on RBAC, allowing dynamic privileges changes by modifying the rules to access remote labs following the VDI/VDE 2182 guideline. The access decision depends on the value of risk and trust. These values were calculated using clearance subject level, history of rewards and penalties and the sensitivity level.
A standard for Extensible Access Control Markup language (XACML) to express access control policies was proposed in [14]. XACML could not quantify the risk directly, and this problem was addressed in [15], where a Risk adaptive eXtensible Access Control Markup Language (RXACML) was proposed. In RXACML, the quantified risk was used to measure the sensitive access request risk. RXACML may cause several problems, such as evaluating unclear performance, managing the permission denied access, and combining the rules and policies results.
The risk of access control was measured using the risk, trust and access metrics as in [16]; also, access control was determined using the combination between the metrics of risk and the trust by proposing Access Control in Cloud Federation using Learning Automata (ACCFLA). The security level was divided into four values including {secret, top-secret, classified and unclassified}. The security level was determined by sorting the sensitivity values determined for each security level. Furthermore, to determine whether to grant the users rewards or penalties, the user's experience of utilizing resources must be determined.
In [10], the level of the risk was used to determine whether a risk adaptive hybrid RFID access control model operates in serverless or server-based access mode. The risk value was determined based on five factors: time, classification level, number of failed authentications, clearance level, and number of failed authorizations.
A multi-keyed model that enhanced security by using dynamic symmetric encryption was proposed in [17]. Their work utilized the same structure, authentication and identification, which was proposed in [11]. The experimental results showed enhanced security; on the other hand, there was a delay in processing time.

Fuzzy logic access control methods
In order to increase the information sharing while keeping the accountability of the users, the fuzzy Multi-Level Security (MLS) was used in [18]. Using MLS helps facilitate the risk information flow and quantify the risk efficiently.
The risk can be classified according to the difference between the subject and object security levels. If the difference between them is high, then the risk will be classified as high, while if the difference between them is low, the risk will be low. The model of MLS that considered this classification of the security level was proposed in [9]. There are four categories of security labels, including secret, top-secret, classified and unclassified. Fuzzy logic was used to define the values of security categories to overcome the problems of overestimation and underestimation that may occur by using crisp values.
A model that uses fuzzy logic to assess the high risk of access control for medical information in a cloud environment was proposed in [19]. The fuzzy logic module consists of three input variables and one output variable. The input variables are the past risk, the data sensitivity and the action consequences severity, while the output variable is the risk. The past risk and action consequences severity variables each had three linguistic values: low, medium and high, whereas the data sensitivity had three values: not sensitive, sensitive, and highly sensitive. On the other hand, the risk variable had five linguistic values: unacceptable high, high, moderate, low, and negligible. Trapezoidal and triangular membership functions are used. Also, Mamdani's fuzzy inference method is used with a total of 27 rules, and finally, the centroid method is used for defuzzification. The proposed fuzzy model was evaluated using a set of services such as SOAP-based web service, Amazon EC2 cloud service, and Health Level Seven (HL7) protocol for message transfer.
In [20], the risk value was calculated by modifying the risk assessment phase in the RIPRAN (Risk Project Analysis) methodology. The model consisted of two input variables: the number of sub-risk and the total value of sub-risks and one output variable, the total value of project risk. Also, the model variables had five linguistic values: very low, low, middle, high and very high. The membership function that was used is trapezoidal. Furthermore, Mamdani's is used with 25 rules.
The risk of different cyber security threats was assessed in [21]. The assessment was made using a multilevel fuzzy inference system, where three fuzzy controllers were used. The first controller used the potential capabilities, target and intent of the threat agent to calculate the overall capabilities of that threat. The second controller had three input variables, the first input was the vulnerabilities, the second input was action, and the last one was the success likelihood; the output of the second controller was the threat likelihood. The last controller took the input from the previous controllers and the impact of the threat as another input; the output of this controller was the scale of the risk.
A binary decision of whether to grant or deny access using FIS was proposed in [22]. Since the access decision is binary, Mamdani FIS was used because it is the most adaptable tool for binary decisions. A comparative study between the previously mentioned approaches is presented in Table 1. The factors that affect the risk must be considered by tuning the parameters

Previous design
This research extends the previous work in [10], which proposed a risk adaptive hybrid system (HRA) based on RFID access control. The main idea was to keep the high availability and simplicity of the system by decreasing the restriction of security level control when the risk level is low [23]. On the other hand, when the risk level is high, a high level of authentication is required. The system used a new multi-modules subsystem in the enterprise subsystem [24] called the Risk Engine subsystem.
Risk Engine is used to implement the adaptive risk features of the access control system. This subsystem comprises three modules: Risk Analysis, Risk Rule, and Decision Making. The Risk Analysis module calculates the risk value using Equation (1). The calculation is based on five risk factors: the number of failed authentication attempts, the number of failed authorization, the level of location classification, the time indicator, and the user clearance. Furthermore, the risk policy is defined by the Risk Rule Module, which consists of a set of rules, the risk acceptable level, and the risk scale. Finally, the outputs of the previous modules are fed as input to the Decision Making Module, which is responsible for alternating between offline and online access modes and granting and revoking the permissions of accessing the system.
In addition, the proposed model extends the HRA-MFIS model proposed in [11]. Their work used the fuzzy logic system to change the risk rule module. They used two layers of fuzzy inference systems: the authorization FIS and the risk FIS. The inputs of the authorization FIS are the clearance and classification levels. The inputs for the risk FIS are the authentication, classification level, and the authorization FIS output, which is the authorization.

Proposed design
Fuzzy logic can solve the problem of the imprecise value of the access control risk factors and their uncertainty. This paper proposes a new access control model (EHRA-MFIS) based on the previous model proposed by [11], which also uses multilayer fuzzy logic. Instead of using two FIS, the proposed model uses three FIS: authorization FIS, anomaly FIS, and risk FIS. The proposed EHRA-MFIS model makes enhancements in terms of efficiency and deals with the uncertainty of the risk value. More details about the new design are discussed in the following subsections.

Fuzzy system architecture
The risk access control is designed using the Fuzzy Logic Controller. The EHRA-MFIS consists of two layers of fuzzy logic where the first layer has two FIS: the authorization FIS and the anomaly FIS, while the second layer has the risk FIS. The system consists of six variables which are five inputs and one output. The number of rules of the proposed systems will be determined based on the number of values of each variable where the generated rules are stored in the knowledge-based system.
After generating the rules, the Mamdani model aggregates all generated rules in the three FIS. Finally, the Mean of Max (MOM) defuzzification converts the fuzzy values into crisp values. The proposed access control model architecture can be seen in Figure 1. The proposed model consists of two layers: the first layer consists of two FIS, the authorization FIS and the anomaly FIS, while the second layer consists of the risk FIS. The model is implemented using MATLAB. Table 2 shows the details of the FIS variables, their values, and the universe of discourse.

Fuzzy linguistic variables
The proposed EHRA-MFIS model consists of five inputs: Clearance, Classification, User behaviour, Time, and Authentication (failed attempts). It also consists of one output which is the Risk value. The inputs of the authorization FIS are the Clearance and the Classification, while the output is the failed authorization level. On the other hand, the inputs of the anomaly FIS are user behaviour and time, while the output is the Anomaly Degree. The output of the authorization FIS, the anomaly FIS, the classification level, and the failed authentication attempts is fed as input to the risk FIS.
In authorization FIS, the values of the two membership variables (Clearance and Classification) are {unclassified, public, confidential, secret, and top secret} where each value is represented using Trapezoidal as shown in Figures 2, 3 and 4. The output of the authorization FIS is the fuzzy variable authorization that has four values {None, Low, Medium, High} which are also represented by Trapezoidal as shown in Figure 5. After determining the input and output variables and their values, we used the Mamdani model and maximum function for aggregation. Finally, for defuzzification, we used Mean of Max (MOM). The total number of rules resulting from the Authentication FIS is 18 rules shown in Table 3.   Figure 7. In addition, the Triangle membership function represents the values of the time, as shown in Figure 8. Furthermore, the Triangle membership function is used to represent the values of the Anomaly degree output which has three values {Low, Medium, High} as shown in Figure 9. Also, in anomaly FIS, Mamdani is used for aggregation and MOM is used for defuzzification. The total number of rules resulting from the anomaly FIS is eight, as shown in Table 4.   Figure 11. Again, in this layer, Mamdani is used for aggregation and MOM is used for the defuzzification process, as shown in Figure 12.
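The two-layer evaluation described above (Mamdani inference with max aggregation and MOM defuzzification, with the anomaly FIS output fed into the risk FIS) can be sketched as follows. This is an added example, not the authors' MATLAB implementation: the membership parameters and both rule bases are constructed for illustration and do not reproduce Tables 2 to 4, and the risk layer is narrowed to two inputs (anomaly degree and failed authentication).

```python
from itertools import product

# Constructed for illustration: three triangular terms on [0, 1] shared by all
# variables. These are NOT the paper's Table 2 parameters.
def tri(a, b, c):
    """Triangular membership function with feet a, c and peak b."""
    def mu(x):
        if x == b:
            return 1.0
        if x <= a or x >= c:
            return 0.0
        return (x - a) / (b - a) if x < b else (c - x) / (c - b)
    return mu

ORDER = ["low", "medium", "high"]
TERMS = {"low": tri(-0.5, 0.0, 0.5), "medium": tri(0.0, 0.5, 1.0),
         "high": tri(0.5, 1.0, 1.5)}

def rule_table(combine):
    """Build a 2-input rule base; combine() maps two term ranks to an output rank."""
    return [((a, b), ORDER[combine(ORDER.index(a), ORDER.index(b))])
            for a, b in product(ORDER, repeat=2)]

# Hypothetical rule bases (the paper's Tables 3 and 4 are not reproduced here).
ANOMALY_RULES = rule_table(max)                       # worst of behaviour/time
RISK_RULES = rule_table(lambda i, j: min(2, i + j))   # factors escalate each other

def mamdani_mom(inputs, rules, steps=1000):
    """Mamdani inference (min AND, clip, max aggregation) + Mean of Max."""
    if not all(0.0 <= v <= 1.0 for v in inputs):
        raise ValueError("inputs must lie in the universe of discourse [0, 1]")
    fired = {}
    for terms, out in rules:
        # Rule firing strength: minimum membership over the antecedents.
        w = min(TERMS[t](v) for t, v in zip(terms, inputs))
        fired[out] = max(fired.get(out, 0.0), w)
    # Sample the output universe and aggregate the clipped output sets.
    xs = [i / steps for i in range(steps + 1)]
    agg = [max(min(w, TERMS[t](x)) for t, w in fired.items()) for x in xs]
    peak = max(agg)
    # MOM: average of all sample points where the aggregate is maximal.
    maxima = [x for x, m in zip(xs, agg) if peak - m < 1e-9]
    return sum(maxima) / len(maxima)

def assess(behaviour, time, failed_auth):
    """Layer 1 (anomaly FIS) feeds its crisp output into layer 2 (risk FIS)."""
    anomaly = mamdani_mom((behaviour, time), ANOMALY_RULES)
    risk = mamdani_mom((anomaly, failed_auth), RISK_RULES)
    return anomaly, risk

if __name__ == "__main__":
    for case in [(0.0, 0.0, 0.0), (0.25, 0.0, 0.0), (1.0, 0.0, 0.0)]:
        print(case, assess(*case))
```

With these constructed rules, a fully anomalous access drives the risk to the top of the scale even when no authentication attempt has failed, which is the effect the anomaly FIS is meant to add.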

Evaluation
This section provides a brief description of the proposed EHRA-MFIS access control model. After that, we evaluate and discuss the results of the proposed model. Finally, comparisons between it and the previous models have been performed. The proposed model was designed using the MATLAB Fuzzy Logic Toolbox. Each FIS model is implemented separately, since MATLAB does not support the multilayer fuzzy system.
Firstly, both the authorization FIS and anomaly FIS are evaluated; after that, the risk FIS is engaged to give an access decision based on the authorization and anomaly FISs. The output of the authorization FIS is the failed authorization which indicates the degree of failed authorization and if it occurs or not. Furthermore, failed authorization occurs when lower-level clearance tries to access higher-level classification. On the other hand, the second input of risk FIS, the failed authentication, occurs when invalid identifications such as fingerprint or passcode are used.

Risk visualization
Firstly, we studied the effect of changing the anomaly and the classification values on the risk, where the authentication and authorization values are set to "None", then to "High", and the results are shown in Figures 13 and 14, respectively, using risk heat maps. In Figure 13, the authentication and authorization values were set to the lowest (i.e., "None"). In this case, the risk value varies from insignificant to high. The risk value is insignificant when the object is unclassified, and the anomalous behaviour is at its lowest value. On the other hand, when the object is classified as top-secret, and the anomalous behaviour is high, the risk value is high. In Figure 14, both the authentication and the authorization values were set to "high". In this case, the risk value is always set to "extreme", regardless of the degree of anomaly or the classification level.
Secondly, we studied the impact of the change in authentication and authorization on the risk value, where the classification level is at its highest value (i.e., top-secret). Three use cases were developed: 1) when the anomaly degree is at its lowest value (i.e., a=0.0); 2) when the anomaly degree is medium (i.e., a=0.5); 3) when the anomaly degree is at the highest value possible (i.e., a=1). The results are shown in Figures 15-17, respectively, using risk heat maps to show the change in risk value.
The first case covers the risk when the required access classification is top-secret (that is, the highest) and there is no apparent anomalous behaviour. In this case, the risk value varies from low to critical, mainly based on the authentication failure, which dictates the risk value when the authorization level is < 2.25, as shown in Figure 15. Figure 16 shows the second case, where the access behaviour is considered moderately anomalous (i.e., medium, a=0.5) and the access classification level is at the highest level (i.e., top-secret). Based on the access authentication and authorization values, the access risk value ranges from moderate to extreme, where the latter occurs when authentication fails with high certainty and the authorization level is at the highest degree.
Finally, the most extreme case, where the access classification level is the highest (i.e., top-secret) and the access behaviour is considered anomalous to a high degree of certainty (i.e., high, a=1), is presented in Figure 17. In this case, the risk value ranges between High and Extreme based on the clearance level (i.e., authorization) and the level at which the authentication failed.

Comparison with previous models
As shown in Figure 18, when comparing the three risk-based systems (i.e., HRA, HRA-MFIS, and EHRA-MFIS), one can conclude that the newly proposed EHRA-MFIS system provides a smoother transition between the different risk levels as well as improved security by introducing the degree of anomalous behaviour as an input to the system. Furthermore, EHRA-MFIS covers the risk at a more significant range than HRA and HRA-MFIS at each classification level, thus being more inclusive than the other two models. The addition of the anomaly FIS allows the proposed model to calculate the risk value more precisely by considering the user behaviour while calculating the risk value.

Conclusion
In this research, an enhanced multilayer fuzzy system, namely EHRA-MFIS, was proposed for risk access control systems. Fuzzy logic provided significant results when dealing with imprecise and uncertain risk values. The proposed EHRA-MFIS model consists of two layers. The first layer has two FIS: authorization and anomaly FISs. On the other hand, the second layer consists of risk FIS. The proposed system results showed that the uncertainty of the risk value was addressed using dynamic factors. The difference between this model and the previous model is the anomaly FIS added to the first layer. This addition enhanced the smooth transition between the risk levels and improved the overall security of the access control system.

from Princess Sumaya University for technology, focusing on intelligence and security informatics (email: m.alzewairi@jisdf.org).
Adnan Shaout is a full professor in the Electrical and Computer Engineering Department at the University of Michigan-Dearborn. At present, he teaches courses in embedded systems, cloud computing, software engineering methods, fuzzy logic and engineering applications and computer engineering (hardware and software) (email: shaout@umich.edu).