Quantitative access control with partially observable Markov decision process

Martinelli Fabio;
2011-01-01

Abstract

This paper presents a novel access control framework reducing the access control problem to a traditional decision problem, thus allowing a policy designer to reuse tools and techniques from the decision theory. We propose here to express, within a single framework, the notion of utility of an access, decisions beyond the traditional allowing/denying of an access, the uncertainty over the effect of executing a given decision, the uncertainty over the current state of the system, and to optimize this process for a (probabilistic) sequence of requests. We show that an access control mechanism including these different concepts can be specified as a (Partially Observable) Markov Decision Process, and we illustrate this framework with a running example, which includes notions of conflict, critical resource, mitigation and auditing decisions, and we show that for a given sequence of requests, it is possible to calculate an optimal policy different from the naive one. This optimization is still possible even for several probable sequences of requests.
2011
Istituto di informatica e telematica - IIT
Access Control
AC-MDP
AC-POMDP
AC-DP

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.14243/173876