In Usage CONtrol (UCON) access decisions rely on mutable attributes. A reference monitor should re-evaluate security policies each time when attributes change their values. Catching timely all attribute changes is a challenging issue, especially if the attribute provider and the reference monitor reside in different security domains. Some attribute changes might be missed, corrupted, and delayed. As a result, the reference monitor may erroneously grant the access to malicious users and forbid

more »

... for eligible users. This paper proposes a set of policy enforcement models which help to tolerate uncertainties associated with mutable attributes. In our model the reference monitor as usually evaluates logical predicates over attributes and additionally makes some estimates on how much observed attribute values differ from the real state of the world. The final access decision counts both factors. We assign monetary outcomes for granting and revoking access to legitimate and malicious users and compare the proposed policy enforcement models in terms of cost-efficiency.