Optimising distributed access control systems using associative rules.
Gams, Matjaz; Vlad, Madalin Stefan; Mircevska, Violeta et al.
1. INTRODUCTION
In artificial intelligence, an intelligent agent (IA) is an
autonomous entity, which observes and acts upon an environment and
directs its activity towards achieving goals. Intelligent agents may
also learn or use knowledge to achieve their goals. They may be very
simple or very complex: a reflex machine such as a thermostat is an
intelligent agent, as is a human being, as is a community of human
beings working together towards a goal.
Intelligent agents are often described schematically as an abstract
functional system similar to a computer program. For this reason,
intelligent agents are sometimes called abstract intelligent agents
(AIA) to distinguish them from their real world implementations as
computer systems, biological systems, or organizations. Some definitions
of intelligent agents emphasize their autonomy, and so prefer the term
autonomous intelligent agents.
Intelligent agents in artificial intelligence are closely related
to agents in economics, and versions of the intelligent agent paradigm
are studied in cognitive science, ethics and the philosophy of practical
reason, as well as in many interdisciplinary socio-cognitive modeling and
computer social simulations.
Intelligent agents are also closely related to software agents (an
autonomous software program that carries out tasks on behalf of users).
In computer science, the term intelligent agent may be used to refer to
a software agent that has some intelligence, even if it is not a
rational agent by Russell and Norvig's definition. For example,
autonomous programs used for operator assistance or data mining
(sometimes referred to as bots) are also called "intelligent
agents".
Classes of intelligent agents:
1. simple reflex agents
2. model-based reflex agents
3. goal-based agents
4. utility-based agents
5. learning agents
In data mining, association rule learning is a popular and
well-researched method for discovering interesting relations between
variables in large databases. Based on the concept of strong rules,
Agrawal et al. introduced association rules for discovering regularities
between products in large-scale transaction data recorded by
point-of-sale (POS) systems in supermarkets. For example, a rule found
in the sales data of a supermarket might indicate that if a customer
buys onions and potatoes together, he or she is likely to also buy beef.
Such information can be used as the basis for decisions about marketing
activities such as promotional pricing or product placements. In
addition to the above example from market basket analysis, association
rules are employed today in many application areas including Web usage
mining, intrusion detection and bioinformatics.
Following the original definition by Agrawal et al., the problem of
association rule mining is defined as follows. Let $I = \{I_1, I_2,
\ldots, I_n\}$ be a set of $n$ binary attributes called items. Let $D =
\{t_1, t_2, \ldots, t_m\}$ be a set of transactions called the
database. Each transaction in $D$ has a unique transaction ID and contains
a subset of the items in $I$. A rule is defined as an implication of the
form $X \Rightarrow Y$ where $X, Y \subseteq I$ and $X \cap Y = \emptyset$.
The sets of items (for short, itemsets) $X$ and $Y$ are called the
antecedent (left-hand side or LHS) and consequent (right-hand side or RHS)
of the rule.
To select interesting rules from the set of all possible rules,
constraints on various measures of significance and interest can
be used. The best-known constraints are minimum thresholds on support
and confidence. The support $\mathrm{supp}(X)$ of an itemset $X$ is
defined as the proportion of transactions in the data set which contain
the itemset. In the example database, the itemset {milk, bread} has a
support of 2 / 5 = 0.4 since it occurs in 40% of all transactions
(2 out of 5 transactions).
The confidence of a rule is defined as $\mathrm{conf}(X \Rightarrow Y) =
\mathrm{supp}(X \cup Y) / \mathrm{supp}(X)$. For example, the rule
{milk, bread} $\Rightarrow$ {butter} has a confidence of 0.2 / 0.4 = 0.5
in the database, which means that for 50% of the transactions containing
milk and bread the rule is correct. Confidence can be interpreted as an
estimate of the probability $P(Y \mid X)$, the probability of finding the
RHS of the rule in transactions under the condition that these
transactions also contain the LHS.
Next, we introduce some notions of biometric identification methods.
The problem of personal identification in the Digital Era has
many aspects and many developments. Most of them are based on secure
authentication and authentication over secure channels, and the physical
means of implementing these concepts are web servers, smart cards,
biometrics and so on.
Smartcards and biometrics by themselves each provide a considerable
boost to the Identification and Authentication (I&A) mechanism of
any system. Together, they can provide a comprehensive solution of the
three principles described above. A common understanding of the
underlying technologies is required to fully grasp how each component
contributes toward a comprehensive I&A solution.
The advantages of using a biometric for identification are obvious.
Each of us has forgotten a password and, in an effort not to forget it
the next time, written it down or chosen one that was easy to remember.
In essence we have undermined security for the sake of convenience. The
use of biometrics changes all of this. Instead of using what we know to
prove who we are, we use some unique feature of ourselves such as a
fingerprint, handprint or the sound of our voice. A world that replaces
a memory test with a fingerprint scanner is quite attractive, and there
are numerous devices available today that provide secure access based
solely on a biometric (Vlad et al., 2006).
2. THE PROBLEM
Some of the major problems with biometric-based identification are:
1. What happens when the client-server communication is interrupted
2. Biometric processing speed
An access-control system based on a client-server architecture is
described below. A central server has a large database of biometric
identification features and is connected to a large set of terminals.
When a person wants to access a certain door, he presents his
biometric features (fingerprint, retina scan or face) to the door
terminal. The terminal extracts the data (e.g. the fingerprint) and
sends a query containing this data to the central server. The server
checks the data against its database and replies with a yes/no answer.
One of the major issues with a client-server architecture is that when
the server is temporarily disconnected from the network, all doors may
be blocked. A frequently proposed solution to this problem is to store
biometric data directly on the terminals, which increases the price of
the terminals. Other solutions store biometric data on the terminals,
but not the entire database. We present a method which intelligently
selects which data should be stored on the terminal and which can be
stored on the server, and even which terminals should be completely
deactivated when the server is disconnected.
3. PROPOSED METHOD
Our solution for this problem is the use of intelligent agents.
When the access-control system is installed, an intelligent agent is
also activated and monitors every operation that happens in the
system. After a month or two, a database of access logs is
available and the agent is able to take decisions.
Instead of using just a client-server architecture, which slows
down the process, the biometric database can be stored locally, on the
identification terminal. Using high-performance terminals is also
expensive, so our method is to selectively store biometric data on the
identification terminals.
Using association rules, the agent is able to generate rules
like "90% of the personnel accessed door 1" or "door one
was accessed 10% of the time by person x". Using these rules, the
agent is able to determine which doors should remain open during a
client-server communication interruption, and which terminals should
keep biometric information locally.
Our agent determines association rules using the apriori
algorithm:
For each attribute A:
    For each value V of that attribute, create a rule:
        1. count how often each class appears
        2. find the most frequent class, c
        3. make a rule "if A=V then C=c"
    Calculate the error rate of these rules
Pick the attribute whose rules produce the lowest error rate
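The support and confidence measures defined in Section 1, applied to the kind of access-log transactions the agent mines in this section, as an added example that is not part of the original paper. The log is constructed: each transaction is one day's set of "door:person" events, so a rule such as {door2:alice} => {door1:admin} with confidence 1.0 reads "on every day alice used door 2, the administrator used door 1"; the door and person names are illustrative.

```python
from itertools import combinations
# Constructed sample access log (not data from the paper's system): each
# transaction is one day's set of "door:person" events seen by the terminals.
ACCESS_LOG = [
    {"door1:admin", "door2:alice", "door2:bob"},
    {"door1:admin", "door2:alice", "door2:carol"},
    {"door1:admin", "door2:bob", "door2:carol"},
    {"door1:admin", "door2:alice", "door2:bob"},
    {"door1:admin", "door1:alice", "door2:carol"},
]

def support(itemset, transactions):
    """supp(X): fraction of transactions that contain every item of X."""
    itemset = frozenset(itemset)
    return sum(1 for t in transactions if itemset <= t) / len(transactions)

def frequent_itemsets(transactions, min_support):
    """Apriori: grow candidate itemsets level by level, pruning by support."""
    items = sorted({i for t in transactions for i in t})
    level = [frozenset([i]) for i in items
             if support([i], transactions) >= min_support]
    frequent = {s: support(s, transactions) for s in level}
    k = 2
    while level:
        # Candidates are unions of two frequent (k-1)-sets; a candidate with
        # any infrequent (k-1)-subset cannot be frequent and is skipped.
        candidates = {a | b for a in level for b in level if len(a | b) == k}
        level = []
        for c in sorted(candidates, key=sorted):
            if all(frozenset(s) in frequent for s in combinations(c, k - 1)):
                s = support(c, transactions)
                if s >= min_support:
                    frequent[c] = s
                    level.append(c)
        k += 1
    return frequent

def association_rules(transactions, min_support, min_confidence):
    """Rules X => Y with conf = supp(X u Y) / supp(X), as (lhs, rhs, supp, conf)."""
    frequent = frequent_itemsets(transactions, min_support)
    rules = []
    for itemset, supp_xy in frequent.items():
        for r in range(1, len(itemset)):       # singletons yield no rules
            for lhs in combinations(itemset, r):
                lhs = frozenset(lhs)
                conf = supp_xy / frequent[lhs]
                if conf >= min_confidence:
                    rules.append((lhs, itemset - lhs, supp_xy, conf))
    return rules
```

With min_support 0.4 and min_confidence 0.9 on this log, no rule has {door1:admin} as antecedent (its support is 1.0, so nothing follows from it with high confidence), while every other person's visits imply the administrator's presence at door 1.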
4. RESULTS
As an experiment, we used the access-control system implemented at
University "Politehnica" in Bucharest, which has a
client-server architecture. The terminals used do not have the
capability of storing biometric data. We took the logs of the system
(queries to and answers from the server) and extracted some association
rules using the apriori algorithm.
The first conclusion we found is that less than two months of
analysis are necessary before the agent is able to decide which data
should be kept on the terminals.
Another conclusion is that the system was able to determine that,
99% of the time, some laboratories were used only by the
laboratory administrator, which means that a single biometric
feature stored locally would preserve the system's functionality even if
the server were disconnected; terminals able to store just a
few contacts are also actually cheap (when compared to terminals able to
store the entire database).
The entire system was using 65 terminals. Our tests indicate that a
cost increase of 10% would completely secure the system and would
dramatically increase the speed of the dataflow.
Another rule found was that 50% of the rooms secured with this
access-control system were used by exactly 3 persons, and 1 of these
persons was accessing the rooms only on Sunday.
We believe that now, if we were to change exactly 23 terminals, we
would optimise our access-control system's dataflow and provide
protection against server failures.
5. CONCLUSION
In this paper the authors examine the advantages and
disadvantages of using an intelligent agent in order to optimise the
data flow of an access-control system with a client-server architecture.
The proposed method is to use an intelligent agent, which monitors
the terminal activity, and to use association rules in order to
temporarily store biometric profiles on the network's terminals.
The experiment shows that a 10% increase in the cost of the
entire system brings optimality in the system's data flow and
provides protection against server failures.
6. REFERENCES
Chan C. (2000). A secured globally access control system using
smart card, Smart Card Department, Department of Electronic Engineering,
City University of Hong Kong
Du Y., Ives R., Etter D., Welch B. (2002). Biometrical signal
processing laboratory, Biometrical signal processing laboratory,
Department of electrical engineering
Figueroa A., Goldstein A., Jiang T., Kurowski M. (2007). Approximate
Clustering of Fingerprint Vectors with Missing Values, Computer Science
Department, University of California Riverside, Riverside, CA 92521;
Department of Mathematics, Yeshiva University, New York, NY 10033;
Institute of Informatics, Warsaw University, Banacha 2, 02097 Warsaw,
Poland
Gour B., Bandopadhyaya T., Sharma S. (2007). High Quality Cluster
Generation of Feature Points of Fingerprint Using Neural Network, Dept.
of Computer Sc. & Engg., All Saints' College of Technology, Bhopal;
Bansal Institute of Science and Technology, Bhopal; RGPV, Bhopal
Marcialis G., Roli F., Frasconi P. (2005). Fingerprint
Classification by Combination of Flat and Structural Approaches, Dept.
of Electrical and Electronic Eng., University of Cagliari
Vlad M. S., Tatoiu R., Sgarciu V. (2006). Smart Card And Biometrics
Used For Secured Personal Identification System Development, RAAD 2006--Hungary