Efficient Security Policy Management Using Suspicious Rules Through Access Log Analysis

  • Maryem Ait El HadjEmail author
  • Ahmed Khoumsi
  • Yahya Benkaouz
  • Mohammed Erradi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11704)


Logs record the events and actions performed within an organization’s systems and networks. Usually, log data should conform with the security policy in use. However, access logs may show the occurrence of unauthorized accesses which may be due to security breaches, such as intrusions or conflicting rules in security policies. Due to the huge amount of log data generated every day and presumed to grow over time, analyzing access logs becomes a hard task that requires enormous computational resources. In this paper, we suggest a method that analyses an access log, and uses the obtained results to determine whether an Attribute-Based Access Control (ABAC) security policy contains conflicting rules. This access log-based approach allows to obtain an efficient conflict detection method, since conflicts are searched among suspicious rules, instead of all the rules of the policy. Those suspicious rules are identified by analyzing the access log. To improve efficiency even more, the access log is decomposed into clusters which are analyzed separately. Furthermore, cluster representatives make the proposed approach scalable for continuous access log case. The scalability is confirmed by experiment results, and our approach effectively identifies conflicts with an average recall of 95.65%.


ABAC policies Access log clustering and analysis Cluster representative Suspicious rule Conflict detection 


  1. 1.
    Ayache, M., Erradi, M., Khoumsi, A., Freisleben, B.: Analysis and verification of XACML policies in a medical cloud environment. Scalable Comput. Pract. Experience 17(3), 189–206 (2016)Google Scholar
  2. 2.
    Breier, J., Branišová, J.: A dynamic rule creation based anomaly detection method for identifying security breaches in log records. Wireless Pers. Commun. 94(3), 497–511 (2017). Scholar
  3. 3.
    Celebi, M.E., Kingravi, H.A., Vela, P.A.: A comparative study of efficient initialization methods for the k-means clustering algorithm. Expert Syst. Appl. 40(1), 200–210 (2013)CrossRefGoogle Scholar
  4. 4.
    Du, M., Li, F., Zheng, G., Srikumar, V.: DeepLog: anomaly detection and diagnosis from system logs through deep learning. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1285–1298 (2017)Google Scholar
  5. 5.
    Dunlop, N., Indulska, J., Raymond, K.: Dynamic conflict detection in policy-based management systems. In: Proceedings Sixth International Enterprise Distributed Object Computing Conference, 2002, EDOC 2002, IEEE, pp. 15–26 (2002)Google Scholar
  6. 6.
    Gu, Z., Pei, K., Wang, Q., Si, L., Zhang, X., Xu, D.: LEAPS: detecting camouflaged attacks with statistical learning guided by program analysis. In: 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), IEEE, pp. 57–68 (2015)Google Scholar
  7. 7.
    Guo, S.: Analysis and Evaluation of Similarity Metrics in Collaborative Filtering Recommender System. Master’s thesis, Lapland University of Applied Sciences (2014)Google Scholar
  8. 8.
    He, P., Zhu, J., Zheng, Z., Lyu, M.R.: Drain: an online log parsing approach with fixed depth tree. In: 2017 IEEE International Conference on Web Services (ICWS), IEEE, pp. 33–40 (2017)Google Scholar
  9. 9.
    Hong, J., Liu, C.C., Govindarasu, M.: Integrated anomaly detection for cyber security of the substations. IEEE Trans. Smart Grid 5(4), 1643–1653 (2014)CrossRefGoogle Scholar
  10. 10.
    Hu, H., Ahn, G.J., Kulkarni, K.: Discovery and resolution of anomalies in web access control policies. IEEE Trans. Dependable Secure Comput. 10(6), 341–354 (2013)CrossRefGoogle Scholar
  11. 11.
    Kent, K., Souppaya, M.: Guide to computer security log management. NIST special publication 92 (2006)Google Scholar
  12. 12.
    Khoumsi, A., Erradi, M., Krombi, W.: A formal basis for the design and analysis of firewall security policies. J. King Saud Univ. Comput. Inf. Sci. 30(1), 51–66 (2016)Google Scholar
  13. 13.
    Kriegel, H.P., Kröger, P., Sander, J., Zimek, A.: Density-based clustering. Wiley Interdisc. Rev. Data Min. Knowl. Discov. 1(3), 231–240 (2011)CrossRefGoogle Scholar
  14. 14.
    Lin, Q., Zhang, H., Lou, J.G., Zhang, Y., Chen, X.: Log clustering based problem identification for online service systems. In: Proceedings of the 38th International Conference on Software Engineering Companion, ACM, pp. 102–111 (2016)Google Scholar
  15. 15.
    Lou, J.G., Fu, Q., Yang, S., Xu, Y., Li, J.: Mining invariants from console logs for system problem detection. In: USENIX Annual Technical Conference (2010)Google Scholar
  16. 16.
    Nagaraj, K., Killian, C., Neville, J.: Structured comparative analysis of systems logs to diagnose performance problems. In: Proceedings of the 9th USENIX Conference on Networked Systems Design and Implementation, USENIX Association, p. 26 (2012)Google Scholar
  17. 17.
    Sapegin, A., Jaeger, D., Azodi, A., Gawron, M., Cheng, F., Meinel, C.: Hierarchical object log format for normalisation of security events. In: 9th International Conference on Information Assurance and Security, IEEE, pp. 25–30 (2013)Google Scholar
  18. 18.
    Shang, W., Nagappan, M., Hassan, A.E., Jiang, Z.M.: Understanding log lines using development knowledge. In: 2014 IEEE International Conference on Software Maintenance and Evolution (ICSME), IEEE, pp. 21–30 (2014)Google Scholar
  19. 19.
    St-Martin, M., Felty, A.P.: A verified algorithm for detecting conflicts in XACML access control rules. In: Proceedings of the 5th ACM SIGPLAN Conference on Certified Programs and Proofs, ACM, pp. 166–175 (2016)Google Scholar
  20. 20.
    Studiawan, H., Payne, C., Sohel, F.: Graph clustering and anomaly detection of access control log for forensic purposes. Digit. Invest. 21, 76–87 (2017)CrossRefGoogle Scholar
  21. 21.
    Xu, Z., Stoller, S.D.: Mining attribute-based access control policies. IEEE Trans. Dependable Secure Comput. 12(5), 533–545 (2015)CrossRefGoogle Scholar
  22. 22.
    Yagoub, I., Khan, M.A., Jiyun, L.: IT equipment monitoring and analyzing system for forecasting and detecting anomalies in log files utilizing machine learning techniques. In: 2018 International Conference on Advances in Big Data, Computing and Data Communication Systems (icABCD), IEEE, pp. 1–6 (2018)Google Scholar
  23. 23.
    Yuan, D., et al.: Be conservative: enhancing failure diagnosis with proactive logging. OSDI 12, 293–306 (2012)Google Scholar
  24. 24.
    Yuan, E., Tong, J.: Attributed based access control (ABAC) for web services. In: IEEE International Conference on Web Services (ICWS 2005), IEEE (2005)Google Scholar
  25. 25.
    Zhu, J., He, P., Fu, Q., Zhang, H., Lyu, M.R., Zhang, D.: Learning to log: helping developers make informed logging decisions. In: Proceedings of the 37th International Conference on Software Engineering, IEEE Press, vol. 1, pp. 415–425 (2015)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Maryem Ait El Hadj
    • 1
    Email author
  • Ahmed Khoumsi
    • 2
  • Yahya Benkaouz
    • 3
  • Mohammed Erradi
    • 1
  1. 1.ITM Team, ENSIASMohammed V University in RabatRabatMorocco
  2. 2.Department of Electrical and Computer EngineeringUniversity of SherbrookeSherbrookeCanada
  3. 3.Conception and Systems Laboratory, FSRMohammed V University in RabatRabatMorocco

Personalised recommendations