
Mining Relationship-Based Access Control Policies from Incomplete and Noisy Data

  • Thang Bui
  • Scott D. Stoller
  • Jiajie Li
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11358)

Abstract

Relationship-based access control (ReBAC) extends attribute-based access control (ABAC) to allow policies to be expressed in terms of chains of relationships between entities. ReBAC policy mining algorithms have the potential to significantly reduce the cost of migration from legacy access control systems to ReBAC by partially automating the development of a ReBAC policy. This paper presents algorithms for mining ReBAC policies from information about entitlements together with information about entities. It presents the first such algorithms designed to handle incomplete information about entitlements, typically obtained from operation logs, and noise (errors) in information about entitlements. We present two algorithms: a greedy search guided by heuristics, and an evolutionary algorithm. We demonstrate the effectiveness of the algorithms on several policies, including 3 large case studies.
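The abstract describes two ingredients that a ReBAC miner works with: rules whose constraints follow relationship chains between entities, and an entitlement log that is both incomplete (entitlements that were never exercised are absent) and noisy (some logged entitlements are errors). The following added example, which is not the paper's code and does not reproduce its algorithms, makes both concrete. It uses a deliberately simplified rule form (a subject type, a resource type, an action, and one relationship path that must lead from the resource back to the subject) over a constructed entity graph of users, projects and documents, and scores candidate rules against a constructed log the way a greedy miner might: coverage of logged entitlements against the number of grants the log never shows. The entity model, the rule form, the scoring function and the penalty weight are all assumptions made for this illustration.

```python
"""Simplified ReBAC rule evaluation and candidate-rule scoring over a
constructed entity graph with an incomplete, noisy entitlement log.

Added illustration only: the rule language and the scoring below are
assumptions for this example, not the paper's policy language or its
mining algorithms.
"""
from dataclasses import dataclass
from itertools import product

# --- Constructed entity model -------------------------------------------
# Relationship-valued attributes hold entity ids (or sets of ids), so a
# rule can follow a chain such as doc.project.members.
ENTITIES = {
    "alice": {"type": "user", "dept": "eng"},
    "bob":   {"type": "user", "dept": "eng"},
    "carol": {"type": "user", "dept": "sales"},
    "p1":    {"type": "project", "members": {"alice", "bob"}, "owner": "alice"},
    "p2":    {"type": "project", "members": {"carol"}, "owner": "carol"},
    "d1":    {"type": "doc", "project": "p1"},
    "d2":    {"type": "doc", "project": "p1"},
    "d3":    {"type": "doc", "project": "p2"},
}


def follow(start, path):
    """Follow a chain of relationship attributes from entity id `start`.
    Returns the set of entity ids reached (empty if the chain breaks)."""
    frontier = {start}
    for attr in path:
        nxt = set()
        for eid in frontier:
            val = ENTITIES.get(eid, {}).get(attr)
            if isinstance(val, set):
                nxt |= val
            elif val is not None:
                nxt.add(val)
        frontier = nxt
    return frontier


@dataclass(frozen=True)
class Rule:
    subject_type: str
    resource_type: str
    action: str
    # Constraint: the subject must be reachable from the resource along
    # `path`; ("project", "members") reads "subject is a member of the
    # resource's project". An empty path imposes no constraint.
    path: tuple = ()

    def grants(self, subj, res):
        s, r = ENTITIES[subj], ENTITIES[res]
        if s["type"] != self.subject_type or r["type"] != self.resource_type:
            return False
        return not self.path or subj in follow(res, self.path)


def entitlements_of(rule):
    """All (subject, resource, action) triples the rule authorises."""
    ids = list(ENTITIES)
    return {(s, r, rule.action) for s, r in product(ids, ids) if rule.grants(s, r)}


def score(rule, observed):
    """Compare a candidate rule with an incomplete, noisy log.
    Returns (covered, over_assigned): logged entitlements the rule explains,
    and grants the rule makes that never appear in the log. Because the log
    is incomplete, an over-assignment may be a missing log entry rather than
    a real error, so the miner weighs it instead of rejecting the rule."""
    granted = entitlements_of(rule)
    return len(granted & observed), len(granted - observed)


def best_rule(candidates, observed, penalty=0.5):
    """Greedy choice: maximise covered - penalty * over_assigned."""
    def fitness(rule):
        covered, over = score(rule, observed)
        return covered - penalty * over
    return max(candidates, key=fitness)


# Constructed log: the intended policy is "project members may read the
# project's documents" (5 true entitlements). Two of them were never
# exercised and are missing; one logged entry (carol reading d1) is noise.
OBSERVED_LOG = {
    ("alice", "d1", "read"),
    ("bob", "d2", "read"),
    ("carol", "d3", "read"),
    ("carol", "d1", "read"),   # erroneous entry
}

R_MEMBER = Rule("user", "doc", "read", ("project", "members"))
R_OWNER = Rule("user", "doc", "read", ("project", "owner"))
R_ANY = Rule("user", "doc", "read")
CANDIDATES = [R_ANY, R_OWNER, R_MEMBER]


def mine():
    """Pick the candidate that best explains the constructed log."""
    return best_rule(CANDIDATES, OBSERVED_LOG)


if __name__ == "__main__":
    for r in CANDIDATES:
        print(r.path or "(no constraint)", score(r, OBSERVED_LOG))
    print("chosen:", mine())
```

Running the block, the membership rule covers 3 of the 4 logged entitlements and grants 2 that are absent from the log (the two unexercised reads), which the scoring prefers to the unconstrained rule that covers everything, noise included, at the cost of 5 over-assignments. The noisy entry stays uncovered by the chosen rule, which is the behaviour one wants from a miner that tolerates errors in its input.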


Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Department of Computer Science, Stony Brook University, Stony Brook, USA
