Detecting and resolving policy misconfigurations in access-control systems

Access-control policy misconfigurations that cause requests to be erroneously denied can result in wasted time, user frustration and, in the context of particular applications (e.g., health care), very severe consequences. In this paper we apply association rule mining to the history of accesses to predict changes to access-control policies that are likely to be consistent with users' intentions, so that these changes can be instituted in advance of misconfigurations interfering with legitimate accesses. Instituting these changes requires consent of the appropriate administrator, of course, and so a primary contribution of our work is to automatically determine from whom to seek consent and to minimize the costs of doing so. We show using data from a deployed access-control system that our methods can reduce the number of accesses that would have incurred costly time-of-access delays by 44%, and can correctly predict 58% of the intended policy. These gains are achieved without increasing the total amount of time users spend interacting with the system.
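The idea in the abstract, shown as an added example that is not the paper's algorithm or code: mine rules of the form "users who accessed x also accessed y" from an access history, then flag users who match a rule's premise but have never exercised its conclusion as candidate policy gaps to put before an administrator. The pairwise-only rules, the thresholds, the sample history and all function names are assumptions made for illustration.

```python
from collections import defaultdict
from itertools import permutations

# Constructed sample history: user -> resources the user has successfully accessed.
HISTORY = {
    "alice": {"lab-door", "office-101", "printer"},
    "bob":   {"lab-door", "office-101", "printer"},
    "carol": {"lab-door", "office-101"},
    "dave":  {"lab-door", "printer"},
    "erin":  {"office-101"},
}

def mine_rules(history, min_support=0.4, min_confidence=0.6):
    """Return {(x, y): confidence} for rules 'accessed x => accessed y'.

    support    = fraction of users who accessed both x and y
    confidence = users who accessed both / users who accessed x
    Thresholds are assumed values, not taken from the paper.
    """
    n = len(history)
    single, pair = defaultdict(int), defaultdict(int)
    for resources in history.values():
        for r in resources:
            single[r] += 1
        for x, y in permutations(sorted(resources), 2):
            pair[(x, y)] += 1
    rules = {}
    for (x, y), count in pair.items():
        confidence = count / single[x]
        if count / n >= min_support and confidence >= min_confidence:
            rules[(x, y)] = confidence
    return rules

def predict_misconfigurations(history, rules):
    """List ((user, resource), confidence) for users who satisfy a rule's
    premise but not its conclusion. These are only candidates: each one
    still needs the consent of the resource's administrator."""
    predictions = {}
    for (x, y), conf in rules.items():
        for user, resources in history.items():
            if x in resources and y not in resources:
                key = (user, y)
                predictions[key] = max(conf, predictions.get(key, 0.0))
    # Highest-confidence candidates first, ties broken by name for stable output.
    return sorted(predictions.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for (user, resource), conf in predict_misconfigurations(HISTORY, mine_rules(HISTORY)):
        print(f"suggest granting {user} -> {resource} (confidence {conf:.2f})")
```

Raising `min_confidence` trades fewer predicted grants for fewer requests that an administrator has to review and reject.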
