Adaptive ABAC Policy Learning: A Reinforcement Learning Approach

With rapid advances in computing systems, there is an increasing demand for more effective and efficient access control (AC) approaches. Recently, Attribute Based Access Control (ABAC) approaches have been shown to be promising in fulfilling the AC needs of such emerging complex computing environments. An ABAC model grants access to a requester based on attributes of entities in a system and an authorization policy; however, its generality and flexibility come with a higher cost. Further, increasing complexities of organizational systems and the need for federated accesses to their resources make the task of AC enforcement and management much more challenging. In this paper, we propose an adaptive ABAC policy learning approach to automate the authorization management task. We model ABAC policy learning as a reinforcement learning problem. In particular, we propose a contextual bandit system, in which an authorization engine adapts an ABAC model through a feedback control loop; it relies on interacting with users/administrators of the system to receive their feedback that assists the model in making authorization decisions. We propose four methods for initializing the learning model and a planning approach based on attribute value hierarchy to accelerate the learning process. We focus on developing an adaptive ABAC policy learning model for a home IoT environment as a running example. We evaluate our proposed approach over real and synthetic data. We consider both complete and sparse datasets in our evaluations. Our experimental results show that the proposed approach achieves performance that is comparable to ones based on supervised learning in many scenarios and even outperforms them in several situations.
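To make the contextual-bandit formulation concrete, here is a small added illustration (not code from the paper or its authors) of an authorization engine that treats each access request's attribute tuple as the bandit context, the decisions permit/deny as the arms, and administrator feedback as the reward. The home-IoT attribute values, the attribute-value hierarchy, and the `admin_oracle` that stands in for the human feedback loop are all constructed for this example; the parent-context fallback over the hierarchy is my own simplification standing in for the paper's planning step, not its actual method. The learner fails closed on contexts it has no experience with.

```python
"""Toy contextual bandit for ABAC authorization decisions (added example)."""
import random
from collections import defaultdict

PERMIT, DENY = "permit", "deny"
ARMS = (PERMIT, DENY)

# Constructed attribute-value hierarchy: specific value -> more general value.
HIERARCHY = {
    "smart_lock": "security_device", "camera": "security_device",
    "thermostat": "comfort_device", "light": "comfort_device",
    "parent": "adult", "guest": "adult", "child": "minor",
}

# Constructed request space: (subject, device, action) attribute tuples.
SUBJECTS = ("parent", "guest", "child")
DEVICES = ("smart_lock", "camera", "thermostat", "light")
ACTIONS = ("view", "control", "configure")
ALL_REQUESTS = [(s, d, a) for s in SUBJECTS for d in DEVICES for a in ACTIONS]


def generalize(context):
    """Lift every attribute value one level up the hierarchy (values with
    no parent are kept). Used as a fallback key for unseen contexts."""
    return tuple(HIERARCHY.get(v, v) for v in context)


def admin_oracle(context):
    """Constructed ground-truth home policy playing the administrator's role
    in the feedback loop: returns the decision the admin would approve."""
    subject, device, action = context
    if subject == "child" and device in ("smart_lock", "camera"):
        return DENY
    if subject == "guest" and action == "configure":
        return DENY
    return PERMIT


class BanditAuthorizer:
    """Epsilon-greedy contextual bandit with per-context arm statistics."""

    def __init__(self, epsilon=0.1, seed=0):
        self.epsilon = epsilon
        self.rng = random.Random(seed)
        # stats[context_key][arm] = [reward_sum, trials]
        self.stats = defaultdict(lambda: {a: [0, 0] for a in ARMS})

    def _estimate(self, k, arm):
        reward_sum, trials = self.stats[k][arm]
        return reward_sum / trials if trials else 0.5  # neutral prior

    def decide(self, context, explore=True):
        """Pick an arm; with probability epsilon explore at random."""
        if explore and self.rng.random() < self.epsilon:
            return self.rng.choice(ARMS)
        # Exact context first, then the generalized (hierarchy) context.
        for k in (context, generalize(context)):
            if k in self.stats:
                return max(ARMS, key=lambda a: self._estimate(k, a))
        return DENY  # no experience at all: fail closed

    def learn(self, context, arm, reward):
        """Feedback step: credit the reward to the exact and general keys."""
        for k in (context, generalize(context)):
            self.stats[k][arm][0] += reward
            self.stats[k][arm][1] += 1


def train(authorizer, requests, epochs=5):
    """Run the feedback control loop: decide, get admin feedback, update.
    Reward is 1 when the chosen arm matches the administrator's decision."""
    for _ in range(epochs):
        for ctx in requests:
            arm = authorizer.decide(ctx)
            reward = 1 if arm == admin_oracle(ctx) else 0
            authorizer.learn(ctx, arm, reward)
    return authorizer


def accuracy(authorizer, requests):
    """Fraction of requests on which the greedy decision matches the admin."""
    hits = sum(authorizer.decide(c, explore=False) == admin_oracle(c)
               for c in requests)
    return hits / len(requests)


if __name__ == "__main__":
    engine = train(BanditAuthorizer(), ALL_REQUESTS)
    print("accuracy after training:", accuracy(engine, ALL_REQUESTS))
```

Because the constructed feedback is deterministic, one trial of an arm at a context is enough for the greedy choice there to become correct, so accuracy reaches 1.0 after the first epoch; with noisy or changing administrator feedback the estimates would keep adapting, which is the point of the feedback loop. The hierarchy fallback shows how experience with one security device can inform a decision about another one the engine has never seen, at the cost of inheriting any mistake made at the general level.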
