Mining Relationship-Based Access Control Policies from Incomplete and Noisy Data

Relationship-based access control (ReBAC) extends attribute-based access control (ABAC) by allowing policies to be expressed in terms of chains of relationships between entities. ReBAC policy mining algorithms have the potential to significantly reduce the cost of migrating from legacy access control systems to ReBAC by partially automating the development of a ReBAC policy. This paper presents algorithms for mining ReBAC policies from information about entitlements together with information about entities. It presents the first such algorithms designed to handle incomplete information about entitlements, typically obtained from operation logs, and noise (errors) in that information. We present two algorithms: a greedy search guided by heuristics, and an evolutionary algorithm. We demonstrate the effectiveness of the algorithms on several policies, including three large case studies.
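The abstract describes greedy mining of relationship-chain rules from an incomplete, noisy set of entitlements. The following is an added illustration written for this page; it is not the paper's algorithm and its heuristics are simpler than the ones the paper evaluates. It assumes a small constructed entity graph (users, projects, documents), a candidate rule language where a rule grants access when a relationship chain from the subject and a relationship chain from the resource reach the same entity, an observed set of granted and denied (user, document) pairs that is incomplete and contains one deliberately wrong grant, and a noise tolerance that rejects candidate rules contradicted by too many observed denials. All names, data and thresholds are constructed for the example.

```python
from itertools import product

# Constructed entity graph (example data, not from the paper).
# Each entity maps an attribute name to the entity it points at.
ENTITIES = {
    "alice": {"team": "blue", "manager": "dave"},
    "bob":   {"team": "blue", "manager": "dave"},
    "carol": {"team": "red",  "manager": "erin"},
    "dave":  {"team": "blue", "manager": None},
    "erin":  {"team": "red",  "manager": None},
    "proj1": {"team": "blue"},
    "proj2": {"team": "red"},
    "doc1":  {"owner": "alice", "project": "proj1"},
    "doc2":  {"owner": "bob",   "project": "proj1"},
    "doc3":  {"owner": "carol", "project": "proj2"},
    "doc4":  {"owner": "carol", "project": "proj1"},
    "doc5":  {"owner": "erin",  "project": "proj1"},
}

# Constructed "operation log": pairs seen granted and pairs seen denied.
# The granted set is incomplete (many legitimate pairs never appear) and
# contains one deliberate error, (erin, doc1).
GRANTED = {
    ("alice", "doc1"), ("bob", "doc1"), ("dave", "doc2"), ("bob", "doc2"),
    ("carol", "doc3"), ("erin", "doc3"), ("carol", "doc4"), ("alice", "doc4"),
    ("bob", "doc4"), ("erin", "doc5"), ("alice", "doc5"),
    ("erin", "doc1"),  # noise: an erroneous grant
}
DENIED = {
    ("carol", "doc1"), ("alice", "doc3"), ("bob", "doc3"),
    ("erin", "doc2"), ("erin", "doc4"), ("carol", "doc5"),
}

# Candidate rule = (subject_path, resource_path): access is granted when
# both relationship chains resolve to the same entity. For example,
# ((), ("owner",)) means "subject == resource.owner" and
# (("team",), ("project", "team")) means "subject.team == resource.project.team".
SUBJECT_PATHS = [(), ("team",), ("manager",)]
RESOURCE_PATHS = [("owner",), ("owner", "manager"), ("project", "team"), ("owner", "team")]


def follow(entity, path):
    """Follow a chain of relationships; return None if the chain breaks."""
    cur = entity
    for attr in path:
        cur = ENTITIES.get(cur, {}).get(attr)
        if cur is None:
            return None
    return cur


def rule_matches(rule, user, doc):
    sp, rp = rule
    a, b = follow(user, sp), follow(doc, rp)
    return a is not None and a == b


def rule_to_str(rule):
    sp, rp = rule
    return "subject" + "".join("." + a for a in sp) + " == resource" + "".join("." + a for a in rp)


def mine_greedy(granted, denied, noise_tolerance=0.25, min_cover=2):
    """Greedy search: repeatedly add the candidate rule that covers the most
    still-uncovered granted pairs, preferring rules that contradict fewer
    observed denials and that use shorter relationship chains. A rule whose
    share of contradicted denials exceeds noise_tolerance is rejected.
    Mining stops when no acceptable rule covers at least min_cover uncovered
    pairs; the leftover pairs are treated as noise rather than forced into
    the policy."""
    uncovered = set(granted)
    policy = []
    candidates = list(product(SUBJECT_PATHS, RESOURCE_PATHS))
    while uncovered:
        best, best_key = None, None
        for rule in candidates:
            if rule in policy:
                continue
            matched = {p for p in granted if rule_matches(rule, *p)}
            fps = sum(1 for p in denied if rule_matches(rule, *p))
            if not matched or fps / (len(matched) + fps) > noise_tolerance:
                continue
            cover = matched & uncovered
            key = (len(cover), -fps, -(len(rule[0]) + len(rule[1])))
            if best_key is None or key > best_key:
                best, best_key = rule, key
        if best is None or best_key[0] < min_cover:
            break
        policy.append(best)
        uncovered -= {p for p in uncovered if rule_matches(best, *p)}
    return policy, uncovered


def check(policy, user, doc):
    """Evaluate a mined policy: grant if any rule matches."""
    return any(rule_matches(r, user, doc) for r in policy)


if __name__ == "__main__":
    policy, leftover = mine_greedy(GRANTED, DENIED)
    for r in policy:
        print("grant read if", rule_to_str(r))
    print("unexplained (treated as noise):", sorted(leftover))
```

On this data the miner first selects the team-membership rule, then the ownership rule, and leaves the single erroneous grant unexplained instead of adding a rule to cover it; the rule "subject == resource.owner.manager" is rejected because one of its three matches is an observed denial. The mined policy also grants pairs that never appeared in the log, such as (dave, doc1), which is the point of generalizing from incomplete data.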
