Mining Attribute-Based Access Control Policies

Attribute-based access control (ABAC) provides a high level of flexibility that promotes both security and information sharing. ABAC policy mining algorithms have the potential to significantly reduce the cost of migrating to ABAC by partially automating the development of an ABAC policy from an access control list (ACL) policy or role-based access control (RBAC) policy together with accompanying attribute data. This paper presents an ABAC policy mining algorithm; to the best of our knowledge, it is the first ABAC policy mining algorithm. Our algorithm iterates over tuples in the given user-permission relation, uses selected tuples as seeds for constructing candidate rules, and attempts to generalize each candidate rule to cover additional tuples in the user-permission relation by replacing conjuncts in attribute expressions with constraints. It then attempts to improve the policy by merging and simplifying candidate rules, and finally selects the highest-quality candidate rules for inclusion in the generated policy.
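The following is an added illustration of the seed, generalize, merge and select pipeline sketched in the abstract; it is not the paper's algorithm or code, and the users, resources, attribute names (`dept`, `role`, `type`) and user-permission relation are constructed. A rule is modelled as user-attribute conjuncts, resource-attribute conjuncts, an operation set and equality constraints of the form user.a == resource.b. Each generalization step is accepted only if the rule still grants nothing outside the user-permission relation, which is the check that keeps mining from over-granting.

```python
"""Toy ABAC policy miner in the spirit of the abstract above.

Added illustration, not the paper's algorithm or code. The users, resources,
attribute names and the user-permission relation below are constructed."""

# --- constructed sample data -------------------------------------------------
USERS = {
    "alice": {"dept": "eng", "role": "mgr"},
    "bob":   {"dept": "eng", "role": "dev"},
    "carol": {"dept": "fin", "role": "mgr"},
    "dave":  {"dept": "fin", "role": "clerk"},
}
RESOURCES = {
    "f1": {"dept": "eng", "type": "file"},
    "f2": {"dept": "fin", "type": "file"},
}
# User-permission relation UP: everyone reads their own department's file,
# managers may also write and delete it.
UP = frozenset({
    ("alice", "f1", "read"), ("alice", "f1", "write"), ("alice", "f1", "delete"),
    ("bob", "f1", "read"),
    ("carol", "f2", "read"), ("carol", "f2", "write"), ("carol", "f2", "delete"),
    ("dave", "f2", "read"),
})

# A rule is (uae, rae, ops, cons): user/resource attribute expressions as
# frozensets of (attr, value) conjuncts, an op set, and constraints as a
# frozenset of (user_attr, resource_attr) pairs meaning user.a == resource.b.

def satisfies(rule, u, r, op):
    uae, rae, ops, cons = rule
    ua, ra = USERS[u], RESOURCES[r]
    return (op in ops
            and all(ua.get(a) == v for a, v in uae)
            and all(ra.get(a) == v for a, v in rae)
            and all(ua.get(x) == ra.get(y) for x, y in cons))

def meaning(rule):
    """Every (user, resource, op) tuple the rule grants."""
    return {(u, r, op) for u in USERS for r in RESOURCES for op in rule[2]
            if satisfies(rule, u, r, op)}

def valid(rule, up):
    """A candidate is acceptable only if it grants nothing outside UP."""
    return meaning(rule) <= up

def size(rule):
    """Structural complexity: number of conjuncts, ops and constraints."""
    return sum(len(part) for part in rule)

def seed_rule(u, r, op):
    """Most specific rule covering one tuple: every attribute as a conjunct."""
    return (frozenset(USERS[u].items()), frozenset(RESOURCES[r].items()),
            frozenset({op}), frozenset())

def generalize(rule, up):
    """Replace equal-valued conjunct pairs with constraints, then drop conjuncts,
    keeping the rule valid after every step (greedy and order-dependent)."""
    uae, rae, ops, cons = rule
    for ux, uv in sorted(uae):
        for rx, rv in sorted(rae):
            if uv != rv or (ux, uv) not in uae or (rx, rv) not in rae:
                continue
            cand = (uae - {(ux, uv)}, rae - {(rx, rv)}, ops, cons | {(ux, rx)})
            if valid(cand, up):
                uae, rae, cons = cand[0], cand[1], cand[3]
    for c in sorted(uae):
        if valid((uae - {c}, rae, ops, cons), up):
            uae = uae - {c}
    for c in sorted(rae):
        if valid((uae, rae - {c}, ops, cons), up):
            rae = rae - {c}
    return (uae, rae, ops, cons)

def merge(candidates):
    """Rules with identical expressions and constraints are merged by taking the
    union of their op sets; the union of valid rules is still valid."""
    by_key = {}
    for uae, rae, ops, cons in candidates:
        by_key[(uae, rae, cons)] = by_key.get((uae, rae, cons), frozenset()) | ops
    return {(uae, rae, ops, cons) for (uae, rae, cons), ops in by_key.items()}

def mine(up):
    """Seed from each tuple, generalize, merge, then greedily pick candidates
    that cover the most still-uncovered tuples at the smallest size."""
    candidates = merge({generalize(seed_rule(*t), up) for t in up})
    policy, uncovered = [], set(up)
    while uncovered:
        def rank(rl):
            return (-len(meaning(rl) & uncovered), size(rl),
                    tuple(tuple(sorted(p)) for p in rl))  # deterministic tie-break
        best = min(candidates, key=rank)
        if not meaning(best) & uncovered:
            break  # guard against a candidate set that cannot cover UP
        policy.append(best)
        uncovered -= meaning(best)
    return policy

def show(rule):
    uae, rae, ops, cons = rule
    fmt = lambda s: " and ".join(f"{a}={v}" for a, v in sorted(s)) or "true"
    cs = " and ".join(f"user.{x}==res.{y}" for x, y in sorted(cons)) or "true"
    return f"user: {fmt(uae)}; res: {fmt(rae)}; ops: {sorted(ops)}; cons: {cs}"

if __name__ == "__main__":
    for rule in mine(UP):
        print(show(rule))
```

On this data the miner produces two rules: anyone may read a resource whose `dept` equals their own, and users with `role=mgr` may write and delete such resources. The `dept` conjuncts of every seed collapse into the constraint `user.dept==res.dept`, and the separate write and delete candidates merge because they share the same expressions and constraint. The validity check is what stops `role=mgr` from being dropped from the write rule: doing so would grant `bob` write on `f1`, which is not in the relation.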