Semantic analysis of role mining results and shadowed roles detection

The use of role engineering has grown in importance with the expansion of highly abstracted access control frameworks in organizations. In particular, the use of role mining techniques for the discovery of roles from previously deployed authorizations has facilitated the configuration of such frameworks. However, the literature lacks a clear basis for appraising and leveraging the learning outcomes of the role mining process. In this paper, we provide such a formal basis. We compare sets of roles by projecting roles from one set into the other. This approach is useful to measure how comparable the two configurations of roles are, and to interpret each role. We formally define the problem of comparing sets of roles, and prove that the problem is NP-complete. Then, we propose an algorithm to map the inherent relationship between the sets based on Boolean expressions. We demonstrate the correctness and completeness of our solution, and investigate some further issues that may benefit from our approach, such as detection of unhandled perturbations or source misconfiguration. In particular, we emphasize that the presence of shadowed roles in the role configuration increases the time complexity of the comparison of sets of roles. We provide a definition of the shadowed roles problem and propose a solution that detects different cases of role shadowing.
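The abstract describes projecting each role of one configuration into another as a Boolean expression over the target roles, using the result to measure how comparable the two configurations are, and detecting shadowed roles. The script below is an added illustration of that idea, not code from the paper: roles are modelled as permission sets, a role is projected as the OR of the target roles whose permissions all lie inside it (so the projection never grants more than the source role did), and the two shadowing cases it checks (exact duplicates, and a role that equals the union of strictly smaller roles) are a simplified assumption of this example, not the paper's own definition. The role names and permissions are constructed sample data.

```python
from itertools import combinations

# Constructed sample data (not from the paper): two role configurations over
# one permission universe. Each role is a name mapped to its permission set.
# ROLES_A stands for a mined configuration, ROLES_B for a deployed one.
ROLES_A = {
    "clerk":   {"read_ledger", "post_entry"},
    "auditor": {"read_ledger", "read_audit_log"},
    "manager": {"read_ledger", "post_entry", "approve_entry"},
}
ROLES_B = {
    "reader":      {"read_ledger"},
    "poster":      {"post_entry"},
    "approver":    {"approve_entry"},
    "reader_copy": {"read_ledger"},                 # duplicate of "reader"
    "clerk_b":     {"read_ledger", "post_entry"},   # equals reader OR poster
}


def project_role(perms, target):
    """Project one role (a permission set) into the target configuration.

    Only target roles whose permissions all lie inside `perms` are used, so the
    projection never grants more than the source role did. Returns the sorted
    names of those roles and the permissions they fail to cover; the role is
    expressible as the Boolean OR of the returned roles iff the remainder is
    empty."""
    covering = sorted(name for name, p in target.items() if p <= perms)
    covered = set().union(*(target[n] for n in covering)) if covering else set()
    return covering, perms - covered


def compare_configurations(source, target):
    """Map every role of `source` to an OR-expression over `target` roles.

    Returns {role: (expression, uncovered permissions)}."""
    mapping = {}
    for name, perms in source.items():
        covering, leftover = project_role(perms, target)
        mapping[name] = (" OR ".join(covering) if covering else "<none>", leftover)
    return mapping


def exact_projection_ratio(source, target):
    """Share of source roles that project into target with nothing left over:
    a simple measure of how comparable the two configurations are."""
    if not source:
        return 1.0
    exact = sum(1 for _, left in compare_configurations(source, target).values() if not left)
    return exact / len(source)


def find_shadowed_roles(config):
    """Detect shadowed roles under two simplified cases (an assumption of this
    example, not the paper's definition):
      duplicate - another role carries exactly the same permissions;
      composite - the role equals the union of two or more strictly smaller
                  roles, so it adds no authorization they do not already express.
    Returns a list of (kind, role, shadowing_roles) tuples."""
    findings = []
    names = sorted(config)
    for r, s in combinations(names, 2):
        if config[r] == config[s]:
            findings.append(("duplicate", r, (s,)))
    for r in names:
        parts = [n for n in names if n != r and config[n] < config[r]]
        # Exhaustive subset enumeration: exponential in len(parts), which is
        # why redundant roles make the comparison expensive.
        for k in range(2, len(parts) + 1):
            hit = next((c for c in combinations(parts, k)
                        if set().union(*(config[n] for n in c)) == config[r]), None)
            if hit:
                findings.append(("composite", r, hit))
                break
    return findings


if __name__ == "__main__":
    for role, (expr, left) in compare_configurations(ROLES_A, ROLES_B).items():
        print(f"{role:8s} -> {expr}" + (f"  (uncovered: {sorted(left)})" if left else ""))
    print("exact projection ratio:", exact_projection_ratio(ROLES_A, ROLES_B))
    for kind, role, by in find_shadowed_roles(ROLES_B):
        print(f"shadowed ({kind}): {role} by {', '.join(by)}")
```

Running it shows `auditor` failing to project (no deployed role grants `read_audit_log`, a candidate source misconfiguration or unhandled perturbation), while `clerk` is covered by four target roles at once because `reader` and `reader_copy` are duplicates and `clerk_b` is their union: every such shadowed role multiplies the number of equivalent covering expressions the comparison has to consider, which is the cost the abstract points at.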
