Role Mining with Probabilistic Models

Role mining tackles the problem of finding a role-based access control (RBAC) configuration, given an access-control matrix assigning users to access permissions as input. Most role-mining approaches work by constructing a large set of candidate roles and using a greedy selection strategy to iteratively pick a small subset such that the differences between the resulting RBAC configuration and the access-control matrix are minimized. In this article, we advocate an alternative approach that recasts role mining as an inference problem rather than a lossy compression problem. Instead of using combinatorial algorithms to minimize the number of roles needed to represent the access-control matrix, we derive probabilistic models to learn the RBAC configuration that most likely underlies the given matrix. Our models are generative in that they reflect the way that permissions are assigned to users in a given RBAC configuration. We additionally model how user-permission assignments that conflict with an RBAC configuration emerge, and we investigate the influence of constraints on role hierarchies and on the number of assignments. In experiments with access-control matrices from real-world enterprises, we compare our proposed models with other role-mining methods. Our results show that our probabilistic models infer roles that generalize well to new system users for a wide variety of data, while other models’ generalization abilities depend on the dataset given.
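To make the baseline the abstract contrasts itself with concrete, the following is an added example (not code from the paper or its authors) of the candidate-generation-plus-greedy-selection style of role mining run on a small constructed user-permission matrix. The user and permission names, the data, and the candidate rule (each distinct user permission set plus pairwise intersections) are assumptions chosen for illustration. It also shows what remains after mining: the cells no mined role reproduces, which are the "exceptional" assignments the abstract's probabilistic models treat as noise, and how a set of mined roles does or does not explain a previously unseen user.

```python
"""Greedy candidate-role selection for role mining on a constructed
user-permission assignment (UPA). Added example; not the paper's code."""
from itertools import combinations

# Constructed UPA: user -> set of permissions (hypothetical names).
UPA = {
    "alice": {"read_ledger", "post_entry"},
    "bob":   {"read_ledger", "post_entry"},
    "carol": {"read_ledger", "post_entry", "approve_entry"},
    "dave":  {"view_hr", "edit_hr"},
    "erin":  {"view_hr", "edit_hr"},
    "frank": {"view_hr"},
    # 'deploy' is a one-off grant no other user shares: an assignment that
    # conflicts with any compact RBAC configuration (noise, in the paper's terms).
    "grace": {"read_ledger", "post_entry", "deploy"},
}


def candidate_roles(upa):
    """Candidate roles: every distinct user permission set plus every
    non-empty pairwise intersection of them (assumed enumeration rule)."""
    base = {frozenset(p) for p in upa.values() if p}
    cands = set(base)
    for a, b in combinations(base, 2):
        if a & b:
            cands.add(a & b)
    return cands


def fits(role, perms):
    """A role is assignable to a user only if it grants nothing the user
    does not already hold, so the mined configuration never over-grants."""
    return role <= perms


def greedy_role_mining(upa, max_roles):
    """Repeatedly pick the candidate covering the most still-uncovered
    (user, permission) cells and assign it to every user it fits.
    Candidates are visited in a fixed order so ties break deterministically."""
    uncovered = {u: set(p) for u, p in upa.items()}
    cands = candidate_roles(upa)
    roles = []
    for _ in range(max_roles):
        best, gain = None, 0
        for r in sorted(cands, key=sorted):
            g = sum(len(r & uncovered[u]) for u, p in upa.items() if fits(r, p))
            if g > gain:
                best, gain = r, g
        if best is None:
            break  # no candidate covers anything new
        roles.append(best)
        cands.discard(best)
        for u, p in upa.items():
            if fits(best, p):
                uncovered[u] -= best
    return roles


def assign_roles(roles, perms):
    """User-role assignment: every mined role the user's permissions admit."""
    return [r for r in roles if fits(r, perms)]


def reconstruction_error(roles, upa):
    """Cells of the UPA the mined RBAC configuration fails to reproduce.
    Since roles never over-grant, these are exactly the residual direct
    assignments an administrator would have to keep or review."""
    return sum(len(p ^ set().union(*assign_roles(roles, p))) for p in upa.values())


def exception_rate(roles, upa):
    """Fraction of assigned cells left unexplained: a crude estimate of the
    noise level a generative model would have to account for."""
    total = sum(len(p) for p in upa.values())
    return reconstruction_error(roles, upa) / total


def uncovered_for_new_user(roles, perms):
    """Permissions of an unseen user that no mined role explains; a proxy
    for how well the mined roles generalize beyond the training users."""
    return perms - set().union(*assign_roles(roles, perms))


if __name__ == "__main__":
    for k in (2, 3):
        roles = greedy_role_mining(UPA, k)
        print(k, [sorted(r) for r in roles], reconstruction_error(roles, UPA),
              round(exception_rate(roles, UPA), 3))
    two = greedy_role_mining(UPA, 2)
    print(uncovered_for_new_user(two, {"read_ledger", "post_entry", "view_hr", "edit_hr"}))
    print(uncovered_for_new_user(two, {"view_hr"}))
```

With two roles the greedy pass recovers the two obvious groups and leaves three residual cells (carol's approval right, frank's view-only access, grace's deploy grant); allowing a third role spends it on a single-user role for carol, which reduces the reconstruction error but is exactly the kind of over-fitting to one dataset that motivates treating the matrix as noisy observations of an underlying configuration instead.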
