An Unsupervised Learning Based Approach for Mining Attribute Based Access Control Policies

An Attribute-Based Access Control (ABAC) model provides a flexible and promising approach for large, dynamic systems and applications and helps overcome the limitations of other prevalent access control (AC) approaches. However, the cost of migrating to an ABAC-based system is a significant obstacle for organizations. Many large enterprises and applications need to grant access privileges to a huge number of users distributed across disparate computing environments and applications, including legacy systems. Each of these applications may have its own access control model. Manual development of a single access control policy through a set of attribute-based policy rules is expensive and time consuming. In this paper, we present a methodology for automatically learning ABAC policy rules from the access logs of a system, to facilitate the AC policy development process. The proposed approach uses an unsupervised learning-based technique for detecting patterns in a set of access records and extracting ABAC policy rules from these patterns. We present two algorithms, rule pruning and policy refinement, to improve the quality of the mined policy. The policy refinement algorithm is also useful for ABAC policy maintenance. We evaluate our proposed approach on three different sample policies as well as a randomly synthesized policy to show its effectiveness.
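As an added illustration of the idea in the abstract, and not the paper's own algorithm (the abstract gives no details of it): a toy miner over a constructed access log that extracts candidate ABAC rules as conjunctions of attribute tests covering only permitted requests, then prunes rules that are subsumed by a more general rule or that cover no permitted record the remaining rules do not already cover. The attribute names, the log and the assumption that the log records both permit and deny decisions are constructed for the example.

```python
from itertools import combinations

# Constructed access log (not from the paper): subject attributes, resource
# attributes, decision. Assumes the log records both permits and denies.
ACCESS_LOG = [
    ({"dept": "eng", "role": "dev"}, {"type": "repo", "owner": "eng"}, "permit"),
    ({"dept": "eng", "role": "dev"}, {"type": "repo", "owner": "eng"}, "permit"),
    ({"dept": "eng", "role": "lead"}, {"type": "repo", "owner": "eng"}, "permit"),
    ({"dept": "eng", "role": "dev"}, {"type": "repo", "owner": "fin"}, "deny"),
    ({"dept": "fin", "role": "analyst"}, {"type": "ledger", "owner": "fin"}, "permit"),
    ({"dept": "fin", "role": "analyst"}, {"type": "repo", "owner": "eng"}, "deny"),
    ({"dept": "fin", "role": "analyst"}, {"type": "ledger", "owner": "fin"}, "permit"),
]

def to_items(subj, res):
    """Flatten one request into a set of (attribute, value) tests."""
    return frozenset({("s." + k, v) for k, v in subj.items()}
                     | {("r." + k, v) for k, v in res.items()})

def mine_rules(log, max_len=2, min_support=2):
    """Candidate rule = conjunction of up to max_len attribute tests seen in
    permitted records. Keep it only if it matches no denied record (it would
    over-grant) and at least min_support permitted records."""
    permits = [to_items(s, r) for s, r, d in log if d == "permit"]
    denies = [to_items(s, r) for s, r, d in log if d == "deny"]
    candidates = set()
    for rec in permits:
        for n in range(1, max_len + 1):
            candidates.update(frozenset(c) for c in combinations(sorted(rec), n))
    rules = {}
    for rule in candidates:
        if any(rule <= d for d in denies):
            continue
        covered = {i for i, p in enumerate(permits) if rule <= p}
        if len(covered) >= min_support:
            rules[rule] = covered
    return rules, len(permits)

def prune_rules(rules):
    """Pruning: drop rules subsumed by a more general kept rule, then keep
    (greedily, most-covering first) only rules that cover permitted records
    no earlier rule already covers."""
    general = [r for r in rules if not any(o < r for o in rules)]
    order = sorted(general, key=lambda r: (-len(rules[r]), len(r), sorted(r)))
    kept, covered = [], set()
    for r in order:
        if rules[r] - covered:
            kept.append(r)
            covered |= rules[r]
    return kept
```

On this log the miner rejects single tests such as dept=eng (they also match a denied request) and ends with two rules, "dept=eng AND owner=eng" and "type=ledger", which together cover every permitted record.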
