Mining Hierarchical Temporal Roles with Multiple Metrics

Temporal role-based access control (TRBAC) extends role-based access control to limit the times at which roles are enabled. This paper presents a new algorithm for mining high-quality TRBAC policies from timed ACLs (i.e., ACLs with time limits in the entries) and optionally user attribute information. Such algorithms have the potential to significantly reduce the cost of migration from timed ACLs to TRBAC. The algorithm is parameterized by the policy quality metric. We consider multiple quality metrics, including number of roles, weighted structural complexity (a generalization of policy size), and (when user attribute information is available) interpretability, i.e., how well role membership can be characterized in terms of user attributes. Ours is the first TRBAC policy mining algorithm that produces hierarchical policies, and the first that optimizes weighted structural complexity or interpretability. In experiments with datasets based on real-world ACL policies, our algorithm is more effective than previous algorithms at their goal of minimizing the number of roles.
