Polisma - A Framework for Learning Attribute-Based Access Control Policies

Attribute-based access control (ABAC) is being widely adopted due to its flexibility and universality in capturing authorizations in terms of the properties (attributes) of users and resources. However, specifying ABAC policies is a complex task due to the variety of such attributes. Moreover, migrating an access control system built on a lower-level model to ABAC can be challenging. One approach to generating ABAC policies is to learn them from data, namely from logs of historical access requests and their corresponding decisions. This paper proposes a novel framework for learning ABAC policies from data. The framework, referred to as Polisma, combines data mining, statistical, and machine learning techniques, capitalizing on context information obtained from external sources (e.g., LDAP directories) to enhance the learning process. The approach is evaluated empirically on two datasets (one real, one synthetic). Experimental results show that Polisma generates ABAC policies that accurately control access requests and outperforms existing approaches.
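The learning-from-logs idea in the abstract, reduced to a runnable toy so the moving parts are visible: an access log of (user, resource, action, decision) entries is enriched with attributes from a directory-like context (standing in for the LDAP lookup the abstract mentions), attribute conjunctions that consistently predict one decision are kept as rules, and the rules are then used as a decision point, including for a user who never appears in the log. This is an added example, not Polisma's algorithm or any code from the paper; the directory, the log entries, the support and confidence thresholds and the conflict-resolution order are all constructed here for illustration.

```python
"""Toy ABAC policy learner: mines attribute-conjunction rules from an access
log enriched with directory context, then applies them as a decision point.
Added illustration only; not the Polisma algorithm described in the paper."""
from collections import Counter
from itertools import combinations

# Constructed "LDAP-like" directory context for users and resources.
USER_ATTRS = {
    "alice": {"dept": "finance", "role": "manager"},
    "bob":   {"dept": "finance", "role": "analyst"},
    "carol": {"dept": "eng",     "role": "engineer"},
    "dave":  {"dept": "eng",     "role": "manager"},
    "erin":  {"dept": "hr",      "role": "analyst"},
    "frank": {"dept": "hr",      "role": "manager"},
    "grace": {"dept": "finance", "role": "engineer"},  # never appears in the log
}
RESOURCE_ATTRS = {
    "ledger":  {"owner": "finance", "class": "confidential"},
    "payroll": {"owner": "hr",      "class": "confidential"},
    "repo":    {"owner": "eng",     "class": "internal"},
}

# Constructed access log: (user, resource, action, decision).
ACCESS_LOG = [
    ("alice", "ledger",  "read",  "permit"),
    ("bob",   "ledger",  "read",  "permit"),
    ("carol", "ledger",  "read",  "deny"),
    ("dave",  "ledger",  "read",  "deny"),
    ("erin",  "payroll", "read",  "permit"),
    ("alice", "payroll", "read",  "deny"),
    ("bob",   "payroll", "read",  "deny"),
    ("carol", "repo",    "write", "permit"),
    ("dave",  "repo",    "write", "permit"),
    ("bob",   "repo",    "write", "deny"),
    ("erin",  "repo",    "write", "deny"),
    ("frank", "payroll", "read",  "permit"),
]


def enrich(user, resource, action):
    """Replace identities with (attribute, value) pairs from the directory."""
    feats = {("user." + k, v) for k, v in USER_ATTRS[user].items()}
    feats |= {("res." + k, v) for k, v in RESOURCE_ATTRS[resource].items()}
    feats.add(("action", action))
    return frozenset(feats)


def mine_rules(log, min_support=2, min_confidence=1.0, max_len=2):
    """Return (conditions, decision, support, confidence) for every attribute
    conjunction of size <= max_len seen at least min_support times whose
    decisions are at least min_confidence pure."""
    cond_counts = Counter()
    cond_decision_counts = Counter()
    for user, resource, action, decision in log:
        feats = sorted(enrich(user, resource, action))
        for n in range(1, max_len + 1):
            for conds in combinations(feats, n):
                cond_counts[conds] += 1
                cond_decision_counts[(conds, decision)] += 1
    rules = []
    for (conds, decision), count in cond_decision_counts.items():
        confidence = count / cond_counts[conds]
        if count >= min_support and confidence >= min_confidence:
            rules.append((frozenset(conds), decision, count, confidence))
    return rules


def decide(rules, user, resource, action, default="deny"):
    """Decision point: the most specific matching rule wins; among equally
    specific rules, higher confidence then higher support; if equally ranked
    rules still conflict, deny overrides. No matching rule -> default."""
    feats = enrich(user, resource, action)
    matching = [r for r in rules if r[0] <= feats]
    if not matching:
        return default
    best = max(matching, key=lambda r: (len(r[0]), r[3], r[2], r[1] == "deny"))
    return best[1]


def evaluate(rules, log):
    """Fraction of logged decisions the mined rules reproduce."""
    hits = sum(decide(rules, u, r, a) == d for u, r, a, d in log)
    return hits / len(log)


def format_rule(rule):
    conds, decision, support, confidence = rule
    lhs = " AND ".join(f"{k}={v}" for k, v in sorted(conds))
    return f"{decision.upper()} IF {lhs}  (support={support}, confidence={confidence:.2f})"


if __name__ == "__main__":
    rules = mine_rules(ACCESS_LOG)
    for rule in sorted(rules, key=format_rule):
        print(format_rule(rule))
    print("accuracy on log:", evaluate(rules, ACCESS_LOG))
    # grace is absent from the log; her directory attributes make her a finance user
    print("grace reads ledger:", decide(rules, "grace", "ledger", "read"))
    print("alice writes repo:", decide(rules, "alice", "repo", "write"))
```

Two things worth noticing when running it. First, the rule set reproduces every logged decision and correctly permits a finance user who never appears in the log, which is exactly what the external context buys: the learner generalizes over attributes rather than identities. Second, it also emits rules such as "deny if role=analyst and res.owner=eng" that are pure on this small log but are coincidences of the data; that is the overfitting risk a support threshold, a held-out evaluation and a human review of the mined rules are meant to catch before the policy is deployed.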
