Active Learning of Relationship-Based Access Control Policies

Iyer, Padmavathi; Masoumzadeh, Amirreza

doi:10.1145/3381991.3395614

Cited by 10 publications

(6 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The latter suggests also learning from access enforcement, except in the somewhat different situation that the policy impacts particular entities, e.g., users in a social network, to whom the policy is not made explicit. The more recent work of Iyer and Masoumzadeh [12,13] leverages these motivations to then construct an approach to learning a policy in such "black box" settings, i.e., from information that is generated during access enforcement.…”

Section: The Learning Problemmentioning

confidence: 99%

The Hardness of Learning Access Control Policies

Lei

Tripunitara

2023

Proceedings of the 28th ACM Symposium on Access Control Models and Technologies

View full text Add to dashboard Cite

The problem of learning access control policies is gaining significant attention in research. We contribute to the foundations of this problem by posing and addressing meaningful questions on computational hardness. Our study focuses on learning access control policies within three different models: the access matrix, Role-Based Access Control (RBAC), and Relationship-Based Access Control (ReBAC), as described in existing literature. Our approach builds upon the well-established concept of Probably Approximately Correct (PAC) theory, with careful adaptations for our specific context. In our setup, the learning algorithm receives data or examples associated with access enforcement, which involves deciding whether an access request for resource should be accepted or denied. For the access matrix, we pose a learning problem that turns out to be computationally easy, and another that we prove is computationally hard. We generalize the former result so we have a sufficient condition for establishing other problems to be computationally easy. Building upon these findings, we examine five learning problems in the context of RBAC, of which three are identified as computationally easy and two are proven to be computationally hard. Finally, we consider four learning problems in the context of Re-BAC, all of which are found to be computationally easy. Every proof for a problem that is computationally easy is constructive, in that we propose a learning algorithm for the problem that is efficient, and probably, approximately correct. As such, our work makes contributions at the foundations of an important, emerging aspect of access control, and thereby, information security.I would also like to thank my loving boyfriend, whose belief in me has been a constant source of motivation. His support, understanding, and encouragement have provided me with the strength to overcome challenges and pursue my academic goals.Furthermore, I would like to thank my parents, whose endless love and unwavering support have been the foundation of my educational journey. v

show abstract

Section: The Learning Problemmentioning

confidence: 99%

The Hardness of Learning Access Control Policies

Lei

Tripunitara

2023

Proceedings of the 28th ACM Symposium on Access Control Models and Technologies

View full text Add to dashboard Cite

show abstract

“…Iyer et al [35] proposed a ReBAC mining algorithm in evolving systems for mining graph transitions. The authors later proposed a method for active learning [36] of ReBAC policies from a black-box access control decision engine using authorization and equivalence queries. A universal access control policy mining, called Unicorn, was proposed by Cotrini et al [18], which builds policies in a class of access control models including RBAC, ABAC, and ReBAC.…”

Section: Related Workmentioning

confidence: 99%

Toward Deep Learning Based Access Control

Nobi,

Krishnan,

Huang

et al. 2022

Preprint

View full text Add to dashboard Cite

A common trait of current access control approaches is the challenging need to engineer abstract and intuitive access control models. This entails designing access control information in the form of roles (RBAC), attributes (ABAC), or relationships (ReBAC) as the case may be, and subsequently, designing access control rules. This framework has its benefits but has significant limitations in the context of modern systems that are dynamic, complex, and large-scale, due to which it is difficult to maintain an accurate access control state in the system for a human administrator. This paper proposes Deep Learning Based Access Control (DLBAC) by leveraging significant advances in deep learning technology as a potential solution to this problem. We envision that DLBAC could complement and, in the long-term, has the potential to even replace, classical access control models with a neural network that reduces the burden of access control model engineering and updates. Without loss of generality, we conduct a thorough investigation of a candidate DLBAC model, called DLBAC α , using both real-world and synthetic datasets. We demonstrate the feasibility of the proposed approach by addressing issues related to accuracy, generalization, and explainability. We also discuss challenges and future research directions. CCS CONCEPTS• Security and privacy → Access control; • Computing methodologies → Machine learning.

show abstract

“…Iyer et al [16] present an algorithm for active learning of ReBAC policies from a black-box access control decision engine, using authorization queries and equivalence queries. The algorithm is assumed to have access to complete information about attributes and relationships.…”

Section: Related Work On Rebac Policy Miningmentioning

confidence: 99%

“…policy learning) algorithms have the potential to greatly reduce this cost, by automatically producing a draft high-level policy from existing lower-level data, such as access control lists or access logs. There is a substantial amount of research on role mining [21,10] and a small but growing literature on ABAC policy mining [25,24,20,22,10,9,14,17,8,19], and ReBAC policy mining [4,5,6,3,15,2,16].…”

Section: Introductionmentioning

confidence: 99%

“…The basic ABAC (or ReBAC) policy mining problem is: Given information about the attributes of entities in the system, and the set of currently granted permissions; Find an ABAC (or ReBAC) policy that grants the same permissions using concise, high-level ReBAC rules. Several papers consider a variant of this problem where the information about permissions is incomplete [24,5,9,16,19]. However, all existing works on ABAC and ReBAC policy mining assume that the attribute (and relationship) information is complete, i.e., all attributes of all entities have known values.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Learning Attribute-Based and Relationship-Based Access Control Policies with Unknown Values

Bui¹,

Stoller²

2020

Preprint

View full text Add to dashboard Cite

Attribute-Based Access Control (ABAC) and Relationship-based access control (ReBAC) provide a high level of expressiveness and flexibility that promote security and information sharing, by allowing policies to be expressed in terms of attributes of and chains of relationships between entities. Algorithms for learning ABAC and ReBAC policies from legacy access control information have the potential to significantly reduce the cost of migration to ABAC or ReBAC. This paper presents the first algorithms for mining ABAC and ReBAC policies from access control lists (ACLs) and incomplete information about entities, where the values of some attributes of some entities are unknown. We show that the core of this problem can be viewed as learning a concise three-valued logic formula from a set of labeled feature vectors containing unknowns, and we give the first algorithm (to the best of our knowledge) for that problem.

show abstract

Active Learning of Relationship-Based Access Control Policies

Cited by 10 publications

References 29 publications

The Hardness of Learning Access Control Policies

The Hardness of Learning Access Control Policies

Toward Deep Learning Based Access Control

Learning Attribute-Based and Relationship-Based Access Control Policies with Unknown Values

Contact Info

Product

Resources

About