Evolutionary Inference of Attribute-Based Access Control Policies

Medvet, Eric; Bartoli, Alberto; Carminati, Barbara; Ferrari, Elena

doi:10.1007/978-3-319-15934-8_24

Cited by 44 publications

(37 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Each evolutionary search starts with an initial population containing candidate rules created from a seed SRA-tuple along with numerous random variants of those rules together with some completely random candidate rules, evolves the population by repeatedly applying genetic operators (mutations and crossover), and then adds the highest quality rule in the population to the candidate policy. Rule quality is measured using the same fitness function f as [16] (our definition is slightly simplified but equivalent): f (ρ) = ⟨FAR(ρ), FRR(ρ), ID(ρ), WSC(ρ)⟩, where the false acceptance rate is FAR(ρ) = | [[ρ]] \ uncovAU |, the false rejection rate is FRR(ρ) = |uncovAU \ [[ρ]] |, uncovAU is the subset of AU not covered by the current candidate policy, and ID(ρ) equals 2 if the subject condition and resource condition both contain an atomic condition with path "id", equals 1 if exactly one of them does, and equals 0 if neither of them does. The fitness ordering is lexicographic order on these tuples, where smaller is better.…”

Section: Simplified Evolutionary Algorithmmentioning

confidence: 99%

See 1 more Smart Citation

Efficient and Extensible Policy Mining for Relationship-Based Access Control

Bui

Stoller

2019

Proceedings of the 24th ACM Symposium on Access Control Models and Technologies

View full text Add to dashboard Cite

Relationship-based access control (ReBAC) is a flexible and expressive framework that allows policies to be expressed in terms of chains of relationship between entities as well as attributes of entities. ReBAC policy mining algorithms have a potential to significantly reduce the cost of migration from legacy access control systems to ReBAC, by partially automating the development of a ReBAC policy. Existing ReBAC policy mining algorithms support a policy language with a limited set of operators; this limits their applicability.This paper presents a ReBAC policy mining algorithm designed to be both (1) easily extensible (to support additional policy language features) and (2) scalable. The algorithm is based on Bui et al.'s evolutionary algorithm for ReBAC policy mining algorithm. First, we simplify their algorithm, in order to make it easier to extend and provide a methodology that extends it to handle new policy language features. However, extending the policy language increases the search space of candidate policies explored by the evolutionary algorithm, thus causes longer running time and/or worse results. To address the problem, we enhance the algorithm with a feature selection phase. The enhancement utilizes a neural network to identify useful features. We use the result of feature selection to reduce the evolutionary algorithm's search space. The new algorithm is easy to extend and, as shown by our experiments, is more efficient and produces better policies. KEYWORDS security policy mining; attribute-based access control; relationshipbased access control; feature selection ACM Reference Format:

show abstract

Section: Simplified Evolutionary Algorithmmentioning

confidence: 99%

“…Policy mining algorithms promise to drastically reduce this cost, by automatically produce a "first draft" of a high-level policy from existing lower-level data. There is a substantial amount of research on role mining, surveyed in [8,17], and a small but growing literature on ABAC policy mining [7,14,16,18,22,23], surveyed in [8].…”

Section: Introductionmentioning

confidence: 99%

Efficient and Extensible Policy Mining for Relationship-Based Access Control

Bui

Stoller

2019

Proceedings of the 24th ACM Symposium on Access Control Models and Technologies

View full text Add to dashboard Cite

show abstract

“…[22] provides a comprehensive literature survey on this topic. There has also been work on mining ABAC policies [4], [23], [24], [25]. Specifically, Xu et al [4] proposed an approach (Xu-Stoller) for ABAC policy mining, that we have directly compared to.…”

Section: Related Workmentioning

confidence: 99%

“…The work by Medvet et al [23] uses the same ABAC language and case studies as in Xu-Stoller and employs an evolutionary and separate and conquer approach, where at every iteration, a new rule is generated and the set of access requests is reduced to a smaller size. This has the same efficiency as that of Xu-Stoller.…”

Section: Related Workmentioning

confidence: 99%

Efficient Bottom-Up Mining of Attribute Based Access Control Policies

Talukdar

Batra

Vaidya

et al. 2017

2017 IEEE 3rd International Conference on Collaboration and Internet Computing (CIC)

View full text Add to dashboard Cite

Attribute Based Access Control (ABAC) is fast replacing traditional access control models due to its dynamic nature, flexibility and scalability. ABAC is often used in collaborative environments. However, a major hurdle to deploying ABAC is to precisely configure the ABAC policy. In this paper, we present an ABAC mining approach that can automatically discover the appropriate ABAC policy rules. We first show that the ABAC mining problem is equivalent to identifying a set of functional dependencies in relational databases that cover all of the records in a table. We also propose a more efficient algorithm, called ABAC-SRM which discovers the most general policy rules from a set of candidate rules. We experimentally show that ABAC-SRM is accurate and significantly more efficient than the existing state of the art.

show abstract

“…Attribute management [6,8,16,20,35,37,52] in general deals with requirements related to the attributes used within ABAC policies, ranging from the aggregation of attributes up to their ongoing maintenance. Policy management [4,15,20,22,24,30,37] deals with the development and continuous improvement of access policies.…”

Section: Building Blocks Of Dynamic Identity and Access Managementmentioning

confidence: 99%

Introducing Dynamic Identity and Access Management in Organizations

Kunz

Fuchs²,

Hummer³

et al. 2015

Information Systems Security

View full text Add to dashboard Cite

Abstract. Efficient and secure management of access to resources is a crucial challenge in today's corporate IT environments. During the last years, introducing company-wide Identity and Access Management (IAM) infrastructures building on the Role-based Access Control (RBAC) paradigm has become the de facto standard for granting and revoking access to resources. Due to its static nature, the management of rolebased IAM structures, however, leads to increased administrative efforts and is not able to model dynamic business structures. As a result, introducing dynamic attribute-based access privilege provisioning and revocation is currently seen as the next maturity level of IAM. Nevertheless, up to now no structured process for incorporating Attribute-based Access Control (ABAC) policies into static IAM has been proposed. This paper closes the existing research gap by introducing a novel migration guide for extending static IAM systems with dynamic ABAC policies. By means of conducting structured and tool-supported attribute and policy management activities, the migration guide supports organizations to distribute privilege assignments in an application-independent and flexible manner. In order to show its feasibility, we provide a naturalistic evaluation based on two real-world industry use cases.

show abstract

Evolutionary Inference of Attribute-Based Access Control Policies

Cited by 44 publications

References 18 publications

Efficient and Extensible Policy Mining for Relationship-Based Access Control

Efficient and Extensible Policy Mining for Relationship-Based Access Control

Efficient Bottom-Up Mining of Attribute Based Access Control Policies

Introducing Dynamic Identity and Access Management in Organizations

Contact Info

Product

Resources

About