On the Quality of Classification Models for Inferring ABAC Policies from Access Logs

Cappelletti, Luca; Valtolina, Stefano; Valentini, Giorgio; Bertino, Elisa

doi:10.1109/bigdata47090.2019.9005959

Cited by 17 publications

(30 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…• We develop a candidate DLBAC model, DLBAC α , which outperforms classical policy mining and machine learning techniques in many aspects, including capturing the existing access control state of the system accurately and generalizing well to situations that were not seen during training time. • As DLBAC is a neural network, we address previously highlighted concerns on the explainability of the black-box nature of neural network-based systems for access control [12]. We apply deep learning interpretation methods to confirm that decision-making in DLBAC can indeed be understood to a large degree (albeit not with 100% accuracy).…”

Section: Introductionmentioning

confidence: 94%

“…Sanders et al [59] presented an approach to mine ABAC policies while satisfying the least privilege principle in a large-scale organization. Symbolic and non-symbolic ML algorithms to infer ABAC policies from access logs have been proposed by Cappelletti et al [12]. Liu et al [45] proposed a permission decision engine scheme for ABAC based on Random Forest [5].…”

Section: Related Workmentioning

confidence: 99%

“…Amazon published two datasets that contain access control information which is widely used in access control research [12,17,39]. We name these datasets as 𝑎𝑚𝑎𝑧𝑜𝑛-𝑘𝑎𝑔𝑔𝑙𝑒 and 𝑎𝑚𝑎𝑧𝑜𝑛-𝑢𝑐𝑖, and list them in the Table 1 (1-2).…”

Section: Real-world Datasetmentioning

confidence: 99%

“…The dataset is widely used in access control researches, and in most of the cases, the experiments are confined to only 5 to 8 most requested permissions [12,17,39]. Likewise, we took the seven most requested permissions, and for each permission, we list users who have access to the selected permissions.…”

Section: Real-world Datasetmentioning

confidence: 99%

See 3 more Smart Citations

Toward Deep Learning Based Access Control

Nobi,

Krishnan,

Huang

et al. 2022

Preprint

View full text Add to dashboard Cite

A common trait of current access control approaches is the challenging need to engineer abstract and intuitive access control models. This entails designing access control information in the form of roles (RBAC), attributes (ABAC), or relationships (ReBAC) as the case may be, and subsequently, designing access control rules. This framework has its benefits but has significant limitations in the context of modern systems that are dynamic, complex, and large-scale, due to which it is difficult to maintain an accurate access control state in the system for a human administrator. This paper proposes Deep Learning Based Access Control (DLBAC) by leveraging significant advances in deep learning technology as a potential solution to this problem. We envision that DLBAC could complement and, in the long-term, has the potential to even replace, classical access control models with a neural network that reduces the burden of access control model engineering and updates. Without loss of generality, we conduct a thorough investigation of a candidate DLBAC model, called DLBAC α , using both real-world and synthetic datasets. We demonstrate the feasibility of the proposed approach by addressing issues related to accuracy, generalization, and explainability. We also discuss challenges and future research directions. CCS CONCEPTS• Security and privacy → Access control; • Computing methodologies → Machine learning.

show abstract

Section: Introductionmentioning

confidence: 94%

Section: Related Workmentioning

confidence: 99%

Section: Real-world Datasetmentioning

confidence: 99%

Section: Real-world Datasetmentioning

confidence: 99%

See 2 more Smart Citations

Toward Deep Learning Based Access Control

Nobi,

Krishnan,

Huang

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Approaches have been proposed specifically for anomaly detection systems for network intrusion detection [33]. An initial evaluation of their use and comparison with decision trees for access control have been recently carried out [9]. However a major issue when using deep neural networks, as other machine learning algorithms, for security purposes is the scarcity of training data, especially when dealing with novel attacks.…”

Section: Different Contexts Same Monitorsmentioning

confidence: 99%

On Security Policy Migrations

Lobo

Bertino

Russo

2020

Proceedings of the 25th ACM Symposium on Access Control Models and Technologies

Self Cite

View full text Add to dashboard Cite

There has been over the past decade a rapid change towards computational environments that are comprised of large and diverse sets of devices, many of them mobile, which can connect in flexible and context-dependent ways. Examples range from networks where we can have communications between powerful cloud centers, to the myriad of simple sensor devices on the IoT. As the management of these dynamic environments becomes ever more complex, we want to propose policy migrations as a methodology to simplify the management of security policies by re-utilizing and redeploying existing policies as the systems change. We are interested in understanding the challenges raised answering the following question: given a security policy that is being enforced in a particular source computational device, what does it entail to migrate this policy to be enforced in a different target device? Because of the differences between devices and because these devices cannot be seen in isolation but in the context where they are deployed, the meaning of the policy enforced in the source device needs to be re-interpreted and implemented in the context of the target device. The aim of the paper is to present a formal framework to evaluate the appropriateness of the migration.

show abstract

Polisma - A Framework for Learning Attribute-Based Access Control Policies

Jabal

Bertino

Lobo

et al. 2020

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Technology advances in areas such as sensors, IoT, and robotics, enable new collaborative applications (e.g., autonomous devices). A primary requirement for such collaborations is to have a secure system which enables information sharing and information flow protection. Policy-based management system is a key mechanism for secure selective sharing of protected resources. However, policies in each party of such a collaborative environment cannot be static as they have to adapt to different contexts and situations. One advantage of collaborative applications is that each party in the collaboration can take advantage of knowledge of the other parties for learning or enhancing its own policies. We refer to this learning mechanism as policy transfer. The design of a policy transfer framework has challenges, including policy conflicts and privacy issues. Policy conflicts typically arise because of differences in the obligations of the parties, whereas privacy issues result because of data sharing constraints for sensitive data. Hence, the policy transfer framework should be able to tackle such challenges by considering minimal sharing of data and support policy adaptation to address conflict.In the paper we propose a framework that aims at addressing such challenges. We introduce a formal definition of the policy transfer problem for attribute-based policies. We then introduce the transfer methodology that consists of three sequential steps. Finally we report experimental results.

show abstract

On the Quality of Classification Models for Inferring ABAC Policies from Access Logs

Cited by 17 publications

References 13 publications

Toward Deep Learning Based Access Control

Toward Deep Learning Based Access Control

On Security Policy Migrations

Polisma - A Framework for Learning Attribute-Based Access Control Policies

Contact Info

Product

Resources

About