Towards Attribute-Based Access Control Policy Engineering Using Risk

Krautsevich, Leanid; Lazouski, Aliaksandr; Martinelli, Fabio; Yautsiukhin, Artsiom

doi:10.1007/978-3-319-07076-6_6

Cited by 10 publications

(5 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A constrained policy mining technique has been proposed in [9]. In [18], the authors have proposed a policy engineering approach that considers the risk associated with the improper use and possible abuse of a permitted access to a user. Lawal and Krishnan have proposed an approach for policy administration in ABAC via policy review [19].…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

PAMMELA: Policy Administration Methodology using Machine Learning

Gumma¹,

Mitra²,

Dey³

et al. 2021

Preprint

View full text Add to dashboard Cite

In recent years, Attribute-Based Access Control (ABAC) has become quite popular and effective for enforcing access control in dynamic and collaborative environments. Implementation of ABAC requires the creation of a set of attribute-based rules which cumulatively form a policy. Designing an ABAC policy ab initio demands a substantial amount of effort from the system administrator. Moreover, organizational changes may necessitate the inclusion of new rules in an already deployed policy. In such a case, re-mining the entire ABAC policy will require a considerable amount of time and administrative effort. Instead, it is better to incrementally augment the policy. Keeping these aspects of reducing administrative overhead in mind, in this paper, we propose PAMMELA, a Policy Administration Methodology using Machine Learning to help system administrators in creating new ABAC policies as well as augmenting existing ones. PAMMELA can generate a new policy for an organization by learning the rules of a policy currently enforced in a similar organization. For policy augmentation, PAMMELA can infer new rules based on the knowledge gathered from the existing rules. Experimental results show that our proposed approach provides a reasonably good performance in terms of the various machine learning evaluation metrics as well as execution time.

show abstract

Section: Related Workmentioning

confidence: 99%

“…The process of creating a policy for implementing ABAC is known as policy engineering. Policy engineering can be carried out in two ways -top-down [22] and bottom-up [9], [18], [20], [30]. Bottom-up policy engineering is also termed as policy mining.…”

Section: Introductionmentioning

confidence: 99%

PAMMELA: Policy Administration Methodology using Machine Learning

Gumma¹,

Mitra²,

Dey³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Xu and Stoller [19] propose a framework for mining parameterized role-based policies that supports a basic version of ABAC where roles are considered as subject attributes. Krautsevich et al [10] construct an ABAC policy by defining values of attributes while deciding an access.…”

Section: Related Workmentioning

confidence: 99%

HyPE: A Hybrid Approach toward Policy Engineering in Attribute-Based Access Control

Das

Sural

Vaidya

et al. 2018

IEEE Lett. of the Comput. Soc.

View full text Add to dashboard Cite

Successful deployment of attribute-based access control requires the process of policy engineering which involves constructing a set of appropriate rules, known as a policy. Policy engineering is performed either by a top-down approach that may ignore some of the existing accesses in the organization or a bottom-up approach that may form rules which are not relevant to the organizational processes. In this work, we propose a hybrid approach toward policy engineering that addresses the limitations of the top-down and the bottom-up approaches while preserving their individual advantages.

show abstract

“…Despite the benefits and the existing ABAC solutions in the market, ABAC requires meticulous planning, and establishing attribute-based rules from scratch is only workable in small scenarios, since it is imperative to analyze all the valid and invalid value combinations in the system [6]. Therefore, policy mining has been identified as the key for achieving widespread adoption of the attribute-based approach [7].…”

Section: Introductionmentioning

confidence: 99%

ABAC Policy Mining through Affiliation Networks and Biclique Analysis

Perez-Haro,

Diaz-Perez

2024

Information

View full text Add to dashboard Cite

Policy mining is an automated procedure for generating access rules by means of mining patterns from single permissions, which are typically registered in access logs. Attribute-based access control (ABAC) is a model which allows security administrators to create a set of rules, known as the access control policy, to restrict access in information systems by means of logical expressions defined through the attribute–values of three types of entities: users, resources, and environmental conditions. The application of policy mining in large-scale systems oriented towards ABAC is a must because it is not workable to create rules by hand when the system requires the management of thousands of users and resources. In the literature on ABAC policy mining, current solutions follow a frequency-based strategy to extract rules; the problem with that approach is that selecting a high-frequency support leaves many resources without rules (especially those with few requesters), and a low support leads to the rule explosion of unreliable rules. Another challenge is the difficulty of collecting a set of test examples for correctness evaluation, since the classes of user–resource pairs available in logs are imbalanced. Moreover, alternative evaluation criteria for correctness, such as peculiarity and diversity, have not been explored for ABAC policy mining. To address these challenges, we propose the modeling of access logs as affiliation networks for applying network and biclique analysis techniques (1) to extract ABAC rules supported by graph patterns without a frequency threshold, (2) to generate synthetic examples for correctness evaluation, and (3) to create alternative evaluation measures to correctness. We discovered that the rules extracted through our strategy can cover more resources than the frequency-based strategy and perform this without rule explosion; moreover, our synthetics are useful for increasing the certainty level of correctness results. Finally, our alternative measures offer a wider evaluation profile for policy mining.

show abstract

Towards Attribute-Based Access Control Policy Engineering Using Risk

Cited by 10 publications

References 13 publications

PAMMELA: Policy Administration Methodology using Machine Learning

PAMMELA: Policy Administration Methodology using Machine Learning

HyPE: A Hybrid Approach toward Policy Engineering in Attribute-Based Access Control

ABAC Policy Mining through Affiliation Networks and Biclique Analysis

Contact Info

Product

Resources

About