Cited By
View all- Shang SWang XLiu A(2024)ABAC policy mining method based on hierarchical clustering and relationship extractionComputers and Security10.1016/j.cose.2024.103717139:COnline publication date: 16-May-2024
Learning Relationship-Based Access Control Policies from Black-Box Systems
Article No.: 22, Pages 1 - 36
Abstract
Access control policies are crucial in securing data in information systems. Unfortunately, often times, such policies are poorly documented, and gaps between their specification and implementation prevent the system users, and even its developers, from understanding the overall enforced policy of a system. To tackle this problem, we propose the first of its kind systematic approach for learning the enforced authorizations from a target system by interacting with and observing it as a black box. The black-box view of the target system provides the advantage of learning its overall access control policy without dealing with its internal design complexities. Furthermore, compared to the previous literature on policy mining and policy inference, we avoid exhaustive exploration of the authorization space by minimizing our observations. We focus on learning relationship-based access control (ReBAC) policy, and show how we can construct a deterministic finite automaton (DFA) to formally characterize such an enforced policy. We theoretically analyze our proposed learning approach by studying its termination, correctness, and complexity. Furthermore, we conduct extensive experimental analysis based on realistic application scenarios to establish its cost, quality of learning, and scalability in practice.
References
[1]
2004. Elgg Social Networking Engine. Retrieved August 1, 2021 https://elgg.org/.
[2]
2016. UI.Vision RPA. Retrieved August 1, 2021 https://ui.vision/rpa.
[3]
Fides Aarts, Joeri De Ruiter, and Erik Poll. 2013. Formal models of bank cards for free. In Proceedings of the 2013 IEEE 6th International Conference on Software Testing, Verification and Validation Workshops. IEEE, 461–468.
[4]
Fides Aarts, Bengt Jonsson, Johan Uijen, and Frits Vaandrager. 2015. Generating models of infinite-state communication protocols using regular inference with abstraction. Formal Methods in System Design 46, 1 (2015), 1–41.
[5]
Manar Alohaly, Hassan Takabi, and Eduardo Blanco. 2018. A deep learning approach for extracting attributes of ABAC policies. In Proceedings of the 23rd ACM on Symposium on Access Control Models and Technologies. 137–148.
[6]
Dana Angluin. 1987. Learning regular sets from queries and counterexamples. Information and Computation 75, 2 (1987), 87–106.
[7]
George Argyros, Ioannis Stais, Suman Jana, Angelos D. Keromytis, and Aggelos Kiayias. 2016. Sfadiff: Automated evasion attacks and fingerprinting using black-box differential automata learning. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 1690–1701.
[8]
George Argyros, Ioannis Stais, Aggelos Kiayias, and Angelos D. Keromytis. 2016. Back in black: Towards formal, black box analysis of sanitizers and filters. In Proceedings of the 2016 IEEE Symposium on Security and Privacy. IEEE, 91–109.
[9]
Gunjan Batra, Vijayalakshmi Atluri, Jaideep Vaidya, and Shamik Sural. 2021. Incremental maintenance of ABAC policies. In Proceedings of the 11th ACM Conference on Data and Application Security and Privacy. 185–196.
[10]
Thang Bui and Scott D. Stoller. 2020. A decision tree learning approach for mining relationship-based access control policies. In Proceedings of the 25th ACM Symposium on Access Control Models and Technologies. 167–178.
[11]
Thang Bui and Scott D. Stoller. 2020. Learning attribute-based and relationship-based access control policies with unknown values. In Proceedings of the International Conference on Information Systems Security. Springer, 23–44.
[12]
Thang Bui, Scott D. Stoller, and Hieu Le. 2019. Efficient and extensible policy mining for relationship-based access control. In Proceedings of the 24th ACM Symposium on Access Control Models and Technologies. 161–172.
[13]
Thang Bui, Scott D. Stoller, and Jiajie Li. 2017. Mining relationship-based access control policies. In Proceedings of the 22nd ACM on Symposium on Access Control Models and Technologies. ACM, 239–246.
[14]
Thang Bui, Scott D. Stoller, and Jiajie Li. 2018. Mining relationship-based access control policies from incomplete and noisy data. In Proceedings of the International Symposium on Foundations and Practice of Security. Springer, 267–284.
[15]
Thang Bui, Scott D. Stoller, and Jiajie Li. 2019. Greedy and evolutionary algorithms for mining relationship-based access control policies. Computers & Security 80 (2019), 317–333.
[16]
Shuvra Chakraborty and Ravi Sandhu. 2021. Formal analysis of rebac policy mining feasibility. In Proceedings of the 11th ACM Conference on Data and Application Security and Privacy. 197–207.
[17]
Georg Chalupar, Stefan Peherstorfer, Erik Poll, and Joeri De Ruiter. 2014. Automated reverse engineering using lego®. In Proceedings of the 8th USENIX Workshop on Offensive Technologies (WOOT 14).
[18]
Alessandro Colantonio, Roberto Di Pietro, and Alberto Ocello. 2008. A Cost-Driven Approach to Role Engineering. In Proceedings of the 2008 ACM Symposium on Applied Computing (SAC’08). 2129–2136.
[19]
Carlos Cotrini, Luca Corinzia, Thilo Weghorn, and David Basin. 2019. The next 700 policy miners: A universal method for building policy miners. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security.95–112.
[20]
Carlos Cotrini, Thilo Weghorn, and David Basin. 2018. Mining ABAC rules from sparse logs. In Proceedings of the 2018 IEEE European Symposium on Security and Privacy. IEEE, 31–46.
[21]
Jason Crampton and James Sellwood. 2014. Path conditions and principal matching: A new approach to access control. In Proceedings of the 19th ACM Symposium on Access Control Models and Technologies. ACM, 187–198.
[22]
Joeri De Ruiter and Erik Poll. 2015. Protocol state fuzzing of TLS implementations. In Proceedings of the USENIX Security 15. 193–206.
[23]
Paul Fiterău-Broştean, Ramon Janssen, and Frits Vaandrager. 2016. Combining model learning and model checking to analyze TCP implementations. In Proceedings of the International Conference on Computer Aided Verification. Springer, 454–471.
[24]
Philip W. L. Fong. 2011. Relationship-based access control: Protection model and policy language. In Proceedings of the 1st ACM Conference on Data and Application Security and Privacy. ACM, 191–202.
[25]
Mayank Gautam, Sadhana Jha, Shamik Sural, Jaideep Vaidya, and Vijayalakshmi Atluri. 2017. Poster: Constrained policy mining in attribute based access control. In Proceedings of the 22nd ACM on Symposium on Access Control Models and Technologies. ACM, 121–123.
[26]
David Harel and Hillel Kugler. 2002. Synthesizing state-based object systems from LSC specifications. International Journal of Foundations of Computer Science 13, 01 (2002), 5–51.
[27]
Padmavathi Iyer and Amirreza Masoumzadeh. 2018. Mining positive and negative attribute-based access control policy rules. In Proceedings of the 23nd ACM on Symposium on Access Control Models and Technologies. ACM, 161–172.
[28]
Padmavathi Iyer and Amirreza Masoumzadeh. 2019. Generalized mining of relationship-based access control policies in evolving systems. In Proceedings of the 24th ACM on Symposium on Access Control Models and Technologies. ACM, 135–140.
[29]
Padmavathi Iyer and Amirreza Masoumzadeh. 2020. Active learning of relationship-based access control policies. In Proceedings of the 25th ACM Symposium on Access Control Models and Technologies. 155–166.
[30]
Leila Karimi and James Joshi. 2018. An unsupervised learning based approach for mining attribute based access control policies. In Proceedings of the 2018 IEEE International Conference on Big Data (Big Data). IEEE, 1427–1436.
[31]
Ha Thanh Le, Cu Duy Nguyen, Lionel Briand, and Benjamin Hourte. 2015. Automated inference of access control policies for web applications. In Proceedings of the 20th ACM on Symposium on Access Control Models and Technologies. ACM, 27–37.
[32]
Jure Leskovec and Andrej Krevl. 2014. SNAP Datasets: Stanford Large Network Dataset Collection. Retrieved from http://snap.stanford.edu/data.
[33]
H. Lu, J. Vaidya, and V. Atluri. 2008. Optimal Boolean Matrix Decomposition: Application to Role Engineering. In Proceedings of the 2008 IEEE 24th International Conference on Data Engineering. 297–306.
[34]
Tiziana Margaria, Oliver Niese, Harald Raffelt, and Bernhard Steffen. 2004. Efficient test-based model generation for legacy reactive systems. In Proceedings of the 9th IEEE International High-Level Design Validation and Test Workshop. IEEE, 95–100.
[35]
Amirreza Masoumzadeh. 2015. Inferring unknown privacy control policies in a social networking system. In Proceedings of the 14th ACM Workshop on Privacy in the Electronic Society. ACM, 21–25.
[36]
Eric Medvet, Alberto Bartoli, Barbara Carminati, and Elena Ferrari. 2015. Evolutionary inference of attribute-based access control policies. In Proceedings of the International Conference on Evolutionary Multi-Criterion Optimization. Springer, 351–365.
[37]
Barsha Mitra, Shamik Sural, Jaideep Vaidya, and Vijayalakshmi Atluri. 2016. A survey of role mining. ACM Computing Surveys (CSUR) 48, 4 (2016), 1–37.
[38]
Ian Molloy, Ninghui Li, Yuan Alan Qi, Jorge Lobo, and Luke Dickens. 2010. Mining roles with noisy data. In Proceedings of the 15th ACM Symposium on Access Control Models and Technologies. ACM, 45–54.
[39]
Masoud Narouei, Hamed Khanpour, and Hassan Takabi. 2017. Identification of access control policy sentences from natural language policy documents. In Proceedings of the IFIP Annual Conference on Data and Applications Security and Privacy. Springer, 82–100.
[40]
Syed Zain R. Rizvi, Philip W. L. Fong, Jason Crampton, and James Sellwood. 2015. Relationship-based access control for an open-source medical records system. In Proceedings of the 20th ACM on Symposium on Access Control Models and Technologies. ACM, 113–124.
[41]
Mathijs Schuts, Jozef Hooman, and Frits Vaandrager. 2016. Refactoring of legacy software using model learning and equivalence checking: An industrial experience report. In Proceedings of the International Conference on Integrated Formal Methods. Springer, 311–325.
[42]
Annie W. Sokol. 2010. A Report on the Privilege (Access) Management Workshop. NIST Interagency/Internal Report (NISTIR).
[43]
Frits Vaandrager. 2017. Model learning. Communications of the ACM 60, 2 (Jan. 2017), 86–95.
[44]
Jaideep Vaidya, Vijayalakshmi Atluri, and Qi Guo. 2010. The role mining problem: A formal perspective. ACM Transactions on Information and System Security (TISSEC) 13, 3 (2010), 1–31.
[45]
Jaideep Vaidya, Vijayalakshmi Atluri, Qi Guo, and Haibing Lu. 2009. Edge-RMP: Minimizing administrative assignments for role-based access control. Journal of Computer Security 17, 2 (2009), 211–235.
[46]
Jon Whittle and Johann Schumann. 2000. Generating statechart designs from scenarios. In Proceedings of the 22nd International Conference on Software Engineering. 314–323.
[47]
Zhongyuan Xu and Scott D. Stoller. 2014. Mining attribute-based access control policies. IEEE Transactions on Dependable and Secure Computing 12, 5 (2014), 533–545.
[48]
Zhongyuan Xu and Scott D. Stoller. 2014. Mining attribute-based access control policies from logs. In Proceedings of the IFIP Annual Conference on Data and Applications Security and Privacy. Springer, 276–291.
Index Terms
- Learning Relationship-Based Access Control Policies from Black-Box Systems
Recommendations
Active Learning of Relationship-Based Access Control Policies
SACMAT '20: Proceedings of the 25th ACM Symposium on Access Control Models and TechnologiesUnderstanding access control policies is essential in understanding the security behavior of systems. However, often times, a complete and accurate specification of the enforced access control policy in a system is not available. In fact, scale and ...
Mining Relationship-Based Access Control Policies
SACMAT '17 Abstracts: Proceedings of the 22nd ACM on Symposium on Access Control Models and TechnologiesRelationship-based access control (ReBAC) provides a high level of expressiveness and flexibility that promotes security and information sharing. We formulate ReBAC as an object-oriented extension of attribute-based access control (ABAC) in which ...
A Datalog Framework for Modeling Relationship-based Access Control Policies
SACMAT '17 Abstracts: Proceedings of the 22nd ACM on Symposium on Access Control Models and TechnologiesRelationships like friendship to limit access to resources have been part of social network applications since their beginnings. Describing access control policies in terms of relationships is not particular to social networks and it arises naturally in ...
Comments
Please enable JavaScript to view thecomments powered by Disqus.Information & Contributors
Information
Published In
August 2022
288 pages
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 19 May 2022
Accepted: 01 February 2022
Revised: 01 January 2022
Received: 01 August 2021
Published in TOPS Volume 25, Issue 3
Check for updates
Author Tags
Qualifiers
- Research-article
- Refereed
Funding Sources
- National Science Foundation
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- View Citations1Total Citations
- 329Total Downloads
- Downloads (Last 12 months)94
- Downloads (Last 6 weeks)24
Reflects downloads up to 19 Nov 2024
Other Metrics
Citations
Cited By
View all- Shang SWang XLiu A(2024)ABAC policy mining method based on hierarchical clustering and relationship extractionComputers and Security10.1016/j.cose.2024.103717139:COnline publication date: 16-May-2024
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign inFull Access
View options
View or Download as a PDF file.
PDFeReader
View online with eReader.
eReaderFull Text
View this article in Full Text.
Full TextHTML Format
View this article in HTML Format.
HTML Format