research-article

Public Access

Efficient and Extensible Policy Mining for Relationship-Based Access Control

Authors:

Scott D. Stoller,

Hieu LeAuthors Info & Claims

SACMAT '19: Proceedings of the 24th ACM Symposium on Access Control Models and Technologies

Pages 161 - 172

https://doi.org/10.1145/3322431.3325106

Published: 28 May 2019 Publication History

Abstract

Relationship-based access control (ReBAC) is a flexible and expressive framework that allows policies to be expressed in terms of chains of relationship between entities as well as attributes of entities. ReBAC policy mining algorithms have a potential to significantly reduce the cost of migration from legacy access control systems to ReBAC, by partially automating the development of a ReBAC policy. Existing ReBAC policy mining algorithms support a policy language with a limited set of operators; this limits their applicability.

This paper presents a ReBAC policy mining algorithm designed to be both (1) easily extensible (to support additional policy language features) and (2) scalable. The algorithm is based on Bui et al.'s evolutionary algorithm for ReBAC policy mining algorithm. First, we simplify their algorithm, in order to make it easier to extend and provide a methodology that extends it to handle new policy language features. However, extending the policy language increases the search space of candidate policies explored by the evolutionary algorithm, thus causes longer running time and/or worse results. To address the problem, we enhance the algorithm with a feature selection phase. The enhancement utilizes a neural network to identify useful features. We use the result of feature selection to reduce the evolutionary algorithm's search space. The new algorithm is easy to extend and, as shown by our experiments, is more efficient and produces better policies.

References

[1]

Manar Alohaly, Hassan Takabi, and Eduardo Blanco. 2018. A Deep LearningApproach for Extracting Attributes of ABAC Policies. In Proc. 23rd ACM on Symposium on Access Control Models and Technologies (SACMAT). ACM, 137--148.

Digital Library

[2]

Matthias Beckerle and Leonardo A. Martucci. 2013. Formal Definitions for Usable Access Control Rule Sets-From Goals to Metrics. In Proceedings of the Ninth Symposium on Usable Privacy and Security (SOUPS). ACM, Article 2, 11 pages.

Digital Library

[3]

Jasper Bogaerts, Maarten Decat, Bert Lagaisse, and Wouter Joosen. 2015. Entity-Based Access Control: supporting more expressive access control policies. In Proceedings of the 31st Annual Computer Security Applications Conference (ACSAC2015). ACM, 291--300. https://lirias.kuleuven.be/handle/123456789/521795

Digital Library

[4]

Thang Bui, Scott D. Stoller, and Jiajie Li. 2017. Mining Relationship-Based Access Control Policies. In Proc. 22nd ACM Symposium on Access Control Models and Technologies (SACMAT).

Digital Library

[5]

Thang Bui, Scott D. Stoller, and Jiajie Li. 2018. Mining Relationship-Based AccessControl Policies from Incomplete and Noisy Data. In Proceedings of the 11th International Symposium on Foundations & Practice of Security (FPS 2018) (Lecture Notes in Computer Science), Vol. 11358. Springer-Verlag.

[6]

Thang Bui, Scott D. Stoller, and Jiajie Li. 2019. Greedy and Evolutionary Algo-rithms for Mining Relationship-Based Access Control Policies. Computers & Security 80 (jan 2019), 317--333. Also available at http://arxiv.org/abs/1708.04749. An earlier version appeared as a short paper in ACM SACMAT 2017.

[7]

Carlos Cotrini, Thilo Weghorn, and David Basin. 2018. Mining ABAC Rulesfrom Sparse Logs. In Proc. 3rd IEEE European Symposium on Security and Privacy(Euro S&P). 2141--2148.

[8]

Saptarshi Das, Barsha Mitra, Vijayalakshmi Atluri, Jaideep Vaidya, and ShamikSural. 2018. Policy Engineering in RBAC and ABAC. Lecture Notes in Computer Science, Vol. 11170. Shaker Verlag, 24--54.

[9]

Maarten Decat, Jasper Bogaerts, Bert Lagaisse, and Wouter Joosen. 2014. Thee-document case study: functional analysis and access control requirements. CW Reports CW 654. Department of Computer Science, KU Leuven.

[10]

Maarten Decat, Jasper Bogaerts, Bert Lagaisse, and Wouter Joosen. 2014.Theworkforce management case study: functional analysis and access control requirements. CW Reports CW 655. Department of Computer Science, KU Leuven.

[11]

FS-SEA* Software Release and ReBAC-Policies Data Release 2019. http://www.cs.stonybrook.edu/~stoller/software/.

[12]

Wenbo Guo, Dongliang Mu, Jun Xu, Purui Su, Gang Wang, and Xinyu Xing. 2018. LEMNA: Explaining Deep Learning Based Security Applications. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security(CCS '18). ACM.

Digital Library

[13]

Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun. 2015. Delving Deepinto Rectifiers: Surpassing Human-Level Performance on Image Net Classification. In The IEEE International Conference on Computer Vision (ICCV). IEEE Computer Society, 1026--1034.

Digital Library

[14]

Padmavathi Iyer and Amirreza Masoumzadeh. 2018. Mining Positive and Negative Attribute-Based Access Control Policy Rules. In Proc. 23rd ACM on Symposiumon Access Control Models and Technologies (SACMAT). ACM, 161--172.

Digital Library

[15]

Robert I. McKay, Nguyen Xuan Hoai, Peter Alexander Whigham, Yin Shan,and Michael O'Neill. 2010. Grammar-based Genetic Programming: A Survey.Genetic Programming and Evolvable Machines11, 3 (Sep 2010), 365--396.

Digital Library

[16]

Eric Medvet, Alberto Bartoli, Barbara Carminati, and Elena Ferrari. 2015. Evo-lutionary Inference of Attribute-based Access Control Policies. In Proceedings of the 8th International Conference on Evolutionary Multi-Criterion Optimization(EMO): Part I (Lecture Notes in Computer Science), Vol. 9018. Springer, 351--365.

[17]

Barsha Mitra, Shamik Sural, Jaideep Vaidya, and Vijayalakshmi Atluri. 2016. A Survey of Role Mining. Comput. Surveys 48, 4 (2016), 50:1--50:37.

Digital Library

[18]

Decebal C. Mocanu, Faith Turkmen, and Antonio Liotta. 2015. Towards ABAC policy mining from logs with deep learning. In Proc. 18th International Information Society Multiconference (IS 2015), Intelligent Systems. Institut Jozef Stefan, Ljubljana, Slovenia.

[19]

Ian Molloy, Hong Chen, Tiancheng Li, Qihua Wang, Ninghui Li, Elisa Bertino,Seraphin B. Calo, and Jorge Lobo. 2010. Mining Roles with Multiple Objectives. ACM Trans. Inf. Syst. Secur.13, 4, Article 36 (2010), 36:1--36:35 pages.

Digital Library

[20]

Masoud Narouei, Hamed Khanpour, and Hassan Takabi. 2017. Identification of Access Control Policy Sentences from Natural Language Policy Documents. In Proc. 31st Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec) (Lecture Notes in Computer Science), Vol. 10359. Springer, 82--100.

[21]

Ramprasaath R Selvaraju, Michael Cogswell, Abhishek Das, Ramakrishna Vedantam, Devi Parikh, and Dhruv Batra. 2017. Grad-cam: Visual explanations from deep networks via gradient-based localization. In 2017 IEEE International Conference on Computer Vision (ICCV). IEEE, 618--626.

[22]

Zhongyuan Xu and Scott D. Stoller. 2014. Mining Attribute-Based Access Control Policies from Logs. In Proc. 28th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy (DBSec). Springer. Extended version available at http://arxiv.org/abs/1403.5715.

Digital Library

[23]

Zhongyuan Xu and Scott D. Stoller. 2015. Mining Attribute-based Access Control Policies. IEEE Transactions on Dependable and Secure Computing 12, 5 (Sep.-Oct.2015), 533--545.

[24]

Matthew D. Zeiler. 2012. ADADELTA: An Adaptive Learning Rate Method. CoRRabs/1212.5701 (2012). arXiv:1212.5701 http://arxiv.org/abs/1212.5701

Cited By

Farhadighalati NEstrada-Jimenez LNikghadam-Hojjati SBarata J(2025)A Systematic Review of Access Control Models: Background, Existing Research, and ChallengesIEEE Access10.1109/ACCESS.2025.353314513(17777-17806)Online publication date: 2025
https://doi.org/10.1109/ACCESS.2025.3533145
Ma XQi QZhao LNing FLi H(2023)Mining Roles Based on User Dynamic Operation LogsRecent Advances in Computer Science and Communications10.2174/266625581666623090114531016:9Online publication date: Nov-2023
https://doi.org/10.2174/2666255816666230901145310
Abu Jabal ABertino ELobo JVerma DCalo SRusso AShehab MFernandez MLi N(2023)FLAP - A Federated Learning Framework for Attribute-based Access Control PoliciesProceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy10.1145/3577923.3583641(263-272)Online publication date: 24-Apr-2023
https://dl.acm.org/doi/10.1145/3577923.3583641
Show More Cited By

Index Terms

Efficient and Extensible Policy Mining for Relationship-Based Access Control
1. Security and privacy
  1. Security services
    1. Access control

Recommendations

Mining Relationship-Based Access Control Policies
SACMAT '17 Abstracts: Proceedings of the 22nd ACM on Symposium on Access Control Models and Technologies

Relationship-based access control (ReBAC) provides a high level of expressiveness and flexibility that promotes security and information sharing. We formulate ReBAC as an object-oriented extension of attribute-based access control (ABAC) in which ...
Generalized Mining of Relationship-Based Access Control Policies in Evolving Systems
SACMAT '19: Proceedings of the 24th ACM Symposium on Access Control Models and Technologies

Relationship-based access control (ReBAC) provides a flexible approach to specify policies based on relationships between system entities, which makes them a natural fit for many modern information systems, beyond online social networks. In this paper ...
A Decision Tree Learning Approach for Mining Relationship-Based Access Control Policies
SACMAT '20: Proceedings of the 25th ACM Symposium on Access Control Models and Technologies

Relationship-based access control (ReBAC) provides a high level of expressiveness and flexibility that promotes security and information sharing, by allowing policies to be expressed in terms of chains of relationships between entities. ReBAC policy ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

SACMAT '19: Proceedings of the 24th ACM Symposium on Access Control Models and Technologies

May 2019

243 pages

ISBN:9781450367530

DOI:10.1145/3322431

General Chair:
Florian Kerschbaum
University of Waterloo, Canada
,
Program Chairs:
Atefeh Mashatan
Ryerson University, Canada
,
Jianwei Niu
University of Texas at San Antonio, USA
,
Adam J. Lee
University of Pittsburgh, USA

Copyright © 2019 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 28 May 2019

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Conference

SACMAT '19

Sponsor:

SIGSAC

SACMAT '19: The 24th ACM Symposium on Access Control Models and Technologies

June 3 - 6, 2019

Toronto ON, Canada

Acceptance Rates

SACMAT '19 Paper Acceptance Rate 12 of 52 submissions, 23%;

Overall Acceptance Rate 177 of 597 submissions, 30%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

13
Total Citations
View Citations
511
Total Downloads

Downloads (Last 12 months)129
Downloads (Last 6 weeks)11

Reflects downloads up to 03 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Farhadighalati NEstrada-Jimenez LNikghadam-Hojjati SBarata J(2025)A Systematic Review of Access Control Models: Background, Existing Research, and ChallengesIEEE Access10.1109/ACCESS.2025.353314513(17777-17806)Online publication date: 2025
https://doi.org/10.1109/ACCESS.2025.3533145
Ma XQi QZhao LNing FLi H(2023)Mining Roles Based on User Dynamic Operation LogsRecent Advances in Computer Science and Communications10.2174/266625581666623090114531016:9Online publication date: Nov-2023
https://doi.org/10.2174/2666255816666230901145310
Abu Jabal ABertino ELobo JVerma DCalo SRusso AShehab MFernandez MLi N(2023)FLAP - A Federated Learning Framework for Attribute-based Access Control PoliciesProceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy10.1145/3577923.3583641(263-272)Online publication date: 24-Apr-2023
https://dl.acm.org/doi/10.1145/3577923.3583641
Baumer TMüller MPernul G(2023)System for Cross-Domain Identity Management (SCIM): Survey and Enhancement With RBACIEEE Access10.1109/ACCESS.2023.330427011(86872-86894)Online publication date: 2023
https://doi.org/10.1109/ACCESS.2023.3304270
Iyer PMasoumzadeh ADietrich SChowdhury OTakabi D(2022)Effective Evaluation of Relationship-Based Access Control Policy MiningProceedings of the 27th ACM on Symposium on Access Control Models and Technologies10.1145/3532105.3535022(127-138)Online publication date: 7-Jun-2022
https://dl.acm.org/doi/10.1145/3532105.3535022
Iyer PMasoumzadeh A(2022)Learning Relationship-Based Access Control Policies from Black-Box SystemsACM Transactions on Privacy and Security10.1145/351712125:3(1-36)Online publication date: 19-May-2022
https://dl.acm.org/doi/10.1145/3517121
Davari MZulkernine M(2022)Mining Attribute-Based Access Control PoliciesInformation Systems Security10.1007/978-3-031-23690-7_11(186-201)Online publication date: 11-Dec-2022
https://doi.org/10.1007/978-3-031-23690-7_11
Chakraborty SSandhu RJoshi ACarminati BVerma R(2021)Formal Analysis of ReBAC Policy Mining FeasibilityProceedings of the Eleventh ACM Conference on Data and Application Security and Privacy10.1145/3422337.3447828(197-207)Online publication date: 26-Apr-2021
https://dl.acm.org/doi/10.1145/3422337.3447828
Bichhawat AFredrikson MYang J(2021)Automating Audit with Policy Inference2021 IEEE 34th Computer Security Foundations Symposium (CSF)10.1109/CSF51468.2021.00001(1-16)Online publication date: Jun-2021
https://doi.org/10.1109/CSF51468.2021.00001
Bui TStoller SLobo JStoller SLiu P(2020)A Decision Tree Learning Approach for Mining Relationship-Based Access Control PoliciesProceedings of the 25th ACM Symposium on Access Control Models and Technologies10.1145/3381991.3395619(167-178)Online publication date: 10-Jun-2020
https://dl.acm.org/doi/10.1145/3381991.3395619
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Figures

Tables

Media

View Table of Conten