Learning Attribute-Based and Relationship-Based Access Control Policies with Unknown Values

  • Conference paper
Information Systems Security (ICISS 2020)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 12553)

Abstract

Attribute-Based Access Control (ABAC) and Relationship-Based Access Control (ReBAC) provide a high level of expressiveness and flexibility that promote security and information sharing, by allowing policies to be expressed in terms of attributes of entities and chains of relationships between entities. Algorithms for learning ABAC and ReBAC policies from legacy access control information have the potential to significantly reduce the cost of migration to ABAC or ReBAC.

This paper presents the first algorithms for mining ABAC and ReBAC policies from access control lists (ACLs) and incomplete information about entities, where the values of some attributes of some entities are unknown. We show that the core of this problem can be viewed as learning a concise three-valued logic formula from a set of labeled feature vectors containing unknowns, and we give the first algorithm (to the best of our knowledge) for that problem.
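To make the formulation above concrete, here is an added illustration (not code from the paper or its authors): a candidate policy in disjunctive normal form is evaluated over feature vectors containing unknowns and checked against ACL-derived labels. It assumes Kleene's strong three-valued logic and that access is granted only when the formula evaluates to true; the feature names, vectors and candidate formulas are constructed.

```python
U = None  # third truth value: unknown (assumed encoding)

def k_not(a):
    return U if a is U else (not a)

def k_and(vals):
    vals = list(vals)
    if any(v is False for v in vals):
        return False  # one false conjunct decides, whatever is unknown
    return U if any(v is U for v in vals) else True

def k_or(vals):
    vals = list(vals)
    if any(v is True for v in vals):
        return True   # one true disjunct decides, whatever is unknown
    return U if any(v is U for v in vals) else False

def evaluate(dnf, vec):
    """dnf: list of conjunctions, each a list of (feature, wanted) literals."""
    def lit(feature, wanted):
        v = vec.get(feature, U)  # a missing feature is treated as unknown
        return v if wanted else k_not(v)
    return k_or(k_and(lit(f, w) for f, w in conj) for conj in dnf)

def mismatches(dnf, labeled):
    """Indexes of vectors whose ACL label disagrees with 'formula is true'."""
    return [i for i, (vec, permit) in enumerate(labeled)
            if (evaluate(dnf, vec) is True) != permit]

# Constructed sample: (feature vector, permitted according to the ACL)
SAMPLE = [
    ({"same_dept": True,  "is_manager": True,  "is_confidential": U},     True),
    ({"same_dept": True,  "is_manager": False, "is_confidential": U},     False),
    ({"same_dept": U,     "is_manager": True,  "is_confidential": False}, False),
    ({"same_dept": False, "is_manager": U,     "is_confidential": U},     False),
    ({"same_dept": True,  "is_manager": U,     "is_confidential": False}, True),
]
# (same_dept AND is_manager) OR (same_dept AND NOT is_confidential)
POLICY = [[("same_dept", True), ("is_manager", True)],
          [("same_dept", True), ("is_confidential", False)]]
TOO_BROAD = [[("is_manager", True)]]  # candidate that ignores same_dept

if __name__ == "__main__":
    print("POLICY mismatches:", mismatches(POLICY, SAMPLE))
    print("TOO_BROAD mismatches:", mismatches(TOO_BROAD, SAMPLE))
```

Vector 1 evaluates to unknown under `POLICY` and is therefore not granted, which matches its label; `TOO_BROAD` both over-grants (vector 2) and fails to cover a permitted request whose manager flag is unknown (vector 4).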

This material is based on work supported in part by NSF grant CCF-1954837 and ONR grant N00014-20-1-2751.




Corresponding author

Correspondence to Scott D. Stoller.


Copyright information

© 2020 Springer Nature Switzerland AG

About this paper


Cite this paper

Bui, T., Stoller, S.D. (2020). Learning Attribute-Based and Relationship-Based Access Control Policies with Unknown Values. In: Kanhere, S., Patil, V.T., Sural, S., Gaur, M.S. (eds) Information Systems Security. ICISS 2020. Lecture Notes in Computer Science, vol 12553. Springer, Cham. https://doi.org/10.1007/978-3-030-65610-2_2


  • DOI: https://doi.org/10.1007/978-3-030-65610-2_2


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-65609-6

  • Online ISBN: 978-3-030-65610-2

  • eBook Packages: Computer Science, Computer Science (R0)
