Abstract
Attribute-Based Access Control (ABAC) and Relationship-Based Access Control (ReBAC) provide a high level of expressiveness and flexibility that promote security and information sharing, by allowing policies to be expressed in terms of attributes of, and chains of relationships between, entities. Algorithms for learning ABAC and ReBAC policies from legacy access control information have the potential to significantly reduce the cost of migration to ABAC or ReBAC.
This paper presents the first algorithms for mining ABAC and ReBAC policies from access control lists (ACLs) and incomplete information about entities, where the values of some attributes of some entities are unknown. We show that the core of this problem can be viewed as learning a concise three-valued logic formula from a set of labeled feature vectors containing unknowns, and we give the first algorithm (to the best of our knowledge) for that problem.
This material is based on work supported in part by NSF grant CCF-1954837 and ONR grant N00014-20-1-2751.
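As an added illustration (not code from the paper), the sketch below evaluates a small attribute-based rule under Kleene's strong three-valued logic when some attribute values are unknown, and compares the result with an ACL. The choice of Kleene's semantics, the rule encoding, and all entity names and attributes are assumptions constructed for this example; it shows evaluation only, not the paper's learning algorithm.

```python
UNKNOWN = None  # third truth value: the attribute value is not known

def k_and(values):
    """Kleene conjunction: False dominates, then UNKNOWN, else True."""
    vals = list(values)
    if any(v is False for v in vals):
        return False
    return UNKNOWN if any(v is UNKNOWN for v in vals) else True

def k_or(values):
    """Kleene disjunction: True dominates, then UNKNOWN, else False."""
    vals = list(values)
    if any(v is True for v in vals):
        return True
    return UNKNOWN if any(v is UNKNOWN for v in vals) else False

def eval_cond(cond, user, res):
    """Evaluate one condition; a missing attribute value yields UNKNOWN."""
    if cond[0] == "eq":            # user.attr == resource.attr
        a, b = user.get(cond[1]), res.get(cond[2])
        return UNKNOWN if a is None or b is None else a == b
    if cond[0] == "user_in":       # user.attr is in a constant set
        a = user.get(cond[1])
        return UNKNOWN if a is None else a in cond[2]
    raise ValueError(f"unsupported condition kind: {cond[0]}")

def eval_policy(policy, user, res):
    """Policy = disjunction of rules; rule = conjunction of conditions."""
    return k_or(k_and(eval_cond(c, user, res) for c in rule) for rule in policy)

def check_against_acl(policy, users, resources, acl):
    """Sort every (user, resource) pair by how the policy relates to the ACL."""
    out = {"agree": [], "disagree": [], "undetermined": []}
    for u, user in users.items():
        for r, res in resources.items():
            decision = eval_policy(policy, user, res)
            if decision is UNKNOWN:
                out["undetermined"].append((u, r))
            else:
                key = "agree" if decision == ((u, r) in acl) else "disagree"
                out[key].append((u, r))
    return out

# Constructed sample data; None marks an unknown attribute value.
USERS = {"alice": {"dept": "cs", "role": "faculty"},
         "bob": {"dept": None, "role": "student"},
         "carol": {"dept": "ee", "role": None}}
RESOURCES = {"grades": {"dept": "cs"}, "roster": {"dept": "ee"}}
POLICY = [[("eq", "dept", "dept"), ("user_in", "role", {"faculty"})]]
ACL = {("alice", "grades")}
RESULT = check_against_acl(POLICY, USERS, RESOURCES, ACL)
```

An unknown value does not always make the decision unknown: bob's department is unknown, but his known role already falsifies the rule, so only the pair (carol, roster) is left undetermined.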
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Bui, T., Stoller, S.D. (2020). Learning Attribute-Based and Relationship-Based Access Control Policies with Unknown Values. In: Kanhere, S., Patil, V.T., Sural, S., Gaur, M.S. (eds) Information Systems Security. ICISS 2020. Lecture Notes in Computer Science, vol 12553. Springer, Cham. https://doi.org/10.1007/978-3-030-65610-2_2
DOI: https://doi.org/10.1007/978-3-030-65610-2_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-65609-6
Online ISBN: 978-3-030-65610-2
eBook Packages: Computer Science, Computer Science (R0)