Evolutionary Inference of Attribute-Based Access Control Policies

  • Eric Medvet
  • Alberto Bartoli
  • Barbara Carminati
  • Elena Ferrari
Conference paper
First Online:
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9018)

Abstract

The interest in attribute-based access control policies is increasingly growing due to their ability to accommodate the complex security requirements of modern computer systems. With this novel paradigm, access control policies consist of attribute expressions which implicitly describe the properties of subjects and protection objects and which must be satisfied for a request to be allowed. Since specifying a policy in this framework may be very complex, approaches for policy mining, i.e., for inferring a specification automatically from examples in the form of logs of authorized and denied requests, have been recently proposed.

In this work, we propose a multi-objective evolutionary approach for solving the policy mining task. We designed and implemented a problem representation suitable for evolutionary computation, along with several search-optimizing features which have proven to be highly useful in this context: a strategy for learning a policy by learning single rules, each one focused on a subset of requests; a custom initialization of the population; a scheme for diversity promotion and for early termination. We show that our approach deals successfully with case studies of realistic complexity.

Keywords

Access Control Policy Language Security Policy Access Control Policy Access Control Model 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
This is a preview of subscription content, log in to check access.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Ferrari, E.: Access Control in Data Management Systems. Synthesis Lectures on Data Management. Morgan & Claypool Publishers (2010)Google Scholar
  2. 2.
    Hu, V.C., Ferraiolo, D., Kuhn, R., Schnitzer, A., Sandlin, K., Miller, R., Scarfo, K.: Guide to Attribute Based Access Control (ABAC) Definition and Considerations. NIST Special Publication (SP) 800-162, Guide, October 2014Google Scholar
  3. 3.
    Brucker, A.D., Petritsch, H.: Extending access control models with break-glass. In: Proceedings of the 14th ACM Symposium on Access Control Models and Technologies, pp. 197–206. ACM (2009)Google Scholar
  4. 4.
    Carminati, B., Ferrari, E., Guglielmi, M.: A System for Timely and Controlled Information Sharing in Emergency Situations. IEEE Transactions on Dependable and Secure Computing 10(3), 129–142 (2013)CrossRefGoogle Scholar
  5. 5.
    Xu, Z., Stoller, S.D.: Mining attribute-based access control policies. arXiv preprint arXiv:1306.2401 (2013)
  6. 6.
    Xu, Z., Stoller, S.D.: Mining attribute-based access control policies from RBAC policies. In: 2013 10th International Conference and Expo on Emerging Technologies for a Smarter World (CEWIT), pp. 1–6. IEEE (2013)Google Scholar
  7. 7.
    Gal-Oz, N., Gonen, Y., Yahalom, R., Gudes, E., Rozenberg, B., Shmueli, E.: Mining roles from web application usage patterns. In: Furnell, S., Lambrinoudakis, C., Pernul, G. (eds.) TrustBus 2011. LNCS, vol. 6863, pp. 125–137. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  8. 8.
    Molloy, I., Chen, H., Li, T., Wang, Q., Li, N., Bertino, E., Calo, S., Lobo, J.: Mining roles with multiple objectives. ACM Trans. Inf. Syst. Secur. 13(4), 36:1–36:35 (2010)CrossRefGoogle Scholar
  9. 9.
    Ni, Q., Lobo, J., Calo, S., Rohatgi, P., Bertino, E.: Automating role-based provisioning by learning from examples. In: Proceedings of the 14th ACM Symposium on Access Control Models and Technologies, pp. 75–84. ACM (2009)Google Scholar
  10. 10.
    Hu, N., Bradford, P.G., Liu, J.: Applying role based access control and genetic algorithms to insider threat detection. In: Proceedings of the 44th Annual Southeast Regional Conference, pp. 790–791. ACM (2006)Google Scholar
  11. 11.
    Lim, Y.T., Cheng, P.C., Rohatgi, P., Clark, J.A.: MLS security policy evolution with genetic programming. In: Proceedings of the 10th Annual Conference on Genetic and Evolutionary Computation, pp. 1571–1578. ACM (2008)Google Scholar
  12. 12.
    Lim, Y.T., Cheng, P.C., Rohatgi, P., Clark, J.A.: Dynamic security policy learning. In: Proceedings of the First ACM Workshop on Information Security Governance, pp. 39–48. ACM (2009)Google Scholar
  13. 13.
    Bleuler, S., Brack, M., Thiele, L., Zitzler, E.: Multiobjective genetic programming: reducing bloat using SPEA2. In: Proceedings of the 2001 Congress on Evolutionary Computation, vol. 1, pp. 536–543. IEEE (2001)Google Scholar
  14. 14.
    Tapiador, J.E., Clark, J.A.: Learning autonomic security reconfiguration policies. In: 2010 IEEE 10th International Conference on Computer and Information Technology (CIT), pp. 902–909. IEEE (2010)Google Scholar
  15. 15.
    Bartoli, A., Cumar, S., De Lorenzo, A., Medvet, E.: Compressing regular expression sets for deep packet inspection. In: Bartz-Beielstein, T., Branke, J., Filipič, B., Smith, J. (eds.) PPSN XIII 2014. LNCS, vol. 8672, pp. 394–403. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  16. 16.
    Fürnkranz, J.: Separate-and-conquer rule learning. Artificial Intelligence Review 13(1), 3–54 (1999)CrossRefMATHGoogle Scholar
  17. 17.
    Eggermont, J., Kok, J.N., Kosters, W.A.: Genetic programming for data classification: partitioning the search space. In: Proceedings of the 2004 ACM Symposium on Applied Computing, pp. 1001–1005. ACM (2004)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Eric Medvet
    • 1
  • Alberto Bartoli
    • 1
  • Barbara Carminati
    • 2
  • Elena Ferrari
    • 2
  1. 1.Dip. di Ingegneria e ArchitetturaUniversità degli Studi di TriesteTriesteItaly
  2. 2.Dip. di Scienze Teoriche e ApplicateUniversità degli Studi dell’InsubriaComoItaly

Personalised recommendations