Mining Relationship-Based Access Control Policies from Incomplete and Noisy Data

  • Conference paper
Foundations and Practice of Security (FPS 2018)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11358)

Abstract

Relationship-based access control (ReBAC) extends attribute-based access control (ABAC) to allow policies to be expressed in terms of chains of relationships between entities. ReBAC policy mining algorithms have potential to significantly reduce the cost of migration from legacy access control systems to ReBAC, by partially automating the development of a ReBAC policy. This paper presents algorithms for mining ReBAC policies from information about entitlements together with information about entities. It presents the first such algorithms designed to handle incomplete information about entitlements, typically obtained from operation logs, and noise (errors) in information about entitlements. We present two algorithms: a greedy search guided by heuristics, and an evolutionary algorithm. We demonstrate the effectiveness of the algorithms on several policies, including 3 large case studies.

This material is based on work supported in part by NSF Grants CNS-1421893, and CCF-1414078, ONR Grant N00014-15-1-2208, and DARPA Contract FA8650-15-C-7561.

Author information

Corresponding author

Correspondence to Scott D. Stoller.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Bui, T., Stoller, S.D., Li, J. (2019). Mining Relationship-Based Access Control Policies from Incomplete and Noisy Data. In: Zincir-Heywood, N., Bonfante, G., Debbabi, M., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2018. Lecture Notes in Computer Science, vol 11358. Springer, Cham. https://doi.org/10.1007/978-3-030-18419-3_18

  • DOI: https://doi.org/10.1007/978-3-030-18419-3_18

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-18418-6

  • Online ISBN: 978-3-030-18419-3

  • eBook Packages: Computer Science, Computer Science (R0)
