Abstract
Attribute-based access control (ABAC) is being widely adopted due to its flexibility and universality in capturing authorizations in terms of the properties (attributes) of users and resources. However, specifying ABAC policies is a complex task due to the variety of such attributes. Moreover, migrating an access control system adopting a low-level model to ABAC can be challenging. An approach for generating ABAC policies is to learn them from data, namely from logs of historical access requests and their corresponding decisions. This paper proposes a novel framework for learning ABAC policies from data. The framework, referred to as Polisma, combines data mining, statistical, and machine learning techniques, capitalizing on potential context information obtained from external sources (e.g., LDAP directories) to enhance the learning process. The approach is evaluated empirically using two datasets (real and synthetic). Experimental results show that Polisma is able to generate ABAC policies that accurately control access requests and outperforms existing approaches.
Notes
1. Learning policies from logs of access requests does not necessarily mean that there is an existing access control system or that policy learning aims to reproduce or validate existing policies. Such logs may consist of examples of access control decisions provided by a human expert, and learning may be used, for example, in a coalition environment where a coalition member can get logs from another coalition member to learn policies for similar missions.
2. Throughout the paper, we will use the dot notation to refer to a component of an entity (e.g., \(\rho\).d refers to the decision of the rule \(\rho\)).
3. This approach also implicitly improves correctness.
4. Even distribution tends to generate smaller groups. Each group potentially has a similar set of permissions. A large group of an uneven partition potentially includes a diverse set of users or resources, hence hindering the observation of restricted permissions.
5. The definition of constructing resource groups is analogous to that of user groups.
6.
7. Datasets are assumed to be noise-free, that is, \((\mathcal {N} \subset \mathcal {F}) \wedge (\mathcal {D} \subset \mathcal {F}) \wedge (\mathcal {N} \cap \mathcal {D} = \phi )\). Note that \(\mathcal {F}\) is the complete set of control decisions, which we will never have in a real system.
8. Other algorithms can be used. We used Random Forest and kNN classifiers since they showed better results compared to SVM and Adaboost.
9. F1 Score is the harmonic mean of precision and recall.
10. Since the AZ dataset does not contain resource attributes, BS-R-C (instead of BS-UR-C) is executed in the second step and the execution of the third step is skipped.
11. We also experimented with samples of different sizes (i.e., 2k–5k); the learning results using these sample sizes showed a slight improvement in scores.
Acknowledgment
This research was sponsored by the U.S. Army Research Laboratory and the U.K. Ministry of Defence under Agreement Number W911NF-16-3-0001. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the U.S. Army Research Laboratory, the U.S. Government, the U.K. Ministry of Defence or the U.K. Government. The U.S. and U.K. Governments are authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation hereon. Jorge Lobo was also supported by the Spanish Ministry of Economy and Competitiveness under Grant Numbers TIN201681032P, MDM20150502, and the U.S. Army Research Office under Agreement Number W911NF1910432.
Appendices
A Additional Algorithms
Algorithm 3 outlines the third step of Polisma for augmenting rules using domain-based restrictions.
B Running Example of Policy Learning Using Polisma
Consider a system including users and resources both associated with projects. User attributes, resource attributes, operations, and possible values for two selected attributes are shown in Table 2. Assume that a log of access control decision examples is given.
B.1 Rules Generalization
Brute-Force Strategy (BS). Assume that BS-UR-C is used to generalize \({\rho }_{2}\) defined in Fig. 8. \(A_U\) is {id, role, department, project, technical area} and \(A_R\) is {id, type, department, project, technical area}. Moreover, \({\rho }_{2}\) is able to control the access for the user whose ID is “acct-4” when accessing a resource whose type is task. The attribute values of the user and resources controlled by \({\rho }_{2}\) are analyzed. To generalize \({\rho }_{2}\) using BS-UR-C, each attribute value is weighted as shown in Fig. 9. For weighting each user/resource attribute value, the proportion of the sizes of two user/resource subsets is calculated according to Definition 8.
In particular, for the value of the “department” attribute corresponding to the user referred to by \(\rho _2\) (i.e., “d1”) (Fig. 9b), two user subsets are first found: a) the subset of the users belonging to department “d1”; and b) the subset of the users belonging to department “d1” and having a permission to perform the “setCost” operation on a resource of type “task” based on \(\mathcal {D}\). Then, the ratio of the sizes of these subsets is considered as the weight for the attribute value “d1”. The weights for the other user and resource attribute values are calculated similarly. Thereafter, the user attribute value and resource attribute value with the highest weights are chosen to perform the generalization. Assume that the value of the “department” user attribute is associated with the highest weight and the “project” resource attribute is associated with the highest weight. \({\rho }_{2}\) is generalized as:
\(\rho _{2}^{\prime }\) = \(\langle \)user(department: d1), resource (type: task, project: d1-p1), setCost, permit\(\rangle \)
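The weighting step described above, as an added Python example (not code from the paper or from Polisma). The users, resources and log `D` are constructed; the weight is assumed to be the size of subset (b) divided by the size of subset (a), since Definition 8 is not reproduced on this page, and the function names are hypothetical.

```python
# Constructed sample data (not from the paper). The "id" attribute is the dict key and is
# deliberately not a candidate: generalization replaces it with a broader attribute.
USERS = {
    "acct-4": {"role": "accountant", "department": "d1", "project": "d1-p1"},
    "acct-5": {"role": "accountant", "department": "d1", "project": "d1-p2"},
    "mgr-1":  {"role": "manager",    "department": "d1", "project": "d1-p2"},
    "pl-1":   {"role": "planner",    "department": "d1", "project": "d1-p1"},
    "acct-9": {"role": "accountant", "department": "d2", "project": "d2-p1"},
}
RESOURCES = {
    "t-1": {"type": "task", "department": "d1", "project": "d1-p1"},
    "t-2": {"type": "task", "department": "d1", "project": "d1-p1"},
    "t-3": {"type": "task", "department": "d1", "project": "d1-p2"},
    "t-4": {"type": "task", "department": "d2", "project": "d2-p1"},
}
D = [  # decision examples: (user id, resource id, operation, decision)
    ("acct-4", "t-1", "setCost", "permit"),
    ("acct-5", "t-2", "setCost", "permit"),
    ("mgr-1",  "t-1", "setCost", "permit"),
    ("pl-1",   "t-3", "setCost", "deny"),
    ("acct-9", "t-4", "setCost", "deny"),
]

def weight(entities, attr, value, permitted_ids):
    """Assumed ratio: |entities with attr=value that appear in a permit| / |entities with attr=value|."""
    having = {e for e, attrs in entities.items() if attrs.get(attr) == value}
    return len(having & permitted_ids) / len(having) if having else 0.0

def best_attribute(entities, entity_id, permitted_ids, skip=()):
    """Return the (attribute, value) of entity_id that has the highest weight."""
    scored = [(weight(entities, a, v, permitted_ids), a, v)
              for a, v in entities[entity_id].items() if a not in skip]
    _, attr, value = max(scored)
    return attr, value

def generalize(user_id, res_type, op):
    """Generalize <user(id), resource(type), op, permit> on both the user and resource side."""
    permits = [(u, r) for u, r, o, d in D
               if o == op and d == "permit" and RESOURCES[r]["type"] == res_type]
    permitted_users = {u for u, _ in permits}
    permitted_res = {r for _, r in permits}
    # Assumption: candidate resource values come from a resource this user was permitted on.
    sample_res = next(r for u, r in permits if u == user_id)
    ua, uv = best_attribute(USERS, user_id, permitted_users)
    ra, rv = best_attribute(RESOURCES, sample_res, permitted_res, skip=("type",))
    return ({ua: uv}, {"type": res_type, ra: rv}, op, "permit")

if __name__ == "__main__":
    print(generalize("acct-4", "task", "setCost"))
```

With this constructed log, "department" wins on the user side (0.75 against 0.67 for role and 0.5 for project) and "project" wins on the resource side, which reproduces the shape of the generalized rule above.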
Structure-Based Strategy (SS). Assume that SS is used to generalize \({\rho }_{2}\), defined in Fig. 8. Also, suppose that Polisma is given the following information:
- The subset of resources \(R^{\prime }\) satisfying \(\rho _2.e_R\) has two values for the project attribute (i.e., “d1-p1”, “d1-p2”).
- The user “acct-4” belongs to the project “d1-p1”.
- \(R^{\prime }\) and “acct-4” belong to the department “d1”.
- \(\mathcal {T}\) = {(“d1-p1”, “d1”), (“d1-p2”, “d1”)}.
G is constructed as shown in Fig. 10. Using G, the two common attributes for “acct-4” and \(R^{\prime }\) are “d1-p1” and “d1” and the first common attribute is “d1-p1”. Therefore, \({\rho }_{2}\) is generalized as follows:
\(\rho _{2}^{\prime \prime }\) = \(\langle \)user(project: d1-p1), resource (type: task, project: d1-p1), setCost, permit\(\rangle \)
B.2 Rules Augmentation Using Domain-Based Restrictions
Assume that we decide to analyze the authorization domain by grouping users based on the “role” user attribute. As shown in the top part of Fig. 11, the authorization domains of the user groups having distinct values for the “role” attribute are identified using the access requests examples of \(\mathcal {D}\). These authorization domains allow one to recognize the set of operations authorized per user group. Thereafter, a set of negative authorizations are generated to restrict users having a specific role from performing specific operations on resources.
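The grouping and restriction step described above, as an added Python example (not code from the paper or from Polisma). The log, the "setSchedule" operation and the function names are constructed; it assumes that the operations restricted for a role are those seen in \(\mathcal {D}\) but never permitted for that role, and that deny rules override permit rules. Resource expressions are left out to keep the example short.

```python
from collections import defaultdict

# Constructed sample data (not from the paper).
USERS = {
    "acct-4": {"role": "accountant", "department": "d1"},
    "acct-5": {"role": "accountant", "department": "d1"},
    "pl-1":   {"role": "planner",    "department": "d1"},
    "pl-2":   {"role": "planner",    "department": "d1"},
}
D = [  # decision examples: (user id, operation, decision)
    ("acct-4", "setCost", "permit"),
    ("acct-5", "read", "permit"),
    ("pl-1", "read", "permit"),
    ("pl-2", "setSchedule", "permit"),
    ("pl-1", "setCost", "deny"),
]

def authorization_domains(log, users, group_attr="role"):
    """Operations permitted at least once for each value of the grouping attribute."""
    domains = defaultdict(set)
    for user, op, decision in log:
        if decision == "permit":
            domains[users[user][group_attr]].add(op)
    return dict(domains)

def negative_rules(log, users, group_attr="role"):
    """One deny rule per (group, operation) pair that lies outside the group's domain."""
    domains = authorization_domains(log, users, group_attr)
    all_ops = {op for _, op, _ in log}
    groups = sorted({attrs[group_attr] for attrs in users.values()})
    return [({group_attr: g}, op, "deny")
            for g in groups for op in sorted(all_ops - domains.get(g, set()))]

def decide(user, op, rules, users=USERS):
    """Deny-overrides evaluation (an assumption); a request that matches no rule is denied."""
    attrs = users[user]
    hits = {d for expr, rule_op, d in rules
            if rule_op == op and all(attrs.get(k) == v for k, v in expr.items())}
    return "permit" if hits == {"permit"} else "deny"

# A department-wide permit rule of the kind generalization produces.
GENERALIZED = [({"department": "d1"}, "setCost", "permit")]

if __name__ == "__main__":
    restricted = GENERALIZED + negative_rules(D, USERS)
    print(decide("pl-2", "setCost", GENERALIZED))  # the over-general rule alone permits
    print(decide("pl-2", "setCost", restricted))   # the role restriction denies
```

The planner "pl-2" never requested "setCost" in the log, so the department-wide rule alone would grant it; the negative authorization derived from the planner role's domain is what removes that over-permission.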
B.3 Rules Augmentation Using Machine Learning
Assume that \(\mathcal {D}\) includes a decision example (\(l_i\)) for a user (id: “pl-1”) accessing a resource (id: “sc-1”) where both of them belong to a department “d1”. Assume that Polisma generated a rule based on \(l_i\) as follows:
\(\rho _{i}\) = \(\langle \)user(role: planner, department: d1), resource (type: schedule, department: d1), read, permit\(\rangle \)
Such a rule cannot control a new request by a user (id: “pl-5”) for accessing a resource (id: “sc-5”) where both of them belong to another department “d5”. Such a request is similar to \(l_i\). Therefore, a prediction-based approach is required to enable generating another rule.
© 2020 Springer Nature Switzerland AG
Cite this paper
Abu Jabal, A. et al. (2020). Polisma - A Framework for Learning Attribute-Based Access Control Policies. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds) Computer Security – ESORICS 2020. ESORICS 2020. Lecture Notes in Computer Science(), vol 12308. Springer, Cham. https://doi.org/10.1007/978-3-030-58951-6_26
DOI: https://doi.org/10.1007/978-3-030-58951-6_26
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-58950-9
Online ISBN: 978-3-030-58951-6
eBook Packages: Computer Science (R0)