Polisma - A Framework for Learning Attribute-Based Access Control Policies

Abstract

Attribute-based access control (ABAC) is being widely adopted due to its flexibility and universality in capturing authorizations in terms of the properties (attributes) of users and resources. However, specifying ABAC policies is a complex task due to the variety of such attributes. Moreover, migrating an access control system adopting a low-level model to ABAC can be challenging. An approach for generating ABAC policies is to learn them from data, namely from logs of historical access requests and their corresponding decisions. This paper proposes a novel framework for learning ABAC policies from data. The framework, referred to as Polisma, combines data mining, statistical, and machine learning techniques, capitalizing on potential context information obtained from external sources (e.g., LDAP directories) to enhance the learning process. The approach is evaluated empirically using two datasets (real and synthetic). Experimental results show that Polisma is able to generate ABAC policies that accurately control access requests and outperforms existing approaches.

Appendices

A Additional Algorithms

Algorithm 3 outlines the third step of Polisma for augmenting rules using domain-based restrictions.

B Running Example of Policy Learning Using Polisma

Consider a system including users and resources both associated with projects. User attributes, resource attributes, operations, and possible values for two selected attributes are shown in Table 2. Assume that a log of access control decision examples is given.

Table 2. Details about A Project Management System

Fig. 8.

Examples of ground rules generated from rule mining based on the specifications of the running example

1.1 B.1 Rules Generalization

Brute-Force Strategy (BS). Assume that BS-UR-C is used to generalize \({\rho }_{2}\) defined in Fig. 8. \(A_U\) is {id, role, department, project, technical area} and \(A_R\) is {id, type, department, project, technical area}. Moreover, \({\rho }_{2}\) is able to control the access for the user whose ID is “acct-4’ when accessing a resource whose type is task. The attribute values of the user and resources controlled by \({\rho }_{2}\) are analyzed. To generalize \({\rho }_{2}\) using BS-UR-C, each attribute value is weighted as shown in Fig. 9. For weighting each user/resource attribute value, the proportion of the sizes of two user/resource subsets is calculated according to Definition 8.

Fig. 9.

Generalization of \(\rho _{2}\) defined in Fig. 8 using the Brute Force Strategy (BS-UR-C)

In particular, for the value of the “department” attribute corresponding to the user referred by \(\rho _2\) (i.e., “d1”) (Fig. 9b), two user subsets are first found: a) the subset of the users belonging to department “d1”; and b) the subset of the users belonging to department “d1” and having a permission to perform the “setCost” operation on a resource of type “task” based on \(\mathcal {D}\). Then, the ratio of the sizes of these subsets is considered as the weight for the attribute value“d1”. The weights for the other user and resource attributes values are calculated similarly. Thereafter, the user attribute value and resource attribute value with the highest wights are chosen to perform the generalization. Assume that the value of the “department” user attribute is associated with the highest weight and the “project” resource attribute is associated with the highest weight. \({\rho }_{2}\) is generalized as:

\(\rho _{2}^{\prime }\) = \(\langle \)user(department: d1), resource (type: task, project: d1-p1), setCost, permit\(\rangle \)

Fig. 10.

Generalization of \(\rho _{2}\) defined in Fig. 8 using Structure-based Strategy: An example of Attribute-relationship Graph

Structure-Based Strategy ( SS ).

Assume that SS is used to generalize \({\rho }_{2}\), defined in Fig. 8. Also, suppose that Polisma is given the following information:

• The subset of resources \(R^{\prime }\) satisfying \(\rho _2.e_R\) has two values for the project attribute (i.e., “d1-p1”, “d1-p2”).

• The user “acct-4” belongs to the project “d1-p1”.

• \(R^{\prime }\) and “acct-4” belong to the department “d1”.

• \(\mathcal {T}\) = {(“d1-p1”, “d1”), (“d1-p2”, “d1”)}.

G is constructed as shown in Fig. 10. Using G, the two common attributes for “acct-4” and \(R^{\prime }\) are “d1-p1” and “d1” and the first common attribute is “d1-p1”. Therefore,\({\rho }_{2}\) is generalized as follows:

\(\rho _{2}^{\prime \prime }\) = \(\langle \)user(project: d1-p1), resource (type: task, project: d1-p1), setCost, permit\(\rangle \)

1.2 B.2 Rules Augmentation Using Domain-Based Restrictions

Assume that we decide to analyze the authorization domain by grouping users based on the “role” user attribute. As shown in the top part of Fig. 11, the authorization domains of the user groups having distinct values for the “role” attribute are identified using the access requests examples of \(\mathcal {D}\). These authorization domains allow one to recognize the set of operations authorized per user group. Thereafter, a set of negative authorizations are generated to restrict users having a specific role from performing specific operations on resources.

Fig. 11.

Rules augmentation using domain-based restrictions

1.3 B.3 Rules Augmentation Using Machine Learning

Assume that \(\mathcal {D}\) includes a decision example (\(l_i\)) for a user (id: “pl-1”) accessing a resource (id: “sc-1”) where both of them belong to a department “d1”. Assuming Polisma generated a rule based on \(l_i\) as follows: \(\rho _{i}\) = \(\langle \) user(role: planner, department: d1), resource (type: schedule, department: d1), read, permit \(\rangle \) Such a rule cannot control a new request by a user (id: “pl-5” for accessing a resource (id: “sc-5”) where both of them belong to another department “d5”). Such a is similar to \(l_i\). Therefore, a prediction-based approach is required to enable generating another rule.