Abstract
Sensitive data is available online through web and distributed protocols, which makes access control mechanisms essential. System designers write access control policies to express the conditions under which data may be accessed. Such policies can contain anomalies (redundancy, inconsistency, irrelevancy, and incompleteness) that can lead to security vulnerabilities, and detecting these anomalies in large and complex policies is challenging because effective analysis mechanisms and tools are lacking. In this paper, we introduce a formal tree-based policy modeling technique to represent, update, and analyze access control policies, and on top of this model we propose an anomaly detection technique. Our approach focuses on Attribute Based Access Control (ABAC) policies because they are widely adopted, offer high flexibility, and enhance both security and information sharing. The effectiveness of our policy modeling and anomaly detection technique has been demonstrated through experimental evaluation.
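To make the four anomaly classes named in the abstract concrete, here is an added example (not code from the paper, and not its tree-based model) that enumerates requests over a constructed attribute schema and flags redundant, inconsistent, irrelevant and incomplete rules in a small ABAC policy. The anomaly definitions, the first-applicable combining assumption, the schema and the rules are all assumptions made for this illustration.

```python
from itertools import product

# Constructed sample attribute domains (assumed; a real deployment takes these from its schema).
DOMAINS = {
    "role": ("doctor", "nurse", "admin"),
    "resource": ("record", "schedule"),
    "action": ("read", "write"),
}

# Constructed sample policy. A rule is (name, conditions, effect); conditions map an
# attribute to the set of values it accepts, and an attribute left out means "any value".
RULES = [
    ("r1", {"role": {"doctor"}, "resource": {"record"}}, "permit"),
    ("r2", {"role": {"doctor"}, "resource": {"record"}, "action": {"read"}}, "permit"),
    ("r3", {"role": {"nurse"}, "resource": {"record"}, "action": {"write"}}, "deny"),
    ("r4", {"role": {"nurse"}, "resource": {"record"}}, "permit"),
    ("r5", {"role": {"intern"}}, "permit"),
]

def all_requests(domains=DOMAINS):
    """Enumerate every attribute assignment the schema allows."""
    keys = list(domains)
    return [dict(zip(keys, vals)) for vals in product(*(domains[k] for k in keys))]

def matches(rule, request):
    _, conds, _ = rule
    return all(request[attr] in values for attr, values in conds.items())

def find_anomalies(rules=RULES, domains=DOMAINS):
    reqs = all_requests(domains)
    covered = {r[0]: [q for q in reqs if matches(r, q)] for r in rules}
    # Irrelevancy: a rule that no schema-conformant request can ever match.
    irrelevant = [r[0] for r in rules if not covered[r[0]]]
    # Inconsistency: two rules apply to the same request with different effects.
    inconsistent = [(a[0], b[0]) for i, a in enumerate(rules) for b in rules[i + 1:]
                    if a[2] != b[2] and any(matches(b, q) for q in covered[a[0]])]
    # Redundancy (first-applicable combining assumed): every request a rule matches is
    # already decided, with the same effect, by an earlier rule, so it never changes a decision.
    redundant = [r[0] for i, r in enumerate(rules) if covered[r[0]] and all(
        any(matches(e, q) and e[2] == r[2] for e in rules[:i]) for q in covered[r[0]])]
    # Incompleteness: requests that no rule decides at all.
    incomplete = [q for q in reqs if not any(matches(r, q) for r in rules)]
    return {"redundant": redundant, "inconsistent": inconsistent,
            "irrelevant": irrelevant, "incomplete": incomplete}

if __name__ == "__main__":
    for kind, items in find_anomalies().items():
        print(kind, items)
```

Exhaustive enumeration is only viable for small domains; this is exactly the scaling problem that a structured model such as the paper's tree-based representation is meant to address.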
Acknowledgment
This work was supported in part by the Natural Sciences and Engineering Research Council of Canada (NSERC) and the Canada Research Chairs (CRC) Program.
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Davari, M., Zulkernine, M. (2022). Policy Modeling and Anomaly Detection in ABAC Policies. In: Luo, B., Mosbah, M., Cuppens, F., Ben Othmane, L., Cuppens, N., Kallel, S. (eds) Risks and Security of Internet and Systems. CRiSIS 2021. Lecture Notes in Computer Science, vol 13204. Springer, Cham. https://doi.org/10.1007/978-3-031-02067-4_9
DOI: https://doi.org/10.1007/978-3-031-02067-4_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-02066-7
Online ISBN: 978-3-031-02067-4