
Policy Modeling and Anomaly Detection in ABAC Policies

  • Conference paper
Risks and Security of Internet and Systems (CRiSIS 2021)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13204))


Abstract

Sensitive data is exposed online through web and distributed protocols, which makes access control mechanisms essential. System designers write access control policies to express the conditions under which data may be accessed. Such policies can contain anomalies (redundancy, inconsistency, irrelevancy, and incompleteness) that can lead to security vulnerabilities. Detecting anomalies in large and complex policies is challenging because effective analysis mechanisms and tools are lacking. In this paper, we introduce a formal tree-based policy modeling technique to represent, update, and analyze access control policies. Building on this formal policy model, we propose an anomaly detection technique. Our approach focuses on Attribute Based Access Control (ABAC) policies because they are widely adopted; they also provide high flexibility and enhance security and information sharing. The effectiveness of our policy modeling and anomaly detection technique has been demonstrated through experimental evaluation.
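As an added illustration of the four anomaly classes the abstract names, the following Python checker is not the paper's tree-based model or its code. It uses a plain set-based formulation over small, finite attribute domains: a rule accepts a set of values per attribute (an unconstrained attribute accepts the whole domain), and a request is one assignment of attributes to values. The attribute names, domain values, rule names and the sample policy are all constructed for this example.

```python
"""Toy ABAC policy anomaly checker (added example, not the paper's method).

Anomaly classes, as the abstract lists them:
  redundancy    - every request a rule matches is matched by another rule with the same effect
  inconsistency - two rules with opposite effects can match the same request
  irrelevancy   - a rule's condition excludes every value of some attribute domain, so it never matches
  incompleteness- some request is matched by no rule at all
"""
from dataclasses import dataclass
from itertools import product


@dataclass
class Rule:
    name: str
    effect: str   # "permit" or "deny"
    conds: dict   # attribute -> set of accepted values; an absent attribute accepts any value


def values(rule, attr, domains):
    """Domain values accepted by `rule` for `attr` (whole domain when unconstrained)."""
    return set(rule.conds.get(attr, domains[attr])) & set(domains[attr])


def matches(rule, request, domains):
    """True when `request` (attribute -> value) satisfies every attribute condition of `rule`."""
    return all(request[a] in values(rule, a, domains) for a in domains)


def irrelevant(rules, domains):
    """Names of rules that can never match any request over the declared domains."""
    return [r.name for r in rules if any(not values(r, a, domains) for a in domains)]


def redundant(rules, domains):
    """Pairs (r, s): r and s have the same effect and s covers every request r covers."""
    out = []
    for r in rules:
        if any(not values(r, a, domains) for a in domains):
            continue  # an irrelevant rule covers nothing; report it under irrelevancy instead
        for s in rules:
            if r is s or r.effect != s.effect:
                continue
            if all(values(r, a, domains) <= values(s, a, domains) for a in domains):
                out.append((r.name, s.name))
    return out


def inconsistent(rules, domains):
    """Pairs with opposite effects whose conditions overlap on every attribute."""
    out = []
    for i, r in enumerate(rules):
        for s in rules[i + 1:]:
            if r.effect != s.effect and all(values(r, a, domains) & values(s, a, domains) for a in domains):
                out.append((r.name, s.name))
    return out


def incomplete(rules, domains):
    """Requests matched by no rule (exhaustive enumeration; fine only for tiny domains)."""
    attrs = list(domains)
    gaps = []
    for combo in product(*(domains[a] for a in attrs)):
        request = dict(zip(attrs, combo))
        if not any(matches(r, request, domains) for r in rules):
            gaps.append(request)
    return gaps


def analyze(rules, domains):
    """Run all four checks and return the findings keyed by anomaly class."""
    return {
        "irrelevant": irrelevant(rules, domains),
        "redundant": redundant(rules, domains),
        "inconsistent": inconsistent(rules, domains),
        "incomplete": incomplete(rules, domains),
    }


# Constructed attribute domains (tuples keep enumeration order deterministic).
DOMAINS = {
    "role": ("doctor", "nurse", "clerk"),
    "resource": ("record", "schedule"),
    "action": ("read", "write"),
}

# Constructed sample policy; each rule is named so findings are readable.
POLICY = [
    Rule("R1", "permit", {"role": {"doctor"}, "resource": {"record"}}),
    Rule("R2", "permit", {"role": {"doctor"}, "resource": {"record"}, "action": {"read"}}),  # subsumed by R1
    Rule("R3", "deny",   {"role": {"nurse"}, "resource": {"record"}, "action": {"write"}}),
    Rule("R4", "permit", {"role": {"nurse"}, "resource": {"record"}}),                      # overlaps R3
    Rule("R5", "permit", {"role": {"admin"}}),                                              # "admin" not in domain
    Rule("R6", "permit", {"resource": {"schedule"}, "action": {"read"}}),
]

if __name__ == "__main__":
    for kind, findings in analyze(POLICY, DOMAINS).items():
        print(f"{kind}: {findings}")
```

The incompleteness check enumerates the Cartesian product of the domains, which is only workable for toy policies; the abstract's point is precisely that large and complex policies need a structured model rather than brute-force enumeration. Redundancy is reported without regard to rule order, so under an ordered combining algorithm some reported pairs are harmless shadowing rather than a defect.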




Acknowledgment

This work was supported in part by the Natural Sciences and Engineering Research Council of Canada (NSERC) and the Canada Research Chairs (CRC) Program.

Corresponding author

Correspondence to Maryam Davari.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Davari, M., Zulkernine, M. (2022). Policy Modeling and Anomaly Detection in ABAC Policies. In: Luo, B., Mosbah, M., Cuppens, F., Ben Othmane, L., Cuppens, N., Kallel, S. (eds) Risks and Security of Internet and Systems. CRiSIS 2021. Lecture Notes in Computer Science, vol 13204. Springer, Cham. https://doi.org/10.1007/978-3-031-02067-4_9

  • DOI: https://doi.org/10.1007/978-3-031-02067-4_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-02066-7

  • Online ISBN: 978-3-031-02067-4

  • eBook Packages: Computer Science, Computer Science (R0)
