
A Data Classification Method for Inconsistency and Incompleteness Detection in Access Control Policy Sets

  • Regular Contribution
International Journal of Information Security

Abstract

Access control policies may contain anomalies such as incompleteness and inconsistency, which can result in security vulnerabilities. Detecting such anomalies in large sets of complex policies automatically is a difficult and challenging problem. In this paper, we propose a novel method for detecting inconsistency and incompleteness in access control policies with the help of data classification tools well known in data mining. Our proposed method consists of three phases: firstly, we perform parsing on the policy data set; this includes ordering of attributes and normalization of Boolean expressions. Secondly, we generate decision trees with the help of our proposed algorithm, which is a modification of the well-known C4.5 algorithm. Thirdly, we execute our proposed anomaly detection algorithm on the resulting decision trees. The results of the anomaly detection algorithm are presented to the policy administrator who will take remediation measures. In contrast to other known policy validation methods, our method provides means for handling incompleteness, continuous values and complex Boolean expressions. In order to demonstrate the efficiency of our method in discovering inconsistencies, incompleteness and redundancies in access control policies, we also provide a proof-of-concept implementation.
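The abstract describes a three-phase method: order the attributes, grow a decision tree over the rule set, then inspect the tree for anomalies. The following is an added example, not the paper's implementation or its modified C4.5: it grows a fixed-order tree (one level per attribute, in a chosen order) over small finite attribute domains, routes each rule down every branch its condition allows, and then classifies leaves as inconsistent (permit and deny both apply), incomplete (no rule applies) or as evidence of redundancy (a rule that is never needed to decide any leaf it reaches). Attribute names, domains and rules are constructed sample data; continuous values and Boolean-expression normalization from the paper's parsing phase are not modelled.

```python
"""Toy anomaly detector for a set of attribute-based access control rules.

Added illustration (not the paper's code). Each rule constrains a few
categorical attributes, or leaves them unconstrained with ANY, and yields
a decision. The tree splits on the attributes in a fixed order, so each
leaf corresponds to one point of the attribute space, and the rules that
reach a leaf are exactly the rules that apply to that request.
"""

ANY = "*"  # wildcard: the rule does not constrain this attribute

# Constructed attribute domains; dict order is the attribute ordering.
DOMAINS = {
    "role": ("doctor", "nurse", "admin"),
    "resource": ("record", "schedule"),
    "shift": ("day", "night"),
}

# Constructed rule set: (rule_id, {attribute: value or ANY}, decision).
RULES = [
    ("r1", {"role": "doctor", "resource": "record", "shift": ANY}, "permit"),
    ("r2", {"role": "nurse", "resource": "record", "shift": "day"}, "permit"),
    ("r3", {"role": ANY, "resource": "record", "shift": "night"}, "deny"),
    ("r4", {"role": "admin", "resource": "schedule", "shift": ANY}, "permit"),
    ("r5", {"role": "doctor", "resource": "record", "shift": "day"}, "permit"),
]


def build_tree(rules, domains, order):
    """Split on attributes in `order`; a leaf is the list of rules reaching it."""
    if not order:
        return list(rules)
    attr, rest = order[0], order[1:]
    return {
        value: build_tree(
            [r for r in rules if r[1].get(attr, ANY) in (ANY, value)],
            domains, rest)
        for value in domains[attr]
    }


def leaves(tree, domains, order, path=()):
    """Yield (path, rules) for every leaf; path is a tuple of (attr, value)."""
    if isinstance(tree, list):
        yield path, tree
        return
    attr = order[len(path)]
    for value in domains[attr]:
        yield from leaves(tree[value], domains, order, path + ((attr, value),))


def analyse(rules=RULES, domains=DOMAINS, order=None):
    """Return the incomplete leaves, the inconsistent leaves and the
    rule ids that never decide any leaf on their own (redundancy)."""
    order = tuple(domains) if order is None else order
    tree = build_tree(rules, domains, order)
    incomplete, inconsistent = [], []
    needed = {rid: False for rid, _, _ in rules}
    for path, leaf in leaves(tree, domains, order):
        if not leaf:                       # no rule applies: incompleteness
            incomplete.append(path)
            continue
        if len({d for _, _, d in leaf}) > 1:  # permit and deny: inconsistency
            inconsistent.append((path, sorted(rid for rid, _, _ in leaf)))
        for rid, _, dec in leaf:
            # A rule is needed here if no other rule gives the same decision.
            if not any(o != rid and d == dec for o, _, d in leaf):
                needed[rid] = True
    redundant = sorted(rid for rid, n in needed.items() if not n)
    return {"incomplete": incomplete, "inconsistent": inconsistent,
            "redundant": redundant}


if __name__ == "__main__":
    report = analyse()
    for kind, items in report.items():
        print(f"{kind}: {items}")
```

On the sample rules, the leaf (doctor, record, night) is reached by r1 (permit) and r3 (deny) and is reported as inconsistent; five points of the attribute space, such as (admin, record, day), are reached by no rule and are reported as incomplete; r5 is reported as redundant because every leaf it reaches is already permitted by r1. Which conflicts are real depends on the combining algorithm the policy engine applies, so the report is input for the administrator, as the abstract states, not an automatic fix.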


Notes

  1. For this purpose, we have used the Sipina data mining software package developed by Ricco Rakotomalala in the ERIC Research laboratory [30].

  2. XACML, a standard policy specification language, was defined for this purpose. However, for ease of understanding and simplicity, we have specified rules in simple XML language.

References

  1. Adi, K., Bouzida, Y., Hattak, I., Logrippo, L., Mankovskii, S.: Typing for conflict detection in access control policies. Lect. Notes Bus. Inf. Process. 26, 212–226 (2009)

  2. Al-Kahtani, M.A., Sandhu, R.: Rule-based RBAC with negative authorization. In: 20th Annual Computer Security Applications Conference, pp. 405–415. IEEE (2004)

  3. Armando, A., Ranise, S.: Automated and efficient analysis of role-based access control with attributes. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) Data and Applications Security and Privacy XXVI. Lecture Notes in Computer Science, vol. 7371, pp. 25–40. Springer, Berlin Heidelberg (2012)

  4. Bauer, L., Garriss, S., Reiter, M.K.: Detecting and resolving policy misconfigurations in access-control systems. In: SACMAT '08: Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, pp. 185–194. ACM, New York, NY, USA (2008)

  5. Benferhat, S., El Baida, R., Cuppens, F.: A stratification-based approach for handling conflicts in access control. In: SACMAT '03: Proceedings of the Eighth ACM Symposium on Access Control Models and Technologies, pp. 189–195. ACM, New York, NY, USA (2003)

  6. Chinaei, A., Chinaei, H., Tompa, F.: A unified conflict resolution algorithm. In: Jonker, W., Petković, M. (eds.) Secure Data Management. Lecture Notes in Computer Science, vol. 4721, pp. 1–17. Springer, Berlin Heidelberg (2007). doi:10.1007/978-3-540-75248-6_1

  7. Cuppens, F., Cuppens-Boulahia, N., Ghorbel, M.B.: High level conflict management strategies in advanced access control models. Electron. Notes Theor. Comput. Sci. 186, 3–26 (2007)

  8. Das, T., Bhagwan, R., Naldurg, P.: Baaz: A system for detecting access control misconfigurations. In: Proceedings of the 19th USENIX Security Symposium (USENIX) (2010)

  9. De Capitani di Vimercati, S., Samarati, P., Jajodia, S.: Policies, models, and languages for access control. In: Bhalla, S. (ed.) Databases in Networked Information Systems. Lecture Notes in Computer Science, vol. 3433, pp. 225–237. Springer, Berlin Heidelberg (2005)

  10. Dong, C., Russello, G., Dulay, N.: Flexible resolution of authorisation conflicts in distributed systems. In: De Turck, F., Kellerer, W., Kormentzas, G. (eds.) Managing Large-Scale Service Deployment. Lecture Notes in Computer Science, vol. 5273, pp. 95–108. Springer, Berlin Heidelberg (2008). doi:10.1007/978-3-540-87353-2_8

  11. Dunlop, N., Indulska, J., Raymond, K.: Dynamic conflict detection in policy-based management systems. In: Proceedings of the Sixth International Enterprise Distributed Object Computing Conference (EDOC '02), p. 15. IEEE Computer Society, Los Alamitos, CA, USA (2002)

  12. Fisler, K., Krishnamurthi, S., Meyerovich, L.A., Tschantz, M.C.: Verification and change-impact analysis of access-control policies. In: ICSE '05: Proceedings of the 27th International Conference on Software Engineering, pp. 196–205. ACM, New York, NY, USA (2005)

  13. Gouda, M.G., Liu, A.X.: Structured firewall design. Comput. Netw. 51(4), 1106–1120 (2007)

  14. Hu, H., Ahn, G.: Enabling verification and conformance testing for access control model. In: SACMAT '08: Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, pp. 195–204. ACM, New York, NY, USA (2008)

  15. Hu, H., Ahn, G.J., Kulkarni, K.: Detecting and resolving firewall policy anomalies. IEEE Trans. Dependable Secure Comput. 9(3), 318–331 (2012). doi:10.1109/TDSC.2012.20

  16. Hu, H., Ahn, G.J., Kulkarni, K.: Discovery and resolution of anomalies in web access control policies. IEEE Trans. Dependable Secure Comput. 10(6), 341–354 (2013). doi:10.1109/TDSC.2013.18

  17. Jackson, D.: Automating first-order relational logic. ACM SIGSOFT Softw. Eng. Notes 25(6), 130–139 (2000)

  18. Kalam, A.A.E., Baida, R.E., Balbiani, P., Benferhat, S., Cuppens, F., Deswarte, Y., Miège, A., Saurel, C., Trouessin, G.: Organization based access control. In: Proceedings of the IEEE 4th International Workshop on Policies for Distributed Systems and Networks (Policy 2003), pp. 120–131. IEEE Computer Society, Los Alamitos, CA, USA (2003)

  19. Kamoda, H., Yamaoka, M., Matsuda, S., Broda, K., Sloman, M.: Access control policy analysis using free variable tableaux. Inf. Media Technol. 1(2), 1155–1169 (2006)

  20. Karp, A.H., Haury, H., Davis, M.H.: From ABAC to ZBAC: the evolution of access control models. Technical Report HPL-2009-30, HP Labs, http://www.hpl.hp.com/techreports/2009/HPL-2009-30 (2009)

  21. Kotsiantis, S.: Supervised machine learning: a review of classification techniques. Informatica 31, 249–268 (2007)

  22. Lang, B., Foster, I., Siebenlist, F., Ananthakrishnan, R., Freeman, T.: A flexible attribute based access control method for grid computing. J. Grid Comput. 7(2), 169–180 (2009)

  23. Leung, K.M.: Decision trees and decision rules. http://cis.poly.edu/mleung/FRE7851/f07/decisionTrees (2007). Accessed 07 Jan 2014

  24. Lin, D., Rao, P., Bertino, E., Li, N., Lobo, J.: EXAM: a comprehensive environment for the analysis of access control policies. Int. J. Inf. Secur. 9(4), 253–273 (2010)

  25. Lupu, E.C., Sloman, M.: Conflicts in policy-based distributed systems management. IEEE Trans. Software Eng. 25(6), 852–869 (1999)

  26. Mankai, M., Logrippo, L.: Access control policies: modeling and validation. Proc. NOTERE 2005, 85–91 (2005)

  27. Masoumzadeh, A., Amini, M., Jalili, R.: Conflict detection and resolution in context-aware authorization. In: 21st International Conference on Advanced Information Networking and Applications Workshops (AINAW '07), vol. 1, pp. 505–511. IEEE (2007)

  28. Moon, C.J., Paik, W., Kim, Y.G., Kwon, J.H.: The conflict detection between permission assignment constraints in role-based access control. Lect. Notes Comput. Sci. 3822, 265–278 (2005)

  29. Mukkamala, R., Kamisetty, V., Yedugani, P.: Detecting and resolving misconfigurations in role-based access control (short paper). In: Prakash, A., SenGupta, I. (eds.) Information Systems Security. Lecture Notes in Computer Science, vol. 5905, pp. 318–325. Springer, Berlin Heidelberg (2009)

  30. Rakotomalala, R.: Sipina data mining software. http://eric.univ-lyon2.fr/ricco/sipina.html (2010)

  31. Ray, I., Li, N., France, R., Kim, D.K.: Using UML to visualize role-based access control constraints. In: SACMAT '04: Proceedings of the 9th ACM Symposium on Access Control Models and Technologies, pp. 115–124. ACM, New York, NY, USA (2004)

  32. Rissanen, E.: eXtensible Access Control Markup Language (XACML) Version 3.0, OASIS Standard. http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en (2013). Accessed 07 Jan 2014

  33. Rokach, L., Maimon, O.: Decision trees. In: Maimon, O., Rokach, L. (eds.) Data Mining and Knowledge Discovery Handbook, pp. 165–192. Springer, US (2005)

  34. Shaikh, R.A., Adi, K., Logrippo, L., Mankovski, S.: Detecting incompleteness in access control policies using data classification schemes. In: Proceedings of the 5th International Conference on Digital Information Management (ICDIM 2010), pp. 417–422. IEEE (2010)

  35. Shaikh, R.A., Adi, K., Logrippo, L., Mankovski, S.: Inconsistency detection method for access control policies. In: Proceedings of the 6th International Conference on Information Assurance and Security (IAS 2010), pp. 204–209. IEEE (2010)

  36. Sohr, K., Ahn, G.J., Gogolla, M., Migge, L.: Specification and validation of authorisation constraints using UML and OCL. In: Computer Security (ESORICS 2005), LNCS 3679, pp. 64–79. Springer, New York, NY, USA (2005)

  37. Stepien, B., Matwin, S., Felty, A.P.: Strategies for reducing risks of inconsistencies in access control policies. In: Proceedings of the Fifth International Conference on Availability, Reliability and Security (ARES 2010), pp. 140–147 (2010)

  38. Szörényi, B.: Disjoint DNF tautologies with conflict bound two. J. Satisf. Boolean Model. Comput. 4, 1–14 (2007)

  39. Witten, I.H., Frank, E.: Data Mining: Practical Machine Learning Tools and Techniques with Java Implementations. Morgan Kaufmann Publishers, USA (1999)

  40. Yuan, Y., Shaw, M.J.: Induction of fuzzy decision trees. Fuzzy Sets Syst. 69(2), 125–139 (1995)

  41. Zaiane, O.: Chapter 7: data classification. http://webdocs.cs.ualberta.ca/zaiane/courses/cmput690/slides/Chapter7/index.htm (1999). Accessed 07 Jan 2014


Acknowledgments

The work reported in this article was partially supported by the Natural Sciences and Engineering Research Council of Canada, PROMPT Quebec, and CA Technologies. We would like to thank Serge Mankovski of CA Technologies for having helped our effort. The authors would also like to thank all members of the Computer Security Research Lab (UQO, Canada), and Bernard Stepien for providing useful comments and suggestions.


Corresponding author

Correspondence to Riaz Ahmed Shaikh.

Appendix

Decision trees for rule sets 1, 2, 3 and 4 are given in Figs. 10, 11, 12, and 13, respectively.

Fig. 10: Decision tree for rule set 1

Fig. 11: Decision tree for rule set 2

Fig. 12: Decision tree for rule set 3

Fig. 13: Decision tree for rule set 4


Cite this article

Shaikh, R.A., Adi, K. & Logrippo, L. A Data Classification Method for Inconsistency and Incompleteness Detection in Access Control Policy Sets. Int. J. Inf. Secur. 16, 91–113 (2017). https://doi.org/10.1007/s10207-016-0317-1


  • DOI: https://doi.org/10.1007/s10207-016-0317-1
