Role mining using answer set programming
Introduction
Currently, role-based access control (RBAC) [1], [2] has become the predominant access control model because it greatly simplifies the security management. The key feature of RBAC is that each role is a collection of permissions, and all users acquire permissions only through the roles. However, it is costly to develop and maintain an RBAC system though RBAC reduces the management cost.
In order to build high quality RBAC system, researchers have proposed two important approaches: the top-down approach and the bottom-up approach. The top-down approach [3], [4] often starts with expert analysis of business processes and builds RBAC system from such analysis. However, the top-down approach is time consuming since it is human-intensive [5]. The bottom-up approach can discover roles from existing user-permission assignments automatically. Such a computing-intensive approach is called role mining.
Given the same user-permission assignments, different role mining algorithms will build different RBAC systems. Therefore, it requires a measurement to evaluate how good an RBAC state is. The measurement used in Vaidya et al. [6] is the number of roles while the measurement used in Zhang et al. [7] and Ene et al. [8] is the total number of edges when an RBAC state is represented by a graph visually. Guo et al. [9] aim to minimize the number of roles and the edges in role hierarchy graph. Molloy et al. [10] summarized the previous multiple ways of measures and proposed the notion of weighted structural complexity.
Constraint is a defined relationship among roles or a condition related to roles. One of the most common constraints is a separation-of-duty policy. For instance, a user cannot be a member of both mutually exclusion roles. In addition, constraints can be used to reflect business requirements. For example, there is only one person in the role of CEO in a company. As an essential part of the RBAC models, constraints play an important part in defining the security requirements of the system [11], [12], [13], [14].
Nonetheless, one main limitation of existing role mining methods is that, the construction process of an RBAC system cannot simultaneously meet various constraints. For example, two constraints are required to be satisfied. The role mining algorithm meets the first constraint but fails to satisfy the second constraint. That means there is a conflict between the two. Then, we should add an algorithm to resolve the conflict in the role mining algorithm. The next step in the example is to add the third constraint. The third constraint may have conflicts with the first two constraints. Thus, we may need to implement more different algorithms to resolve these two conflicts. Meanwhile, the first conflict resolution algorithm probably needs to be modified so as to ensure that the first two constraints still do not conflict. Obviously, with the increasing number of constraints, these would become impossible tasks. What is more, you cannot combine various conflict resolution algorithms with the role mining algorithms in many cases.
Leveraging the approach of answer set programming in artificial intelligence, we propose an ASP-based novel approach to construct an RBAC system that can comply with constraints and meet multi-objective optimization at the same time, namely constrained role miner (CRM). In the field of artificial intelligence, ASP has been viewed as an effective programming language for knowledge representation and declarative problem solving [15]. Different from traditional imperative programming languages (C++, Java, etc.), it is about “what to do”, without considering many details of “how to do”, for solving a problem. ASP allows us to adopt mature ASP solvers that have been proved to work well in practice. Moreover, its rich modeling language eases the understanding and explanation of the problem. With the advantage of ASP, we do not need to implement a variety of specific conflict resolution algorithm, only to describe the constraints problem with ASP modeling language. The case of role mining problem is the same, and the problem can also be solved with ASP approach. Finally, we compute an answer set of the ASP program with ASP solver, and extract the solution if the problem is solvable.
The main contributions of this paper are as follows.
- •
This paper proposes a novel role mining approach using ASP that can comply with various kinds of constraints and meet multi-objective optimization at the same time, namely constrained role miner (CRM).
- •
This paper presents experiments to demonstrate the effectiveness of our approach. According to experimental evaluation, CRM is also better than the existing role mining approaches in case of no constraints.
The rest of the paper is organized as follows. We discuss related work in Section 2. In Section 3, we review the notions of role mining problem and the main concepts of ASP. In Section 4, we describe constrained role miner and demonstrate how CRM works by using ASP. In Section 5, we show the results of experiment. Finally, we conclude the paper and discuss future works in Section 6.
Section snippets
Related work
There are two basic role engineering approaches: top-down and bottom-up. While the top-down approach defines roles by examining the business processes, the bottom-up approach has been proposed to use data mining techniques to build RBAC system.
Coyne [16] firstly defined the role engineering problem and proposed the concepts of the top-down approach. Kuhlmann et al. [17] proposed the concepts of role mining and how to use data mining techniques for finding roles from user-permission
Preliminaries
In this section, we will review the main concepts of ASP and the notions of role mining problem and constraint.
Computational complexity
The computational complexity of the Role Mining Problem (and of some of its variants) was considered in several papers. In this section we define the decisional version of the Role Mining With Constraints Problem and we show that it is NP-hard. Next we recall the decisional version of the Role Mining Problem.
Definition 8 Role Mining Decision Problem Given a set of users , a set of permissions , a user-permission assignment , and a positive integer , are there a set of roles , a user-to-role assignment , and a
Evaluation results
In this section, we evaluate the effectiveness of role mining using ASP. To study the performance of role mining using ASP, we implement CRM and run it on three datasets, including university, healthcare and Domino. The university datasets was used to evaluate algorithm by Molloy et al. [10]. The healthcare data was from the US Veteran’s Administration; the Domino data was from a Lotus Domino server. Meanwhile, we use eight important role mining algorithms to compare with
Conclusions
While there are many role mining approaches that have been proposed recently, none of existing role mining algorithms can simultaneously satisfy various constraints, which usually describe organizations’ security and business requirements. To strengthen the ability of role mining technology, this paper proposes a novel role mining approach using answer set programming that can comply with various constraints and meet various optimization objectives, namely constrained role miner(CRM). To study
Acknowledgments
This work is supported by National Natural Science Foundation of China under grants 61173170, 61300222, 61433006 and U1401258, National High Technology Research and Development Program of China under grant 2007AA01Z403, and Innovation Fund of Huazhong University of Science and Technology under grants 2013QN120, 2012TS052 and 2012TS053.
Wei Ye received his M.S. degree from college of computer science and technology at Huazhong University of Science and Technology in 2007. Now he is a Ph.D candidate in the Intelligent and Distribute computing lab, college of computer science and technology, Huazhong University of Science and Technology. His research interest includes access control and system security.
References (24)
- et al.
Role-based access control models
IEEE Computer
(1996) - et al.
Proposed NIST standard for role-based access control
ACM Trans. Inf. Syst. Secur. (TISSEC)
(2001) - P. Epstein, R. Sandhu, Engineering of role/permission assignments, in: Annual Computer Security Applications Conference...
- A. Kern, M. Kuhlmann, A. Schaad, J. Moffett, Observations on the role life-cycle in the context of enterprise security...
- I. Molloy, N. Li, T. Li, Z. Mao, Q. Wang, J. Lobo, Evaluating role mining algorithms, in: Proceedings of the 14th ACM...
- J. Vaidya, V. Atluri, Q. Guo, The role mining problem:finding a minimal descriptive set of roles, in: Proceedings of...
- D. Zhang, K. Ramamohanarao, T. Ebringer, Role engineering using graph optimisation, in: Proceedings of the 12th ACM...
- A. Ene, W. Horne, N. Milosavljevic, P. Rao, R. Schreiber, R.E. Tarjan, Fast exact and heuristic methods for role...
- Q. Guo, J. Vaidya, V. Atluri, The role hierarchy mining problem: Discovery of optimal role hierarchies, in: Annual...
- et al.
Mining roles with multiple objectives
ACM Trans. Inf. Syst. Secur. (TISSEC)
(2010)
Role-based authorization constraints specification
ACM Trans. Inf. Syst. Secur. (TISSEC)
Cited by (10)
An improved minimal noise role mining algorithm based on role interpretability
2023, Computers and SecurityRole recommender-RBAC: Optimizing user-role assignments in RBAC
2021, Computer CommunicationsCitation Excerpt :Here, the role assignments to the users and permissions are enabled only for a set of time intervals. In constraint role miner [16], a proposed role mining algorithm complies with various kinds of constraints for optimizing the role assignments to the users and permissions. All the above role mining approaches maintain LPP by optimizing role assignments to the users as well as permissions, which are closely compatible with the user-permission assignments.
Advanced approach of sliding window based erasable pattern mining with list structure of industrial fields
2019, Information SciencesCitation Excerpt :Data mining is a series of processes for Knowledge Discovering in Databases (KDD), and various relevant approaches have been proposed such as classification [6,33], clustering [10,15,39], prediction [9], and association rule or pattern mining methods [1,11,14,25]. Moreover, the merits of data mining have also attracted the development of various real world applications such as electronic commerce management [7], bio-data analysis [8,24], online workflow analysis [16], sensor data analysis [28], and other interesting studies [27,36]. In addition, the merits of pattern mining have led to various types of variation studies such as representative pattern mining [20,42,43], weighted pattern mining [3,35], high utility pattern mining [30,32,38], Top-k pattern mining [26,31], uncertain pattern mining [2,19], and stream pattern mining [4,5,29,37,41].
Single-pass based efficient erasable pattern mining using list data structure on dynamic incremental databases
2018, Future Generation Computer SystemsCitation Excerpt :With the passage of time, more and more data have been accumulated in different application areas. In order to find interesting knowledge from such data, researchers have proposed various data mining techniques such as pattern mining (association rule mining) [1–5], clustering [6,7], and classification [8,9], and various applications such as social network analysis [10], electronic commerce management [11], bio research [12], multi-dimensional network analysis [13], online workflow analysis [14], and role-based access control [15]. Especially, extensive utilization of pattern mining has attracted wide research attentions and development of various approaches such as high utility pattern mining [16–18], uncertain pattern mining [19], representative pattern mining [20–22], Top-k pattern mining [18,23], weighted pattern mining [24,36], and stream pattern mining [17].
Trust, Security and Privacy in Emerging Distributed Systems
2016, Future Generation Computer Systems
Wei Ye received his M.S. degree from college of computer science and technology at Huazhong University of Science and Technology in 2007. Now he is a Ph.D candidate in the Intelligent and Distribute computing lab, college of computer science and technology, Huazhong University of Science and Technology. His research interest includes access control and system security.
Ruixuan Li received the BS, MS, and Ph.D. degrees in computer science from Huazhong University of Science and Technology in 1997, 2000, and 2004 respectively. He is currently a professor in the School of Computer Science and Technology at Huazhong University of Science and Technology, Wuhan, China. His research interests include distributed data management, peer-to-peer computing, social network, and distributed system security. He is a member of the IEEE and ACM.
Xiwu Gu received the BS, MS, and Ph.D. degrees in computer science from Huazhong University of Science and Technology in 1989, 1998, and 2007 respectively. He is currently a lecturer in the School of Computer Science and Technology at Huazhong University of Science and Technology, Wuhan, China. His research interests include distributed computing, data mining, social computing. He is a member of the China Computer Federation (CCF).
Yuhua Li received the Ph.D. degree in computer science from Huazhong University of Science and Technology in 2006. She is currently an associate professor in the School of Computer Science and Technology at Huazhong University of Science and Technology, Wuhan, China. Her research interests include link mining, social net work mining, graph mining, knowledge engineering, Semantic Web and ontology. She is a senior member of the China Computer Federation (CCF).
Kunmei Wen received the BS, MS, and Ph.D. degrees in computer science from Huazhong University of Science and Technology in 2000, 2003, and 2007, respectively. She is currently an associate professor in the School of Computer Science and Technology at Huazhong University of Science and Technology, Wuhan, China. Her research interests include data management, social network, and information retrieval.