skip to main content
10.1145/2133601.2133613acmconferencesArticle/Chapter ViewAbstractPublication PagescodaspyConference Proceedingsconference-collections
research-article

Discovering access-control misconfigurations: new approaches and evaluation methodologies

Published: 07 February 2012 Publication History

Abstract

Accesses that are not permitted by implemented policy but that share similarities with accesses that have been allowed, may be indicative of access-control policy misconfigurations. Identifying such misconfigurations allows administrators to resolve them before they interfere with the use of the system. We improve upon prior work in identifying such misconfigurations in two main ways. First, we develop a new methodology for evaluating misconfiguration prediction algorithms and applying them to real systems. We show that previous evaluations can substantially overestimate the benefits of using such algorithms in practice, owing to their tendency to reward predictions that can be deduced to be redundant. We also show, however, that these and other deductions can be harnessed to substantially recover the benefits of prediction. Second, we propose an approach that significantly simplifies the use of misconfiguration prediction algorithms. We remove the need to hand-tune (and empirically determine the effects of) various parameters, and instead replace them with a single, intuitive tuning parameter. We show empirically that this approach is generally competitive in terms of benefit and accuracy with algorithms that require hand-tuned parameters.

References

[1]
M. Abedin, S. Nessa, L. Khan, E. Al-Shaer, and M. Awad. Analysis of firewall policy rules using traffic mining techniques. International Journal of Internet Protocol Technology, 5:3--22, Apr. 2010.
[2]
R. Agrawal, T. Imielinski, and A. Swami. Mining association rules between sets of items in large databases. In ACM SIGMOD International Conference on Management of Data, pages 207--216, May 1993.
[3]
E. S. Al-Shaer and H. H. Hamed. Discovery of policy anomalies in distributed firewalls. In 23rd INFOCOM, March 2004.
[4]
A. W. Appel and E. W. Felten. Proof-carrying authentication. In 6th ACM Conference on Computer and Communications Security, 1999.
[5]
Y. Bartal, A. J. Mayer, K. Nissim, and A. Wool. Firmato: A novel firewall management toolkit. In 1999 IEEE Symposium on Security and Privacy, May 1999.
[6]
L. Bauer, S. Garriss, J. M. McCune, M. K. Reiter, J. Rouse, and P. Rutenbar. Device-enabled authorization in the Grey system. In Information Security: 8th International Conference, ISC 2005, volume 3650 of Lecture Notes in Computer Science, pages 431--445, Sept. 2005.
[7]
L. Bauer, S. Garriss, and M. K. Reiter. Detecting and resolving policy misconfigurations in access-control systems. ACM Transactions on Information and System Security, 14(1), May 2011.
[8]
T. Das, R. Bhagwan, and P. Naldurg. Baaz: A system for detecting access control misconfigurations. In 19th USENIX Security Symposium, Aug. 2010.
[9]
K. El-Arini and K. Killourhy. Bayesian detection of router configuration anomalies. In 2005 ACM SIGCOMM Workshop on Mining Network Data, August 2005.
[10]
T. Jaeger, A. Edwards, and X. Zhang. Policy management using access control spaces. ACM Transaction on Information and System Security, 6(3):327--364, 2003.
[11]
M. Kuhlmann, D. Shohat, and G. Schimpf. Role mining-revealing business roles for security administration using data mining technology. In 8th ACM Symposium on Access Control Models and Technologies, June 2003.
[12]
F. Le, S. Lee, T. Wong, H. Kim, and D. Newcomb. Detecting network-wide and router-specific misconfigurations through data mining. IEEE/ACM Transactions on Networking (TON), 17(1):66--79, 2009.
[13]
F. Le, S. Lee, T. Wong, H. S. Kim, and D. Newcomb. Minerals: Using data mining to detect router misconfigurations. In MineNet '06: 2006 SIGCOMM Workshop on Mining Network Data, pages 293--298, 2006.
[14]
A. Mayer, A. Wool, and E. Ziskind. Fang: A firewall analysis engine. In 2000 IEEE Symposium on Security and Privacy, May 2000.
[15]
I. Molloy, H. Chen, T. Li, Q. Wang, N. Li, E. Bertino, S. Calo, and J. Lobo. Mining roles with semantic meanings. In 13th ACM Symposium on Access Control Models and Technologies, pages 21--30, 2008.
[16]
I. Molloy, N. Li, T. Li, Z. Mao, Q. Wang, and J. Lobo. Evaluating role mining algorithms. In 14th ACM Symposium on Access Control Models and Technologies, pages 95--104, 2009.
[17]
T. Scheffer. Finding association rules that trade support optimally against confidence. Intelligent Data Analysis, 9(4):381--395, 2005.
[18]
G. Stevens and V. Wulf. Computer-supported access control. ACM Trans. Comput.-Hum. Interact., 16:12:1--12:26, September 2009.
[19]
J. Vaidya, V. Atluri, and Q. Guo. The role mining problem: Finding a minimal descriptive set of roles. In 12th ACM Symposium on Access Control Models and Technologies, 2007.
[20]
A. Wool. Architecting the Lumeta firewall analyzer. In 10th USENIX Security Symposium, 2001.
[21]
L. Yuan, J. Mai, Z. Su, H. Chen, C.-N. Chuah, and P. Mohapatra. FIREMAN: A toolkit for FIREwall modeling and ANalysis. In 2006 IEEE Symposium on Security & Privacy, 2006.

Cited By

View all
  • (2024)Permission Governance Method Based on Separation of Responsibilities2024 IEEE 7th Information Technology, Networking, Electronic and Automation Control Conference (ITNEC)10.1109/ITNEC60942.2024.10732997(1165-1169)Online publication date: 20-Sep-2024
  • (2016)Access Control Synthesis for Physical Spaces2016 IEEE 29th Computer Security Foundations Symposium (CSF)10.1109/CSF.2016.38(443-457)Online publication date: Jun-2016
  • (2016)The Search for Trust EvidenceCyber Security10.1007/978-3-319-28313-5_3(34-45)Online publication date: 8-Jan-2016
  • Show More Cited By

Index Terms

  1. Discovering access-control misconfigurations: new approaches and evaluation methodologies

        Recommendations

        Comments

        Information & Contributors

        Information

        Published In

        cover image ACM Conferences
        CODASPY '12: Proceedings of the second ACM conference on Data and Application Security and Privacy
        February 2012
        338 pages
        ISBN:9781450310918
        DOI:10.1145/2133601
        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

        Sponsors

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        Published: 07 February 2012

        Permissions

        Request permissions for this article.

        Check for updates

        Author Tags

        1. access control
        2. machine learning
        3. misconfiguration

        Qualifiers

        • Research-article

        Conference

        CODASPY'12
        Sponsor:

        Acceptance Rates

        CODASPY '12 Paper Acceptance Rate 21 of 113 submissions, 19%;
        Overall Acceptance Rate 149 of 789 submissions, 19%

        Contributors

        Other Metrics

        Bibliometrics & Citations

        Bibliometrics

        Article Metrics

        • Downloads (Last 12 months)2
        • Downloads (Last 6 weeks)0
        Reflects downloads up to 25 Feb 2025

        Other Metrics

        Citations

        Cited By

        View all
        • (2024)Permission Governance Method Based on Separation of Responsibilities2024 IEEE 7th Information Technology, Networking, Electronic and Automation Control Conference (ITNEC)10.1109/ITNEC60942.2024.10732997(1165-1169)Online publication date: 20-Sep-2024
        • (2016)Access Control Synthesis for Physical Spaces2016 IEEE 29th Computer Security Foundations Symposium (CSF)10.1109/CSF.2016.38(443-457)Online publication date: Jun-2016
        • (2016)The Search for Trust EvidenceCyber Security10.1007/978-3-319-28313-5_3(34-45)Online publication date: 8-Jan-2016
        • (2013)Uncovering access control weaknesses and flaws with security-discordant software clonesProceedings of the 29th Annual Computer Security Applications Conference10.1145/2523649.2523650(209-218)Online publication date: 9-Dec-2013
        • (2013)Property-testing real-world authorization systemsProceedings of the 18th ACM symposium on Access control models and technologies10.1145/2462410.2463207(225-236)Online publication date: 12-Jun-2013

        View Options

        Login options

        View options

        PDF

        View or Download as a PDF file.

        PDF

        eReader

        View online with eReader.

        eReader

        Figures

        Tables

        Media

        Share

        Share

        Share this Publication link

        Share on social media