DOI: 10.1145/3359789.3359805
Research article (Public Access)

Mining least privilege attribute based access control policies

Published: 09 December 2019 Publication History

Abstract

Creating effective access control policies is a significant challenge for many organizations. Over-privilege increases the security risk from compromised credentials, insider threats, and accidental misuse; under-privilege prevents users from performing their duties. Policies must therefore balance the competing goals of minimizing under-privilege and minimizing over-privilege. The Attribute Based Access Control (ABAC) model has been gaining popularity in recent years because of its advantages in granularity, flexibility, and usability: ABAC allows administrators to create policies based on attributes of users, operations, resources, and the environment. In practice, however, it is often very difficult to create ABAC policies that minimize both under-privilege and over-privilege, especially for large and complex systems, because their ABAC privilege spaces are typically gigantic. In this paper, we take a rule mining approach, mining systems' audit logs to automatically generate ABAC policies that minimize both under-privilege and over-privilege. We propose a rule mining algorithm for creating ABAC policies, a policy scoring algorithm for evaluating ABAC policies from the least privilege perspective, and performance optimization methods for dealing with the challenges of large ABAC privilege spaces. Using a large dataset of 4.7 million Amazon Web Services (AWS) audit log events, we demonstrate that our automated approach can effectively generate least privilege ABAC policies, and can generate policies with less over-privilege and under-privilege than a Role Based Access Control (RBAC) approach. Overall, we hope our work can help promote a wider and faster deployment of the ABAC model, and can help unleash the advantages of ABAC to better protect large and complex computing systems.
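The pipeline the abstract describes (a privilege space spanned by attributes, rules mined from audit events, a policy scored by its over-privilege and under-privilege, and a role-based baseline for comparison), as an added example. This is illustration code written for this page, not the authors' implementation: the attribute names `team`, `action` and `env`, the sample events, the greedy confidence-threshold miner and the unit scoring weights are all assumptions, and the real paper's algorithms and optimizations are not reproduced here. It runs offline on the constructed events.

```python
"""Added example (not the paper's code): mine ABAC rules from constructed
CloudTrail-style events and score policies for over- and under-privilege."""
from collections import Counter
from itertools import combinations, product

# A privilege is a tuple over one user attribute, the operation, and one
# resource attribute. These attribute names are an assumption of this example.
ATTRS = ("team", "action", "env")

# Constructed sample events (not real CloudTrail data), reduced to ATTRS.
# One event is one observed exercise of a privilege.
EVENTS = [
    {"team": "data", "action": "s3:GetObject", "env": "prod"},
    {"team": "data", "action": "s3:GetObject", "env": "dev"},
    {"team": "data", "action": "s3:PutObject", "env": "dev"},
    {"team": "data", "action": "athena:StartQueryExecution", "env": "prod"},
    {"team": "data", "action": "athena:StartQueryExecution", "env": "dev"},
    {"team": "ops", "action": "ec2:DescribeInstances", "env": "prod"},
    {"team": "ops", "action": "ec2:DescribeInstances", "env": "dev"},
    {"team": "ops", "action": "ec2:StopInstances", "env": "prod"},
    {"team": "ops", "action": "ec2:StopInstances", "env": "dev"},
    {"team": "ops", "action": "ec2:StartInstances", "env": "prod"},
    {"team": "ops", "action": "s3:GetObject", "env": "prod"},
]


def privilege_space(events):
    """Every combination of observed attribute values (24 tuples here)."""
    values = [sorted({e[a] for e in events}) for a in ATTRS]
    return set(product(*values))


def observed(events):
    """Distinct exercised privileges, with how often each appeared."""
    return Counter(tuple(e[a] for a in ATTRS) for e in events)


def matches(rule, priv):
    """A rule is a conjunction of (attribute, value) constraints."""
    return all(priv[ATTRS.index(a)] == v for a, v in rule)


def permitted(policy, space):
    """Privileges granted by a policy: the union of its rules' matches."""
    return {p for p in space if any(matches(r, p) for r in policy)}


def score(policy, events, w_over=1.0, w_under=1.0):
    """Least-privilege score, lower is better. Over-privilege counts
    permitted-but-never-exercised tuples; under-privilege counts exercised-
    but-denied tuples, weighted by how often they were exercised."""
    space, obs = privilege_space(events), observed(events)
    perm = permitted(policy, space)
    over, under = perm - set(obs), set(obs) - perm
    return {"rules": len(policy), "over": len(over), "under": len(under),
            "score": w_over * len(over) + w_under * sum(obs[p] for p in under)}


def mine_rules(events, min_confidence=1.0):
    """Greedy set cover over candidate rules. A candidate is any projection
    of an exercised privilege; its confidence is the share of the tuples it
    permits that were actually exercised. Lowering min_confidence trades
    over-privilege for fewer, more general rules."""
    space, obs = privilege_space(events), observed(events)
    candidates = set()
    for priv in obs:
        for k in range(1, len(ATTRS) + 1):
            for idx in combinations(range(len(ATTRS)), k):
                candidates.add(tuple((ATTRS[i], priv[i]) for i in idx))
    stats = {}  # rule -> (exercised tuples it covers, confidence)
    for rule in candidates:
        perm = {p for p in space if matches(rule, p)}
        hit = perm & set(obs)
        stats[rule] = (hit, len(hit) / len(perm))
    policy, uncovered = [], set(obs)
    while uncovered:  # terminates: the exact-tuple rule always qualifies
        rule = min(
            (r for r, (_, conf) in stats.items() if conf >= min_confidence),
            key=lambda r: (-len(stats[r][0] & uncovered), len(r), -stats[r][1], r),
        )
        policy.append(rule)
        uncovered -= stats[rule][0]
    return policy


def rbac_baseline(events):
    """Role-per-team baseline: each role gets every action its members used,
    in every environment, because the resource attribute is not part of it."""
    return sorted({(("team", e["team"]), ("action", e["action"])) for e in events})


if __name__ == "__main__":
    for name, policy in (("ABAC, min_confidence=1.0", mine_rules(EVENTS, 1.0)),
                         ("ABAC, min_confidence=0.75", mine_rules(EVENTS, 0.75)),
                         ("RBAC, role=team", rbac_baseline(EVENTS)),
                         ("hand-written: team=ops only", [(("team", "ops"),)])):
        print(f"{name:30} {score(policy, EVENTS)}")
```

On these events, `min_confidence=1.0` yields seven rules that permit exactly the eleven exercised tuples (zero over- and under-privilege, but little more than a restatement of the log); `min_confidence=0.75` generalizes `s3:GetObject` to every team and environment, giving six rules at the cost of one tuple nobody exercised; and the role-per-team baseline, which cannot see `env`, grants three unexercised tuples. Two caveats a practitioner should keep in mind: this toy enumerates the whole privilege space, which is precisely what the abstract says does not scale and what the paper's performance optimizations address; and a policy mined from a window of audit events treats every legitimate action that did not happen to occur in that window as under-privilege, i.e. a denial, once deployed.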

    Published In

    ACSAC '19: Proceedings of the 35th Annual Computer Security Applications Conference
    December 2019, 821 pages
    ISBN: 9781450376280
    DOI: 10.1145/3359789
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. ABAC
    2. machine learning
    3. principle of least privilege
    4. rule mining

    Qualifiers

    • Research-article

    Conference

    ACSAC '19
    ACSAC '19: 2019 Annual Computer Security Applications Conference
    December 9 - 13, 2019
    San Juan, Puerto Rico, USA

    Acceptance Rates

    ACSAC '19 Paper Acceptance Rate 60 of 266 submissions, 23%;
    Overall Acceptance Rate 104 of 497 submissions, 21%

    Article Metrics

    • Downloads (Last 12 months)322
    • Downloads (Last 6 weeks)40
    Reflects downloads up to 05 Mar 2025

    Cited By

    • Privacy-preserving attribute-based access control using homomorphic encryption. Cybersecurity 8:1 (2025). DOI: 10.1186/s42400-024-00323-8. Online: 22 Jan 2025.
    • ESX: A Self-Generated Control Policy for Remote Access With SSH Based on eBPF. IEEE Access 13 (2025), 6487-6506. DOI: 10.1109/ACCESS.2024.3450496.
    • ZTCloudGuard: Zero Trust Context-Aware Access Management Framework to Avoid Medical Errors in the Era of Generative AI and Cloud-Based Health Information Ecosystems. AI 5:3 (2024), 1111-1131. DOI: 10.3390/ai5030055. Online: 8 Jul 2024.
    • Automatically Reducing Privilege for Access Control Policies. Proceedings of the ACM on Programming Languages 8:OOPSLA2 (2024), 763-790. DOI: 10.1145/3689738. Online: 8 Oct 2024.
    • eGBox: A Secure Shell Runtime based on eBPF. Proceedings of the 2024 6th International Conference on Big-data Service and Intelligent Computation, 26-34. DOI: 10.1145/3686540.3686544. Online: 29 May 2024.
    • Towards More Effective Insider Threat Countermeasures: A Survey of Approaches for Addressing Challenges and Limitations. 2024 IEEE International Systems Conference (SysCon), 1-8. DOI: 10.1109/SysCon61195.2024.10553441. Online: 15 Apr 2024.
    • Hierarchical password capabilities. International Journal of Parallel, Emergent and Distributed Systems 39:5 (2024), 572-588. DOI: 10.1080/17445760.2024.2376316. Online: 9 Jul 2024.
    • ABAC policy mining method based on hierarchical clustering and relationship extraction. Computers and Security 139:C (2024). DOI: 10.1016/j.cose.2024.103717. Online: 16 May 2024.
    • Enhancing Cross-Device Security with Fine-Grained Permission Control. Security and Privacy in Communication Networks (2024), 101-121. DOI: 10.1007/978-3-031-64954-7_6. Online: 15 Oct 2024.
    • Multiview. Proceedings of the 32nd USENIX Conference on Security Symposium (2023), 7499-7516. DOI: 10.5555/3620237.3620657. Online: 9 Aug 2023.
