arXiv:2003.07270v4 [cs.CR] 30 Jan 2021

An Automatic Attribute Based Access Control Policy Extraction from Access Logs

Leila Karimi, Student Member, IEEE, Maryam Aldairi, Student Member, IEEE, James Joshi, Senior Member, IEEE, and Mai Abdelhakim, Member, IEEE

Abstract: With the rapid advances in computing and information technologies, traditional access control models have become inadequate in terms of capturing the fine-grained and expressive security requirements of newly emerging applications. An attribute-based access control (ABAC) model provides a more flexible approach to addressing the authorization needs of complex and dynamic systems. While organizations are interested in employing newer authorization models, migrating to such models poses a significant challenge. Many large-scale businesses need to grant authorizations to their user populations that are potentially distributed across disparate and heterogeneous computing environments. Each of these computing environments may have its own access control model. The manual development of a single policy framework for an entire organization is tedious, costly, and error-prone. In this paper, we present a methodology for automatically learning ABAC policy rules from the access logs of a system to simplify the policy development process. The proposed approach employs an unsupervised learning-based algorithm for detecting patterns in access logs and extracting ABAC authorization rules from these patterns. In addition, we present two policy improvement algorithms, rule pruning and policy refinement, to generate a higher quality mined policy. Finally, we implement a prototype of the proposed approach to demonstrate its feasibility.

Index Terms: Access Control, Attribute Based Access Control, Policy Mining, Policy Engineering, Machine Learning, Clustering.


1 INTRODUCTION

Access control systems are critical components of information systems that help protect information resources from unauthorized access. Various access control models and approaches have been proposed in the literature, including Discretionary Access Control (DAC) [1], [2], Mandatory Access Control (MAC) [3], [4], and Role-Based Access Control (RBAC) [5]. However, with the rapid advances in newer computing and information technologies (e.g., social networks, Internet of Things (IoT), cloud/edge computing, etc.), existing access control (AC) approaches have become inadequate in providing flexible and expressive authorization services [6]. For example, a health care environment requires a more expressive AC model that meets the needs of patients, health care providers, as well as other stakeholders in the health care ecosystem [7], [8]. Attribute Based Access Control (ABAC) models present a promising approach that addresses newer challenges in emerging applications [9]. An ABAC approach grants access rights to users based on the attributes of entities in the system (i.e., user attributes, object attributes, and environmental conditions) and a set of authorization rules.

L. Karimi, M. Aldairi, and J. Joshi are with the School of Computing and Information, University of Pittsburgh. M. Abdelhakim is with Electrical and Computer Engineering, Swanson School of Engineering, University of Pittsburgh. Email addresses: {leila.karimi, ma.aldairi, jjoshi, and maia}@pitt.edu

© 2021 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, including reprinting/republishing this material for advertising or promotional purposes, collecting new collected works for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

Although organizations and developers are interested in employing the next generation of AC models, adopting such policy frameworks poses a significant challenge. Many large organizations need to grant authorization to their vast user populations distributed across disparate computing environments, including legacy systems. Each of these computing environments may have its own AC model. The manual development of a single policy for the entire organization is tedious and error-prone. Policy Mining techniques have been proposed in the literature to address such challenges and to help organizations cut the cost, time, and error of policy development/management. Policy mining algorithms ease the migration to more recent/appropriate authorization models by completely (or partially) automating the process of constructing AC policies.

Policy mining techniques were first introduced for developing RBAC policies. Kuhlmann et al. coined the term "role mining" to refer to a data mining approach that constructs roles from a given permission assignment dataset [10]; this work was followed by various role mining techniques, such as [11], [12], [13]. Although the proposed approaches are beneficial in developing optimal sets of roles, they are not applicable to extracting ABAC policies.

Xu and Stoller were the first to study the problem of mining ABAC policies from given access control matrices or logs [14], [15]. Following that, several researchers have investigated various ABAC policy mining techniques [16], [17], [18]. However, these studies suffer from several limitations, as follows:

• First, the existing approaches do not support mining authorization rules with negative filters. An ABAC policy rule can be comprised of a set of positive and negative filters. Negative filters are useful in scenarios where an exception needs to be expressed. For example, a healthcare provider can express the following rule using a negative attribute filter: "A nurse can read a patient's record except for payment purposes." Using negative filters in rule expressions results in a more concise authorization policy (Section 5).

• Second, some proposed approaches such as [14], [15], [17] are unable to mine a high-quality policy when the given access log is not complete, in the sense that not every possible combination of attribute values is included in the access log (Section 3).

• Third, the proposed approaches are unable to mine a policy from noisy access logs containing over-assignments and under-assignments [16], [18]. Having noisy access records is a common problem in evolving domains such as IoT or social networks [19]. It is essential that an ABAC policy miner be capable of handling a reasonable amount of noise in order to be applicable to real-world applications.

• Last but not least, the existing approaches do not include techniques for improving the mined policy after the first round of policy extraction. In addition, in scenarios where the authorization policies may change over time (such as in social networks with the addition and removal of various applications), these approaches do not provide any guidelines for adjusting the policy. This makes practical deployment of these approaches very difficult.

Furthermore, none of the existing work addresses these issues in an integrated way. In this paper, we propose a machine learning based ABAC policy mining approach to address these challenges. To summarize, the primary contributions of this paper are as follows:

1) We propose an unsupervised learning based approach to extract ABAC policy rules that contain both positive and negative attribute filters as well as positive and negative relation conditions.

2) The proposed policy mining approach is effective even with an incomplete set of access logs and in the presence of noise.

3) As part of the unsupervised learning based approach, we propose the rule pruning and policy refinement algorithms to enhance the quality of the mined policy and to ease its maintenance.

4) We propose a policy quality metric based on policy correctness and conciseness to be able to compare different sets of mined policy rules and to select the best one based on some given criteria.

5) We implement a prototype of the proposed model and evaluate it using various ABAC policies to show its efficiency and effectiveness.

To the best of our knowledge, our proposed approach is the first unsupervised learning based ABAC policy mining method that can be used to extract ABAC policies with both positive and negative attribute and relationship filters.

The rest of the paper is organized as follows. In Section 2, we overview the ABAC model and its policy language as well as the unsupervised learning algorithm. In Section 3, we define the ABAC policy extraction problem, discuss the related challenges, and introduce the metrics for evaluating the extracted policy. In Section 4, we present the proposed ABAC policy extraction approach. In Section 5, we present the evaluation of the proposed approach on various sets of policies. We present the related work in Section 6 and the conclusions and future work in Section 8.

2 PRELIMINARIES

In this section, we overview ABAC, the ABAC policy language, and the unsupervised learning algorithm.

2.1 ABAC Model

In 2013, NIST published a "Guide to ABAC Definition and Consideration" [9], according to which "the ABAC engine can make an access control decision based on the assigned attributes of the requester, the assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions." Throughout the paper, we use user attributes, object attributes, and session attributes to refer to the attributes of the requester, the attributes of the object, and the environmental attributes/conditions, respectively.

Accordingly, $U$, $O$, $S$, and $OP$ are the sets of users, objects, sessions, and operations in a system, and user attributes ($A_u$), object attributes ($A_o$), and session attributes ($A_s$) are mappings of subject attributes, object attributes, and environmental attributes as defined in the NIST Guide [9]. $E = U \cup O \cup S$ and $A = A_u \cup A_o \cup A_s$ are the sets of all entities and all attributes in the system, respectively.

Definition 1. (Attribute Range). Given an attribute $a \in A$, the attribute range $V_a$ is the set of all valid values for $a$ in the system.

Definition 2. (Attribute Function). Given an entity $e \in E$, an attribute function $f_{a_e}$ is a function that maps an entity to a specific value from the attribute range. Specifically, $f_{a_e}(e, a)$ returns the value of attribute $a$ for entity $e$.

Example 1. $f_{a_e}(\mathit{John}, \mathit{position}) = \mathit{faculty}$ indicates that the value of attribute position for user John is faculty.

Example 2. $f_{a_e}(\mathit{dep1}, \mathit{crs}) = \{cs101, cs601, cs602\}$ indicates that the value of attribute crs for object dep1 is the set $\{cs101, cs601, cs602\}$.

Each attribute in the system can be single-valued (atomic) or multi-valued (set). In Example 1, position is a single-valued attribute, while crs in Example 2 is a multi-valued attribute. For simplicity, we consider only atomic attributes in this work. The process of extracting an ABAC policy with multi-valued attributes is exactly the same as that with atomic attributes; however, the data must be pre-processed to convert each multi-valued attribute into a set of atomic attributes. This can be done using various techniques such as defining dummy variables [20], the 1-of-$K$ scheme [21], etc. At the end of the process, once the policy rules are extracted, one more step is needed to convert the atomic attribute filters back to the corresponding multi-valued attribute filters.
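The two-step pre-processing just described, as an added example that is not part of the paper: a 1-of-$K$ expansion of a set-valued attribute into boolean atomic attributes, and the reverse mapping that turns a mined atomic filter (positive or negative) back into a condition on the original multi-valued attribute. The sample objects and the attribute name `crs` are constructed after Example 2.

```python
# Added example (not the paper's code): 1-of-K expansion of a multi-valued
# attribute into atomic boolean attributes, and the reverse mapping of mined
# atomic filters back to the multi-valued attribute. Sample data is constructed.

def expand_multivalued(entities, attr):
    """Replace set-valued `attr` by one boolean atomic attribute 'attr=v' per value v in V_attr."""
    value_range = sorted({v for attrs in entities.values() for v in attrs.get(attr, ())})
    expanded = {}
    for name, attrs in entities.items():
        atomic = {k: v for k, v in attrs.items() if k != attr}
        for v in value_range:
            # an entity without the attribute at all gets False for every value
            atomic[attr + "=" + v] = v in attrs.get(attr, ())
        expanded[name] = atomic
    return expanded, value_range

def collapse_filter(atomic_filter):
    """Map a mined atomic filter (attr=v, flag, negated) back to the multi-valued attribute.

    <attr=v, True> and <attr=v, !False> both mean 'attr contains v';
    <attr=v, False> and <attr=v, !True> both mean 'attr excludes v'.
    """
    name, flag, negated = atomic_filter
    attr, _, value = name.partition("=")
    return (attr, value, "contains" if flag != negated else "excludes")

# Constructed objects in the spirit of Example 2 (crs is a set-valued attribute).
SAMPLE_OBJECTS = {
    "dep1": {"kind": "dept", "crs": {"cs101", "cs601", "cs602"}},
    "dep2": {"kind": "dept", "crs": {"cs101"}},
    "lab1": {"kind": "lab"},   # has no crs attribute
}
```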

Attribute filters are used to denote the sets of users, objects, and sessions to which an authorization rule applies.


Definition 3. (Attribute Filter). An attribute filter is defined as a set of tuples $\mathcal{F} = \{\langle a, v \,|\, !v\rangle \mid a \in A \text{ and } v \in V_a\}$. Here $\langle a, v\rangle$ is a positive attribute filter tuple that indicates $a$ has value $v$, and $\langle a, !v\rangle$ is a negative attribute filter tuple that indicates $a$ has any value in its range except $v$.

Example 3. The tuple $\langle \mathit{label}, \,!\mathit{top\text{-}secret}\rangle$ points to all entities in the system whose security label attribute "label" does not have the value "top-secret".

Definition 4. (Attribute Filter Satisfaction). An entity $e \in E$ satisfies an attribute filter $\mathcal{F}$, denoted as $e \models \mathcal{F}$, iff

$$\forall \langle a_i, v_i\rangle \in \mathcal{F}: f_{a_e}(e, a_i) = v_i \;\wedge\; \forall \langle a_i, !v_i\rangle \in \mathcal{F}: f_{a_e}(e, a_i) \neq v_i.$$

Example 4. Suppose $A_u = \{\mathit{dept}, \mathit{position}, \mathit{courses}\}$. The set of tuples $\mathcal{F}_U = \{\langle \mathit{dept}, CS\rangle, \langle \mathit{position}, \mathit{grad}\rangle\}$ denotes a user attribute filter. Here, the graduate students in the CS department satisfy $\mathcal{F}_U$.

Definition 5. (Relation Condition). A relation condition is defined as a set of tuples $\mathcal{R} = \{\langle a, b \,|\, !b\rangle \mid a, b \in A \wedge a \neq b\}$. Here $\langle a, b\rangle$ is a positive relation condition tuple that indicates $a$ and $b$ have the same values, and $\langle a, !b\rangle$ is a negative relation condition tuple that indicates $a$ and $b$ do not have the same values.

A relation is used in a rule to denote the equality condition between two attributes of users, objects, or sessions. Note that the two attributes in the relation condition must have the same range.

Definition 6. (Relation Condition Satisfaction). An entity $e \in E$ satisfies a relation condition $\mathcal{R}$, denoted as $e \models \mathcal{R}$, iff

$$\forall \langle a_i, b_i\rangle \in \mathcal{R}: f_{a_e}(e, a_i) = f_{a_e}(e, b_i) \;\wedge\; \forall \langle a_i, !b_i\rangle \in \mathcal{R}: f_{a_e}(e, a_i) \neq f_{a_e}(e, b_i).$$

Definition 7. (Access Request). An access request is a tuple $q = \langle u, o, s, op\rangle$ where user $u \in U$ sends a request to the system to perform operation $op \in OP$ on object $o \in O$ in session $s \in S$.

Definition 8. (Authorization Tuple/Access Log). An authorization tuple is a tuple $t = \langle q, d\rangle$ containing the decision $d$ made by the access control system for request $q$. An Access Log $\mathcal{L}$ is a set of such tuples.

The decision $d$ of an authorization tuple can be permit or deny. A tuple with a permit decision means that user $u$ can perform operation $op$ on object $o$ in session $s$. An authorization tuple with a deny decision means that user $u$ cannot perform operation $op$ on object $o$ in session $s$.

The access log is the union of the Positive Access Log, $\mathcal{L}^+$, and the Negative Access Log, $\mathcal{L}^-$, where:

$$\mathcal{L}^+ = \{\langle q, d\rangle \mid \langle q, d\rangle \in \mathcal{L} \wedge d = \mathit{permit}\},$$

and

$$\mathcal{L}^- = \{\langle q, d\rangle \mid \langle q, d\rangle \in \mathcal{L} \wedge d = \mathit{deny}\}.$$

Definition 9. (ABAC Rule). An access rule $\rho$ is a tuple $\langle \mathcal{F}, \mathcal{R}, op \,|\, !op\rangle$, where $\mathcal{F}$ is an attribute filter, $\mathcal{R}$ is a relation condition, and $op$ is an operation. $!op$ is a negated operation that indicates the operation can have any value except $op$.

Example 5. Consider the rule $\rho_1 = \langle \{\langle \mathit{position}, \mathit{student}\rangle, \langle \mathit{location}, \mathit{campus}\rangle, \langle \mathit{type}, \mathit{article}\rangle\}, \{\langle \mathit{dept}_u, \mathit{dept}_o\rangle\}, \mathit{read}\rangle$. It can be interpreted as "A student can read an article if he/she is on campus and his/her department matches the department of the article".

Definition 10. (Rule Satisfaction). An access request $q = \langle u, o, s, op\rangle$ is said to satisfy a rule $\rho$, denoted as $q \models \rho$, iff

$$\langle u, o, s\rangle \models \mathcal{F} \;\wedge\; \langle u, o, s\rangle \models \mathcal{R} \;\wedge\; op_q = op_\rho.$$

Definition 11. (ABAC Policy). An ABAC policy is a tuple $\pi = \langle E, OP, A, f_{a_e}, \mathcal{P}\rangle$ where $E$, $OP$, $A$, and $\mathcal{P}$ are the sets of entities, operations, attributes, and ABAC rules in the system, and $f_{a_e}$ is the attribute function.

Definition 12. (ABAC Policy Decision). The decision of an ABAC policy $\pi$ for an access request $q$, denoted as $d_\pi(q)$, is permit iff

$$\exists \rho \in \pi : q \models \rho;$$

otherwise, the decision is deny.

If an access request satisfies a rule of the access control policy, then the decision of the system for that access request is permit. If the access request does not satisfy any rule in the access control policy, then the decision of the system for that access request is deny.

TABLE 1 summarizes the notations used in this paper.

2.2 Unsupervised Learning Algorithm

Unsupervised learning algorithms try to infer a function that describes the structure of unlabeled data. They are useful when no or very little labeled data is available. We leverage such methods for extracting ABAC policies from access logs.

In particular, given a set of authorization tuples, we employ an unsupervised learning approach to mine and extract an ABAC policy that has high quality. An unsupervised learning approach is suitable because there is no labeled data available for the desired ABAC rules. ABAC policy extraction, in this case, can be considered as a mapping from authorization tuples to a set of clusters that are representative of the desired ABAC rules. Such a mapping can be expressed as a function $h : X \to Y$, where:

1) $X$ is a set of authorization tuples (i.e., the access log).

2) $Y$ is a set of numbered labels (i.e., cluster labels, each cluster corresponding to a rule of the ABAC policy $\pi$).

The goal is then to learn the function $h$ with low clustering error and mine the desired policy with high quality.

3 PROBLEM DEFINITION

3.1 ABAC Policy Extraction Problem

Although organizations are interested in employing an ABAC model, adopting it is a big challenge for them. The manual development of such a policy is tedious and error-prone. Policy Mining techniques have been proposed to address such challenges in order to reduce the cost, time, and error of policy development/maintenance. ABAC policy mining algorithms ease the migration to the ABAC framework by completely (or partially) automating the development of ABAC policy rules.

TABLE 1: Notations

Notation | Definition
$U, O, S, OP$ | Sets of users, objects, sessions, and operations
$A_u, A_o$, and $A_s$ | Sets of user attributes, object attributes, and session attributes
$E = U \cup O \cup S$ | Set of all entities
$A = A_u \cup A_o \cup A_s$ | Set of all attributes
$V_a$ | Attribute Range: set of all valid values for $a \in A$
$f_{a_e}(e, a)$ | Attribute Function: a function that maps an entity $e \in E$ to a value from $V_a$
$\mathcal{F} = \{\langle a, v \,|\, !v\rangle \mid a \in A \wedge v \in V_a\}$ | Attribute Filter
$\mathcal{R} = \{\langle a, b\rangle \mid a, b \in A \wedge a \neq b \wedge V_a = V_b\}$ | Relation Condition
$q = \langle u, o, s, op\rangle$ | Access Request
$t = \langle q, d\rangle$ | Authorization Tuple, showing decision $d$ made by the system for request $q$
$\mathcal{L}$ | Access Log, set of authorization tuples
$\mathcal{L}^+ = \{\langle q, d\rangle \mid \langle q, d\rangle \in \mathcal{L} \wedge d = \mathit{permit}\}$ | Positive Access Log
$\mathcal{L}^- = \{\langle q, d\rangle \mid \langle q, d\rangle \in \mathcal{L} \wedge d = \mathit{deny}\}$ | Negative Access Log
$\rho = \langle \mathcal{F}, \mathcal{R}, op \,|\, !op\rangle$ | ABAC Rule
$\mathcal{P}$ | Set of all policy rules
$\pi = \langle E, OP, A, f_{a_e}, \mathcal{P}\rangle$ | ABAC Policy
$d_\pi(q)$ | The decision of an ABAC policy $\pi$ for an access request $q$
$TP_{\pi|\mathcal{L}}$, $FP_{\pi|\mathcal{L}}$, $TN_{\pi|\mathcal{L}}$, and $FN_{\pi|\mathcal{L}}$ | Relative True Positive, False Positive, True Negative, and False Negative Rates
$ACC_{\pi|\mathcal{L}}$ | Relative Accuracy Rate
$F\text{-}score_{\pi|\mathcal{L}}$ | Relative F-score
$WSC(\pi)$ | Weighted Structural Complexity of policy $\pi$
$Q_\pi$ | Policy Quality Metric

The primary input to a policy mining algorithm is the log of authorization decisions in the system. The log indicates the authorization decision (i.e., permit or deny) for any given access request by a user of the system. For ABAC policy mining, such a log is accompanied by the attributes of the entities involved in the log entries. The goal of a policy mining algorithm is to extract from the access logs ABAC policy rules that have high quality with respect to some quality metrics (e.g., policy size and correctness).

We define the ABAC policy extraction problem formally as follows:

Definition 13. (ABAC Policy Extraction Problem). Let $I = \langle E, OP, A, f_{a_e}, \mathcal{L}\rangle$, where the components are as defined earlier; then the ABAC policy extraction problem is to find a set of rules $\mathcal{R}$ such that the ABAC policy $\pi = \langle E, OP, A, f_{a_e}, \mathcal{R}\rangle$ has high quality with respect to $\mathcal{L}$.

3.2 Challenges and Requirements

For an ABAC policy extraction approach to be applicable to a wide range of real-world scenarios, we identify the following challenges and requirements:

1) Correctness of Mined Policy: The mined policy must be consistent with the original authorization log, in that the access decision of the mined policy must be the same as the access decision of the log entry. An inconsistent extracted policy may result in situations in which an originally authorized access is denied (more restrictive) or an originally unauthorized access is permitted (less restrictive) by the system.

2) Complexity of Mined Policy: The policy mining algorithm should endeavor to extract a policy that is as concise as possible. Since the policy rules need to be manipulated by human administrators, the more concise they are, the more manageable and easier to interpret they would be. In addition, succinct rules are desirable as they are easier to audit and manage.

3) Negative Attribute Filters: The ABAC policy mining solution should support both positive and negative attribute filters, which will result in a more concise and manageable mined policy.

4) Relation Conditions: The solution should support the extraction of relation conditions for policy mining in order to generate a more concise and manageable mined policy.

5) Sparse Logs: In the real world, the access log that is input to the policy mining algorithm may be sparse, representing only a small fraction of all possible access requests. The policy mining algorithm must be able to extract useful rules even from a sparse log.

6) Mining Negative Authorization Rules: An ABAC policy can contain both positive and negative rules, which permit or deny access requests, respectively. The use of negative rules is helpful in situations where specifying exceptions to more general rules is important. Including negative policy rules would help in generating a more concise ABAC policy. Thus, the policy mining algorithm should be able to extract both positive and negative authorization rules.

7) Noisy Authorization Log: In the real world and with complex and dynamic information systems, it is possible to have a noisy authorization log consisting of over-assignments and under-assignments. These issues occur either due to a wrong configuration of the original authorization system or improper policy updates by administrators. The policy mining algorithm should be capable of extracting meaningful rules even in the presence of an acceptable amount of noise in the input access log.

8) Dynamic and Evolving Policies: Modern information systems are often dynamic. The authorization needs of these systems and the attributes of the entities in the environment evolve rapidly. These changes will result in over-assignments or under-assignments. The proposed method should employ a mechanism to support the dynamicity of the information systems and their authorization policies and ease the maintenance of evolving systems.

Our proposed approach addresses all the requirements except the sixth one. Table 2 shows the challenges that are addressed by our proposed approach and how it improves upon the state-of-the-art policy mining techniques. In Section 6, we discuss the existing solutions in detail.

3.3 Evaluation Metrics

One of the main metrics for evaluating the quality of an extracted policy is how accurately it matches the original policy. That means the authorization decisions made by the extracted policy for a set of access requests should be similar to the decisions made by the original policy for that set of requests. As an example, if the decision of the original policy for an access request $q$ is permit, then the decision of the mined policy for the same access request must be permit as well. If the mined policy denies the same access request, then we record this authorization tuple as a False Negative. We define the Relative True Positive, Relative False Positive, Relative True Negative, and Relative False Negative rates, respectively, as follows:

Definition 14. (Relative True Positive Rate). Given an access log $\mathcal{L}$ and an ABAC policy $\pi$, the relative true positive rate of $\pi$ regarding $\mathcal{L}$, denoted as $TP_{\pi|\mathcal{L}}$, is the portion of positive access logs for which the decision of $\pi$ is permit:

$$TP_{\pi|\mathcal{L}} = \frac{|\{\langle q, d\rangle \in \mathcal{L}^+ \mid d_\pi(q) = \mathit{permit}\}|}{|\mathcal{L}^+|}$$

Here, $|s|$ is the cardinality of set $s$.

Definition 15. (Relative False Positive Rate). The relative false positive rate of $\pi$ regarding $\mathcal{L}$, denoted as $FP_{\pi|\mathcal{L}}$, is the portion of negative access logs for which the decision of $\pi$ is permit:

$$FP_{\pi|\mathcal{L}} = \frac{|\{\langle q, d\rangle \in \mathcal{L}^- \mid d_\pi(q) = \mathit{permit}\}|}{|\mathcal{L}^-|}$$

Similarly, we calculate the relative true negative rate and relative false negative rate of $\pi$ regarding $\mathcal{L}$, denoted as $TN_{\pi|\mathcal{L}}$ and $FN_{\pi|\mathcal{L}}$, respectively, as follows:

$$TN_{\pi|\mathcal{L}} = \frac{|\{\langle q, d\rangle \in \mathcal{L}^- \mid d_\pi(q) = \mathit{deny}\}|}{|\mathcal{L}^-|}$$

$$FN_{\pi|\mathcal{L}} = \frac{|\{\langle q, d\rangle \in \mathcal{L}^+ \mid d_\pi(q) = \mathit{deny}\}|}{|\mathcal{L}^+|}$$

The relative precision and relative recall are calculated as follows:

$$Precision_{\pi|\mathcal{L}} = \frac{TP_{\pi|\mathcal{L}}}{TP_{\pi|\mathcal{L}} + FP_{\pi|\mathcal{L}}}$$

$$Recall_{\pi|\mathcal{L}} = \frac{TP_{\pi|\mathcal{L}}}{TP_{\pi|\mathcal{L}} + FN_{\pi|\mathcal{L}}}$$

The relative accuracy metric, $ACC_{\pi|\mathcal{L}}$, measures the accuracy of the mined policy $\pi$ with regard to the decisions made by the original policy, as recorded in $\mathcal{L}$, and is defined formally as follows:

Definition 16. (Relative Accuracy). Given the relative true positive and negative rates, the relative accuracy of $\pi$ regarding $\mathcal{L}$, denoted as $ACC_{\pi|\mathcal{L}}$, is calculated as follows:

$$ACC_{\pi|\mathcal{L}} = \frac{TP_{\pi|\mathcal{L}} + TN_{\pi|\mathcal{L}}}{TP_{\pi|\mathcal{L}} + TN_{\pi|\mathcal{L}} + FP_{\pi|\mathcal{L}} + FN_{\pi|\mathcal{L}}}$$

As accuracy may be misleading on unbalanced data sets [22] (which is very probable in the case of access logs), we use the relative F-score to better evaluate the mined policy:

$$F\text{-}score_{\pi|\mathcal{L}} = 2 \cdot \frac{Precision_{\pi|\mathcal{L}} \cdot Recall_{\pi|\mathcal{L}}}{Precision_{\pi|\mathcal{L}} + Recall_{\pi|\mathcal{L}}}$$

Policies with a higher relative F-score are better, as they are more consistent with the original access log.

On the other hand, as the number of filters in each rule and the number of rules in an access control policy increase, policy intelligibility decreases and maintenance of the policy becomes harder. Hence, complexity is another key metric for evaluating the quality of a policy.

Weighted Structural Complexity (WSC) is a generalization of policy size; it was first introduced for RBAC policies [23] and later extended to ABAC policies [15]. WSC is consistent with usability studies of access control rules, which indicate that the more concise the policies are, the more manageable they become [24]. Informally, for a given ABAC policy, its WSC is a weighted sum of its elements. Formally, for an ABAC policy π with rules P, its WSC is defined as follows:

$$WSC(\pi) = WSC(P)$$

$$WSC(P) = \sum_{\rho \in P} WSC(\rho)$$

$$WSC(\rho = \langle F_U, F_O, F_S, R, op, d\rangle) = w_1 WSC(F_U) + w_2 WSC(F_O) + w_3 WSC(F_S) + w_4 WSC(R)$$

$$\forall s \in \{F_U, F_O, F_S, R\}: \quad WSC(s) = \sum |s|$$

where $|s|$ is the cardinality of set $s$ and each $w_i$ is a user-specified weight.

Van Rijsbergen proposes an effectiveness measure for combining two different metrics P and R in [25] as follows:

$$E = 1 - \frac{1}{\frac{\alpha}{P} + \frac{1 - \alpha}{R}}$$

TABLE 2: State-of-the-art ABAC Rule Mining Techniques (✓ = addressed, ✗ = not addressed)

| | Xu et al. [15] | Medvet et al. [16] | Iyer et al. [17] | Cotrini et al. [18] | Our Proposed Approach |
|---|---|---|---|---|---|
| Policy Correctness | ✓ | ✓ | ✓ | ✓ | ✓ |
| Policy Complexity | ✓ | ✓ | ✓ | ✓ | ✓ |
| Negative Attribute Filters | ✗ | ✗ | ✗ | ✗ | ✓ |
| Relation Conditions | ✓ | ✓ | ✓ | ✗ | ✓ |
| Sparse Logs | ✗ | ✓ | ✗ | ✓ | ✓ |
| Negative Authorization Rules | ✗ | ✗ | ✓ | ✗ | ✗ |
| Noisy Authorization Log | ✓ | ✗ | ✗ | ✗ | ✓ |
| System Dynamicity | ✗ | ✗ | ✗ | ✗ | ✓ |

Given relative F-score and WSC measures for various mined policies resulting from running different mining algorithms over an access log, it may not be straightforward to select the best algorithm and, hence, the mined policy with the highest quality. So, to be able to compare the quality of different mined ABAC policies, we combine the two metrics based on Van Rijsbergen's effectiveness measure [25] and define the Policy Quality Metric as follows:

$$Q_{\pi} = \left( \frac{\alpha}{F\text{-}score_{\pi|\mathcal{L}}} + \frac{1 - \alpha}{\Delta WSC_{\pi}} \right)^{-1}$$

Here $\alpha = \frac{1}{1 + \beta^{2}}$, where β determines the importance of relative F-score over policy complexity, and $\Delta WSC_{\pi}$ shows the relative reduction in complexity with regard to the complexity of the most complex mined policy. $\Delta WSC_{\pi}$ is calculated as follows:

$$\Delta WSC_{\pi} = \frac{WSC_{max} - WSC(\pi) + 1}{WSC_{max}}$$

π‘Šπ‘†πΆπ‘šπ‘Žπ‘₯ is the weighted structural complexity of the mostcomplex mined policy.Definition 17. (Most Complex Mined Policy). The most

complex mined policy is the mined policy with thehighest weighted structural complexity. It is extracted byiterating through positive access log L+ and adding anaccess control rule for each authorization tuple if it’s notalready included in the mined policy. The correspondingrule for each authorization tuple includes all attributesof user, object, and subject of that authorization tuple.

Considering equal importance of the relative F-score and the relative loss of complexity of the policy, we calculate the quality measure as follows:

$$Q_{\pi} = \frac{2 \cdot F\text{-}score_{\pi|\mathcal{L}} \cdot \Delta WSC_{\pi}}{F\text{-}score_{\pi|\mathcal{L}} + \Delta WSC_{\pi}}$$

A mined policy with a higher F-score has a higher policy quality. On the other hand, as the complexity of a policy increases, its quality decreases. The intuition here is that once an extracted policy reaches a high F-score, adding further rules leads to a decrease in $Q_{\pi}$.

For the most complex mined policy $\pi_M$, $\Delta WSC_{\pi_M} \approx 0$, so its policy quality $Q_{\pi_M}$ is very close to zero. For an empty mined policy $\pi_e$ (a policy without any rule), while $\Delta WSC_{\pi_e} \approx 1$, as it denies all access requests, its false negative rate is one and its true positive rate is zero. So its precision is zero and, as a result, its F-score is zero as well. So the quality of the empty policy $Q_{\pi_e}$ is zero, too.

The most complex mined policy and the empty mined policy are the two extreme cases with policy quality equal to zero. Other mined policies between these two cases have policy quality higher than zero.
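The relative metrics (Definitions 14 to 16), WSC, $\Delta WSC_{\pi}$ and $Q_{\pi}$ computed over a constructed access log, as an added Python example that is not the paper's code. The rule layout (with $F_S$ taken as the set of permitted operations), the deny-by-default decision and the unit weights are assumptions stated in the docstring.

```python
"""Relative metrics (Definitions 14-16), WSC and the policy quality Q_pi.

Added example, not the paper's code. Assumptions: a rule is <F_U, F_O, F_S, R, d> with
F_S taken as the set of permitted operations, a negative filter is written (attr, "!value"),
a relation is a (user_attr, object_attr) pair (negated as (user_attr, "!object_attr")),
and a request that no permit rule matches is denied, so the empty policy denies everything.
"""
from itertools import product


def make_rule(fu=(), fo=(), fs=(), rel=(), d="permit"):
    return {"fu": frozenset(fu), "fo": frozenset(fo), "fs": frozenset(fs),
            "rel": frozenset(rel), "d": d}


def _holds(attrs, name, value):
    """(a, v) holds when attrs[a] == v; (a, !v) holds when attrs[a] != v."""
    if value.startswith("!"):
        return attrs.get(name) != value[1:]
    return attrs.get(name) == value


def matches(rule, q):
    """q = {"user": {...}, "object": {...}, "op": str}."""
    if q["op"] not in rule["fs"]:
        return False
    if not all(_holds(q["user"], a, v) for a, v in rule["fu"]):
        return False
    if not all(_holds(q["object"], a, v) for a, v in rule["fo"]):
        return False
    for a, b in rule["rel"]:
        negated = b.startswith("!")
        equal = q["user"].get(a) == q["object"].get(b.lstrip("!"))
        if equal == negated:  # a positive relation needs equality, a negative one inequality
            return False
    return True


def decide(policy, q):
    return "permit" if any(matches(r, q) for r in policy) else "deny"


def relative_rates(policy, log):
    """TP, FP, TN and FN rates of `policy` relative to the log L (Definitions 14 and 15)."""
    pos = [q for q, d in log if d == "permit"]
    neg = [q for q, d in log if d == "deny"]

    def rate(qs, want):
        return sum(decide(policy, q) == want for q in qs) / len(qs) if qs else 0.0

    return {"TP": rate(pos, "permit"), "FP": rate(neg, "permit"),
            "TN": rate(neg, "deny"), "FN": rate(pos, "deny")}


def f_score(policy, log):
    """Relative F-score from relative precision and recall."""
    r = relative_rates(policy, log)
    precision = r["TP"] / (r["TP"] + r["FP"]) if r["TP"] + r["FP"] else 0.0
    recall = r["TP"] / (r["TP"] + r["FN"]) if r["TP"] + r["FN"] else 0.0
    return 2 * precision * recall / (precision + recall) if precision + recall else 0.0


def wsc(policy, w=(1, 1, 1, 1)):
    """Weighted structural complexity: weighted count of the filters and relations of each rule."""
    return sum(w[0] * len(r["fu"]) + w[1] * len(r["fo"]) + w[2] * len(r["fs"]) + w[3] * len(r["rel"])
               for r in policy)


def most_complex_policy(log):
    """Definition 17: one rule per distinct positive tuple, carrying all of its attribute values."""
    rules, seen = [], set()
    for q, d in log:
        key = (tuple(sorted(q["user"].items())), tuple(sorted(q["object"].items())), q["op"])
        if d == "permit" and key not in seen:
            seen.add(key)
            rules.append(make_rule(fu=q["user"].items(), fo=q["object"].items(), fs=[q["op"]]))
    return rules


def policy_quality(policy, log, wsc_max):
    """Q_pi with equal weight on F-score and complexity reduction (beta = 1)."""
    f = f_score(policy, log)
    delta_wsc = (wsc_max - wsc(policy) + 1) / wsc_max
    return 2 * f * delta_wsc / (f + delta_wsc) if f + delta_wsc else 0.0


# Constructed access log: the hidden "original" policy permits faculty to setScore on a
# gradebook of their own department and denies every other combination (128 tuples, 4 permits).
DEPTS = ("EE", "CS", "ME", "BIO")


def build_log():
    log = []
    for pos, ud, ty, od, op in product(("faculty", "student"), DEPTS, ("gradebook", "roster"),
                                       DEPTS, ("setScore", "readScore")):
        q = {"user": {"position": pos, "uDept": ud}, "object": {"type": ty, "oDept": od}, "op": op}
        permit = pos == "faculty" and ty == "gradebook" and op == "setScore" and ud == od
        log.append((q, "permit" if permit else "deny"))
    return log


LOG = build_log()
WSC_MAX = wsc(most_complex_policy(LOG))  # 4 rules x 5 elements = 20
EXACT = [make_rule(fu=[("position", "faculty")], fo=[("type", "gradebook")],
                   fs=["setScore"], rel=[("uDept", "oDept")])]
RESTRICTED = [make_rule(fu=[("position", "faculty"), ("uDept", "EE")], fo=[("type", "gradebook")],
                        fs=["setScore"], rel=[("uDept", "oDept")])]
EMPTY = []

if __name__ == "__main__":
    for name, pol in (("exact", EXACT), ("restricted", RESTRICTED),
                      ("empty", EMPTY), ("most complex", most_complex_policy(LOG))):
        print(f"{name:12s} F-score={f_score(pol, LOG):.3f} WSC={wsc(pol):3d} "
              f"Q={policy_quality(pol, LOG, WSC_MAX):.3f}")
```

With unit weights the restricted rule loses recall and scores Q ≈ 0.53 against ≈ 0.92 for the exact rule, while the empty policy scores 0 and the most complex one about 0.095, matching the two extreme cases described above.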

4 THE PROPOSED LEARNING-BASED APPROACH

Our proposed learning-based ABAC policy extraction procedure consists of the steps summarized in Figure 1.

Fig. 1: Overview of the Proposed Approach. [Pipeline figure; its six stages and their captions are:]

1. Data Pre-processing: handling missing values, converting to categorical values
2. Parameter Tuning: finding the best number of clusters, the best cluster initialization, and appropriate thresholds
3. Clustering: clustering data using the k-means/k-modes algorithm
4. Rule Extraction: finding effective attributes and relations, building rules
5. Rule Pruning: removing duplicate rules, finding similar rules and eliminating them
6. Policy Refinement: refining policy rules based on FP and FN records

4.1 Data Pre-processing

As the features of our learning algorithm are categorical variables, the first step in pre-processing the access log is to convert all numerical variables to their corresponding categorical values. For example, in ABAC, environmental attributes deal with time, location or dynamic aspects of the access control scenario. Hence, we need to pre-process and discretize such continuous variables into categorical ones (e.g., time of access into working hours and non-working hours) so that our proposed algorithm is applicable to them.

We also need to handle missing values in this step. As the frequency of each attribute value is an important factor in our rule extraction algorithm (Section 4.4) for deciding whether an attribute is effective or not, it is important to replace missing values in a way that does not distort the original frequency of each attribute value. For this purpose, we replace each missing value by UNK (i.e., unknown).

4.2 Selection of Learning Algorithm

We use the K-modes algorithm [26], which is a well-known unsupervised learning algorithm used for clustering categorical data. K-modes has been proved effective in mining ABAC policies [27]; this algorithm uses an initialization method based on both the distance between data points and the density of data points. Using both density and distance when initializing clusters helps avoid two problems: (i) clustering outliers as new clusters when the initialization is based only on the distances; and (ii) creating new clusters surrounding one center when it is based only on the density. Compared to a random initialization method, this method provides more robustness and better accuracy in the clustering process [26].

4.3 Parameter Tuning

In the next step, we tune the learning parameters. There are several challenges that need to be addressed in this step, which include the following:

4.3.1 Number of Clusters (k)

One of the main challenges in unsupervised learning is determining the number of clusters, k. In our sample policies, as we know the number of rules in each policy, we can set the number of clusters beforehand; but in a real situation, as we do not know the number of rules in advance, making the correct choice of k is difficult. One of the popular methods for determining the number of clusters in an unsupervised learning model is the Elbow Method [28], [29]. This method is based on the total within-group sum of squares. k is chosen as the number of clusters if adding another cluster does not give a much better modeling of the data (i.e., the elbow point of the graph).

As a second approach, we choose the number of clusters (k) which gives the best modeling of the data in terms of the policy quality metric. For this purpose, we run our clustering algorithm for different values of k and calculate the accuracy of the corresponding model using 10-fold cross-validation. The value of k that maximizes the accuracy of the model is selected as the final number of clusters.

Note that increasing k will ultimately reduce the amount of clustering error, or increase the accuracy of the model, but by increasing the number of clusters, the number of extracted rules will also increase, resulting in more complexity (i.e., higher WSC). So it is important to find an optimal k that balances policy accuracy and WSC.

4.3.2 Cluster Initialization & Local Optima

Different cluster initializations can lead to different sets of clusters, as k-means/k-modes may converge to a local optimum. To overcome this issue, for a given number of clusters k, we train multiple models with different cluster initializations and then select the partition with the smallest clustering error.

4.4 Policy Rules Extraction

The main phase in our proposed approach is the extraction of ABAC policy rules. In the first step, we need to collect all the authorization tuples related to each rule of the policy. We use data clustering for this purpose. We divide the access log into clusters where the records in each cluster correspond to one AC rule in the system. This is done by finding similar patterns between the features (i.e., attribute values) of the records (i.e., access control tuples). In the second step, we extract the attribute filters of such a rule. We adapt the rule extraction algorithm in [27] and extend it to extract both positive and negative attribute filters. We define effective positive attribute and effective negative attribute as follows:

Definition 18. (Effective Positive (Negative) Attribute). Let $S = \{\langle a, v\rangle\}$ be the set of all possible attribute-value pairs in a system; we define $\langle a_j, v_j\rangle \in S$ ($\langle a_j, !v_j\rangle \in S$) as an effective positive (negative) attribute pair of $\rho_i$ corresponding to cluster $C_i$, where the frequency of occurrence of $v_j$ in the set of all the records of cluster $C_i$ is much higher (lower) than its frequency of occurrence in the original data; this is determined based on a threshold $T_P$ ($T_N$). The attribute expression $\langle a_j, v_j\rangle$ ($\langle a_j, !v_j\rangle$) is added to the attribute filters of the extracted rule $\rho_i$ for $C_i$.

In the final step, we extract the relation conditions of the AC rule for each cluster. This is done based on the frequency of equality between pairs of attributes in the records of each cluster. We define effective positive relation and effective negative relation as follows:

Definition 19. (Effective Positive (Negative) Relation). Let $R = \{\langle a, b\rangle\}$ be the set of all possible relations between pairs of attributes in the system; we define $\langle a_j, b_j\rangle$ as an effective positive (negative) relation pair of $\rho_i$ corresponding to cluster $C_i$, where the frequency of $a_j$ equals $b_j$ in all the records of cluster $C_i$ is much higher (lower) than their frequency in the original data; this is determined based on a threshold \𝑃 (\𝑁). The relation $\langle a_j, b_j\rangle$ ($\langle a_j, !b_j\rangle$) is added to the relation conditions of the extracted rule $\rho_i$ for this cluster.

We note that the values of the thresholds $T_P$, $T_N$, \𝑃, and \𝑁 will be different for each data set. To find the best threshold values for each data set, we run the rule extraction algorithm for different values of the thresholds, and the values which result in the maximum accuracy over the cross-validation data set are selected.

Algorithms 1 and 2 show the effective attribute and effective relation extraction procedures, respectively.

Algorithm 1 Effective attribute extraction algorithm

procedure EXTRACTATTRIBUTEFILTERS
    Input: C_i, A, V, L, T_P, T_N
    Output: F
    F ← ∅
    for all a ∈ A do
        for all v_j ∈ V_a do
            if Freq(v_j, C_i) − Freq(v_j, L) > T_P then
                F ← F ∪ {⟨a, v_j⟩}
            end if
            if Freq(v_j, L) − Freq(v_j, C_i) > T_N then
                F ← F ∪ {⟨a, !v_j⟩}
            end if
        end for
    end for
    return F
end procedure

4.5 Policy Enhancement

After the first phase of policy rule extraction, we get a policy which may not be as accurate and concise as we desire. We enhance the quality of the mined policy through iterations of policy improvement steps that include rule pruning and policy refinement.


Algorithm 2 Effective relation extraction algorithm

procedure EXTRACTRELATIONS
    Input: C_i, A, L, \𝑃, \𝑁
    Output: R
    R ← ∅
    for all a ∈ A do
        for all b ∈ A and b ≠ a do
            if Freq(a = b, C_i) − Freq(a = b, L) > \𝑃 then
                R ← R ∪ {⟨a, b⟩}
            end if
            if Freq(a = b, L) − Freq(a = b, C_i) > \𝑁 then
                R ← R ∪ {⟨a, !b⟩}
            end if
        end for
    end for
    return R
end procedure
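Algorithms 1 and 2 run over a constructed positive access log and one of its clusters, as an added Python example that is not the paper's implementation. Freq is interpreted as the fraction of records carrying the value (or carrying equal values for a pair), relation pairs are treated as unordered, and the 0.3 thresholds follow the range the paper reports for its experiments.

```python
"""Effective attribute filters (Algorithm 1) and effective relations (Algorithm 2).

Added example, not the paper's code. Freq(v, S) is taken to be the fraction of records in S
whose attribute has value v, and Freq(a = b, S) the fraction of records in S in which attributes
a and b hold equal values; the access log, the cluster and the thresholds are constructed here.
"""
from itertools import combinations


def freq_value(records, attr, value):
    return sum(r.get(attr) == value for r in records) / len(records) if records else 0.0


def freq_equal(records, a, b):
    return sum(r.get(a) == r.get(b) for r in records) / len(records) if records else 0.0


def extract_attribute_filters(cluster, attrs, values, log, t_p, t_n):
    """Algorithm 1: <a, v> becomes a positive filter when v is over-represented in the cluster
    by more than T_P, and <a, !v> a negative filter when it is under-represented by more than T_N.
    One attribute can yield both kinds (here position = faculty and position != student)."""
    filters = set()
    for a in attrs:
        for v in values[a]:
            diff = freq_value(cluster, a, v) - freq_value(log, a, v)
            if diff > t_p:
                filters.add((a, v))
            if -diff > t_n:
                filters.add((a, "!" + v))
    return filters


def extract_relations(cluster, attrs, log, theta_p, theta_n):
    """Algorithm 2 over unordered attribute pairs (equality is symmetric, so <a, b> and <b, a>
    would otherwise both be emitted)."""
    relations = set()
    for a, b in combinations(attrs, 2):
        diff = freq_equal(cluster, a, b) - freq_equal(log, a, b)
        if diff > theta_p:
            relations.add((a, b))
        if -diff > theta_n:
            relations.add((a, "!" + b))
    return relations


USER_ATTRS, OBJECT_ATTRS = ("position", "uDept"), ("type", "oDept")


def build_rule(filters, relations):
    """Assemble the rule <F_U, F_O, F_S, R, permit> for a cluster (F_S taken as the op filters)."""
    return {"FU": {f for f in filters if f[0] in USER_ATTRS},
            "FO": {f for f in filters if f[0] in OBJECT_ATTRS},
            "FS": {f for f in filters if f[0] == "op"},
            "R": set(relations), "d": "permit"}


# Constructed positive access log L+ produced by three hidden rules.
ATTRS = ("position", "uDept", "type", "oDept", "op")
DEPTS = ("EE", "CS", "ME", "BIO")


def rec(position, udept, type_, odept, op):
    return {"position": position, "uDept": udept, "type": type_, "oDept": odept, "op": op}


def build_log():
    log = []
    # rule A: non-EE faculty may setScore / readScore the gradebook of their own department
    log += [rec("faculty", d, "gradebook", d, op) for d in ("CS", "ME", "BIO")
            for op in ("setScore", "readScore")]
    # rule B: students may readScore any roster
    log += [rec("student", du, "roster", do, "readScore") for du in DEPTS for do in DEPTS]
    # rule C: EE faculty may setScore / readScore any schedule
    log += [rec("faculty", "EE", "schedule", do, op) for do in DEPTS
            for op in ("setScore", "readScore")]
    return log


LOG = build_log()
VALUES = {a: sorted({r[a] for r in LOG}) for a in ATTRS}
# The cluster is taken to be exactly rule A's records, i.e. what k-modes is expected to group.
CLUSTER = [r for r in LOG if r["type"] == "gradebook"]

if __name__ == "__main__":
    filters = extract_attribute_filters(CLUSTER, ATTRS, VALUES, LOG, t_p=0.3, t_n=0.3)
    relations = extract_relations(CLUSTER, ATTRS, LOG, theta_p=0.3, theta_n=0.3)
    print(build_rule(filters, relations))
```

The extracted rule recovers rule A's own-department relation and a negative filter uDept != EE, while op yields no filter because both operations appear in the cluster at rates close to the whole log.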

4.5.1 Rule Pruning

During the rule extraction phase, it is possible to have two clusters that correspond to the same rule. As a result, the extracted rules of these clusters are very similar to each other. Having two similar rules in the final policy increases the complexity of the mined policy while it may not help the accuracy of the policy, and as a result, it hurts the policy quality. To address such an issue, in the rule pruning step we identify similar rules and eliminate the one whose removal improves the policy quality more. If eliminating neither of the two rules improves the policy quality, we keep both rules. This may happen when we have two very similar AC rules in the original policy. We measure the similarity between two rules using Jaccard similarity [30] as follows:

$$J(S_1, S_2) = \frac{|S_1 \cap S_2|}{|S_1 \cup S_2|}$$

Based on this, we calculate the similarity between two rules $\rho_1$ and $\rho_2$ as follows:

$$J(\rho_1, \rho_2) = \frac{\sum_{F \in \{F_U, F_O, F_S\}} |F_{\rho_1} \cap F_{\rho_2}| + |R_{\rho_1} \cap R_{\rho_2}| + |op_{\rho_1} \cap op_{\rho_2}|}{\sum_{F \in \{F_U, F_O, F_S\}} |F_{\rho_1} \cup F_{\rho_2}| + |R_{\rho_1} \cup R_{\rho_2}| + |op_{\rho_1} \cup op_{\rho_2}|}$$

We consider two rules to be similar if their Jaccard similarity score is more than 0.5, which means that the size of their common elements is more than half of the size of the union of their elements. Algorithm 3 shows the rule pruning procedure.

4.5.2 Policy Refinement

During the rule extraction phase, it is possible to extract rules that are either too restricted or too relaxed compared to the original policy rules. A rule is restricted if it employs more filters than the original rule.

Example 6. Consider the following two rules:

$\rho_1 = \langle \{(position, faculty)\}, \{(type, gradebook)\}, \{setScore\}, permit \rangle$

$\rho_2 = \langle \{(position, faculty), (uDept, EE)\}, \{(type, gradebook)\}, \{setScore\}, permit \rangle$

Here $\rho_2$ is more restricted than $\rho_1$ as it imposes more conditions on the user attributes.

Algorithm 3 Rule Pruning algorithm

procedure RULEPRUNING
    Input: π
    Output: π
    P ← π.P
    q ← CALCQUALITY(P)
    for all ρ_i ∈ P do
        for all ρ_j ∈ P and ρ_i ≠ ρ_j do
            if SIMILARITY(ρ_i, ρ_j) > 0.5 then
                P_i ← P \ {ρ_i}
                P_j ← P \ {ρ_j}
                q_i ← CALCQUALITY(P_i)
                q_j ← CALCQUALITY(P_j)
                if q_i ≥ q and q_i ≥ q_j then
                    P ← P_i
                end if
                if q_j ≥ q and q_j ≥ q_i then
                    P ← P_j
                end if
            end if
        end for
    end for
    return P
end procedure

Having such a restricted rule in the mined policy would result in a larger number of FNs, as an access request that would be permitted by the original rule will be denied by the restricted rule.

On the other hand, an extracted rule is more relaxed compared to the original rule if it misses some of the filters. In Example 6, $\rho_1$ is more relaxed than $\rho_2$. Such a relaxed rule would result in more FPs, as it permits access requests that should be denied as per the original policy.

To address these issues, we propose a policy refinement procedure, which is shown in Algorithm 4. Here, we try to refine the mined policy ($\pi_m$) based on the patterns discovered in the FN or FP records. These patterns are used to eliminate extra filters from restricted rules or to append missing filters to relaxed rules.

To extract patterns from the FN or FP records, we apply our rule extraction procedure to these records to get the corresponding policies $\pi_{FN}$ and $\pi_{FP}$. Here our training data are the FN and FP records, respectively. We compare the extracted FN or FP rules with the mined policy and remove the extra filters or append the missed ones to the corresponding rules. As an example, consider the FP records. Here, our goal is to extract the patterns that are common between access requests that were permitted based on the mined policy while they should have been denied based on the original policy.

In each step of refinement, a rule from $\pi_m$ that is similar to a rule from $\pi_{FN}$ or $\pi_{FP}$ based on the Jaccard similarity (Section 4.5.1) is selected and then refined in one of two ways, as discussed below.

Policy refinement based on $\pi_{FN}$: In the case of FN records, two situations are possible: a rule is missing from the mined policy ($\pi_m$) or one of the rules in $\pi_m$ is more restrictive. To resolve this issue, for each rule $\rho_i \in \pi_{FN}$:

• if there is a similar rule $\rho_j \in \pi_m$, then we refine $\rho_j$ as follows:

$$\forall f \in F: \quad F_{\rho_j} = F_{\rho_j} \setminus (F_{\rho_j} \setminus F_{\rho_i})$$

where $F = F_U \cup F_O \cup F_S \cup R$. So, the extra filters are removed from the restricted rule ($\rho_j$).

• if there is no such rule, then $\rho_i$ is the missing rule and we add it to $\pi_m$.

Policy refinement based on $\pi_{FP}$: In the case of FP records, some filters might be missing in an extracted rule in the mined policy ($\pi_m$); so for each rule $\rho_i \in \pi_{FP}$ with a similar rule $\rho_j \in \pi_m$, we refine the mined policy as follows:

$$\forall f \in F: \quad F_{\rho_j} = F_{\rho_j} \cup (F_{\rho_i} \setminus F_{\rho_j})$$

where $F = F_U \cup F_O \cup F_S \cup R$ includes all the filters in the rule. So, the missing filters are added to the relaxed rule ($\rho_j$).

These refinements can be done in multiple iterations until further refinement does not give a better model in terms of policy quality $Q_{\pi}$.

Algorithm 4 Policy refinement algorithm

procedure REFINEPOLICY
    Input: π_m, A, L
    Output: π_m
    FN ← GETFNS(π_m, L)
    π_FN ← EXTRACTPOLICY(FN)
    for all ρ_i ∈ π_FN.P do
        R_s ← GETSIMIL­ARRULES(ρ_i, π_m.P)
        if |R_s| = 0 then
            π_m.P ← π_m.P ∪ {ρ_i}
        else
            for all ρ_j ∈ R_s do
                for all F ∈ F_U ∪ F_O ∪ F_S ∪ R do
                    F_ρj ← F_ρj \ (F_ρj \ F_ρi)
                end for
            end for
        end if
    end for
    FP ← GETFPS(π_m, L)
    π_FP ← EXTRACTPOLICY(FP)
    for all ρ_i ∈ π_FP.P do
        R_s ← GETSIMILARRULES(ρ_i, π_m.P)
        if |R_s| ≠ 0 then
            for all ρ_j ∈ R_s do
                for all F ∈ F_U ∪ F_O ∪ F_S ∪ R do
                    F_ρj ← F_ρj ∪ (F_ρi \ F_ρj)
                end for
            end for
        end if
    end for
    return π_m
end procedure
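The Jaccard similarity of Section 4.5.1 and the two refinement updates of Algorithm 4, applied to the rules of Example 6, as an added Python example that is not the paper's implementation. The rule tuple layout (Example 6's third element taken as the operation set, $F_S$ left empty) and the directly constructed $\pi_{FN}$ / $\pi_{FP}$ pattern rules are assumptions stated in the docstring.

```python
"""Rule similarity (Section 4.5.1) and the pi_FN / pi_FP refinement steps (Algorithm 4).

Added example, not the paper's code. A rule is modelled as the paper's tuple
<F_U, F_O, F_S, R, op, d>: the third element of the Example 6 rules ({setScore}) is taken
to be the operation set `op`, and F_S is left empty. The pi_FN / pi_FP "pattern" rules are
constructed directly here rather than mined from the FN / FP records.
"""
from copy import deepcopy

SETS = ("FU", "FO", "FS", "R", "op")   # set-valued parts of a rule used by the similarity
REFINED = ("FU", "FO", "FS", "R")      # parts that refinement updates (op is left alone)


def rule(fu=(), fo=(), fs=(), r=(), op=(), d="permit"):
    return {"FU": set(fu), "FO": set(fo), "FS": set(fs), "R": set(r), "op": set(op), "d": d}


def jaccard(r1, r2):
    """Rule similarity: summed |intersection| over summed |union| of the set-valued parts."""
    inter = sum(len(r1[p] & r2[p]) for p in SETS)
    union = sum(len(r1[p] | r2[p]) for p in SETS)
    return inter / union if union else 0.0


def similar_rules(rule_i, policy, threshold=0.5):
    """GETSIMILARRULES: rules of the policy whose Jaccard similarity with rule_i exceeds 0.5."""
    return [rj for rj in policy if jaccard(rule_i, rj) > threshold]


def refine_fn(policy, pi_fn):
    """Refinement based on pi_FN: a rule mined from the false negatives either shows that a
    similar mined rule is too restricted (drop the filters it has and the FN rule lacks) or
    that the rule is missing altogether (add it). Mutates and returns `policy`."""
    for ri in pi_fn:
        similar = similar_rules(ri, policy)
        if not similar:
            policy.append(deepcopy(ri))
            continue
        for rj in similar:
            for p in REFINED:
                rj[p] -= rj[p] - ri[p]     # F_rho_j \ (F_rho_j \ F_rho_i)
    return policy


def refine_fp(policy, pi_fp):
    """Refinement based on pi_FP: a rule mined from the false positives shows which filters a
    too-relaxed mined rule is missing; they are appended to every similar rule."""
    for ri in pi_fp:
        for rj in similar_rules(ri, policy):
            for p in REFINED:
                rj[p] |= ri[p] - rj[p]     # F_rho_j U (F_rho_i \ F_rho_j)
    return policy


# The two rules of Example 6.
RHO1 = rule(fu=[("position", "faculty")], fo=[("type", "gradebook")], op=["setScore"])
RHO2 = rule(fu=[("position", "faculty"), ("uDept", "EE")], fo=[("type", "gradebook")],
            op=["setScore"])


def demo():
    """Returns (similarity, restricted rule after pi_FN refinement, relaxed rule after pi_FP refinement)."""
    sim = jaccard(RHO1, RHO2)                         # 3 / 4 = 0.75 > 0.5, so the rules are similar
    restricted = refine_fn([deepcopy(RHO2)], [RHO1])  # pi_m holds the restricted rho2; FN pattern is rho1
    relaxed = refine_fp([deepcopy(RHO1)], [RHO2])     # pi_m holds the relaxed rho1; FP pattern is rho2
    return sim, restricted[0], relaxed[0]


if __name__ == "__main__":
    sim, after_fn, after_fp = demo()
    print(f"J(rho1, rho2) = {sim:.2f}")
    print("restricted rule after pi_FN refinement:", after_fn)
    print("relaxed rule after pi_FP refinement:", after_fp)
```

Both refinements move the mined rule onto the pattern rule: the extra (uDept, EE) filter is dropped from $\rho_2$, and it is appended to $\rho_1$.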

5 EXPERIMENTAL EVALUATION

We have implemented a prototype of our proposed approach presented in Section 4. Here, we present our experimental evaluation.

5.1 Datasets

We perform our experiments on multiple datasets, including synthesized and real ones. The synthesized access logs are generated from two sets of ABAC policies. The first one is a manually written set of policies that is adapted from [15] to be compatible with our policy language. The second one includes a completely randomly generated set of policies. To synthesize our input data, for each ABAC policy (i.e., University Policy, Healthcare Policy, etc.), a set of authorization tuples is generated and the outcome of the ABAC policy for each access right is evaluated. The authorization tuples with permit as their outcome are the inputs to our unsupervised learning model.

Our real datasets are built from access logs provided by Amazon in a Kaggle competition [31] and available in the UCI machine learning repository [32].

Manual Policy - University: This policy is adapted from [15] and it controls access of different users, including students, instructors, teaching assistants, etc., to various objects (applications, gradebooks, etc.).

Manual Policy - Healthcare: This policy is adapted from [15] and is used to control access by different users (e.g., nurses, doctors, etc.) to electronic health records (EHRs) and EHR items.

Manual Policy - Project Management: This policy is adapted from [15] and it controls access by different users (e.g., department managers, project leaders, employees, etc.) to various objects (e.g., budgets, schedules and tasks).

Random Policies: The authorization rules for these policies are generated completely randomly from random sets of attributes and attribute values. These randomly generated policies provide an opportunity to evaluate our proposed algorithm on access logs of various sizes and with varying structural characteristics. However, we note that the performance of our algorithm on random policies might not be representative of its performance in real scenarios and over real policies.

Real Dataset - Amazon Kaggle: The Kaggle competition dataset [31] includes access requests made by Amazon's employees over two years. Each record in this dataset describes an employee's request to a resource and whether the request was authorized or not. A record consists of the employee's attribute values and the resource identifier. The dataset includes more than 12,000 users and 7,000 resources.

Real Dataset - Amazon UCI: This dataset is provided by Amazon in the UCI machine learning repository [32]. It includes more than 36,000 users and 27,000 permissions. Since the dataset contains over 33,000 attributes, our focus in this experiment is narrowed only to the 8 most requested permissions in the dataset.

Partial Datasets: To check the efficiency of the proposed algorithm over sparse datasets, we generate sparse datasets (partial datasets) by randomly selecting authorization tuples from the complete dataset. For example, a 10% sparse (partial) dataset is generated by randomly selecting 10% of the tuples from the complete access logs.

Noisy Datasets: To check the efficiency of the proposed algorithm over noisy datasets, we generate noisy datasets by randomly reversing the decision of authorization tuples. For instance, a 10% noisy dataset is generated by randomly reversing the decision of 10% of the authorization tuples in the complete access logs.

TABLE 3: Details of the Synthesized and Real Policies

| # | π | \|P\| | \|A\| | \|V\| | \|L\| | \|L+\| | \|L−\| |
|---|---|---|---|---|---|---|---|
| π1 | UniversityP | 10 | 11 | 45 | 2,700K | 231K | 2,468K |
| π2 | HealthcareP | 9 | 13 | 40 | 982K | 229K | 753K |
| π3 | ProjectManagementP | 11 | 14 | 44 | 5,900K | 505K | 5,373K |
| π4 | UniversityPN | 10 | 11 | 45 | 2,700K | 735K | 1,964K |
| π5 | HealthcarePN | 9 | 13 | 40 | 982K | 269K | 713K |
| π6 | ProjectManagementPN | 11 | 14 | 44 | 5,900K | 960K | 4,918K |
| π7 | Random Policy 1 | 10 | 8 | 27 | 17K | 2,742 | 14K |
| π8 | Random Policy 2 | 10 | 10 | 48 | 5,250K | 245K | 5,004K |
| π9 | Random Policy 3 | 10 | 12 | 38 | 560K | 100K | 459K |
| π10 | Amazon Kaggle | - | 10 | 15K | 32K | 30K | 1897 |
| π11 | Amazon UCI | - | 14 | 7,153 | 70K | 36K | 34K |

For each of the manual policies, we consider two different sets of policy rules; the first one only contains positive attribute filters and relations, while the second one includes both positive and negative attribute filters and relations. We have included these policies in Appendix A.

Table 3 shows the details of the manual and random access log datasets. In this table, |P| shows the number of rules in the original policy, |A| and |V| show the number of attributes and attribute values, and |L|, |L+|, |L−| show the number of access control tuples, the number of positive access logs, and the number of negative access logs in the given dataset, respectively.

5.2 Experimental Setup

To evaluate our proposed method, we use a computer with a 2.6 GHz Intel Core i7 and 16 GB of RAM. We use Python 3 in the mining and the evaluation process. The algorithms were highly time-efficient (e.g., the maximum time consumption is less than half an hour).

We use the kmodes library [33] for clustering our data. The density-based initialization (CAO) [26] is chosen for cluster initialization in the k-modes algorithm.

To find the optimal k, we apply the Silhouette method to test different values of k. We examine each value of k in the pre-defined set [10, 20]. Then the k value that results in the highest Silhouette score is used in the final model.

To generate the synthesized access log L, we brute-force through all attributes A and their values $V_a$ to produce all possible combinations for the tuples. This method was used to generate a complete access log for the random and manual policy datasets. We generate two sets of partial datasets; the 10% partial datasets are used to check the efficiency of the proposed approach over sparse datasets (Table 4), and the 0.1% partial datasets are used to compare the proposed approach with previous work (Table 5). We also generate a set of noisy datasets to check the efficiency of the proposed algorithm over noisy access logs. The results of these experiments are reported in Table 4.

For all experiments, the optimal thresholds for selecting effective attributes and relations are between 0.2 and 0.3.

5.3 Results

We first evaluate the performance of our policy mining algorithm on complete datasets. Table 4 shows the results of these experiments.

Our second set of experiments is on partial datasets. The algorithm proposed by Xu and Stoller [14] and the approach presented by Cotrini et al. [18] are not able to handle the complete datasets, as these datasets are huge. To be able to compare the performance of our proposed algorithm with their work, we generated 0.1% sparse (partial) datasets and ran all algorithms over these partial datasets. The results of these experiments are shown in Table 5 and Figures 2, 3, and 4.

The algorithm proposed by Xu and Stoller [14] and the approach presented by Cotrini et al. [18] do not generate policy rules with negative attribute filters and relations; however, we report the results of their algorithms over the datasets related to policy rules including negations (policies π4, π5, π6) to show how the quality of the mined policies is impacted if the mining algorithm does not extract rules that include negation.

5.3.1 The F-Score of the Mined Policies

Table 4 shows the final $F\text{-}score_{\pi|L}$ of our proposed approach after several rounds of refinement over all complete datasets. As we can see in Table 4, the proposed approach achieves a high F-score across all experiments except for π6. π6 is a very complex dataset with both positive and negative attribute and relation filters, including 14 attributes, 44 attribute values, and around six million access records. The final policy quality for this dataset is around 0.63, which is acceptable considering the complexity of the policy.

Table 5 and Figure 2 show the comparison of the F-scores of the policies mined by our proposed approach with those of previous work over partial datasets (with 0.1% of the complete datasets). The F-score of the policies mined by our algorithm is very close to that of the approach proposed by Cotrini et al. [18]. As we can see, our proposed approach outperforms theirs in half of the experiments.

5.3.2 The Complexity of the Mined Policies

In Table 4, we can see the final WSC of the policies mined by our proposed approach. All extracted policies have a complexity lower than 100, which is much lower than that of the most complex policy for each individual dataset. According to Definition 17, the most complex policy for each dataset has the same complexity as the original positive access log (L+). Given the numbers in Tables 3 and 4, the most complex policies for these scenarios are thousands of times more complex than the policies extracted by our approach.


We compare the complexity of the policies mined by the different ABAC mining algorithms in Figure 3. Among the three approaches, the Cotrini et al. algorithm extracts the most complex policies, with WSC greater than 1000 in some cases. The complexity of the policies mined by our algorithm is very close to that of the policies extracted by the approach proposed by Xu and Stoller [14].

5.3.3 The Policy Quality of the Mined Policies

Finally, Table 4 shows the quality of the policies extracted by our proposed approach. We can see that, out of all the datasets our proposed algorithm was applied to, around 75% of the cases reached a policy quality of more than 0.8, which is significant considering the huge size of the original access logs (each more than 30K records).

According to Figure 4, in most cases the policy quality of the policies mined by our proposed approach is higher than that of the policies extracted by the other ABAC mining algorithms.

Fig. 2: The F-Score of the Policies Mined by ABAC Mining Algorithms. [Bar chart; x-axis: Partial π1 to Partial π6, π10, π11; y-axis: F-score (0 to 100); series: Proposed Approach, Xu and Stoller [14], Cotrini et al. [18].]

Fig. 3: The Complexity of the Policies Mined by ABAC Mining Algorithms. [Bar chart; same x-axis; y-axis: WSC (0 to 2500); same three series.]

Fig. 4: The Quality of the Policies Mined by ABAC Mining Algorithms. [Bar chart; same x-axis; y-axis: Policy Quality (0.0 to 1.0); same three series.]

6 RELATED WORK

As the RBAC approach became popular, many organizations decided to equip their information systems with this more recent access control model; however, migrating to RBAC from legacy access control systems was a huge obstacle for such environments. As a result, several researchers have addressed this challenge by introducing automated role extraction algorithms [10], [11], [12], [13], [23], [34], [35], [36], [37], [38], [39]. Role engineering and role mining are the terms that have been used to refer to procedures that extract an optimal set of roles given user-permission assignments.

In [10], Kuhlmann and Schimpf try to discover a set of roles from user-permission assignments using clustering techniques; however, they do not show the feasibility of their proposed approach through experiments. In addition, their proposed approach lacks a metric to choose the best model based on their clustering method.

The ORCA role mining tool is proposed by Schlegelmilch and Steffens and performs a hierarchical clustering on user-permission assignments [11]. Their proposed method limits the hierarchical structure to a tree, so that each permission/user is assigned to one role in the hierarchy. This feature limits the feasibility of their proposed approach as, in real environments, roles do not necessarily form a tree.

Ni et al. propose a supervised learning approach for role mining which maps each user-permission assignment to a role using a supervised classifier (i.e., a support vector machine (SVM)) [39]. The main limitation of their proposed approach is that the roles and some parts of the role-permission assignments are needed beforehand; hence, it is not applicable in many organizations.

Vaidya et al. are the first to define the Role Mining Problem (RMP) formally and analyze its theoretical bounds [40]. They also propose a heuristic approach for finding a minimal set of roles for a given set of user-permission assignments.

Xu and Stoller are the first to propose an algorithm for mining ABAC policies from RBAC [41], logs [14], and access control lists [15] plus attribute information. Their policy mining algorithms iterate over access control tuples (generated


TABLE 4: Results of Our Proposed Approach on Various Synthesized and Real Policy Datasets

| π | Total Running Time (s) | Optimal k | \|P_mined\| | ACC_π\|L | F-score_π\|L | WSC_orig | WSC_mined | Q_π |
|---|---|---|---|---|---|---|---|---|
| π1 | 9376.556 | 15 | 20 | 97.5% | 83.6% | 33 | 91 | 0.91 |
| Partial π1 (10%) | 1994.769 | 15 | 13 | 97.29% | 82.21% | 33 | 54 | 0.90 |
| Noisy π1 (10%) | 4979.56 | 10 | 8 | 96.94% | 80% | 33 | 28 | 0.90 |
| π2 | 2180.745 | 18 | 18 | 85.49% | 75.93% | 33 | 71 | 0.86 |
| Partial π2 (10%) | 4787.98 | 10 | 8 | 96.94% | 85.33% | 33 | 28 | 0.92 |
| Noisy π2 (10%) | 7339.91 | 8 | 15 | 72.22% | 82.13% | 33 | 27 | 0.90 |
| π3 | 7795.44 | 15 | 17 | 95.6% | 65.63% | 44 | 55 | 0.80 |
| Partial π3 (10%) | 1347.29 | 6 | 10 | 95.2% | 62.24% | 44 | 56 | 0.77 |
| Noisy π3 (10%) | 1912.72 | 15 | 15 | 94.47% | 62.66% | 44 | 81 | 0.77 |
| π4 | 13662.62 | 7 | 16 | 86.7% | 71.58% | 33 | 40 | 0.83 |
| π5 | 8681.64 | 15 | 15 | 78.11% | 62% | 33 | 67 | 0.76 |
| π6 | 12905.78 | 20 | 17 | 88.05% | 46.28% | 44 | 80 | 0.63 |
| π7 | 24.63 | 8 | 20 | 93% | 78.33% | 33 | 65 | 0.88 |
| π8 | 13081.20 | 10 | 14 | 99.12% | 91.28% | 33 | 51 | 0.95 |
| π9 | 2266.68 | 8 | 16 | 92.17% | 79.66% | 33 | 46 | 0.89 |
| π10 | 265.3 | 15 | 20 | 94% | 97% | - | 44 | 0.98 |
| π11 | 1010.43 | 24 | 25 | 98.49% | 99% | - | 92 | 0.82 |

TABLE 5: Comparison of Our Proposed Approach with Previous Work on Various Synthesized and Real Policy Datasets

| Mining Alg. | π | Time (s) | ACC_π\|L | F-score_π\|L | \|P_mined\| | WSC(π) | Q_π |
|---|---|---|---|---|---|---|---|
| Xu and Stoller [14] | Partial π1 (0.1%) | 227 | 94.74% | 65.87% | 10 | 34 | 0.79 |
| Cotrini et al. [18] | | 126 | 80.74% | 45.3% | 132 | 508 | 0.58 |
| Proposed Approach | | 7.3 | 96% | 74.2% | 7 | 29 | 0.85 |
| Xu and Stoller [14] | Partial π2 (0.1%) | 32645 | 64.43 | 63.61 | 3 | 6 | 0.78 |
| Cotrini et al. [18] | | 529 | 72.72% | 64% | 65 | 272 | 0.75 |
| Proposed Approach | | 7.9 | 79.78% | 68.23% | 13 | 49 | 0.81 |
| Xu and Stoller [14] | Partial π3 (0.1%) | −* | −* | −* | −* | −* | −* |
| Cotrini et al. [18] | | 3587 | 91.57% | 54.124% | 24 | 77 | 0.70 |
| Proposed Approach | | 11.44 | 94.96% | 51.31% | 12 | 55 | 0.78 |
| Xu and Stoller [14] | Partial π4 (0.1%) | 4230 | 73.37% | 16.1% | 10 | 34 | 0.28 |
| Cotrini et al. [18] | | 204 | 93.55% | 88.5% | 385 | 1389 | 0.86 |
| Proposed Approach | | 15 | 89.3% | 80% | 10 | 40 | 0.89 |
| Xu and Stoller [14] | Partial π5 (0.1%) | 45348 | 79.25 | 73.09 | 3 | 6 | 0.84 |
| Cotrini et al. [18] | | 3587 | 86.46% | 79.2% | 123 | 462 | 0.83 |
| Proposed Approach | | 8.8 | 87.2% | 76.3% | 15 | 66 | 0.86 |
| Xu and Stoller [14] | Partial π6 (0.1%) | −* | −* | −* | −* | −* | −* |
| Cotrini et al. [18] | | 2848 | 82.75% | 62.66% | 31 | 100 | 0.77 |
| Proposed Approach | | 22.67 | 81.2% | 49.4% | 12 | 44 | 0.66 |
| Xu and Stoller [14] | | | | | | | |

πœ‹10βˆ’βˆ— βˆ’βˆ— βˆ’βˆ— βˆ’βˆ— βˆ’βˆ— βˆ’βˆ—

Cotrini et al. [18] 237 84.25% 91.39% 1055 2431 0.92Proposed Approch 265.3 94% 97% 20 44 0.98Xu and Stoller [14]

πœ‹11βˆ’βˆ— βˆ’βˆ— βˆ’βˆ— βˆ’βˆ— βˆ’βˆ— βˆ’βˆ—

Cotrini et al. [18] 1345 70.93% 75.64% 466 1247 0.85Proposed Approch 1010.43 98.49% 99% 24 92 0.99

βˆ— Xu and Stoller [14] did not terminate nor produced any output for the these datasets even after running formore than 24 hours.

from available information, e.g., user permission relationsand attributes) and construct candidates rules. They thengeneralize the candidate rules by replacing conjuncts inattribute expressions with constraints. The main limitationof these algorithms is that as they are based on heuristicapproaches, the proposed techniques work very well forsimple and small scale AC policies, however, as the numberof rules in the policy and the number of elements in eachrule increases, they do not perform well.
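The candidate-rule-and-generalization step just described, as an added illustration written for this page (it is not Xu and Stoller's implementation): the candidate rule is the most specific conjunction of one permitted tuple's attribute values; generalization first turns a user conjunct and a resource conjunct with the same value into the constraint user.attr = resource.attr, then drops any conjunct that is not needed to keep every denied tuple excluded. The hospital-style attribute names and the five log tuples are constructed for the example.

```python
"""Candidate-rule construction and generalization over an access log.

Illustration written for this page (not Xu and Stoller's code): build the most
specific rule from one permitted tuple, then generalize it by turning matching
user/resource conjuncts into a constraint and dropping conjuncts that are not
needed to keep every denied tuple excluded. Attribute names and the log tuples
below are constructed for the example.
"""
from dataclasses import dataclass, field
from itertools import product


@dataclass
class AccessTuple:
    user: dict        # user attribute -> value
    res: dict         # resource attribute -> value
    op: str
    permit: bool      # decision recorded in the log


@dataclass
class CandidateRule:
    user_expr: dict                                   # user conjuncts: attr -> required value
    res_expr: dict                                    # resource conjuncts: attr -> required value
    ops: frozenset
    constraints: frozenset = field(default_factory=frozenset)  # {(uattr, rattr)}: user.uattr == res.rattr

    def covers(self, t: AccessTuple) -> bool:
        return (t.op in self.ops
                and all(t.user.get(a) == v for a, v in self.user_expr.items())
                and all(t.res.get(a) == v for a, v in self.res_expr.items())
                and all(t.user.get(ua) == t.res.get(ra) for ua, ra in self.constraints))


def candidate_rule(t: AccessTuple) -> CandidateRule:
    """Most specific rule: every attribute value of the tuple becomes a conjunct."""
    return CandidateRule(dict(t.user), dict(t.res), frozenset([t.op]))


def _without(expr: dict, attr: str) -> dict:
    return {a: v for a, v in expr.items() if a != attr}


def generalize(rule: CandidateRule, log: list) -> CandidateRule:
    """Generalize `rule` as far as possible without covering any denied tuple."""
    denied = [t for t in log if not t.permit]

    def safe(r: CandidateRule) -> bool:
        return not any(r.covers(t) for t in denied)

    # Step 1: a user conjunct and a resource conjunct with the same value become
    # the constraint user.ua == res.ra, which also fits tuples with other values.
    for ua, ra in product(list(rule.user_expr), list(rule.res_expr)):
        if (ua in rule.user_expr and ra in rule.res_expr
                and rule.user_expr[ua] == rule.res_expr[ra]):
            trial = CandidateRule(_without(rule.user_expr, ua), _without(rule.res_expr, ra),
                                  rule.ops, rule.constraints | {(ua, ra)})
            if safe(trial):
                rule = trial
    # Step 2: drop any remaining conjunct that is not needed to exclude a denied tuple.
    for ua in list(rule.user_expr):
        trial = CandidateRule(_without(rule.user_expr, ua), rule.res_expr, rule.ops, rule.constraints)
        if safe(trial):
            rule = trial
    for ra in list(rule.res_expr):
        trial = CandidateRule(rule.user_expr, _without(rule.res_expr, ra), rule.ops, rule.constraints)
        if safe(trial):
            rule = trial
    return rule


def mine(log: list) -> list:
    """Iterate over permitted tuples; each not-yet-covered one seeds a new generalized rule."""
    policy = []
    for t in log:
        if t.permit and not any(r.covers(t) for r in policy):
            policy.append(generalize(candidate_rule(t), log))
    return policy


# Constructed log: doctors may read records of their own department only.
LOG = [
    AccessTuple({"role": "doctor", "dept": "cardio"}, {"type": "record", "dept": "cardio"}, "read", True),
    AccessTuple({"role": "doctor", "dept": "onco"}, {"type": "record", "dept": "onco"}, "read", True),
    AccessTuple({"role": "doctor", "dept": "cardio"}, {"type": "record", "dept": "onco"}, "read", False),
    AccessTuple({"role": "nurse", "dept": "cardio"}, {"type": "record", "dept": "cardio"}, "read", False),
    AccessTuple({"role": "doctor", "dept": "cardio"}, {"type": "invoice", "dept": "cardio"}, "read", False),
]

if __name__ == "__main__":
    for r in mine(LOG):
        print(r)
```

On this log the first permitted tuple yields the candidate `role=doctor ∧ dept=cardio` / `type=record ∧ dept=cardio`; the two `dept` conjuncts collapse into the constraint `user.dept = res.dept`, and the rule then also covers the oncology tuple it was not built from, so the policy ends with a single rule. The `role` and `type` conjuncts survive because dropping either would let a denied tuple through, which is the check that keeps generalization from becoming over-permissive.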

Following Xu and Stoller's method, Medvet et al. [16] propose a multi-objective evolutionary algorithm for extracting ABAC policies. The approach is a separate-and-conquer algorithm: in each iteration a new rule is learned and the set of access log tuples still to be covered shrinks. Their algorithm employs several search-optimizing features to improve the quality of the mined rules. Although their approach is a multi-objective optimization framework that incorporates requirements on both correctness and expressiveness, it suffers from the same issue as [15].

Iyer and Masoumzadeh [17] propose a more systematic, yet still heuristic, ABAC policy mining approach based on the rule mining algorithm PRISM. It inherits the shortcomings of PRISM, which include dealing with the large dimensionality of the search space of attribute values and the generation of a huge number of rules.

Cotrini et al. propose an algorithm called Rhapsody for mining ABAC rules from sparse logs [18]. Their approach is built upon subgroup discovery algorithms. They define a novel metric, reliability, which measures how overly permissive an extracted rule is. In addition, they propose a universal cross-validation metric for evaluating the mined policy when the input log is sparse. However, their algorithm is not capable of mining policies from logs with many attributes, as the number of extracted rules grows exponentially in the number of attributes of the system.

7 DISCUSSION AND LIMITATIONS

As discussed in Section 5.3, our proposed approach achieves a practical level of performance when applied to both synthesized and real datasets. For the synthesized datasets, the approach is capable of mining policies containing both positive and negative attribute filters from complete datasets, and it also shows potential for use on sparse datasets. The real datasets contain a large number of attributes and attribute values, as shown in Table 3. The ability of our approach to mine high-quality policies for these datasets shows that the number of attributes and attribute values has minimal impact on its effectiveness.

The proposed approach is based on an unsupervised clustering algorithm. Finding the proper number of clusters is a well-known challenge for clustering algorithms, and our approach is affected by this issue as well. The same issue arises in finding the best thresholds for extracting effective attributes and relations.

We note that, as the proposed algorithm depends on tuning multiple parameters, it may get stuck in a local optimum. For this reason, we do not claim that it will extract the policy with the highest quality in every scenario, nor do we claim that extracting rules with negative attribute filters and relations will always result in a policy of higher quality (as can be seen in Section 5.3); however, by trying more randomized cluster initializations and a wider range of parameters, we can obtain a policy that is closer to the global optimum.

In our evaluation, we used random selection to create noisy and sparse datasets from complete datasets. Although we ensured that the same percentage of tuples was randomly selected from the permitted and from the denied logs, guaranteeing the quality of the sampling is difficult.
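The stratified sampling described above, as an added example (not the authors' code), together with one check that makes "sampling quality" concrete: after drawing the same fraction from the permitted and from the denied tuples, it measures how much of the full log's attribute-value space survives in the sample. The attribute names, the log generator and the ground-truth rule that labels the constructed log are assumptions made for the illustration.

```python
"""Stratified subsampling of an access log into a sparse ("partial") dataset.

Added example, not the authors' code: keep the same fraction of permitted and
of denied tuples, then measure how much of the full log's attribute-value
space survives in the sample. The attribute names, the log generator and the
ground-truth rule that labels the constructed log are assumptions made here.
"""
import random

ROLES = ["doctor", "nurse", "admin", "intern"]
DEPTS = ["cardio", "onco", "neuro"]
OPS = ["read", "write"]


def build_log(n: int = 300, seed: int = 1) -> list:
    """Constructed log: n random tuples labelled by an assumed ground-truth policy
    (doctors read/write in their own department; nurses read in their own department)."""
    rng = random.Random(seed)
    log = []
    for _ in range(n):
        t = {"role": rng.choice(ROLES), "udept": rng.choice(DEPTS),
             "rdept": rng.choice(DEPTS), "op": rng.choice(OPS)}
        same_dept = t["udept"] == t["rdept"]
        permit = same_dept and (t["role"] == "doctor"
                                or (t["role"] == "nurse" and t["op"] == "read"))
        t["decision"] = "permit" if permit else "deny"
        log.append(t)
    return log


def stratified_sample(log: list, fraction: float, seed: int = 0) -> list:
    """Draw `fraction` of the permitted tuples and `fraction` of the denied tuples
    separately, so the permit/deny ratio of the full log is preserved."""
    rng = random.Random(seed)
    sample = []
    for decision in ("permit", "deny"):
        rows = [t for t in log if t["decision"] == decision]
        if rows:
            sample += rng.sample(rows, max(1, round(len(rows) * fraction)))
    return sample


def permit_share(log: list) -> float:
    return sum(t["decision"] == "permit" for t in log) / len(log)


def _value_pairs(rows: list) -> set:
    return {(a, v) for t in rows for a, v in t.items() if a != "decision"}


def value_coverage(full: list, sample: list) -> float:
    """Fraction of (attribute, value) pairs present in `full` that also occur in
    `sample`; a value that never appears cannot be learned from the sample."""
    seen = _value_pairs(full)
    return len(seen & _value_pairs(sample)) / len(seen)


def sampling_report(full: list, fraction: float, seed: int = 0) -> dict:
    sample = stratified_sample(full, fraction, seed)
    return {"size": len(sample),
            "permit_share_full": permit_share(full),
            "permit_share_sample": permit_share(sample),
            "value_coverage": value_coverage(full, sample)}


if __name__ == "__main__":
    full = build_log()
    for frac in (0.10, 0.01):
        print(frac, sampling_report(full, frac))
```

Stratification keeps the permit/deny share of the sample within rounding of the full log, but it says nothing about which attribute values survive; at 1% the sample is a handful of tuples and `value_coverage` drops, which is exactly the kind of loss a mined policy cannot recover from.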

8 CONCLUSION

In this paper, we have proposed an unsupervised-learning-based approach to automating the ABAC policy extraction process. The approach is capable of discovering both positive and negative attribute expressions as well as positive and negative relation conditions, whereas previous approaches to access control policy extraction focused only on positive expressions. Furthermore, our work can improve the extracted policy through iterations of the proposed rule pruning and policy refinement algorithms. These refinement algorithms are driven by the false positive and false negative records and help increase the quality of the mined policy.

Most importantly, we have proposed a policy quality metric that considers both the conciseness and the correctness of the mined policy; it is important for comparing the extracted policy with the original one and for improving it as needed.

We have evaluated our policy extraction algorithm on access logs generated for various sample policies and demonstrated its feasibility. Furthermore, we have shown that our approach outperforms previous works in terms of policy quality.

As future work, we plan to extend our method to support numerical data and to extract negative authorization rules as well, while studying the effects of various conflict resolution strategies on the quality of the mined policy.
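How the false positive and false negative records that drive refinement are obtained, as an added example (not the paper's implementation): rules carry positive filters (the attribute must take one of the listed values) and negative filters (it must not), a request is permitted when any rule matches, and evaluation against the log returns accuracy and F-score together with the misclassified records. The pruning criterion shown (drop a rule that matches only denied records) is a simple assumption made here; the paper's own pruning and refinement algorithms and its quality metric Q are defined in its earlier sections and are not reproduced. The log records and the two-rule mined policy are constructed.

```python
"""Evaluating a mined ABAC policy against an access log.

Added example, not the paper's implementation: rules with positive and negative
attribute filters, permit-if-any-rule-matches semantics, and an evaluation that
returns accuracy, F-score and the false positive / false negative records. The
pruning criterion is an assumption made here; the log and the mined policy are
constructed.
"""
from dataclasses import dataclass, field


@dataclass
class FilterRule:
    positive: dict = field(default_factory=dict)   # attr -> set of allowed values
    negative: dict = field(default_factory=dict)   # attr -> set of excluded values

    def matches(self, rec: dict) -> bool:
        return (all(rec.get(a) in vals for a, vals in self.positive.items())
                and not any(rec.get(a) in vals for a, vals in self.negative.items()))


def policy_permits(policy: list, rec: dict) -> bool:
    return any(rule.matches(rec) for rule in policy)


def evaluate(policy: list, log: list) -> dict:
    """Confusion counts plus the misclassified records for later refinement."""
    tp = fp = fn = tn = 0
    false_pos, false_neg = [], []
    for rec in log:
        predicted = policy_permits(policy, rec)
        actual = rec["decision"] == "permit"
        if predicted and actual:
            tp += 1
        elif predicted and not actual:
            fp += 1
            false_pos.append(rec)
        elif not predicted and actual:
            fn += 1
            false_neg.append(rec)
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f_score = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"acc": (tp + tn) / len(log), "f_score": f_score,
            "fp": false_pos, "fn": false_neg}


def prune_useless_rules(policy: list, log: list) -> list:
    """Assumed pruning criterion: keep a rule only if it matches at least one
    permitted record; a rule that matches only denied records contributes nothing
    but false positives."""
    permitted = [rec for rec in log if rec["decision"] == "permit"]
    return [rule for rule in policy if any(rule.matches(rec) for rec in permitted)]


# Constructed log and mined policy.
LOG = [
    {"role": "doctor", "op": "read",   "decision": "permit"},
    {"role": "doctor", "op": "write",  "decision": "permit"},
    {"role": "doctor", "op": "delete", "decision": "deny"},
    {"role": "nurse",  "op": "read",   "decision": "permit"},
    {"role": "nurse",  "op": "write",  "decision": "deny"},
    {"role": "intern", "op": "read",   "decision": "deny"},
    {"role": "intern", "op": "write",  "decision": "deny"},
    {"role": "admin",  "op": "delete", "decision": "permit"},
]

MINED_POLICY = [
    FilterRule(positive={"role": {"doctor"}}, negative={"op": {"delete"}}),  # doctors, except delete
    FilterRule(positive={"role": {"intern"}}),                               # over-permissive: only FPs
]

if __name__ == "__main__":
    before = evaluate(MINED_POLICY, LOG)
    after = evaluate(prune_useless_rules(MINED_POLICY, LOG), LOG)
    print("before pruning:", before["acc"], before["f_score"], len(before["fp"]), len(before["fn"]))
    print("after pruning: ", after["acc"], after["f_score"], len(after["fp"]), len(after["fn"]))
```

The second rule produces the two false positives (both intern records); pruning it lifts accuracy from 0.5 to 0.75 and F-score from 0.5 to about 0.67, while the two false negatives (nurse read, admin delete) remain and are the records a refinement step would have to add rules for.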

REFERENCES

[1] R. S. Sandhu and P. Samarati, “Access control: principle and practice,” IEEE Communications Magazine, vol. 32, no. 9, pp. 40–48, 1994.

[2] M. A. Harrison, W. L. Ruzzo, and J. D. Ullman, “Protection in operating systems,” Communications of the ACM, vol. 19, no. 8, pp. 461–471, 1976.

[3] D. E. Bell and L. J. LaPadula, “Secure computer systems: Mathematical foundations,” tech. rep., MITRE Corp., Bedford, MA, 1973.

[4] R. S. Sandhu, “Lattice-based access control models,” Computer, vol. 26, no. 11, pp. 9–19, 1993.

[5] R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman, “Role-based access control models,” Computer, vol. 29, no. 2, pp. 38–47, 1996.

[6] P. W. Fong and I. Siahaan, “Relationship-based access control policies and their policy languages,” in Proceedings of the 16th ACM Symposium on Access Control Models and Technologies, pp. 51–60, ACM, 2011.

[7] J. Jin, G.-J. Ahn, H. Hu, M. J. Covington, and X. Zhang, “Patient-centric authorization framework for sharing electronic health records,” in Proceedings of the 14th ACM Symposium on Access Control Models and Technologies, pp. 125–134, ACM, 2009.

[8] L. Karimi and J. Joshi, “Multi-owner multi-stakeholder access control model for a healthcare environment,” in 2017 IEEE 3rd International Conference on Collaboration and Internet Computing (CIC), pp. 359–368, IEEE, 2017.

[9] V. C. Hu, D. Ferraiolo, R. Kuhn, A. R. Friedman, A. J. Lang, M. M. Cogdell, A. Schnitzer, K. Sandlin, R. Miller, K. Scarfone, et al., “Guide to attribute based access control (ABAC) definition and considerations (draft),” NIST Special Publication, vol. 800, no. 162, 2013.

[10] M. Kuhlmann, D. Shohat, and G. Schimpf, “Role mining - revealing business roles for security administration using data mining technology,” in Proceedings of the Eighth ACM Symposium on Access Control Models and Technologies, pp. 179–186, ACM, 2003.

[11] J. Schlegelmilch and U. Steffens, “Role mining with ORCA,” in Proceedings of the Tenth ACM Symposium on Access Control Models and Technologies, pp. 168–176, ACM, 2005.

[12] I. Molloy, H. Chen, T. Li, Q. Wang, N. Li, E. Bertino, S. Calo, and J. Lobo, “Mining roles with semantic meanings,” in Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, pp. 21–30, ACM, 2008.

[13] Z. Xu and S. D. Stoller, “Algorithms for mining meaningful roles,” in Proceedings of the 17th ACM Symposium on Access Control Models and Technologies, pp. 57–66, ACM, 2012.

[14] Z. Xu and S. D. Stoller, “Mining attribute-based access control policies from logs,” in IFIP Annual Conference on Data and Applications Security and Privacy, pp. 276–291, Springer, 2014.

[15] Z. Xu and S. D. Stoller, “Mining attribute-based access control policies,” IEEE Transactions on Dependable and Secure Computing, vol. 12, no. 5, pp. 533–545, 2015.

[16] E. Medvet, A. Bartoli, B. Carminati, and E. Ferrari, “Evolutionary inference of attribute-based access control policies,” in EMO (1), pp. 351–365, 2015.

[17] P. Iyer and A. Masoumzadeh, “Mining positive and negative attribute-based access control policy rules,” in Proceedings of the 23rd ACM Symposium on Access Control Models and Technologies, pp. 161–172, ACM, 2018.

[18] C. Cotrini, T. Weghorn, and D. Basin, “Mining ABAC rules from sparse logs,” in 2018 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 31–46, IEEE, 2018.

[19] P. Marinescu, C. Parry, M. Pomarole, Y. Tian, P. Tague, and I. Papagiannis, “IVD: Automatic learning and enforcement of authorization rules in online social networks,” in 2017 IEEE Symposium on Security and Privacy (SP), pp. 1094–1109, IEEE, 2017.

[20] D. B. Suits, “Use of dummy variables in regression equations,” Journal of the American Statistical Association, vol. 52, no. 280, pp. 548–551, 1957.

[21] C. M. Bishop, Pattern Recognition and Machine Learning. Springer, 2006.

[22] Wikipedia contributors, “Accuracy paradox - Wikipedia, the free encyclopedia,” 2018. [Online; accessed 30-September-2019].

[23] I. Molloy, H. Chen, T. Li, Q. Wang, N. Li, E. Bertino, S. Calo, and J. Lobo, “Mining roles with multiple objectives,” ACM Transactions on Information and System Security (TISSEC), vol. 13, no. 4, p. 36, 2010.

[24] M. Beckerle and L. A. Martucci, “Formal definitions for usable access control rule sets from goals to metrics,” in Proceedings of the Ninth Symposium on Usable Privacy and Security, p. 2, ACM, 2013.

[25] C. J. van Rijsbergen, Information Retrieval, 2nd ed. Butterworths, 1979.

[26] F. Cao, J. Liang, and L. Bai, “A new initialization method for categorical data clustering,” Expert Systems with Applications, vol. 36, no. 7, pp. 10223–10228, 2009.

[27] L. Karimi and J. Joshi, “An unsupervised learning based approach for mining attribute based access control policies,” in 2018 IEEE International Conference on Big Data (Big Data), IEEE, 2018.

[28] R. L. Thorndike, “Who belongs in the family?,” Psychometrika, vol. 18, no. 4, pp. 267–276, 1953.

[29] C. Goutte, P. Toft, E. Rostrup, F. Å. Nielsen, and L. K. Hansen, “On clustering fMRI time series,” NeuroImage, vol. 9, no. 3, pp. 298–310, 1999.

[30] P. Jaccard, “The distribution of the flora in the alpine zone. 1,” New Phytologist, vol. 11, no. 2, pp. 37–50, 1912.

[31] Amazon.com, “Amazon employee access challenge.” Kaggle.

[32] K. Montanez, “Amazon access samples.” UCI Machine Learning Repository: Amazon Access Samples Data Set.

[33] N. Devos and R. Hes, “Kmodes implementation.”

[34] J. Vaidya, V. Atluri, and Q. Guo, “The role mining problem: finding a minimal descriptive set of roles,” in Proceedings of the 12th ACM Symposium on Access Control Models and Technologies, pp. 175–184, ACM, 2007.

[35] J. Vaidya, V. Atluri, and J. Warner, “RoleMiner: mining roles using subset enumeration,” in Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 144–153, ACM, 2006.

[36] D. Zhang, K. Ramamohanarao, and T. Ebringer, “Role engineering using graph optimisation,” in Proceedings of the 12th ACM Symposium on Access Control Models and Technologies, pp. 139–144, ACM, 2007.

[37] Q. Guo, J. Vaidya, and V. Atluri, “The role hierarchy mining problem: Discovery of optimal role hierarchies,” in 2008 Annual Computer Security Applications Conference (ACSAC), pp. 237–246, IEEE, 2008.

[38] H. Takabi and J. B. Joshi, “StateMiner: an efficient similarity-based approach for optimal mining of role hierarchy,” in Proceedings of the 15th ACM Symposium on Access Control Models and Technologies, pp. 55–64, ACM, 2010.

[39] Q. Ni, J. Lobo, S. Calo, P. Rohatgi, and E. Bertino, “Automating role-based provisioning by learning from examples,” in Proceedings of the 14th ACM Symposium on Access Control Models and Technologies, pp. 75–84, ACM, 2009.

[40] J. Vaidya, V. Atluri, and Q. Guo, “The role mining problem: A formal perspective,” ACM Transactions on Information and System Security (TISSEC), vol. 13, no. 3, p. 27, 2010.

[41] Z. Xu and S. D. Stoller, “Mining attribute-based access control policies from RBAC policies,” in 2013 10th International Conference and Expo on Emerging Technologies for a Smarter World (CEWIT), pp. 1–6, IEEE, 2013.

Leila Karimi received an undergraduate degree and the MS degree in information technology engineering from the Sharif University of Technology, Tehran, Iran. She is a Ph.D. candidate at the School of Computing and Information (SCI) at the University of Pittsburgh. Her research interests lie at the intersection of information security, data privacy, and machine learning. Currently, she is working on applying machine learning techniques to solve challenging problems in the security domain.

Maryam Aldairi received an undergraduate degree in management information systems from King Faisal University, Alhasa, KSA, and the MS degree in information science from the University of Pittsburgh. She is a Ph.D. student at the School of Computing and Information (SCI) at the University of Pittsburgh. Her research interests lie at the intersection of information security, adversarial learning, and machine learning. Currently, her focus is on applying machine learning techniques to solve challenging problems in the security domain.

James Joshi received the MS degree in computer science and the Ph.D. degree in computer engineering from Purdue University. He is a professor in the School of Computing and Information (SCI) at the University of Pittsburgh. His research interests include access control models, security and privacy of distributed systems, trust management, and information survivability. He is the director of LERSAIS at the University of Pittsburgh. He is an elected fellow of the Society of Information Reuse and Integration (SIRI) and a senior member of the IEEE and the ACM. He currently serves as a Program Director of the Secure and Trustworthy Cyberspace program at the National Science Foundation.

Mai Abdelhakim is an assistant professor in the Department of Electrical and Computer Engineering at the University of Pittsburgh's Swanson School of Engineering. She received her Ph.D. degree in Electrical Engineering from Michigan State University, and Bachelor's and Master's degrees in Electronics and Communications Engineering from Cairo University. Her research interests include cyber-physical systems, cybersecurity, machine learning, stochastic systems modeling, and information theory.